Worms: The Complete Documentation

  • This category contains 21 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

Adore Worm

Published on 2001-04-12, by William Stearns, ©SANS Institute.

This note is a preliminary characterization of the Adore worm. The worm code can be modified by anyone at any time. We'll try to keep this page updated as we learn more.

Adore Worm - Another Mutation

Published on April 06, 2001, by J. Anthony Dell, ©SANS Institute.

The Adore worm, originally identified as the Red Worm, is a collection of programs and shell scripts contained in a file called red.tar. The Adore worm attempts to gain unauthorized access to systems that are vulnerable to the LPRng, rpc-statd, and the Berkeley Internet Name Domain (BIND) software exploits.

Analyzing Worms using Compression

Published on 2004-06-03, by S. Wehner, ©S. Wehner.

Given an unknown internet worm, can we determine its family? For example, given Sasser C, can we easily guess that it's a Sasser variant without any manual analysis if we're given Sasser A and B? It appears that this is possible using compression alone. Our tests below show that we can successfully cluster different kinds of worms using the standard compressor bzip2. This method is extremely simple. Given Sasser A, for example, it was very easy to determine that Sasser D was a Sasser variant without taking a single look at the file.

Curious Yellow: The First Coordinated Worm Design

Published on 2005, by Brandon Wiley, ©Brandon Wiley.

The Warhol worm design began the theoretical discussion of so-called "superworms", a new type of computer worms. A worm is a computer program which copies itself from computer to computer in an attempt to reproduce as much as possible. A superworm uses more advanced techniques to achieve very quick infection of the network. The primary strategy behind the Warhol superworm is to pre-scan the network for vulnerable targets. When the worm is launched it already has a large list of targets with a known method for infection and can therefore quickly infect an initial seed population.

One thing which the Warhol paper mentions is that better results might be achieved via a coordinated worm in which various instances of the worm on different computers communicate with each other in order to optimize infection. The Warhol paper states, however, that no coordinated worm has ever been created. This paper proposes the first design for a worm which utilizes efficient communication between worm instances for an optimal infection strategy.

Defending against Hitlist Worms using Network Address Space Randomization

Published on 2005-11-11, by S. Antonatos, P. Akritidis, E. P. Markatos, K. G. Anagnostakis, ©S. Antonatos, P. Akritidis, E. P. Markatos, K. G. Anagnostakis.

Worms are self-replicating malicious programs that represent a major security threat for the Internet, as they can infect and damage a large number of vulnerable hosts at timescales where human responses are unlikely to be effective. Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion.

This paper examines a new proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against hitlist worms. The idea behind NASR is that hitlist information could be rendered stale if nodes are forced to frequently change their IP addresses. NASR limits or slows down hitlist worms and forces them to exhibit features that make them easier to contain at the perimeter. We explore the design space for NASR and present a prototype implementation as well as preliminary experiments examining the effectiveness and limitations of the approach.

Detection of RCS Worm Epidemics (The)

Published on 2005-11-11, by Kurt Rohloff, Tamer Basar, ©Kurt Rohloff, Tamer Basar.

This paper discusses the problem of automatically detecting the existence of Random Constant Scanning (RCS) worm epidemics on the Internet by observing packet traffic in a local network. The propagation of the RCS worm is modelled as a simple epidemic. An optimal hypothesis-testing approach is presented to detect simple epidemics under idealized conditions based on the cumulative sums of log-likelihood ratios. It is shown that there are limitations on the ability of this optimal method to detect several important subclasses of RCS worm epidemics even under idealized conditions.

Host-Based Detection of Worms through Peer-to-Peer Cooperation

Published on 2005-11-11, by David J. Malan and Michael D. Smith, ©David J. Malan and Michael D. Smith.

We propose a host-based, runtime defense against worms that achieves negligible risk of false positives through peer-to-peer cooperation. We view correlation among otherwise independent peers' behavior as anomalous behavior, an indication of a fast-spreading worm. We detect correlation by exploiting worms' temporal consistency, similarity (low temporal variance) in worms' invocations of system calls. We evaluate our ideas on Windows XP with Service Pack 2 using traces of nine variants of worms and twenty-five non-worms, including ten commercial applications and fifteen processes native to the platform. We find that two peers, upon exchanging snapshots of their internal behavior, defined with frequency distributions of system calls, can decide that they are, more likely than not, executing a worm between 76% and 97% of the time. More importantly, we find that the probability that peers might err, judging a non-worm a worm, is negligible.

Instant Messaging Worms, Analysis and Countermeasures (On)

Published on 2005, by Mohammad Mannan, Paul C. van Oorschot, ©Mohammad Mannan, Paul C. van Oorschot.

We provide a collection of minor results on the area of Instant Messaging (IM) worms, which has received relatively little attention in the formal literature. We review selected IM worms and summarize their main characteristics, motivating a brief overview of the network formed by IM contact lists, and a discussion of theoretical consequences of worms in such networks. Existing methods to restrict an IM worm epidemic are analyzed in terms of usability and effectiveness, leading to the suggestion of two minor variations to limit IM worm propagation. We believe these variations are more user-friendly and effective than existing published methods. We also provide brief results of a three and a half year user study of IM text messaging and file transfer frequency in a moderate-size public IM network – the largest such study to date – which is of independent interest, but also supports in part the preceding claim regarding user-friendliness.

Limits of Global Scanning Worm Detectors in the Presence of Background Noise (The)

Published on 2005-11-11, by David W. Richardson, Steven D. Gribble, and Edward D. Lazowska, ©David W. Richardson, Steven D. Gribble, and Edward D. Lazowska.

Internet worms cause billions of dollars in damage each year. To combat them, researchers have been exploring global worm detection systems to spot a new random scanning worm outbreak quickly. These systems passively listen for worm probes on unused IP addresses, looking for anomalous increases in probe traffic to distinguish the emergence of a new worm from background Internet noise.

In this paper, we use analytic modeling, simulation, and measurement to understand how background noise impacts the detection ability of global scanning worm detectors. We investigate the relationship between the average background noise level, the number of IP addresses monitored, and the detection latency for two classes of global scanning worm detectors: scan packet-based and victims-based schemes. Our results show how worm detection latency degrades as a function of the background noise level. To compensate, global scanning worm detectors can increase the number of IP addresses that they monitor. However, given the growth trend of background noise levels, the number of IP addresses which must be monitored may quickly become unreasonable. Because of this, we conclude that global scanning worm detection schemes are unlikely to be competitive with local scanning and signature-based worm detection schemes.

Lion Worm

Published on 2001-04-18, by William Stearns, ©SANS Institute.

There has been a source code change in Lion. Lion now behaves similarly to the way that Ramen behaves. It infects the system (still using the BIND exploit), sets up a listener on port 27374 and feeds it a web page. It also again sends out an email with the /etc/passwd and /etc/shadow to huckit@china.com. You can set your IDS up to monitor for outgoing email to huckit@china.com as long as you monitor your outbound connections. Lion still uses randb to generate class B addresses and pscan to scan random class B internet address space.

Microsoft LSASS Buffer Overflow from exploit to worm

Published on 2004, by Travis Abrams, ©SANS Institute.

This paper is an analysis of the vulnerability in the Microsoft Local Security Authority Subsystem Service (LSASS). This vulnerability has been widely exploited, and at the time of this writing it has been implemented into most new worms that are released.

Outwitting the Witty Worm

Published on 2005-05-24, by Abhishek Kumar, Vern Paxson and Nicholas Weaver, ©Abhishek Kumar, Vern Paxson and Nicholas Weaver.

Many Internet worms use pseudo-random numbers to scan the IP address-space. In this project, we reverse engineered the state of the pseudo-random number generator (pRNG) which the Witty worm used to generate packets. By combining our knowledge of Witty's code with the pRNG state, we performed a detailed recreation of the worm's spread. We were able to discover several characteristics of the infected systems, including their uptime, network access bandwidth, and number of disks. Additionally, we were able to find specific details about the worm author's deliberate targeting of a US Military base, and determine the identity of Patient 0, the system used to launch the worm.

RAMEN - A Linux Worm

Published on 2001-02-21, by Jack R. Collins, ©SANS Institute.

The goal of this assignment was to research an exploit or vulnerability using the resources available on the Internet. Choosing the recent "ramen worm" as an example, we found security advisories warning of its existence, clean-up scripts for removal of the worm from an infected host, thorough analyses of its mechanism of infiltration and replication, documentation of its "mutation" over time, its impact on an infected host and the internet as a whole, its "signature" for detecting it on a host and a network, and recommendations for easily patching the vulnerabilities so as to prevent an infection in the first place.

Ramen Linux Worm Propagation

Published on 2001-01-18, by X-Force, Internet Security Systems.

A self-propagating worm known as Ramen is currently exploiting well-known holes in unpatched Red Hat Linux 6.2 systems and in early versions of Red Hat 7.0. In addition to scanning for additional systems and propagating to vulnerable systems, the worm also defaces Web servers it encounters by replacing the "index.html" file. It may also interfere with some networks supporting multicasting.

Ramen Worm

Published on 02/15/2001, by William Stearns, ©SANS Institute.

A self-propagating Linux worm called Ramen has been reported. This worm is known to infect Red Hat 6.2 and 7.0 machines. It infects machines with vulnerabilities in the wu-ftp, rpc.statd, and LPRng services. This worm has the ability to infect other Linux and Unix machines via a vulnerable wu-ftp version, rpc.statd and LPRng. This worm can also be e

Self-Learning Worm Using Importance Scanning (A)

Published on 2005, by Zesheng Chen, Chuanyi Ji, ©Zesheng Chen, Chuanyi Ji.

The use of side information by an attacker can help a worm speed up its propagation. This philosophy has been the basis for advanced worm scanning mechanisms such as hitlist scanning, routable scanning, and importance scanning. Some of these scanning methods use information on vulnerable hosts. Such information, however, may not be easy to collect before a worm is released. Questions then arise whether and how a worm can self-learn and use such information while propagating, and how virulent the resulting worm may be. In this paper, we design a self-learning worm using importance scanning. An optimal yet practical importance-scanning strategy is derived based on a new metric. A self-learning worm is demonstrated to have the ability to accurately estimate the underlying vulnerable-host distribution if a sufficient number of infected hosts are observed. Experimental results based on parameters chosen from Code Red show that after accurately estimating the distribution of vulnerable hosts, a self-learning worm can spread much faster than a random-scanning worm, a permutation-scanning worm, and a Class A routing worm. Some guidelines for detecting and defending against such self-learning worms are also discussed.

Self-Stopping Worms

Published on 2005, by Justin Ma, Geoffrey M. Voelker, and Stefan Savage, ©Justin Ma, Geoffrey M. Voelker, and Stefan Savage.

Modern network worms spread with tremendous speed—potentially covering the planet in mere seconds. However, for most worms, this prodigious pace continues unabated long after the outbreak’s incidence has peaked. Indeed, it is this ongoing infection activity that is typically used to identify compromised hosts. In principle, a stealthier worm might eliminate this telltale sign by coordinating its members to halt infection activity after the vulnerable population is subverted. Thus, after a short initial spreading period all infected hosts could become quiescent "sleeper agents." In this paper, we show that such "self-stopping" capabilities are trivial to add to existing worms, and can be efficiently implemented without any explicit coordination or additional network traffic.

Spread of the Sapphire/Slammer Worm (The)

Published on 2005, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver, ©Cooperative Association for Internet Data Analysis.

The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.

The worm (also called Slammer) began to infect hosts slightly before 05:30 UTC on Saturday, January 25. Sapphire exploited a buffer overflow vulnerability in computers on the Internet running Microsoft's SQL Server or MSDE 2000 (Microsoft SQL Server Desktop Engine). This weakness in an underlying indexing service was discovered in July 2002; Microsoft released a patch for the vulnerability before it was announced. The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures. Several disassembled versions of the source code of the worm are available.

Spread of the Witty Worm (The)

Published on 2005-06-21, by Colleen Shannon and David Moore, ©Cooperative Association for Internet Data Analysis.

On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems™ (ISS) products, including ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm takes advantage of a security flaw in these firewall applications that was discovered earlier this month by eEye Digital Security™. Once the Witty worm infects a computer, it deletes a randomly chosen section of the hard drive, over time rendering the machine unusable. The worm's payload contained the phrase (^.^) insert witty message here (^.^) so it came to be known as the Witty worm.

What is Code Red Worm?

Published on 2001-08-04, by Adrian Tham, ©SANS Institute.

The term Internet worm brings to mind the first notorious worm, the Morris Worm: a fast self-replicating worm that crippled almost 10 percent of the computers connected to the Internet in Nov 1988. This worm took advantage of exploits in Unix's sendmail and finger daemon to propagate over the Internet. Though the Morris worm could only successfully attack Sun and VAX systems running Berkeley Unix code, it caused great damage because these machines made up a large percentage of the Internet.

Worm Evolution Tracking via Timing Analysis

Published on 2005-11-11, by Moheeb Abu Rajab, Fabian Monrose, Andreas Terzis, ©Moheeb Abu Rajab, Fabian Monrose, Andreas Terzis.

We present a technique to infer a worm's infection sequence from traffic traces collected at a network telescope. We analyze the fidelity of the infection evolution as inferred by our technique, and explore its effectiveness under varying constraints including the scanning rate of the worm, the size of the vulnerable population, and the size of the telescope itself. Moreover, we provide guidance regarding the point at which our method's accuracy diminishes beyond practical value. As we show empirically, this point is reached well after a few hundred initial infected hosts (possibly including "patient zero") have been reliably identified with more than 80% accuracy. We generalize our mechanism by exploiting the change in the pattern of inter-arrival times exhibited during the early stages of such an outbreak to detect the presence and approximate size of the hit-list. Our mechanism is resilient to varying parameters like the worm scanning rate and the size of the vulnerable population, and can provide significant insights into the characteristics of the hit-list even under spreading dynamics that exceed those of currently known worms. Lastly, to illustrate the practicality of our solution, we apply our approach to real-world traces of the Witty worm and provide a refined estimate of the previously suspected hit-list size.

Created: 2004-12-05 21:49 | Modified: 2007-03-26 00:16 | Size: 62470 octets
