Defense and Detection Strategies against Internet Worms.
Title:
Defense and Detection Strategies against Internet Worms.
Author:
Nazario, Jose.
ISBN:
9781580537735
Physical Description:
1 online resource (318 pages)
Contents:
Defense and Detection Strategies against Internet Worms
Contents vii
Foreword xvii
Preface xxi
Acknowledgments xxvii
1 Introduction 1
1.1 Why worm-based intrusions? 2
1.2 The new threat model 3
1.3 A new kind of analysis requirement 4
1.4 The persistent costs of worms 5
1.5 Intentions of worm creators 6
1.6 Cycles of worm releases 7
References 8
Part I Background and Taxonomy 9
2 Worms Defined 11
2.1 A formal definition 12
2.2 The five components of a worm 12
2.3 Finding new victims: reconnaissance 14
2.4 Taking control: attack 15
2.5 Passing messages: communication 15
2.6 Taking orders: command interface 16
2.7 Knowing the network: intelligence 17
2.8 Assembly of the pieces 18
2.9 Ramen worm analysis 19
2.10 Conclusions 21
References 21
3 Worm Traffic Patterns 23
3.1 Predicted traffic patterns 23
3.2 Disruption in Internet backbone activities 26
3.3 Observed traffic patterns 28
3.4 Conclusions 34
References 34
4 Worm History and Taxonomy 37
4.1 The beginning 38
4.2 UNIX targets 44
4.3 Microsoft Windows and IIS targets 53
4.4 Related research 63
4.5 Conclusions 65
References 65
5 Construction of a Worm 69
5.1 Target selection 69
5.2 Choice of languages 72
5.3 Scanning techniques 74
5.4 Payload delivery mechanism 75
5.5 Installation on the target host 76
5.6 Establishing the worm network 77
5.7 Additional considerations 78
5.8 Alternative designs 78
5.9 Conclusions 80
References 80
Part II Worm Trends 81
6 Infection Patterns 83
6.1 Scanning and attack patterns 83
6.2 Introduction mechanisms 89
6.3 Worm network topologies 91
6.4 Target vulnerabilities 97
6.5 Payload propagation 99
6.6 Conclusions 102
References 102
7 Targets of Attack 103
7.1 Servers 103
7.2 Desktops and workstations 105
7.3 Embedded devices 108
7.4 Conclusions 110
References 110
8 Possible Futures for Worms 113
8.1 Intelligent worms 113
8.2 Modular and upgradable worms 118
8.3 Warhol and Flash worms 122
8.4 Polymorphic traffic 126
8.5 Using Web crawlers as worms 127
8.6 Superworms and Curious Yellow 129
8.7 Jumping executable worm 130
8.8 Conclusions 131
References 132
Part III Detection 135
9 Traffic Analysis 137
9.1 Part overview 137
9.2 Introduction to traffic analysis 138
9.3 Traffic analysis setup 139
9.4 Growth in traffic volume 142
9.5 Rise in the number of scans and sweeps 143
9.6 Change in traffic patterns for some hosts 148
9.7 Predicting scans by analyzing the scan engine 150
9.8 Discussion 156
9.9 Conclusions 158
9.10 Resources 158
References 159
10 Honeypots and Dark (Black Hole) Network Monitors 161
10.1 Honeypots 162
10.2 Black hole monitoring 164
10.3 Discussion 170
10.4 Conclusions 172
10.5 Resources 173
References 173
11 Signature-Based Detection 175
11.1 Traditional paradigms in signature analysis 176
11.2 Network signatures 177
11.3 Log signatures 180
11.4 File system signatures 190
11.5 Analyzing the Slapper worm 195
11.6 Creating signatures for detection engines 198
11.7 Analysis of signature-based detection 204
11.8 Conclusions 206
11.9 Resources 206
References 208
Part IV Defenses 209
12 Host-Based Defenses 211
12.2 Host defense in depth 213
12.3 Host firewalls 213
12.4 Virus detection software 214
12.5 Partitioned privileges 216
12.6 Sandboxing of applications 219
12.7 Disabling unneeded services and features 221
12.8 Aggressively patching known holes 223
12.9 Behavior limits on hosts 225
12.10 Biologically inspired host defenses 227
12.11 Discussion 229
12.12 Conclusions 230
References 230
13 Firewall and Network Defenses 233
13.1 Example rules 234
13.2 Perimeter firewalls 236
13.3 Subnet firewalls 239
13.4 Reactive IDS deployments 239
13.5 Discussion 242
13.6 Conclusions 242
References 243
14 Proxy-Based Defenses 245
14.1 Example configuration 246
14.2 Authentication via the proxy server 249
14.3 Mail server proxies 249
14.4 Web-based proxies 251
14.5 Discussion 253
14.6 Conclusions 254
14.7 Resources 254
References 254
15 Attacking the Worm Network 257
15.1 Shutdown messages 259
15.2 "I am already infected" 260
15.3 Poison updates 261
15.4 Slowing down the spread 262
15.5 Legal implications of attacking worm nodes 263
15.6 A more professional and effective way to stop worms 264
15.7 Discussion 266
15.8 Conclusions 267
References 267
16 Conclusions 269
16.1 A current example 269
16.2 Reacting to worms 270
16.3 Blind spots 273
16.4 The continuing threat 273
16.5 Summary 275
16.6 On-line resources 275
References 277
About the Author 279
Index 281
Abstract:
This is the first book focused exclusively on Internet worms, offering solid worm detection and mitigation strategies for work in the field. The volume puts rising worm trends into perspective with practical information on detection and defense techniques, using data from live networks, real IP addresses, and commercial tools. It explains the classifications and groupings of worms and offers a deeper understanding of how they threaten network and system security.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.