Security Threats: Worms and Viruses

Cyril Onwubiko, Networking and Communications Group, http://ncg.kingston.ac.uk

(PowerPoint presentation, 23 slides)


Page 1: Security Threats Worms and Viruses

Security Threats

Worms and Viruses

Cyril Onwubiko
Networking and Communications Group

http://ncg.kingston.ac.uk

The Networking and Communications Group

Page 2: Security Threats Worms and Viruses

Overview

Background, Theory, Detection Mechanisms, Countermeasures, Q/A

Page 3: Security Threats Worms and Viruses


Background

Page 4: Security Threats Worms and Viruses

Security Threats

Exploit vulnerabilities in (asset): Computer Systems, Network Systems, Information & Content

Causes (effect): Disruption of Service, Degradation of Service, Denial of Service, Manipulation/Theft of Information

Page 5: Security Threats Worms and Viruses

Worms/Viruses

Worms: Malicious software with the capability of self-replication. May not require another piece of software to be activated. Propagates through networks.

Viruses: Malicious software that attaches itself to other software. Requires another piece of software to be activated. Replicates within computer systems, not necessarily networks.

Page 6: Security Threats Worms and Viruses

Type of Worms/Viruses

Time Bomb: A type of worm that remains dormant in the host until a certain time is reached. Example: <if time Eq 22/03/2006 then start>

Logic Bomb: A type of worm that remains dormant in a host until a certain condition or event occurs (logic), and then deletes files, slows down or crashes the host system, etc. Example: <if license_expires then start>

Trojan Horse: A type of worm (malicious logic) performing, or able to perform, an illegitimate action while giving the impression of being legitimate; the illegitimate action can be disclosure or modification of information. Example: Internet pop-ups: <Your system is running very slow. Do you want to Speed Up?> [Click]

Page 7: Security Threats Worms and Viruses

Type of Worms/Viruses

Rabbit: A type of worm that, when activated, replicates itself until a point of system exhaustion. Example: consumes CPU and network resources.

Bacterium: A type of virus that attaches itself to the OS (rather than an application). It consumes the system’s resources to the point of exhaustion. Similar to ‘Rabbit’.

Aggressive Worms: A type of worm that spreads across the network faster than normal worms. They are continuously activated!

Page 8: Security Threats Worms and Viruses


Theory

Page 9: Security Threats Worms and Viruses

General Concept

[Diagram: Worm/Virus shown as a subset of Security Threats, with Countermeasures applied against them]

Worms and viruses are subsets of security threats. To appropriately mitigate against them, we need effective countermeasures!

Page 10: Security Threats Worms and Viruses

Worm Models

SI Model: Susceptible -> Infected. No countermeasures applied.

SIR Model: Susceptible -> Infected -> Recovered. A single set of countermeasures.

SIQR Model: Susceptible -> Infected -> Quarantine -> Recovered, with Susceptible -> Removed. A couple of countermeasures.

Recovered: infected systems that have been treated. Removed: susceptible systems that are disconnected and patched.

Page 11: Security Threats Worms and Viruses

Classification of Worms

           Worms                                      Viruses
Medium     Emphasis on network;                       Emphasis on computer;
           early warning/detection possible           up-to-date DAT patches required
Behaviour  Innocuous, Humorous, Data Altering         Innocuous, Humorous, Deceptive,
           & Catastrophic                             Data Altering & Catastrophic
Design     Operational, external, human-made, software, malicious, deliberate and permanent (both)

Page 12: Security Threats Worms and Viruses

Phases of Worm Propagation

Early Stage: Dormant and inactive. Waits for a condition, or time, to start. E.g.: Code Red II, Slammer worms.

Penetration Stage: Worm activated. Hits the ‘hitlist’ – a list of systems with the target vulnerability. E.g.: Win32.Blaster exploits a flaw in MS RPC. Propagation rate is gradual and linear.

Perpetuation Stage: External systems targeted (outside the ‘hitlist’). Propagation rate is quadratic or near exponential. Combined efforts from compromised systems. Hard to stop at this stage.

Exhaustion Stage: Near termination/completion. Countermeasures known and patches released. Program termination time very close.
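The three compartment models from the Worm Models slide, and the gradual-then-near-exponential growth described in the propagation phases above, as a discrete-time simulation. This is an added example and not code from the deck: the population size, the contact, recovery, quarantine and patch rates, and the per-step flow equations are assumed illustrative values and a standard textbook simplification, not the author's formulation.

```python
"""Discrete-time SI, SIR and SIQR worm-spread models (added example, not from the deck)."""
from dataclasses import dataclass, field


@dataclass
class Outcome:
    peak_infected: float            # highest number of infected hosts at any step
    peak_step: int
    final_infected: float           # infected hosts at the last step
    ever_infected: float            # hosts that were infected at some point
    infected_by_step: list = field(default_factory=list)


def simulate(n_hosts=10_000, initial_infected=1, contact_rate=0.5,
             recovery_rate=0.0, quarantine_rate=0.0, patch_rate=0.0, steps=120):
    """Run the compartment model for `steps` time units (all values assumed).

    S susceptible, I infected, Q quarantined, R recovered, X removed.
    Each step (flows computed from the current state, then applied):
      S -> I : contact_rate * S * I / N   (random-scanning worm: new infections are
                                            proportional to S*I, so growth is slow
                                            at first and then near exponential)
      I -> R : recovery_rate * I          (treated systems; SIR and SIQR)
      I -> Q : quarantine_rate * I        (isolated systems no longer spread; SIQR)
      Q -> R : recovery_rate * Q
      S -> X : patch_rate * S             (susceptible systems disconnected and patched)
    All extra rates at zero gives the SI model (no countermeasures).
    """
    assert recovery_rate + quarantine_rate <= 1.0, "outflow from I must not exceed I"
    s = float(n_hosts - initial_infected)
    i, q, r, x = float(initial_infected), 0.0, 0.0, 0.0
    series = [i]
    peak, peak_step, ever = i, 0, i
    for step in range(1, steps + 1):
        new_inf = min(s, contact_rate * s * i / n_hosts)
        patched = min(s - new_inf, patch_rate * s)   # never patch more than remains
        to_rec = recovery_rate * i
        to_quar = quarantine_rate * i
        q_rec = recovery_rate * q
        s -= new_inf + patched
        i += new_inf - to_rec - to_quar
        q += to_quar - q_rec
        r += to_rec + q_rec
        x += patched
        ever += new_inf
        series.append(i)
        if i > peak:
            peak, peak_step = i, step
    return Outcome(peak, peak_step, i, ever, series)


def si_model():
    """No countermeasures: every susceptible host is eventually infected."""
    return simulate()


def sir_model():
    """A single countermeasure: infected systems are treated (recovered)."""
    return simulate(recovery_rate=0.1)


def siqr_model():
    """Two countermeasures: infected systems quarantined and treated,
    susceptible systems disconnected and patched (removed)."""
    return simulate(recovery_rate=0.1, quarantine_rate=0.2, patch_rate=0.05)


def step_reaching(outcome, fraction, n_hosts=10_000):
    """First step at which the infected count reaches `fraction` of the population, else None."""
    for step, infected in enumerate(outcome.infected_by_step):
        if infected >= fraction * n_hosts:
            return step
    return None


if __name__ == "__main__":
    for name, out in (("SI", si_model()), ("SIR", sir_model()), ("SIQR", siqr_model())):
        print(f"{name:4s} peak={out.peak_infected:8.0f} at step {out.peak_step:3d}  "
              f"ever infected={out.ever_infected:8.0f}  final={out.final_infected:8.0f}")
```

Running the block prints one summary line per model; the SI curve saturates at the whole population, SIR peaks lower and decays once treatment outpaces new infections, and SIQR with quarantine plus patching keeps the peak to a few dozen hosts. The `infected_by_step` series is the place to look for the slow early phase followed by the steep rise.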

Page 13: Security Threats Worms and Viruses

Symptomatic Effect (Behaviour)

High CPU

System may crash intermittently

Increased/abnormal traffic on egress routers/interfaces

Abnormal system behaviour (slows down, performance issues, freezes and hangs often)

Increased/abnormal protocol usage; high peer_contact sent/received traffic

System halt and may not start

Missing or corrupt/destroyed files; system registry may be affected/altered

Page 14: Security Threats Worms and Viruses


Detection

Page 15: Security Threats Worms and Viruses

Early Detection Mechanisms

Ingress ACL

Rate Limiting at gateway devices

Security Information Management Systems

Automated Filtering: filtering of known security ports and protocols. Example: ingress traffic using UDP 137, TCP 135, 139, 445 etc.

Proactive Monitoring

Page 16: Security Threats Worms and Viruses

Early Warning Systems

Proactive-Based Systems

[Figure: probing traffic from the Open Network (ON, the Internet) towards the Corporate Network (CN), observed by the early warning system]

• Traffic analysis and probabilistic analysis

• Pattern analysis and speculative evidence

Early warning System
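The early-detection mechanisms from the previous slide (automated filtering of the listed ingress ports, rate limiting at the gateway) together with the traffic analysis of probing traffic described here and the high peer_contact symptom from the Symptomatic Effect slide, applied to a constructed flow log. This is an added example, not tooling from the deck: the flow-record format, the 10.0.0.0/16 corporate network, the sample hosts, the window size and the thresholds are assumptions chosen for illustration.

```python
"""Worm early-detection checks over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Ports named on the Early Detection slide; ingress traffic to them is dropped.
FILTERED_INGRESS_PORTS = {("udp", 137), ("tcp", 135), ("tcp", 139), ("tcp", 445)}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")   # assumed corporate network (CN)


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds (assumed record format)
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


def parse_flows(text):
    """Parse 'ts src dst proto/dport' lines; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "/" not in parts[3]:
            continue
        proto, port = parts[3].split("/", 1)
        try:
            flows.append(Flow(int(parts[0]), parts[1], parts[2], proto.lower(), int(port)))
        except ValueError:
            continue
    return flows


def is_ingress(flow):
    """Ingress = entering the corporate network from the open network."""
    return (ipaddress.ip_address(flow.src) not in INTERNAL_NET
            and ipaddress.ip_address(flow.dst) in INTERNAL_NET)


def apply_ingress_filter(flows):
    """Automated filtering / ingress ACL: drop ingress flows to the known worm ports.
    Returns (dropped, allowed). Internal-to-internal spread is not touched by this."""
    dropped, allowed = [], []
    for f in flows:
        target = dropped if is_ingress(f) and (f.proto, f.dport) in FILTERED_INGRESS_PORTS else allowed
        target.append(f)
    return dropped, allowed


def peer_contact_alerts(flows, window=10, max_peers=5):
    """Traffic analysis: a source contacting more than `max_peers` distinct hosts
    within any `window`-second bucket shows the high peer_contact pattern of a
    scanning worm. Returns {src: worst distinct-peer count}."""
    peers = defaultdict(set)                      # (src, bucket) -> set of dst
    for f in flows:
        peers[(f.src, f.ts // window)].add(f.dst)
    worst = {}
    for (src, _), dsts in peers.items():
        worst[src] = max(worst.get(src, 0), len(dsts))
    return {src: n for src, n in worst.items() if n > max_peers}


def rate_limit_alerts(flows, max_conn_per_sec=3):
    """Rate limiting at gateway devices: flag sources that open more than
    `max_conn_per_sec` flows within a single second. Returns {src: worst rate}."""
    per_sec = defaultdict(int)
    for f in flows:
        per_sec[(f.src, f.ts)] += 1
    over = {}
    for (src, _), n in per_sec.items():
        if n > max_conn_per_sec:
            over[src] = max(over.get(src, 0), n)
    return over


# Constructed sample log: normal web traffic, an external probe on tcp/135, and an
# infected internal host sweeping tcp/445 across a neighbouring subnet.
SAMPLE_FLOWS = "\n".join(
    [f"{1000 + i * 7} 10.0.0.7 10.0.0.8 tcp/80" for i in range(4)]
    + [f"{1003 + i} 203.0.113.9 10.0.0.20 tcp/135" for i in range(3)]
    + [f"{1010 + i // 4} 10.0.0.5 10.0.1.{i} tcp/445" for i in range(1, 25)]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    dropped, allowed = apply_ingress_filter(flows)
    print(f"parsed {len(flows)} flows, dropped {len(dropped)} by ingress filter")
    print("peer-contact alerts:", peer_contact_alerts(allowed))
    print("rate-limit alerts:  ", rate_limit_alerts(allowed))
```

The point the sample makes is that the ingress filter stops the external probe but is blind to the internal host spreading on tcp/445 inside the network; that host is only caught by the behavioural checks, which is why the deck pairs filtering with proactive monitoring.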

Page 17: Security Threats Worms and Viruses


Countermeasures

Page 18: Security Threats Worms and Viruses

Basic Techniques:

Stay up to date with the latest software patches

Harden your operating systems (SP/personal FW etc.)

Disable unused services

Consider filtering on ingress gateway devices

Consider disconnecting infected systems …

Remediation Services

Page 19: Security Threats Worms and Viruses

Admission Control Mechanisms:

Microsoft NAP (Network Access Protection)

Cisco NAC (Network Admission Control)

Access Control Mechanisms

Enterprise Initiatives
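The admission-control idea behind NAP/NAC, combined with the basic techniques from the previous slide (patching, personal firewall, disabling unused services), as a posture evaluator that decides whether a connecting host is admitted, sent to the remediation network, or denied. This is an added example and not Microsoft's or Cisco's implementation; the posture attribute names, the numeric patch baseline and the policy thresholds are all assumed for illustration.

```python
"""Admission-control posture check in the style of NAP/NAC (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Posture:
    """Statement of health a connecting host presents (assumed attribute names)."""
    host: str
    patch_level: int                       # assumed numeric patch baseline, higher is newer
    av_signature_age_days: int             # age of the AV/DAT signature set
    personal_firewall: bool
    listening_services: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Policy:
    """Health requirements the network enforces (assumed values)."""
    min_patch_level: int = 12
    max_signature_age_days: int = 7
    require_firewall: bool = True
    disallowed_services: frozenset = frozenset({"telnet", "netbios-ssn"})


def evaluate(posture: Optional[Posture], policy: Policy = Policy()):
    """Return (decision, reasons).

    'admit'      - compliant host, full network access
    'quarantine' - host presented a statement but fails one or more checks; it is
                   placed on the remediation network (patches, signature updates,
                   hardening) and re-evaluated afterwards
    'deny'       - host presented no statement of health at all
    """
    if posture is None:
        return "deny", ["no statement of health presented"]
    reasons = []
    if posture.patch_level < policy.min_patch_level:
        reasons.append(f"patch level {posture.patch_level} below required "
                       f"{policy.min_patch_level}")
    if posture.av_signature_age_days > policy.max_signature_age_days:
        reasons.append(f"AV signatures {posture.av_signature_age_days} days old "
                       f"(max {policy.max_signature_age_days})")
    if policy.require_firewall and not posture.personal_firewall:
        reasons.append("personal firewall disabled")
    exposed = sorted(posture.listening_services & policy.disallowed_services)
    if exposed:
        reasons.append("disallowed services listening: " + ", ".join(exposed))
    return ("admit", []) if not reasons else ("quarantine", reasons)


# Constructed sample hosts
COMPLIANT = Posture("ws-01", 14, 2, True, frozenset({"https"}))
UNPATCHED = Posture("ws-02", 9, 12, False, frozenset({"netbios-ssn", "https"}))

if __name__ == "__main__":
    for p in (COMPLIANT, UNPATCHED, None):
        decision, reasons = evaluate(p)
        name = p.host if p else "<no statement>"
        print(f"{name:14s} {decision:10s} {'; '.join(reasons)}")
```

The quarantine decision is what ties admission control to the remediation services on the countermeasures slide: a non-compliant host is not simply refused, it is steered to a network segment where it can be patched and re-checked before it is allowed to talk to the rest of the enterprise.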

Page 20: Security Threats Worms and Viruses

Proactive Monitoring Technique:

OS-SIM (Open Source Security Information Management)

PADS (Passive Asset Detection System)

SNORT – Open Source IDS

BASE (Basic Analysis and Security Engine) – alert management

Open Source Initiatives

Page 21: Security Threats Worms and Viruses

Conclusion

Worms and viruses are major security threats to information and network assets.

Worms (unlike viruses) can be detected early if adequate security mechanisms are in place.

Effects of worm/virus infection range from service disruption to system crash.

Proactive monitoring and early warning systems are recommended detection mechanisms.

Remediation services, OS hardening, patching, ingress filtering and disconnecting of infected systems are recommended countermeasures!

Page 22: Security Threats Worms and Viruses

Resources/References

1. Microsoft NAP: http://www.microsoft.com/windowsserver2003/technologies/networking/nap/beta.mspx

2. Cisco NAC: http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm

3. Cisco CiscoWorks SIMS: http://www.cisco.com/en/US/products/sw/cscowork/ps5209/index.html

4. Additional Resource: http://www.research-series.com/cyril/resources.html

5. IETF: EAP (Extensible Authentication Protocol): https://datatracker.ietf.org/public/idindex.cgi?command=id_detail&id=8369

6. Desktop FW/IDS. E.g. BlackICE Defender (ISS); ZoneAlarm etc.

7. NCG: NCG Publications: http://ncg.kingston.ac.uk/research/publications/publications.htm

Page 23: Security Threats Worms and Viruses


Contact Details

Networking & Communications Group
Kingston University

http://ncg.kingston.ac.uk

Email:[email protected] or [email protected]

Tel: Not Applicable