A Study of Mass-Mailing Worms
by Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004
Presented by Allen Stone

Mass-mailing worms (outline)
- Background (Morris, Code Red, and Slammer)
- Analysis of the Sobig and MyDoom worms
- Anomalies: TCP, IP addresses, DNS, traffic in general
- Discussion and conclusions
- Protection

Worms: what are they?
- "A self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers." (Wikipedia)

The Morris worm
- The first Internet worm, written by Robert T. Morris, Jr., a first-year computer science student at Cornell University.
- Infected roughly six thousand machines nationwide in November of 1988.
- Performance of victim machines was drastically reduced because of propagation attempts.

Scanning worms
- Typical worms use aggressive IP scanning to find potential victim machines that are vulnerable to the exploit they carry.
- Code Red, 2001: 359,000 computers infected within 14 hours. An IIS exploit spread through web scanning.

Mass-mailing worms
- Sends itself via email; usually infects through email attachments.
- Harvests email addresses from the address book, web cache, and hard disk.
- (Unlike viruses) no need to acquire new targets; tricks users into running malicious code on their own machines.
- Some worms use their own SMTP engine.

Analysis
- The Sobig and MyDoom mass-mailing worms.
- Real network trace data, collected from the edge router of CMU's Electrical and Computer Engineering department.
- Two two-week periods (Aug.-Sept. 2003 and Jan.-Feb. 2004).

Infected or chatty? Heuristics of suspicion
- Outgoing SMTP connections on a controlled network not going to an authorized mail server.
- Message payload similar to the payload sizes of known worm traffic from Symantec.
- Admittedly not 100 percent accurate.

Worm effect: TCP traffic
- Scanning worms have spikes in all kinds of traffic, caused by scanning for other boxes to compromise.
- Mass-mailing worms use email to spread to potential victim boxes through mail service over TCP.
- Since the worms use their own SMTP engines, there should be no outbound SMTP traffic spikes from the existing mail servers.
- There is a spike in traffic with Sobig, but not with MyDoom.
- Spoofed emails sent to harvested addresses create false guesses, which create backscatter.
- Sobig is more aggressive than MyDoom during propagation.

Worm effect: distinct IPs
- Normal boxes that are not infected touch an average number of distinct IPs in a given day.
- Infected boxes use email addresses from all over, taken from the harvest, so the number of distinct IPs an infected system touches should be noticeably larger.
- The number of IPs a mail server touches should not change, intuitively, since mail servers already send to new IPs on a regular basis.
- Infected boxes experienced a rise; mail servers did as well, despite the expectation.

Worm effect: DNS
- DNS-related events were expected to rise, since SMTP needs to resolve the IP associated with each email address's domain.

Worm effect: overall traffic
- HTTP traffic dominates the network, with over 90% of all inbound and outbound traffic. Do the infected systems make a large impact on that fact?

Discussion and conclusions
- Mass-mailing worms show a significant and noticeable impact on a network.
- Prevention measures belong at the DNS server, rather than at the SMTP server.
- Detection should focus on outgoing TCP, DNS, and distinct IPs, rather than on whole-network anomaly detection, due to the dominance of HTTP.
- Both worms overran the network, Sobig more so than MyDoom.
- SMTP servers were still affected, even though the worms carry their own mail clients, due to backscatter.
- Antivirus software on mail servers was actually counter-productive as a defense measure.

Protection
- Detect worms either at the border router or on individual systems.
- Utilize DNS servers to limit the spread of the worm, possibly quarantining malicio
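The two host-level heuristics above (outbound SMTP that bypasses the authorized mail servers, and an unusually large number of distinct destination IPs per host) can be checked against edge-router flow records. The following is an added example written for this page, not code from the paper or the presenter; the flow records, the authorized-server list and the per-host baseline are constructed sample data, and the Symantec payload-size heuristic is left out.

```python
"""Flow-level heuristics of suspicion for mass-mailing worm infections.

Heuristic 1: a host opens SMTP (TCP/25) connections to something other
than an authorized mail server (worms carrying their own SMTP engine).
Heuristic 2: a host touches far more distinct destination IPs in a day
than the baseline for an uninfected host (harvested address fan-out).
"""
from collections import defaultdict

# Constructed: the network's authorized outbound mail relays.
AUTHORIZED_MAIL_SERVERS = {"10.0.0.25"}

# Constructed flow records as an edge router might export: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.0.1.10", "10.0.0.25", 25),      # ordinary client relaying through the mail server
    ("10.0.1.10", "93.184.216.34", 80),
    ("10.0.1.10", "10.0.0.53", 53),
    ("10.0.1.42", "198.51.100.7", 25),   # direct SMTP to outside hosts, many of them
    ("10.0.1.42", "198.51.100.8", 25),
    ("10.0.1.42", "203.0.113.9", 25),
    ("10.0.1.42", "203.0.113.10", 25),
    ("10.0.1.42", "203.0.113.11", 25),
    ("10.0.1.42", "203.0.113.12", 25),
    ("10.0.1.42", "10.0.0.53", 53),
    ("10.0.0.25", "198.51.100.7", 25),   # the mail server itself delivering outbound mail
]

def rogue_smtp_hosts(flows, authorized):
    """Hosts that speak SMTP to a destination other than an authorized mail server."""
    return {src for src, dst, port in flows
            if port == 25 and dst not in authorized and src not in authorized}

def distinct_ip_counts(flows):
    """Number of distinct destination IPs each source host touched."""
    seen = defaultdict(set)
    for src, dst, _port in flows:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

def fanout_outliers(counts, baseline, factor=2.0):
    """Hosts whose distinct-IP count exceeds factor * baseline (baseline: uninfected daily average)."""
    return {host for host, n in counts.items() if n > factor * baseline}

def suspects(flows, authorized, baseline, factor=2.0):
    """Union of both heuristics; mail servers are exempt from the fan-out test, as the study expects."""
    counts = {h: n for h, n in distinct_ip_counts(flows).items() if h not in authorized}
    return rogue_smtp_hosts(flows, authorized) | fanout_outliers(counts, baseline, factor)
```

With the constructed data and a baseline of three distinct IPs per day, only 10.0.1.42 trips both heuristics; the authorized mail server is exempt even though it also sends SMTP to outside hosts, which is exactly the case the study found still needed separate attention because of backscatter.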