Lesson 11.1 - 11.3 - Internet Worms, Spam & Denial of Service Flashcards
What is a virus and how is it spread?
- It's when a program's behavior is modified because of an "infection" (the virus attaches its own code to a host program)
- Spread by some user action: opening an attachment, running an infected program, booting from an infected disk
- MANUAL
What is a worm?
- Code that replicates itself across the network
- Spread automatically by exploiting flaws in existing services/programs
- AUTOMATIC
What types of viruses are there and what does each type do?
- Parasitic Virus - attaches itself to executable files and runs whenever the infected file is run
- Memory-Resident Virus - stays resident in memory after its host program runs and infects other programs as they are loaded
- Boot-Sector Virus - lives in the boot sector and runs (and spreads) when the system is booted
- Polymorphic Virus - encrypts its body with a randomly generated key on each infection and prepends a small decryptor, so every copy looks different to a signature scanner even though the decrypted code does basically the same thing
What does the worm lifecycle look like?
- Discover/Scan for vulnerable hosts
- Infect vulnerable machines through remote exploits
- Remain undiscovered
What was the first internet worm ever made?
- Morris worm by Robert Morris in 1988
- No malicious payload, but it exhausted resources (it kept re-infecting already-infected machines, which ground them to a halt)
- Spread through multiple vectors:
  - Cracking passwords with a small dictionary, then remote execution through rsh/rexec trust relationships
  - Buffer overflow in fingerd
  - DEBUG command in sendmail
What 3 major worms were released in the summer of 2001?
- Code Red 1 version 2 - exploited a buffer overflow in Microsoft IIS; spread from the 1st through the 19th of each month using random scanning of the IP address space (version 1 seeded its random number generator with a fixed value, so every copy scanned the same addresses; version 2 fixed that). PAYLOAD was a DoS flood against whitehouse.gov starting on the 20th
- Code Red 2 - a different worm using the same IIS hole; scanned nearby addresses (it preferred targets in the same /8 and /16 as the infected host, since those are likely to run the same software). PAYLOAD was an IIS backdoor giving remote access to the machine
- Nimda - spread through multiple vectors (email, open network shares, web pages served from compromised IIS servers, and scanning for the backdoors left behind by Code Red 2)
Fast spreading worms use a high initial compromise rate. T/F
True
How do we increase the initial compromise rate and avoid redundant scanning?
- Hit list: a list of vulnerable hosts compiled before the worm is released, so the first copies compromise known-vulnerable machines instead of wasting their early probes on random addresses
- Permutation scanning: every copy of the worm shares the same pseudorandom permutation of the IP address space. A newly infected host starts at its own position in that permutation and works forward; when it reaches an address that is already infected it knows that stretch has been covered and jumps to a new random position. Copies therefore do not keep re-scanning the same addresses
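Added illustration of the coverage property behind permutation scanning (this is not code from the lesson, and it never touches a network): a toy address space of 4096 integers stands in for IPv4, the shared permutation is an affine map whose constants `A`, `B` play the role of the worm's shared key, and the already-infected hosts are constructed. The re-randomize step from Staniford et al. is simplified to "stop when you hit an infected host", which is enough to show that the copies' scan ranges partition the space with no overlap, while random scanning with the same number of probes wastes many of them on duplicates.

```python
import random

N = 4096           # toy address space: "addresses" are 0..N-1 (assumption: N is a power of two)
A = 1_664_525      # odd multiplier, so i -> (A*i + B) mod N is a bijection on 0..N-1
B = 1_013_904_223  # offset; (A, B) is the shared "key" every copy of the worm carries
A_INV = pow(A, -1, N)   # A is odd and N = 2**k, so A has an inverse mod N


def addr_at(i):
    """Address found at position i of the shared permutation."""
    return (A * i + B) % N


def index_of(addr):
    """Position of an address in the shared permutation (inverse of addr_at)."""
    return ((addr - B) * A_INV) % N


def permutation_scan(infected):
    """Targets each infected host probes under permutation scanning.

    A host starts right after its own position in the shared permutation and
    walks forward; when it reaches an address that is already infected it
    stops (Staniford et al. then re-randomize; the stop alone shows the
    coverage property).  Returns {host: [targets probed]}.
    """
    infected = set(infected)
    probes = {}
    for host in infected:
        targets = []
        i = (index_of(host) + 1) % N
        while addr_at(i) not in infected:
            targets.append(addr_at(i))
            i = (i + 1) % N
        probes[host] = targets
    return probes


def random_scan(infected, probes_per_host, seed=1):
    """Same total effort, but every host picks each target uniformly at random."""
    rng = random.Random(seed)
    return {host: [rng.randrange(N) for _ in range(probes_per_host)]
            for host in infected}


def duplicate_probes(probes):
    """Probes sent to an address some host had already probed (wasted effort)."""
    sent = [a for targets in probes.values() for a in targets]
    return len(sent) - len(set(sent))


def coverage(probes, infected):
    """Fraction of the address space that is infected or was probed at least once."""
    seen = set(infected) | {a for targets in probes.values() for a in targets}
    return len(seen) / N


if __name__ == "__main__":
    hosts = random.Random(7).sample(range(N), 8)   # constructed: eight already-infected hosts
    per_host = (N - len(hosts)) // len(hosts)       # same total number of probes for both strategies
    for name, probes in (("permutation", permutation_scan(hosts)),
                         ("random", random_scan(hosts, per_host))):
        print(f"{name:12s} duplicates={duplicate_probes(probes):5d} "
              f"coverage={coverage(probes, hosts):.2f}")
```

With the same budget of N - 8 probes, the permutation walk reaches every address exactly once, whereas random scanning revisits many addresses and leaves a large fraction untouched; that gap is what the hit list plus permutation scanning combination is designed to close.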
What was the Slammer worm?
- Code fit in a single small UDP packet (376 bytes, sent to the Microsoft SQL Server resolution service)
- Buffer overflow + random scanning
- Connectionless! Because UDP needs no handshake, its spread was limited only by bandwidth, not by latency
- No payload; it just caused resource exhaustion (its scanning traffic saturated networks within minutes)
Since most spam ends up in a spam folder, why is spam still a problem?
- Filters - someone has to design them and keep them up to date as spammers adapt
- Storage - spam still consumes disk space and bandwidth even when it is never read
- Security problems - spam is the delivery vehicle for malware and phishing attacks
How do we differentiate spam from “ham”?
- Content-based filtering -> easy to evade (spammers reword messages, misspell keywords, or put the text in images)
- IP address of the sender (blacklisting)
- Behavioral features (sending patterns such as time of day, recipient counts, message sizes), which are harder for a sender to change than message content
How does IP Blacklisting work?
The receiving mail server sees the sender's IP address at connection time, before any message content is transferred. It reverses the octets of that address, appends the DNS Blacklist's zone name, and looks the resulting name up in DNS. If the answer is an address in 127.0.0.0/8 the IP has been blacklisted and the server rejects the connection without ever accepting the email; if the name does not exist (NXDOMAIN) the IP is not listed and the message is accepted (or handed to the other filters).
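Added example of that lookup as a receiving MTA would perform it (this is not code from the lesson). The zone name `dnsbl.example` is a placeholder for a real blacklist zone and `FAKE_ZONE` is a constructed stand-in for its DNS records so the example runs offline; the reversed-octet query name and the 127.0.0.0/8 reply convention are how real DNSBLs work. It also covers two things the flashcard skips: never querying non-routable addresses, and treating anything other than a 127/8 answer or NXDOMAIN as "unknown" rather than silently accepting the sender.

```python
import ipaddress
import socket

# Ranges a mail server should never look up in a DNSBL: they are not routable
# on the public Internet, so a listing is meaningless and the query only
# leaks information about internal traffic to the blacklist operator.
NEVER_QUERY = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBLs answer inside this range


def dnsbl_query_name(ip, zone):
    """Build the DNS name for an IPv4 address: octets reversed, zone appended.

    192.0.2.44 checked against dnsbl.example becomes 44.2.0.192.dnsbl.example.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in NEVER_QUERY):
        raise ValueError(f"{ip} is not a public address; refusing to query")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Real resolver for production use: A record as a string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as e:
        if e.errno == socket.EAI_NONAME:   # name does not exist: not listed
            return None
        raise                              # temporary failure: let the caller decide


def dnsbl_check(ip, zone, resolve=resolve_a):
    """Return 'listed', 'not-listed' or 'unknown' for a sending IP.

    A DNSBL answers with an address in 127.0.0.0/8 when the IP is listed and
    NXDOMAIN when it is not.  Anything else (a resolver error, or an answer
    outside 127/8, which is what a dead blacklist's expired, wildcarded domain
    returns) is reported as 'unknown' so the caller chooses whether to fail
    open or closed instead of silently treating the sender as clean.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError:
        return "unknown"
    if answer is None:
        return "not-listed"
    if ipaddress.IPv4Address(answer) in LISTED_RANGE:
        return "listed"
    return "unknown"


# Constructed stand-in for the blacklist's DNS zone so the example runs offline.
FAKE_ZONE = {"44.2.0.192.dnsbl.example": "127.0.0.2"}   # 192.0.2.44 is "listed"


def fake_resolve(name):
    return FAKE_ZONE.get(name)


def smtp_greeting_decision(ip, zone="dnsbl.example", resolve=fake_resolve):
    """What the MTA does at connection time, before any message content is sent."""
    verdict = dnsbl_check(ip, zone, resolve)
    if verdict == "listed":
        return "554 5.7.1 Service unavailable; client host blocked by DNSBL"
    return "220 mail.example ESMTP ready"


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.45"):
        print(ip, dnsbl_check(ip, "dnsbl.example", fake_resolve), smtp_greeting_decision(ip))
```

To run it against a real blacklist, pass `resolve_a` (or a resolver with a short timeout) instead of `fake_resolve` and the operator's zone name instead of `dnsbl.example`; the point of the 'unknown' verdict is that a resolver outage should not quietly turn the check into "accept everything".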
What are some behaviors we can track to help us filter spam?
- Geographic location of the sender
- Set of target recipients
- Upstream ISPs (the ASes the sender's traffic passes through)
- Whether the sender is a member of a botnet
- In a single packet (no message content needed):
  - Geodesic distance between sender and receiver, and the AS distance between them
  - Density: how many other mail senders sit in the same IP neighborhood
  - Time of day
- In a single message:
  - Number of recipients
  - Length of the message
- In a group of messages from the same sender:
  - Variation in message length (bulk mail tends to be the same size every time)
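Added example that computes the single-message and per-sender features listed above from the kind of metadata a mail server logs without reading message bodies (this is not code from the lesson or from SNARE). The `MESSAGES` records are constructed: addresses come from documentation ranges, ASNs from the private range, and the coordinates stand for geolocated sender/receiver IPs. The scoring thresholds at the end are assumptions chosen for this sample to show how the features separate a bulk sender from a normal one; a real system would learn them from labeled data.

```python
import math
import statistics
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample of what a receiving server can log per message:
# sender IP, geolocated sender/receiver (lat, lon), sender/receiver ASN,
# UTC timestamp, number of recipients and message length in bytes.
MESSAGES = [
    {"sender": "192.0.2.10", "s_loc": (33.75, -84.39), "r_loc": (33.75, -84.39),
     "s_asn": 64496, "r_asn": 64496, "ts": "2009-03-02T14:05:00", "rcpts": 1, "size": 2300},
    {"sender": "192.0.2.10", "s_loc": (33.75, -84.39), "r_loc": (33.75, -84.39),
     "s_asn": 64496, "r_asn": 64496, "ts": "2009-03-02T09:41:00", "rcpts": 2, "size": 5100},
    {"sender": "192.0.2.10", "s_loc": (33.75, -84.39), "r_loc": (33.75, -84.39),
     "s_asn": 64496, "r_asn": 64496, "ts": "2009-03-03T16:20:00", "rcpts": 1, "size": 900},
    {"sender": "198.51.100.7", "s_loc": (55.75, 37.62), "r_loc": (33.75, -84.39),
     "s_asn": 64500, "r_asn": 64496, "ts": "2009-03-02T03:02:00", "rcpts": 40, "size": 800},
    {"sender": "198.51.100.7", "s_loc": (55.75, 37.62), "r_loc": (33.75, -84.39),
     "s_asn": 64500, "r_asn": 64496, "ts": "2009-03-02T03:04:00", "rcpts": 35, "size": 800},
    {"sender": "198.51.100.7", "s_loc": (55.75, 37.62), "r_loc": (33.75, -84.39),
     "s_asn": 64500, "r_asn": 64496, "ts": "2009-03-02T04:15:00", "rcpts": 50, "size": 800},
]


def haversine_km(a, b):
    """Great-circle (geodesic) distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def message_features(m):
    """Features visible in one SMTP transaction, without the message body."""
    return {
        "hour": datetime.fromisoformat(m["ts"]).hour,
        "rcpts": m["rcpts"],
        "size": m["size"],
        "distance_km": haversine_km(m["s_loc"], m["r_loc"]),
        "cross_asn": m["s_asn"] != m["r_asn"],
    }


def sender_features(msgs):
    """Aggregate features over a group of messages from one sender."""
    feats = [message_features(m) for m in msgs]
    sizes = [f["size"] for f in feats]
    return {
        "messages": len(feats),
        "max_rcpts": max(f["rcpts"] for f in feats),
        "size_stdev": statistics.pstdev(sizes) if len(sizes) > 1 else 0.0,
        "mean_distance_km": statistics.mean([f["distance_km"] for f in feats]),
        "cross_asn_fraction": sum(f["cross_asn"] for f in feats) / len(feats),
        "night_fraction": sum(f["hour"] < 6 for f in feats) / len(feats),
    }


def suspicion_score(sf):
    """Toy rule (assumed thresholds, not SNARE's classifier): one point per bulk-like signal."""
    score = 0
    score += sf["max_rcpts"] >= 10                      # many recipients per message
    score += sf["messages"] > 1 and sf["size_stdev"] == 0   # identical sizes across the group
    score += sf["mean_distance_km"] > 5000              # sender far from its recipients
    score += sf["night_fraction"] > 0.5                 # mostly sent in the small hours
    return int(score)


def classify(sf, threshold=3):
    return "spam" if suspicion_score(sf) >= threshold else "ham"


def by_sender(messages):
    groups = {}
    for m in messages:
        groups.setdefault(m["sender"], []).append(m)
    return {ip: sender_features(msgs) for ip, msgs in groups.items()}


if __name__ == "__main__":
    for ip, sf in by_sender(MESSAGES).items():
        shown = {k: (round(v, 1) if isinstance(v, float) else v) for k, v in sf.items()}
        print(ip, classify(sf), shown)
```

None of these features depend on the words in the message, which is why a sender cannot evade them by rewording; the bulk sender here is caught by its recipient counts, its unvarying message size, its distance from the recipients and its sending hours.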
What is a BGP spectrum agility attack?
- The attacker briefly announces a route for a large IP prefix via BGP (often unallocated space, or space that belongs to someone else)
- The attacker sends spam from addresses inside that prefix
- The attacker then withdraws the route. Because each address is used only for a short time (it is ephemeral), the blacklist is rendered useless: by the time an address gets listed, the spammer has already moved to a different one
What is SNARE?
SNARE (Spatio-temporal Network-level Automatic Reputation Engine) is a behavioral spam filter that classifies senders from network-level features like the ones above, without looking at message content. It achieves about a 70% detection rate at a 0.3% false-positive rate.