Lesson 11.1 - Internet Worms

Question 1

What is a Virus?

Answer 1

An “Infection” of an existing program that results in the modification of behavior.

Question 2

What is an Internet Worm?

Answer 2

usually spread by exploiting flaws in existing programs or open services

Question 3

What is a parasitic virus?

Answer 3

Typically infects an existing executable file.

Question 4

What is a memory-resident virus?

Answer 4

Infects running programs

Question 5

What is a boot sector virus?

Answer 5

A virus that spreads whenever the system is booted.

Question 6

What is a polmorphic virus?

Answer 6

A virus that encrypts part of the virus program using a randomly generated key.

Question 7

What is the difference between Worms and viruses?

Answer 7

Viruses: Spread manually
Worms: Spread automatically by scanning for vulnerabilities. A worm can use any of the virus techniques to gain initial access.

Question 8

What is the main difference between a worm and a vius?
A. Worms do not have destructive payloads?
B. Viruses only infect windows machines
C. Viruses can spread more rapidly
D. Worms can spread automatically

Answer 8

D

Question 9

What are the three steps in a worm’s “life-cycle”?

Answer 9

1. Discover/”scan” for vunerable hosts
2. Infect vulnerable machine via remote exploit
3. Remain undiscoverable

Question 10

How do we model fast-spreading worms

Answer 10

Using the Random Constant Spread model
K: Initial compromise rate
N: Number of vulnerable hosts
a: fraction of hosts already compromised.
Nda: Newly infected in dt
Nda = (Na)*K(1-a)dt

Question 11

How to increase initial compromise rate?

Answer 11

1. Hit List: List of vulnerable hosts (recon)
2. Permutation scanning: Shared permutation of IP address lists. Start from own IP + work down, ensuring compromised lists don’t duplicate work

Question 12

What allowed the slammer worm to spread quickly?
A: TCP / reliable transport
B: UDP / connectionless transport
C: Infected many OS types
D: Could fit in a single packet

Answer 12

B & D