Active Internet Worms & DIB:S
The Problem
Wormsign – CR, etc.
Houston, I think we have a problem
Old News is Good News
(for the bad guys/gals)
Impact?
CR II Propagation
IP Behavior [1]
Collateral Damage
Collateral Damage
Collateral Damage
Collateral Damage
Collateral Damage
Demonstration
CodeRed II
Reaction
Detection
Detection
C:\explorer.exe
Detection
C:\inetpub\scripts\root.exe
Eradication
Worm Functions
sadmind/IIS
Buffer Overflow
Exploiting Buffer Overflows
Unicode Directory Traversal
Unicode Directory Traversal
Unicode Directory Traversal
sadmind/IIS
sadmind/IIS
Mechanisms in sadmind/IIS
Mechanisms in CodeRed
Mechanisms in Nimda
Future Improvements?
Early Warning of 0-days
DIB:S
IP Behavior [1] review
IP Behavior [2]
Frequency of ICMP responses
DIB:S Participants
Embedded Data Correlation
Event Bloom Signatures
DIB:S Architecture
Future Challenges
Future DIB:S Challenges
Future Worm Directions