SUPER WORMS AND CRYPTO VIROLOGY: A DEADLY COMBINATION
#1

Presented by:
G. Siva Kumar Reddy
Y.Sarath

Abstract
Understanding the possible extent of the future attacks is the key to successfully protecting against them. Designers of protection mechanisms need to keep in mind the potential ferocity and sophistication of viruses that are just around the corner. That is why we think that the potential destructive capabilities of fast spreading worms like the Warhol worm, Flash worm and Curious Yellow need to be explored to the maximum extent possible. While re-visiting some techniques of viruses from the past, we can come across some that utilize cryptographic tools in their malicious activity. That alarming property, combined with the speed of the so-called “super worms”, is explored in the present work. Suggestions for countermeasures and future work are given.
Keywords
Computer viruses, worms, cryptography, crypto virology
1. Introduction
The most distinctive and alarming trends in current computer attacks are high automation and speed, increasing sophistication of attack tools, a vulnerability discovery rate that is hard to keep up with, increasing permeability of firewalls and the highly asymmetric nature of the threat [1]. Monitoring organizations name worms as one of the four most alarming types of today’s attacks.
The most notable incidents that caused such concern include the outbreaks of the Code Red [10], Code Red II [11], Nimda [9] and, more recently, Linux.slapper [12] worms. All four worms were noted for their extraordinary propagation speeds; however, damage-wise, they were rated as a low threat. Such a discrepancy between the levels of propagation techniques and destructive capabilities was immediately spotted, and several interesting works were produced ([2],[3],[4]) that (sometimes too emotionally) put the situation in perspective and explored the limits of the destructive potential of fast-spreading, cooperating malicious entities. However, this potential becomes even more overwhelming when one tries to combine the swiftness of the worms with the ferocity of some viruses from the past. Cryptography, as some point out [5], is usually thought of as a science that supplies us with tools to enforce integrity and confidentiality; however, its undoubted strengths can be used to attack these same properties. Some of the studied viruses relied on cryptographic tools to cause damage that is quite hard to undo.
This paper explores the combination of fast worms and cryptovirologic virus techniques. First, in Section 2.1, we give a survey of works describing the Warhol worm, Flash worm and Curious Yellow. Then, in Section 2.2, we describe cryptovirology and the potential damage that can be done by viruses with cryptographic capabilities. Section 3 is dedicated to further damage assessment and the countermeasures to the problem that we suggest. Finally, Section 4 is a summary of the ideas outlined in this paper.
2. Overview
2.1 Warhol Worm

The widely discussed [13] work on the Warhol worm begins with a quick analysis of the worms that plagued the Internet in 2001. The famous Code Red virus was quite successful in its propagation. However, it performed random automatic scanning for new victims, and utilized only one vulnerability in Microsoft Internet Information Services (IIS). The worm did not use any local information to spread itself more efficiently. It did not have any communication or coordination capabilities. Nonetheless, after a quick analysis, the authors come to the conclusion that the proportion of web servers infected grew exponentially with time. In the beginning, each infected server was able to find 1.8 other vulnerable servers per hour; in the final stages of the worm’s life, the rate was 0.7. Code Red turned itself off on July 19, 2001. Damage-wise, Code Red had a distributed denial of service (DDoS) payload targeting the IP address of whitehouse.gov, and some web site defacement capabilities. Apart from that, it initiated an extraordinary amount of scanning traffic from the victim host. While somewhat bothersome, these actions cannot be considered a serious attack and indicate that the creator of the worm most likely pursued experimental goals. A distinctive characteristic of Code Red is the very random nature of the scanning it performed. According to the authors’ data, Code Red entities scanned the same computers for the same vulnerabilities up to 500,000 times per hour! The proportion of wasted scanning traffic becomes even more impressive if we consider the percentage of all possible IP addresses that actually map to active web servers running IIS with the targeted vulnerability. Such a random propagation strategy has several disadvantages: it wastes the victim’s resources, greatly reduces the propagation speed, reveals itself on the target system, and makes the worm world-famous in a matter of hours.
Code Red II targeted the same single IIS vulnerability as Code Red. As a scanning strategy improvement, it chose a random IP address from the victim’s class B address space with probability 3/8, a random IP address from the victim’s class A address space with probability 1/2, and an absolutely random IP address with probability 1/8. The authors note that such an improved scanning strategy was successful, due to the fact that hosts with similar vulnerabilities apparently tend to be closer on the network, and also to the quicker contamination of firewall-protected domains once some Code Red II instance managed to get inside such a network. The worm died by design on October 1, 2001.
Based on the new propagation strategy, we can conclude that the author of Code Red II, most likely, also pursued experimental goals, taking no time to address multiple vulnerabilities, or develop a more meaningful way to spread the virus.
The new virus had a potentially more damaging payload, which installed a root backdoor allowing unrestricted remote access to the infected host. However, Code Red II was quickly contained too, immediately revealing itself on the victim hosts.
The authors also argue that analysis of Code Red II behavior would be more involved than Code Red’s, due to the fact that the two viruses overlapped and interfered with each other, and also to the local scanning strategy of the former.
Finally, the authors describe the Nimda worm, which contained a few obvious improvements. Nimda used five different ways to propagate itself, namely: an IIS vulnerability, bulk emails, open network shares, defaced web pages to infect visitors through their browsers, and backdoors left by the Code Red II and sadmind viruses. Such a multi-vector approach also helped to penetrate firewalls quicker, since most organizations leave incoming mail handling to the mail server or even to users themselves. These improvements made Nimda another widely discussed worm; however, Nimda still appears to be a quick hack that lacks any solid design or purpose. The worm displayed the same characteristics; the authors cite their measurements on a Lawrence Berkeley National Laboratory computer that showed a peak hit rate of 140 Nimda HTTP connections per second. Despite the same inefficiency, system administrators still report Nimda activity, more than a year after the attack.
Nimda did not carry a communication or coordination payload. According to most sources ([9],[2]), the worm did not include any apparent destructive functions, apart from the ones that facilitated further propagation.
A large part of the paper is dedicated to considering possible worm improvements. The authors refer to the improved virus as a “Warhol worm”. First, they look at so-called “hit-list scanning”, which is collecting a list of vulnerable hosts prior to the worm launch. After the pre-scanning stage, the worm would be unleashed on the hosts in the list. The authors argue that it took the existing worm the longest to infect the first 10,000 hosts, and the infection grew exponentially; therefore, a boost of 50,000 would greatly speed up the propagation.
Permutation scanning is another improvement targeted at reducing the scanning overlap between worm entities. The new worm would generate an IP address space permutation using a 32-bit block cipher and a pre-selected key. It would encrypt an IP to get the corresponding permutation, and decrypt to get an IP. During the infection, it would work up the permutation starting from a random IP’s hash, and re-start at a random point in the hash every time it comes across an already infected system. Another improvement would be to stop completely after running into several infected hosts in a row; that would indicate that the Internet is completely infected.
In a partitioned permutation scheme, worm instances get a hash range they are responsible for, and they halve their range every time they infect a new host, giving the other half to the new instance. When an instance completes its range scan, it restarts from a random point in the hash.
Topological scanning relies on the information and properties of the infected hosts, such as email addresses found on hard drives, a list of peers from peer-to-peer networks a host might be participating in, etc. Some ([13]) note that a “spider” type of virus, which would operate similarly to web indexing and email collecting spiders, might also be efficient. That kind of virus would be completely topology-dependent, traversing the network using popular protocols (HTTP, FTP, etc.) and following the links it collects on its way. Such a possibility can also be considered in a separate work. Giving the Warhol worm spider-like capabilities appears to be another improvement in its propagation techniques.
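As an added illustration (not code from the paper or the forum post), the logistic propagation model below quantifies the hit-list argument from a risk-assessment angle: how long a randomly scanning worm with the post's 1.8 new victims per host per hour needs to pass the 10,000-host slow start and to saturate the population, starting from one host versus from a 50,000-host hit list. The vulnerable-population size of 360,000 is an assumption, and the model is the standard logistic (random-constant-spread) approximation, not something the post specifies.

```python
import math

# Constructed, labelled assumptions: the post quotes the rate and host counts
# but not the size of the vulnerable population; 360,000 is a placeholder.
VULNERABLE_HOSTS = 360_000   # assumed size of the vulnerable population
INITIAL_RATE = 1.8           # new victims per infected host per hour (from the post)
HIT_LIST = 50_000            # hit-list size discussed in the post
SLOW_START = 10_000          # the "first 10,000 hosts" the post says took longest


def hours_to_reach(infected_target, initial_infected, rate=INITIAL_RATE,
                   population=VULNERABLE_HOSTS):
    """Hours until `infected_target` hosts are infected under random scanning.

    Logistic model: with infected fraction a, each infected host still finds
    rate*(1-a) fresh victims per hour (its probes increasingly land on hosts
    that are already infected), so da/dt = rate * a * (1 - a). Solving gives
    the time to go from fraction a0 to fraction a1 as
        t = ln( (a1/(1-a1)) * ((1-a0)/a0) ) / rate
    """
    a0 = initial_infected / population
    a1 = infected_target / population
    if a1 <= a0:
        return 0.0
    return math.log((a1 / (1 - a1)) * ((1 - a0) / a0)) / rate


def effective_rate(infected, rate=INITIAL_RATE, population=VULNERABLE_HOSTS):
    """Per-host infection rate once `infected` hosts are already compromised."""
    return rate * (1 - infected / population)


def compare_hit_list(target_fraction=0.9):
    """Return (hours from one seed host, hours from the hit list, speed-up)."""
    target = target_fraction * VULNERABLE_HOSTS
    from_one = hours_to_reach(target, 1)
    from_list = hours_to_reach(target, HIT_LIST)
    return from_one, from_list, from_one / from_list


if __name__ == "__main__":
    one, lst, factor = compare_hit_list()
    print(f"first {SLOW_START:,} hosts from a single seed: "
          f"{hours_to_reach(SLOW_START, 1):.1f} h")
    print(f"90% saturation from a single seed: {one:.1f} h; "
          f"from a {HIT_LIST:,}-host hit list: {lst:.1f} h ({factor:.1f}x faster)")
    print(f"per-host rate at 60% saturation: "
          f"{effective_rate(0.6 * VULNERABLE_HOSTS):.2f} victims/h")
```

Under these assumptions more than half of the total time to 90% saturation is spent reaching the first 10,000 hosts, which is exactly the phase a hit list removes; at 60% saturation the model's per-host rate has fallen to 0.72 victims per hour, close to the 0.7 the post cites for the worm's final stages.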
#2
Hi, please send the PPT and related documents of SUPER WORMS AND CRYPTO VIROLOGY: A DEADLY COMBINATION. Thanks in advance. My email id: pravi65[at]ymail.com