
Outwitting the Witty Worm

An interesting analysis of the Witty worm (March 2004) data from the CAIDA team and another author. It shows the power of analyzing a raw data set together with knowledge of the worm itself. Have a look, too, at a recent paper featured here on Wormblog, Worm Hotspots: Explaining Non-Uniformity in Worm Targeting Behavior. What at first appears random isn't, and just when you think you've done a thorough analysis you realize there's more to do, and more that can be done.
Network "telescopes" that record packets sent to unused blocks of Internet address space have emerged as an important tool for observing Internet-scale events such as the spread of worms and the backscatter from flooding attacks that use spoofed source addresses. Current telescope analyses produce detailed tabulations of packet rates, victim population, and evolution over time. While such cataloging is a crucial first step in studying the telescope observations, incorporating an understanding of the underlying processes generating the observations allows us to construct detailed inferences about the broader "universe" in which the Internet-scale activity occurs, greatly enriching and deepening the analysis in the process.

In this work we apply such an analysis to the propagation of the Witty worm, a malicious and well-engineered worm that when released in March 2004 infected more than 12,000 hosts worldwide in 75 minutes. We show that by carefully exploiting the structure of the worm, especially its pseudo-random number generation, from limited and imperfect telescope data we can with high fidelity: extract the individual rate at which each infectee injected packets into the network prior to loss; correct distortions in the telescope data due to the worm's volume overwhelming the monitor; reveal the worm's inability to fully reach all of its potential victims; determine the number of disks attached to each infected machine; compute when each infectee was last booted, to sub-second accuracy; explore the "who infected whom" infection tree; uncover that the worm specifically targeted hosts at a US military base; and pinpoint Patient Zero, the initial point of infection, i.e., the IP address of the system the attacker used to unleash Witty.

Source: Outwitting the Witty Worm: Exploiting Underlying Structure for Detailed Reconstruction of an Internet Scale Event, by Abhishek Kumar, Vern Paxson, Nicholas Weaver.
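The inferences the abstract lists all rest on one forensic step: recovering a worm's full generator state from the few bits of each output that reach the telescope, then running the generator forwards and backwards. The script below is an added illustration of that step, not code from the post or from the paper's authors. It assumes the generator is the 32-bit linear congruential generator with the Microsoft C runtime rand() constants (214013, 2531011), which the full paper identifies as Witty's but the post itself does not state, and that a monitor sees only the top 16 bits of consecutive outputs; the sample observations are constructed by running the generator from a chosen seed.

```python
# Added example (not from the blog post or the paper's code).  Assumptions:
# the worm's generator is the 32-bit LCG with the Microsoft C runtime rand()
# constants, and a telescope sees only the top 16 bits of consecutive outputs
# (the bits a worm would place in address/port fields).  The observations
# below are constructed by running the generator from a chosen seed.

A, C, M = 214013, 2531011, 1 << 32

def lcg_next(state):
    return (A * state + C) % M

def lcg_prev(state):
    # A is odd, so it is invertible mod 2^32: the generator runs backwards too
    return ((state - C) * pow(A, -1, M)) % M

def top16(state):
    return state >> 16

def observe(seed, n):
    """Top 16 bits of the next n outputs, as a telescope would see them."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_next(s)
        out.append(top16(s))
    return out

def recover_state(observed):
    """Return every full 32-bit state consistent with the observations.
    Only 2^16 states share observed[0]'s high bits; each candidate is
    stepped forward and checked against the remaining observations."""
    hi = observed[0] << 16
    found = []
    for low in range(1 << 16):
        s = t = hi | low
        for want in observed[1:]:
            t = lcg_next(t)
            if top16(t) != want:
                break
        else:
            found.append(s)
    return found

def recover_seed(observed):
    """Walk the (unique) recovered state back to the seed that produced it."""
    states = recover_state(observed)
    return lcg_prev(states[0]) if len(states) == 1 else None

if __name__ == "__main__":
    seed = 0x12345678              # constructed: stands in for one infectee
    seen = observe(seed, 3)        # three partial outputs pin the state down
    print(hex(recover_seed(seen)))  # prints 0x12345678
```

With the state in hand, every later output of that infectee can be predicted (which is what lets lost packets be counted) and the chain can be walked back to the value the worm seeded with, which is where a boot-time inference comes from.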

May 26, 2005 in papers, witty

Comments

Great paper. No two ways about it. The authors squeeze an amazing amount of information about the worm population and the hardware it ran on out of two sets of packet traces.

Posted by: Bruce Ediger | Jun 5, 2005 12:12:36 AM
