worm in at or

Upload: ninips24

Post on 05-Apr-2018


  • 7/31/2019 Worm in at Or

    1/46

    Presented by

  • Active Worms

    Malicious software program

    Propagates itself on the Internet

    Infects other hosts

  • Worms can cause

    Massive DDoS attacks disrupting Internet utilities

    Access to confidential information

    Destruction of data

  • Traditional Worm Behavior

    A worm instance identifies and infects a vulnerable host

    Newly infected hosts automatically scan IP addresses to identify other vulnerable hosts

  • Camouflaging Worm Behavior

    Also has a self-propagating nature

    Smart worms that avoid detection by hibernating

    Carefully control their scan rate

    Ultimately infect as many hosts as possible

    Cause serious Internet damage

  • Analysis of C-Worm Propagation

    The C-Worm needs to adapt to the dynamics of the Internet to manipulate its overall scan traffic volume

    This involves a steady increase followed by a decrease in scan traffic volume

    The scan traffic volume does not cross thresholds that could reveal its propagation

  • Analysis of C-Worm Propagation

    Such changes do not manifest any trends in the time domain

    But they demonstrate a distinct pattern in the frequency domain

    There is a concentration within a narrow range of frequencies

  • MALWARE

    Malicious software

    Disrupts normal computing activity

    Several types: viruses, worms, Trojans, keyloggers

  • Viruses vs. Worms

    A virus is a small program that spreads from computer to computer to interfere with operation

    Worms are viruses that are able to run and copy themselves on a huge scale with no human assistance

  • How Computers Get Infected

    Worms and viruses are nefarious

    All that is needed for virus propagation is for someone to click the file and open it

    Worms don't even require that much action

  • Fighting Computer Viruses and Worms

    The best defense is an updated computer

    Protective measures are also adopted by browsing software

  • Conficker: A New Family of Worms

    Exploits a vulnerability in Microsoft Windows

    Also spreads via USB devices

    Designed to download other malware variants

  • Conficker: A New Family of Worms

    Allows attackers to execute remote code

    Spreads by RPC calls; vulnerable machines will download a copy of the worm

    The worm constantly updates

    Changes its IP, making it difficult to block

  • COMPUTER WORMS

    Worms cause some harm to the network

    Payload: code in the worm designed to do more than spread

  • EXISTING SYSTEM

    Assumes that each infected computer scans and propagates at a high speed

    Will not be able to detect smart worms

  • PROPOSED SYSTEM

    Based on the global scan traffic monitor

  • MODULES

    C-Worm detection module

    Malicious worm detection module / anomaly detection

    Pure Random Scan (PRS) module

    Worm propagation module

  • SOFTWARE REQUIREMENTS

    Hardware Requirements

    Processor: Pentium IV 2.6 GHz

    RAM: 512 MB DDR RAM

    Monitor: 15" color

    Hard disk: 20 GB

    Floppy Drive: 1.44 MB

    CD Drive: LG 52X

    Keyboard: Standard 102 keys

    Mouse: 3 Button

  • SOFTWARE REQUIREMENTS

    Software Requirements

    Front End: Java, JFC (Swing)

    Tools Used: Eclipse 3.3

    Operating Systems: Windows XP/7

  • SOFTWARE REQUIREMENTS

    FRONT END: JAVA

    Developed by James Gosling at Sun Microsystems, released in 1995

    Syntax derived from C and C++

    General purpose, concurrent, class-based, object-oriented; lets developers write once, run anywhere (WORA)

    Client-server web application

  • Java: Primary Goals

    Simple, object-oriented and familiar

    Robust and secure

    Architecture-neutral and portable

    High performance

    Interpreted, threaded and dynamic

  • Java: Pcap

    Pcap (packet capture): application programming interface for capturing network traffic

    Windows uses a port of libpcap known as WinPcap

    libpcap/WinPcap support saving captured packets

    Jpcap: Java library for capturing and sending network packets

    Open source and licensed under the GNU LGPL

  • Java: jNetPcap

    jNetPcap: true Java wrapper around the native libpcap and WinPcap libraries

    libpcap: developed by the tcpdump developers; the capture-file reading and writing code of tcpdump

    WinPcap: implementation of a lower-level library for the listed operating systems to communicate

  • Java Networking

    Provides many built-in networking classes through its java.net, java.nio and java.rmi packages

    java.net provides HTTP connections and streams as well as protocol sockets

    An Internet address uniquely identifies each computer on the network

    Servers share resources

    Network sockets are used in the TCP/IP protocol

    Internet streams allow access to remote document data

  • BACKGROUND AND RELATED WORK

    Active Worms

    Similar to biological viruses in terms of their infectious and self-propagating nature

    Identify vulnerable computers and infect them; the worm-infected computers then propagate the infection

    Use DNS, network topology and routing information

  • Active worms use various scan mechanisms to propagate themselves efficiently, such as

    Pure Random Scan (PRS)

    Network port scanning, email, file sharing, Peer-to-Peer (P2P) networks, and Instant Messaging (IM)

  • Worm Detection

    Worm detection can be generally classified into two categories:

    1. host-based detection and
    2. network-based detection.

    C-Worm

    The C-Worm camouflages its propagation by controlling its scan traffic volume during propagation.

  • Generic Worm Detection Architecture

    (Figure: generic worm detection architecture)

  • Deployment of Monitoring Components

    The detection network consists of a set of addresses monitored by monitoring components.

    The monitoring components can be deployed on virtual machines or on gateways of local networks.

    They can also be traffic analyzers beside routers, observing the traffic to a set of addresses.

    Worms may not choose to scan the entire IPv4 address space. In addition, different worms might use different target spaces.

  • Detection of C-Worm

    Jpcap: for capturing and sending network packets

    Host-based detection / network-based detection

    The C-Worm stays undetected if detection is attempted only in the time domain

    Use the novel spectrum-based detection

  • Novel Spectrum-Based Detection

    Frequency-domain based scheme

    Uses the distribution of

    Power spectrum density (PSD)

    Spectrum flatness measure (SFM)

  • Power spectrum density (PSD)

    How the power of the time series is distributed in the frequency domain

    Spectrum flatness measure (SFM)

    Ratio of the geometric mean to the arithmetic mean of the PSD coefficients

  • Detection Decision Rule

    The SFM value is used to distinguish C-Worm traffic from normal non-worm traffic

    Compare the SFM with a predefined threshold

    If the SFM value is smaller than the threshold, a C-Worm has occurred
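The PSD, SFM and decision rule of the last three slides, worked through on two constructed scan-volume traces; this is an added example, not code from the presentation or its project. The window length N, the threshold value 0.15 and the two traces (flat random background versus a volume that ramps steadily up and back down) are assumptions made here for illustration.

```python
import cmath
import math
import random

# Assumed parameters for this added example (not from the slides):
N = 64            # number of scan-volume samples in the analysis window
THRESHOLD = 0.15  # predefined SFM threshold; the slides give no value


def psd(series):
    """Power spectral density of a real time series: |X_k|^2 for the
    positive-frequency DFT bins, after removing the mean (DC) so that a
    constant scan volume does not dominate bin 0."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    coeffs = []
    for k in range(1, n // 2):
        xk = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        coeffs.append(abs(xk) ** 2)
    return coeffs


def spectral_flatness(coeffs):
    """SFM = geometric mean / arithmetic mean of the PSD coefficients.
    Close to 1 for a flat (white) spectrum, close to 0 when the power is
    concentrated in a few frequency bins."""
    if any(p <= 0 for p in coeffs):
        return 0.0  # geometric mean is zero if any coefficient is zero
    geo = math.exp(sum(math.log(p) for p in coeffs) / len(coeffs))
    arith = sum(coeffs) / len(coeffs)
    return geo / arith


def detect_cworm(series, threshold=THRESHOLD):
    """Decision rule from the slides: SFM below the threshold => C-Worm."""
    return spectral_flatness(psd(series)) < threshold


# Constructed sample traces: scan counts per interval seen by the monitor.
rng = random.Random(7)
# Normal background scanning: no structure, so its spectrum is roughly flat.
NORMAL_TRACE = [rng.uniform(10, 50) for _ in range(N)]
# C-Worm-like traffic: volume ramps steadily from 10 up to 50 and back down
# every 16 intervals (never crossing 50), plus a little jitter.
CWORM_TRACE = [10 + 5 * (8 - abs(t % 16 - 8)) + rng.uniform(-2, 2) for t in range(N)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("c-worm", CWORM_TRACE)):
        sfm = spectral_flatness(psd(trace))
        print(f"{name}: SFM={sfm:.4f} c-worm={detect_cworm(trace)}")
```

Both traces stay inside the same 10 to 50 volume band, which is exactly why a time-domain threshold on volume cannot separate them while the SFM can.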

  • ADVANTAGE

    Reduced detection time

    Effectively detects the C-Worm

    Traditional worms are also detected

  • CONCLUSION

    Developed a novel spectrum-based detection scheme

    Superior detection performance

    Lays the foundation for ongoing studies of smart worms


  • SCREENSHOTS

    (Figures: main frame, systems scan, scan drive, scan folder, task manager, report, log file, about us)

  • THANK YOU.