Optimization of Blaster worms by Stochastic Modeling
Performance Evaluation Laboratory
s1080060 Tatehiro Kaiwa
Supervised by Prof. Hiroshi Toyoizumi
Purpose
By modeling a Blaster worm, we investigate its influence on a local network. By optimizing a Blaster worm, we observe and investigate the threat. We compare the existing Blaster worms with the optimized ones in a local network.
Target
Virus Name: W32.Blaster.Worm (Symantec), WORM_MSBLAST.A (Trend Micro), W32/Lovsan.worm.a (McAfee)
Type: Worm
Systems Affected: Windows 2000, XP
The Blaster worm exploits a vulnerability in the DCOM RPC service to penetrate.
Causes system instability
Select an IP address
Complete Random
Local
Create malicious Packets
For XP For 2000
Start to send many malicious packets
Spread Algorithm (1)
0.4 0.6
0.8 0.2
These methods are selected only once, when the Blaster worm is executed.
Random: probability of selecting a random IP address
Local: probability of selecting a local IP address
: probability that packets are for Windows XP
(1 ): probability that packets are for Windows 2000
Spread Algorithm (2)
When the worm uses its own IP address, A.B.C.D, the worm changes D to 0. Then the worm makes the target address increase monotonically.
The probability that a first worm and other worms attack the same IP address is very high.
The infection rate of all worms except the first worm in the local network becomes smaller.
The Experimental Network
This figure shows a local experimental network used to collect Blaster worm packet data.
To confirm and obtain some information about the Blaster worm.
Worm Data Collection
[Figure labels: Blaster, HUB, Sniffer, Target]
Systems attacked and infected by the Blaster worm may become unstable and sometimes shut down.
We cannot capture some packets when the Sniffer is installed on an infected PC and on all target PCs.
We prepare an uninfected PC, connect it as in the figure, and then capture all packets.
The Infection Model
This figure is the worm infection model.
[Figure: worm infection model, with arrows labelled ν and λ]
ν: Infection rate of a Blaster worm outside of the local network.
λ: Infection rate of Blaster worms inside of the local network.
The Model Solution (1)
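We obtain the new model by mixing a Poisson process and a Yule process.
[Figure: state-transition diagrams. Poisson process: states 0, 1, 2, …, n with transition rate ν. Yule process: states 1, 2, 3, …, n with transition rates λ, 2λ, …, (n-1)λ, nλ. Mixed model: states 0, 1, 2, …, n with transition rates ν, ν+λ, ν+2λ, …, ν+(n-1)λ, ν+nλ.]
$$P\{N(t)=n\} = \binom{(\nu/\lambda)+n-1}{n}\, p^{\nu/\lambda}\,(1-p)^{n}, \quad \text{where } p = e^{-\lambda t}.$$
The process with infection rate ν is a Poisson process, and the process with infection rate λ is a Yule process.
Each infection activity is independent.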
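As an added illustration (not part of the original slides), the following Python sketch simulates the mixed process, a pure birth process that moves from n to n+1 infected hosts at rate ν + nλ, and checks it against the negative binomial law such a process follows when N(0) = 0. The values of ν, λ and t are constructed for illustration and are not measurements from the experiment; all function names are hypothetical.

```python
import math
import random

def pmf(n, t, nu, lam):
    """P{N(t) = n} with N(0) = 0 and t > 0.
    Negative binomial with r = nu/lam and p = exp(-lam*t)."""
    r = nu / lam
    p = math.exp(-lam * t)
    log_coeff = math.lgamma(r + n) - math.lgamma(r) - math.lgamma(n + 1)
    # r*log(p) = -nu*t ; n*log(1-p) via log1p for accuracy
    return math.exp(log_coeff - nu * t + n * math.log1p(-p))

def mean_infected(t, nu, lam):
    """E[N(t)] = (nu/lam) * (exp(lam*t) - 1)."""
    return (nu / lam) * math.expm1(lam * t)

def tail(k, t, nu, lam):
    """P{N(t) >= k}: chance that at least k hosts are infected by time t."""
    return 1.0 - sum(pmf(n, t, nu, lam) for n in range(k))

def simulate_once(t, nu, lam, rng):
    """One run: in state n the wait for the next infection is Exp(nu + n*lam)."""
    n, clock = 0, 0.0
    while True:
        clock += rng.expovariate(nu + n * lam)
        if clock > t:
            return n
        n += 1

def simulated_mean(runs, t, nu, lam, seed=1):
    """Average number of infected hosts at time t over independent runs."""
    rng = random.Random(seed)
    return sum(simulate_once(t, nu, lam, rng) for _ in range(runs)) / runs

if __name__ == "__main__":
    NU, LAM, T = 0.5, 0.2, 5.0  # assumed rates per unit time (constructed values)
    print("analytic mean :", round(mean_infected(T, NU, LAM), 3))
    print("simulated mean:", round(simulated_mean(20000, T, NU, LAM), 3))
    print("P{N(T) >= 10} :", round(tail(10, T, NU, LAM), 4))
```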
The Model Solution (2)
$R_{XP}$, $R_{2k}$: the ratio of each system (Windows XP, Windows 2000) having the vulnerability in a local network.
})1({2
2
2 kXP
k
kXP
XP
RRR
RRR
HitP kXP
XP
RRR
2 VulP
The Model Solution (3)
$R_{Suc}$: Rate of successful infection
$M$: Average of the number of packets
SucHit RPM LocalRPM SucHit
Each Infection Rate
Graphs for varying the ratio of each system in the network
The performance of the Blaster worms can be improved if the ratio of the Windows XP machines is high in the local network.
[Graph: P{N(t) 70} for three networks: All WinXP, All Win2000, and XP:2000 = 1:8]
The difference between optimized and existing
The optimized Blaster worms prove to be a great threat. Thus, the existing Blaster worm also has the same potential threat.
[Graph: Existing Blaster and Optimized Blaster, P{N(t) 70}, XP:2000 = 1:8]
Conclusion
The performance of the Blaster worm is greatly influenced by the ratio of each OS in the target network.
Optimized Blaster worms are a great threat. Thus, we need to be careful individually.
Future Works
As the stochastic model may differ from the existing Blaster worms, we need to bring it closer to an accurate model of the existing Blaster worms in the future.