Optimization of Blaster worms

Performance Evaluation Laboratory

s1080060 Tatehiro Kaiwa

Supervised by Prof. Hiroshi Toyoizumi

by Stochastic Modeling

Purpose Modeling a Blaster worm, we investigate

influence on a local network. Optimizing a Blaster worm, we observe and

investigate the threat. To compare the difference between the existing

Blaster worms and the optimized ones in local network.

Target Virus Name: W32.Blaster.Worm (Symantec) WORM_MSBLAST.A (Trend Micro) W32/Lovsan.worm.a (McAfee) Type : Worm Systems Affected : Windows 2000, XP

Blaster worm exploits a vulnerability of DCOM RPC Service to penetrate.

Causes system instability

Select an IP address

Complete Random

Local

Create malicious Packets

For XP For 2000

Start to sendmany malicious packets

Spread Algorithm (1)

0.40.6

0.8 0.2

These methods selected only once when the Blaster worm is executed.

selecting address IP random a ofy Probabilit :Random

selecting address IP Local a ofy Probabilit : Local

XP sfor Window are packetsy that Probabilit :

2000 sfor Window are packetsy that Probabilit :)1(

Spread Algorithm (2) When the worm use own IP address, A.B.C.D, the worm

change D into 0. Then the worm make the target address increasing monotonically.

Probability a first worm and other worms attack to the same IP address with is very high.

Infection rate of all worm except a first worm in the local network become smaller.

The Experimental Network

This figure shows a local experimental network to collect Blaster worm packets data.

To confirm and obtain some information about the Blaster worm.

Worm Data Collection

Blaster

HUB

Sniffer

Target

Systems attacked and infected by Blaster worm may be instability, then sometimes shutdown.

We cannot capture some packets with a infected PC and all target PCs installed Sniffer.

Prepare a PC no infect, and connection as the figure, then capture all packets.

The Infection ModelThis figure is the worm infection model.

νν

νν

λ

λλλ

ν

ν: Infection rate of a Blaster worm outside of the local network.

λ: Infection rate of Blaster worms inside of the local network.

The Model Solution (1)

3

We obtain the new model to mix a Poisson Process and a Yule Process.

2

1

n

1

2

0

n

ν

ν

ν

ν

ν

λ

2λ

(n-1)λ

1

2

0

n

ν+(n-1)λ

ν+2λ

ν+λ

ν

ν+nλnλ

nppn

ntNP )1(1)/(

1)/(})({ /

.1

ep twhere

The process with infection rate ν is Poisson Process, and the process with infection rate λ is Yule Process.

Each infection activities are independent.

The Model Solution (2)

Windows XP

Windows 2000

XP

XP

kXP RR 2:

A ratio of each systems having the vulnerability in a local network.

})1({2

2

2 kXP

k

kXP

XP

RRR

RRR

HitP kXP

XP

RRR

2 VulP

The Model Solution (3)

Rate of successful infection

Average of the number of packets:M

:SucR

SucHit RPM LocalRPM SucHit

Each Infection Rate

Graphs of changing a ratio of each systems in the network

The performance of the Blaster worms can be improved if the ratio of the Windows XP machines is high in the local network.

All WinXPAll Win2000

XP:2000=1:8

}70)({ tNP

The difference between optimized and existing

The Optimized Blaster worms prove great threat.Thus, the existing Blaster worm also has a potential threat the same.

Existing Blaster

Optimized Blaster

}70)({ tNPXP:2000=1:8

Conclusion A performance of the Blaster worm is great

influence a ratio of each OS in the target network.

Optimized Blaster worms is the worm having a great threat. Thus, we need to be careful individually.

Future Works As the stochastic model may be different from

existing Blaster worms、we need to close to the accurate model of the existing Blaster worms in the future.