Network "telescopes" that record packets sent to unused blocks of Internet address space have emerged as an important tool for observing Internet-scale events such as the spread of worms and the backscatter from flooding attacks that use spoofed source addresses. Current telescope analyses produce detailed tabulations of packet rates, victim population, and evolution over time. While such cataloging is a crucial first step in studying the telescope observations, incorporating an understanding of the underlying processes generating the observations allows us to construct detailed inferences about the broader "universe" in which the Internet-scale activity occurs, greatly enriching and deepening the analysis in the process.
In this work we apply such an analysis to the propagation of the Witty worm, a malicious and well-engineered worm that, when released in March 2004, infected more than 12,000 hosts world-wide in 75 minutes. We show that by carefully exploiting the structure of the worm, especially its pseudo-random number generation, from limited and imperfect telescope data we can, with high fidelity: extract the individual rate at which each infectee injected packets into the network prior to loss; correct distortions in the telescope data due to the worm's volume overwhelming the monitor; reveal the worm's inability to fully reach all of its potential victims; determine the number of disks attached to each infected machine; compute when each infectee was last booted, to sub-second accuracy; explore the "who infected whom" infection tree; uncover that the worm specifically targeted hosts at a US military base; and pinpoint Patient Zero, the initial point of infection, i.e., the IP address of the system the attacker used to unleash Witty.
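The per-infectee sending-rate recovery described above, as an added illustration (example code, not the paper's own): it assumes the worm's generator was the Windows CRT rand() LCG exposing only its top 16 bits, with three consecutive outputs per packet (two for the destination address, one for the port); under those assumptions a single captured packet yields the full generator state, and replaying the generator to the next capture counts every packet the infectee sent in between, including those the telescope never saw.

```python
# Added example, not from the paper. Assumed generator: the Windows CRT
# rand() LCG (a=214013, c=2531011, mod 2^32) exposing only its top 16 bits,
# with three consecutive outputs per packet (two for the address, one port).
A, C, MASK = 214013, 2531011, 0xFFFFFFFF

def lcg_step(s):
    return (A * s + C) & MASK

def top16(s):
    return s >> 16  # the only part of the state that leaves the host

def emit_packet(state):
    """Three generator calls per packet; returns the visible halves, new state."""
    s1 = lcg_step(state); s2 = lcg_step(s1); s3 = lcg_step(s2)
    return (top16(s1), top16(s2), top16(s3)), s3

def simulate(seed, n_packets, rate_pps, monitored_prefix):
    """Constructed infectee plus telescope: keep a packet only when the top 8
    bits of its first half-word match the monitored /8. Records are
    (timestamp, h1, h2, h3, true_index); true_index is ground truth only."""
    state, captured = seed, []
    for i in range(n_packets):
        (h1, h2, h3), state = emit_packet(state)
        if h1 >> 8 == monitored_prefix:
            captured.append((i / rate_pps, h1, h2, h3, i))
    return captured

def recover_state(h1, h2, h3):
    """Brute-force the hidden low 16 bits behind h1; checking the next two
    outputs makes a false match vanishingly unlikely (about 2^16 / 2^32)."""
    for low in range(1 << 16):
        s1 = (h1 << 16) | low
        s2 = lcg_step(s1)
        s3 = lcg_step(s2)
        if top16(s2) == h2 and top16(s3) == h3:
            return s3  # full generator state right after the captured packet
    return None

def infer_gap(cap_a, cap_b, max_packets=1 << 16):
    """Replay the generator from the state recovered at capture a until it
    reproduces capture b: the replay length is the number of packets the
    infectee sent in between, seen or not. Returns (packets, rate_pps)."""
    state = recover_state(*cap_a[1:4])
    if state is None:
        return None
    for k in range(1, max_packets + 1):
        halves, state = emit_packet(state)
        if halves == tuple(cap_b[1:4]):
            return k, k / (cap_b[0] - cap_a[0])
    return None
```

With real telescope data the timestamps come from the monitor rather than a constructed clock, and the recovered state also fixes the exact destination sequence, which is what lets the later inferences (loss correction, boot time, disk count) build on the same replay.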