Research and Project

2007

Presently I am doing my project and research work as a student of 4th year (Information Technology department, JIITU) under the guidance and direction of Mrs. Hema N (Lecturer, CS/IT department, JIITU).

According to my experience and observation, the signature technology & patch model of network security systems has failed. Supporting examples of zero-day exploitations and worms are given below.

My aim is to develop a large-scale, robust, reliable system that can mitigate current security problems without end-user intervention (most end users are from a non-technical background). I want to develop a system free of DoS attacks, vulnerabilities and exploits, so that end users can rely on the internet without getting involved in computer/internet security concerns such as turning on firewalls and antivirus applications, or implementing or installing intrusion detection systems and applications on their system, because it is a fact that not every end user is a technical expert with knowledge of antivirus and firewalls.

Present Scenario of the network:

Internet users are not safe. No secure system is available that provides security and information safety to end users without end-user intervention.

Most defense and security systems rely on:

· Fingerprint or Signature Technology

· Patch System

Fingerprint or Signature Technology

Current malware defenses are largely based on fingerprint or signature technology which looks for a type of network behavior or even specific code.

A malware signature or fingerprint is the sequence of network transmissions required to exploit a vulnerability.

Patch System

A publicized vulnerability often has a fix (software patch) available, but the inconvenience of human interaction with these fixes leads to unpatched systems. Applying patches is the optimal solution for worm defense; signature-based solutions are limited in their effectiveness, as new variants of a worm can bypass the defense by changing their signature or fingerprint.
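
The two points above (a signature is a byte sequence looked for on the wire; a variant that changes those bytes slips past it) can be seen in a few lines of code. The following is an added illustration written for this page, not the project's code: the signature, the handler path `/example.idq` and the three packets are all constructed and do not correspond to any real worm. A second, behavioural rule is included to show what a detector that keys on the vulnerable handler and the oversized argument, rather than on exact bytes, catches.

```python
"""Toy signature-based detector over constructed request payloads.

Constructed example: neither the signature nor the payloads correspond to a
real worm; they only illustrate why a byte-exact signature misses a variant.
"""

# Constructed signature: the byte sequence an IDS would look for on the wire.
SIGNATURES = {
    "worm-X-v1": b"GET /example.idq?AAAAAAAA",   # constructed, not a real signature
}

# Constructed packets: the original request, a variant that only changed its
# padding bytes (handler and oversized argument untouched), and a benign request.
PACKETS = {
    "original": b"GET /example.idq?" + b"A" * 240 + b" HTTP/1.0\r\n",
    "variant":  b"GET /example.idq?" + b"B" * 240 + b" HTTP/1.0\r\n",
    "benign":   b"GET /index.html HTTP/1.0\r\n",
}


def signature_hits(payload, signatures=SIGNATURES):
    """Return the names of every signature whose bytes occur in the payload."""
    return [name for name, sig in signatures.items() if sig in payload]


def oversized_query_rule(payload, handler=b"/example.idq?", limit=100):
    """Behavioural rule: a request to the (constructed) vulnerable handler whose
    query string exceeds `limit` bytes.  Independent of the padding value."""
    _head, sep, rest = payload.partition(handler)
    if not sep:
        return False
    query = rest.split(b" ", 1)[0]
    return len(query) > limit


def evaluate(packets=PACKETS):
    """Run both detectors over every packet: {name: (signature_hit, rule_hit)}."""
    return {name: (bool(signature_hits(p)), oversized_query_rule(p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (sig_hit, rule_hit) in evaluate().items():
        print(f"{name:9s} signature={sig_hit!s:5s} behaviour={rule_hit}")
```

Running it shows the byte-exact signature flagging only the original packet, while the behavioural rule flags both the original and the variant and stays quiet on the benign request; the cost of the second approach is that its threshold has to be chosen per vulnerability and tuned against false positives.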

Effectiveness of these systems

The signature technology & patch model of networked device security has failed.

Evidence:

2001

Code Red worm

July 19, 2001

The first incarnation of the Code-Red worm (CRv1) began to infect hosts running unpatched versions of Microsoft’s IIS webserver on July 12th, 2001. The first version of the worm uses a static seed for its random number generator. Then, around 10:00 UTC on the morning of July 19th, 2001, a random-seed variant of the Code-Red worm (CRv2) appeared and spread. This second version shared almost all of its code with the first version, but spread much more rapidly. Finally, on August 4th, a new worm began to infect machines exploiting the same vulnerability in Microsoft’s IIS webserver as the original Code-Red worm. Although the new worm shared almost no code with the two versions of the original worm, it contained in its source code the string “CodeRedII” and was thus named CodeRed II. The characteristics of each worm are explained in greater detail below.

On July 19, 2001, more than 359,000 computers were infected with the Code-Red worm in less than 14 hours.

2003

Sapphire Worm (also called Slammer, SQLSlammer, W32.Slammer)

Saturday, January 25

The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.

The worm (also called Slammer) began to infect hosts slightly before 05:30 UTC on Saturday, January 25. Sapphire exploited a buffer overflow vulnerability in computers on the Internet running Microsoft’s SQL Server or MSDE 2000 (Microsoft SQL Server Desktop Engine). This weakness in an underlying indexing service was discovered in July 2002; Microsoft released a patch for the vulnerability before it was announced. The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures.

In a mere 10 minutes in January 2003, the Sapphire (or Slammer) worm infected at least 75,000 computers — an estimated 90 percent of the computers vulnerable to that worm.

By comparison, it was two orders of magnitude faster than the Code Red worm, which infected over 359,000 hosts on July 19th, 2001; the Code Red worm population had a leisurely doubling time of about 37 minutes.

2004

Witty Worm Spread

March 19, 2004

On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm takes advantage of a security flaw in these firewall applications that had been discovered earlier that month by eEye Digital Security. Once the Witty worm infects a computer, it deletes a randomly chosen section of the hard drive, over time rendering the machine unusable. The worm’s payload contained the phrase “(^.^) insert witty message here (^.^)” so it came to be known as the Witty worm.

The vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. While Witty took 30 minutes longer than SQL Slammer to infect its vulnerable population, both worms spread far faster than human intervention could stop them.
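
The claim that these worms outrun human intervention follows directly from the doubling times quoted above. The block below is an added illustration, not part of the original page: it assumes the simple epidemic (logistic) model of a random-scanning worm, in which the odds of a vulnerable host being infected grow exponentially with a rate constant derived from the early doubling time. The only inputs are figures from this page (Slammer: 8.5 s doubling, about 75,000 hosts; Code Red: 37 min doubling, about 359,000 hosts); the 30-minute "response time" and the function names are assumptions for the illustration. The model ignores bandwidth saturation, so it spreads Slammer somewhat faster than the observed 10 minutes; the Code Red estimate comes out close to the 14 hours reported above.

```python
"""Simple epidemic (logistic) model of worm spread, fed with the doubling
times quoted on the page.  Added illustration; the logistic form is an
assumption (the classic random-scanning worm model), not a page measurement."""
import math


def growth_rate(doubling_time):
    """Exponential growth constant K from the early-phase doubling time."""
    return math.log(2) / doubling_time


def _logit(a):
    """log-odds of a fraction a in (0, 1)."""
    return math.log(a / (1.0 - a))


def infected_fraction(t, doubling_time, population, initial_infected=1):
    """Fraction of the vulnerable population infected at time t, starting from
    initial_infected hosts at t = 0.  The odds grow as exp(K * t)."""
    k = growth_rate(doubling_time)
    odds = initial_infected / (population - initial_infected) * math.exp(k * t)
    return odds / (1.0 + odds)


def time_to_fraction(target, doubling_time, population, initial_infected=1):
    """Time until `target` fraction of the population is infected (same model)."""
    a0 = initial_infected / population
    return (_logit(target) - _logit(a0)) / growth_rate(doubling_time)


# Figures quoted on the page.  Time units follow each worm's doubling time.
SLAMMER = dict(doubling_time=8.5, population=75_000)      # seconds
CODE_RED = dict(doubling_time=37.0, population=359_000)   # minutes


def compare(response_time_minutes=30):
    """Time to 90% infection for each worm, and how far each has spread by the
    time a human responder could plausibly act (assumed 30 minutes)."""
    return {
        "slammer_t90_minutes": time_to_fraction(0.9, **SLAMMER) / 60,
        "codered_t90_hours": time_to_fraction(0.9, **CODE_RED) / 60,
        "slammer_after_response": infected_fraction(response_time_minutes * 60, **SLAMMER),
        "codered_after_response": infected_fraction(response_time_minutes, **CODE_RED),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.3g}")
```

Under these assumptions Slammer reaches 90% of its population in under three minutes and is essentially saturated before a 30-minute response window closes, whereas Code Red needs about 13 hours to reach 90% and has infected only a handful of hosts after 30 minutes. The contrast is the point of the Witty paragraph: once the doubling time drops to seconds, any defense that needs a human in the loop (signature update, patch rollout) arrives after the spread is over.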

2006

Blackworm

January 15, 2006

Blackworm victim estimate: between 469,507 and 946,835

DoS Attacks

In February of 2000, a series of massive denial-of-service (DoS) attacks incapacitated several high-visibility Internet e-commerce sites, including Yahoo, Ebay, and E*trade. Then, in January of 2001, Microsoft’s name server infrastructure was disabled by a similar assault, the root DNS servers were targeted in 2002, and SCO’s corporate Web site was incapacitated in late 2003. Indeed, over the last six years, denial-of-service attacks against highly visible Internet sites or services have become commonplace.
