
Worm Attack

Project MOSES Helps Prepare for Worm Attacks

By Doug Peterson

November 2005

While working at the startup company Renesys in July of 2001, colleagues and former students of CSL professor David Nicol began noticing unusual behavior in the routers that forward traffic across the Internet. Routers throughout the network began announcing to one another, in effect, that they could no longer reach certain parts of the Internet.

This “strange routing behavior” coincided with the spread of the Code Red 2 worm across computers that the routers connect. Code Red’s effect on computers throughout the world was widely noticed, but its impact on routing was not understood. This challenge triggered Nicol’s interest in the propagation of worms in large-scale systems -- an interest that he brought with him to CSL when he came on board in 2003.

Nicol leads Project MOSES, which simulates the spread of worms -- programs that can wreak havoc across networks in ways that viruses cannot. A computer virus cannot spread until someone does something, such as opening an attachment in an infected e-mail. Worms, in contrast, are self-contained programs that spread on their own: they scan the network for vulnerable machines and infect them without any action by a user.

If a worm locates a susceptible computer, it simply worms its way into the system.

Using the Project MOSES simulator, Nicol has been able to analyze and understand the behavior of worms such as Code Red 2, as well as the faster-spreading worms that have followed.

He said the earlier attackers such as Code Red 2 had to “shake hands” with a target computer before anything could happen -- a connection attempt that could take up to 21 seconds to time out when the target computer did not respond. The newer worms, which appeared in 2003, do not require this handshake. They can fire copies of themselves at random addresses in machine-gun fashion, hitting many more computers in a short time span.

“The earlier worms took about one day to infect 375,000 computers,” Nicol said. “The newer worms, which didn’t have the handshake, took 15 minutes to infect 100,000 computers. The Internet was saturated in a matter of minutes, rather than hours.”

The nature of worm invasions has also changed, he added. Earlier worm attacks were typically demonstrations of “chest-thumping” -- hackers trying to display what they could do.

“Today, there seems to be more criminal intent,” Nicol said. “There’s an underground economy in compromised machines and routers, where they trade the identities of compromised machines for stolen credit card numbers.”

The Project MOSES simulator, developed by Nicol and colleagues with CSL’s Information Trust Institute, can chart the rate at which worms spread by using models similar to those that track the spread of infectious diseases. In addition, it can simulate how effectively organizations respond to worm attacks, even showing what impact the attacks might have on the stock market.
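To make the handshake-versus-no-handshake comparison above concrete, here is an added example of the kind of epidemic model the preceding paragraph describes. It is written for this page and is not Project MOSES code. A random-scanning worm is treated as a susceptible/infected process over the IPv4 address space: a handshake-bound worm is throttled by connection timeouts to silent hosts, a connectionless one only by how fast it emits packets. The 21-second timeout is the article's figure; the size of the vulnerable population (`SUSCEPTIBLE`), the number of parallel probes, and the connectionless packet rate are assumptions chosen only to show the shape of the result, not measurements of any real worm.

```python
"""
Epidemic model of a random-scanning worm (added illustration; not Project
MOSES code).  Susceptible/infected (SI) dynamics over the IPv4 space:

    dI/dt = beta * I * (1 - I/N),   beta = scan_rate * N / 2**32

A handshake-bound worm is throttled by connect timeouts to silent hosts;
a connectionless worm is bound only by how fast it can emit packets.
"""
import math

ADDRESS_SPACE = 2 ** 32        # IPv4 addresses a random scanner picks from
SUSCEPTIBLE = 360_000          # assumed: number of vulnerable hosts (N)
TCP_TIMEOUT_S = 21.0           # article's figure: connect to a silent host gives up after ~21 s


def handshake_limited_scan_rate(parallel_probes, timeout_s=TCP_TIMEOUT_S):
    """Scans/s for a worm that must complete a TCP handshake before attacking.

    Almost every randomly chosen address is silent, so each probe slot is
    held for the full timeout; throughput is bounded by slots / timeout.
    """
    return parallel_probes / timeout_s


def contact_rate(scan_rate, susceptible=SUSCEPTIBLE, space=ADDRESS_SPACE):
    """beta: infections/s one infected host causes while nearly everything
    is still susceptible = scans/s * P(a random address is vulnerable)."""
    return scan_rate * susceptible / space


def time_to_fraction(fraction, beta, susceptible=SUSCEPTIBLE, initial=1):
    """Seconds until `fraction` of N is infected, from the closed-form
    logistic solution I(t) = N / (1 + (N/I0 - 1) * exp(-beta t))."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must lie strictly between 0 and 1")
    return math.log((susceptible / initial - 1.0) / (1.0 / fraction - 1.0)) / beta


def simulate(beta, duration_s, step_s=1.0, susceptible=SUSCEPTIBLE, initial=1):
    """Forward-Euler integration of the same ODE; returns [(t, infected)].

    The closed form above is exact for the bare model; the step-by-step
    version is the one to extend with patching, bandwidth saturation or
    containment, which the closed form cannot express.
    """
    infected, t = float(initial), 0.0
    samples = [(t, infected)]
    while t < duration_s:
        infected += step_s * beta * infected * (1.0 - infected / susceptible)
        infected = min(infected, float(susceptible))   # never exceed the population
        t += step_s
        samples.append((t, infected))
    return samples


def compare(parallel_probes=100, connectionless_pps=500, fraction=0.95):
    """Time to reach `fraction` infected for the two worm styles.
    Both rate parameters are assumptions for illustration."""
    beta_tcp = contact_rate(handshake_limited_scan_rate(parallel_probes))
    beta_udp = contact_rate(connectionless_pps)
    return {
        "handshake_hours": time_to_fraction(fraction, beta_tcp) / 3600.0,
        "connectionless_minutes": time_to_fraction(fraction, beta_udp) / 60.0,
    }


if __name__ == "__main__":
    result = compare()
    print(f"handshake-bound worm:  {result['handshake_hours']:.1f} h to 95%")
    print(f"connectionless worm:   {result['connectionless_minutes']:.1f} min to 95%")
    final_t, final_i = simulate(contact_rate(500), 600)[-1]
    print(f"Euler run: {final_i:,.0f} of {SUSCEPTIBLE:,} infected after {final_t:.0f} s")
```

With these assumed parameters the handshake-bound worm needs on the order of eleven hours to saturate the vulnerable population, the connectionless one a few minutes, reproducing the hours-versus-minutes contrast Nicol draws. The model deliberately ignores bandwidth saturation and patching; real fast worms are slower than the bare equation predicts because they congest the links they spread over, which is the kind of effect the step-by-step `simulate` loop is the place to add.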

According to Nicol, the simulator has also been used to study S-BGP, or “Secure BGP,” routers. Plain BGP routers accept route announcements from their neighbors without any cryptographic check of who originated a route or which networks it actually passed through, which is why S-BGP, which adds signed attestations to announcements, was developed in the first place. But the Project MOSES simulator recently demonstrated that the extra computation S-BGP requires to verify those signatures slows the routers down at the worst possible time: during a worm attack, when the volume of routing updates surges.

The good news is that Nicol’s students discovered some “clever tricks” that can dramatically reduce the S-BGP slow-down without a memory overload.

Looking ahead, Nicol said they hope to connect their network simulator with a commercialized simulator known as PowerWorld. Tom Overbye, U of I electrical and computer engineering professor, developed PowerWorld to simulate electrical power generation. However, this popular system currently doesn’t simulate the power system’s dependence on computers and networks. Nicol’s system would change that.

“Our simulator, coupled with PowerWorld, could show the impact of a cyber attack on electrical power generation,” Nicol said.

“Finding ways to protect critical infrastructures, such as the nation’s power grid, is something we’ll see more and more of in the Information Trust Institute,” he added. “It’s an effective use for the kind of technology I’ve been talking about.”

 

Coordinated Science Laboratory, University of Illinois at Urbana-Champaign