Mac OS X Possible Worm Fuels Debate
This week the media has been abuzz with concerns over a possible Mac OS X worm, dubbed Penepo.b or even Opener.b. See writeups here at BusinessWeek, A "Worm" with Eyes for Apple, and here at PC Advisor, Mac worm sparks security concerns. Early analysis made it sound like this was a self-propagating threat, but later analysis (thanks, MacInTouch!) showed it to be a basic backdoor/rootkit kit that had been installed manually on an OS X system.
More interestingly, this has helped touch off a debate about what really makes a worm a worm. The lines are fuzzy, but I think we'd all agree that something that propagates from host to host under its own volition is a worm, i.e. a network-aware virus. It sounds like Opener misses some critical elements of this, but it does begin to resemble the patterns of Linux break-ins I saw in the late 90's that got me thinking about worms back in 2001.
So, while I debated with myself about posting this, it has turned out to have kicked up a fun debate. Please note that we've struggled for years to draw a firm, clear boundary around what makes a worm a worm. The definition I give in my book comes from the Morris case in the late 1980's and basically boils down to "network-aware and self-propagating malware". The fuzzy lines are found in application-layer worms that require some user intervention, i.e. opening an attachment or following a link in an IM message. However, it's clear to most of us that asking a user to run a program as root hardly counts as a worm.
But this is probably the tip of the iceberg for OS X network malware, just as the Shaft DDoS toolkit was a prelude to later Linux worms.
October 29, 2004 in media
Dynamic Quarantine of Computer-Based Worm Attacks (DQW) (from DARPA)
Part of the DARPA program to quickly, accurately, and effectively detect and quarantine worms on networks large and small.
The goal of the Dynamic Quarantine of Worms is to develop dynamic quarantine defenses for U.S. military networks against large-scale malicious code attacks such as computer-based worms. The ever-growing sophistication of the malicious code threat has surpassed the ability of commercial industry to address this problem. As the U.S. military pushes forward with network-centric warfare, terrorists and other nation-states are likely to develop and employ malicious code to impede our ability to fight efficiently and effectively. This program will develop the capability to automatically detect and respond to worm-based attacks against military networks, provide advanced warning to other DoD enterprise networks, study and determine the worm’s propagation and epidemiology, and provide off-line rapid response forensic analysis of malicious code to identify its capabilities, modalities, and future behavior. Further, the program will develop defenses against cyber attacks on mobile ad hoc network (MANET) systems that can sense failures and attacks and auto-recover in real-time. Technical approaches include the automatic and dynamic quarantine response and forensics analysis of malicious code that will employ static and dynamic code analysis for program understanding. The Defense Against Cyber Attacks on MANET Systems project under this program will develop the means to monitor and control the trustworthiness of distributed tactical applications used in network-centric warfare operations. This program will develop technology to ensure network-centric warfare systems are able to fulfill their mission in spite of cyber attacks such as computer worms unleashed on MANETs and runtime failures.
Source: DARPA Advanced Technology Office - Dynamic Quarantine of Computer-Based Worm Attacks (DQW).
Have a look around the site, lots of information is available. Some of it is program specific, but some of it lists the requirements and technologies sought. This problem (accurate worm detection in early phases) appears to be widely seen as one of the current grand challenges of information security, and has been for the past year or two.
October 17, 2004 in government
Recent worm papers (October, 2004)
Several papers on worm detection and quarantine caught my attention recently. Here are their abstracts and links.
The security of the Internet can be improved using Programmable Logic Devices (PLDs). A platform has been implemented that actively scans and filters Internet traffic for Internet worms and viruses at multi-Gigabit/second rates using the Field-programmable Port Extender (FPX). Modular components implemented with Field Programmable Gate Array (FPGA) logic on the FPX process packet headers and scan for signatures of malicious software (malware) carried in packet payloads. FPGA logic is used to implement circuits that track the state of Internet flows and search for regular expressions and fixed-strings that appear in the content of packets. The FPX contains logic that allows modules to be dynamically reconfigured to scan for new signatures. Network-wide protection is achieved by the deployment of multiple systems throughout the Internet.
Source: Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware, John W. Lockwood, James Moscola, Matthew Kulig, David Reddick, and Tim Brooks, from the Applied Research Laboratory, Washington University, Saint Louis, MO, and Global Velocity, Saint Louis, MO.
Recent large-scale and rapidly evolving worm epidemics have led to interest in automated defensive measures against self-propagating network worms. We present models of network worm propagation and defenses that permit us to compare the effectiveness of "passive" measures, attempting to block or slow down a worm, with "active" measures, that attempt to proactively patch hosts or remove infections. We extend relatively simple deterministic epidemic models to include connectivity of the underlying infrastructure, thus permitting us to model quarantining defenses deployed either in customer networks or towards the core of the Internet. We compare defensive strategies in terms of their effectiveness in preventing worm infections and find that with sufficient deployment, content-based quarantining defenses are more effective than the counter-worms we consider. For less ideal deployment or blocking based on addresses, a counter-worm can be more effective if released quickly and aggressively enough. However, active measures (such as counter-worms) also have other technical issues, including causing additional network traffic and increased risk of failures, that need to be considered.
Source: Comparing Passive and Active Worm Defenses, Michael Liljenstam and David M. Nicol, University of Illinois at Urbana-Champaign.
As email becomes one of the most convenient and indispensable communication mediums in our life, it is very important to protect email users from increasing email worm attacks. In this paper, we present the architecture and system design of a “feedback email worm defense system” to protect email users in enterprise networks. The defense system is flexible and able to integrate many existing detection techniques to provide effective and efficient email worm defense. First, in response to a “detection score” of a detected worm email and information on the possible appearance of a malicious email worm in the global Internet, the defense system adaptively chooses a cost-effective defense action that can range from simply labelling this email to aggressively deleting it from an email server. Second, the system uses a “honeypot” to thoroughly detect worm emails received by email servers and also to detect early the presence of an email worm in the global Internet. Third, the defense system implements a “multi-sifting detection” technique and “differential email service” to achieve accurate detection without causing much delay on most emails. Furthermore, the defense system separates email attachments from email texts and saves attachments in separate “attachment caching servers”, which facilitate both email worm detection and email service efficiency.
Source: Feedback Email Worm Defense System for Enterprise Networks, Cliff C. Zou, Weibo Gong, Don Towsley.
The availability of reliable models of computer virus propagation would prove useful in a number of ways, in order both to predict future threats, and to develop new containment measures. In this paper, we review the most popular models of virus propagation, analyzing the underlying assumptions of each of them, their strengths and their weaknesses. We also introduce a new model, which extends the Random Constant Spread modeling technique, allowing us to draw some conclusions about the behavior of the Internet infrastructure in presence of a self-replicating worm. A comparison of the results of the model with the actual behavior of the infrastructure during recent worm outbreaks is also presented.
Source: LNCS 2965 - Computer Virus Propagation Models, Giuseppe Serazzi and Stefano Zanero, Dipartimento di Elettronica e Informazione, Politecnico di Milano, Milano, Italy. (This entry requires payment to receive or an institutional subscription.)
The need for a global monitoring system for Internet worm detection is clear. Likewise, the need for local detection and response is also obvious. In this study, we used a large data set to review some of the worm monitoring and detection strategies proposed for large networks, and found them difficult to apply to local networks. In particular, the Kalman filter and victim-number-based approaches proved unsuitable for smaller networks. They are of course appropriate for large systems, but what works well for local networks? We propose two algorithms tailored for local network monitoring needs. First, the Destination Source Correlation (DSC) algorithm focuses on the infection relation, and tracks real infected hosts (and not merely scans) to provide an accurate response. Second, the HoneyStat system provides a way to track the short-term infection behavior used by worms. Potentially, this provides a basis for statistical inference about a worm’s behavior on a network.
Source: Worm Detection Using Local Networks, Xinzhou Qin, David Dagon, Guofei Gu, Wenke Lee, Georgia Institute of Technology.
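As an added illustration (my own sketch, not the Georgia Tech authors' code), here is the infection-relation idea behind DSC in Python: a host is reported only after it has been contacted on a port and then, within a window, starts contacting several other hosts on that same port, so pure scanners and plain servers are never reported. The window, the minimum target count and the flow records are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    ts: float   # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int

def dsc_detect(flows: Iterable[Flow], window: float = 300.0,
               min_targets: int = 3) -> Dict[str, Tuple[str, int, float]]:
    """Destination-Source Correlation sketch (parameters are assumptions).

    A host is reported as infected only if it was first *contacted* on a port
    and then, within `window` seconds, itself contacts at least `min_targets`
    distinct hosts on that same port. Hosts that only send (pure scanners) or
    only receive (servers) are never reported.
    Returns {infected_host: (host that contacted it first, port, time flagged)}.
    """
    first_in: Dict[Tuple[str, int], Tuple[float, str]] = {}
    out_targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    flagged: Dict[str, Tuple[str, int, float]] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        # Remember the first time each (host, port) was contacted and by whom.
        first_in.setdefault((f.dst, f.dport), (f.ts, f.src))
        key_out = (f.src, f.dport)
        if key_out in first_in and f.src not in flagged:
            t0, infector = first_in[key_out]
            if f.ts - t0 <= window:
                out_targets[key_out].add(f.dst)
                if len(out_targets[key_out]) >= min_targets:
                    flagged[f.src] = (infector, f.dport, f.ts)
    return flagged

# Constructed flow records (not a real capture). 10.0.0.1 probes port 445 on
# three hosts; only 10.0.0.5 then starts contacting others on 445.
FLOWS = [
    Flow(0.0, "10.0.0.1", "10.0.0.20", 80),     # ordinary web request
    Flow(1.0, "10.0.0.3", "10.0.0.20", 80),
    Flow(10.0, "10.0.0.1", "10.0.0.5", 445),    # 10.0.0.5 contacted on 445
    Flow(11.0, "10.0.0.1", "10.0.0.9", 445),
    Flow(12.0, "10.0.0.1", "10.0.0.12", 445),
    Flow(20.0, "10.0.0.5", "10.0.0.6", 445),    # 10.0.0.5 now reaching out on 445
    Flow(21.0, "10.0.0.5", "10.0.0.7", 445),
    Flow(22.0, "10.0.0.5", "10.0.0.8", 445),
    Flow(30.0, "10.0.0.9", "10.0.0.13", 445),   # a single outbound flow: no alert
]

if __name__ == "__main__":
    for host, (infector, port, ts) in dsc_detect(FLOWS).items():
        print(f"{host} infected via {infector} on port {port} at t={ts}")
```

Services that legitimately both receive and originate traffic on one port (mail relays on 25, for instance) would need an allow-list in front of this rule.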
We present a payload-based anomaly detector, which we call PAYL, for intrusion detection. PAYL models the normal application payload of network traffic in a fully automatic, unsupervised and very efficient fashion. We first compute during a training phase a profile of the byte frequency distribution and its standard deviation for the application payload flowing to a single host and port. We then use Mahalanobis distance during the detection phase to calculate the similarity of new data against the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold. We demonstrate the surprising effectiveness of the method on the 1999 DARPA IDS dataset and a live dataset we collected on the Columbia CS department network. In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.
Source: Anomalous Payload-based Network Intrusion Detection, Ke Wang, Salvatore J. Stolfo, Computer Science Department, Columbia University.
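As an added example (my own sketch, not the Columbia authors' PAYL code), the training and detection steps described in the abstract in Python: a per-port byte-frequency profile with per-byte standard deviation, a distance against that profile, and a threshold. The simplified L1-style Mahalanobis distance sum |x_i - mean_i| / (std_i + alpha), the smoothing factor, the threshold rule and the HTTP requests are all constructed assumptions rather than details the abstract states.

```python
import math
from typing import Iterable, List, Tuple

ALPHA = 0.001  # smoothing factor so unseen bytes do not divide by zero (assumed value)

def byte_frequency(payload: bytes) -> List[float]:
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]

def train_profile(payloads: Iterable[bytes]) -> Tuple[List[float], List[float]]:
    """Per-byte mean and (population) standard deviation over the training set."""
    freqs = [byte_frequency(p) for p in payloads]
    n = len(freqs)
    mean = [sum(f[i] for f in freqs) / n for i in range(256)]
    std = [math.sqrt(sum((f[i] - mean[i]) ** 2 for f in freqs) / n) for i in range(256)]
    return mean, std

def distance(payload: bytes, mean: List[float], std: List[float]) -> float:
    """Simplified Mahalanobis distance: sum |x_i - mean_i| / (std_i + ALPHA)."""
    x = byte_frequency(payload)
    return sum(abs(x[i] - mean[i]) / (std[i] + ALPHA) for i in range(256))

def choose_threshold(payloads, mean, std, factor: float = 2.0) -> float:
    """Threshold = factor * the largest distance seen on training data (assumed rule)."""
    return factor * max(distance(p, mean, std) for p in payloads)

def is_anomalous(payload: bytes, mean, std, threshold: float) -> bool:
    return distance(payload, mean, std) > threshold

# Constructed "normal" port-80 requests to one host (not real captured traffic).
TRAINING = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /about.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.gif HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /news/2004/10/worms.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]
MEAN, STD = train_profile(TRAINING)
THRESHOLD = choose_threshold(TRAINING, MEAN, STD)

# A held-out request built from bytes already seen in training: should pass.
NORMAL = b"GET /news/index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# A request carrying high-bit binary bytes never seen on this port: should alert.
BINARY = b"GET /" + bytes(range(128, 256)) + b" HTTP/1.0\r\n"

if __name__ == "__main__":
    for name, p in (("normal", NORMAL), ("binary", BINARY)):
        print(name, round(distance(p, MEAN, STD), 1), is_anomalous(p, MEAN, STD, THRESHOLD))
```

With only four training requests the profile is deliberately tiny; in practice the per-port profile is built from far more traffic and the threshold is tuned against a held-out set to keep false positives down.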
This paper proposes a new approach to detecting aggregated anomalous events by correlating host file system changes across space and time. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatial locality. The intuition is that abnormal state changes, which may be hard to detect in isolation, become apparent when they are correlated with similar changes on other hosts. In particular, the goal is to detect similar, coincident changes to the patterns of file updates that are shared across multiple hosts. We have implemented this approach in a prototype system called Seurat and demonstrated its effectiveness using a combination of real workstation cluster traces gathered over three months, simulated attacks, and a manually launched Linux worm.
Source: Seurat: A Pointillist Approach to Anomaly Detection, Yinglian Xie, Hyang-Ah Kim, David R. O’Hallaron, Michael K. Reiter, and Hui Zhang, Carnegie Mellon University. Also see Seurat: A Pointillist Approach to Anomaly Detection from RAID04.
October 16, 2004 in papers
WORM04 Program Online
The workshop program for WORM04 (the Workshop on Rapid Malware) is now online. The workshop itself is a one-day event, held on October 29th, 2004 at George Mason University, Fairfax, VA, USA. Speakers include industry and academic participants. You can view the program and see the list of papers that will be presented there. Lots of good topics in detection and quarantine of worms are going to be presented.
October 14, 2004 in events, papers
Several new stories
Several stories to note from recent news items.
A new IM worm is hitting MSN Messenger, evidently. As reported by eWeek, the Funner worm appears to be causing service disruptions for the MSN Messenger servers, causing delays in login or disconnections while they perform emergency maintenance. While this sort of thing is annoying, it shows how centralized choke points can be effectively used to detect and stop an application layer worm.
It looks like IronPort, makers of mail server filters and appliances, has a new virus and worm detection system. Dubbed the Virus Outbreak Filter (VOF), this technology allows IronPort deployments to detect and filter worm and spam outbreaks quickly, according to this Tech News World article. Sadly, it lacks a technical description; however, a whitepaper on VOF is available which may contain more details on how it works. This sounds somewhat like some things I've been developing in my spare time to complement tools like vthrottle, harking back to my old days of running mail servers and deploying mail firewalls.
In a similar vein, this eWeek article discusses technology from Aviniti, Inc. Dubbed the iSolation Server, this technology is based on virtual machine technology and an understanding of malicious or questionable code paths. Nothing too new, although the placement may be. More stories around their press release on Bored Guru and Yahoo! Tech News.
In So Many Worms, So Little Time, Help Net Security covers some recent worm history and activity. Yes, it's been a busy time for worm outbreaks, and sadly we're not moving quickly in the detection and counter phase, instead constantly relying on signature based approaches. Plenty of room for enterprising young minds to develop new approaches and bring them to market, or even just open source them.
And finally, a discussion with Matthew Williamson, formerly of HP Labs and now at Sana Security, covers the effect of the power law on worm outbreaks. Williamson is well known as the main force behind virus throttling, which he and his team developed while at HP Labs in Bristol, UK. Again, while nothing too new (see Technological networks and the spread of computer viruses, Balthrop et al., 2004, and Email networks and the spread of computer viruses, Newman et al., 2002), it's good to see it getting wider exposure.
October 13, 2004 in media
Witty growth and decay rate modeled by Zou
Cliff Zou has modeled the Witty worm's propagation using differential equations, accounting for the destructive aspect of the worm. This analysis gives a compelling explanation of the decay rate and accounts for significant portions of the observations. The data used in the analysis comes from the University of Michigan Internet Motion Sensor project's collection.
In our Witty propagation modeling, we have not considered other factors that could possibly affect Witty's propagation. For example, some infected computers could have been patched or filtered out by people before they were crashed by the Witty worm. However, if this factor played a major role, then the I(t) shown in Fig. 2 should have decreased more quickly, rather than more slowly, than what our model predicts. Therefore, as the researchers in [2] said, we believe the rapid decay in the number of active infected hosts is primarily caused by Witty's destructive action.
Source: Witty Worm Propagation Modeling, Cliff C. Zou.
October 2, 2004 in modeling, papers, witty
Instant messaging worm exploits JPEG vulnerability
A worm apparently trying to take advantage of the vulnerability announced in the September 2004 Security Update for JPEG Processing (GDI+) has appeared. It uses the IM network from AOL to spread.
Researchers at the SANS Institute's Internet Storm Center have had two reports of users receiving messages on America Online Inc.'s AOL Instant Messenger service that lured them to Web sites containing malicious code, Johannes Ullrich, chief technology officer at the center, said yesterday. The messages told the users to "Check out my profile, click GET INFO!"
Source: Instant messaging worm exploits JPEG vulnerability, September 30, 2004.
While this isn't a very successful worm at this stage, it does illustrate how some people may try to operationalize the threat to develop a self-propagating worm. Note that shared-component holes like this one and others are very attractive to worm authors: with one vulnerability they can target multiple vectors of entry, including email, IM, and your web browser. The trick for client-side vulnerabilities is getting the malicious content into the vulnerable data path. In email worms, this is achieved by flooding recipients with malicious mails. The requirements are no less and no greater with other applications: the victim must be fooled into acting on the malicious content, exposing the vulnerable application code path to the exploit. To a large degree, how that is done in other systems is still being worked out by malware authors, but it will eventually work for them.
October 1, 2004 in IM worms, new worms