Combatting Mail-Based Malware using Bayesian Filters
And you thought it was just for spam ... since mobile malware has many of the same properties as spam, it's a natural fit.
When most people think of tools to combat malware, very few will give a passing thought to Bayesian Filtering, why?
Common reasons include:
- They don’t realize that Bayesian Filtering can be used against malware (viruses, Trojans, worms, etc.)
- They are just for spam.
- They don’t know how to train them for malware.
This paper will investigate the use of Bayesian Filtering, specifically to counter/block/detect malware. What’s more, this paper will focus on tools such as POPfile and SpamPal (which are free anti-spam systems available for both UNIX and Windows).
The use of Bayesian Filtering systems can be extremely useful in cases of fast burning or very complex malware outbreaks as a stop-gap until the anti-virus vendors manage to get reliable updates out to their customers.
Bayesian Filtering of internal mail can also be useful in identifying infected systems in your organization that need remedial action before the ‘trickle’ of infections become a ‘torrent’ and you are left fighting to keep your head above the rising waters.
The paper will include statistics clearly showing the accuracy of Bayesian Filtering, not just for malware, but also SPAM and 419 advance-fee-frauds too.
Source: Canning More Than SPAM With Bayesian Filtering, Martin Overton. Appeared at the Virus Bulletin conference in 2004.
Several Bayesian filtering tools are available. I personally use ifile (for UNIX and POSIX systems), although the most popular is probably SpamAssassin, which has used Bayesian methods since the 2.5 series (it is currently at 3.x). Several mail client plugins can make use of Bayesian methods, including many for Microsoft Outlook; Mozilla mail includes Bayesian filtering, and Mail.app and SpamSieve on OS X offer it too. Martin's paper shows how you can use these tools to keep mail-based malware off of your desktop, too. A decent set of links on Bayesian statistics is available via Wikipedia.
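To make concrete why a spam filter also catches mail-borne malware, here is an added example (my own code, not Overton's paper and not POPfile, SpamPal, ifile or SpamAssassin): a plain naive Bayes classifier over message tokens, trained on a constructed corpus with three classes. The tokenizer, the class names and every message in the corpus are assumptions made up for this illustration; the point it shows is that bounce-style subjects and executable attachment names are learned as features exactly like the words of a sales pitch.

```python
"""Bayesian mail classification for malware, spam and ham (added example)."""
import math
import re
from collections import Counter

# Tokens are words or dotted names such as 'document.pif', so an attachment
# file name survives as a single feature.
TOKEN_RE = re.compile(r"[a-z0-9_]+(?:\.[a-z0-9_]+)*")


def tokenize(message):
    """Lowercase a raw message (headers and body) into a set of tokens."""
    return set(TOKEN_RE.findall(message.lower()))


class BayesFilter:
    """Bernoulli-style naive Bayes: per class, count how many training
    messages contain each token. Laplace smoothing keeps a token never seen
    in a class from zeroing that class out."""

    def __init__(self, classes=("malware", "spam", "ham")):
        self.classes = classes
        self.token_docs = {c: Counter() for c in classes}  # token -> #messages with it
        self.n_docs = Counter()                             # class -> #messages

    def train(self, message, label):
        self.n_docs[label] += 1
        self.token_docs[label].update(tokenize(message))

    def _log_score(self, tokens, label):
        n = self.n_docs[label]
        total = sum(self.n_docs.values())
        score = math.log((n + 1) / (total + len(self.classes)))  # smoothed prior
        for t in tokens:
            score += math.log((self.token_docs[label][t] + 1) / (n + 2))
        return score

    def classify(self, message):
        """Return (best_label, {label: posterior probability})."""
        tokens = tokenize(message)
        scores = {c: self._log_score(tokens, c) for c in self.classes}
        top = max(scores.values())
        z = sum(math.exp(s - top) for s in scores.values())
        posterior = {c: math.exp(s - top) / z for c, s in scores.items()}
        return max(posterior, key=posterior.get), posterior


# Constructed training corpus (invented for this example, not real mail).
TRAINING = [
    ("Subject: Mail delivery failed\nYour message could not be delivered. "
     "See attached document.pif for details.\nAttachment: document.pif", "malware"),
    ("Subject: Your account\nAttached is the account report. Open readme.zip\n"
     "Attachment: readme.zip", "malware"),
    ("Subject: hi\nsee the attached file for details\nAttachment: details.scr", "malware"),
    ("Subject: Cheap meds online\nbuy cheap pills now lowest price click here", "spam"),
    ("Subject: Make money fast\nearn cash from home click here now", "spam"),
    ("Subject: Meeting tomorrow\nCan we move the project meeting to 10am? Thanks, Bob", "ham"),
    ("Subject: Re: patch review\nThe patch looks fine, I will merge it tonight.", "ham"),
    ("Subject: Lunch\nLunch at noon? Attachment: menu.pdf", "ham"),
]

# Two constructed messages to classify.
SUSPECT_BOUNCE = ("Subject: Returned mail\nThe original message was included as "
                  "attachment document.pif\nAttachment: document.pif")
NORMAL_REPLY = "Subject: Re: meeting\nThanks Bob, 10am works for the project meeting."


def build_demo_filter():
    """Train a filter on the constructed corpus."""
    f = BayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for msg in (SUSPECT_BOUNCE, NORMAL_REPLY):
        label, post = f.classify(msg)
        print(label, {c: round(p, 3) for c, p in post.items()})
```

The "malware" class is trained on the same kind of evidence a human uses (a fake bounce, a `.pif`/`.scr`/`.zip` attachment, "see attached"), which is why the filter works as a stop-gap before a signature exists: a new variant that keeps the same social-engineering template shares most of its tokens with the old one.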
November 30, 2004 in mass mailers, papers, tools | Permalink
Standardized Malware Names
As a follow-up to the recent post of thoughts on the state of the AV industry, a friend points me at a story about a new effort to standardize malware names:
The identifiers will look something like "CME-1234567", the letter says. Headline writers need not be too dismayed, however, as it appears there could be room to apply media-friendly names like "Blaster" and "Slammer" to new threats.
Source: Virus names could be standardized, 25 November 2004, Computer Business Online.
A quick search of the MITRE website didn't turn up any related hits for CME or malware, but this could still be a quiet project within their research corridors. If so, this could be promising. Right now, digging for malware information requires that you know the nickname of the malware and any variants and consult a vendor website. A central site with common names would be ideal, and if it moves faster than Vgrep (which is updated frequently, but certainly not daily), that would be great.
November 29, 2004 in tools | Permalink
Italian Senate Network hit by Rbot Worm
According to media reports, the Italian senate in Rome was ground to a halt as it was hit by one of the many variants of the Rbot worm ... First noticed on Monday night, computers in the senate chamber, and every senator's office, were said to have been affected by Tuesday morning.
Source: Italian senate hit by gay porn worm attack, Sophos comments (Sophos press release), 24 November, 2004. Original news report from Ansa.it, Hacker da 2 giorni attaccano Senato, November 23, 2004 (in Italian).
What this underscores is that every new worm, and many old worms, are threats not just to Internet-facing systems but to internal networks, perhaps even more so. Because security measures in most internal networks are lax compared to those at the perimeter, worms treat your network as a petri dish and can grow unfettered by network access controls. This is one reason you're seeing such a huge push towards internal security tools from companies like Cisco, Arbor, Juniper, and Sana. They recognize that the threat has always existed on the inside of the network but has been poorly addressed.
Found via Donna's security weblog, one of the excellent MS MVP bloggers.
November 29, 2004 in media | Permalink
Ongoing Investigation into SQLSlammer
A Czech news site, Viry.cz, is reporting that Czech authorities are investigating the former 29A member Benny for information regarding the SQLSlammer worm.
"It seems that the police have questioned him about a virus that was really significant," said Graham Cluley, senior technology consultant at Sophos. "Benny has always said that he never released his viruses into the wild, so it will be interesting to see if any charges will be brought against him."
Source: Ex-virus writer questioned over Slammer, Dan Ilett, ZDNet UK, November 29, 2004.
When the original flaw was found, it was given the Microsoft vulnerability note MS02-039, the Bugtraq database ID 5311, and the CVE candidate name CAN-2002-0649. Enough details about the attack were released by NGSSoftware in July 2002 that it could be openly explored by attackers. In fact, several versions of the attack exist which differ slightly from the worm's attack (there are no dates on these exploits, so it is hard to say whether they predate the worm's outbreak or postdate SQLSlammer). What is clear, though, is that enough details were released prior to the worm's release for knowledgeable exploit authors to construct their own attack for this hole.
Whether Benny had any role in this is hard to say; I'm not privy to the investigation. What is clear, though, is that this attack wasn't a big secret.
November 29, 2004 in editorial, government, SQLSlammer | Permalink
Skulls Mobile Phone Malware On the Loose
A new piece of malicious mobile code is on the loose:
A virus has struck Nokia smartphone users. Once downloaded, the virus, called Skulls, replaces all phone desktop icons with images of a skull.
It also renders all phone applications, including SMSs and MMSs, useless.
While Skulls is not the first virus to affect smartphones, it is the first malicious one to do so.
Source: First malicious virus invades cellphones, November 24 2004, Independent Online (South Africa).
This isn't a worm or a virus at all, though, but instead a Trojan horse. The F-Secure writeup on Skulls is very informative and discusses removal. Some portions of the media have been referring to this as a worm or as a virus, but it's neither, since it does not propagate on its own. However, it does suggest that networked devices, even mobile devices like phones, are increasingly interesting targets of attack by mobile code. Skulls follows in Cabir's footsteps in form and function. F-Secure sells an AV tool for mobile phones.
The Washington Post has a decent article on the topic, Cell Phones Increasingly Attractive To Hackers, from Friday, November 26, 2004, page A01.
"The nightmare scenario with cell phones is a virus that would delete the contents of your phone, or start calling [a toll number] on its own from the phone or recording every single one of your conversations and sending the recorded conversation somewhere," said Mikko Hypponen, director of anti-virus research at F-Secure Corp., a Finnish security firm.
The article is worth a read.
November 28, 2004 in media | Permalink
De-Worming Tools for MS Windows
Via a recent post on Jerry's Security Weblog (he's one of the MS MVPs on security), some tools for people to use to remove, detect, or prevent worms on their MS Windows hosts:
- Mydoom, Zindos, and Doomjuice Worm Removal Tool. "Microsoft has released a tool to help you remove variants of the Mydoom, Zindos, and Doomjuice worms from your computer. Version 4.0 of the Microsoft Mydoom Worm Removal Tool supports removal of the Mydoom variants A, B, E, F, G, J, L, O, Zindos.A, and Doomjuice variants A and B."
- A tool is available to remove the Sasser worm variants. "Version 4.0 of the Sasser Worm Removal Tool includes support for removing the Sasser.A, Sasser.B, Sasser.C, Sasser.D, and Sasser.E variants of the worm and adds support for removing the Sasser.F variant of the worm. Version 4.0 is available from the Microsoft Download Center."
- How to obtain and use the MS04-028 Enterprise Update Scanning Tool in environments that do not use Systems Management Server. "Microsoft has released the MS04-028 Enterprise Update Scanning Tool (MS04-028_Updatescan_886988.exe). IT professionals can use the MS04-028_Updatescan_886988.exe tool to scan computers for the required MS04-028 security updates and to apply any missing updates from a local area network (LAN) share. The tool can be run from a startup or logon script or by a user with local administrator rights. The tool is intended for use in environments where Microsoft Systems Management Server (SMS) or any other enterprise management solution is not used for update management." MS04-028 is the GDI+ buffer overrun vulnerability, more commonly known as the JPEG image overflow vulnerability. This was used by attackers on Usenet groups to attack unsuspecting MS Usenet users. Surprisingly, it was not widely developed into a mail-based worm or even a file sharing worm.
- Security Tools from MS TechNet. Great links; everyone who runs MS machines should be aware of them and keep abreast of their frequent updates.
November 27, 2004 in sasser, tools | Permalink
Detecting Worms using DIB:S and ICMP Unreachable Messages
Berk, Gray, and Bakos present a system called DIB:S which can monitor for worms over large networks. Their system is described as follows:
Identification of an Internet worm is a manual process where security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems or hosts. A worm might not be positively identified until it already has spread to most of the Internet, eliminating many defensive options. In this paper, we present an automated system that can identify active worms seconds or minutes after they first begin to spread, a necessary precursor to halting the spread of a worm, rather than simply cleaning up afterward. Our implemented system collects ICMP Unreachable messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we examine the problem of active worms, describe our ICMP-based detection system, and present simulation results that illustrate the speed with which it can detect a worm.
Source: Using Sensor Networks and Data Fusion for Early Detection, Vincent H. Berk, Robert S. Gray, and George Bakos.
While this is an interesting, low-hanging-fruit approach, their system only looks for ICMP unreachable messages (forwarded to a centralized collection system). If these are filtered or otherwise not generated (i.e., the worm uses a hitlist to scan), it will fail to detect the worm. While such worms may seem uncommon, consider this: any application-layer worm essentially has a hitlist granted to it by every infected node, either an IM buddy list or the list of email addresses that the client has contacted. Windows file sharing networks, too, have centralized information about which hosts are online, allowing a worm to make connection attempts on the local network without hitting hosts that don't exist. Finally, under load many IP stacks will throttle the rate of ICMP message generation, which may dampen the effectiveness of the system. On the other hand, using such information allows the detectors to be relatively stateless, so they can monitor large numbers of subnets or networks. If the worm generates enough ICMP messages in a short enough time frame, the rate at which these messages arrive at the TRAFEN analysis subsystem may trigger an alert.
November 26, 2004 in detection, papers | Permalink
Detecting Worms with the Willow Architecture
Another distributed worm detection system. This one is called Willow, and its use in detecting worms is described in a paper by Scandariato and Knight (which appeared at SRDS 2004, the 23rd Symposium on Reliable Distributed Systems, Florianopolis, Brazil, October 2004):
Many areas of society have become heavily dependent on services such as transportation facilities, utilities and so on that are implemented in part by large numbers of computers and communications links. Both past incidents and research studies show that a well-engineered Internet worm can disable such systems in a fairly simple way and, most notably, in a matter of a few minutes. This indicates the need for defenses against worms but their speed rules out the possibility of manually countering worm outbreaks. We present a platform that emulates the epidemic behavior of Internet active worms. For purposes of experimentation, the platform has been deployed on a cluster of computers to emulate worm outbreaks in very large networks. A wide variety of worm properties can be studied and network topologies of interest constructed. A reactive control system, based on the Willow architecture and the OOPS policy framework, operates on top of the platform and provides a monitor/analyze/respond approach to deal with infections automatically. The logic driving the control system is synthesized from a formal specification, which is based on control rules correlating sensor events. Details of our highly configurable platform, the theory of operation of the Willow architecture, the features of the specification language, and various experimental performance results are presented.
Source: The Design and Evaluation of a Defense System for Internet Worms, Riccardo Scandariato and John C. Knight.
The Willow architecture is designed to detect de novo worms by monitoring for failures in scanning activity. This should work for most existing worms, but relying on this as a detection feature can be fatal if hitlist-only worms are widely deployed. However, since Willow attempts to provide a means to improve network survivability when under attack, this is a reasonable foundation to use.
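Both the DIB:S post above and this Willow post rest on the same signal: a scanning worm fails far more connection attempts than any legitimate host, and those failures (ICMP unreachables at a router, sensor events in Willow) fan out across many addresses. The following is an added example of that detection logic, my own code rather than anything from either paper. The record format (time, source, destination), the thresholds and the sample router export are assumptions constructed for the illustration; the second data set shows the hitlist blind spot both posts warn about.

```python
"""Scan-failure worm detection from ICMP Destination Unreachable records (added example)."""
from collections import defaultdict

SCAN_FANOUT = 5      # distinct unreachable destinations before a source counts as a scanner
WORM_SCANNERS = 3    # distinct scanners inside one window before a worm alert fires
WINDOW = 60          # seconds


def detect(records, fanout=SCAN_FANOUT, min_scanners=WORM_SCANNERS, window=WINDOW):
    """records: iterable of (t, src, dst), each meaning 'a router saw an ICMP
    unreachable for src's packet to dst at time t'.

    Returns (scanners, alert_time). scanners is the set of sources whose
    failed attempts fanned out to at least `fanout` distinct addresses;
    alert_time is the first time at which `min_scanners` such sources had
    appeared within `window` seconds of each other, or None if never."""
    fanout_by_src = defaultdict(set)   # src -> distinct destinations that were unreachable
    scan_start = {}                    # src -> time it crossed the fanout threshold
    for t, src, dst in sorted(records):
        fanout_by_src[src].add(dst)
        if len(fanout_by_src[src]) >= fanout and src not in scan_start:
            scan_start[src] = t
            recent = [s for s, ts in scan_start.items() if t - ts <= window]
            if len(recent) >= min_scanners:
                return set(scan_start), t
    return set(scan_start), None


def make_scan_records():
    """Constructed router export: one legitimate host mistyping an address
    twice (noise), plus three infected hosts probing unused addresses
    inside the same minute (a scanning worm)."""
    recs = [(0, "10.0.1.2", "10.0.9.99"), (30, "10.0.1.2", "10.0.9.98")]
    for i, src in enumerate(["10.0.1.5", "10.0.2.9", "10.0.3.17"]):
        for k in range(8):
            recs.append((5 + i * 10 + k, src, f"10.0.{i + 4}.{k + 1}"))
    return recs


def make_hitlist_records():
    """A hitlist worm only contacts hosts it already knows are alive, so the
    routers see nothing beyond the legitimate noise."""
    return make_scan_records()[:2]


if __name__ == "__main__":
    print(detect(make_scan_records()))     # the three infected hosts, alert at t=29
    print(detect(make_hitlist_records()))  # no scanners, no alert
```

The detector keeps only a set of destinations per source and a timestamp per scanner, which is the "relatively stateless" property that lets one collector watch many subnets. The same sparseness is its weakness: when a stack rate-limits ICMP under load, or a filter drops unreachables before they reach the collector, a source may never reach the fan-out threshold, so the thresholds have to be tuned against what the routers actually export rather than against the worm's true scan rate.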
November 25, 2004 in detection, papers | Permalink
Even More "Good Worm" Papers
An interesting paper by Nicol and Liljenstam makes a decent theoretical case for a defensive worm. This paper takes into account various forms of an active defensive worm. It ignores any ethical or legal implications of such a worm and only provides an analytical model.
The recent proliferation of Internet worms has raised questions about defensive measures. To date most techniques proposed are passive, in-so-far as they attempt to block or slow a worm, or detect and filter it. Active defenses take the battle to the worm—trying to eliminate or isolate infected hosts, and/or automatically and actively patch susceptible but as-yet-uninfected hosts, without the knowledge of the host’s owner. The concept of active defenses raises important legal and ethical questions that may have inhibited consideration for general use in the Internet. However, active defense may have immediate application when confined to dedicated networks owned by an enterprise or government agency. In this paper we model the behavior and effectiveness of different active worm defenses. Using a discrete stochastic model we prove that these approaches can be strongly ordered in terms of their worm-fighting capability. Using a continuous model we consider effectiveness in terms of the number of hosts that are protected from infection, the total network bandwidth consumed by the worms and the defenses, and the peak scanning rate the network endures while the worms and defenses battle. We develop optimality results, and quantitative bounds on defense performance. Our work lays a mathematical foundation for further work in analysis of active worm defense.
Source: Models of Active Worm Defenses, David M. Nicol and Michael Liljenstam. This paper is related to their paper listed in an October, 2004, rundown of papers on this blog.
Their paper reaches a number of interesting conclusions, but also notes that it does not address some real-world issues, including detecting the worm's initial outbreak and how rapidly a counterworm can be deployed.
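To give a feel for the kind of continuous model the abstract describes, here is an added example: a toy compartment model of my own, not the discrete or continuous models from Nicol and Liljenstam's paper. Hosts are susceptible (S), infected by the worm (I) or patched by a counterworm (D); patched hosts in turn spread the patch, so the defense races the worm for the remaining susceptibles. All rates, seed counts and the "load" proxy are assumed values chosen for the illustration.

```python
"""Toy continuous model of a worm racing an active (counterworm) defense (added example)."""


def simulate(n_hosts=10000, beta=4.0, gamma=0.0, i0=1, d0=0, dt=0.01, t_max=10.0):
    """Forward-Euler integration of
        dS/dt = -beta*I*S/N - gamma*D*S/N
        dI/dt =  beta*I*S/N
        dD/dt =  gamma*D*S/N
    beta: worm infections per infected host per unit time (when S=N);
    gamma: the same for the counterworm's patching.
    Returns final I and D and the peak of beta*I + gamma*D, used here as a
    crude proxy for the scanning load the network has to endure."""
    s, i, d = float(n_hosts - i0 - d0), float(i0), float(d0)
    peak_load = 0.0
    for _ in range(int(t_max / dt)):
        new_inf = beta * i * s / n_hosts * dt
        new_pat = gamma * d * s / n_hosts * dt
        taken = new_inf + new_pat
        if taken > s:                       # never remove more hosts than remain susceptible
            new_inf, new_pat = new_inf * s / taken, new_pat * s / taken
        s -= new_inf + new_pat
        i += new_inf
        d += new_pat
        peak_load = max(peak_load, beta * i + gamma * d)
    return {"infected": i, "patched": d, "peak_load": peak_load}


def compare():
    """Same worm with no defense and with a counterworm that starts from ten
    seed hosts and patches twice as fast as the worm infects."""
    return {"no_defense": simulate(), "counterworm": simulate(gamma=8.0, d0=10)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, {k: round(v) for k, v in result.items()})
```

In this toy run the counterworm protects nearly every host, but the combined scanning load peaks higher than the worm alone would have produced, which is the bandwidth trade-off the abstract lists among its metrics. The model also starts the defense at time zero; as the post notes, detecting the outbreak and getting a counterworm deployed in time is exactly what such models leave out.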
November 24, 2004 in counterworms, papers | Permalink
Thoughts: Antivirus industry needs to get its act together
In a recent editorial, Chris Mosby writes that the AV industry is quickly falling behind the speed with which variants of the latest worms appear:
With all of this going on, customers dealt with it as they usually do: working together as community. We sorted through all the information that trickled down to us. As usual, we got through it, with some of us showing a few more gray hairs.
I think I can speak for everyone in the security community when I say that "dealing with it" is not acceptable anymore. As customers, we should not have to work so hard to figure out which products keep us protected.
While the piece deals with the confusion among AV companies about which malware maps to which name, it touches upon a larger underlying problem. The speed with which new mobile malware (i.e., worms) can appear and spread on a network is a highly challenging scenario for traditional signature- or heuristic-based detection products. By accepting everything that is unknown and only flagging known malware, traditional AV products and IDS/IPS sensors increasingly fail under the growing speed with which worms and mobile malware appear and spread.
This is why I have advocated approaches that focus on the invariant behaviors of such malware, namely the attempts to propagate rapidly from host to host. Solutions such as virus throttling detect and help mitigate threats by assuming a reasonable position: malware typically attempts to propagate aggressively, and thus rapidly, from host to host, which causes infected systems to behave fundamentally differently than they normally do.
I firmly believe that such systems are what we must migrate to if we are to detect worms at a pace that affords real benefits to networks and otherwise defenseless hosts. A variety of approaches are actively under research and finding their way to market, making this a promising future. However, we have a long way to go and simply must continue along paths that afford true de novo threat detection.
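The behavioural invariant the post argues for can be turned into a mechanism without any signature at all. Below is an added example of a connection throttle in the spirit of the "virus throttling" mentioned above; it is my own code, not code from any product. Each host keeps a small working set of recently contacted destinations; a connection to a destination outside that set is delayed in a queue from which one request is released per second. Normal traffic lives inside the working set, while a host that suddenly contacts many new addresses builds a long queue, which serves both as the rate limit and as the alarm. The working-set size, release rate, alert threshold and the two traffic patterns are assumptions constructed for the example.

```python
"""A per-host connection throttle as a de novo worm detector (added example)."""
from collections import deque


class Throttle:
    def __init__(self, working_set_size=5, release_per_tick=1, alert_queue=100):
        self.working = deque(maxlen=working_set_size)  # recent destinations, oldest evicted
        self.queue = deque()                           # delayed new-destination connections
        self.release_per_tick = release_per_tick
        self.alert_queue = alert_queue
        self.alerted = False

    def connect(self, dst):
        """Called for every outbound connection attempt. Returns True if it
        goes out immediately, False if it is held in the delay queue."""
        if dst in self.working:
            return True
        self.queue.append(dst)
        if len(self.queue) >= self.alert_queue:
            self.alerted = True   # far more new destinations than this host ever needs
        return False

    def tick(self):
        """Once per second: let a fixed number of queued connections through
        and admit their destinations to the working set."""
        released = []
        for _ in range(self.release_per_tick):
            if not self.queue:
                break
            dst = self.queue.popleft()
            if dst not in self.working:
                self.working.append(dst)
            released.append(dst)
        return released


def run(traffic, seconds):
    """traffic(sec) -> destinations attempted in that second. Returns the
    largest queue seen, whether the alert fired, and in which second."""
    th = Throttle()
    max_queue, alert_second = 0, None
    for sec in range(seconds):
        for dst in traffic(sec):
            th.connect(dst)
            if th.alerted and alert_second is None:
                alert_second = sec
        max_queue = max(max_queue, len(th.queue))
        th.tick()
    return {"max_queue": max_queue, "alerted": th.alerted, "alert_second": alert_second}


def normal_host(sec):
    """A desktop talking to the same four servers over and over (constructed)."""
    servers = ["mail", "proxy", "fileserver", "dns"]
    return [servers[(sec + j) % 4] for j in range(3)]


def infected_host(sec):
    """A host that tries 50 never-before-seen addresses every second (constructed)."""
    return [f"10.{sec}.{k}.1" for k in range(50)]


if __name__ == "__main__":
    print("normal  ", run(normal_host, 30))    # small queue, no alert
    print("infected", run(infected_host, 10))  # queue explodes, alert in second 2
```

Nothing here knows what the worm looks like; the throttle reacts to the one thing a rapidly propagating worm cannot avoid doing, contacting many new hosts in a short time. The usual tuning concern is the working-set size and release rate for busy legitimate hosts (mail relays, proxies), which would otherwise be throttled; per-role profiles or exemptions are how that is handled in practice.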
November 23, 2004 in editorial, media | Permalink