
Computers and Epidemiology

Worms and viruses have sat at the intersection of computer networking and epidemiology for a number of years. The models are fundamentally similar, but they differ in a key way: if I'm sick, I have to make contact with a person to infect them, or at least pass through the same space within a time window to hand on my germs. A computer worm can infect hosts around the world at random, in a very narrow time window, with no physical proximity at all. This is a key paper to read and appreciate if you want to start thinking about worms from an epidemiological stance.
Today, computer virus epidemiology is an emerging science that reveals that protective measures are definitely within reach of individuals and organizations. Among its findings:
  • Computer viruses are far less rife than many have claimed. The rate of PC-DOS virus incidents for medium-sized to large businesses in North America appears to be about one per 1000 PCs per quarter. And fewer machines are caught up in a typical incident if anti-virus measures are in place.
  • Few PC-DOS viruses have thrived. Less than 15 percent of the more than 1500 known viruses have ever been observed in a large sample population and most of them only once. The top 10 viruses account for two-thirds of all incidents.
  • Because software and diskette sharing tends to be localized, even successful viruses spread at nowhere near the exponential rate that some have claimed. This is good news for the anti-virus industry, which otherwise would have to distribute its software updates even more often.
  • Centralized reporting and response within an organization is an extremely effective defense. These policies have more than halved the average incident size within the population monitored by IBM Corp., and can eliminate chronic infections that may afflict even conscientious organizations.
Source: Computers and Epidemiology, Jeffrey O. Kephart, David M. Chess, Steve R. White. Published in the IEEE SPECTRUM, May 1993.
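The contact-pattern difference described above (random, global contact versus localized sharing, which is also why the paper sees "nowhere near the exponential rate") can be made concrete with a small SI (susceptible/infected) simulation. This is an added example, not code from the Kephart, Chess and White paper; the ring topology, the one-contact-per-round rule and the population size are constructed assumptions.

```python
"""SI simulation contrasting random-contact spread (a scanning worm) with
neighbour-only spread (diskette or software sharing between nearby users).
Added illustration; the contact rules and parameters are constructed."""
import random


def simulate(n, steps, local, contacts_per_step=1, seed=7):
    """Run `steps` rounds over `n` hosts arranged on a ring.

    Returns the number of infected hosts after each round (index 0 = start).
    local=False: each infected host contacts a host chosen uniformly at random.
    local=True:  each infected host can only reach one of its two ring neighbours.
    """
    rng = random.Random(seed)
    infected = [False] * n
    infected[0] = True            # patient zero
    history = [1]
    for _ in range(steps):
        newly = []
        for host in range(n):
            if not infected[host]:
                continue
            for _ in range(contacts_per_step):
                if local:
                    target = (host + rng.choice((-1, 1))) % n
                else:
                    target = rng.randrange(n)
                if not infected[target]:
                    newly.append(target)
        for target in newly:      # infections take effect at the end of the round
            infected[target] = True
        history.append(sum(infected))
    return history


def rounds_to_fraction(history, n, fraction):
    """First round at which at least fraction*n hosts are infected, or None if never reached."""
    for round_no, count in enumerate(history):
        if count >= fraction * n:
            return round_no
    return None


if __name__ == "__main__":
    N, STEPS = 1000, 40
    random_hist = simulate(N, STEPS, local=False)
    local_hist = simulate(N, STEPS, local=True)
    print("random contact: half the hosts infected after",
          rounds_to_fraction(random_hist, N, 0.5), "rounds")
    print("local contact : half the hosts infected after",
          rounds_to_fraction(local_hist, N, 0.5), "rounds")
    print("infected after", STEPS, "rounds:", random_hist[-1], "(random) vs", local_hist[-1], "(local)")
```

With neighbour-only contact the infected region on the ring can grow by at most two hosts per round, so growth is linear; with random contact the early rounds roughly double the infected count and the population saturates within a few dozen rounds. The defensive reading is the paper's: response time matters far more for a randomly scanning worm than for a sharing-borne virus.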

January 31, 2005 in papers | Permalink | Comments (9)

An Environment for Controlled Worm Replication and Analysis

I actually did something like this for worm detection testing and sample data while I wrote the worm book back in '02 and '03. I found a number of things difficult to do with the resources I had available to me, but this paper shows a much more mature approach to the problem.
So-called 'worms' have been a feature of the malware landscape since the beginning, and yet have been largely ignored by anti-virus companies until comparatively recently. However, the near-complete connectivity of computers in today's western world, coupled with the largely Win32-centric base of installed operating systems make the rise of worms inevitable.

The author will describe techniques and mechanisms for constructing and utilising an environment enabling the automatic examination of worms and network-aware viruses. Whilst these techniques are being developed for incorporation into the IBM/Symantec Immune System for Cyberspace, the paper is not intended to be a discussion of the Immune System concept. Instead, the intent is to describe an approach that has been applied to the problem with some measure of success.

The approach involves building a virtual SOHO network, which is in turn connected to a virtual Internet. Both the virtual LAN and WAN are populated with virtual machines. The suspected worm is introduced into this environment, and executed therein. The whole system is closely monitored as execution progresses in the isolated environment, and data is amassed describing what the suspected worm did as it executed. This data is then processed by the system in an attempt to automatically determine whether or not the suspect programming is performing actions indicative of a worm or internet-aware malware.

Source: An Environment for Controlled Worm Replication and Analysis or: Internet-inna-Box, Ian Whalley, Bill Arnold, David Chess, John Morar, Alla Segal, Morton Swimmer.

It turns out that one of the major problems in such an approach is ensuring that a worm host can encounter another vulnerable system in a reasonable amount of time. You may have to play with routing, condense and reverse-NAT hosts (i.e. map whole /8 networks to a single host or virtual host), or modify the worm code. This is a tricky act, but it's vital to understand why your worm isn't propagating in your virtual host environment.

January 30, 2005 in papers | Permalink | Comments (1)

New Worm Brewing in Japan?

The vague nature of these media reports makes it difficult to tell if this is a new worm or an old one. All three news stories are very similar.

A new computer virus called "bot," which creates networks of infected computers to mount attacks on specific websites, is spreading, National Police Agency officials said Saturday. The NPA has been monitoring the new virus around the clock, calling on computer users to beware of possible infection.

Source: New computer virus 'bot' spreading, Japan Today, Saturday, January 29, 2005. Also see New virus suspected of infecting 2,500 PCs in Japan, India Times, January 29, 2005, and New 'bot' virus suspected of infecting 2,500 computers in Japan, AFP (via Yahoo!), January 29, 2005.

As always, additional information appreciated. I'll update as needed, should I get more details that confirm or deny something new is happening.

January 29, 2005 in new worms | Permalink | Comments (0)

Biological Models of Security for Virus Propagation in Computer Networks

Continuing on in the recent thread on biologically inspired worm defenses, a recent overview paper from Sanjay Goel and Stephen F. Bush.

This article discusses the similarity between the propagation of pathogens (viruses and worms) on computer networks and the proliferation of pathogens in cellular organisms (organisms with genetic material contained within a membrane-encased nucleus). It introduces several biological mechanisms which are used in these organisms to protect against such pathogens and presents security models for networked computers inspired by several biological paradigms, including genomics (RNA interference), proteomics (pathway mapping), and physiology (immune system). In addition, the study of epidemiological models for disease control can inspire methods for controlling the spread of pathogens across multiple nodes of a network. It also presents results based on the authors' research in immune system modeling.

Source: Biological Models of Security for Virus Propagation in Computer Networks, Sanjay Goel and Stephen F. Bush. This paper appeared in Usenix Login Magazine, December, 2004. For people who don't have a Usenix membership (and therefore can't download the PDF), you can grab a copy of the paper from this alternate site. This paper was pointed out to me by Kamal Hilmi Othman.

January 29, 2005 in papers | Permalink | Comments (0)

Blaster.B Author to be Sentenced

Earlier:

The author of the Blaster.B variant (the "teekids" variant of the Blaster worm, from August, 2003) is due to be sentenced soon. The defense is looking to ease up on the sentence.

Jeffrey Lee Parson, the Hopkins teenager who unleashed an Internet worm that infected an estimated 48,000 computers and caused more than $1 million in damage, should be sentenced to 37 months in prison, according to a formal recommendation made by federal prosecutors Tuesday.

Parson's sentencing is scheduled for Friday in U.S. District Court in Seattle. Parson, 19, who was arrested during his senior year at Hopkins High School, pleaded guilty in August to releasing the widely publicized Internet virus.

Source: Prosecutors seek 37-month term in Internet worm case, Paul Levy, Star Tribune, posted on January 26, 2005.

The Sophos company website has more on the subject:

Jeffrey Lee Parson, the man who created and released a version of the Blaster internet worm in August 2003, is due to be sentenced on Friday 28 January. According to media reports, lawyers for the defence and prosecution are disagreeing about the severity of the sentence he should receive.

Source: Lawyers disagree over Blaster virus author sentencing, Sophos reports, posted on 26 January 2005.

And finally, this report from silicon.com gives a bit more info about his potential fine:

Jeffrey Lee Parson, the teen who admitted to writing the Blaster virus, is now facing a three-year jail sentence and a bill for $626,000.

Source: Teen virus writer could pay Microsoft over $600,000, January 26 2005, by Jo Best.

Update:

The Associated Press is reporting his sentencing is complete:

A Minnesota man was sentenced Friday to 18 months in prison and 10 months of community service after pleading guilty to crippling nearly 50,000 computers by unleashing a variant of the "Blaster" Internet worm in the summer of 2003.

Source: Man Sentenced for Releasing Computer Worm, by GENE JOHNSON, Associated Press Writer.

January 28, 2005 in Blaster | Permalink | Comments (0)

The EarlyBird System for Real-time Detection of Unknown Worms

Now this is the one I meant to refer to earlier. I knew that Savage and company had done a project called "EarlyBird".

Network worms are a major threat to the security of today's Internet-connected hosts and networks. The combination of unmitigated connectivity and widespread software homogeneity allows worms to exploit tremendous parallelism in propagation. Modern worms spread so quickly that no human-mediated reaction to the outbreak of a new worm can hope to prevent a widespread epidemic. In this paper we propose an automated method for detecting new worms based on traffic characteristics common to most of them: highly repetitive packet content, an increasing population of sources generating infections and an increasing number of destinations being targeted. Our method generates content signatures for the worm without any human intervention. Preliminary results on a small network show promising results: we have identified three confirmed worms with a low percentage of false positives. This gives us reason to believe that our method could form the core of an effective network-level worm detection and countermeasure system capable of substantially slowing down the spread of new worms.

Source: The EarlyBird System for Real-time Detection of Unknown Worms,  Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage.
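The three traffic signals in the abstract (repetitive content, a growing set of sources, a growing set of destinations) can be combined into a small content sifter. What follows is an added example written for this post, not the EarlyBird implementation: it stores raw byte windows in Python sets where EarlyBird uses Rabin fingerprints with multistage filters and sampling, and the packets, addresses, thresholds and the 16-byte window size are all constructed.

```python
"""Simplified EarlyBird-style content sifting: a byte window becomes a
candidate worm signature once it is prevalent AND dispersed across many
sources AND many destinations. Added example; traffic is constructed."""
from collections import defaultdict

WINDOW = 16  # bytes per content window (EarlyBird fingerprints roughly 40-byte windows)


class ContentSifter:
    def __init__(self, prevalence=5, min_sources=3, min_destinations=5):
        self.prevalence = prevalence
        self.min_sources = min_sources
        self.min_destinations = min_destinations
        self.count = defaultdict(int)          # window -> packets carrying it
        self.sources = defaultdict(set)        # window -> distinct source addresses
        self.destinations = defaultdict(set)   # window -> distinct destination addresses

    def observe(self, src, dst, payload):
        """Account for one packet; return, in payload order, windows that now pass all thresholds."""
        flagged, seen = [], set()
        for i in range(len(payload) - WINDOW + 1):
            w = payload[i:i + WINDOW]
            if w in seen:
                continue                        # count each distinct window once per packet
            seen.add(w)
            self.count[w] += 1
            self.sources[w].add(src)
            self.destinations[w].add(dst)
            if (self.count[w] >= self.prevalence
                    and len(self.sources[w]) >= self.min_sources
                    and len(self.destinations[w]) >= self.min_destinations):
                flagged.append(w)
        return flagged


def merge(windows):
    """Join the leading run of consecutive, overlapping windows into one signature."""
    if not windows:
        return b""
    sig = windows[0]
    for w in windows[1:]:
        if w[:-1] == sig[-(WINDOW - 1):]:       # w starts where the signature ends
            sig += w[-1:]
        else:
            break
    return sig


# Constructed traffic: one worm-like payload from 4 sources to 12 targets, plus a
# popular but benign request from 10 clients to a single web server.
WORM = b"<<constructed worm payload: identical bytes from many sources to many targets>>"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def constructed_traffic():
    packets = [(f"10.1.0.{i}", "10.0.0.80", BENIGN) for i in range(1, 11)]
    target = 1
    for s in range(1, 5):
        for _ in range(3):
            packets.append((f"10.2.0.{s}", f"192.0.2.{target}", WORM))
            target += 1
    return packets


def run_demo():
    """Return (signatures extracted, whether the benign request was ever flagged)."""
    sifter = ContentSifter()
    signatures, benign_flagged = [], False
    for src, dst, payload in constructed_traffic():
        flagged = sifter.observe(src, dst, payload)
        if flagged:
            signatures.append(merge(flagged))
            benign_flagged = benign_flagged or payload == BENIGN
    return signatures, benign_flagged


if __name__ == "__main__":
    sigs, benign = run_demo()
    print("benign request flagged:", benign)
    print("first signature:", sigs[0] if sigs else None)
```

The benign request is just as prevalent as the worm payload and comes from more sources, but it never crosses the destination-dispersion threshold because every copy goes to one server; that is the reason the paper's method needs all three signals rather than content repetition alone. A production version would also have to cope with polymorphic payloads and with legitimate broadcast-like traffic (software updates, popular downloads), which the abstract's "low percentage of false positives" alludes to.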

January 27, 2005 in papers | Permalink | Comments (0)

Learning to Detect New and Unknown Malicious Programs

As you may have guessed by now, the automated discovery of new threats for rapid response is one of my favorite topics. This paper is up that alley:
Malicious programs pose a major threat to security, especially in the Windows platform. The most dangerous of these malicious programs are the ones that are new or unknown because they are not detected by traditional signature based anti-virii software. In this paper we present a data-mining approach to detecting new and unknown malicious programs. We extract a set of features from these programs through static analysis and build a classifier that detects which programs are potentially malicious. This classifier can generalize to other new or other unknown programs. We verify our results by testing our methods on a set of programs not used during training (i.e., programs unknown to our classifier). In one experiment, our method detects 81.54% of previously unknown malicious programs with a 0.96% false-positive rate.
Source: Learning to Detect New and Unknown Malicious Programs, Eleazar Eskin, Matthew G. Schultz, Erez Zadok, and Salvatore J. Stolfo.
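To make the "extract static features, train a classifier, test on programs unknown to it" pipeline concrete, here is an added example written for this post (not the paper's code or data): each program is represented by the set of API names it imports, and a Bernoulli naive Bayes model with Laplace smoothing decides malicious versus benign. The feature sets below are constructed by hand, so the perfect detection rate they produce says nothing about real-world performance; the paper's 81.54% / 0.96% figures come from its own much larger corpus.

```python
"""Static-feature malware classifier: sets of imported API names -> naive Bayes.
Added illustration; the training and held-out sets are constructed."""
import math
from collections import Counter


class BernoulliNB:
    """Naive Bayes over binary 'feature present' indicators with Laplace smoothing."""

    def __init__(self):
        self.vocab = set()
        self.prior = {}
        self.prob = {}      # label -> feature -> P(feature present | label)

    def fit(self, samples, labels):
        self.vocab = set().union(*samples)
        for label in set(labels):
            members = [s for s, l in zip(samples, labels) if l == label]
            counts = Counter(f for s in members for f in s)
            self.prior[label] = len(members) / len(samples)
            self.prob[label] = {f: (counts[f] + 1) / (len(members) + 2) for f in self.vocab}

    def log_posterior(self, features, label):
        lp = math.log(self.prior[label])
        for f in self.vocab:           # features absent from the vocabulary are ignored
            p = self.prob[label][f]
            lp += math.log(p) if f in features else math.log(1 - p)
        return lp

    def predict(self, features):
        return max(self.prob, key=lambda label: self.log_posterior(features, label))


def evaluate(clf, samples, labels):
    """Return (detection rate, false-positive rate) over a labelled set."""
    positives = sum(1 for l in labels if l == "malicious")
    negatives = len(labels) - positives
    tp = fp = 0
    for s, l in zip(samples, labels):
        if clf.predict(s) == "malicious":
            if l == "malicious":
                tp += 1
            else:
                fp += 1
    return tp / positives, fp / negatives


# Constructed feature sets: imported API names per program.
MALICIOUS = [
    {"URLDownloadToFileA", "WinExec", "RegSetValueExA", "CreateFileA"},
    {"WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx", "CreateFileA"},
    {"URLDownloadToFileA", "RegSetValueExA", "WinExec"},
    {"CreateRemoteThread", "WriteProcessMemory", "RegSetValueExA"},
]
BENIGN = [
    {"CreateFileA", "ReadFile", "WriteFile", "MessageBoxA"},
    {"GetWindowTextA", "MessageBoxA", "CreateFileA"},
    {"ReadFile", "GetWindowTextA", "CloseHandle"},
    {"WriteFile", "CloseHandle", "MessageBoxA", "CreateFileA"},
]
UNSEEN = [   # held-out programs the classifier never trained on
    {"URLDownloadToFileA", "WinExec", "CreateFileA"},
    {"ReadFile", "MessageBoxA", "CreateFileA"},
    {"CreateRemoteThread", "VirtualAllocEx", "ReadFile"},
    {"GetWindowTextA", "CloseHandle"},
]
UNSEEN_LABELS = ["malicious", "benign", "malicious", "benign"]


def train():
    clf = BernoulliNB()
    clf.fit(MALICIOUS + BENIGN, ["malicious"] * len(MALICIOUS) + ["benign"] * len(BENIGN))
    return clf


if __name__ == "__main__":
    clf = train()
    for program in UNSEEN:
        print(sorted(program), "->", clf.predict(program))
    print("detection rate, false-positive rate:", evaluate(clf, UNSEEN, UNSEEN_LABELS))
```

Note that CreateFileA appears on both sides and carries little weight, while the injection and download imports dominate; that is the generalization the abstract describes, and also the classifier's weakness, since a sample that resolves its imports dynamically shows none of these static features.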

January 26, 2005 in papers | Permalink | Comments (1)

Packetfence - GPL Worm Defense Tool

Packetfence is the name of a new worm defense tool designed for LAN security. Based on the overview, Packetfence looks like it can work in either of two ways. The "Layer 2" approach uses ARP poisoning to stop worm infected hosts from spreading any further. Using it as an inline bridge in the "Layer 3" mode you can basically use it like you would use the Snort plugin Snort-inline (now a part of the main Snort branch). From their website:

PacketFence provides interior worm mitigation and policy enforcement capabilities. PacketFence can be placed strategically throughout the enterprise to compartmentalize networks that may present a threat to valuable resources: VPN concentrators, client and guest networks, extranet connectivity points, etc. PacketFence is designed to operate in heterogeneous environments where users are either unable or unwilling, without assistance, to secure their systems properly.

Looking at the pieces that you assemble (which are all open source), it looks like you have to keep your Snort installation updated to detect worm hosts, so reacting to new worms will always be slowed down a bit due to the time it takes to generate signatures. Secondly, by using ARP poisoning you effectively shut off all communications from those hosts, which can be an undesirable situation. Also, some low-cost switches don't react well to ARP poisoning, so you can cause more damage than good if you're not careful.

January 25, 2005 in tools | Permalink | Comments (3)

The HoneyTank: a scalable approach to collect malicious Internet traffic

A slight departure from the normal worm-centric papers in favor of one that focuses on anomaly and intrusion detection technologies. These are readily applied to worm detection.

During the last few years, the amount of malicious traffic on the Internet has increased due to the spreading of worms, various port scanning activities, intrusion attempts or spammers. Collecting and analyzing this malicious traffic is an important issue. It can teach us what are the latest trends in computer misuse, it can help us discovering new kinds of attacks or it can be used to automatically generate signatures for network-based intrusion detection systems. In this paper, we propose an efficient method for collecting large amounts of malicious traffic running over TCP. The key advantage of our method is that it does not need to maintain any state to emulate TCP services running on a large number of emulated end-systems. We implemented a prototype on the ASAX IDS and provide in this paper several examples of the malicious activities which were collected on a campus network attached to the Internet. We explain how we implemented various protocols in a stateless way and we discuss limitations of our approach. We also discuss how our method can be improved to make an accurate but still stateless emulation of stateful protocols.

Source: The HoneyTank: a scalable approach to collect malicious Internet traffic, Nicolas Vanderavero, Xavier Brouckaert, Olivier Bonaventure, and Baudouin Le Charlier. This paper appeared at IISW04 in December, 2004.

Looking over this paper shows that they have extended the normal IDS techniques to be far more flexible, and apparently met with some success. In doing so, one can detect novel worm outbreaks if the abused services are sufficiently well instrumented and analyzed. This does provide a means to measure Internet "waste" traffic, however, and to quantify worm outbreaks.
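The abstract's central trick, emulating TCP services "without maintaining any state" for a large number of fake end-systems, comes down to making the server's initial sequence number a keyed function of the 4-tuple, so that a later ACK can be validated by recomputation instead of a table lookup. The following is an added example written for this post, not the ASAX/HoneyTank code: the packet representation, the HMAC-based sequence derivation, the addresses and the banner are all constructed assumptions.

```python
"""Stateless TCP handshake emulation: the responder keeps no per-connection
table; its ISN is an HMAC of the peer's 4-tuple, recomputed on every segment.
Added example; fields, secret and banner are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

MASK = 0xFFFFFFFF                                  # TCP sequence numbers are 32-bit modular
BANNER = b"220 honeytank.example.test ESMTP\r\n"  # constructed service banner


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: frozenset
    payload: bytes = b""


class StatelessResponder:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.stored_connections = 0   # never incremented: nothing is kept per peer

    def isn(self, seg: Segment) -> int:
        """Initial sequence number for the peer's 4-tuple; recomputable at any time."""
        tuple_bytes = f"{seg.src}:{seg.sport}->{seg.dst}:{seg.dport}".encode()
        digest = hmac.new(self.secret, tuple_bytes, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def handle(self, seg: Segment):
        """Return the segment to send in reply, or None."""
        reply = dict(src=seg.dst, sport=seg.dport, dst=seg.src, dport=seg.sport)
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            # Answer every SYN, whatever the destination address or port (the "large
            # number of emulated end-systems"); the ISN encodes whom we answered.
            return Segment(**reply, seq=self.isn(seg), ack=(seg.seq + 1) & MASK,
                           flags=frozenset({"SYN", "ACK"}))
        if "ACK" in seg.flags:
            expected = (self.isn(seg) + 1) & MASK
            if seg.ack != expected:
                return None               # does not acknowledge a SYN-ACK we would have sent
            if seg.payload:
                # First request on the connection: answer with the banner. A second
                # request would carry a different ack number, which is the limitation
                # the paper discusses for stateful protocols.
                return Segment(**reply, seq=expected,
                               ack=(seg.seq + len(seg.payload)) & MASK,
                               flags=frozenset({"ACK", "PSH"}), payload=BANNER)
        return None


def run_exchange(secret=b"constructed-secret"):
    """Drive a handshake plus one request through the responder and report what happened."""
    r = StatelessResponder(secret)
    client = dict(src="198.51.100.7", sport=40000, dst="203.0.113.5", dport=25)
    synack = r.handle(Segment(**client, seq=1000, ack=0, flags=frozenset({"SYN"})))
    good_ack = (synack.seq + 1) & MASK
    bare_ack = Segment(**client, seq=1001, ack=good_ack, flags=frozenset({"ACK"}))
    data = Segment(**client, seq=1001, ack=good_ack,
                   flags=frozenset({"ACK", "PSH"}), payload=b"EHLO client\r\n")
    forged = Segment(**client, seq=1001, ack=(synack.seq + 2) & MASK,
                     flags=frozenset({"ACK", "PSH"}), payload=b"EHLO client\r\n")
    return {
        "synack_flags": set(synack.flags),
        "synack_ack": synack.ack,
        "bare_ack_reply": r.handle(bare_ack),
        "data_reply": r.handle(data),
        "forged_reply": r.handle(forged),
        "stored": r.stored_connections,
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

Because the ISN is keyed, a sender that never received the SYN-ACK (a spoofed-source scan, or a replayed segment from another address) cannot produce an acceptable ACK, which is also what keeps the collector from being flooded with bogus "connections". The cost, as the abstract notes, is that anything beyond a one-request exchange needs the state to be reconstructed from the segment itself.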

January 24, 2005 in sasser | Permalink | Comments (0)

MINDS - Minnesota Intrusion Detection System

Another paper on traditional IDS technologies and how they can be used to detect worm activity.

This paper introduces the Minnesota Intrusion Detection System (MINDS), which uses a suite of data mining techniques to automatically detect attacks against computer networks and systems. While the long-term objective of MINDS is to address all aspects of intrusion detection, this paper focuses on two specific contributions: (i) an unsupervised anomaly detection technique that assigns a score to each network connection that reflects how anomalous the connection is, and (ii) an association pattern analysis based module that summarizes those network connections that are ranked highly anomalous by the anomaly detection module. Experimental results on live network traffic at the University of Minnesota show that our anomaly detection techniques are very promising and are successful in automatically detecting several novel intrusions that could not be identified using popular signature-based tools such as SNORT. Furthermore, given the very high volume of connections observed per unit time, association pattern based summarization of novel attacks is quite useful in enabling a security analyst to understand and characterize emerging threats.

Source: MINDS - Minnesota Intrusion Detection System, Levent Ertöz, Eric Eilertson, Aleksandar Lazarevic, Pang-Ning Tan, Vipin Kumar, Jaideep Srivastava, Paul Dokas.

This paper covers how they used MINDS to detect various worm instances on a large network. What is interesting is how they did it, basically using behavior-based approaches to monitor the in- and out-degree of network nodes. When a host's out-degree surges higher than expected, it's often a sign of an infected host attempting to propagate to other hosts. All scanned hosts will see their in-degree values rise in this scenario.
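The in-/out-degree signal described above is easy to compute from flow records, and a small example shows both sides of it: the scanning host's out-degree jumps, and each scanned host acquires an in-degree of one from a source it never saw before. This is an added example for this post, not MINDS code: the flow records are constructed, and the score is a simple ratio against a per-host baseline rather than the paper's anomaly score.

```python
"""Out-degree surge detection over flow records, the behavioural signal
described for MINDS. Added illustration; flows and scoring rule are constructed."""
from collections import defaultdict


def degrees(flows):
    """Distinct peers per host: (out-degree by source, in-degree by destination)."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    for src, dst in flows:
        out_peers[src].add(dst)
        in_peers[dst].add(src)
    return ({h: len(p) for h, p in out_peers.items()},
            {h: len(p) for h, p in in_peers.items()})


def out_degree_scores(baseline_flows, window_flows, floor=5):
    """Score each source by current out-degree relative to its baseline.

    The baseline is floored so that a quiet host that talks to two extra
    servers is not scored as anomalous as a host that sweeps a subnet.
    """
    base_out, _ = degrees(baseline_flows)
    cur_out, _ = degrees(window_flows)
    return {h: d / max(base_out.get(h, 0), floor) for h, d in cur_out.items()}


def flagged(scores, threshold=3.0):
    return sorted(h for h, s in scores.items() if s >= threshold)


def newly_contacted(baseline_flows, window_flows):
    """Destinations that gained in-degree in the window but were never seen in the baseline."""
    _, base_in = degrees(baseline_flows)
    _, cur_in = degrees(window_flows)
    return sorted(h for h in cur_in if h not in base_in)


# Constructed flows (src, dst): five clients talk to three servers in the baseline;
# in the detection window client .3 additionally touches 40 hosts in 10.0.1.0/24.
SERVERS = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
CLIENTS = [f"10.0.0.{i}" for i in range(1, 6)]
BASELINE = [(c, s) for c in CLIENTS for s in SERVERS for _ in range(3)]
DETECTION_WINDOW = BASELINE + [("10.0.0.3", f"10.0.1.{i}") for i in range(1, 41)]


if __name__ == "__main__":
    scores = out_degree_scores(BASELINE, DETECTION_WINDOW)
    print("flagged sources:", flagged(scores))
    print("score of 10.0.0.3:", round(scores["10.0.0.3"], 2))
    print("previously unseen destinations contacted:", len(newly_contacted(BASELINE, DETECTION_WINDOW)))
```

The same computation run per time window, with the baseline taken from a longer training period, is the core of the detection; the summarization step the paper adds (grouping the flagged connections by shared port, protocol or subnet) is what turns forty individual anomalies into one line an analyst can read.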

January 23, 2005 in papers | Permalink | Comments (0)