
Wormstat: Monitoring Logfiles

Ever get tired of seeing all of those worm infection attempts against your Apache web server? Don't you think you should do something with these logfile lines? You can analyze them and measure the prevalence of basic worm signatures or other popular web attacks.

This is a simple Perl script I wrote to count the number of attacks from infected MS/IIS reaching my little HTTP server. Since these worms find new targets with simple class C scans, once a client of my ISP is infected, all other clients are attacked. I only focused on MS/IIS worms, because I didn't find any trace of Apache exploits in my logs. Anyway, it is very easy to add a worm signature into the script.

Source: Wormstat homepage, by Vincent Caron.

This is a nicer, nearly real-time implementation of basic logfile analysis, something I did a few years ago and wrote up in View from a /32.
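As an added example (not Caron's Perl script), here is the same idea in Python: classify the request path of each Apache access-log line against a small signature table, count hits per worm family and per attacking /24, and skip lines that do not parse. The signature table and the sample log lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# One Apache combined-format line: client IP ... "METHOD PATH HTTP/x.y" status.
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Request-path signatures of IIS worms, which Apache logs as 404s. This table is
# an assumption for the example, not Wormstat's own signature list.
SIGNATURES = {
    "CodeRed": re.compile(r"^/default\.ida\?", re.I),
    "Nimda": re.compile(r"/(?:scripts|msadc)/root\.exe|/winnt/system32/cmd\.exe", re.I),
}

def classify(path):
    """Return the worm family whose signature matches the request path, else None."""
    return next((name for name, pat in SIGNATURES.items() if pat.search(path)), None)

def wormstat(lines):
    """Count hits per worm family, distinct attacking IPs, and attackers per /24."""
    hits, sources, class_c, unparsed = Counter(), defaultdict(set), defaultdict(set), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1   # not an access-log line; skip rather than abort
            continue
        family = classify(m.group("path"))
        if family is None:
            continue        # ordinary request
        ip = m.group("ip")
        hits[family] += 1
        sources[family].add(ip)
        class_c[ip.rsplit(".", 1)[0] + ".0/24"].add(ip)  # neighbourhood scans show up here
    return {"hits": dict(hits),
            "attackers": {f: len(s) for f, s in sources.items()},
            "per_class_c": {net: len(s) for net, s in class_c.items()},
            "unparsed": unparsed}

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.7 - - [28/Feb/2005:10:15:02 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [28/Feb/2005:10:15:09 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
10.0.0.23 - - [28/Feb/2005:10:16:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
10.0.0.42 - - [28/Feb/2005:10:17:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
not an access-log line
""".splitlines()

if __name__ == "__main__":
    print(wormstat(SAMPLE_LOG))
```

Adding a worm signature is a one-line change to the SIGNATURES table; the per-/24 count is what makes the neighbourhood scanning Caron describes visible.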

February 28, 2005 in tools

An Approach for Detecting Self-Propagating Email Using Anomaly Detection

This one sort of reminds me of Feedback Email Worm Defense System for Enterprise Networks, by Cliff C. Zou, Weibo Gong, Don Towsley.

This paper develops a new approach for detecting self-propagating email viruses based on statistical anomaly detection. Our approach assumes that a key objective of an email virus attack is to eventually overwhelm mail servers and clients with a large volume of email traffic. Based on this assumption, the approach is designed to detect increases in traffic volume over what was observed during the training period. This paper describes our approach and the results of our simulation-based experiments in assessing the effectiveness of the approach in an intranet setting. Within the simulation setting, our results establish that the approach is effective in detecting attacks all of the time, with very few false alarms. In addition, attacks could be detected sufficiently early so that clean up efforts need to target only a fraction of the email clients in an intranet.

Source: An Approach for Detecting Self-Propagating Email Using Anomaly Detection, Ajay Gupta and R. Sekar.

February 27, 2005 in mass mailers, papers

WORM vs. WORM: Preliminary Study of an Active Counter-Attack Mechanism

Even more on the good worm strategy:

Self-propagating computer worms have been terrorizing the Internet for the last several years. With the increasing density, inter-connectivity and bandwidth of the Internet combined with security measures that inadequately scale, worms will continue to plague the Internet community. Existing anti-virus and intrusion detection systems are clearly inadequate to defend against many recent fast-spreading worms. In this paper we explore an active counter-attack method - anti-worms. We propose a method that transforms a malicious worm into an anti-worm which disinfects its original. The method is evaluated using the CodeRed, Blaster and Slammer worms. We show through simulation the effectiveness of an anti-worm with several propagation schemes and its impact on the overall network. We also discuss important limitations of the proposed method.

Source: WORM vs. WORM: Preliminary Study of an Active Counter-Attack Mechanism, Frank Castañeda, Emre Can Sezer, Jun Xu.

February 26, 2005 in counterworms, papers

CFP: The 3rd Workshop on Rapid Malcode (WORM 2005)

The WORM workshop is probably one of the most focused and well known events for researchers studying Internet worms and issues surrounding them. The call for papers has gone out, and now is your chance to get your work submitted. Luckily you have a bit of time to get something together.

In the last several years, Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. The vehicles for these outbreaks, malicious codes called "worms", take advantage of the combination of software monocultures and the uncontrolled Internet communication model to quickly compromise large numbers of hosts. Such worms are increasingly being used as delivery mechanisms for various types of malicious payloads, including remote-controlled "zombies", spyware and botnets. Recent incidents have also revealed the use of new propagation techniques as well as the use of worms to target small user communities or specific applications. Current operational practices have not been able to manage these threats effectively.

Source: The 3rd Workshop on Rapid Malcode (WORM) CFP. WORM05 will be held in Fairfax, VA, USA, November 11th, 2005 in conjunction with ACM CCS.

Important dates for this conference:

  • Paper submissions due: June 23rd, 2005
  • Acceptance notifications: August 14th, 2005 
  • Camera ready copy for accepted papers: August 28th, 2005
  • CCS Conference: November 7-11, 2005
  • WORM Workshop: November 11th, 2005

February 25, 2005 in events

What Does the Future Hold?

Predicting the future state of the worm landscape is often of interest to worm researchers. Different researchers use different means to generate a hypothesis. Sometimes it's a matter of worst possible scenarios, but other times it's based on trend analysis. These two reports fall into the latter category.

The first is from AhnLab. The model, presented by Charles Ahn, president of the securities solution firm AhnLab, at COEX in Korea in February of this year, predicts that 2005 will be a worm-filled year:

In a speech given at an event commemorating cyber safety at COEX, Charles Ahn, president of the securities solution firm AhnLab, said that major damage from computer viruses happens every two years.

"It may be a rash prediction, but it will be safer to be more careful. In 1999, there was the CIH virus, followed by the Code Red worm in 2001. In 2003, Internet networks nationwide were disabled," he said.

Source: AhnLab president warns of big virus risk, by Wohn Dong-hee, JoongAng Daily, February 24, 2005.

The second is from me (worm researcher, Arbor Networks). Together with Dug Song and Thomas Ptacek, we developed a model of what we call "wormability", or the utility of a vulnerability to be used by a worm as its main propagation vector. The method has had mixed success, mainly in overstating the number of vulnerabilities which are candidates for use in a worm, although it correctly predicted Sasser and the WINS scanning from the winter of 2004. The presentation was made at RSA 2005 in San Francisco, CA.

Security researchers are developing a method to predict the potential for individual vulnerabilities to become the subject of computer worms. Although Arbor Network's "wormability" formula for predicting worms is far from perfect it allows the firm to give better advice on prioritising security remediation actions and insight into the vulnerabilities likely to be wormed.

Source: Wormability formulae weighs malware risks, by John Leyden, 22nd February 2005. You can view an earlier draft of the slides in this PowerPoint deck: Wormability: A Metric for Predicting Global Worm Attacks, from the Arbor Networks website. A paper is forthcoming (it's been submitted to DIMVA 05).

February 24, 2005 in events, media, slides

IM Worms: Recent events, events, and models

IM, or instant messaging, worms have been talked about for a while, and some recent events make the topic relevant to wormblog readers.

First up is a paper that discusses the scale-free nature of IM networks:

The topology of an instant messaging system is described. Statistical measures of the network are given and compared with the statistics of a comparable random graph. The scale-free character of the network is examined and implications are given for the structure of social networks and instant messenger security.

Source: Instant Messaging as a Scale-Free Network, Reginald Smith. Simply put, when a worm hits such a network topology it can spread like wildfire. Interested readers will also want to see The Top Speed of Flash Worms, Malicious threats and vulnerabilities in instant messaging by Eric Chien and Neal Hindocha, and also Virus throttling for instant messaging by Matthew Williamson and Alan Parry. I'll be posting a paper here shortly on epidemics and how they spread in scale-free networks. People new to scale-free networks may want to read the book Linked by Albert-Laszlo Barabasi.

Secondly, the Bropia family of worms has been plaguing some MSN Messenger users for a while now. Descriptions from the major AV vendors include: Trend Micro, Symantec, and F-Secure. The worm spreads via the MSN chat protocol and uses various exploit techniques, including social engineering (i.e., "Click on this link!") methods, to get the malware on your system. Some of the variants have been dropping variants of the SDBot family on affected systems, which spreads using a number of commonly found Windows attack methods.

Microsoft's reaction to this and other recent threats to their MSN Messenger tool is to begin to use their powers as network owners to control access to the network. In a move that will be lauded by some and complained about by others, Microsoft is forcing users to upgrade to the latest MSN messenger client. As detailed in a knowledge base article, Microsoft outlines the increased number of threats to the users of the MSN Messenger client, with one of the latest being a malicious image file threat. This move helps Microsoft ensure the protection of their IM network and protect their clients' systems, and ultimately all of us who use the Internet.

Overall, it's been an interesting year already (and it's only the second month) for IM-based threats.

February 23, 2005 in media

Effect of Malicious Traffic on the Network

Everyone knows that large-scale attacks have a negative impact on network performance. These guys did a writeup looking at the effects of various attacks.

The Internet has witnessed a steady rise in malicious traffic including DDoS and worm attacks. In this paper, we study the effect of malicious traffic on the background traffic by analyzing recent traces from two different locations. We show that malicious traffic causes an increase in the average DNS latency by 230% and an increase in the average web latency by 30% even on highly over-provisioned links. We also study the effect of the recent linux slapper worm. Using packet-level simulations based on an empirically derived model of the worm, we demonstrate that the effect of worm-infected hosts can be disastrous when they trigger a DDoS attack.

Source: Effect of Malicious Traffic on the Network, Kun-chan Lan, Alefiya Hussain, and Debojyoti Dutta.

February 22, 2005 in papers

Early Bird: Catching worms while sysadmins sleep

Not to be confused with the Earlybird project from Savage et al., someone else is using the metaphor.

This honours thesis demonstrates the need for an automated, anomaly-based Internet worm detection system that is effective at identifying Internet worm packets with a low false-positive rate.

The theory of general Discrete Symbol Hidden Markov Models and the theory of the equivalent on-line models is discussed, and the general structure of Hidden Markov Models is related to the problem of identifying Internet worm packets in a sequence of normal network packets.

The effectiveness of various on-line Hidden Markov Model configurations in detecting Sapphire Internet worm packets in a sequence of normal UDP packets is evaluated, demonstrating that Hidden Markov Models can be successfully used as the basis of an automated, anomaly-based Internet worm detection system.

Source: Early Bird: Catching worms while sysadmins sleep, Andrew Hill.

February 21, 2005 in papers

Using a Vulnerability Assessment to Discover Worm Hosts

The Nessus tool is a popular, powerful open source vulnerability scanner. It has a basic scripting language you can use to create new plugins and detection modules. Among the many available are some that detect Sasser-infected hosts. This is a great example of repurposing one tool for another use.

The first plugin detects the Sasser backdoor and presents the Nessus user with a message when it finds an infected host.

The Sasser worm is infecting this host. Specifically, a backdoored command server may be listening on port 9995 or 9996 and an ftp server (used to load malicious code) is listening on port 5554 or 1023. There is every indication that the host is currently scanning and infecting other systems.

Source: Sasser Virus Detection, plugin page, apparently developed by Tenable Security (a commercial Nessus organization).

You can also use Nessus to detect the original MS04-011 vulnerability, which is what Sasser used to propagate. The Nessus plugin is described here:

The remote host seems to be running a version of Microsoft OS which is vulnerable to several flaws, ranging from denial of service to remote code execution. Microsoft has released a Hotfix (KB835732) which addresses these issues.

Source: Microsoft Hotfix for KB835732 (SMB check) Nessus detection plugin, also apparently developed by Tenable.

February 20, 2005 in tools

Code-Red: a case study on the spread and victims of an Internet worm

While the Code Red worm outbreak was over three and a half years ago (July 2001), this is still an interesting paper.

On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent strains of Code-Red, is estimated to be in excess of $2.6 billion. Despite the global damage caused by this attack, there have been few serious attempts to characterize the spread of the worm, partly due to the challenge of collecting global information about worms. Using a technique that enables global detection of worm spread, we collected and analyzed data over a period of 45 days beginning July 2nd, 2001 to determine the characteristics of the spread of Code-Red throughout the Internet.

In this paper, we describe the methodology we use to trace the spread of Code-Red, and then describe the results of our trace analyses. We first detail the spread of the Code-Red and CodeRedII worms in terms of infection and deactivation rates. Even without being optimized for spread of infection, Code-Red infection rates peaked at over 2,000 hosts per minute. We then examine the properties of the infected host population, including geographic location, weekly and diurnal time effects, top-level domains, and ISPs. We demonstrate that the worm was an international event, infection activity exhibited time-of-day effects, and found that, although most attention focused on large corporations, the Code-Red worm primarily preyed upon home and small business users. We also qualified the effects of DHCP on measurements of infected hosts and determined that IP addresses are not an accurate measure of the spread of a worm on timescales longer than 24 hours. Finally, the experience of the Code-Red worm demonstrates that wide-spread vulnerabilities in Internet hosts can be exploited quickly and dramatically, and that techniques other than host patching are required to mitigate Internet worms.

Source: Code-Red: a case study on the spread and victims of an Internet worm, David Moore, Colleen Shannon, Jeffery Brown. There is also a PowerPoint slide deck that is related.

February 19, 2005 in Code Red, papers