
Continuous Worm Reports from Honeynet Projects

Anton Chuvakin keeps a neat page up with regularly updated reports on honeynet activity.

Goals of the project

  • To learn about attacker techniques, methods and tools
  • Test the netForensics SIM framework under realistic attack conditions
  • Develop novel attack data analysis techniques for real-time correlation, anomaly detection and log data mining
  • Study possibilities for statistical attack prediction
  • Try various computer forensics tools to recover penetrated systems
  • Experiment with various software and hardware configurations to accumulate attack statistics
  • Collect Internet threat intelligence information

Source: Anton Chuvakin's Honeynet, a page that he keeps updated with malicious activity tracked by his honeynet machines, including worm activity.

Niels keeps the honeyd.org site updated with live statistics, too:

Recent versions of Honeyd support real-time capture of network traffic statistics. A new console will visualize the data using the internal Honeyd web server. In the following, you see an example of live data captured from several Honeyd machines.

The following statistics are currently available:

  • Operating System Distribution
  • Destination Port Distribution
  • Spammer IP Address Distribution

The information often tracks back to worm hosts, including the source of spam. An interesting analysis.

March 31, 2005 in honeypots, new worms

Adjustment to Blaster.B Author's Sentence

Found via the eWeek security blog: it looks like the $500,000 restitution that Jeffrey Parson was ordered to pay may be worked off over a 3-year stint of community service, after an agreement between Parson's lawyers and Microsoft. The judge in the case still has to approve the deal, but this would alleviate some of the burden on Parson while still providing some measure of restitution from him:

Parson was also ordered to pay Microsoft $500,000 in restitution but - pending agreement from Judge Pechman - Parson will now work off his debt to Microsoft during his three years of supervised release, working 75 hours per year. Microsoft has stipulated that the community service is not to involve computers or the Internet, and is to benefit less fortunate members of the community.

Source: Blaster author avoids restitution, posted on the Virus Bulletin site.

Wormblog has been tracking fallout from the Blaster worm for some time now. While Parson is the higher-profile of the two people who have been taken to court for making variants of the Blaster worm, the actual author of the original Blaster worm remains unknown to the public. Microsoft has a reward open for information leading to the arrest and conviction of the Blaster.A author.

March 30, 2005 in Blaster, media

Honeynet report: Internet Worms

A writeup of a worm captured by a honeypot. While it's a bit short on details of how the analysis was done, it does reveal the powerful insight you get from using a honeypot to track worm activity.

A worm attack captured by the Honeynet Project in recent times is a good example of how exactly these worms work and gives us a good indication as to what can be done to prevent them. This month we will analyse a worm infection of a Windows 98 home computer. If the Google search engine's statistics are a good indicator of the prevalence of a given operating system, almost one quarter, or 24%, of computers on the Internet are still running the Windows 98 operating system, and many of these have a dedicated broadband Internet connection.

Source: Internet Worms, a Honeynet report from the Honeynet group in Ireland.

March 30, 2005 in detection, honeypots, new worms, papers

HoneyStat: Local Worm Detection Using Honeypots

The next series of papers is going to look at honeypots and their roles in detecting and countering network worms. Many people like to use honeypots as detection systems, but there's a bit of an art to it. For effective scan and worm detection, you can't simply stick a box up on an IP address and hope it works; you really have to architect it right. Secondly, once you have a honeypot, you'll want to monitor it and track what you find. And thirdly, you can do a few interesting things with honeypots, since you control the target.

A couple of links before we begin:

  • An earlier piece on ForeScout, who used a honeypot to track a new worm.
  • Have a look at Malware Blog, Eric Johansen's blog about his ongoing research into network malware using honeypots. He's always writing something new; great information.
  • The HoneyTank architecture falls into the honeypot discussion and is worth a review, too.
  • SMB Lure is effectively a Windows filesharing honeypot, also great for tracking Windows worms.
  • For a great description of how you can create a malicious honeypot, have a look at Towards Evil Honeypots?! When they bite back ... by Laurent Oudot, presented in spring 2004 at CanSecWest.

And now, on to the paper series. We'll cover actual honeypot tools, papers that show how they react to worms, and the like.

Worm detection systems have traditionally used global strategies and focused on scan rates. The noise associated with this approach requires statistical techniques and large data sets (e.g., 2^20 monitored machines) to yield timely alerts and avoid false positives. Worm detection techniques for smaller local networks have not been fully explored.

We consider how local networks can provide early detection and complement global monitoring strategies. We describe HoneyStat, which uses modified honeypots to generate a highly accurate alert stream with low false positive rates. Unlike traditional highly-interactive honeypots, HoneyStat nodes are script-driven, automated, and cover a large IP space.

The HoneyStat nodes generate three classes of alerts: memory alerts (based on buffer overflow detection and process management), disk write alerts (such as writes to registry keys and critical files) and network alerts. Data collection is automated, and once an alert is issued, a time segment of previous traffic to the node is analyzed. A logit analysis determines what previous network activity explains the current honeypot alert. The result can indicate whether an automated or worm attack is present.

We demonstrate HoneyStat's improvements over previous worm detection techniques. First, using trace files from worm attacks on small networks, we demonstrate how it detects zero-day worms. Second, we show how it detects multi-vector worms that use combinations of ports to attack. Third, the alerts from HoneyStat provide more information than traditional IDS alerts, such as binary signatures, attack vectors, and attack rates. We also use extensive (year-long) trace files to show how the logit analysis produces very low false positive rates.

Source: HoneyStat: Local Worm Detection Using Honeypots, David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian Grizzard, John Levine, and Henry Owen.
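The logit step described in the abstract, as an added toy illustration (not the HoneyStat authors' code): each honeypot observation window is labelled with whether an alert fired, the inbound connection attempts per destination port seen before the window's end are the explanatory variables, and a logistic regression tells you which prior activity best explains the alerts. The ports, counts and training parameters are all constructed for the example.

```python
"""Toy HoneyStat-style logit analysis: which prior inbound activity explains
honeypot alerts?  Added example; data, ports and parameters are constructed."""
import math

PORTS = [80, 135, 445, 1434]  # candidate explanatory features (constructed)

# Constructed windows: (inbound attempts per port before window end, alert?)
WINDOWS = [
    ({80: 2, 135: 5, 445: 0, 1434: 0}, 1),
    ({80: 0, 135: 7, 445: 1, 1434: 0}, 1),
    ({80: 0, 135: 4, 445: 0, 1434: 0}, 1),
    ({80: 3, 135: 6, 445: 0, 1434: 0}, 1),
    ({80: 4, 135: 0, 445: 0, 1434: 0}, 0),
    ({80: 6, 135: 0, 445: 2, 1434: 0}, 0),
    ({80: 1, 135: 0, 445: 0, 1434: 3}, 0),
    ({80: 0, 135: 0, 445: 3, 1434: 0}, 0),
]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def fit_logit(windows, ports=PORTS, lr=0.05, steps=4000, l2=0.01):
    """Gradient descent on L2-regularised logistic loss; returns (bias, weights)."""
    w = {p: 0.0 for p in ports}
    b = 0.0
    n = len(windows)
    for _ in range(steps):
        gb, gw = 0.0, {p: 0.0 for p in ports}
        for feats, y in windows:
            err = sigmoid(b + sum(w[p] * feats.get(p, 0) for p in ports)) - y
            gb += err
            for p in ports:
                gw[p] += err * feats.get(p, 0)
        b -= lr * gb / n
        for p in ports:
            w[p] -= lr * (gw[p] / n + l2 * w[p])   # bias is not regularised
    return b, w

def alert_probability(model, feats):
    """Fitted probability that a window with this traffic ends in an alert."""
    b, w = model
    return sigmoid(b + sum(w[p] * feats.get(p, 0) for p in w))

def explanatory_port(model):
    """Port whose coefficient contributes most to alerts (largest positive weight)."""
    return max(model[1], key=model[1].get)

if __name__ == "__main__":
    m = fit_logit(WINDOWS)
    for p, coef in sorted(m[1].items(), key=lambda kv: -kv[1]):
        print(f"port {p:5d}: logit coefficient {coef:+.3f}")
    print("most explanatory port:", explanatory_port(m))
```

In this constructed data only the port-135 traffic separates alert windows from quiet ones, so its coefficient comes out large and positive while the web traffic seen in both classes does not explain the alerts.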

March 29, 2005 in detection, honeypots, papers

A Network Worm Vaccine Architecture

This is the same group that I posted about earlier with the approach of countering worms with patches.

The ability of worms to spread at rates that effectively preclude human-directed reaction has elevated them to a first-class security threat to distributed systems. We present the first reaction mechanism that seeks to automatically patch vulnerable software. Our system employs a collection of sensors that detect and capture potential worm infection vectors. We automatically test the effects of these vectors on appropriately-instrumented sandboxed instances of the targeted application, trying to identify the exploited software weakness. Our heuristics allow us to automatically generate patches that can protect against certain classes of attack, and test the resistance of the patched application against the infection vector. We describe our system architecture, discuss the various components, and propose directions for future research.

Source: A Network Worm Vaccine Architecture, Stelios Sidiroglou and Angelos D. Keromytis.

March 28, 2005 in papers

Analyze the Worm-based Attack in Large Scale P2P Networks

Another paper looking at the modeling of epidemics (like worms) on P2P networks. This one is much shorter, however.

Peer-to-Peer (P2P) computing has become an interesting research topic during recent years. In this paper, we address issues related to analyzing the worm-based attack in P2P systems. Particularly, our technologies include: 1) generic mathematical models for attacker/defender and different P2P systems; 2) practical and effective attack prevention schemes. We find that our proposed defense strategy can efficiently improve the performance of worm detection and system recovery.

Source: Analyze the Worm-based Attack in Large Scale P2P Networks, Wei Yu.

March 27, 2005 in papers, Peer To Peer

Analyzing the Spread of Active Worms over VANET

This is the first paper of its kind that I've seen. It marries traditional epidemic spreading models with network threat modeling to achieve a new, very relevant analysis. Make sure you look at this Slashdot story, Lexus Computers Infected Via Bluetooth, for just how serious a threat this can be.

Interactive communications among nodes in Vehicular Ad Hoc Networks (VANET) and the safety-oriented nature of many VANET applications necessitate a robust security framework. An active worm over VANET can, in addition to the well-known threats to information confidentiality, integrity and service availability, pose a whole new class of traffic-related threats (ranging from congestion to large-scale accidents). This paper investigates the parameters governing the spread of active worms over VANET. To this end, we first define the average effective distance between two VANET vehicles using parameters of freeway traffic (such as velocity, time lag, number of lanes and traffic density). This effective distance measure is then used to describe the behavior of a VANET link as a log-normal shadow fading channel. The channel model is employed to define the VANET topology as a geometric random graph. We derive an analytic expression describing the average node degree of the VANET graph. The spread of a worm over VANET is modeled using a stochastic model of infectious diseases, namely the standard Susceptible, Infected, Removed (SIR) epidemic model. We run the stochastic SIR epidemic model on the VANET graph. For both congested and low-density traffic scenarios, we derive expressions for the rate of worm spread as a function of the average degree of the graph and the patching process. Analysis is provided for: 1) preemptive patching, where the number of patched VANET nodes remains constant; 2) interactive patching, where real-time patching is performed during a worm outbreak. We demonstrate that the latter can effectively curb the spread of a VANET worm in both congested and low-density traffic scenarios.

Source: Analyzing the Spread of Active Worms over VANET, Syed A. Khayam and Hayder Radha.
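To see how the pieces in the abstract fit together, here is an added mean-field SIR model with the two patching modes the paper analyses; it is not the Khayam and Radha model (which runs a stochastic SIR process on a geometric random graph), and the graph enters only through its average node degree, which is the quantity their rate expressions depend on. The infection, removal and patching rates and the degrees standing in for congested and low-density traffic are constructed values.

```python
"""Mean-field SIR worm spread on a VANET-like graph with preemptive and
interactive patching.  Added illustration; all parameters are constructed."""

def reproduction_number(beta, avg_degree, gamma, patch_rate=0.0):
    """Expected secondary infections per infected node: beta per link times
    the average degree, over the rate at which an infected node is removed
    (cleaned at rate gamma or patched at patch_rate).  Below 1 the worm dies out."""
    return beta * avg_degree / (gamma + patch_rate)

def simulate(beta, avg_degree, gamma, preemptive=0.0, patch_rate=0.0,
             i0=0.01, dt=0.05, steps=2000):
    """Euler integration of the S/I/R fractions.
    preemptive: fraction of nodes already patched (immune) at t=0; stays constant.
    patch_rate: rate at which unpatched nodes (S or I) are patched during the
    outbreak, i.e. interactive patching.
    Returns the peak infected fraction and the fraction ever infected."""
    s, i, r = 1.0 - i0 - preemptive, i0, preemptive
    peak, attack = i, i
    for _ in range(steps):
        new_inf = beta * avg_degree * s * i * dt        # infections along links
        removed = gamma * i * dt                        # detected and cleaned
        patched_s, patched_i = patch_rate * s * dt, patch_rate * i * dt
        s -= new_inf + patched_s
        i += new_inf - removed - patched_i
        r += removed + patched_s + patched_i
        attack += new_inf
        peak = max(peak, i)
    return {"peak": peak, "attack_rate": attack}

if __name__ == "__main__":
    BETA, GAMMA = 0.1, 0.2                              # constructed rates
    for label, k in (("congested", 8), ("low-density", 2)):
        print(f"{label} traffic, average degree {k}, R0="
              f"{reproduction_number(BETA, k, GAMMA):.2f}")
        print("  no patching        ", simulate(BETA, k, GAMMA))
        print("  preemptive 30%     ", simulate(BETA, k, GAMMA, preemptive=0.3))
        print("  interactive rate .4", simulate(BETA, k, GAMMA, patch_rate=0.4))
```

The output shows the two effects the abstract describes: a higher average degree (congested traffic) drives a larger and faster outbreak, and patching during the outbreak pulls the effective reproduction number toward 1, flattening the peak more than a fixed pool of pre-patched vehicles does.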

March 26, 2005 in papers

Internet Intrusions: Global Characteristics and Prevalence

I have a soft spot in my heart for large scale measurement projects. These guys know what they're doing.

Network intrusions have been a fact of life in the Internet for many years. However, as is the case with many other types of Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four months from over 1600 different networks world wide. The first part of our study is a general analysis focused on the issues of distribution, categorization and prevalence of intrusions. Our data shows both a large quantity and wide variety of intrusion attempts on a daily basis. We also find that worms like CodeRed, Nimda and SQL Snake persist long after their original release. By projecting intrusion activity as seen in our data sets to the entire Internet we determine that there are typically on the order of 25B intrusion attempts per day and that there is an increasing trend over our measurement period. We further find that sources of intrusions are uniformly spread across the Autonomous System space. However, deeper investigation reveals that a very small collection of sources are responsible for a significant fraction of intrusion attempts in any given month and their on/off patterns exhibit cliques of correlated behavior. We show that the distribution of source IP addresses of the non-worm intrusions as a function of the number of attempts follows Zipf's law. We also find that at daily timescales, intrusion targets often depict significant spatial trends that blur patterns observed from individual "IP telescopes"; this underscores the necessity for a more global approach to intrusion detection. Finally, we investigate the benefits of shared information, and the potential for using this as a foundation for an automated, global intrusion detection framework that would identify and isolate intrusions with greater precision and robustness than systems with limited perspective.

Source: Internet Intrusions: Global Characteristics and Prevalence, Vinod Yegneswaran, Paul Barford and Johannes Ullrich.

March 25, 2005 in papers

Broadband Network Virus Detection System Based on Bypass Monitor

While a short paper, it's a neat idea for an implementation.

Network viruses are generally detected in serial devices such as routers and firewalls; limited by the performance of the device, the effect viruses impose on the Internet cannot be detected accurately. To resolve this problem, we have developed a Virus Detection System (VDS) based on a bypass monitor that can work on GE-level networks. With VDS, the virus can be detected in packets or data streams according to four methods: binary, URL, e-mail and script. The statistical information on the virus, including the virus name, source IP, target IP, spread times and the traffic, is provided accurately and presented in charts.

Source: Broadband Network Virus Detection System Based on Bypass Monitor, Wu Bing, Yun Xiaochun, Xiao Xinguang. This paper appeared at the 2004 AAVAR conference.

March 24, 2005 in papers

A First Look at Peer-to-Peer Worms: Threats and Defenses

A conspiracy theorist might look at the author affiliations and think that Microsoft is attempting to discredit the P2P networks that are so popular. However, these networks provide an excellent breeding ground for epidemics such as worms and viruses, along with other forms of malware. Luckily, for most enterprise and SP networks, removing this traffic specifically is somewhat easy once a problem has erupted, unlike it would be for SMTP, HTTP or DNS traffic.

Peer-to-peer (P2P) worms exploit common vulnerabilities in member hosts of a P2P network and spread topologically in the P2P network, a potentially more effective strategy than random scanning for locating victims. This paper describes the danger posed by P2P worms and initiates the study of possible mitigation mechanisms. In particular, the paper explores the feasibility of a self-defense infrastructure inside a P2P network, outlines the challenges, evaluates how well this defense mechanism contains P2P worms, and reveals correlations between containment and the overlay topology of a P2P network. Our experiments suggest a number of design directions to improve the resilience of P2P networks to worm attacks.

Source: A First Look at Peer-to-Peer Worms: Threats and Defenses, Lidong Zhou, Lintao Zhang, Frank McSherry, Nicole Immorlica, Manuel Costa, and Steve Chien.

March 23, 2005 in papers, Peer To Peer