Nasty worm gives state computers indigestion
I almost missed this article from March of this year. It seems the Washington State taxation office suffered a downtime period of about 2 1/2 days due to a worm being loose on their network. What's not clear from this article is whether this worm was specifically targeting the state's computer systems or was a generic worm which simply caused problems.
The FBI and the Washington State Patrol are investigating the source of an Internet worm that crippled the state Department of Revenue's computer network this week and double-billed 1,400 businesses for tax payments.
The worm, a variant of a computer program that infected state government networks a few months ago, most likely entered the system over the weekend, according to Ralph Osgood, the Revenue Department's deputy director.
As employees logged onto their computers Monday morning, Osgood said it multiplied very rapidly and took the system down.
Source: Nasty worm gives state computers indigestion, Kenneth P. Vogel, The News Tribune (Tacoma, Washington), March 24th, 2005. Found via Security Manifest, a weblog from Benjamin Johnstone-Anderson, Microsoft MVP, Windows Security.
April 30, 2005 in media, new worms
In Depth Bagle Analysis
Jason Gordon, who runs the Infection Vectors website (a great complement to Wormblog, by the way), has written an in-depth analysis of the Bagle worm. This is a good continuation of the writeup posted yesterday from Kaspersky Labs.
Beagle.A was discovered in late January 2004 and was an immediate success, spreading across the globe with a very simple infection strategy: just sending the worm as an attachment to a plain email message. Over the course of the spring, Beagle ran up over two dozen variants and thousands of compromised hosts.
Infectionvectors has published two in-depth reviews of Beagle and its development history; for details and commentary on the worm, see the first report, part two, and part three.
Beagle returned from a brief hiatus in early July 2004 with variants that attacked Internet hosts with a renewed ferocity. With even more success than previous versions, Beagle.X, AA, AB, and AO made special imprints on clients around the world, turning them into mail relaying robots.
Source: Beagle Alert, published on infectionvectors.com in March, 2005.
April 29, 2005 in Bagle, mass mailers, new trends, new worms, papers
The Bagle botnet
A virus analyst from Kaspersky Lab has posted a timeline of the Bagle worm, showing how the worm has changed over the past year. Bagle, a mass mailer, has been prolifically spreading through the Internet over the past year. It's an interesting worm to study because you can see the evolution of the writer's techniques, clues to the motivation behind the creation, and hints at what is next to come.
January 18, 2004 Email-Worm.Win32.Bagle.a appears. This new malicious program immediately causes a worldwide epidemic. No one in the antivirus industry was sure what the author's plans for his creation might be.
A detailed analysis of Bagle.a code showed that it would cease propagating on January 29, 2004. Kaspersky Lab analysts decided this meant that new versions were bound to appear. The first modifications of Bagle did indeed appear within a month.
Each new version contained new features which made it harder to detect and/or caused a more serious outbreak - that is, more machines were infected.
Source: The Bagle botnet, by Yury Mashevsky, Virus Analyst, Kaspersky Lab, posted on April 22, 2005.
April 28, 2005 in Bagle, mass mailers, new trends, new worms
Design of a System for Real-Time Worm Detection
Another new worm detection mechanism. I like this approach, too: it focuses on one of the attributes that is a key differentiator of static worms compared to normal traffic, namely the repeated appearance of identical payload content across many observations in a short period of time. Note that you have to do some analysis to differentiate a worm from a flash crowd (the Slashdot effect), for example, where many clients fetch the same content from a single server.
Recent well publicized attacks have made it clear that worms constitute a threat to Internet security. Systems that secure networks against malicious code are expected to be a part of critical Internet infrastructure in the future. Intrusion Detection and Prevention Systems (IDPS) currently have limited use because they can filter only known worms. In this paper, we present the design and implementation of a system that automatically detects new worms in real-time by monitoring traffic on a network. The system uses Field Programmable Gate Arrays (FPGAs) to scan packets for patterns of similar content. Given that a new worm hits the network and the rate of infection is high, the system is automatically able to detect an outbreak. Frequently occurring strings in packet payloads are instantly reported as likely worm signatures.
Source: Design of a System for Real-Time Worm Detection, Bharath Madhusudan, John Lockwood.
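The content-prevalence idea in the abstract, as an added software example that is not the authors' FPGA implementation: every fixed-length substring of each payload is counted across a traffic window, and substrings that recur in many packets are reported as candidate signatures. The dispersion check (distinct sources and destinations) is my addition for the flash-crowd problem mentioned above; a popular page served by one host to many clients recurs just as often but comes from a single source. The packets, addresses and thresholds are all constructed here.

```python
"""Content-prevalence worm detector (constructed example).

Substrings that recur in many packet payloads within a short window are
reported as candidate worm signatures.  The dispersion check keeps a flash
crowd (one server sending the same content to many clients) from being
reported, because its source set has size one.
"""
from collections import defaultdict

WINDOW_BYTES = 16       # length of the payload substrings that are counted
PREVALENCE_MIN = 4      # seen in at least this many packets -> suspicious ...
DISPERSION_MIN = 3      # ... if also seen from/to at least this many hosts


def fingerprints(payload: bytes, window: int = WINDOW_BYTES):
    """Yield every window-length substring of the payload, one per byte offset."""
    for i in range(len(payload) - window + 1):
        yield payload[i:i + window]


def sift(packets, prevalence_min=PREVALENCE_MIN, dispersion_min=DISPERSION_MIN):
    """Return {substring: (packets, distinct_srcs, distinct_dsts)} for every
    substring that is both prevalent and dispersed.  packets is an iterable
    of (src, dst, payload) tuples."""
    count = defaultdict(int)
    srcs = defaultdict(set)
    dsts = defaultdict(set)
    for src, dst, payload in packets:
        for fp in set(fingerprints(payload)):   # count each substring once per packet
            count[fp] += 1
            srcs[fp].add(src)
            dsts[fp].add(dst)
    hits = {}
    for fp, n in count.items():
        if (n >= prevalence_min and len(srcs[fp]) >= dispersion_min
                and len(dsts[fp]) >= dispersion_min):
            hits[fp] = (n, len(srcs[fp]), len(dsts[fp]))
    return hits


# --- constructed traffic (documentation address ranges, not real hosts) ---
WORM_PAYLOAD = b"CONSTRUCTED-WORM-BODY-IDENTICAL-IN-EVERY-COPY"
FLASH_PAYLOAD = b"HTTP/1.0 200 OK\r\nX-Note: same popular page for every client\r\n"

# Four distinct infected hosts each send the identical body to a distinct target.
WORM_PACKETS = [(f"198.51.100.{i}", f"203.0.113.{10 + i}", WORM_PAYLOAD) for i in range(4)]
# One server answers six clients with the same page: prevalent, but one source.
FLASH_PACKETS = [("192.0.2.1", f"198.51.100.{50 + i}", FLASH_PAYLOAD) for i in range(6)]
# Unrelated clients sending bodies that share nothing with each other.
NORMAL_PACKETS = [(f"198.51.100.{i}", "192.0.2.7", b"req-%d:" % i + bytes([65 + i]) * 20)
                  for i in range(5)]


def demo():
    """Run the sifter over the mixed constructed traffic."""
    return sift(WORM_PACKETS + FLASH_PACKETS + NORMAL_PACKETS)


if __name__ == "__main__":
    for fp, (n, s, d) in sorted(demo().items()):
        print(f"{fp!r}: {n} packets, {s} sources, {d} destinations")
```

Only the substrings of the worm body are reported; the flash-crowd page is prevalent but fails the source-dispersion test, and the normal requests share nothing. In deployed sifters of this kind, protocol boilerplate (HTTP request lines, SMTP greetings) recurs across many hosts and has to be whitelisted separately; the abstract does not discuss that step, so this example does not implement it.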
April 27, 2005 in papers
MP3 zapping malware worms onto P2P network
A new vigilante worm has emerged. This one seeks to delete illegally obtained MP3 music files which have violated copyrights:
The Nopir-B worm, which appears to have originated in France, poses on P2P networks as a program to make copies of commercial DVDs. In reality the application offers no such function. Instead it attempts to delete MP3 music files on infected PCs. Nopir-B also attempts to disable various system utilities and wipe .COM programs whilst displaying an anti-piracy graphic. Nopir-B only infects Windows machines.
Source: MP3 zapping malware worms onto P2P network, by John Leyden, published in The Register online on Friday 22nd April 2005.
The worm, dubbed Win32.Nopir.B, has been seeded into P2P networks for download by its potential victims. There's no reason this worm wouldn't attack legitimate MP3 files, too, on infected computers, so you'll want to be careful. Such strategies have been proposed within the blackhat community as a means of controlling illegally copied music and video material, specifically by making the P2P networks more dangerous to use. However, this doesn't appear to be the work of anyone connected to the industry. This new incident reminds me of the Noped worm from 2001, which attempted to take on child pornography.
April 26, 2005 in new worms, Peer To Peer
Virus writers turn from worms
An interesting study from Kaspersky Labs has hit the street with some of the flair and fanfare associated with the interesting things that the group is known for. This time it's an analysis based on recent trends showing malware authors turning away from mail-based worms and towards IM-based worms. Wormblog readers know this shift is already under way, but now it's out in the wide open. This report from VNUNet discusses the findings:
Email worms are falling out of favour with the hacking community, according to a report investigating malicious internet activity.
Instead malware authors are increasingly subverting vulnerable instant messenger (IM) systems and using network viruses that do not require user interaction to spread. Other threats identified include botnets and increasingly intrusive adware.
Source: Virus writers turn from worms: Easier pickings elsewhere, by Iain Thomson, posted on vnunet.com 19 Apr 2005.
The actual writeup from Kaspersky is also available to the general public:
Kaspersky Lab presents its quarterly report on malware evolution by Alexander Gostev, Senior Virus Analyst. The report addresses questions such as why email worms no longer seem to be causing epidemics, the increase in worms targeting instant messenger applications, what effect the release of SP2 for Windows XP has had on security, and why adware and spyware are the latest buzzwords in the field of IT security.
Source: Malware Evolution: January - March 2005, posted on Apr 18 2005 by Alexander Gostev, Senior Virus Analyst, Kaspersky Lab.
We posted about the uptick in IM worm activity in March of this year thanks to some analysis done by Kamal, a regular contributor and friend. See that article for various links to some recent worms and defense mechanisms you can use to analyze the trend for yourself. Note that none of this seems to be set in stone, as a new variant of the Sober worm was spammed out earlier in the week. I also don't buy the impact of Windows SP2. Recent reports show a slow adoption rate in enterprises for SP2, given software incompatibilities. Never mind the home user adoption rate, either. In short, the penetration rate hovers around 25%, while the unpatched userbase is still considerably large (millions of users). It doesn't add up.
Obviously there are trends and movements within any dynamic community, and like we said then, IM worms are surely growing more interesting to attackers and malware authors. However, the email worm is tried, true, and trusted, and still effective under the best of conditions. There's no reason to believe it will be going away any time soon.
April 25, 2005 in media
Distributed Worm Simulation with a Realistic Internet Model
Another PADS paper, this one by researchers at the University of Delaware. I like this paper because they have developed a simulation framework much like the one I was hoping to have, which models topology and bandwidth together to try and understand worm propagation dynamics.
Internet worm spread is a phenomenon involving millions of hosts, which interact in a complex and diverse environment. The scanning speed of each infected host depends on its resources and the defenses at work in its network. Aggressive worms further interact with the underlying Internet topology: the dynamics of the spread are constrained by the limited bandwidth of network links, and high-volume scan traffic leads to BGP router failure, thus affecting global routing. Worm traffic also interacts with legitimate background traffic, competing for (and often winning) the limited bandwidth resources. To faithfully simulate worm spread and other Internet-wide events such as DDoS, flash crowds and spam we need a detailed Internet model, a packet-level simulation of relevant event features, and a realistic model of background traffic on the whole Internet. The memory and CPU requirements of such a simulation exceed a single machine's resources, creating a need for distributed simulation. We propose a design and present an implementation of a distributed worm simulator, called PAWS. PAWS runs on the Emulab testbed, which facilitates its use by other researchers. We validate PAWS in a variety of scenarios, and evaluate the costs and benefits of distributed worm simulation.
Source: Distributed Worm Simulation with a Realistic Internet Model, Sonjie Wei, Jelena Mirkovic, Martin Swany.
April 24, 2005 in modeling, papers, routing
Software Diversity as a Defense against Viral Propagation: Models and Simulations
Several months ago, at the suggestion of David Nicol, we posted the call for papers for the PADS workshop. Nicol wrote me again to say that the papers are up, and several worm papers are included in the lineup, and they look very good. The conference, the 19th ACM/IEEE/SCS Workshop on Principles of Advanced and Distributed Simulation (PADS 2005), will be held on June 1-3, 2005, in Monterey, CA, USA. Nicol also notes, "We've made the registration costs as low as we can - particularly for students - in order to make it attractive for those in the Monterey, Santa Cruz, and Bay Areas. Important dates to remember are
Over the next few days I'll be posting several of the abstracts and links to the papers. The first one is from two researchers examining a very fundamental question in computer and network security: diversity. O'Donnell is a friend of mine, and I've read various drafts of his work in other areas. It's a rigorous treatment of a relatively simple question with a complex answer.
The use of software diversity has often been discussed in the research literature as an effective means to break up the software monoculture present on the Internet and to thus prevent malcode propagation. However, there have been no quantitative studies that examine the effectiveness of software diversity on viral propagation. In this paper, we study both real (an IPv6 BGP topology) and synthetically generated (an Erdos-Renyi random graph) network topologies and employ a popular metric called the epidemic threshold to measure resistance to viral propagation in the presence of software diversity. We show that one can increase the epidemic threshold of a network even with a naive, random distribution of diverse software on the nodes of a network. We also show that an algorithm-driven diversity assignment further increases the epidemic threshold. These results confirm the value of strategic topology-sensitive assignment of diversity to improving the tolerance of a network to malcode propagation.
Source: Software Diversity as a Defense against Viral Propagation: Models and Simulations, Adam O'Donnell, Harish Sethu. Interested readers will want to see this paper for more background information.
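The epidemic-threshold metric named in the abstract, worked through in code as an added example (this is not the authors' simulator, and the graph, assignment heuristics and numerical routine are all constructed here). For a contact graph with adjacency matrix A, the threshold is 1/lambda_max(A); a worm exploiting one software type can only cross an edge whose endpoints run that same type, so a diversity assignment prunes edges and lowers lambda_max. The block compares a monoculture, a random assignment of k types, and a simple topology-sensitive greedy assignment (visit nodes by degree, give each the type least used among its already-assigned neighbours); the greedy rule is my stand-in for the paper's algorithm, not a reproduction of it.

```python
"""Epidemic threshold of a network under software diversity (constructed example).

threshold = 1 / lambda_max(A).  Diversity removes every edge whose endpoints
run different software, so lambda_max can only fall and the threshold rise.
"""
import random


def random_graph(n, p, seed):
    """Erdos-Renyi G(n, p) as an adjacency dict of neighbour sets."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def spectral_radius(adj, iters=500):
    """lambda_max of the adjacency matrix by power iteration on A + I.
    The shift by I keeps the iteration from oscillating on bipartite pieces;
    the norm ratio converges to lambda_max + 1."""
    if not any(adj.values()):
        return 0.0
    n = len(adj)
    x = [1.0] * n
    ratio = 1.0
    for _ in range(iters):
        y = [x[v] + sum(x[u] for u in adj[v]) for v in range(n)]
        ratio = max(y)                 # sup norm of y; x has sup norm 1
        x = [val / ratio for val in y]
    return ratio - 1.0


def epidemic_threshold(adj):
    lam = spectral_radius(adj)
    return float("inf") if lam <= 0 else 1.0 / lam


def diversity_subgraph(adj, software):
    """Keep only same-software edges: the only ones a single-exploit worm crosses."""
    return {v: {u for u in nbrs if software[u] == software[v]} for v, nbrs in adj.items()}


def random_assignment(adj, k, seed):
    rng = random.Random(seed)
    return {v: rng.randrange(k) for v in adj}


def greedy_assignment(adj, k):
    """Constructed topology-sensitive heuristic: highest-degree nodes first,
    each gets the type least used among neighbours assigned so far."""
    software = {}
    for v in sorted(adj, key=lambda v: -len(adj[v])):
        counts = [0] * k
        for u in adj[v]:
            if u in software:
                counts[software[u]] += 1
        software[v] = counts.index(min(counts))
    return software


def edge_count(adj):
    return sum(len(nbrs) for nbrs in adj.values()) // 2


def compare(n=60, p=0.1, k=2, seed=7):
    """Thresholds and surviving edge counts for the three scenarios."""
    g = random_graph(n, p, seed)
    rnd = diversity_subgraph(g, random_assignment(g, k, seed + 1))
    alg = diversity_subgraph(g, greedy_assignment(g, k))
    return {
        "monoculture": epidemic_threshold(g),
        "random_diversity": epidemic_threshold(rnd),
        "algorithmic_diversity": epidemic_threshold(alg),
        "edges": (edge_count(g), edge_count(rnd), edge_count(alg)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Both diversity scenarios must show a threshold at least as high as the monoculture, because each is a subgraph of it. The greedy rule also guarantees that at most 1/k of the edges survive (each node adds no more than its assigned-neighbour count divided by k), whereas a random assignment keeps about 1/k of them on average; in practice the greedy assignment ends up with a much sparser residual graph and therefore a higher threshold, which is the qualitative result the abstract reports.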
April 23, 2005 in modeling, papers, routing
The Threat of Internet Worms
I found an interesting slide deck online recently. It appears to be from one of David Wagner's courses at UC Berkeley, CS 261, Fall 2004, Computer Security. The presentation is several slides of research that many of us have seen already. You can view the slide deck, The Threat of Internet Worms [PPT], which is a presentation given by Vernon Paxson, an ICIR and UC Berkeley researcher who is well known for his work in the worm field. In it, Paxson outlines many of the worms we've seen analyzed previously: Code Red, Nimda, Witty, and Sapphire/SQLSlammer. He then points to some of his newer analysis with Nick Weaver and Stuart Staniford on "worst case worms" and hardware damage. From there he points to some of the new directions the field is being taken in and some of the challenges that lie ahead. All in all a useful slide deck to familiarize yourself with.
April 22, 2005 in slides
Worm Hotspots: Explaining Non-Uniformity in Worm Targeting Behavior
I like this paper a lot, not simply because I know the authors, but because it's an interesting finding that goes a long way towards showing us some of the inherent limitations in our measurement methodologies. It also challenges some of the assumptions we've worked with for a few years and shows the aggregate power of lots of packets flying around.
Long after the Blaster, Slammer/Sapphire, and CodeRedII worms caused significant worldwide disruptions, a huge number of hosts infected by these worms continue to probe the Internet today. This paper investigates hotspots (non-uniformities) in the targeting behavior of these important Internet worms. Recent data collected over the period of a month and a half using a distributed blackhole data collection infrastructure covering 18 networks including ISPs, enterprises, and academic networks show 75K Blaster-infected hosts, 180K Slammer-infected hosts, and 55K CodeRedII-infected hosts. We discover through detailed analysis how critical flaws and side effects in the targeting behavior lead to a significant bias for certain destination address blocks. In particular, we demonstrate three previously unexplored biases: a severely restricted initial random seed forcing infection attempts to certain blocks; flaws in the parameters of a random number generator making certain hosts cycle through limited target addresses; and the widespread use of private address space dramatically changing the targeting distribution of certain worms. A direct consequence of these biases is that certain blocks are subjected to far more infection attempts than others. We discuss the implications of these hotspots on worm simulation and modeling, placement of blackhole sensors, worm detection and quarantine.
Source: Worm Hotspots: Explaining Non-Uniformity in Worm Targeting Behavior, Evan Cooke, Z. Morley Mao, Farnam Jahanian.
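The measurement side of the paper, as an added example that is not the authors' analysis code: given the destination addresses a blackhole sensor recorded, bucket them by /8, compare the per-block counts with what a uniform random scanner would produce (a chi-square statistic with 255 degrees of freedom, so values near 255 are consistent with uniform targeting), list the hottest blocks, and report the share of probes aimed at RFC 1918 private space. The two probe logs are constructed: one from a uniform scanner, one with a bias toward 10.0.0.0/8 standing in for the private-address effect the abstract describes.

```python
"""Hotspot measurement for observed worm probe destinations (constructed example).

A uniform random scanner spreads probes evenly over the 256 /8 blocks.  The
chi-square statistic against that expectation, the hottest blocks, and the
fraction of probes into private space expose targeting bias in sensor data.
"""
import ipaddress
import random
from collections import Counter

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


def slash8(addr: str) -> int:
    return int(addr.split(".")[0])


def hotspot_report(dests, top=3):
    """Per-/8 non-uniformity statistics for a list of dotted-quad destinations."""
    n = len(dests)
    counts = Counter(slash8(d) for d in dests)
    expected = n / 256                      # uniform scanner: equal load per /8
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    private_share = sum(1 for d in dests if is_private(d)) / n
    # (block, probes, probes relative to the uniform expectation)
    hottest = [(b, c, c / expected) for b, c in counts.most_common(top)]
    return {"chi2": chi2, "private_share": private_share, "hottest": hottest}


# --- constructed probe logs -------------------------------------------------
def uniform_probes(n, seed):
    """Destinations drawn uniformly from the whole 32-bit space."""
    rng = random.Random(seed)
    return [str(ipaddress.ip_address(rng.getrandbits(32))) for _ in range(n)]


def biased_probes(n, seed, private_fraction=0.6):
    """A constructed biased sample: a fixed fraction of probes land in 10.0.0.0/8,
    the rest are uniform.  This stands in for the private-address-space bias
    the paper reports; it is not a model of any specific worm."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        if rng.random() < private_fraction:
            out.append("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256)))
        else:
            out.append(str(ipaddress.ip_address(rng.getrandbits(32))))
    return out


def demo(n=20000, seed=2005):
    return {"uniform": hotspot_report(uniform_probes(n, seed)),
            "biased": hotspot_report(biased_probes(n, seed))}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name}: chi2={rep['chi2']:.1f} private_share={rep['private_share']:.3f}")
        for block, probes, ratio in rep["hottest"]:
            print(f"  {block}.0.0.0/8: {probes} probes ({ratio:.1f}x uniform expectation)")
```

The uniform log yields a chi-square near its 255 degrees of freedom and a private share of well under one percent, while the biased log has a statistic orders of magnitude larger with 10.0.0.0/8 as its hottest block. The same report run over real sensor data is what tells you whether a single blackhole network is seeing a representative slice of a worm's scanning, or sits in (or outside) a hotspot, which is the sensor-placement point the abstract raises.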
April 21, 2005 in papers