
Creator Of Sasser Worm Faces Trial

The author of the Sasser worm, the Blaster-clone that appeared just over a year ago (May, 2004), is facing trial. Even though he was caught only a short while after the worm was released (see this timeline for a summary of the worm), due in part to the Microsoft bounty, he's only now facing trial.

BERLIN (AP)--A German teenager who authorities say confessed to creating the Sasser computer worm last year will face trial in July on charges of computer sabotage, a state court said Friday.

Sven Jaschan, 19, was arrested at his home in northern Germany in May of last year after Microsoft Corp. received a tip from an informant seeking a reward. Jaschan's worm had raced around the world, exploiting a flaw in the company's Windows operating system.

Computer sabotage carries a maximum sentence of five years in prison.

Source: Creator Of Sasser Worm Faces Trial, by The Associated Press, posted on May 27, 2005.

May 31, 2005 in media, sasser | Permalink | Comments (0)

Who Might be Lurking at Your Cyber Front Door?

In mid-2004, the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census (under the House Committee on Government Reform) looked at the Internet threats posed by malware and attackers. A number of bright people were brought before the committee to testify and give expert opinions on the matter. This body of work is available on the Internet for anyone to view and learn from.

Computer worms have been around for some time now. However, they are becoming more and more popular and seemingly easier to produce than ever before. One of the first known records of a computer worm stems all the way back to 1988 when Robert T. Morris Jr. released the first computer worm, seemingly by accident. One interesting aspect of the first computer worm was not specifically about the worm itself but more so about the author. The father of Robert T. Morris Jr., at the time the worm was released, was none other than Robert Morris who was then the Chief Scientist of the National Security Agency (NSA). Some would later speculate whether or not Robert T. Morris Jr. came up with the concept of the computer worm on his own. While there is interesting mystique surrounding the first computer worm, we must remember one thing. The first computer worm was written over 16 years ago. We have had 16 years to think about, analyze and create solutions to guard against computer worms. So why after all of this time, are businesses constantly impacted by computer worms? More so, why are businesses still impacted by vulnerabilities?

Source: Testimony given by Marc Maiffret (eEye), Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Wednesday, June 02, 2004.

UPDATE: Corrected the quote attribution.

May 30, 2005 in government | Permalink | Comments (6)

Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

An increasing number of people are seeing the intersection of malware and automated delivery mechanisms rise in frequency and impact. I've long since looked at worms as an excellent malware distribution platform. The result is often called a 'botnet'. In this paper, three German researchers describe how they can detect the presence of a botnet and infer its structure using very direct techniques.

Denial-of-Service (DoS) attacks pose a significant threat to the Internet today especially if they are distributed, i.e., launched simultaneously at a large number of systems. Reactive techniques that try to detect such an attack and throttle down malicious traffic prevail today but usually require an additional infrastructure to be really effective. In this paper we show that preventive mechanisms can be as effective with much less effort: We present an approach to (distributed) DoS attack prevention that is based on the observation that coordinated automated activity by many hosts needs a mechanism to remotely control them. To prevent such attacks, it is therefore possible to identify, infiltrate and analyze this remote control mechanism and to stop it in an automated fashion. We show that this method can be realized in the Internet by describing how we infiltrated and tracked IRC-based botnets which are the main DoS technology used by attackers today.

Source: Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, Felix C. Freiling and Thorsten Holz and Georg Wicherski.

May 28, 2005 in defense, honeypots, papers | Permalink | Comments (1)

Anti-Malware Tools: Intrusion Detection Systems

Martin Overton, from IBM in the UK, is back with another interesting malware paper. He's got an outline of how to use Snort to detect malware in transit on the wire.

When most people think of tools to combat malware, very few will give a passing thought to Intrusion Detection Systems. Why?

Common reasons include:

  • They don’t realise that IDS systems can be used against malware (viruses, Trojans, worms, etc.)
  • They are too difficult to setup, maintain and use.
  • That they are too prone to false alarms.

This paper will investigate the use of IDS systems, specifically to counter/block/detect malware. What’s more, this paper will focus on SNORT (which is a free IDS system available for both UNIX and Windows).

This paper will include instructions and guidance on the setup of such a system, numerous examples of suitable rules to detect and block malware and useful tools that can make the sifting of logs easier and more palatable as well as configuration and other tools and utilities that may be useful in managing and maintaining SNORT.

The use of an IDS system can be extremely useful in cases of fast burning or very complex malware outbreaks as a stop-gap until the anti-virus vendors manage to get reliable updates out to their customers.

An IDS is also useful in identifying infected systems in your organization that need remedial action before the ‘trickle’ of infections become a ‘torrent’ and you are left fighting to keep your head above the rising waters.

This paper is based on the recent two-part article written for Virus Bulletin [October and November 2004] and parts of that article have been used with their permission.

Source: Anti-Malware Tools: Intrusion Detection Systems, Martin Overton, IBM, UK. Presented at the 2005 EICAR conference.
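To make the "suitable rules" and "false alarms" points concrete, here is a small Snort-style content-rule matcher. It is an added example, constructed for this post; it is not Snort's code and contains no rule from Overton's paper. It supports only a subset of the Snort rule language (action, protocol, destination port, `msg`, `content` with `|hex|` escapes, `nocase`, `depth`), and the two SMTP payloads are constructed, one of them shaped like an ILOVEYOU-style mass-mailer message. The first rule matches on a single short string and fires on ordinary mail; the second requires two specific strings and only fires on the worm-like message.

```python
"""A tiny Snort-style content-rule matcher (constructed illustration, not Snort)."""
import re

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def decode_content(text):
    """'MZ|90 00|' -> b'MZ\\x90\\x00': text outside pipes is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(line):
    """Parse one rule line into a dict; raises on syntax this subset does not cover."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('unsupported rule syntax: ' + line)
    action, proto, _src, _sport, _dst, dport, body = m.groups()
    rule = {'action': action, 'proto': proto, 'dport': dport,
            'msg': '', 'contents': []}
    # options are "key:value;" pairs; nocase/depth modify the preceding content
    for opt in (o.strip() for o in body.split(';')):
        if not opt:
            continue
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == 'msg':
            rule['msg'] = val.strip('"')
        elif key == 'content':
            rule['contents'].append({'pattern': decode_content(val.strip('"')),
                                     'nocase': False, 'depth': None})
        elif key == 'nocase':
            rule['contents'][-1]['nocase'] = True
        elif key == 'depth':
            rule['contents'][-1]['depth'] = int(val)
        else:
            raise ValueError('unsupported option: ' + key)
    return rule


def rule_matches(rule, proto, dport, payload):
    """True when the header fits and every content pattern is found in the payload."""
    if rule['proto'] != proto or rule['dport'] not in ('any', str(dport)):
        return False
    for c in rule['contents']:
        hay = payload if c['depth'] is None else payload[:c['depth']]
        pat = c['pattern']
        if c['nocase']:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True


RULES = [
    # Too generic: fires on ordinary mail, the "prone to false alarms" complaint.
    'alert tcp any any -> any 25 (msg:"loose subject match"; content:"love"; nocase;)',
    # Two specific strings that must both appear: narrow enough to act on.
    'alert tcp any any -> any 25 (msg:"ILOVEYOU-style mail"; '
    'content:"Subject: ILOVEYOU"; nocase; content:"LOVE-LETTER-FOR-YOU.TXT.vbs"; nocase;)',
]

# Constructed SMTP payloads: name -> (destination port, bytes).
PACKETS = {
    'benign': (25, b'Subject: I love this product\r\n\r\nThanks for the quick shipping!\r\n'),
    'worm': (25, b'Subject: ILOVEYOU\r\n\r\nkindly check the attached '
                 b'LOVE-LETTER-FOR-YOU.TXT.vbs coming from me.\r\n'),
}


def scan(rule_lines, packets):
    """Return (msg, packet name) for every rule/packet pair that matches."""
    rules = [parse_rule(r) for r in rule_lines]
    return [(rule['msg'], name)
            for name, (dport, payload) in packets.items()
            for rule in rules if rule_matches(rule, 'tcp', dport, payload)]


if __name__ == '__main__':
    for alert in scan(RULES, PACKETS):
        print(alert)
```

Real Snort adds much more (stream reassembly, offsets, PCRE, thresholds), but the lesson survives the simplification: a rule is only as good as the specificity of its content matches, and `depth`/multiple `content` clauses are the cheapest way to keep an emergency outbreak rule from paging you about every customer e-mail.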

May 27, 2005 in detection, ids, papers, tools | Permalink | Comments (2)

Outwitting the Witty Worm

An interesting analysis of the Witty worm (March, 2004) data from the CAIDA team and another author. It shows the power of analyzing a raw data set with information about the worm itself. Have a look at a recent paper that was here on Wormblog, too, Worm Hotspots: Explaining Non-Uniformity in Worm Targeting Behavior. What at first appears random isn't, and just when you think you've done a thorough analysis you realize there's more to do, and more that can be done.

Network ``telescopes'' that record packets sent to unused blocks of Internet address space have emerged as an important tool for observing Internet-scale events such as the spread of worms and the backscatter from flooding attacks that use spoofed source addresses. Current telescope analyses produce detailed tabulations of packet rates, victim population, and evolution over time. While such cataloging is a crucial first step in studying the telescope observations, incorporating an understanding of the underlying processes generating the observations allows us to construct detailed inferences about the broader "universe" in which the Internet-scale activity occurs, greatly enriching and deepening the analysis in the process.

In this work we apply such an analysis to the propagation of the Witty worm, a malicious and well-engineered worm that when released in March 2004 infected more than 12,000 hosts worldwide in 75 minutes. We show that by carefully exploiting the structure of the worm, especially its pseudo-random number generation, from limited and imperfect telescope data we can with high fidelity: extract the individual rate at which each infectee injected packets into the network prior to loss; correct distortions in the telescope data due to the worm's volume overwhelming the monitor; reveal the worm's inability to fully reach all of its potential victims; determine the number of disks attached to each infected machine; compute when each infectee was last booted, to sub-second accuracy; explore the "who infected whom" infection tree; uncover that the worm specifically targeted hosts at a US military base; and pinpoint Patient Zero, the initial point of infection, i.e., the IP address of the system the attacker used to unleash Witty.

Source: Outwitting the Witty Worm: Exploiting Underlying Structure for Detailed Reconstruction of an Internet Scale Event, by Abhishek Kumar, Vern Paxson, Nicholas Weaver.
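The first inference in that list, recovering each infectee's send rate from a telescope that sees only a tiny sample of its packets, comes down to one observation: if the worm draws destination addresses from a deterministic generator, the number of generator steps between two addresses the telescope did see is exactly the number of packets the host sent in between. The toy below is an added example, constructed for this post; it is neither Witty's code nor the paper's analysis code. Its assumptions are spelled out in the docstring: a 32-bit linear congruential generator whose whole output becomes the destination address (the constants are the familiar C-runtime ones, chosen arbitrarily; recovering the generator state from partial address bits, the hard part of the real analysis, is sidestepped), a constant send rate with exact timestamps, and a telescope that owns a single /8 and may drop some of its hits.

```python
"""Inferring a worm's per-host send rate from sparse telescope data.

Constructed toy model; not Witty's code and not the authors' analysis code.
Assumptions: each destination address is the full 32-bit output of an LCG
(constants below chosen arbitrarily), the host sends at a constant rate with
exact timestamps, and the telescope owns exactly one /8.
"""

A, C, M = 214013, 2531011, 1 << 32
TELESCOPE_PREFIX = 10  # constructed: the telescope announces 10.0.0.0/8


def lcg_next(state):
    """One step of the worm's (assumed) address generator."""
    return (A * state + C) % M


def simulate_worm(seed, n_packets, pps):
    """Yield (timestamp, dest_ip) for one infectee sending pps packets/second."""
    state = seed
    for i in range(n_packets):
        state = lcg_next(state)
        yield i / pps, state


def telescope_capture(packets, prefix=TELESCOPE_PREFIX, drop_every=None):
    """Keep the packets aimed at the monitored /8.  drop_every=k additionally
    discards every k-th hit, mimicking a monitor overwhelmed by worm volume."""
    hits = [(t, ip) for t, ip in packets if ip >> 24 == prefix]
    if drop_every:
        hits = [h for i, h in enumerate(hits) if (i + 1) % drop_every]
    return hits


def steps_between(s1, s2, limit=1_000_000):
    """Generator steps needed to get from state s1 to state s2 (None if > limit)."""
    s = s1
    for k in range(1, limit + 1):
        s = lcg_next(s)
        if s == s2:
            return k
    return None


def infer_rate(hits):
    """Estimate the infectee's send rate from telescope hits alone.

    The step count between two observed addresses is the number of packets
    the host sent in between, even though the telescope saw only a 1/256
    sample of them and may have dropped some of those hits as well."""
    sent = 0
    for (_, ip1), (_, ip2) in zip(hits, hits[1:]):
        k = steps_between(ip1, ip2)
        if k is None:
            raise ValueError("consecutive hits are not linked by the generator")
        sent += k
    elapsed = hits[-1][0] - hits[0][0]
    return {"observed": len(hits), "sent_in_window": sent + 1,
            "rate": sent / elapsed}


if __name__ == "__main__":
    pkts = list(simulate_worm(seed=12345, n_packets=100_000, pps=2000))
    print(infer_rate(telescope_capture(pkts)))
    print(infer_rate(telescope_capture(pkts, drop_every=5)))
```

The point of the `drop_every` run is the paper's second claim: once the generator links consecutive hits, monitor loss changes how many hits you have but not the inferred send count or rate, because the missing packets are still accounted for by the step count.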

May 26, 2005 in papers, witty | Permalink | Comments (1)

Superworms and Cryptovirology: a Deadly Combination

This paper seems more like an excuse to mix a few topics together to try and create a nightmare scenario than actual research.

Understanding the possible extent of the future attacks is the key to successfully protecting against them. Designers of protection mechanisms need to keep in mind the potential ferocity and sophistication of viruses that are just around the corner. That is why we think that the potential destructive capabilities of fast spreading worms like the Warhol worm, Flash worm and Curious Yellow need to be explored to the maximum extent possible. While re-visiting some techniques of viruses from the past, we can come across some that utilize cryptographic tools in their malicious activity. That alarming property, combined with the speed of the so-called “superworms”, is explored in the present work. Suggestions for countermeasures and future work are given.

Source: Superworms and Cryptovirology: a Deadly Combination, Ivan Balepin.

Then again, this may not be as unfathomable as I originally thought. According to this AP report, ransomware has been found in the wild:

Security researchers at San Diego-based Websense Inc. uncovered the unusual extortion plot when a corporate customer they would not identify fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets.

A ransom note left behind included an e-mail address, and the attacker using the address later demanded $200 for the digital keys to unlock the files.

Source: Internet infection holds computer files 'hostage', by Ted Bridis (Associated Press), Tuesday, May 24, 2005.

UPDATE: The original link to the paper was broken in the time between the composition of this post and its appearance. The link has been updated.

May 25, 2005 in papers | Permalink | Comments (6)

Traffic Characterization of the Web Server Attacks of Worm Viruses

I like this paper because it looks at the worm problem from another approach, namely making software more fault tolerant in the face of a massive attack. Recall the number of non-infected web servers that fell off the network during Code Red and Nimda. This paper seems like a natural follow-on to that observation. I'd be curious to see someone code a plugin for a web server that attempted to implement some of the findings from this paper.

With the explosive popularity of the Internet, the number of accessible web servers has proliferated as well. Subsequently, malicious attacks on these servers via viruses have become more prevalent. Due to the self-propagation and self-duplication nature of these viruses, such attacks can congest the network quickly, aggravating the already limited bandwidth available and curtailing service provided by the server, eventually leading to denial of all services. The IIS, in particular, has been gravely affected by such Denial of Service (DoS) attacks. Hence, various methods to prevent such attacks from affecting the network and server have been researched and proposed. In this paper, we analyze the characteristics of worm virus attack traffic, by extracting and analyzing virus attack logs. With the use of various statistical methods, we show that worm attack patterns show self-similarity with Hurst parameter H. Our purpose is to use this characteristic in annulling the negative effects of worm attacks.

Source: Traffic Characterization of the Web Server Attacks of Worm Viruses, Kihun Chong, Ha Yoon Song, Sam H. Noh.
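The abstract leans on the Hurst parameter H without saying how one gets it from a log, so here is the textbook aggregated-variance estimator as an added example. It is constructed for this post and is not the authors' procedure or data: the two request-count series are synthetic, one independent (H should come out near 0.5) and one strongly autocorrelated (H well above 0.5). For a self-similar series X, the series X^(m) of averages over non-overlapping blocks of length m satisfies Var(X^(m)) ~ m^(2H-2), so a least-squares slope of log Var against log m yields 2H-2. If you wanted to try this on a web server's per-second hit counts, the only change is replacing the synthetic series with those counts.

```python
"""Aggregated-variance estimate of the Hurst parameter H (constructed example)."""
import math
import random

LEVELS = (1, 2, 4, 8, 16, 32, 64)  # block sizes m used for the log-log fit


def block_means(x, m):
    """Average x over consecutive non-overlapping blocks of length m."""
    n = len(x) - len(x) % m
    return [sum(x[i:i + m]) / m for i in range(0, n, m)]


def variance(v):
    """Unbiased sample variance."""
    mu = sum(v) / len(v)
    return sum((a - mu) ** 2 for a in v) / (len(v) - 1)


def hurst_aggregated_variance(x, levels=LEVELS):
    """Least-squares slope of log Var(X^(m)) versus log m, mapped to H = 1 + slope/2."""
    xs = [math.log(m) for m in levels]
    ys = [math.log(variance(block_means(x, m))) for m in levels]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((a - mx) * (b - my) for a, b in zip(xs, ys))
             / sum((a - mx) ** 2 for a in xs))
    return 1 + slope / 2


def iid_series(n, seed):
    """Constructed: independent Gaussian counts; variance of block means falls as 1/m."""
    rng = random.Random(seed)
    return [rng.gauss(0, 1) for _ in range(n)]


def ar1_series(n, phi, seed):
    """Constructed: AR(1) counts x_t = phi*x_{t-1} + noise.  Over these block sizes
    the block-mean variance decays much more slowly than 1/m, so H comes out high."""
    rng = random.Random(seed)
    x = [0.0]
    for _ in range(n - 1):
        x.append(phi * x[-1] + rng.gauss(0, 1))
    return x


if __name__ == "__main__":
    print("iid  H =", round(hurst_aggregated_variance(iid_series(8192, 1)), 3))
    print("AR(1) H =", round(hurst_aggregated_variance(ar1_series(8192, 0.9, 2)), 3))
```

One caveat that matters when you apply this to attack logs: an estimated H above 0.5 on a short window does not by itself prove long-range dependence, since short-memory processes like the AR(1) series here also push the estimate up over a limited range of block sizes. Checking that the log-log plot stays straight as m grows is part of the method.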

May 24, 2005 in papers | Permalink | Comments (0)

New computer viruses seeking financial data

From Joongang Ilbo, a publication from South Korea, a discussion of a new trend: the marriage of data mining software with the worm distribution mechanism. The rise of the "bot" in recent years has been propelled by the worm in many ways. Worms themselves are interesting to study, but ultimately what people are after is a means to spread malware far and wide. Worms offer a cost-effective means to do that. Second, harvesting data from end-users' systems, as opposed to centralized and heavily protected servers, is much more attractive. As such, this is a marriage made in malware heaven:

Recent computer viruses and worms in Korea are hacking into personal computers to access financial information, such as credit card numbers, bank account numbers and related passwords. Although personal computers have always been subject to various infections, current viruses are different in that they are not just pranks, but have specific hacking functions.

A few years ago, most viruses disabled basic functions of computers, bogging down the computer's processing speed or messing up the system and deleting or duplicating files at random. Recent variants, however, are programmed to silently search for personal financial information and are therefore harder to detect.

"Many people don't even know that their computer is contaminated until they run a vaccine program. Spyware, viruses, or worms work secretly," said Kang Eun-sung, a director at AhnLab.

Source: New computer viruses seeking financial data, Joongang Ilbo, by Chang Chung-hoon, Wohn Dong-hee, published in South Korea, Apr 7, 2005.

May 23, 2005 in media, new trends | Permalink | Comments (0)

Call for participation - Adaptive and Resilient Computer Security

From Matthew Williamson (formerly of HP Labs, now at Sana Security, researcher behind the virus throttle idea) comes this call for participation:

ARCS 2005 is the fourth meeting of a workshop designed to bring together senior industrial researchers, policy makers and leading academics in the area of adaptive approaches to computer security. The format of the meeting is two days of presentations and discussions. It is sponsored by the Santa Fe Institute, and British Telecom.

We are seeking high quality presentations that can educate and stimulate discussion. In order to attend, please submit a 2-4 page paper to the Program Chair. The deadline for submissions is July 31st 2005. The topic areas of relevance are broadly in adaptive and biologically inspired approaches to all aspects of computer security:

  • Buffer overflow mitigation
  • Worm and virus containment
  • Anti-virus & Anti-spyware
  • Denial of service protection
  • Effects of diversity
  • Immunological approaches
  • Topological effects in computer networks
  • Machine learning and defence strategies
  • Design of self-healing networks
  • Alternative models – economic, predator/prey

This year’s workshop will again be held at the Santa Fe Institute, in a superb setting with opportunities to interact with the resident world-class researchers. In addition the event precedes the annual SFI Business Network meeting on 4-5th Nov., to be held in Santa Fe, and attendees will have an opportunity to also register for this event.

Source: Adaptive and Resilient Computing Security Workshop (ARCS2005), 2nd & 3rd Nov. 2005, Santa Fe Institute, New Mexico, USA.

May 21, 2005 in events, papers | Permalink | Comments (2)

More Worm and Virus Source Code

From Wormblog reader Adli Abdul W., more virus and worm source code. The Neworder site contains links to the virus source code for Melissa, ILOVEYOU, and other mass mailers and traditional viruses. Note that these are for educational purposes only, are detected by any decent AV engine, and should be used only on a testbed network you have the authority to use.

So, what can you do with these sorts of things? You can set up a research lab that tests, for example, your detection algorithms and implementations. If you're developing a plugin to a mail client or even a mail server, this can be an invaluable aid in your testbed. If you're testing a new AV signature engine, this is also useful. While the worms themselves aren't all that complex, the techniques they used are still around.

May 20, 2005 in malware, mass mailers, tools | Permalink | Comments (38)