
Virus authors choosing to infect fewer people

Another new trend being reported by the media at large: the boutique worm, or targeted attack scenario. In this emerging trend, we're not seeing a huge worm outbreak because worm authors want to build a controlled network of machines (again, the worm-to-bot evolution, coupled with crimeware they have loaded on those machines for nefarious purposes). This could be an artifact of this new thinking, or of fewer vulnerabilities to utilize in a worm and more competition for fewer resources.
Speaking at the AusCERT conference in Australia's Gold Coast on Tuesday, Eugene Kaspersky, founder of Kaspersky Labs, said that the influence of organised crime on the malware industry has led to a change of tactics. Instead of trying to create viruses and worms that infect as many computers as possible, malware authors are instead trying to infect 5,000 or 10,000 computers at a time to create personalised zombie armies.
Source: Virus authors choosing to infect fewer people, by Munir Kotadia, ZDNet Australia, posted on 25 May 2005.

June 30, 2005 in media, new trends

Worm Claims Worm Writer Nabbed

Insults have become the norm in the past year and a half, with the Netsky, Bagle and MyDoom worm authors duking it out via their warez. The latest salvo in this is directed at the MyDoom author, with a new worm claiming that the MyDoom author has been arrested:
According to U.K. message filtering firm Sophos, the Kedebe.f worm, which is bundled with mail as an attachment, uses a slew of social engineering-style subject headings and message text to fool users into opening the file, including one that poses as mail about the "arrest" of the MyDoom author.

"Author of MyDoom has been ARRESTED!" blares the subject head, said Sophos in its online alert, with the rest of the message reading "Hey, this is to tell you that the author of the Internet Worm 'MyDoom' has been arrested by Microsoft today. He is an OLD MAN, about 50s."

Source: Worm Claims Worm Writer Nabbed, June 28, 2005, posted on TechWeb and Security Pipeline.

June 29, 2005 in mass mailers, media, new worms

Trial for German Sasser writer begins next Tuesday

Add another point to the Sasser timeline. The alleged Sasser author, Jaschan, will enter a German court as his trial proceedings begin on July 5. Recall that Jaschan was turned in by someone seeking the reward from Microsoft.
On July 5, the 19-year-old student will have his first day in court in the city of Verden, Germany, where he will face trial on charges of computer sabotage, data manipulation and disruption of public systems.

Jaschan was indicted in September for allegedly creating the Sasser worm, which crashed hundreds of thousands of computers worldwide after spreading at lightning speed over the Internet.

Source: Trial for German Sasser writer begins next Tuesday, by John Blau, IDG News Service, June 28, 2005.

June 29, 2005 in government, media, sasser

Super-virus could harness network's power

A South African paper is carrying a story about 'super viruses' which could cause worldwide havoc. Indeed, such beasts could cause havoc ... oh wait, they already do! Bear in mind it's a press release from a technology company that is having its ideas published in a general newspaper.
An Internet technology security consultancy specialising in virus solutions warned that virus writers were close to releasing "super-viruses" able to harness the collective might of a super-grid of networked computers - causing more devastation than has ever been caused by a computer virus.

Shaya Technologies' principal consultant Ian Melamed said once hackers had the combined processing power of the grid of infected machines they could execute a range of destructive activities.

Source: Super-virus could harness network's power, posted June 16, 2005 on IOL South Africa, by Dominique Herman.

June 28, 2005 in media

Researchers Stymied By Microsoft Vulnerability

In the June 2005 patch set, Microsoft released MS05-027: Vulnerability in Server Message Block Could Allow Remote Code Execution. This vulnerability affects most of the Windows installations found on the net, including XP SP2. On the surface, it looks highly useful to a worm author: at least two service vectors (139/TCP and 445/TCP), anonymous (unauthenticated) access, an overflow with arbitrary code execution, and a widely available target population. However, it may not be that easy:

Mike Murray, the director of research at vulnerability management vendor nCircle, has had his entire team picking through the patch provided by Microsoft to fix a flaw in Windows' SMB (Server Message Block) protocol, and hasn't yet been able to find a way to exploit the vulnerability without going through authentication.

Source: Researchers Stymied By Microsoft Vulnerability, June 15, 2005, by Gregg Keizer, posted on TechWeb News.

Other people are noticing this, too. In a report in InfoWorld, Robert McMillan writes about the ten June vulnerabilities from Microsoft and what researchers see in them in terms of mass exploit activity:

Port 445 has already been used by so many other attacks, including the Sasser and Nimda worms, that even if a new worm were to be created, it would probably not change things, according to Russ Cooper, senior scientist at Cybertrust and editor of the NTBugtraq discussion list. "The people that have 445 exposed and therefore would be vulnerable to attack by last week's exploit, will likely already have been compromised by anything that's been going around for the last three years," he said on Thursday.
Source: Experts split on port 445 security risk, by Robert McMillan, IDG News Service, published on June 23, 2005.

So, does this mean that worm authors won't be using this hole (MS05-027)? Not at all, so keep an eye out. We've seen worm authors use vulnerabilities in combinations, or in creative ways that few people anticipated. As the first wildly wormable vulnerability since MS04-011 (the LSASS.EXE vulnerability used by Sasser and other worms), this is one to watch.
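Cooper's point is that exposure of 445/TCP to the Internet, not the specific bulletin, is what decides who gets hit. As an added example, not from this post or from the articles it quotes, the Python below is the kind of check a defender can run over firewall logs to answer two questions: are 139/445 reachable from outside at all, and is any single source sweeping many hosts on 445/TCP, the pattern a scanning worm leaves behind. The log line format, the addresses (TEST-NET and RFC 1918 ranges) and the sweep threshold are all constructed for illustration.

```python
"""Flag Internet-exposed SMB and 445/TCP sweep behaviour in firewall logs.

Added example; not code from the original post or the articles it quotes.
The log line format and every address below are constructed (TEST-NET and
RFC 1918 ranges) for illustration only.
"""
from collections import defaultdict
import ipaddress

SMB_PORTS = {139, 445}

# RFC 1918 space is treated as "inside"; anything else counts as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines: "<timestamp> <action> <src>:<sport> -> <dst>:<dport>/<proto>"
SAMPLE_LOG = """\
2005-06-23T10:00:01 ALLOW 198.51.100.7:3421 -> 192.0.2.10:445/tcp
2005-06-23T10:00:02 ALLOW 198.51.100.7:3422 -> 192.0.2.11:445/tcp
2005-06-23T10:00:02 ALLOW 198.51.100.7:3423 -> 192.0.2.12:445/tcp
2005-06-23T10:00:03 ALLOW 198.51.100.7:3424 -> 192.0.2.13:445/tcp
2005-06-23T10:00:05 ALLOW 192.168.1.20:1034 -> 192.168.1.5:445/tcp
2005-06-23T10:00:07 ALLOW 203.0.113.9:40112 -> 192.0.2.10:139/tcp
2005-06-23T10:00:09 ALLOW 203.0.113.9:40113 -> 192.0.2.10:80/tcp
2005-06-23T10:00:11 DENY 198.51.100.8:5555 -> 192.0.2.20:445/tcp
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, action, rest = line.split(" ", 2)
    src, dst = rest.split(" -> ")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port_proto = dst.rsplit(":", 1)
    dst_port, proto = dst_port_proto.split("/")
    return {"ts": ts, "action": action, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_smb_sessions(text):
    """Allowed SMB connections whose source lies outside RFC 1918 space."""
    return [r for r in parse_log(text)
            if r["action"] == "ALLOW" and r["proto"] == "tcp"
            and r["dst_port"] in SMB_PORTS and not is_internal(r["src_ip"])]


def smb_sweepers(text, min_targets=3):
    """Sources that touched >= min_targets distinct hosts on 445/tcp, allowed or denied."""
    targets = defaultdict(set)
    for r in parse_log(text):
        if r["proto"] == "tcp" and r["dst_port"] == 445:
            targets[r["src_ip"]].add(r["dst_ip"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    for r in exposed_smb_sessions(SAMPLE_LOG):
        print(f"exposed: {r['src_ip']} -> {r['dst_ip']}:{r['dst_port']}")
    for src, n in smb_sweepers(SAMPLE_LOG).items():
        print(f"sweep:   {src} hit {n} hosts on 445/tcp")
```

Denied connections are deliberately kept in the sweep count: a source that is blocked while walking through your address space on 445 is still telling you something, and a run of such hits is an early warning regardless of whether the hole in question is MS05-027 or one of the older ones Cooper mentions.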

June 27, 2005 in malware, microsoft, new worms

Evolving Malware

Steven Hofmeyr, one of the chief people at Sana Security, a noted security researcher, and the author of Steven Hofmeyr's Nth world commentaries, has a two-part series on the possible future evolution of malware, including worms and other self-propagating code.

First, we have to understand what it means to be successful for malware. This can be quite varied. For self-replicating malware such as worms and viruses, success could be very similar to that in biological systems: the number of copies extant. But if we define success in terms of the malware writers' goals, then there could be many definitions. Some goals will lead to destructive malware and some won't.

Source: On the Virulence of Malware, posted on Thursday, 16 June 2005.

One thing I like about these posts is that Hofmeyr explores how far the analogy between biological viruses and self-propagating code can be extended. All too many folks are willing to make blanket analogies, but only a few do the follow-up work Hofmeyr has done to really examine what these constraints are and what their consequences are. Read the link and the post from his blog that it references; you'll be glad you did.

These blog posts from Hofmeyr dovetail nicely with a recent piece on SecurityFocus, The True Computer Parasite. The authors make a good case for where malware is headed by studying the trends that we have seen to date:

Alongside replication methods, there has also been an evolution in terms of payload actions. In the early days, the objective was simply to be seen -- virus writers were typically motivated by ego and thus wanted their creations to get attention. With no prior art in the area, the bar for achieving this was set low and thus a virus did not have to do anything too drastic in order for such attention to be gained. Unfortunately, it did not take long for payloads to evolve from being mere distractions or nuisances to something overtly malicious. Destructive malware quickly became the norm, with the corruption of hard disks and even the PC BIOS being possible payload actions. Malware also developed characteristics similar to effective biological parasites. For example, they gained the ability to mutate using polymorphic techniques, to better evade anti-virus programs. Today various strains even attempt to terminate anti-virus processes and block access to vendors' AV websites.

Source: The True Computer Parasite, by Dr. Steven Furnell and Dr. Jeremy Ward, posted June 1, 2005.

June 25, 2005 in new trends

Models of Internet Worm Defense

David Nicol has an interesting presentation slide deck available, Models of Internet Worm Defense [PDF]. Sadly, there's no abstract associated with it, but Nicol's slide deck covers a number of mechanisms people have looked at for worm defense, including quarantine, counter worms, and patching. He backs up his analysis and conclusions with sound mathematical modeling and lots of equations, as well as pretty graphs. You'll want to study the graphs for a while to see the true story there. If you print them out, make sure you print in color, as some of the information is carried only in the colors used.
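Nicol's equations are not reproduced here, so as an added illustration (not from the slides or from this post) the Python below simulates the standard random-scanning worm model with two of the defences the deck covers, patching and quarantine, so you can see for yourself what the shapes of those graphs come from. The vulnerable population, address-space size, scan rate and defence rates are assumed values, and the address space is scaled down so the dynamics play out in a couple of hundred ticks.

```python
"""Toy worm-spread model with patching and quarantine as defences.

Added example; not Nicol's model or code and not part of the original post.
It is the standard random-scanning (logistic) worm model: each infected host
fires a fixed number of scans per tick at uniformly random addresses. All
parameter values below are constructed for illustration.
"""


def simulate(n_vuln=10_000, addr_space=2 ** 20, scans_per_tick=50,
             initial_infected=1.0, patch_rate=0.0, quarantine=0.0, ticks=200):
    """Return the per-tick (susceptible, infected, patched) trajectory.

    patch_rate: fraction of still-susceptible hosts patched each tick.
    quarantine: fraction of each infected host's scan traffic that is blocked
                (1.0 means infected hosts are fully contained).
    """
    s, i, r = float(n_vuln - initial_infected), float(initial_infected), 0.0
    history = [(s, i, r)]
    miss = 1.0 - 1.0 / addr_space          # P(one random scan misses a given host)
    for _ in range(ticks):
        effective_scans = scans_per_tick * (1.0 - quarantine) * i
        # Probability that a given susceptible host is hit by at least one scan.
        p_hit = 1.0 - miss ** effective_scans
        new_inf = s * p_hit
        s -= new_inf
        patched = s * patch_rate           # defenders patch some of what is left
        s -= patched
        i += new_inf
        r += patched
        history.append((s, i, r))
    return history


def final_infected(**kw):
    return simulate(**kw)[-1][1]


def peak_growth_tick(**kw):
    """Tick with the most new infections: roughly the deadline for reacting."""
    hist = simulate(**kw)
    deltas = [hist[t + 1][1] - hist[t][1] for t in range(len(hist) - 1)]
    return max(range(len(deltas)), key=deltas.__getitem__)


def compare_defences():
    """Final infected counts under no defence, patching only, quarantine only."""
    return {
        "none": final_infected(),
        "patching_5pct": final_infected(patch_rate=0.05),
        "quarantine_half": final_infected(quarantine=0.5),
        "quarantine_full": final_infected(quarantine=1.0),
    }


if __name__ == "__main__":
    for name, count in compare_defences().items():
        print(f"{name:16s} final infected = {count:10.1f}")
    print("peak growth tick, no defence:   ", peak_growth_tick())
    print("peak growth tick, 50% quarantine:", peak_growth_tick(quarantine=0.5))
```

Two things the numbers show that a verbal summary does not: partial quarantine mostly buys time (it pushes the peak of the curve out without changing where it ends up), while even a modest per-tick patch rate changes the end state, because hosts patched before the knee of the curve never become infected at all. That time-versus-endpoint distinction is worth keeping in mind when reading the colored curves in the deck.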

June 24, 2005 in counterworms, defense, modeling, papers

A Reputation-based System for the Quarantine of Widespread Malicious Behavior

One of the more unusual approaches I've seen in a while: it attempts to mix the idea of reputation networks (which themselves can piggyback on social networks, or simply mirror them) with quarantine ideas. I don't know how feasible or even worthwhile this approach is, but it is one of the more creative solutions I've seen proposed for the management of quarantine risks.
People use the recommendations of friends and neighbors to make important decisions daily. For instance, when moving to a new neighborhood people may ask co-workers to recommend good doctors in the area. This idea of reputation, along with peer recommendations, is also heavily used in a number of eCommerce and eBusiness systems, such as eBay and Amazon.com. In order to protect the Internet infrastructure that has become so critical in our everyday lives, we propose a system which uses these ideas of reputation and recommendation to effectively quarantine widespread malicious behavior on the Internet, thereby limiting the bandwidth it consumes and preventing ancillary denial of service at core Internet nodes. In addition to protecting the core Internet infrastructure from this type of ancillary denial of service attack, we have also shown that our system can prevent the spread of self-propagating worms, spam, and typical, human-propagated computer viruses – essentially any widespread malicious activity.
Source: A Reputation-based System for the Quarantine of Widespread Malicious Behavior, by Scott E. Coull and Boleslaw K. Szymanski.

June 23, 2005 in defense, papers

Let free(dom) Ring!

While the Slapper worm dates from 2002, it was an interesting display of a fingerprinting worm. It also showed how remarkably easy it can be to build an effective worm, and one with a P2P control network built in.
On 30 July, 2002 a security advisory from A.L. Digital Ltd and The Bunker disclosed four critical vulnerabilities in the OpenSSL package. OpenSSL is a free implementation of the Secure Socket Layer protocol used to secure network communications and it provides cryptographic primitives to many popular software packages, including the Apache web server. Less than two months later, the Linux/Slapper worm successfully exploited one of the buffer overflows described in the advisory and, in a matter of days, spread to thousands of machines around the world.

Linux/Slapper is one of the most significant outbreaks on Linux systems to date. Although the worm has the potential to infect many more machines, it skips private network classes such as 192.168.0.0/16 intentionally and thus it will not spread on local networks. Slapper shows many similarities with the FreeBSD/Scalper worm, hence the name.

Source: Let free(dom) Ring!, by Frédéric Perriot and Péter Ször.

June 22, 2005 in papers

WormShield

A very short (one page) description of a project that marries some interesting technologies. The authors' main goals appear to be both to use the distributed nature of a grid computing system to provide detection and control techniques, and to give the grid system itself a self-defending nature, thereby protecting large-scale grid computers on an open Internet.

Problem: Large-scale worm outbreak is one of the major security threats to today's Internet. Network worms exploit the vulnerabilities of widely deployed homogenous software to self-propagate quickly. Moore et al. show that the reaction time of worm containment is only a few minutes and the signature-based filtering is more efficient than source-address filtering. Recent work by Earlybird and Autograph suggests that it is promising to automatically detect worm signatures by analyzing their content prevalence and address dispersion. However, most scanning worms will be dispersed on the whole Internet when they start to spread. In the early stage of worm spreading, it is difficult to accumulate enough payloads to generate precise signatures in individual edge networks.

Approach: To solve this problem, we propose to design and implement a distributed worm signature detection and dissemination system (WormShield) that collaboratively analyzes worm activities in multiple administrative domains. In WormShield, all monitors deployed in edge networks self-organize into a distributed hash table (DHT) overlay network. Instead of only sharing port-scanning information like Autograph, WormShield monitors collaboratively analyze the global prevalence of payload contents and their address dispersion using distributed aggregation trees (DAT) built on top of the Chord overlay.

Source: WormShield: Collaborative Worm Signature Detection Using Distributed Aggregation Trees, by Min Cai, Runfang Zhou, Kai Hwang, Christos Papadopoulos, and Shanshan Song.
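The two measures the abstract leans on, content prevalence and address dispersion, are easy to misread as one idea, so here is an added example (not WormShield's, Earlybird's or Autograph's code) that implements them over a constructed packet sample in Python: count how often each fixed-size payload window appears, track how many distinct sources and destinations carry it, and report windows that clear all three thresholds, then chain overlapping windows back into a full signature. The 16-byte window size, the thresholds, the addresses and the "worm" payload blob are all assumptions; a flash crowd is included to show why the destination-dispersion test is what keeps popular legitimate content from being flagged.

```python
"""Content prevalence + address dispersion signature candidates.

Added example; not WormShield's, Earlybird's or Autograph's code. It
implements the idea the WormShield abstract describes on a single monitor:
count each fixed-size payload window, record the distinct sources and
destinations that carried it, and keep windows that are both prevalent and
dispersed. Traffic, thresholds and the "worm" blob are all constructed.
"""

WINDOW = 16  # bytes per content window (an assumed size, not WormShield's)

# Constructed invariant payload that every "infection attempt" carries.
WORM_BLOB = b"\x90\x90\x90\x90CONSTRUCTED-OVERFLOW-BLOB\x90\x90"

# (src_ip, dst_ip, dst_port, payload): many sources to many destinations, with
# a per-instance tag after the blob so the payloads are not byte-identical.
WORM_PACKETS = [
    (src, dst, 445, WORM_BLOB + bytes([0x30 + k]) + b"\r\n")
    for k, (src, dst) in enumerate([
        ("198.51.100.7", "192.0.2.10"), ("198.51.100.7", "192.0.2.11"),
        ("198.51.100.8", "192.0.2.12"), ("203.0.113.9", "192.0.2.13"),
        ("203.0.113.44", "192.0.2.14"), ("198.51.100.8", "192.0.2.15"),
    ])
]

# A flash crowd: many clients fetching one page from one server. Prevalent and
# dispersed across sources, but with a single destination, so not a worm.
FLASH_CROWD = [
    (f"192.0.2.{50 + k}", "198.51.100.80", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    for k in range(5)
]

SAMPLE_PACKETS = WORM_PACKETS + FLASH_CROWD


def content_windows(payload, size=WINDOW):
    """Yield every size-byte window of the payload (the whole payload if shorter)."""
    if len(payload) <= size:
        yield payload
        return
    for k in range(len(payload) - size + 1):
        yield payload[k:k + size]


def tabulate(packets):
    """Per-window prevalence count plus source and destination dispersion sets."""
    stats = {}
    for src, dst, _port, payload in packets:
        for w in set(content_windows(payload)):      # count a window once per packet
            entry = stats.setdefault(w, {"count": 0, "srcs": set(), "dsts": set()})
            entry["count"] += 1
            entry["srcs"].add(src)
            entry["dsts"].add(dst)
    return stats


def signature_candidates(packets, min_count=5, min_srcs=3, min_dsts=3):
    """Windows that are prevalent AND spread across enough sources and destinations."""
    return {w for w, e in tabulate(packets).items()
            if e["count"] >= min_count
            and len(e["srcs"]) >= min_srcs and len(e["dsts"]) >= min_dsts}


def merge_windows(cands, size=WINDOW):
    """Chain candidate windows that overlap by size-1 bytes into maximal strings."""
    by_prefix = {w[:size - 1]: w for w in cands}
    suffixes = {w[1:] for w in cands}
    sigs = []
    for w in sorted(cands):
        if w[:size - 1] in suffixes:
            continue                          # another candidate precedes it; not a chain head
        sig, seen = w, {w}
        nxt = by_prefix.get(sig[-(size - 1):])
        while nxt is not None and nxt not in seen:
            seen.add(nxt)
            sig += nxt[-1:]
            nxt = by_prefix.get(sig[-(size - 1):])
        sigs.append(sig)
    return sigs


if __name__ == "__main__":
    for sig in merge_windows(signature_candidates(SAMPLE_PACKETS)):
        print("candidate signature:", sig)
```

Run on the sample, the flash crowd produces windows with a prevalence of five from five sources but only one destination, so nothing is emitted for it, while the sixteen blob windows pass all three tests and chain back into the full blob even though no two worm payloads were identical. The abstract's contribution sits one level up from this: because each edge monitor sees only a few of these packets early on, WormShield aggregates the counts and dispersion sets across domains over a DHT so the thresholds can be met before any single network has seen enough on its own.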

You can see a larger description here, and some examples of the architecture in action.

The USC GridSec project develops distributed security infrastructure and self-defense capabilities to secure wide-area networked resource sites participating in a Grid application. We report new developments in trust modeling, security-binding methodology, and defense architecture against intrusions, worms, and flooding attacks. We propose a novel architectural design of Grid security infrastructure, security binding for enhanced Grid efficiency, distributed collaborative IDS and alert correlation, DHT-based overlay networks for worm containment, and pushback of DDoS attacks. Specifically, we present a new pushback scheme for tracking attack-transit routers and for cutting malicious flows carrying DDoS attacks. We discuss challenging research issues to achieve secure Grid computing effectively in an open Internet environment.

Source: GridSec: Trusted Grid Computing with Security Binding and Self-defense Against Network Worms and DDoS Attacks, by Kai Hwang, Yu-Kwong Kwok, Shanshan Song, Min Cai, Yu Chen, Ying Chen, Runfang Zhou, and Xiaosong Lou.

UPDATE: Fixed the link to the first paper, thank you Jim.

June 21, 2005 in defense, detection, papers