
Back-Door'ed by the Slammer

Another SANS GIAC paper. This one studies the SQLSlammer/Sapphire worm and the disaster recovery process that took place when that worm hit.
On Sunday, January 26, 2003, the company I work for was involved in an incident caused by SQLSlammer. What makes this particularly interesting is that the course of the infection happened from within the company, actually starting at our corporate headquarters. It found its way through a small 56k frame relay connection that had been monitored, but through a configuration mishap, the traffic was allowed through undetected. To make matters worse, a few days before we were hit, we had been in contact with another company that was infected and were taking precautions to avoid being infected ourselves.

The goal of this paper is to show how the incident was handled, and demonstrate that even though you may think you're protected, it's imperative to double check your perimeter protection and have good lines of communication with sites that have direct access to your network. I also plan to touch upon the reasons behind not being sufficiently patched and the importance of patch management, along with how the incident was handled, and in parts, mis-handled.

In each of the 6 steps of incident handling: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned, I will describe how the process took place at the time of the incident and also add comments on how the incident could have been handled more efficiently with the knowledge attained from this class.

Source: Back-Door'ed by the Slammer, John Hally

July 30, 2005 in papers, SQLSlammer | Permalink | Comments (1)

Worms as Attack Vectors: Theory, Threats, and Defenses

Quite a bit of this paper looks very familiar to me ...

Self-replicating, self-propagating, malicious programs (worms) are described in the context of being likely attack mechanisms for a variety of illicit or illegal activities. A brief discussion of what constitutes a typical worm is given, along with a brief history of worms, reasons they may be released, and who might gain from their use. A proposal for future worms is presented. Finally, current and future (proposed) defenses are presented and discussed in light of potential new threats.
Source: Worms as Attack Vectors: Theory, Threats, and Defenses, Matthew Todd.

July 29, 2005 in new trends, papers | Permalink | Comments (0)

Security Applications of Peer-to-Peer Networks

An interesting approach describing a P2P architecture to provide both distributed detection and qualification, letting the mesh of systems do the alert aggregation, and then automatic defense instantiation.

Open networks are often insecure and provide an opportunity for viruses and DDOS activities to spread. To make such networks more resilient against these kind of threats, we propose the use of a peer-to-peer architecture whereby each peer is responsible for: (a) detecting whether a virus or worm is uncontrollably propagating through the network resulting in an epidemic; (b) automatically dispatching warnings and information to other peers of a security-focused group; and (c) taking specific precautions for protecting their host by automatically hardening their security measures during the epidemic. This can lead to auto-adaptive secure operating systems that automatically change the trust level of the services they provide. We demonstrate our approach through a prototype application based on the JXTA peer-to-peer infrastructure.

Source: Security Applications of Peer-to-Peer Networks, Vasileios Vlachos, Stephanos Androutsellis-Theotokis, and Diomidis Spinellis. A later version of this paper was published in Computer Networks (Elsevier Science), Volume 45, Issue 2, pp 195-205, June 2004. Also see their JXTA project page for the tool described in the paper, NetBiotic.

July 28, 2005 in defense, detection, papers, Peer To Peer, tools | Permalink | Comments (0)

Worms: How to stop them?

While a very short paper, it covers an approach that is quite common, namely accurate network worm detection.

These days, networked computers are omnipresent in our day-to-day life. Their importance in world security in light of recent events related to terrorism is unprecedented. There is no need to belabor the potential havoc that a malicious hand can fix on our lives, upon gaining access to critical computer installations of defense systems or the Internet. Therefore such infrastructure should be protected from being compromised by villains. One of the various ways in which computer systems can be compromised is by deploying a worm.

This research deals with issues such as when to "cry worm!", proposes models to stop their spread without human intervention, provides simple mathematical models for the proposals, if possible, and provides simulations to test the proposed models. This paper gives a concise overview of the proposed model and shows some of the preliminary results of the simulations developed.

Source: Worms: How to stop them?, C. G. Senthilkumar, Daisuke Nojiri, Akshay Aggarwal, Jeff Rowe, Karl Levitt.

You can also view C. G. Senthilkumar's master's thesis in PostScript format, which covers worm detection.

July 27, 2005 in detection, papers | Permalink | Comments (0)

ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control

We often don't post much about mass mailers here, but then again I haven't found too much interesting research in that area. This paper looks quite interesting.

Modern society is highly dependent on the smooth and safe flow of information over communication and computer networks. Computer viruses and worms pose serious threats to the society by disrupting the normal information flow and collecting or destroying information without authorization. Compared to the effectiveness and ease of spreading worms and viruses, currently adopted defense schemes are slow to react and costly to implement.

This paper proposes an automated email virus detection and control scheme using the attachment chain tracing (ACT) technique. Based on conventional epidemiology, ACT detects virus propagation by identifying the existence of transmission chains in the network. It uses contact tracing to find epidemiological links between hosts. A soft quarantine scheme is proposed to control virus propagation. No virus signature information is needed for detection and quarantine. We also study the effect of delayed, limited immunization on the spread of viruses. We propose a progressive immunization strategy which uses transmission chain information to guide the immunization process. Preliminary simulation experiments show that ACT is a promising scheme.

Source: ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control, Jintao Xiong.
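Attachment chain tracing in working form, as an added example of my own (not code from the paper) run over a constructed mail-gateway log: a delivery counts as an epidemiological link when the sender had itself received the same attachment earlier, an attachment whose longest chain reaches a threshold number of hops is flagged without any signature of its content, and the hosts that forwarded it are proposed for soft quarantine, which I take here to mean rate-limiting their outbound attachments. The log fields, the three-hop threshold and the quarantine action are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MailEvent:
    """One attachment delivery seen at the mail gateway (constructed format)."""
    ts: int           # delivery time in seconds (constructed values)
    sender: str
    recipient: str
    attachment: str   # identifier of the attachment, e.g. a content hash


# Constructed sample log, not real data: attachment "h1" hops alice -> bob ->
# carol/dave -> erin/frank/heidi, while "h2" is sent once and never forwarded.
SAMPLE_LOG = [
    MailEvent(100, "alice", "bob", "h1"),
    MailEvent(150, "alice", "gina", "h2"),
    MailEvent(200, "bob", "carol", "h1"),
    MailEvent(210, "bob", "dave", "h1"),
    MailEvent(300, "carol", "erin", "h1"),
    MailEvent(320, "carol", "frank", "h1"),
    MailEvent(400, "dave", "heidi", "h1"),
]


def trace_chains(events, min_hops=3):
    """Contact-trace every attachment through the log.

    A delivery is an epidemiological link when the sender had received the
    same attachment earlier. Returns {attachment: (longest_chain, forwarders)}
    for attachments whose longest chain spans at least `min_hops` hops.
    """
    by_attachment = defaultdict(list)
    for ev in events:
        by_attachment[ev.attachment].append(ev)

    flagged = {}
    for att, evs in by_attachment.items():
        received_via = {}      # host -> chain of hosts along which it got att
        forwarders = set()     # hosts that received att and then sent it on
        longest = []
        for ev in sorted(evs, key=lambda e: e.ts):
            if ev.sender in received_via:
                forwarders.add(ev.sender)
                chain = received_via[ev.sender] + [ev.recipient]
            else:                      # index case: sender never received att
                chain = [ev.sender, ev.recipient]
            # remember the deepest chain through which the recipient got att
            if len(chain) > len(received_via.get(ev.recipient, [])):
                received_via[ev.recipient] = chain
            if len(chain) > len(longest):
                longest = chain
        if len(longest) - 1 >= min_hops:
            flagged[att] = (longest, forwarders)
    return flagged


def soft_quarantine_targets(flagged):
    """Hosts whose outbound attachments should be rate-limited: every host
    that forwarded a flagged attachment (the quarantine action is assumed)."""
    targets = set()
    for _chain, forwarders in flagged.values():
        targets |= forwarders
    return targets


if __name__ == "__main__":
    result = trace_chains(SAMPLE_LOG)
    for att, (chain, fwd) in result.items():
        print(att, " -> ".join(chain), "forwarders:", sorted(fwd))
    print("soft quarantine:", sorted(soft_quarantine_targets(result)))
```

On the sample log this flags h1 with the chain alice -> bob -> carol -> erin and forwarders bob, carol and dave, while the single-hop h2 is ignored. In practice the hop threshold has to be tuned against legitimate forwarding of popular attachments, which produces chains of its own, and that is exactly why the paper pairs detection with a soft rather than a hard quarantine.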

July 26, 2005 in detection, mass mailers, papers | Permalink | Comments (2)

Detection of New Malicious Code Using N-grams Signatures

This paper takes a somewhat uncommon approach to signature-based detection methods, namely breaking up the detection process. Few people go this route, so it's interesting to study its efficacy.

Signature-based malicious code detection is the standard technique in all commercial anti-virus software. This method can detect a virus only after the virus has appeared and caused damage. Signature-based detection performs poorly when attempting to identify new viruses. Motivated by the standard signature-based technique for detecting viruses, and a recent successful text classification method, n-grams analysis, we explore the idea of automatically detecting new malicious code. We employ n-grams analysis to automatically generate signatures from malicious and benign software collections. The n-grams-based signatures are capable of classifying unseen benign and malicious code. The datasets used are large compared to earlier applications of n-grams analysis.
Source: Detection of New Malicious Code Using N-grams Signatures, by Tony Abou-Assaleh, Nick Cercone, Vlado Keselj, and Ray Sweidan.
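The n-gram profile idea in working form, as an added example of my own rather than code from the paper: each class (benign, malicious) gets a profile of its most frequent byte trigrams with their relative frequencies, and an unseen binary is labelled by the profile it is least dissimilar to. The profile size, the distance formula (a normalised squared difference summed over the union of both profiles' n-grams) and the byte samples are my assumptions and constructions; the training blobs are a few dozen bytes each, not real binaries.

```python
from collections import Counter

N = 3      # byte n-gram length
TOP = 30   # profile size: most frequent n-grams kept per class


def ngram_profile(samples, n=N, top=TOP):
    """Class profile: the `top` most frequent byte n-grams across all samples
    of the class, mapped to their relative frequency."""
    counts = Counter()
    for blob in samples:
        counts.update(blob[i:i + n] for i in range(len(blob) - n + 1))
    total = sum(counts.values())
    if total == 0:                      # every sample shorter than n
        return {}
    return {g: c / total for g, c in counts.most_common(top)}


def dissimilarity(p, q):
    """Normalised profile distance over the union of both n-gram sets; an
    n-gram present in only one profile contributes the maximum term, 4."""
    d = 0.0
    for g in p.keys() | q.keys():
        f1, f2 = p.get(g, 0.0), q.get(g, 0.0)
        d += ((f1 - f2) / ((f1 + f2) / 2)) ** 2
    return d


def classify(blob, profiles, n=N, top=TOP):
    """Label an unseen binary by the class profile it is least dissimilar to."""
    sample = ngram_profile([blob], n, top)
    scores = {label: dissimilarity(sample, prof) for label, prof in profiles.items()}
    return min(scores, key=scores.get), scores


# Constructed training collections (not real binaries): both classes share a
# DOS-header-like prefix; "benign" carries import-table strings, "malicious"
# carries a recurring stub of arbitrary bytes standing in for a family's code.
HEADER = b"MZ\x90\x00"
STUB = b"\xfa\x17\xc3\x9b\x02\x77\xee\x41"
BENIGN_SAMPLES = [
    HEADER + b"This program cannot be run in DOS mode.\r\n",
    HEADER + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00",
    HEADER + b"user32.dll\x00MessageBoxA\x00ExitProcess\x00",
]
MALICIOUS_SAMPLES = [
    HEADER + STUB * 4,
    HEADER + STUB * 3 + b"\x11\x22\x33",
    HEADER + b"\x44\x55" + STUB * 3,
]
PROFILES = {
    "benign": ngram_profile(BENIGN_SAMPLES),
    "malicious": ngram_profile(MALICIOUS_SAMPLES),
}

# Unseen inputs (constructed): neither appears in the training collections.
UNSEEN_MALICIOUS = HEADER + STUB * 2 + b"\x99"
UNSEEN_BENIGN = HEADER + b"kernel32.dll\x00ExitProcess\x00"

if __name__ == "__main__":
    for name, blob in (("unseen_malicious", UNSEEN_MALICIOUS),
                       ("unseen_benign", UNSEEN_BENIGN)):
        label, scores = classify(blob, PROFILES)
        print(name, "->", label, {k: round(v, 1) for k, v in scores.items()})
```

Both unseen blobs are labelled correctly because the shared MZ prefix contributes almost equally to both distances while the body trigrams match only one profile. With real binaries the profiles run to thousands of n-grams, and the interesting question the paper's large datasets address is how well the malicious profile generalises to families it was not trained on.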

July 25, 2005 in detection, papers | Permalink | Comments (0)

SMB Shares and Worms - A Parasitic Relationship?

Another SANS practical report they have on their website. These are useful because you get to see how people learned how to collect and analyze malware.

This document will examine the business and technical ramifications of a variant of the Deborm worm. This incident actually happened in a real business environment and more or less had the business repercussions detailed. The fact that this was not a very powerful worm is a lesson to all that the Internet is, as Tom Cruise said in Top Gun, a "target rich environment". No matter how simple the exploit, there are billions of targets out there to choose from. This paper will help the reader understand the worm lifecycle and how to defend against the various strategies they use to move around networks and invade host machines. The worm studied is simple, but the lessons learned can be applied to the more complex worms that are appearing today.

Source: SMB Shares and Worms - A Parasitic Relationship? An analysis of the W32/Deborm.worm.q, by Ken Ramsay.

July 23, 2005 in detection, papers, tools | Permalink | Comments (0)

W32 Deloder Worm: The Building of an Army

Deloder is one of the variants of a popular bot these days, very much like Rbot and SDBot.

The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive distributed-denial-of-service attack at any time. These worms allow intruders to remotely control infected computers from one central computer. Officials at the CERT® Coordination Center said the organization is monitoring at least five large networks of compromised machines installed with so-called bots.

The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks is an army of more than 100,000 machines and there are indications that these networks are being used for attacks. Whether the army is used today or held in reserve to be used at some future date for an attack doesn't really matter. The potential is there for them to cause serious long-term damage.

In addition to the IRC Trojan, computers compromised by the Deloder worm have an additional backdoor which is typically used for network administration. This tool allows the attacker to remotely control the compromised system or spy on every single keystroke. Deloder installs the administration tool with the same password for all systems so that amateur attackers can utilize these compromised systems.

Contributing to the overall problem is the poor security posture of many computer owners with shared resources and broadband Internet access. Deloder and many other recent worms spread by exploiting weak or null passwords used to protect shared network drives and folders.

This paper is a review of the Deloder worm and discusses the vulnerabilities associated with port 445/tcp (Microsoft-ds). The paper has suggestions on how to prevent being a victim of this attack and discusses some techniques for detecting attacks associated with port 445/tcp.

Source: W32 Deloder Worm: The Building of an Army, by Vance Stone.

July 22, 2005 in new worms, papers | Permalink | Comments (0)

CARDS: A distributed system for detecting coordinated attacks

Another paper on a distributed data collection and analysis platform. Because worm outbreaks move so quickly and often semi-randomly, a distributed system makes sense: if you can aggregate the information from various disparate sensors, you may be able to detect the worm before it infects all networks.

A major research problem in intrusion detection is the efficient detection of coordinated attacks over large networks. Issues to be resolved include determining what data should be collected, which portion of the data should be analyzed, where the analysis of the data should take place, and how to correlate multi-source information. This paper proposes the architecture of a Coordinated Attack Response & Detection System (CARDS). CARDS uses a signature-based model for resolving these issues. It consists of signature managers, monitors, and directory services. The system collects data in a flexible, distributed manner, and the detection process is decentralized among various monitors and is event-driven. The paper also discusses related implementation issues.

Source: CARDS: A distributed system for detecting coordinated attacks, Jiahai Yang, Peng Ning, X. Sean Wang, and Sushil Jajodia.

July 21, 2005 in detection, ids, papers | Permalink | Comments (5)

Correlation between NetFlow System and Network Views for Intrusion Detection

This approach, marrying network data from NetFlow together with system alerts, is becoming a reality in the security marketplace. It is the marriage of a traffic monitoring tool and a SEM (or SIM) platform.

We present several ways to correlate security events from two applications that visualize the same underlying data with two distinct views: system and network. Correlation of security events provides security engineers a better understanding of what is happening for enhanced security situational awareness. Visualization leverages human cognitive abilities and promotes quick mental connections between events that otherwise may be obscured in the volume of IDS alert messages.
Source: Correlation between NetFlow System and Network Views for Intrusion Detection, Cristina Abad, Yifan Li, Kiran Lakkaraju, Xiaoxin Yin, and William Yurcik.

July 20, 2005 in detection, ids, papers | Permalink | Comments (3)