
Wormboy

One of the things I saw on Friday at WORM05 was "Wormboy", a new tool released as part of a research project. The author, David Malan, is interested in using a peer-to-peer network of nodes to determine whether any of their processes are possibly malware. Wormboy traces a process's system calls and can tell, with pretty decent frequency, whether its pattern of behavior is suspicious.

To trace, as part of my research, the behavior of worms, we have implemented Wormboy, a kernel-mode driver for Windows XP with Service Pack 2 that inserts hooks into _KeServiceDescriptorTable before and after all but two system services. Inspired by Strace for NT, as well as by work by Nebbett and Dabak et al., Wormboy not only captures a call's service ID and input parameters, but also its output parameters and return value, along with a caller's name, process ID, thread ID, and mode.

Source: Wormboy website, where you can download the tool and test it out for yourself.
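As an added illustration, and not Wormboy's own code, the snippet below shows the kind of per-process syscall pattern analysis the post describes: it builds an n-gram profile of service-ID sequences from a known-good trace and scores a later trace against it. The trace line format, the service IDs, the PIDs and the process names are constructed assumptions, loosely following the fields the Wormboy description lists (service ID, caller, process ID, thread ID, mode, return value).

```python
from collections import defaultdict
# Constructed trace lines, assumed format: "<service_id> <caller> <pid> <tid> <mode> <status>"
BASELINE_TRACE = """\
0x25 notepad.exe 1204 1208 user 0x0
0x3c notepad.exe 1204 1208 user 0x0
0x4f notepad.exe 1204 1208 user 0x0
0x19 notepad.exe 1204 1208 user 0x0
0x25 notepad.exe 1204 1208 user 0x0
0x3c notepad.exe 1204 1208 user 0x0
"""
# A later run: pid 1300 deviates mid-sequence, pid 1400 matches the baseline.
SUSPECT_TRACE = """\
0x25 notepad.exe 1300 1304 user 0x0
0x3c notepad.exe 1300 1304 user 0x0
0x4f notepad.exe 1300 1304 user 0x0
0x8a notepad.exe 1300 1304 user 0x0
0x8b notepad.exe 1300 1304 user 0xC0000022
0x4f notepad.exe 1300 1304 user 0x0
0x25 notepad.exe 1400 1404 user 0x0
0x3c notepad.exe 1400 1404 user 0x0
0x4f notepad.exe 1400 1404 user 0x0
0x19 notepad.exe 1400 1404 user 0x0
"""
def sequences_by_pid(text):
    """Group service IDs per PID in trace order; malformed lines are skipped."""
    per_pid = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6:                 # service_id is field 0, pid is field 2
            per_pid[int(parts[2])].append(parts[0])
    return per_pid

def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def build_profile(trace, n=3):
    """Union of syscall n-grams observed in a known-good run."""
    profile = set()
    for seq in sequences_by_pid(trace).values():
        profile.update(ngrams(seq, n))
    return profile

def score_trace(trace, profile, n=3):
    """Per-PID fraction of n-grams absent from the baseline (0.0 = looks normal)."""
    scores = {}
    for pid, seq in sequences_by_pid(trace).items():
        grams = ngrams(seq, n)
        unseen = sum(1 for g in grams if g not in profile)
        scores[pid] = unseen / len(grams) if grams else 0.0
    return scores
```

The fractional score is exactly what the mimicry attacks named in the comments below try to drive toward 0.0, so treat it as one signal to corroborate rather than a verdict on its own.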

November 15, 2005 in detection, Peer To Peer, tools

Comments

The big problem:

I LOVE the idea. It's creative, it's unique, it's VERY cool.

Unfortunately, it's also trivial to evade. Currently, so much malcode first kills AV/monitor, or can replace it with something which lies.

But beyond that, this feels VERY vulnerable to the Wagner/Soto mimicry attack/mutation techniques.

Posted by: Nicholas Weaver | Nov 15, 2005 11:25:03 AM

Product vs. Research -- Take 7.14E30

Nicholas, you're right, but this is research, not a product. Let's be careful in requiring too much practicality in research. It would kill research and thus the advancement of technology. This is a kick I've been on for a little while now and I'm just starting to see it clearly myself. Almost all technology is born out of ideas that were once so far-fetched and impractical that people scoffed, but eventually changed the world as other bright people like yourself were able to smooth out the research and make real, applicable technologies out of it. Please remember and honor those before us who did such fanciful research and were laughed at.

I think Wormboy is real progress and needs to be encouraged as much as we can. Certainly, point out its weak points, but please keep it in the proper perspective.

In the security arena, it's cool to cut down each other's work and find flaws with everything. This is great when security needs to be ensured or, as often occurs, insecure systems are promoted as secure much to the harm of the user. Wormboy is neither of these things. It's research, and good research at that. Kudos to David and best wishes.

Posted by: Chris | Nov 19, 2005 11:08:29 PM
