Detecting Intra-Enterprise Scanning Worms Based on Address Resolution
Another paper that looks at the fact that when worms scan for victims, they generate a lot of failed connection attempts. By looking at the signs of these failures - TCP RSTs, ICMP unreachable errors, or, in this case, ARP traffic - you can efficiently find active worms.

Signature-based schemes for detecting Internet worms often fail on zero-day worms, and their ability to rapidly react to new threats is typically limited by the requirement of some form of human involvement to formulate updated attack signatures. We propose an anomaly-based detection technique detailing a method to detect propagation of scanning worms within individual network cells, thus protecting internal networks from infection by internal clients. Our software implementation indicates that this technique is both accurate and rapid enough to enable automatic containment and suppression of worm propagation within a network cell. Our approach relies on an aggregate anomaly score, derived from the correlation of Address Resolution Protocol (ARP) activity from individual network attached devices. Our preliminary analysis and prototype indicate that this technique can be used to rapidly detect zero-day worms within a very small number of scans.

Source: Detecting Intra-Enterprise Scanning Worms Based on Address Resolution, D. Whyte, P.C. van Oorschot, E. Kranakis.
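To make the ARP angle concrete, here is an added example written for this page; it is not the paper's algorithm or code. It assumes tcpdump-style ARP lines, a constructed trace with one well-behaved host and one host sweeping addresses that mostly do not exist, and a simplified per-host score (the number of distinct targets whose ARP requests are still unanswered) standing in for the paper's aggregate anomaly score. A worm probing random addresses in its own subnet has to ARP for each one, and most of those requests get no reply, which is the signal the detector keys on.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines (sample data for this example, not a real capture).
# 10.0.0.5 behaves normally: it resolves its gateway and one peer, and both answer.
NORMAL_LINES = [
    "12:00:01.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5",
    "12:00:01.001 ARP, Reply 10.0.0.1 is-at 00:00:5e:00:53:01",
    "12:00:02.000 ARP, Request who-has 10.0.0.7 tell 10.0.0.5",
    "12:00:02.001 ARP, Reply 10.0.0.7 is-at 00:00:5e:00:53:07",
]
# 10.0.0.66 sweeps 10.0.0.100-10.0.0.119; only 10.0.0.105 exists and replies.
SCAN_LINES = [
    f"12:00:05.{i:03d} ARP, Request who-has 10.0.0.{100 + i} tell 10.0.0.66"
    for i in range(20)
] + ["12:00:05.030 ARP, Reply 10.0.0.105 is-at 00:00:5e:00:53:69"]

SAMPLE_TRACE = NORMAL_LINES + SCAN_LINES

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at")


def detect_arp_scanners(lines, threshold=5):
    """Stream ARP lines in order and flag a host as soon as it has `threshold`
    distinct targets whose ARP requests have not been answered.

    Returns {host: number_of_requests_sent_when_flagged}, i.e. how many scans
    it took to catch the host. Scoring rule (an assumption for this example,
    not the paper's exact score): a target stays 'unanswered' until any ARP
    reply for that IP is seen on the wire.
    """
    pending = defaultdict(set)   # requester -> targets still unanswered
    requests = defaultdict(int)  # requester -> requests seen so far
    detected = {}
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            target, requester = m.groups()
            requests[requester] += 1
            pending[requester].add(target)
            if requester not in detected and len(pending[requester]) >= threshold:
                detected[requester] = requests[requester]
            continue
        m = REPLY_RE.search(line)
        if m:
            answered = m.group(1)
            for targets in pending.values():  # a reply clears that target for everyone
                targets.discard(answered)
    return detected


def arp_summary(lines):
    """Whole-trace view: per requester, total requests and distinct targets that
    never replied anywhere in the trace."""
    replied = set()
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            replied.add(m.group(1))
    per_host = defaultdict(lambda: {"requests": 0, "targets": set()})
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            target, requester = m.groups()
            per_host[requester]["requests"] += 1
            per_host[requester]["targets"].add(target)
    return {
        host: {"requests": s["requests"], "unanswered": len(s["targets"] - replied)}
        for host, s in per_host.items()
    }


if __name__ == "__main__":
    print(detect_arp_scanners(SAMPLE_TRACE))  # {'10.0.0.66': 5}
    print(arp_summary(SAMPLE_TRACE))
```

In the constructed trace the scanner is flagged after its fifth request, while the normal host never has more than one request outstanding. A real deployment needs a timeout (replies arrive a few milliseconds after requests, so "still pending" must be judged against time, not trace order) and a whitelist for hosts that legitimately ARP for many addresses, such as the gateway or a DHCP server.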
August 31, 2006 in detection, papers
A Monitoring System for Detecting Repeated Packets with Applications to Computer Worms
An interesting paper that proposes a design to efficiently count the frequency of similar observations. When a worm attempts to propagate, the initial attack vectors will look the same for standard worms (excluding polymorphic worms) from one or more sources to a growing number of destinations. This paper attempts to exploit that fact and discover when a worm is active by looking at the payload in a time-space efficient fashion.
We present a monitoring system which detects repeated packets in network traffic, and has applications including detecting computer worms. It uses Bloom filters with counters. The system analyzes traffic in routers of a network. Our preliminary evaluation of the system involved traffic from our internal lab and a well known historical data set. After appropriate configuration, no false alarms are obtained under these data sets and we expect low false alarm rates are possible in many network environments. We also conduct simulations using real Internet Service Provider topologies with realistic link delays and simulated traffic. These simulations confirm that this approach can detect worms at early stages of propagation. We believe our approach, with minor adaptations, is of independent interest for use in a number of network applications which benefit from detecting repeated packets, beyond detecting worm propagation. These include detecting network anomalies such as dangerous traffic fluctuations, abusive use of certain services, and some distributed denial-of-service attacks.
Source: A Monitoring System for Detecting Repeated Packets with Applications to Computer Worms, P.C. van Oorschot, J.M. Robert, M. Vargas Martin.
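The core data structure of the paper, a Bloom filter with counters, worked through on constructed traffic. This is an added example for this page, not the authors' implementation: it assumes the monitored unit is the first 64 bytes of each payload, derives the k filter positions from slices of one SHA-256 digest (so k is at most 8), and uses a fixed-size sliding window of recent packets. The counters are what make the window possible: a plain Bloom filter cannot forget the packets that fall out of the window, a counting one can.

```python
import hashlib
from array import array
from collections import deque


class CountingBloomFilter:
    """Bloom filter whose bits are small counters, so items can be removed again.

    Positions come from 4-byte slices of one SHA-256 digest (assumption made
    for this example: k <= 8, so one digest supplies all k positions).
    """

    def __init__(self, m=4096, k=4):
        if not 1 <= k <= 8:
            raise ValueError("k must be between 1 and 8 for the digest-slicing scheme")
        self.m, self.k = m, k
        self.counters = array("I", [0]) * m

    def _positions(self, item):
        digest = hashlib.sha256(item).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def add(self, item):
        """Insert `item` and return its estimated count after insertion."""
        for p in self._positions(item):
            self.counters[p] += 1
        return self.count(item)

    def remove(self, item):
        for p in self._positions(item):
            if self.counters[p] > 0:
                self.counters[p] -= 1

    def count(self, item):
        # Minimum over the k counters is the usual estimate: collisions can only
        # inflate a counter, so the true count is never above this value.
        return min(self.counters[p] for p in self._positions(item))


def detect_repeated_payloads(packets, threshold=4, prefix_len=64, window=1000):
    """Raise one alarm per payload prefix the moment it has been seen `threshold`
    times within the last `window` packets. Returns [(src, prefix), ...]."""
    bf = CountingBloomFilter()
    recent = deque()
    alarms = []
    for src, _dst, payload in packets:
        key = payload[:prefix_len]
        while len(recent) >= window:        # slide the window: forget the oldest packets
            bf.remove(recent.popleft())
        recent.append(key)
        if bf.add(key) == threshold:        # fires once, when the count first reaches threshold
            alarms.append((src, key))
    return alarms


# Constructed sample traffic (not a real capture). The "worm" payload is an
# arbitrary byte pattern standing in for an exploit buffer; it is not a real exploit.
WORM_PAYLOAD = b"\x00\x01EXPLOIT-STUB" + b"\x90" * 80
NORMAL_PACKETS = [
    ("10.0.0.5", f"10.0.1.{i}",
     f"GET /page{i}.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n".encode())
    for i in range(10)
]
WORM_PACKETS = [("10.0.0.66", f"10.0.2.{i}", WORM_PAYLOAD) for i in range(8)]
# Interleave so the worm's packets are mixed into ordinary traffic.
SAMPLE_PACKETS = [p for pair in zip(NORMAL_PACKETS, WORM_PACKETS) for p in pair] + NORMAL_PACKETS[8:]

if __name__ == "__main__":
    print(detect_repeated_payloads(SAMPLE_PACKETS))  # one alarm, from 10.0.0.66
```

The alarm fires on the fourth copy of the worm payload and never for the web requests, whose paths differ inside the first 64 bytes. That last point is where the "appropriate configuration" in the abstract comes in: many legitimate protocols repeat their first bytes (every request to a popular web server starts the same way), so prefix length, threshold and a list of known-repetitive services all have to be tuned per network before the false alarm rate is acceptable.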
August 30, 2006 in detection, papers
Instant Messaging Worms, Analysis and Countermeasures
IM worms are an interesting beast. They have both built-in speedups for propagation via a buddy list, and a great control mechanism in the message routers for each network. We haven't seen the end of them, but they seem to be dominated by bots using link-spamming techniques to propagate. This paper, from WORM05, proposes throttling (which works) and CAPTCHA mechanisms to give a challenge-response mechanism for possibly malicious content. As I recall, the latter wasn't well received by the audience at WORM05, who felt that if you suspected content was dangerous, why not just block it?

We provide a collection of minor results on the area of Instant Messaging (IM) worms, which has received relatively little attention in the formal literature. We review selected IM worms and summarize their main characteristics, motivating a brief overview of the network formed by IM contact lists, and a discussion of theoretical consequences of worms in such networks. Existing methods to restrict an IM worm epidemic are analyzed in terms of usability and effectiveness, leading to the suggestion of two minor variations to limit IM worm propagation. We believe these variations are more user-friendly and effective than existing published methods. We also provide brief results of a three and a half year user study of IM text messaging and file transfer frequency in a moderate-size public IM network – the largest such study to date – which is of independent interest, but also supports in part the preceding claim regarding user-friendliness.

Source: Instant Messaging Worms, Analysis and Countermeasures, M. Mannan, P.C. van Oorschot. WORM 2005 (ACM Workshop on Rapid Malcode).
August 29, 2006 in defense, IM worms, papers
MS06-040 and the Death of the Worm
A couple of years ago, when a vulnerability like the recently disclosed Microsoft Security Bulletin MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution was released, you figured a worm was not far behind. And not just a basic worm, the kind that can infect hundreds of thousands of machines quickly. After all, we've been expecting that to happen given what we saw in the past with MS05-039 (Zotob, which really was a bot), MS04-011 (Sasser) and MS03-039 (Blaster).

But this is 2006, and people recognize that if you were able to get your code onto hundreds of thousands of systems, you should be able to do something with them. And so we have bots like W32.Wargbot taking advantage of that vulnerability. It didn't spread nearly as aggressively as Blaster did, but it showed that we're beyond simple worms, for whatever reason.
During my hiatus, I spent some time wondering if Wormblog was even still needed. It's only been a few years, but it seems like worm detection systems are no longer under as much pressure as they were in the past. For one, you have a significant amount of background noise from bots scanning for victims. Also, you have a dramatic slowdown in malcode propagation compared to a couple of years ago. Don't be surprised if you see more botnet stuff on here because of such changes. I think that there's still interesting research going on in worms and not just in bots, and I'll keep digging for it.
August 28, 2006 in botnets, editorial, malware, new trends
Watershed in malicious code evolution
Another link from my good friend Kamal. Another link that has been sitting in my inbox for too long ...

I think we'd all agree that the types of threats we're seeing now are changing radically. If we look at the past few years of malware, we see a change in the nature of the threat. One of the things I've noticed is that malware authors seem to be hitting a brick wall in attempting to exploit systems the old-fashioned way (i.e. a buffer overflow) and instead are back to the weakest link - people. Social engineering tricks, such as those used by IM-based malware, and password guessing techniques seem to be popular with some people. Just as popular as ever are mass mailers. But even more popular than ever are client-side exploits that launch a download of some malware to bootstrap itself onto a victim machine. This piece from VirusList is a good set of numbers to infer what's going on and where things are headed.
Accordingly, there has been a watershed in how Kaspersky Lab classifies malware. A professional malware market started to emerge at the very end of 2003, gained ground during 2004, and was well established by the beginning of 2005. Therefore, 2004 could be called the year in which the Internet became comprehensively criminal. Data based on Kaspersky Virus Lab statistics clearly demonstrates this trend. Some of this data is used in the discussion of the malware classifications used by Kaspersky virus analysts which follows.

Source: Watershed in malicious code evolution, from VirusList.
August 26, 2006 in malware, mass mailers, new trends
Worms as a Threat to Online Gaming -- and Worms Disappearing
Two small pieces that hit a mailing list.

In Worm threat to online gaming, some of the folks over at McAfee's AVERT blog note that there's an intersection between some online games (like WoW) and worms through the language Lua.

McAfee Avert received several worms implemented in a scripting language called ‘Lua’ (see http://www.lua.org). It is a free scripting language, the first version of which was released in 1994!

I don't know the architecture of these games, but the interactions could be interesting and, the folks at AVERT think, devastating. I don't know why some of the malware authors chose Lua.

There are two things that make this an interesting development. Firstly, this language is widely used for online gaming (”World of Warcraft”, “Garry’s Mod”, “Illarion”, “Escape From Monkey Island”, “Daimonin” MMORPG and many others). The list of games using ‘Lua’ is quite long (see full list of projects at http://www.lua.org/uses.html).
A second short piece comes from Dan and looks at the big question about where worms are. In The Cyber War Threat, the authors lament that the number of major worm outbreaks is decreasing.
Worst of all, the Cyber War threat is fading from public view. That's because spectacular virus and worm attacks that, in the past, hit millions of PC users, are becoming rather rare. Between 2002 and 2004, there were some one hundred large scale attacks (using viruses or worms). But last year there were only six such attacks, and fewer this year. The more professional black hats (criminal hackers) are in it for the money now, not to show off, and prefer to operate beneath the radar.

There is an undeniable difficulty in securing funding for a threat that's diminishing, which is something the author notes (mainly from the military side of things). For others, it just means that the threat has shifted.
August 25, 2006 in new trends
WORM06: I'll have a panel
Just a quick note to say I'll have a panel at WORM06 this fall. It's entitled "Where the worms aren't" and is going to explore the question "Where are the worms we were led to believe were going to consume the Internet?" This is, I think, due to a number of factors, including the dramatic rise of bots, the change in the vulnerability landscape, and the reactions of ISPs to the problem of suspicious hosts.

Participants will include Dan Ellis, Nick Weaver, and David Dagon, and the audience. I think this is an important question for a variety of reasons. I hope you can join us or just share your thoughts on this matter in the comments here.
August 24, 2006 in events
Detecting Worms with Ourmon
Again from Kamal, and again something that's been sitting in my inbox for far too long.

The folks over at Ourmon (a play on RMON, get it?) have been coming up with ways to use statistics to do anomaly detection. Obviously, one of the things you can do with such a tool is detect ... worms loose on a network. Or bots.
Here's a description of the Ourmon tool:
Ourmon is a statistically oriented open-source network monitoring and anomaly detection system. Ourmon is based on promiscuous mode packet collection on Ethernet (typically) interfaces. A probe collects packets deemed important and sends internally defined tuples back to a graphics display system which may or may not be on the same host. Ourmon does not collect all the packets because one principle design goal is to extract signal from noise, not store all the noise in a giant bag under the assumption that you can peruse it "later" (there is no later).

Kamal, who attended the 2005 Freenix event, notes that they had a paper on Ourmon describing the system and its applications.

Ourmon analyzes data using both multiple instances of the Berkeley Packet Filter, and also various hashed top N lists and then displays the data using RRDTOOL graphs, histograms, and perl reports. Data is produced in near realtime every thirty seconds.
Charlie Schluting has a two-part article on using Ourmon to detect worms, Something Wormy on Your Net? Investigate with Ourmon (part 1 and part 2), over at the EnterpriseNetworkingPlanet website.
You can see Ourmon in a live demo at the PDX website. Of interest to Wormblog readers is the TCP Worm graph, which comes from analysis of hosts that "generate more TCP SYNS than TCP FINS."
All in all a neat project (but the web interface could use some work ...).
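The SYN-versus-FIN idea behind the TCP Worm graph is simple enough to reproduce, so here is an added example for this page; it is not Ourmon's code and does not reproduce its full set of metrics. It assumes tcpdump-style TCP lines, thirty-second bins like Ourmon's reporting interval, a constructed trace with one normal web client and one host probing port 445 across a subnet, and counts only pure SYNs (not SYN-ACKs) as connection attempts.

```python
import re
from collections import defaultdict

# tcpdump-style line: "HH:MM:SS.frac IP src.port > dst.port: Flags [..], ..."
PKT_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[([^\]]+)\]"
)

# Constructed sample trace (not a real capture).
# 10.0.0.5 opens five web connections and closes each one cleanly.
NORMAL_LINES = []
for i in range(5):
    NORMAL_LINES += [
        f"12:00:{2 * i:02d}.000 IP 10.0.0.5.4000{i} > 10.0.1.{i}.80: Flags [S], seq 0, win 65535, length 0",
        f"12:00:{2 * i:02d}.010 IP 10.0.1.{i}.80 > 10.0.0.5.4000{i}: Flags [S.], seq 0, ack 1, win 65535, length 0",
        f"12:00:{2 * i + 1:02d}.000 IP 10.0.0.5.4000{i} > 10.0.1.{i}.80: Flags [F.], seq 1, ack 1, win 65535, length 0",
        f"12:00:{2 * i + 1:02d}.010 IP 10.0.1.{i}.80 > 10.0.0.5.4000{i}: Flags [F.], seq 1, ack 2, win 65535, length 0",
    ]
# 10.0.0.66 fires 30 SYNs at port 445 across the subnet and never finishes a connection.
SCAN_LINES = [
    f"12:00:10.{i:03d} IP 10.0.0.66.5{i:04d} > 10.0.0.{100 + i}.445: Flags [S], seq 0, win 1024, length 0"
    for i in range(30)
]
SAMPLE_TRACE = NORMAL_LINES + SCAN_LINES


def syn_fin_counts(lines, bin_seconds=30):
    """Per (bin_start_seconds, source host): SYNs sent and FINs sent."""
    counts = defaultdict(lambda: {"syn": 0, "fin": 0})
    for line in lines:
        m = PKT_RE.match(line)
        if not m:
            continue
        hh, mm, ss, _frac, src, _dst, flags = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss)  # whole seconds suffice for 30 s bins
        key = (t // bin_seconds * bin_seconds, src)
        if "S" in flags and "." not in flags:   # pure SYN = a connection attempt, not a SYN-ACK
            counts[key]["syn"] += 1
        if "F" in flags:
            counts[key]["fin"] += 1
    return dict(counts)


def flag_syn_scanners(lines, threshold=10, bin_seconds=30):
    """Hosts whose SYNs exceed their FINs by `threshold` or more in a bin.
    Returns sorted [(bin_start, host, syns, fins), ...]."""
    hits = []
    for (bin_start, host), c in sorted(syn_fin_counts(lines, bin_seconds).items()):
        if c["syn"] - c["fin"] >= threshold:
            hits.append((bin_start, host, c["syn"], c["fin"]))
    return hits


if __name__ == "__main__":
    for hit in flag_syn_scanners(SAMPLE_TRACE):
        print("bin %d: %s sent %d SYNs but only %d FINs" % hit)
```

The web client comes out even (five SYNs, five FINs) and the prober stands out at thirty to zero. The obvious false positives for this single metric are hosts whose connections outlive the bin, or that tear down with RST instead of FIN; a per-host baseline and counting received RSTs alongside FINs help, which is why a tool like Ourmon graphs several such signals rather than one.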
August 22, 2006 in detection, tools
Animations from CAIDA
Via Kamal (and in my inbox for far too long ...) ...

CAIDA has a neat set of animations over the years of various important worm events: SQLSlammer, Code Red, and Witty. They use a map tool and (presumably) GeoIP-type information along with their sensors to map the source of infected boxes and animate it over time. You can see things spread geographically.
All of this is in the Animations section of the CAIDA publications page.
August 21, 2006 in Code Red, SQLSlammer, witty
Death of the IM-Worm?
A short analysis piece from the folks over at VirusList, which is always a good site. This piece looks at the IM worm. I had expected 2006 to be the year of the IM worm; everything pointed that way. Looks like I was wrong. We still see a lot of bots that have IM capabilities in them, but we're not seeing many pure IM worms. This article looks at the first half of 2006 and the trends in the IM worm space.

This article examines the evolution of the IM worm since the beginning of 2005. It is written from a European standpoint: this means that it does not include information about certain IM-Worms which did not spread widely in Europe. It also does not cover the topic of malware for certain IM clients such as ICQ, which are less commonly used in Europe.

Source: Death of the IM-Worm?, Roel Schouwenberg, Senior Research Engineer, Kaspersky Lab BNL.

Although the first IM-Worm appeared in 2001, this type of malware didn’t become really common until the beginning of 2005. If we take a look at this period, it becomes clear that it’s very important to differentiate between IM Worms which were written with a range of aims.
August 20, 2006 in IM worms, new trends