
Optimising Malware

In this paper, the authors look at ways of fine-tuning the efficacy of malware, i.e. making it speedier and more lethal.

In recent years, malicious software (malware) has become one of the most insidious threats in computer security, having been used, in its various forms, with high level of success for a myriad of nefarious purposes. However, this is arguably not the result of increased sophistication in malware design or attack strategies, but rather of the increased presence of computers and computer networks within every aspect of society, offering an increased number of services through increasingly complex and vulnerability-ridden software.

In this paper, we address and defend the commonly shared point of view that the worst is very much yet to come. We introduce an aim-oriented performance theory for malware and malware attacks, within which we identify some of the performance criteria for measuring their “goodness” with respect to some of the typical objectives for which they are currently used. We also use the OODA-loop model, a well-known paradigm of command and control borrowed from military doctrine, as a tool for organising (and reasoning about) the behavioural characteristics of malware and orchestrated attacks using it. We then identify and discuss particular areas of malware design and deployment strategy in which very little development has been seen in the past, and that are likely sources of increased future malware threats. Finally, we discuss how standard optimisation techniques could be applied to malware design, in order to allow even moderately equipped malicious actors to quickly converge towards optimal malware attack strategies and tools fine-tuned for the current Internet.

Source: Optimising Malware, José M. Fernandez and Pierre-Marc Bureau.

Update 5 October: Update the paper link to a newer version, from Pierre-Marc.

September 30, 2006 in malware, papers | Permalink | Comments (0)

CCS 2006

Just a reminder that the early registration deadline for the 13th ACM Conference on Computer and Communications Security (CCS 2006) and many of the associated workshops, including the Workshop on Recurring Malcode (WORM) and the Workshop on Visualization for Computer Security (VizSEC), is September 30th. Please see the CCS website for details.

September 29, 2006 in events | Permalink | Comments (0)

Enabling Internet Worms And Malware Investigation And Defense Using Virtualization

While lengthy, it's good reading if you're wondering about large-scale studies of real malware in a controlled laboratory network setting.

Internet worms and malware remain a threat to the Internet, as demonstrated by a number of large-scale Internet worm outbreaks, such as the MSBlast worm in 2003 and the Sasser worm in 2004. Moreover, every new wave of outbreak reveals the rapid evolution of Internet worms and malware in terms of infection speed, virulence, and sophistication. Unfortunately, our capability to investigate and defend against Internet worms and malware has not seen the same pace of advancement.

In this dissertation, we present an integrated, virtualization-based framework for malware capture, investigation and defense. This integrated framework consists of a front-end and a back-end. The front-end is a virtualization-based honeyfarm architecture, called Collapsar, to attract and capture real-world malware instances from the Internet. Collapsar is the first honeyfarm that virtualizes full systems and enables centralized management of honeypots while preserving their distributed presence. The back-end is a virtual malware "playground," called vGround, to perform destruction-oriented experiments with captured malware or worms, which were previously expensive, inefficient, or even impossible to conduct.

On top of the integrated framework, we have developed a number of defense mechanisms from various perspectives. More specifically, based on the unique infection behavior of each worm we run in vGround, we define a behavioral footprinting model for worm profiling and identification, which complements the state-of-the-art content-based signature approach. We also develop a provenance-aware logging mechanism, called process coloring, that achieves higher efficiency and accuracy than existing systems in revealing malware break-ins and contaminations.

Source: Enabling Internet Worms And Malware Investigation And Defense Using Virtualization, a Ph.D. thesis by Xuxian Jiang.

September 29, 2006 in malware, papers, tools | Permalink | Comments (0)

Intelligent Worms: Searching for Preys

Another paper showing why, at least in theory, a worm that has some roadmap of its victims should be more efficient than one that blindly looks for them.

Internet worms have been a persistent security threat in recent years since the Morris worm arose in 1988. After the Code Red and Nimda worms were released into the Internet in 2001, the Slammer worm was unleashed with a 376-byte User Datagram Protocol (UDP) packet and infected at least 160,000 computers worldwide on January 25, 2003. Later, the Blaster and Witty worms flooded the Internet in 2003 and 2004, respectively. These active worms caused large parts of the Internet to be temporarily inaccessible, costing both public and private sectors millions of dollars. The frequency and virulence of active-worm outbreaks have been increasing dramatically in the last few years, presenting a significant threat to today's Internet. In this article, we review the prey-searching methods that worms use currently, and may potentially exploit in the future. While reviewing what has been used by worms is doable, predicting what worms may use seems to be prohibitive: There would be a million ways for active worms to attack the Internet. We show how mathematics has been playing an important role in providing both guidance and methodology in studying current and futuristic worm attacks. In particular, we outline how mathematical tools (e.g., epidemic model, statistics, machine learning, and game theory) can be applied in this area.

Source: Intelligent Worms: Searching for Preys, by Zesheng Chen and Chuanyi Ji.

September 28, 2006 in new trends, papers | Permalink | Comments (0)

Experiences With Internet Traffic Measurement and Analysis

Most of this worm data isn't new to regular readers of Wormblog. If you've seen much of Vern Paxson's work, or that of his colleagues at CAIDA, then you're familiar with much of the data. However, this slide deck puts the worm data together with Internet-scale measurement data of the normal Internet, not something you see often. A neat set of slides. From: Experiences With Internet Traffic Measurement and Analysis [PPT], a slide deck by Vern Paxson.

September 27, 2006 in modeling, slides | Permalink | Comments (0)

Experiences Using Minos as A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities

Time got away from me the past few days; better late than never. This is an interesting paper mixing host-level behaviors with detecting new worm activity.

We present a honeypot technique based on an emulated environment of the Minos architecture and describe our experiences and observations capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control flow is hijacked from the legitimate program, facilitating a detailed analysis of the exploit. Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full system Pentium emulator. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of "buffer overflow exploits" prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful towards understanding polymorphic techniques. This model can not only aim at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π); but also give them shape. This paper will quantify the polymorphism available to an attacker for γ and π, while so characterizing ε is left for future work.

Source: Experiences Using Minos as A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities, Jedidiah R. Crandall, S. Felix Wu, and Frederic T. Chong.

September 26, 2006 in detection, papers | Permalink | Comments (0)

A FastWorm Scan Detection Tool for VPN Congestion Avoidance

Speaking of DIMVA, here's a set of slides from last year's conference that describe a scanning worm detection system. While none of the foundations are new (detect scanning by looking for failed connection requests and unanswered packets), this is a real-world demonstration of its efficacy. Not surprisingly, P2P apps tend to give false positives. From a slide deck, A FastWorm Scan Detection Tool for VPN Congestion Avoidance, by Arno Wagner, Thomas Dubendorfer, Roman Hiestand, Christoph Goldi, and Bernhard Plattner, from DIMVA 2006.
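The failed-connection heuristic the slides rely on is easy to state but the details matter: how many failures, to how many distinct hosts, over what window, and what you do about P2P clients whose stale peer lists also produce floods of unanswered SYNs. The following is an added example (my own code, not the DIMVA tool or anything from the slides) that runs the heuristic over a small set of constructed flow records. The flow format, the thresholds, the sample hosts and the idea of tagging failures confined to a configured P2P port as "suspect-p2p" instead of "scanner" are all my assumptions.

```python
"""Scanning-worm detection over flow records (added example).

Heuristic: a source that, within a time window, fails to complete connections
to many distinct destinations, with failures dominating its traffic, is probably
scanning.  Flow format and all sample data are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    t: float      # seconds since start of the capture
    src: str
    dst: str
    proto: str
    dport: int
    ok: bool      # True = handshake completed / reply seen


def parse_flows(text):
    """Parse one constructed record per line: t src dst proto dport ok|fail."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, src, dst, proto, dport, outcome = line.split()
        flows.append(Flow(float(t), src, dst, proto, int(dport), outcome == "ok"))
    return flows


def _mk(src, n, t0, dt, proto, port, fails):
    """Build n flows from src to distinct hosts 10.0.1.1..n; first `fails` fail."""
    return [f"{t0 + i * dt} {src} 10.0.1.{i + 1} {proto} {port} "
            f"{'fail' if i < fails else 'ok'}" for i in range(n)]


# Constructed sample: a fast scanner, a P2P client with stale peers, an
# ordinary web client, and a slow scanner that stays under the window.
SAMPLE_FLOWS = "\n".join(
    _mk("10.0.0.5", 10, 0, 1, "tcp", 445, 9)      # 9 of 10 SYNs to 10 hosts fail in 10 s
    + _mk("10.0.0.9", 10, 0, 2, "tcp", 6881, 8)   # 8 of 10 peer connects fail, all port 6881
    + _mk("10.0.0.7", 5, 0, 5, "tcp", 80, 0)      # all connections succeed
    + _mk("10.0.0.3", 9, 0, 100, "tcp", 445, 9)   # one failure every 100 s
)


def detect_scanners(flows, window=60.0, min_failed_dsts=8, min_fail_ratio=0.8,
                    p2p_ports=frozenset({6881})):
    """Return {src: 'scanner' | 'suspect-p2p'} for sources that, in some
    `window`-second sliding window, failed to reach >= min_failed_dsts distinct
    hosts with a failure ratio >= min_fail_ratio.  Failures confined to known
    P2P ports are reported separately so an analyst can triage them."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    verdicts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.t)
        start = 0
        for end in range(len(fl)):
            while fl[end].t - fl[start].t > window:   # slide the window forward
                start += 1
            win = fl[start:end + 1]
            failed = [f for f in win if not f.ok]
            ratio = len(failed) / len(win)
            if len({f.dst for f in failed}) >= min_failed_dsts and ratio >= min_fail_ratio:
                ports = {f.dport for f in failed}
                verdicts[src] = "suspect-p2p" if ports <= p2p_ports else "scanner"
                break   # first triggering window is enough for an alert
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(detect_scanners(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src}: {verdict}")
```

With the defaults the fast scanner is flagged, the P2P client surfaces as "suspect-p2p" rather than a hard alert, the web client is untouched, and the slow scanner is missed entirely: widening `window` catches it, at the cost of more state per source, which is the usual trade-off in this kind of detector.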

September 23, 2006 in detection, tools | Permalink | Comments (0)

DIMVA 2007 - Call for Papers

It's that time of year again: time to look at your research and think about publishing it. DIMVA 2007 will be held in Lucerne, Switzerland, July 12-13, 2007.
The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year DIMVA brings together international experts from academia, industry and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group Security - Intrusion Detection and Response of the German Informatics Society (GI). The conference proceedings will appear in Springer's Lecture Notes in Computer Science (LNCS) series.

Dates:
February 9, 2007: Deadline for submission of full and short papers.
July 12-13, 2007: DIMVA conference.

You can see full details on the DIMVA 2007 website. For an idea of what they publish, have a look at the DIMVA 2006 program.

September 22, 2006 in events | Permalink | Comments (0)

Google Search API Worms

Worms that search Google to find new victims aren't new. Look at Santy from late 2004, which found vulnerable phpBB sites via Google queries. While web application worms and the idea of a worm that has some target preknowledge to spread are nothing new, the author here suggests that it may be simpler than previously thought. I'm still not convinced.

One of the main disadvantages of all AJAX applications is the lack of cross domain request capabilities. In simple words, a web object from one site cannot access another one from a different site. The reason for this security feature is hidden deeply inside every modern browser security sandbox which is responsible for keeping your personal information private and safe.

Unfortunately, with the rise of AJAX-enabled applications the need to break out of the security sandbox receives a lot of enthusiastic support among AJAX developers. Even Google, one of the biggest AJAX evangelists today, provides JavaScript APIs to allow developers to mashup their services with Google’s enormous capabilities. As a result Google unconsciously enables various types of worms to crawl and exploit the web.

...

Web worms can use Google’s infrastructure to propagate. If a malicious mind finds a vulnerability in WordPress for example and this vulnerability allows SQL Injection, a worm may be written to crawl blogs in search for this vulnerability and embed itself into everything that is vulnerable. Once a user visits an infected blog the worm starts another cycle.

Source: Google Search API Worms on the GNUCITIZEN website.

September 21, 2006 in malware, new trends, new worms | Permalink | Comments (1)

Simulation and Analysis on the Resiliency and Efficiency of Malnets

More work by the team from yesterday's paper, again on difficult-to-remove malware.

Future network intruders will probably use an organized army of malicious nodes (here called "malnodes", or collectively a "malnet") to deliver many different attacks, rather than recruiting a disorganized set of compromised nodes per attack. However, partly due to the lack of understanding of the resiliency and efficiency a malnet can have, countering malnets has been ineffective.

This paper begins to address this deficiency. Through calculation and simulation for three representative malnets (random, small-world, and Gnutella-like), we show that extremely resilient malnets can be formed to deliver attack code quickly. In particular, we show that disconnecting malnets is possible, but extremely naive approaches such as randomly disinfecting malnodes will not suffice, and effective defenses must either happen very quickly during a second-wave attack, or take effect prior to it.

Source: Simulation and analysis on the resiliency and efficiency of malnets, Jun Li, Toby Ehrenkranz, Geoff Kuenning, and Peter Reiher, in Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation PADS '05.
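The abstract's claim that random disinfection will not suffice is easy to check for yourself with a small takedown simulation. The following is an added example (my own code, not the authors' simulator) that models a malnet as an undirected graph, lets a defender clean a fraction of the nodes either blindly or by targeting the best-connected ones first, and measures the largest connected component left among the survivors, i.e. how many malnodes could still receive second-wave attack code. The generators are assumptions on my part: Erdős-Rényi for the paper's "random" malnet, and preferential attachment as a stand-in for the heavy-tailed degree distribution of a "Gnutella-like" one; the node counts, degrees and the 30% cleanup fraction are likewise constructed.

```python
"""Malnet takedown simulation (added example, not from the paper).

Disinfecting a malnode removes it from the graph; what matters to the
defender is whether the remaining malnodes are still connected to each other.
"""
import random
from collections import defaultdict, deque


def random_graph(n, avg_degree, rng):
    """Erdős-Rényi G(n, p), p chosen to give the requested mean degree."""
    p = avg_degree / (n - 1)
    adj = defaultdict(set)
    for u in range(n):
        adj[u]                     # make sure isolated nodes are present
        for v in range(u + 1, n):
            if rng.random() < p:
                adj[u].add(v); adj[v].add(u)
    return adj


def preferential_graph(n, m, rng):
    """Barabási-Albert: each new node links to m existing nodes chosen with
    probability proportional to degree, yielding a few high-degree hubs
    (assumed here to approximate a Gnutella-like overlay)."""
    adj = defaultdict(set)
    for u in range(m):             # seed clique of m nodes
        for v in range(u + 1, m):
            adj[u].add(v); adj[v].add(u)
    endpoints = [v for u in range(m) for v in adj[u]]   # degree-weighted pool
    for u in range(m, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(endpoints))
        for v in chosen:
            adj[u].add(v); adj[v].add(u)
            endpoints.extend([u, v])
    return adj


def build(kind, n=300, seed=1):
    """Constructed malnet of the given kind: 'random' or 'gnutella-like'."""
    rng = random.Random(seed)
    return random_graph(n, 6, rng) if kind == "random" else preferential_graph(n, 3, rng)


def largest_component_fraction(adj, removed):
    """Largest connected component among surviving nodes, as a fraction of
    survivors (1.0 = the remaining malnet is still fully connected)."""
    alive = [v for v in adj if v not in removed]
    if not alive:
        return 0.0
    seen, best = set(), 0
    for s in alive:
        if s in seen:
            continue
        queue, size = deque([s]), 0
        seen.add(s)
        while queue:                       # breadth-first search of one component
            v = queue.popleft(); size += 1
            for w in adj[v]:
                if w not in removed and w not in seen:
                    seen.add(w); queue.append(w)
        best = max(best, size)
    return best / len(alive)


def disinfect(adj, fraction, strategy, rng):
    """Choose which malnodes get cleaned: 'random' (blind) or 'degree'
    (best-connected first, as a defender with traffic data could do)."""
    k = int(len(adj) * fraction)
    nodes = list(adj)
    if strategy == "random":
        return set(rng.sample(nodes, k))
    nodes.sort(key=lambda v: len(adj[v]), reverse=True)
    return set(nodes[:k])


def compare(kind, fraction=0.3, seed=1):
    """Surviving largest-component fraction for both strategies on one malnet."""
    adj = build(kind, seed=seed)
    rng = random.Random(seed + 1)
    return {s: largest_component_fraction(adj, disinfect(adj, fraction, s, rng))
            for s in ("random", "degree")}


if __name__ == "__main__":
    for kind in ("random", "gnutella-like"):
        print(kind, {s: round(v, 3) for s, v in compare(kind).items()})
```

Run it and the random malnet stays almost fully connected after a blind 30% cleanup; the hub-heavy graph is the one where choosing targets by connectivity makes a visible difference. Both observations line up with the abstract's point that naive random disinfection is not enough and that the defender needs either speed or a better choice of where to act.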

September 20, 2006 in defense, modeling, papers | Permalink | Comments (0)