
Aim For Bot Coordination

A paper from this year's Virus Bulletin conference that explores IM-based botnet communication channels. While not too long (only 3 pages), it highlights some of the attractive features of AIM's protocol, OSCAR, that could be useful for bots.

In the last few years, there has been increasing interest within the virus-writing community in Internet Relay Chat (IRC) based malware, due to the power afforded by the IRC scripting language and the ease of coordinating infected machines from a chat-room type of structure. What has developed is a very modular, open-source sort of threat which is very rapidly adapted to include new functionality and new infection vectors. More recently, there has also been an increase in the number of threats spreading through Instant Messaging (IM) clients, particularly OSCAR-based clients like AOL Instant Messenger (AIM). IRC bots have begun using this functionality to spread, but there is more capability available within OSCAR than is currently being exploited.

As there has also been an increase in the number of bots using Command and Control (C&C) channels that utilize something other than IRC (primarily web-based currently), it stands to reason that there may be a possibility of virus-writers using OSCAR as a means of control. This paper looks to explore the capabilities of OSCAR for being used in C&C scenarios, and what steps could be taken to mitigate this proactively.

Source: Aim For Bot Coordination, Lysa Myers, from Virus Bulletin 2006.

October 28, 2006 in new trends, papers | Comments (1)

Software Decoys: Intrusion Detection and Countermeasures

Following VB, I got to thinking about some of my previous positions on AV and thought about just how hard a problem it is, at times. This paper sort of fits into that thinking: it is basically about discriminating malicious activity from normal activity, a closely related problem.

We introduce the notion of an intelligent software decoy, and provide both an architecture and event-based language for automatic implementation of them. Our decoys detect and respond to patterns of suspicious behavior, and maintain a repository of rules for behavior patterns and decoying actions. As an example, we construct a model of system behavior from an initial list of event types and their attributes in the interaction between computer worms and an operating system. The model represents patterns of suspicious or malicious events that the software decoy should detect, and specific actions to be taken in response. Our approach explicitly treats both standard and nonstandard invocations of components, with the latter representing an attempt to circumvent the public interface of the component.

Source: Software Decoys: Intrusion Detection and Countermeasures, James Bret Michael, Senior Member, IEEE, Mikhail Auguston, Neil C. Rowe, and Richard D. Riehle.

October 26, 2006 in detection, papers | Comments (0)

Global Intrusion Detection in the DOMINO Overlay System

To continue a theme from Monday about using a distributed sensor network, this is one of the premier papers in this arena. DOMINO and its applicability to the worm problem is well covered in this paper. In it, the authors describe how they efficiently detected major worm outbreaks.

Sharing data between widely distributed intrusion detection systems offers the possibility of significant improvements in speed and accuracy over isolated systems. In this paper, we describe and evaluate DOMINO (Distributed Overlay for Monitoring InterNet Outbreaks); an architecture for a distributed intrusion detection system that fosters collaboration among heterogeneous nodes organized as an overlay network. The overlay design enables DOMINO to be heterogeneous, scalable, and robust to attacks and failures. An important component of DOMINO's design is the use of active-sink nodes which respond to and measure connections to unused IP addresses. This enables efficient detection of attacks from spoofed IP sources, reduces false positives, enables attack classification and production of timely blacklists.

We evaluate the capabilities and performance of DOMINO using a large set of intrusion logs collected from over 1600 providers across the Internet. Our analysis demonstrates the significant marginal benefit obtained from distributed intrusion data sources coordinated through a system like DOMINO. We also evaluate how to configure DOMINO in order to maximize performance gains from the perspectives of blacklist length, blacklist freshness and IP proximity. We perform a retrospective analysis on the 2002 SQL-Snake and 2003 SQL-Slammer epidemics that highlights how information exchange through DOMINO would have reduced the reaction time and false-alarm rates during outbreaks. Finally, we provide preliminary results from our prototype active-sink deployment that illustrates the limited variability in the sink traffic and the feasibility of efficient classification and discrimination of attack types.

Source: Global Intrusion Detection in the DOMINO Overlay System, Vinod Yegneswaran, Paul Barford, Somesh Jha.
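The active-sink correlation the abstract describes, as an added example written for this page (it is not DOMINO's code): a few constructed sink log lines from several sensors, the blacklist a single sensor can build on its own, and the blacklist the overlay can build by counting how many distinct sensors saw a source within a freshness window. The log format, sensor names, thresholds and the ten-minute window are all assumptions.

```python
"""Added example: correlating active-sink hits across sensors.

Written for this page; it is not DOMINO's code. The log format, the sensor
names, the thresholds and the freshness window are assumptions, and the log
lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One line per connection attempt that a sensor's active sink (an otherwise
# unused address that answers and records the attempt) observed. Constructed.
LOG_LINES = """
2003-01-25T05:30:01Z sensor=isp-a src=203.0.113.7 dport=1434
2003-01-25T05:30:04Z sensor=isp-b src=203.0.113.7 dport=1434
2003-01-25T05:30:09Z sensor=isp-c src=203.0.113.7 dport=1434
2003-01-25T05:30:10Z sensor=isp-a src=198.51.100.9 dport=1434
2003-01-25T05:30:12Z sensor=isp-a src=198.51.100.9 dport=1434
2003-01-25T05:30:15Z sensor=isp-a src=198.51.100.9 dport=1434
2003-01-25T05:31:00Z sensor=isp-d src=203.0.113.7 dport=1434
2003-01-25T03:00:00Z sensor=isp-b src=192.0.2.44 dport=445
2003-01-25T05:32:00Z sensor=isp-c src=192.0.2.44 dport=445
""".strip().splitlines()

# The moment the blacklist is computed (assumed).
NOW = datetime(2003, 1, 25, 5, 32, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sensor=(?P<sensor>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Parse one sink log line into a dict; reject lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable sink log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "sensor": m["sensor"], "src": m["src"], "dport": int(m["dport"])}


def parse_log(lines):
    return [parse_line(line) for line in lines if line.strip()]


def local_blacklist(events, sensor, min_hits=3):
    """What one isolated sensor can conclude: sources that hit its sink often enough."""
    hits = defaultdict(int)
    for e in events:
        if e["sensor"] == sensor:
            hits[e["src"]] += 1
    return {src for src, n in hits.items() if n >= min_hits}


def global_blacklist(events, now=NOW, window=timedelta(minutes=10), min_sensors=3):
    """What the overlay can conclude: sources seen by enough distinct sensors
    within the freshness window. Stale reports are dropped so the list does not
    grow without bound. Returns {src: number_of_sensors}."""
    cutoff = now - window
    sensors_by_src = defaultdict(set)
    for e in events:
        if cutoff <= e["ts"] <= now:
            sensors_by_src[e["src"]].add(e["sensor"])
    return {src: len(sensors) for src, sensors in sensors_by_src.items()
            if len(sensors) >= min_sensors}


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for sensor in ("isp-a", "isp-b", "isp-c", "isp-d"):
        print(f"{sensor} alone blacklists: {sorted(local_blacklist(events, sensor))}")
    print(f"overlay blacklists: {global_blacklist(events)}")
```

The source that sends a single probe into each of four networks never reaches any one sensor's threshold, so every isolated sensor stays silent, while the overlay lists it after four reports; that is the marginal benefit the abstract measures. The source whose earlier report is two hours old is not listed, which is the freshness trade-off: a shorter window keeps the blacklist small and current at the cost of forgetting slow scanners.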

October 25, 2006 in detection, papers | Comments (0)

IM Worms in 2006

I've written about IM worms in the past, and even went so far as to write a paper for work (internal-only distribution, sorry about that) where I went on to state that 2006 was shaping up to be the year of the IM worm. 2005 saw a flurry of IM worm families, and a lot more bots were including IM capabilities. The methods remained the same, namely link spamming.

And yet we haven't seen an explosion of IM worms. I don't know why, to be honest with you; all of the evidence suggested that attackers were picking that up dramatically. This discounts the Rbot/SpyBot/etc. families that use an AIM or MSN Messenger vector (in addition to their other vectors) to propagate; I'm focusing specifically on IM-specific worms. Why wasn't 2006 the year of the IM worm? We saw some, but it didn't become a huge problem, and we didn't hear about massive network outages due to IM worms like we did in 2005.

This is all prompted by The IM worms armada, posted on the Kaspersky AV weblog:

We've noticed an increase in the prevalence of Y!/MSN-aware worms. These rely on various social engineering tricks to lure the user into a malicious website.

We saw some reaction from the MSN Messenger network operators when they began blocking .pif links, which helped slow down some of the common links being spammed. The block had a problem (the check was case-sensitive), but it shows that they're trying to deal with the problem. Could this have cut down on the flurry of IM worms in '06?
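As an added illustration of the case-sensitivity weakness mentioned above (example code written for this page, not the Messenger network's filter), here is a naive suffix check beside a check that normalises the link first. The blocked-extension list, the sample messages and the `example.invalid` host are constructed for the example.

```python
"""Added example: screening IM messages for links to executable files.

Constructed for this page; it is not the MSN Messenger network's filter.
The blocked-extension list and the sample messages below are assumptions."""
import re
from urllib.parse import urlparse, unquote

# Assumed list of extensions that IM worms of the period spammed as links.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat"}

# Matches http(s) URLs and bare "www." links as pasted into chat messages.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def naive_block(message: str) -> bool:
    """Case-sensitive suffix check: the weakness the post describes.

    'photo.PIF' and 'photo.pif?id=7' are not caught."""
    return any(token.endswith(".pif") for token in message.split())


def link_extension(url: str) -> str:
    """Return the lower-cased extension of the URL's path, or '' if none."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url                      # bare www. links
    path = unquote(urlparse(url).path).lower()     # drops ?query and #fragment
    path = path.rstrip(".,;:!?)")                  # punctuation trailing a pasted link
    last_segment = path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return last_segment[last_segment.rfind("."):]


def hardened_block(message: str) -> bool:
    """Case-insensitive check on the decoded path of every link in the message."""
    return any(link_extension(m.group(0)) in BLOCKED_EXTENSIONS
               for m in URL_RE.finditer(message))


# Constructed sample messages (example.invalid is a reserved, non-routable name).
SAMPLE_MESSAGES = [
    "check out my pics http://example.invalid/pics/photo.pif",
    "lol look http://example.invalid/pics/Photo.PIF",
    "hey http://example.invalid/pics/photo.pif?id=7",
    "new album http://example.invalid/gallery.html",
    "www.example.invalid/party.scr",
    "http://example.invalid/holiday%2Epif",
]


def screen(messages):
    """Return (naive_hits, hardened_hits): the sample messages each filter blocks."""
    naive = [m for m in messages if naive_block(m)]
    hardened = [m for m in messages if hardened_block(m)]
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = screen(SAMPLE_MESSAGES)
    print(f"naive filter blocked {len(naive)} of {len(SAMPLE_MESSAGES)} messages")
    print(f"hardened filter blocked {len(hardened)} of {len(SAMPLE_MESSAGES)} messages")
```

The design point is to compare against a canonical form (decoded, lower-cased path without query string or fragment) rather than against the raw text, since every variation the naive check misses is an ordinary way of writing the same link, not a different file.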

October 24, 2006 in IM worms | Comments (3)

SIS Analysis Toolkit

A departure from the normal, boring academic stuff, and on to something I've never featured here before (I think): mobile phone malware. The SIS Analysis Toolkit, according to the website, "consists of a base Perl module, SisDump, and a number of perl scripts and utilities useful for analyzing malware." I have to admit I've never looked at mobile phone malware. Surprisingly, it seems to have been a growth niche in the past couple of years: from the early days of things like Caribe to more recent SIS malware like Mabir and more, mobile phone malware has been evolving. Most of it seems to target the Symbian60 platform, which is popular with Nokia phones and is a rich mobile computing environment.

I haven't played with these tools (I don't own a Symbian60 phone), but if you're curious about exploring your phone or any of the malware that may be on it, this looks like the right place to start.

October 24, 2006 in new trends, tools | Comments (2)

Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation

While I'm back from VB, I've also been very busy with work, so posts here slipped a bit.

The COVERAGE algorithm outlined here seems like a decent first step at solving a very knotty problem. This is worth reading if you've given thought to a cooperative IDS system, or even if you just want to look at a specific subset of data correlation across multiple devices.

Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently.

In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.

Source: Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation, K. Anagnostakis, S. Ioannidis, A. D. Keromytis, and M. B. Greenwald.

October 23, 2006 in detection, papers | Comments (1)

HotBots '07 Call for Papers

The call for papers for the First Workshop on Hot Topics in Understanding Botnets (HotBots '07) has been posted on the USENIX website. Topics solicited for short papers include:

  • Architecture: Types of botnet topologies, Command & Control, infection vectors, resource sharing across bots and networks, stealthy botnets.
  • Detection: Passive or active approaches to detecting participating hosts, C&C communication or botnet activities.
  • Measurements: Numbers of botnets and bots, trends over time, geographic distribution, time of life and attrition, identification of parties behind botnet activity.
  • Case studies: Experiences with particular botnet cases.
  • Mitigation: How to protect against botnets and DDoS, spam, identity theft, etc., originating from them.
  • Motivation: Economic value of botnets, purpose and use of botnets, targeted or special-interest botnets.
  • Legal: What forms of mitigation are permissible, what the policy and legal problems in honeynet operation are, interactions with botnet participants, data collection, and traceback. Policy analysis should be focused toward the practical implementation of botnet monitoring and response systems.

October 18, 2006 in events | Comments (0)

An epidemiological model of virus spread and cleanup

Quite a good, focused paper on the outbreak of malware.

Signature based anti-virus technologies are widely used to fight computer viruses. It is difficult to evaluate such systems because they work in the wild and few companies would be willing to turn them off to be part of a control group! This paper presents a new model of these technologies that can be used to predict and evaluate their effectiveness. The paper will demonstrate how the model can be used to understand the overall system dynamics, calculate expected costs of outbreaks, give insight into the relative importance of parts of the system and suggest ways to improve the technology. It is also used to evaluate new approaches to fighting viruses.

Source: An epidemiological model of virus spread and cleanup, Williamson, Matthew M.; Léveillé, Jasmin.
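As an added illustration of the kind of model the abstract describes (a toy written for this page, not the paper's model), here is a discrete-time susceptible/infected/recovered simulation in which signature-based cleanup and protection only start once the signature is released at step t_sig, and the outbreak's cost is the accumulated infected-host-steps. The dynamics and every parameter value are assumptions.

```python
"""Added example: a toy epidemiological model of worm spread and signature-based
cleanup. It is not the model from the Williamson/Léveillé paper; the dynamics
and every parameter value are assumptions chosen for illustration."""


def simulate(n_hosts=10_000, initial_infected=10, beta=0.5, gamma=0.3,
             t_sig=12, steps=96, cost_per_infected_step=1.0):
    """Mean-field SIR-style simulation, one step per hour.

    beta   : contacts per infected host per step that reach another host
    gamma  : fraction of hosts per step that, once a signature exists, receive
             the update: infected ones are cleaned, susceptible ones are protected
    t_sig  : step at which the anti-virus signature is released
    Returns peak and final infected counts, the accumulated cost, and the series.
    """
    s = float(n_hosts - initial_infected)   # susceptible (no signature, not infected)
    i = float(initial_infected)             # infected
    r = 0.0                                 # cleaned or protected by the signature
    series, cost = [], 0.0
    for t in range(steps):
        # Spread: infected hosts contact random hosts; only susceptible ones catch it.
        new_infections = min(s, beta * i * s / n_hosts)
        s -= new_infections
        i += new_infections
        # Cleanup: nothing happens until the signature exists.
        if t >= t_sig:
            cleaned = gamma * i
            protected = gamma * s
            i -= cleaned
            s -= protected
            r += cleaned + protected
        cost += i * cost_per_infected_step   # infected-host-steps
        series.append(i)
    return {
        "peak_infected": max(series),
        "final_infected": i,
        "susceptible": s,
        "recovered": r,
        "cost": cost,
        "series": series,
    }


def cost_by_signature_delay(delays=(3, 6, 12, 24, 48), **params):
    """Expected outbreak cost for each signature release time, other parameters fixed."""
    return {d: simulate(t_sig=d, **params)["cost"] for d in delays}


if __name__ == "__main__":
    for delay, cost in cost_by_signature_delay().items():
        print(f"signature at step {delay:>2}: cost {cost:>12.0f} infected-host-steps")
```

Running it shows the point the abstract makes about relative importance of the parts of the system: with these parameters the cost is dominated by how long the worm spreads unopposed, so shortening the signature delay matters far more than raising the update rate once the epidemic has already crested.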

October 14, 2006 in modeling, papers | Comments (0)

Worms: Taxonomy and Detection

More slides ... fitting, given that I'm at VBCon.

I like this slide deck, Worms: Taxonomy and Detection by Mark Shaneck (PPT, 2004), because it's a clean, well organized summary of the problem space. It also introduces you to the Kalman Filter and Hidden Markov Models in detecting worms, not something you see very often.

Happy Friday the 13th, by the way.

October 13, 2006 in detection, slides | Comments (0)

Worms of the future: Trying to exorcise the worst

Another "worst case" scenario, but this one has seen a few of its predictions (i.e. messing with debuggers) come true in the botnet world.

According to [Wikipedia], a worm could be defined as: a self-replicating computer program that does not need to be part of another program to propagate itself. This document is an attempt at predicting the worst possible future of worms, given the current computer science possibilities.

Up to now, we've seen many different kinds of worms, each new generation improving on the previous one. The fact is that all such threats, for now, have suffered from a few vulnerabilities that prevented them (much to our relief) from functioning to their full potential. Some have achieved their result to a greater extent than others, but none of them seem to have realised the greatest fear: wreaking havoc on the Internet and on Information Systems on a global scale (although some have come close).

This document tries to look at these present vulnerabilities from a security point of view (that is, by considering the Confidentiality, Integrity and Availability of worms) and in the next chapter, how to maintain these security requirements throughout the life-span of the worm, that is to say, as long as possible.

Following this, the document then attempts to provide hints on solutions that could be used in defense against new threats.

As it has been pointed out to me, other similar papers exist, one of them being [Warhol]. Surely nice complementary reading to this paper.

Source: Worms of the future: Trying to exorcise the worst, by Nicolas Stampf.

October 12, 2006 in new trends, new worms, papers | Comments (2)