Simulation and Analysis on the Resiliency and Efficiency of Malnets
More work by the team from yesterday's paper, again on difficult-to-remove malware.
Future network intruders will probably use an organized army of malicious nodes (here called "malnodes", or collectively a "malnet") to deliver many different attacks, rather than recruiting a disorganized set of compromised nodes per attack. However, partly due to the lack of understanding of the resiliency and efficiency a malnet can have, countering malnets has been ineffective. This paper begins to address this deficiency. Through calculation and simulation for three representative malnets (random, small-world, and Gnutella-like) we show that extremely resilient malnets can be formed to deliver attack code quickly. In particular, we show that disconnecting malnets is possible, but extremely naive approaches such as randomly disinfecting malnodes will not suffice, and effective defenses must either happen very quickly during a second-wave attack, or take effect prior to it.
Source: Simulation and analysis on the resiliency and efficiency of malnets, Jun Li, Toby Ehrenkranz, Geoff Kuenning, and Peter Reiher, in Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation PADS '05.
Midgard Worms: Sudden Nasty Surprises from a Large Resilient Zombie Army
Almost another "worst-case worm scenario", but unlike most people who propose self-defending worms, these folks actually do some design and analysis of how such a worm might work.
Future network intruders will probably use a zombie army to deliver many different attacks, rather than recruiting a new army per attack. We describe a Midgard Worm, which can build an extremely resilient and scalable overlay network to deliver attack code quickly. The worm's master could disseminate a 1-megabyte exploit or upgrade to a million zombies from any zombie in less than six minutes. Even if 80% of the zombies were disinfected, 70% of the remainder would remain connected and ready to receive new exploits. We discuss the basic design principles behind such a worm and methods of combating this kind of attack.
Source: Midgard Worms: Sudden Nasty Surprises from a Large Resilient Zombie Army, by Peter Reiher, Jun Li, and Geoff Kuenning.
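Both abstracts above make the same point from the defender's side: randomly disinfecting a fraction of the nodes leaves most of the survivors still connected, so a cleanup campaign has to be fast or near-complete. The simulation below is an added example written for this post, not code from either paper. It builds a constructed random overlay (a ring plus random chords, so the intact graph is connected), removes a random fraction of nodes, and reports what fraction of the remaining nodes still sit in one connected piece. The topology, node count and mean degree are assumptions for illustration, not the papers' parameters.

```python
import random
from collections import deque


def build_random_overlay(n, mean_degree, seed=0):
    """Constructed overlay: a ring (so the intact graph is connected) plus
    random chords until the average degree is roughly `mean_degree`."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        j = (i + 1) % n
        adj[i].add(j)
        adj[j].add(i)
    chords = max(0, mean_degree - 2) * n // 2
    while chords > 0:
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b and b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            chords -= 1
    return adj


def largest_component_fraction(adj, alive):
    """Size of the largest connected component among `alive` nodes as a
    fraction of len(alive); 0.0 when nothing is alive."""
    if not alive:
        return 0.0
    seen = set()
    best = 0
    for start in alive:
        if start in seen:
            continue
        size = 0
        queue = deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            size += 1
            for u in adj[v]:
                if u in alive and u not in seen:
                    seen.add(u)
                    queue.append(u)
        best = max(best, size)
    return best / len(alive)


def surviving_connectivity(adj, fraction_disinfected, seed=0):
    """Remove a uniformly random fraction of nodes (random disinfection) and
    report the fraction of survivors that remain in one connected piece,
    i.e. that could still be reached by a second-wave update."""
    nodes = list(adj)
    rng = random.Random(seed)
    k = round(fraction_disinfected * len(nodes))
    alive = set(nodes) - set(rng.sample(nodes, k))
    return largest_component_fraction(adj, alive)


def sweep(n=2000, mean_degree=6, fractions=(0.0, 0.5, 0.8, 0.9, 0.95)):
    """Connectivity of the survivors for several disinfection fractions
    on one constructed overlay."""
    adj = build_random_overlay(n, mean_degree)
    return {f: round(surviving_connectivity(adj, f), 3) for f in fractions}


if __name__ == "__main__":
    # Higher mean degree means far more survivors stay connected at the
    # same disinfection fraction; this is the resiliency the papers describe.
    for deg in (6, 20):
        print(f"mean degree {deg}: {sweep(mean_degree=deg)}")
```

Running the sweep for two degrees shows the shape of the problem: at a low mean degree, removing 80% of nodes fragments most of what is left, while a denser overlay keeps nearly all survivors connected at the same removal fraction. The defensive lesson matches the abstracts: uniform random cleanup must reach a very high fraction before the residual network stops being usable, so targeted or early intervention is what actually disconnects it.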
Review and Analysis of Synthetic Diversity for Breaking Monocultures
This is a pretty large (40 slides, lots of text) slide deck given at WORM04 about software defense mechanisms. Remember, many people think that a large monoculture (i.e. a Microsoft-dominated world) is responsible for the high number of malware outbreaks that we see every year. This paper goes over some of the techniques and how they contribute to security.
Source: Review and Analysis of Synthetic Diversity for Breaking Monocultures, by James E. Just, Mark W. Cornwell, from a slide deck given at WORM-04.
You can see their paper, too.
The increasing monoculture in operating systems and key applications and the enormous expense of N-version programming for custom applications mean that lack of diversity is a fundamental barrier to achieving survivability even for high value systems that can afford hot spares. This monoculture makes flash worms possible. Our analysis of vulnerabilities and exploits identifies key assumptions required to develop successful attacks. We review the literature on synthetic diversity techniques, focusing primarily on those that can be implemented at the executable code level, since this is where we believe there is the most potential to reduce the common mode failure problem in COTS applications. Finally we propose a functional architecture for synthetic diversity at the executable code level that reduces the common mode failure problem in COTS applications by several orders of magnitude.
Source: Review and Analysis of Synthetic Diversity for Breaking Monocultures, by James E. Just, Mark W. Cornwell.
Some Anti-Worm Efforts at Microsoft
A brief slide deck from Helen Wang at Microsoft describing what were then (this is from WORM04) upcoming measures designed to put a dent in the worm's future. It's been a couple of years and I think that what the folks at Microsoft have done (XP SP2's firewall, non-executable stack, etc.) has been partly responsible for the dent in worm outbreak frequency over the past couple of years.
Source: Some Anti-Worm Efforts at Microsoft, from a talk given by Helen J. Wang at WORM04.
Automatically deducing propagation sequences that circumvent a collaborative worm defense
A very short paper (only 6 pages), but this one is worm defense flipped on its ear: the worm defends its propagation strategy. Kind of neat.
We present an approach to the question of evaluating worm defenses against future, yet unseen, and possibly defense-aware worm behavior. Our scheme employs model checking to produce worm propagation sequences that defeat a worm defense of interest. We demonstrate this approach using an exemplar collaborative worm defense, in which LANs share alerts about encountered infections. Through model checking experiments, we then generate propagation sequences that are able to infect the whole population in the modeled network. We discuss these experimental results and also identify open problems in applying formal methods more generally in the context of worm quarantine research.
Source: Automatically deducing propagation sequences that circumvent a collaborative worm defense. Linda Briesemeister and Phillip A. Porras. In Proceedings of the 25th International Performance Computing and Communications Conference (Workshop on Malware), pages 587-592, April 2006.
Formally Specifying Design Goals of Worm Defense Strategies
A formal paper, but this is one of a small set of interesting works I'll post this week. While this is a short work (it's an extended abstract), it provides a nice framework to think about worm defense measures.
There are many key challenges to developing the apparatus and methodologies necessary to evaluate the emerging suite of approaches to large-scale worm defense. Within the DETER/EMIST initiative, challenges that have arisen during the development of our experimental framework include the need to support experiment repeatability, greater scalability in network topology, and greater realism in traffic dynamics. Among these key challenges, we also seek to expand the rigor with which we model the protection claims of the worm defense algorithm, particularly as we design tests that we hope can fully stress and evaluate the protection claims of the algorithm of interest.
Source: Formally specifying design goals of worm defense strategies. Linda Briesemeister and Phillip A. Porras. Proceedings of DETER Community Workshop on Cyber Security Experimentation and Test, June 2006.
To date, most of the work in understanding the behavior of malicious code propagation and defense has centered exclusively on understanding the effects of a proposed malware countermeasure on the global infection growth rate given a specific modeled network and malicious code scenario. In this study we consider how to more rigorously express design goals regarding the local impact of a defensive algorithm from the perspective of those who participate in the defense. We contrast this perspective of local benefit from what we view as the current tradition of evaluating worm defense performance based on assessing growth rate impact on an abstracted topology of global population.
A Multi-Resolution Approach for Worm Detection and Containment
An interesting paper. I worry it's more complicated than it needs to be, though.
Despite the proliferation of detection and containment techniques in the worm defense literature, simple threshold-based methods remain the most widely deployed and most popular approach among practitioners. This popularity arises out of the simplistic appeal, ease of use, and independence from attack-specific properties such as scanning strategies and signatures. However, such approaches have known limitations: they either fail to detect low-rate attacks or incur very high false positive rates. We propose a multi-resolution approach to enhance the power of threshold-based detection and rate-limiting techniques. Using such an approach we can not only detect fast attacks with low latency, but also discover low-rate attacks – several orders of magnitude less aggressive than today's fast propagating attacks – with low false positive rates. We also outline a multi-resolution rate limiting mechanism for throttling the number of new connections a host can make, to contain the spread of worms. Our trace analysis and simulation experiments demonstrate the benefits of a multi-resolution approach for worm defense.
Source: A Multi-Resolution Approach for Worm Detection and Containment, Vyas Sekar, Yinglian Xie, Michael K. Reiter, Hui Zhang.
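To make the multi-resolution idea concrete, here is an added example written for this post (it is not the paper's code and does not reproduce its parameters). The same per-second count of new outbound connections from one host is averaged over several window lengths, and each window has its own rate threshold: a short window with a high threshold catches a burst within a second or two, while a long window with a threshold only slightly above the baseline catches a sustained low-rate scan that no single-second threshold would ever see. The trace, window lengths and thresholds are constructed for illustration.

```python
def make_sample_trace(length=400):
    """Constructed per-second counts of new outbound connections for one host:
    a low periodic baseline (average 2 conn/s), a 3-second burst of 50 conn/s
    starting at t=50, and a sustained 5 conn/s phase from t=200 onward."""
    counts = []
    for t in range(length):
        c = [1, 2, 3, 2][t % 4]        # baseline: periodic, average 2 conn/s
        if 50 <= t <= 52:
            c = 50                     # fast attack: short, very aggressive
        if t >= 200:
            c = 5                      # slow attack: barely above baseline
        counts.append(c)
    return counts


def multi_resolution_detect(counts, thresholds):
    """Sliding-window threshold detector at several resolutions.

    `thresholds` maps a window length in seconds to the average conn/s that
    raises an alarm for that window. Returns {window: first second at which
    the window's average reached its threshold, or None if it never did}.
    A window only reports once it is full, so a long window cannot fire on
    a partial, unrepresentative sample.
    """
    sums = {w: 0 for w in thresholds}
    first_alarm = {w: None for w in thresholds}
    for t, c in enumerate(counts):
        for w, limit in thresholds.items():
            sums[w] += c
            if t >= w:
                sums[w] -= counts[t - w]    # drop the sample that left the window
            if t + 1 >= w and first_alarm[w] is None and sums[w] / w >= limit:
                first_alarm[w] = t
    return first_alarm


# Assumed thresholds: the longer the window, the closer the limit sits to the
# baseline, because averaging over a long window already suppresses noise.
THRESHOLDS = {1: 30, 10: 10, 100: 4}

if __name__ == "__main__":
    trace = make_sample_trace()
    print("multi-resolution:", multi_resolution_detect(trace, THRESHOLDS))
    print("single 1s threshold:", multi_resolution_detect(trace, {1: 30}))
```

On this trace the 1-second window fires at t=50 (the first burst second) and the 10-second window at t=51, while only the 100-second window ever notices the 5 conn/s phase, at t=266, about a minute after it begins. A single 1-second threshold of 30 catches the burst and nothing else; lowering it far enough to catch 5 conn/s would fire on the baseline's own peaks of 3, which is exactly the false-positive trade-off the abstract describes. The same windowed averages can drive a rate limiter by deferring new connections once a window's average exceeds its limit.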
Instant Messaging Worms, Analysis and Countermeasures
IM worms are an interesting beast. They have both built-in speedups for propagation via a buddy list, and a great control mechanism in the message routers for each network. We haven't seen the end of them, but they seem to be dominated by bots using link-spamming techniques to propagate. This paper, from WORM05, proposes throttling (which works) and CAPTCHA mechanisms to give a challenge-response mechanism for possibly malicious content. As I recall, the latter wasn't well received by the audience at WORM05, who felt that if you suspected content was dangerous, why not just block it?
We provide a collection of minor results on the area of Instant Messaging (IM) worms, which has received relatively little attention in the formal literature. We review selected IM worms and summarize their main characteristics, motivating a brief overview of the network formed by IM contact lists, and a discussion of theoretical consequences of worms in such networks. Existing methods to restrict an IM worm epidemic are analyzed in terms of usability and effectiveness, leading to the suggestion of two minor variations to limit IM worm propagation. We believe these variations are more user-friendly and effective than existing published methods. We also provide brief results of a three and a half year user study of IM text messaging and file transfer frequency in a moderate-size public IM network – the largest such study to date – which is of independent interest, but also supports in part the preceding claim regarding user-friendliness.
Source: Instant Messaging Worms, Analysis and Countermeasures, M. Mannan, P.C. van Oorschot. WORM 2005 (ACM Workshop on Rapid Malcode).
Updated Microsoft Malicious Software Removal Tool (March, 2006)
Microsoft has updated their malware removal tool. This is a tool that runs at Windows Update time and can also be downloaded and run on-demand. It is not a continual defense, unlike most AV products. Updates for March, 2006, include:
Source: Malicious Software Removal Tool, updated March 14, 2006.
A Self-Learning Worm Using Importance Scanning
Another "smart worm" design paper. I don't think I see many of these sorts of things in the wild, but they're always fun to dream up and try to defend against.
The use of side information by an attacker can help a worm speed up the propagation. This philosophy has been the basis for advanced worm scanning mechanisms such as hitlist scanning, routable scanning, and importance scanning. Some of these scanning methods use information on vulnerable hosts. Such information, however, may not be easy to collect before a worm is released. Questions then arise whether and how a worm can self-learn and use such information while propagating, and how virulent the resulting worm may be. In this paper, we design a self-learning worm using importance scanning. An optimal yet practical importance-scanning strategy is derived based on a new metric. A self-learning worm is demonstrated to have the ability to accurately estimate the underlying vulnerable-host distribution if a sufficient number of infected hosts are observed. Experimental results based on parameters chosen from Code Red show that after accurately estimating the distribution of vulnerable hosts, a self-learning worm can spread much faster than a random-scanning worm, a permutation-scanning worm, and a Class A routing worm. Some guidelines for detecting and defending against such self-learning worms are also discussed.
Source: A Self-Learning Worm Using Importance Scanning, Zesheng Chen, Chuanyi Ji.