A Study of Massmailing Worms

Mass-mailer worms get the short end of the stick here on Wormblog. They're usually derivatives of each other, at this point, and while they can disrupt an enterprise's e-mail infrastructure, they don't usually display much novelty. Detection is also pretty easy. So, a paper like this is nice to see.

Mass-mailing worms have made a significant impact on the Internet. These worms consume valuable network resources and can also be used as a vehicle for DDoS attacks. In this paper, we analyze network traffic traces collected from a college campus and present an in-depth study on the effects of two mass-mailing worms, SoBig and MyDoom, on outgoing traffic. Rather than proposing a defense strategy, we focus on studying the fundamental behavior and characteristics of these worms. This analysis lends insight into the possibilities and challenges of automatically detecting, suppressing and stopping mass-mailing worm propagation in an enterprise network environment.

Source: A Study of Massmailing Worms, Cynthia Wong, Stan Bielski, Jonathan M. McCune, Chenxi Wang, from WORM04.

September 12, 2006 in mass mailers, papers | Permalink | Comments (2)

Watershed in malicious code evolution

Another link from my good friend Kamal. Another link that has been sitting in my inbox for too long ...

I think we'd all agree that the types of threats we're seeing now are changing radically. If we look at the past few years of malware, we see a change in the nature of the threat. One of the things I've noticed is that malware authors seem to be hitting a brick wall in attempting to exploit systems the old-fashioned way (i.e., a buffer overflow) and instead are back to the weakest link: people. Social engineering tricks, such as those used by IM-based malware, and password-guessing techniques seem to be popular with some people. Just as popular as ever are mass mailers. But even more popular than ever are client-side exploits that launch a download of some malware to bootstrap itself onto a victim machine. This piece from VirusList is a good set of numbers to infer what's going on and where things are headed.

Accordingly, there has been a watershed in how Kaspersky Lab classifies malware. A professional malware market started to emerge at the very end of 2003, gained ground during 2004, and was well established by the beginning of 2005. Therefore, 2004 could be called the year in which the Internet became comprehensively criminal. Data based on Kaspersky Virus Lab statistics clearly demonstrates this trend. Some of this data is used in the discussion of the malware classifications used by Kaspersky virus analysts which follows.
Source: Watershed in malicious code evolution, from VirusList.

August 26, 2006 in malware, mass mailers, new trends | Permalink | Comments (2)

Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network

Given all of the recent mass-mailer worm activity, it makes sense to put a paper on dealing with them here.

Malicious mass-mailing activity on the Internet is a serious and continuing threat that includes mass-mailing worms, spam, and phishing. A mechanism commonly used to deliver such malicious mass mail is an SMTP-engine, which turns an infected system into a malicious mail server. We present a technique that enables, in certain network environments, detection and containment of (even zero-day) SMTP-engine based mass-mailing activity within a single mailing attempt. Contrary to other mass-mailing detection techniques our approach is content independent and requires no attachment processing, statistical measures, or system behavioral analysis. It relies strictly on the observation of DNS MX queries within the enterprise network. Our approach can be used as an alternative to port 25 blocking and in conjunction with current proposals to address mass-mailing abuses (e.g. SPF, DomainKeys). Our analysis on network traces from a medium sized university network indicates that MX query activity from client systems is a viable SMTP-engine detection method with a very low false positive rate. Our detection and containment approach has been successfully tested with a prototype using a live mass-mailing worm in an isolated test network.

Source: Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network, David Whyte, P.C. van Oorschot, Evangelos Kranakis.
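The idea in the abstract is simple enough to show in a few lines: an infected host running its own SMTP engine has to resolve an MX record for every recipient domain before it can deliver directly, while an ordinary desktop hands mail to the organisation's relay and never asks for MX records. The following is an added example, not the authors' prototype; the resolver log format, the addresses and the list of authorised mail servers are all constructed for it.

```python
"""Flag enterprise clients that issue DNS MX queries.

Added example illustrating the MX-query observation from the paper. An SMTP
engine on an infected client must look up MX records for each recipient
domain; normal clients never do. The log format, addresses and authorised
relay list below are constructed for this example, not taken from the paper.
"""
import re
from collections import defaultdict

# Constructed resolver query log: timestamp client_ip query_name query_type.
SAMPLE_LOG = """\
2006-02-09T10:00:01 192.168.1.10 www.example.com A
2006-02-09T10:00:02 192.168.1.25 example.net MX
2006-02-09T10:00:02 192.168.1.25 example.org MX
2006-02-09T10:00:03 192.168.1.25 mail.example.com A
2006-02-09T10:00:03 192.168.1.40 example.org MX
2006-02-09T10:00:04 10.0.0.5 example.com MX
2006-02-09T10:00:05 192.168.1.10 smtp.example.com A
2006-02-09T10:00:06 192.168.1.25 example.info MX
"""

# The enterprise's own mail relays are the only hosts expected to query MX.
# Assumed value for the example.
AUTHORISED_MAIL_SERVERS = {"10.0.0.5"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def mx_queries_by_client(text, authorised=AUTHORISED_MAIL_SERVERS):
    """Map each non-relay client to the set of domains it queried MX for."""
    seen = defaultdict(set)
    for _ts, client, qname, qtype in parse_log(text):
        if qtype.upper() != "MX" or client in authorised:
            continue
        seen[client].add(qname.lower())
    return dict(seen)


def suspicious_clients(text, threshold=1, authorised=AUTHORISED_MAIL_SERVERS):
    """Clients whose number of distinct MX-queried domains reaches threshold.

    threshold=1 matches the paper's 'within a single mailing attempt': any MX
    query from a non-relay client is anomalous. A higher threshold trades
    detection delay for tolerance of the occasional misconfigured client.
    """
    counts = mx_queries_by_client(text, authorised)
    return sorted(c for c, domains in counts.items() if len(domains) >= threshold)


def containment_rules(text, threshold=1, authorised=AUTHORISED_MAIL_SERVERS):
    """Per-host outbound port 25 blocks, the targeted alternative to blanket
    port 25 blocking mentioned in the abstract. iptables syntax is assumed."""
    return [
        f"iptables -A FORWARD -s {client} -p tcp --dport 25 -j DROP"
        for client in suspicious_clients(text, threshold, authorised)
    ]


if __name__ == "__main__":
    for rule in containment_rules(SAMPLE_LOG):
        print(rule)
```

The relay list is what makes this workable: the approach assumes an environment where clients are expected to send through a known set of mail servers, which is the "certain network environments" caveat in the abstract. A client that legitimately runs its own MTA would show up here and has to be whitelisted.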

February 9, 2006 in mass mailers, papers | Permalink | Comments (2)

The Nyxem Email Virus: Analysis and Inferences

This came out this morning. The amazing finding: 45k of the half million computers (up to about 10%) had other malware easily identifiable on them. Looks like some people can't help but pick up all sorts of crud.
While email viruses and worms are a ubiquitous part of the online environment, Nyxem was relatively rare in that newly infected hosts connect once to a single website, providing a single source of information about the infected population.

Of more critical interest to those infected, the virus also contained a malicious payload designed to overwrite files with certain extensions on the 3rd of every month (beginning February 3, 2006). Affected file types include: .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp.

We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem virus between January 15 23:40:54 UTC 2006 and Wednesday February 1 05:00:12 UTC. At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software.

Source: The Nyxem Email Virus: Analysis and Inferences, an analysis by David Moore (dmoore@caida.org) and Colleen Shannon (cshannon@caida.org) of the spread of the Nyxem (or Blackworm or Kama Sutra or MyWife or CME 24) Virus in January and early February 2006.

February 6, 2006 in mass mailers, papers | Permalink | Comments (10)

A Two-Layer Approach for Novel Email Worm Detection

We don't cover enough mass-mailer detection on wormblog. A pretty simple approach, and one that seems to have some merit.
The rapid proliferation of novel email-borne worms poses new challenges for systems administrators. Traditional techniques for scanning email messages for viruses rely on up-to-date virus signatures. However, these signatures are primarily manually generated, can only be created after a sample of a virus has been received and identified by an antivirus company, and must be disseminated to each virus scanner. This process can take anywhere from hours to days to complete, an insufficient amount of time to prevent epidemics for rapidly propagating viruses. In this paper, we propose and evaluate an approach for catching such infections quickly. We combine sensitive novelty detection with a parametric classifier for increased accuracy. We provide preliminary results for six separate email-borne viruses with varying characteristics.
Source: A Two-Layer Approach for Novel Email Worm Detection, Steve Martin, Anil Sewani, Blaine Nelson, Karl Chen, Anthony D. Joseph.

December 2, 2005 in mass mailers, papers | Permalink | Comments (0)

Semi-Supervised Learning on Email Characteristics for Novel Worm Detection

Posts have been a little erratic lately, exhaustion is setting in. Thanks for your continued patronage.

You know me, I love novel detection methods, and mass-mailers are always interesting in some fashion. The good news is that there's never a shortage of them.

A major drawback of unsupervised learning for worm detection is the possibility of false negatives. Previous work copes with this problem by increasing the sensitivity of the unsupervised classification algorithms. This, in turn, creates many more false positives. Our focus is narrowed to worms propagating through email.

We present the following contributions. First, we examine a wide range of features calculated on email traffic to determine indicators that discriminate between infected from normal email behavior. Using these features, we next present a new method that uses semi-supervised learning for adaptive virus detection that leverages system administrator feedback to improve classification. Our approach combines the strengths of sensitive novelty detection with a parametric classifier to drastically reduce the false positives.

Source: Semi-Supervised Learning on Email Characteristics for Novel Worm Detection, Steve Martin and Anil Sewani.

October 22, 2005 in detection, mass mailers, papers | Permalink | Comments (0)

MS Malware Tool Updated (October, 2005)

Microsoft has updated the malware removal tool they wrote and maintain for October, 2005. The new malware entities they detect are:

As always, this is just one tool in a Windows malware remediation toolkit. Also, it does not run in real-time, so it offers no ongoing protection. Instead, look at an AV solution for that. This only looks for the obvious signs of these malware families, but may not catch all future variants.

As always, make sure you get the latest version from Microsoft. The number of families they detect and clean up is always growing.

October 11, 2005 in Bagle, Blaster, defense, mass mailers, microsoft, sasser, witty, Zotob | Permalink | Comments (0)

Blocking Windows Worms at the Server with Procmail on a VPS

I've been using the procmail tool for several years now to detect and stop mass mailer malware from getting into my inbox. It works pretty well, despite some false negatives. Here's another document showing you some basic recipes to trap such malware.
My own humble list of worm recipes (the bulk of this document) may serve as a starting point for those new to procmail, but for more complete anti-worm protection, the seeker is directed to Nancy McGough's list first (the other links below may also be found on her site).
Source: Blocking Windows Worms at the Server with Procmail on a VPS by Scott Wiersdorf.
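As an added example, not one of the recipes from the linked document: the test that a typical anti-worm procmail recipe encodes, matching the attachment filename against extensions Windows will execute, written here in Python so it can be run against a message directly. The extension list and both sample messages are constructed for the example.

```python
"""Detect the executable attachments mass mailers rely on.

Added example, not a recipe from the linked document. It performs the check
an anti-worm procmail recipe usually expresses: match each attachment's
filename against extensions Windows executes on double-click. The extension
list and both messages below are constructed for the example.
"""
import email
from email import policy

# Extensions Windows runs directly. Assumed list for the example.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "hta", "cpl", "lnk",
}


def executable_attachments(raw_message: bytes) -> list:
    """Return filenames of attachments whose final extension is executable.

    Only the last extension counts: 'notice.zip.pif' is a PIF, and this
    'double extension' trick is how mass mailers of the period disguised
    their payloads.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers carry no filename
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def should_quarantine(raw_message: bytes) -> bool:
    """Delivery decision, the equivalent of a recipe routing to a worm folder."""
    return bool(executable_attachments(raw_message))


# Constructed message imitating an 'account expiring' lure with a
# double-extension attachment; the base64 body is a few bytes of filler.
WORM_MESSAGE = b"""\
From: admin@example.com
To: user@example.com
Subject: Your e-mail account will expire
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain

Please read the attached notice.
--boundary42
Content-Type: application/octet-stream; name="notice.zip.pif"
Content-Disposition: attachment; filename="notice.zip.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--boundary42--
"""

# Constructed benign message with a document attachment.
CLEAN_MESSAGE = b"""\
From: colleague@example.com
To: user@example.com
Subject: Draft
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary43"

--boundary43
Content-Type: text/plain

Draft attached.
--boundary43
Content-Type: application/pdf; name="draft.pdf"
Content-Disposition: attachment; filename="draft.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--boundary43--
"""

if __name__ == "__main__":
    print(executable_attachments(WORM_MESSAGE))
    print(should_quarantine(CLEAN_MESSAGE))
```

A filename check like this never looks inside a .zip, so a worm that ships its executable in an archive passes straight through; that is one reason filename-based recipes produce false negatives, and why the linked document defers to Nancy McGough's fuller list for broader coverage.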

October 5, 2005 in defense, mass mailers, tools | Permalink | Comments (0)

A Closer Look at the Worm_Mimail.A

While Mimail started appearing in mid-2003, many of the same techniques you see used in that are common in many mass mailers. This analysis is a bit cursory, but reveals how these things work.

On August 1, 2003, I encountered several emails from my email admin account informing me that my email address will be expiring and that I should read an attachment for further details. Being suspicious, I analyzed that file and the effects of it. This is a short overview of what I have found so far.

Source: A Closer Look at the Worm_Mimail.A by Charles Hornat.

October 1, 2005 in malware, mass mailers, papers | Permalink | Comments (0)

DDoSVax Worm Traffic Analysis

The Swiss research group hosted under the banner of 'DDoSVAX' has been known for many years for doing good work. They have used some of their measurement infrastructure to analyze worm traffic, as well. Several worms are studied and presented on their website:

August 3, 2005 in Blaster, mass mailers, sasser, tools | Permalink | Comments (1)