A Study of Massmailing Worms
Mass-mailer worms get the short end of the stick here on Wormblog. They're usually derivatives of each other, at this point, and while they can disrupt an enterprise's e-mail infrastructure, they don't usually display much novelty. Detection is also pretty easy. So, a paper like this is nice to see.
Mass-mailing worms have made a significant impact on the Internet. These worms consume valuable network resources and can also be used as a vehicle for DDoS attacks. In this paper, we analyze network traffic traces collected from a college campus and present an in-depth study on the effects of two mass-mailing worms, SoBig and MyDoom, on outgoing traffic. Rather than proposing a defense strategy, we focus on studying the fundamental behavior and characteristics of these worms. This analysis lends insight into the possibilities and challenges of automatically detecting, suppressing and stopping mass-mailing worm propagation in an enterprise network environment.
Source: A Study of Massmailing Worms, Cynthia Wong, Stan Bielski, Jonathan M. McCune, Chenxi Wang, from WORM04.
Watershed in malicious code evolution
Another link from my good friend Kamal. Another link that has been sitting in my inbox for too long ...
I think we'd all agree that the types of threats we're seeing now are changing radically. If we look at the past few years of malware, we see a change in the nature of the threat. One of the things I've noticed is that malware authors seem to be hitting a brick wall in attempting to exploit systems the old-fashioned way (i.e., a buffer overflow) and instead are back to the weakest link: people. Social engineering tricks, such as those used by IM-based malware, and password guessing techniques seem to be popular with some people. Just as popular as ever are mass mailers. But even more popular than ever are client-side exploits that launch a download of some malware to bootstrap itself onto a victim machine. This piece from VirusList is a good set of numbers to infer what's going on and where things are headed.
Accordingly, there has been a watershed in how Kaspersky Lab classifies malware. A professional malware market started to emerge at the very end of 2003, gained ground during 2004, and was well established by the beginning of 2005. Therefore, 2004 could be called the year in which the Internet became comprehensively criminal. Data based on Kaspersky Virus Lab statistics clearly demonstrates this trend. Some of this data is used in the discussion of the malware classifications used by Kaspersky virus analysts which follows.
Source: Watershed in malicious code evolution, from VirusList.
Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network
Given all of the recent mass-mailer worm activity, it makes sense to put a paper on dealing with them here.
Malicious mass-mailing activity on the Internet is a serious and continuing threat that includes mass-mailing worms, spam, and phishing. A mechanism commonly used to deliver such malicious mass mail is an SMTP-engine, which turns an infected system into a malicious mail server. We present a technique that enables, in certain network environments, detection and containment of (even zero-day) SMTP-engine based mass-mailing activity within a single mailing attempt. Contrary to other mass-mailing detection techniques our approach is content independent and requires no attachment processing, statistical measures, or system behavioral analysis. It relies strictly on the observation of DNS MX queries within the enterprise network. Our approach can be used as an alternative to port 25 blocking and in conjunction with current proposals to address mass-mailing abuses (e.g. SPF, DomainKeys). Our analysis on network traces from a medium sized university network indicates that MX query activity from client systems is a viable SMTP-engine detection method with a very low false positive rate. Our detection and containment approach has been successfully tested with a prototype using a live mass-mailing worm in an isolated test network.
Source: Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network, David Whyte, P.C. van Oorschot, Evangelos Kranakis.
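The MX-query observation the abstract describes, as an added illustration that is not code from the paper or its prototype: the detector assumes a pre-parsed DNS query log (constructed sample below) and an allow-list of the enterprise's legitimate mail relays, and flags any other client that resolves MX records, since ordinary desktop mail clients hand delivery to a relay and never need MX lookups.

```python
from collections import defaultdict

# Constructed allow-list: the only hosts that should ever resolve MX records
# (the enterprise's outbound mail relays). Assumed value, not from the paper.
MAIL_RELAYS = {"10.0.0.25"}

# Constructed DNS query log, one query per line: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1106789000 10.0.0.25 MX example.org
1106789001 10.0.5.17 A www.example.com
1106789002 10.0.5.42 MX hotmail.example
1106789002 10.0.5.42 MX yahoo.example
1106789003 10.0.5.42 MX aol.example
1106789004 10.0.5.17 MX example.net
"""


def parse_line(line):
    """Split one log line into (epoch, client_ip, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype.upper(), qname.lower()


def mx_queries_by_client(log_text, relays=MAIL_RELAYS):
    """Collect MX query names per client, ignoring the allowed relays."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        if qtype == "MX" and client not in relays:
            hits[client].append(qname)
    return dict(hits)


def classify(log_text, relays=MAIL_RELAYS, threshold=1):
    """Return the sorted client IPs to contain.

    threshold=1 mirrors the paper's 'within a single mailing attempt' claim;
    raising it delays detection but tolerates a host that legitimately runs
    its own MTA and issues the occasional MX query.
    """
    hits = mx_queries_by_client(log_text, relays)
    return sorted(c for c, names in hits.items() if len(names) >= threshold)


if __name__ == "__main__":
    hits = mx_queries_by_client(SAMPLE_LOG)
    for ip in classify(SAMPLE_LOG):
        print(f"contain {ip}: MX queries for {hits[ip]}")
```

In a real deployment the log would come from the resolver or a passive DNS tap, and the relay allow-list from the mail team; the containment action (e.g. a temporary egress block) is whatever the site already uses for quarantines.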
The Nyxem Email Virus: Analysis and Inferences
This came out this morning. The amazing finding: 45k of the half million computers (up to about 10%) had other malware easily identifiable on them. Looks like some people can't help but pick up all sorts of crud.
While email viruses and worms are a ubiquitous part of the online environment, Nyxem was relatively rare in that newly infected hosts connect once to a single website, providing a single source of information about the infected population.
Source: The Nyxem Email Virus: Analysis and Inferences, an analysis by David Moore and Colleen Shannon of the spread of the Nyxem (or Blackworm or Kama Sutra or MyWife or CME 24) Virus in January and early February 2006.
Of more critical interest to those infected, the virus also contained a malicious payload designed to overwrite files with certain extensions on the 3rd of every month (beginning February 3, 2006). Affected file types include: .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp.
We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem virus between January 15 23:40:54 UTC 2006 and Wednesday February 1 05:00:12 UTC. At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software.
A Two-Layer Approach for Novel Email Worm Detection
We don't cover enough mass-mailer detection on wormblog. A pretty simple approach, and one that seems to have some merit.
The rapid proliferation of novel email-borne worms poses new challenges for systems administrators. Traditional techniques for scanning email messages for viruses rely on up-to-date virus signatures. However, these signatures are primarily manually generated, can only be created after a sample of a virus has been received and identified by an antivirus company, and must be disseminated to each virus scanner. This process can take anywhere from hours to days to complete, an insufficient amount of time to prevent epidemics for rapidly propagating viruses. In this paper, we propose and evaluate an approach for catching such infections quickly. We combine sensitive novelty detection with a parametric classifier for increased accuracy. We provide preliminary results for six separate email-borne viruses with varying characteristics.
Source: A Two-Layer Approach for Novel Email Worm Detection, Steve Martin, Anil Sewani, Blaine Nelson, Karl Chen, Anthony D. Joseph.
Semi-Supervised Learning on Email Characteristics for Novel Worm Detection
Posts have been a little erratic lately, exhaustion is setting in. Thanks for your continued patronage.
You know me, I love novel detection methods, and mass-mailers are always interesting in some fashion. The good news is that there's never a shortage of them.
A major drawback of unsupervised learning for worm detection is the possibility of false negatives. Previous work copes with this problem by increasing the sensitivity of the unsupervised classification algorithms. This, in turn, creates many more false positives. Our focus is narrowed to worms propagating through email.
Source: Semi-Supervised Learning on Email Characteristics for Novel Worm Detection, Steve Martin and Anil Sewani.
We present the following contributions. First, we examine a wide range of features calculated on email traffic to determine indicators that discriminate between infected and normal email behavior. Using these features, we next present a new method that uses semi-supervised learning for adaptive virus detection that leverages system administrator feedback to improve classification. Our approach combines the strengths of sensitive novelty detection with a parametric classifier to drastically reduce the false positives.
MS Malware Tool Updated (October, 2005)
Microsoft has updated the malware removal tool they wrote and maintain for October, 2005. The new malware entities they detect are:
As always, make sure you get the latest version from Microsoft. The number of families they detect and clean up is always growing.
Blocking Windows Worms at the Server with Procmail on a VPS
I've been using the procmail tool for several years now to detect and stop mass mailer malware from getting into my inbox. It works pretty well, despite some false negatives. Here's another document showing you some basic recipes to trap such malware.
My own humble list of worm recipes (the bulk of this document) may serve as a starting point for those new to procmail, but for more complete anti-worm protection, the seeker is directed to Nancy McGough's list first (the other links below may also be found on her site).
Source: Blocking Windows Worms at the Server with Procmail on a VPS by Scott Wiersdorf.
A Closer Look at the Worm_Mimail.A
While Mimail started appearing in mid-2003, many of the same techniques you see used in that are common in many mass mailers. This analysis is a bit cursory, but reveals how these things work.
On August 1, 2003, I encountered several emails from my email admin account informing me that my email address will be expiring and that I should read an attachment for further details. Being suspicious, I analyzed that file and the effects of it. This is a short overview of what I have found so far.
Source: A Closer Look at the Worm_Mimail.A by Charles Hornat.
DDoSVax Worm Traffic Analysis
The Swiss research group hosted under the banner of 'DDoSVAX' has been known for many years for doing good work. They have used some of their measurement infrastructure to analyze worm traffic, as well. Several worms are studied and presented on their website:
13.8.2003: Traffic Analysis for the W32.Blaster Worm
19.8.2003: Traffic Analysis for the Sobig.F Worm
26.1.2004: Traffic Analysis for the Novarg/MyDoom Worm
9.5.2004: Traffic Analysis for the Sasser Worm