VB2008 call for papers
The Virus Bulletin conference is coming up later this year, but the call for papers closing is only a month and a half away. VB is a nice, fun conference where a lot of top - and rising - AV and malware researchers meet up. There's a growing number of researchers in the field, so getting your research in front of the right people is always a good thing.
I'll skip the long - and interesting - list of topics the conference warmly accepts. About the conference:
Virus Bulletin is seeking submissions from those wishing to present papers at VB2008, which will take place 1-3 October 2008 at the Westin Ottawa, Canada.
To submit a proposal authors should:
- send an abstract of approximately 200 words outlining the proposed paper to firstname.lastname@example.org
- include full contact details with each submission
- indicate whether the paper is intended for the technical or corporate stream
Note: deadline for submissions 7 March 2008
Submissions received later than 7 March 2008 will not be considered.
Authors are advised that, should their paper be selected for the conference programme, the deadline for submission of the completed papers will be Monday 9 June 2008, and that they must be available to present their papers in Ottawa between 1 and 3 October 2008.
I don't know if I'll be submitting anything or if I'll be attending, although I would like to. I hope many of you consider submitting research works there, however.
LEET '08 Call for Papers
The First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08) has a CFP that closes soon. From the CFP:
Overview
As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive medium for online criminal enterprise. Today, widespread vulnerabilities in both software and user behavior allow miscreants to compromise millions of hosts (worms, viruses, drive-by exploits, etc.), conceal their activities with sophisticated system software (rootkits), and manage these resources via a distributed command and control framework (botnets). This platform in turn provides economics of scale for a wide range of criminal activities including spam, phishing, DDoS, click fraud, and so on.
Source: LEET '08 Call for Papers.
Topics for the workshop for readers here include: Infection vectors for malware (worms, viruses, etc.), Boutique and targeted malware, and Reverse engineering.
Topics
LEET has evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), which have each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.
- Submissions due: February 11, 2008, 11:59 p.m. EST
- Notification of acceptance: March 24, 2008
- Final papers due: April 4, 2008
Hacking the Malware – A reverse-engineer's analysis
A nice, thorough analysis of a Yahoo! instant messaging worm by Rahul Mohandas, showing how he decoded the exploit, reverse engineered it, and its effects. Very good example, and something you can learn from.
This paper attempts to document an approach on how the hackers make use of the vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.
I also describe an approach to setting up a flexible laboratory environment using virtual workstation software such as VMware, and demonstrate the process of reverse engineering a worm using a range of system monitoring tools in conjunction with a disassembler.
I hope this document will help the Malware researchers, Intrusion Analysts and other Security professionals to conduct a more viable and comprehensive research.
Source: Hacking the Malware – A reverse-engineer's analysis, by Rahul Mohandas. Pointed out by B on IRC. Thanks!
A spread model of flash worms
I can't let another week go by and not post a paper on worm modeling. This one looks at a more rigorous model of how a "Flash Worm" would work. Some decent math, it's worth the effort to make sure you understand the equations.
In this work we introduce a mathematical model for epidemics of worms using hit-list spreading technique. Flash worms to infect the whole vulnerable population. The estimated infection time shows that even heavy network worm can potentially infect large-scale vulnerable population within few seconds. Primarily the work is based on results of the work Top Speed of Flash Worms by S. Staniford et al. We also generalize infection doubling technique used to increase a resilience of flash worms epidemics. It took the whole day for Code Red I v2 to spread among over 350,000 Internet hosts. Slammer worm infected more than 90 percent of up to 100,000 vulnerable hosts within 10 minutes (Inside the Slammer Worm by D. Moore et al.), Witty worm infected almost all of its 12,000 victims in 45 minutes (The Spread of the Witty Worm by C. Shannon and D. Moore).
Source: A spread model of flash worms, Yury Bulygin.
And you thought you were safe after SLAMMER, not so, Swarms not Zombies present the greatest risk to our national internet infrastructure
I had a great time at WORM06 in Fairfax last week, and in my scramble to get work done in preparation for a day out of the office Wormblog updates slipped.
This paper comes from a conference on swarm intelligence and security. This is another one of those "worst worm" design papers, but it uses a novel approach: swarm intelligence.
The problem of attacks where sophisticated communities, such as BLACKHAT users, compromised larger and larger number of unsuspecting (and unsuspected) home personal computers in an effort to launch major attacks on both Government and corporate networks will be addressed in this manuscript. We called these attacks "Swarm Attacks", like a "swarm of bees". The Slammer, which is currently the fastest computer worm in recorded history, is an early precursor to this class of threat. Most countermeasure strategies proposed to deal with such attacks are based primarily on rate detection and limiting algorithms, or the detection of a sudden increased occurrence of "Destination Unreachable" messages in a network. However, we speculate that such strategies will prove ineffective in the future.
In this manuscript we will introduce the basic principles behind the idea of such "Swarm Worms", the nature of the intelligent behavior that emerges, as well as the basic structure required in order to be considered a "swarm worm", based on our definition. In addition, we will present preliminary results on the propagation speeds of one such swarm worm, called the ZachiK worm. We will show that ZachiK is capable of propagating at a rate 2 orders of magnitude faster than similar worms without swarm capabilities while remaining stealthy.
Source: And you thought you were safe after SLAMMER, not so, Swarms not Zombies present the greatest risk to our national internet infrastructure, Fernando C. Colon Osorio and Zachi Kloppman.
Aim For Bot Coordination
A paper from this year's Virus Bulletin conference that explores IM-based botnet communication channels. While not too long (only 3 pages), it highlights some of the attractive features about the AIM protocol Oscar that could be useful for bots.
In the last few years, there has been increasing interest within the virus-writing community in Internet Relay Chat (IRC) based malware, due to the power afforded by the IRC scripting language and the ease of coordinating infected machines from a chat-room type of structure. What has developed is a very modular, open-source sort of threat which is very rapidly adapted to include new functionality and new infection vectors. More recently, there has also been an increase in the number of threats spreading through Instant Messaging (IM) clients, particularly OSCAR-based clients like AOL Instant Messenger (AIM). IRC bots have begun using this functionality to spread, but there is more capability available within OSCAR than is currently being exploited.
Source: Aim For Bot Coordination, Lysa Myers, from Virus Bulletin 2006.
As there has also been an increase in the number of bots using Command and Control (C&C) channels that utilize something other than IRC (primarily web-based currently), it stands to reason that there may be a possibility of virus-writers using OSCAR as a means of control. This paper looks to explore the capabilities of OSCAR for being used in C&C scenarios, and what steps could be taken to mitigate this proactively.
Software Decoys: Intrusion Detection and Countermeasures
Following VB, I got to thinking about some of my previous positions on AV and thought about just how hard a problem it is, at times. This paper sort of fits into that thinking, basically trying to discriminate malicious activity from normal activity, a somewhat related topic.
We introduce the notion of an intelligent software decoy, and provide both an architecture and event-based language for automatic implementation of them. Our decoys detect and respond to patterns of suspicious behavior, and maintain a repository of rules for behavior patterns and decoying actions. As an example, we construct a model of system behavior from an initial list of event types and their attributes in the interaction between computer worms and an operating system. The model represents patterns of suspicious or malicious events that the software decoy should detect, and specific actions to be taken in response. Our approach explicitly treats both standard and nonstandard invocations of components, with the latter representing an attempt to circumvent the public interface of the component.
Source: Software Decoys: Intrusion Detection and Countermeasures, James Bret Michael, Senior Member, IEEE, Mikhail Auguston, Neil C. Rowe, and Richard D. Riehle.
Global Intrusion Detection in the DOMINO Overlay System
To continue a theme from Monday about using a distributed sensor network, this is one of the premier papers in this arena. DOMINO and its applicability to the worm problem is well covered in this paper. In it, the authors describe how they efficiently detected major worm outbreaks.
Sharing data between widely distributed intrusion detection systems offers the possibility of significant improvements in speed and accuracy over isolated systems. In this paper, we describe and evaluate DOMINO (Distributed Overlay for Monitoring InterNet Outbreaks); an architecture for a distributed intrusion detection system that fosters collaboration among heterogeneous nodes organized as an overlay network. The overlay design enables DOMINO to be heterogeneous, scalable, and robust to attacks and failures. An important component of DOMINO's design is the use of active-sink nodes which respond to and measure connections to unused IP addresses. This enables efficient detection of attacks from spoofed IP sources, reduces false positives, enables attack classification and production of timely blacklists.
We evaluate the capabilities and performance of DOMINO using a large set of intrusion logs collected from over 1600 providers across the Internet. Our analysis demonstrates the significant marginal benefit obtained from distributed intrusion data sources coordinated through a system like DOMINO. We also evaluate how to configure DOMINO in order to maximize performance gains from the perspectives of blacklist length, blacklist freshness and IP proximity. We perform a retrospective analysis on the 2002 SQL-Snake and 2003 SQL-Slammer epidemics that highlights how information exchange through DOMINO would have reduced the reaction time and false-alarm rates during outbreaks. Finally, we provide preliminary results from our prototype active-sink deployment that illustrates the limited variability in the sink traffic and the feasibility of efficient classification and discrimination of attack types.
Source: Global Intrusion Detection in the DOMINO Overlay System, Vinod Yegneswaran, Paul Barford, Somesh Jha.
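To make the blacklist-building step in the abstract concrete, here is an added example (my own illustration, not DOMINO's code) of how reports from several active-sink sensors can be merged: a source is blacklisted only when enough distinct sensors saw it probing unused addresses within a freshness window, which is what lets a shared view cut false positives relative to any single sensor. The log format, sensor names and addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: each sensor reports connections that reached its unused
# ("active-sink") address space. Format: sensor,ISO-timestamp,src_ip,dst_ip
SINK_LOG = """\
sensorA,2008-01-25T10:00:01,198.51.100.7,10.9.0.3
sensorB,2008-01-25T10:00:04,198.51.100.7,10.8.0.9
sensorC,2008-01-25T10:00:09,198.51.100.7,10.7.0.1
sensorA,2008-01-25T10:00:12,203.0.113.5,10.9.0.4
sensorA,2008-01-25T10:00:15,203.0.113.5,10.9.0.5
sensorB,2008-01-25T09:10:00,192.0.2.44,10.8.0.2
sensorC,2008-01-25T09:12:00,192.0.2.44,10.7.0.8
sensorA,2008-01-25T09:15:00,192.0.2.44,10.9.0.6
"""


def parse_sink_log(text):
    """Parse sink reports into (sensor, timestamp, src_ip, dst_ip) tuples."""
    events = []
    for line in text.splitlines():
        sensor, ts, src, dst = line.strip().split(",")
        events.append((sensor, datetime.fromisoformat(ts), src, dst))
    return events


def build_blacklist(events, now, freshness=timedelta(minutes=30), min_sensors=2):
    """Return sources reported by at least min_sensors distinct sensors
    within the freshness window. Single-sensor sightings (203.0.113.5 in the
    sample) and stale multi-sensor sightings (192.0.2.44) are dropped, which
    is the 'blacklist length' versus 'freshness' trade-off the paper tunes."""
    sensors_per_src = defaultdict(set)
    for sensor, ts, src, _dst in events:
        if now - ts <= freshness:
            sensors_per_src[src].add(sensor)
    return sorted(src for src, seen in sensors_per_src.items()
                  if len(seen) >= min_sensors)


if __name__ == "__main__":
    evs = parse_sink_log(SINK_LOG)
    print(build_blacklist(evs, datetime(2008, 1, 25, 10, 0, 20)))
```

Widening `freshness` admits the older 192.0.2.44 sightings and lowering `min_sensors` to 1 admits the locally seen 203.0.113.5, so the two parameters directly trade blacklist length against timeliness and false positives.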
Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation
While I'm back from VB, I've also been very busy with work, so posts here slipped a bit.
The COVERAGE algorithm outlined here seems like a decent first step at solving a very knotty problem. This is worth reading if you've given thought to a cooperative IDS system, or even if you just want to look at a specific subset of data correlation across multiple devices.
Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed defensive systems allow detectors to be more conservative (i.e. paranoid) about potential attacks because they manage false alarms efficiently.
In this paper we begin a preliminary investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.
Source: Robust Reactions to Potential Day-Zero Worms through Cooperation and Validation, K. Anagnostakis, S. Ioannidis, A. D. Keromytis, and M. B. Greenwald.
An epidemiological model of virus spread and cleanup
Quite a good, focused paper on the outbreak of malware.
Signature based anti-virus technologies are widely used to fight computer viruses. It is difficult to evaluate such systems because they work in the wild and few companies would be willing to turn them off to be part of a control group! This paper presents a new model of these technologies that can be used to predict and evaluate their effectiveness. The paper will demonstrate how the model can be used to understand the overall system dynamics, calculate expected costs of outbreaks, give insight into the relative importance of parts of the system and suggest ways to improve the technology. It is also used to evaluate new approaches to fighting viruses.
Source: An epidemiological model of virus spread and cleanup, Williamson, Matthew M.; Léveillé, Jasmin.