Wormboy

One of the things I saw on Friday at WORM05 was "Wormboy", a new tool released as part of a research project. The author, David Malan, is interested in using a peer-to-peer system of communicating nodes to determine whether any of their processes are possibly malware. Wormboy examines a process's system calls and can tell, fairly reliably, whether they form a suspicious pattern of behavior.

To trace, as part of my research, the behavior of worms, we have implemented Wormboy, a kernel-mode driver for Windows XP with Service Pack 2 that inserts hooks into _KeServiceDescriptorTable before and after all but two system services. Inspired by Strace for NT, as well as by work by Nebbett and Dabak et al., Wormboy not only captures a call's service ID and input parameters, but also its output parameters and return value, along with a caller's name, process ID, thread ID, and mode.

Source: Wormboy website, where you can download the tool and test it out for yourself.

November 15, 2005 in detection, Peer To Peer, tools

Security Applications of Peer-to-Peer Networks

An interesting paper describing a P2P architecture that provides both distributed detection and alert qualification, lets the mesh of peers do the alert aggregation, and then automatically instantiates defenses.

Open networks are often insecure and provide an opportunity for viruses and DDOS activities to spread. To make such networks more resilient against these kinds of threats, we propose the use of a peer-to-peer architecture whereby each peer is responsible for: (a) detecting whether a virus or worm is uncontrollably propagating through the network resulting in an epidemic; (b) automatically dispatching warnings and information to other peers of a security-focused group; and (c) taking specific precautions for protecting their host by automatically hardening their security measures during the epidemic. This can lead to auto-adaptive secure operating systems that automatically change the trust level of the services they provide. We demonstrate our approach through a prototype application based on the JXTA peer-to-peer infrastructure.

Source: Security Applications of Peer-to-Peer Networks, Vasileios Vlachos, Stephanos Androutsellis-Theotokis, and Diomidis Spinellis. A later version of this paper was published in Computer Networks (Elsevier Science), Volume 45, Issue 2, pp. 195-205, June 2004. Also see their JXTA project page for the tool described in the paper, NetBiotic.
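The per-peer detect / warn / harden loop the abstract describes, as an added toy model (not NetBiotic or the authors' JXTA prototype): each peer counts suspicious local events in a sliding window, warns its security group once the local rate crosses a threshold, and sets its trust level from local evidence plus the share of peers currently warning, dropping back to normal once the evidence ages out. Peer names, the window, thresholds, level names and the observation samples are all assumptions constructed for illustration.

```python
from collections import deque

class Peer:
    """One NetBiotic-style peer: detects locally, warns its group, hardens itself."""
    def __init__(self, name, group, window=10, local_threshold=3):
        self.name = name
        self.group = group                  # the security-focused group of peers
        self.window = window                # seconds an event or warning stays relevant
        self.local_threshold = local_threshold
        self.events = deque()               # timestamps of suspicious local events
        self.warnings = {}                  # sender name -> timestamp of its last warning
        self.level = "normal"               # assumed levels: normal, elevated, lockdown

    def observe(self, ts, suspicious):
        """(a) Record a local observation; if the local rate looks epidemic, (b) warn the group."""
        if suspicious:
            self.events.append(ts)
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()
        if len(self.events) >= self.local_threshold:
            for peer in self.group:
                if peer is not self:
                    peer.receive_warning(self.name, ts)
        self.reassess(ts)

    def receive_warning(self, sender, ts):
        self.warnings[sender] = ts
        self.reassess(ts)

    def reassess(self, ts):
        """(c) Set the trust level from local evidence plus the share of peers warning."""
        recent = sum(1 for t in self.warnings.values() if ts - t <= self.window)
        share = recent / max(len(self.group) - 1, 1)
        local = len(self.events) >= self.local_threshold
        if share >= 0.5 or (local and share > 0):
            self.level = "lockdown"       # epidemic confirmed from several vantage points
        elif share > 0 or local:
            self.level = "elevated"       # a single source of evidence: tighten, keep serving
        else:
            self.level = "normal"         # evidence aged out of the window: recover

def simulate(events):
    """Feed constructed (timestamp, peer_name, suspicious) observations to a four-peer group."""
    group = []
    peers = {n: Peer(n, group) for n in ("alpha", "beta", "gamma", "delta")}
    group.extend(peers.values())
    for ts, name, suspicious in events:
        peers[name].observe(ts, suspicious)
    return peers
```

A peer only re-evaluates when it observes or receives something, so an idle peer keeps its last level until fresh evidence arrives; a real deployment would add a timer.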

July 28, 2005 in defense, detection, papers, Peer To Peer, tools

MP3 zapping malware worms onto P2P network

A new vigilante worm has emerged. This one seeks to delete illegally obtained MP3 music files that violate copyright:

The Nopir-B worm, which appears to have originated in France, poses on P2P networks as a program to make copies of commercial DVDs. In reality the application offers no such function. Instead it attempts to delete MP3 music files on infected PCs. Nopir-B also attempts to disable various system utilities and wipe .COM programs whilst displaying an anti-piracy graphic. Nopir-B only infects Windows machines.

Source: MP3 zapping malware worms onto P2P network, by John Leyden, published in The Register online on Friday 22nd April 2005.

The worm, dubbed Win32.Nopir.B, has been seeded into P2P networks for download by its potential victims. There's no reason this worm wouldn't also attack legitimate MP3 files on infected computers, so you'll want to be careful. Such strategies have been proposed within the blackhat community as a means of controlling illegally copied music and video material, specifically by making the P2P networks more dangerous to use. However, this doesn't appear to be the work of anyone connected to the industry. This new incident reminds me of the Noped worm from 2001, which attempted to take on child pornography.

April 26, 2005 in new worms, Peer To Peer

Analyze the Worm-based Attack in Large Scale P2P Networks

Another paper looking at the modeling of epidemics (like worms) on P2P networks. This one is much shorter, however.

Peer-to-Peer (P2P) computing has become an interesting research topic during recent years. In this paper, we address issues related to analyzing the worm-based attack in P2P systems. Particularly, our technologies include: 1) generic mathematical models for attacker/defender and different P2P systems; 2) practical and effective attack prevention schemes. We find that our proposed defense strategy can efficiently improve the performance of worm detection and system recovery.

Source: Analyze the Worm-based Attack in Large Scale P2P Networks, Wei Yu.

March 27, 2005 in papers, Peer To Peer

A First Look at Peer-to-Peer Worms: Threats and Defenses

A conspiracy theorist might look at the author affiliations and think that Microsoft is attempting to discredit the P2P networks that are so popular. However, these networks provide an excellent breeding ground for epidemics such as worms and viruses, along with other forms of malware. Luckily, for most enterprise and SP networks, blocking P2P traffic outright is fairly easy once a problem has erupted, which is not the case for SMTP, HTTP or DNS traffic.

Peer-to-peer (P2P) worms exploit common vulnerabilities in member hosts of a P2P network and spread topologically in the P2P network, a potentially more effective strategy than random scanning for locating victims. This paper describes the danger posed by P2P worms and initiates the study of possible mitigation mechanisms. In particular, the paper explores the feasibility of a self-defense infrastructure inside a P2P network, outlines the challenges, evaluates how well this defense mechanism contains P2P worms, and reveals correlations between containment and the overlay topology of a P2P network. Our experiments suggest a number of design directions to improve the resilience of P2P networks to worm attacks.

Source: A First Look at Peer-to-Peer Worms: Threats and Defenses, Lidong Zhou, Lintao Zhang, Frank McSherry, Nicole Immorlica, Manuel Costa, and Steve Chien.

March 23, 2005 in papers, Peer To Peer

Peer-to-Peer Traffic and Worms

From Kannan and Lakshminarayanan comes an interesting paper out of their CS project from Autumn 2003.

Recently, two trends have emerged in the field of peer-to-peer networks: widespread deployment of peer-to-peer systems for file sharing and development of distributed hash tables that provide efficient lookups. In this paper, we study how to harness the power of these technologies to further the state-of-the-art in both designing and defending against Internet worms. We quantify this advance from three different viewpoints. Firstly, peer-to-peer traffic characteristics differ from traditional Internet traffic in several aspects, and we quantitatively analyze the effect of these differences on worm propagation and control. Secondly, we show that a DHT is an ideal model for coordination among worms, and design a DHT-enabled worm that is an improvement over existing worm designs in a number of aspects, mainly stealth in propagation and speed of propagation. Our DHT-based worm designs can be used to implement a variety of policies aimed at circumventing existing schemes for worm propagation control. Our results also show that a coordinated worm can spread more than twice as fast as worms such as Slammer, while halving the number of unsuccessful probes. In this way, this paper attempts to “raise the bar” in worm design, and this is essential to the development of suitable defenses. Finally, we offer some preliminary insights on how a DHT can be used to defend against worms.

Source: Implications of Peer-to-Peer Networks on Worm Attacks and Defenses, Jayanthkumar Kannan and Karthik Lakshminarayanan.

This paper is interesting because it explores and analyzes the possibility of using a distributed hash table to coordinate worm activity. Previously this had largely been the realm of speculation and conjecture. Their results are worth reading.

A very related paper is from Wei Yu, Corey Boyer, and Dong Xuan:

Recent active worm propagation events show that active worms can spread in an automated fashion and flood the Internet in a very short period of time. Due to the recent surge of Peer-to-Peer (P2P) systems with large numbers of users, P2P systems can be a potential vehicle for the active worm attacker to achieve fast worm propagation in the Internet. In this paper, we address the issue by studying the impact of P2P systems on propagation of active worm attacks. In particular: 1) we define the P2P-based attack model and study two P2P-based attack strategies; 2) we develop an analytical approach to analyze the impact of P2P-based attack mechanisms and P2P related factors such as size, vulnerability, topology degree, and the structured/unstructured property. Based on numerical results, we observe that a P2P-based attack can significantly worsen attack effects (improve the attack performance) and some P2P related parameters also have an impact on worm attack effects. Our initial work is the first study providing the guidance for P2P systems to address worm attack concerns.

Source: Analyzing Impacts of Peer-to-Peer Systems on Propagation of Active Worm Attacks, Wei Yu, Corey Boyer, Dong Xuan.

Both of these papers are interesting from the standpoint of topology effects on worm propagation.

December 16, 2004 in papers, Peer To Peer