Copyright 2004 Sheng Bai
The Classification and Detection of Computer Worms
(60-592 survey report)
Instructor: Dr. A. K. Aggarwal
Session: Winter 2004
Student Name: Sheng Bai
Agenda
Introduction
Motivation
Classification
Detection
Conclusion
Reference
Introduction
I. A taxonomy of computer worms
II. Detection of injected, dynamically generated, and obfuscated malicious code
Introduction
Definition
First widespread notice in 1988
Self-propagating, with malicious objectives
Comparison of malicious codes
Viruses require some sort of user action to trigger their propagation
Worms propagate at high speed
Motivation
Experimental curiosity; pride; extortion and criminal gain; random protest; political protest; terrorism; and cyber warfare
I. Experimental Curiosity
“Morris Worm”, launched on November 2, 1988: experimental, self-replicating
“ILOVEYOU”
II. Pride
Showing off knowledge about security
Showing off uncommon abilities
Gaining respect in the hacker world
III. Extortion and Criminal Gain
Internet-based business
Denial of Service (DoS) attacks threaten some major e-commerce or portal companies
Some other worms search for credit-card information
IV. Random Protest
No particular or clear objectives
Disrupt networks and infrastructure
Topological, optimized worms
V. Political Protest
Some radical groups prevent opponents from publicizing on the Internet
Yaha Mail worm, DoS attack
VI. Terrorism
View large corporations as evil
Animosity directed against particular nations or governments
Execute worms in large, networked environments
Always target all infectible computers
Aim to cause significant monetary disruption
VII. Cyber Warfare
Based on computing infrastructure, both economic and governmental
All countries face the threat of an electronic attack
Targets: governmental computers, networked military, and large e-commerce sites
Could frame others as the apparent perpetrators
Classification
Target discovery
Carrier
Activation
Payloads
I. Target Discovery
Scanning
Externally Generated Target Lists
Internal Target Lists
Passive
Scanning
Sending probes to a set of addresses
Two types: sequential form, random form
Slow propagation speed
Optimizations: emphasis on local addresses, permutation scanning
Anomalous compared with normal Internet traffic
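The slide's last point, that probe traffic stands out from normal traffic, is what a scan detector builds on. This added example (not from the survey or the cited papers) groups constructed flow records by source, alerts on sources whose probes mostly go unanswered, and labels the address pattern as the sequential or the random form described above; the thresholds are constructed for the example.

```python
"""Flag scanning-style target discovery in connection records (added example)."""
from collections import defaultdict
import ipaddress

# Constructed flow records: (source, destination, destination port, connection succeeded)
FLOWS = [
    ("10.0.0.5", "192.0.2.1", 80, False),
    ("10.0.0.5", "192.0.2.2", 80, False),
    ("10.0.0.5", "192.0.2.3", 80, False),
    ("10.0.0.5", "192.0.2.4", 80, True),
    ("10.0.0.5", "192.0.2.5", 80, False),
    ("10.0.0.7", "198.51.100.9", 80, False),
    ("10.0.0.7", "203.0.113.77", 80, False),
    ("10.0.0.7", "192.0.2.200", 80, False),
    ("10.0.0.7", "198.51.100.41", 80, False),
    ("10.0.0.9", "192.0.2.10", 443, True),   # ordinary client traffic
    ("10.0.0.9", "192.0.2.10", 443, True),
    ("10.0.0.9", "192.0.2.11", 80, True),
]

def analyze(flows, min_targets=4, max_success_ratio=0.25):
    """Return {source: {"targets", "success_ratio", "pattern"}} for suspected scanners."""
    by_src = defaultdict(list)
    for src, dst, _port, ok in flows:
        by_src[src].append((int(ipaddress.ip_address(dst)), ok))
    alerts = {}
    for src, probes in by_src.items():
        targets = [addr for addr, _ in probes]
        if len(set(targets)) < min_targets:
            continue                       # too few distinct destinations to call it a scan
        success_ratio = sum(ok for _, ok in probes) / len(probes)
        if success_ratio > max_success_ratio:
            continue                       # mostly answered: looks like normal client traffic
        # The sequential form walks adjacent addresses; anything else is treated as random.
        steps = [b - a for a, b in zip(targets, targets[1:])]
        pattern = "sequential" if steps and all(s == 1 for s in steps) else "random"
        alerts[src] = {"targets": len(set(targets)),
                       "success_ratio": round(success_ratio, 2),
                       "pattern": pattern}
    return alerts

if __name__ == "__main__":
    for src, info in analyze(FLOWS).items():
        print(src, info)
```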
Externally Generated Target Lists
A target list maintained on a server
A worm first queries the list server to get the target list
Could use Google as the list server
Not found in the real world yet
Internal Target Lists
Network-based applications always contain information about other hosts
Create an attack by searching local information
Appears normal in local traffic
Detection needs highly distributed sensors
Passive
Does not actively search for victim hosts
Waits for potential victims to make contact
Low spread speed
Produces no abnormal traffic
More stealthy
Some examples:
Gnuman bait worm works as a Gnutella node
CRClean “anti-worm” waits for a Code Red II related probe
II. Propagation Carriers
Two basic types: actively spread itself machine by machine, or be carried along with normal communication
Some implementations: Self-Carried, Second Channel, Embedded
Self-Carried
Actively transmits itself to the target host
Commonly used in self-activating scanning or topological worms
Also some passive worms, such as CRClean
Second Channel
Needs a second communication channel
Two steps:
At first, the worm communicates with the victim machine using the original channel
Then the victim machine connects back to the infecting machine using another channel to download the worm body
Embedded
Either appending to or replacing normal messages
Always viewed as a common communication
Stealthy, very difficult to detect
Suitable for worms that also use a stealthy target discovery strategy
III. Activation
Human Activation
Human Activity-Based Activation
Scheduled Process Activation
Self Activation
Human Activation
The slowest worm activation method
Tries to convince people by using social engineering techniques
Indicating urgency: “Attached is an important message for you”
Using people’s vanity: “Open this message to see who loves you”
Using bugs in the software that brought the worm
Human Activity-Based Activation
Also needs some user operations
These operations are not directly related to the worm:
Resetting the machine
Logging in
Opening a remotely infected file
Scheduled Process Activation
Auto-updater programs
Periodic backup and other network software
Using the vulnerabilities of these scheduled system processes for infecting and activating
Self Activation
The fastest worm activation
Utilizes vulnerabilities in:
Services that are always on
The libraries that the running services use
Methods:
Attach themselves to running services
Execute other commands using the services’ permissions
Countermeasures: reduce vulnerabilities, limit access
IV. Payloads
None/nonfunctional
Internet Remote Control (Code Red II)
Spam-Relays
HTML-Proxies
Internet DoS (Code Red, Yaha…)
Data Collection (targeting sensitive data)
Payloads Cont.
Data Damage (erase data…)
Physical-world Damage
Reflashing the BIOS
Destroying the motherboards
Worm Maintenance
Detection
DOME
A host-based technique
Introduction
Simple two-step working theory:
Static analysis of the system calls
Runtime monitor for validation
Very powerful, could detect:
Injected malicious code (MC)
Dynamically generated MC
Obfuscated MC
Can be applied to different operating systems
Preprocessing
Disassembling software executables
Recording:
A pair of the virtual address of the instruction and the Win32 API name called
The address of the instruction immediately after the identified Win32 API call
Monitoring and detection
Monitoring Win32 API calls
Validation of Win32 API calls
Monitoring Win32 API calls: Detours package
1. Makes a call into the API function
2. Unconditional jump to the Detours wrapper
3. Execute pre-stub code (validation)
4. Return control to the Win32 API body
5. Control is returned back to Detours
6. Execute post-stub code, return control
Validation of Win32 API calls
Pre-stub code mentioned above
Checking:
The API name
The return address
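The Preprocessing and Validation slides together describe a whitelist check: the static pass records (API name, return address) pairs, and the pre-stub rejects any call whose pair is absent. This added example, not DOME's own code, simulates that check in Python over a constructed call-site table and a constructed runtime trace; the code-section range check is an assumption of this example, added to tell injected code apart from unrecorded call sites within the program.

```python
"""DOME-style validation of Win32 API calls, simulated (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CallSite:
    call_addr: int    # virtual address of the call instruction
    return_addr: int  # address of the instruction immediately after it
    api: str          # Win32 API name the call resolves to

# Constructed output of the preprocessing pass for one program.
STATIC_TABLE = [
    CallSite(0x401000, 0x401005, "CreateFileA"),
    CallSite(0x401010, 0x401015, "WriteFile"),
    CallSite(0x401020, 0x401025, "CloseHandle"),
]
TEXT_SECTION = (0x401000, 0x402000)   # constructed code-section bounds (assumption)

def build_index(table):
    """Set of (API name, return address) pairs the program is allowed to make."""
    return {(site.api, site.return_addr) for site in table}

def validate_call(index, api, return_addr, text_range=TEXT_SECTION):
    """Pre-stub check run on every hooked call. Returns (accepted, reason)."""
    lo, hi = text_range
    if not lo <= return_addr < hi:
        return False, "return address outside the code section: injected code"
    if (api, return_addr) not in index:
        return False, "no statically identified call to this API here: dynamic/obfuscated"
    return True, "matches preprocessing record"

def monitor(events, table=STATIC_TABLE):
    """Validate a trace of observed (API name, return address) events."""
    index = build_index(table)
    return {(api, ra): validate_call(index, api, ra) for api, ra in events}

# Constructed runtime trace as the Detours pre-stub would observe it.
TRACE = [
    ("CreateFileA", 0x401005),       # legitimate: recorded call site
    ("WriteFile", 0x401015),         # legitimate: recorded call site
    ("CreateProcessA", 0x0012FF40),  # return address on the stack: injected code
    ("WriteFile", 0x401300),         # inside text, but no recorded call to WriteFile here
]

if __name__ == "__main__":
    for (api, ra), (ok, reason) in monitor(TRACE).items():
        print(f"{api:16s} ret={ra:#010x} {'ALLOW' if ok else 'BLOCK'}: {reason}")
```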
Conclusion
Analyzing motivations helps understand the goals behind worm implementations
Detailed classification of worms helps understand the theory and instruments of worms
Techniques like DOME could help detect and prevent malicious code
Still a lot of work needs to be done
Reference
Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham: “A taxonomy of computer worms”, Proceedings of the 2003 ACM workshop on Rapid Malcode
Jesse C. Rabek, Roger I. Khazan, Scott M. Lewandowski, Robert K. Cunningham: “Detection of injected, dynamically generated, and obfuscated malicious code”, Proceedings of the 2003 ACM workshop on Rapid Malcode
Questions?