Page 1

Copyright 2004 Sheng Bai

The Classification and Detection of Computer Worms

(60-592 survey report)

Instructor: Dr. A. K. Aggarwal

Session: Winter 2004

Student Name: Sheng Bai

Page 2

Agenda

Introduction
Motivation
Classification
Detection
Conclusion
Reference

Page 3

Introduction

I. A taxonomy of computer worms

II. Detection of injected, dynamically generated, and obfuscated malicious code

Page 4

Introduction

Definition
  First widespread notice in 1988
  Self-propagating, with malicious objectives
Comparison of malicious code
  Viruses require some sort of user action to trigger their propagation
  Worms propagate at high speed

Page 5

Motivation

Experimental curiosity
Pride
Extortion and criminal gain
Random protest
Political protest
Terrorism
Cyber warfare

Page 6

I. Experimental Curiosity

“Morris Worm”, launched on November 2, 1988
  Experimental
  Self-replicating
“ILOVEYOU”

Page 7

II. Pride

Showing off knowledge about security
Showing off uncommon abilities
Gaining respect in the hacker world

Page 8

III.Extortion and Criminal Gain

Internet-based business
Denial of Service (DOS) attack
Threaten some major e-commerce or portal companies
Some other worms search for credit-card information

Page 9

IV.Random Protest

No particular or clear objectives
Disrupt networks and infrastructure
Topological, optimized worms

Page 10

V.Political Protest

Some radical groups
Prevent the opponent’s publicizing on the Internet
Yaha Mail worm, DOS attack

Page 11

VI.Terrorism

Large corporations are viewed as an evil
Animosity directed against particular nations or governments
Execute worms in large, networked environments
Always target all infectible computers
Aim to cause significant monetary disruption

Page 12

VII.Cyber Warfare

Based on computing infrastructure, both economic and governmental firms
All countries face the threat of an electronic attack
Governmental computers, networked military, and large e-commerce sites
Could frame others as the apparent perpetrators

Page 13

Classification

Target discovery

Carrier

Activation

Payloads

Page 14

I. Target Discovery

Scanning
Externally Generated Target Lists
Internal Target Lists
Passive

Page 15

Scanning

Sending probes to a set of addresses
Two types
  Sequential form
  Random form
Slow propagating speed
Optimizations
  Emphasis on local addresses
  Permutation scanning
Anomalous compared with normal Internet traffic
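An added example (not from the slides or the cited paper) of the last point, that scanning stands out from normal traffic: a small Python detector over constructed connection records flags any source that contacts many distinct addresses in a short window and labels the sweep as sequential or random, the two forms named above. The sample flows, the window, the threshold and the address ranges are constructed assumptions.

```python
"""Added example: toy per-source scan detector (not the slide deck's own code)."""
from collections import defaultdict
import ipaddress

# Constructed sample of connection attempts: (second, src, dst, dst_port).
# 10.0.0.5 is a normal client (few distinct peers), 10.0.0.9 sweeps
# consecutive addresses, 10.0.0.17 probes scattered addresses on one port.
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "10.0.0.1", 53) for t in range(0, 20, 2)]
    + [(t, "10.0.0.5", "198.51.100.7", 443) for t in range(1, 20, 4)]
    + [(t, "10.0.0.9", f"192.0.2.{t + 1}", 80) for t in range(12)]
    + [(t, "10.0.0.17", d, 445) for t, d in enumerate(
        ["203.0.113.41", "192.0.2.200", "198.51.100.3", "203.0.113.9",
         "192.0.2.77", "198.51.100.150", "203.0.113.250", "192.0.2.12"])]
)


def _pattern(targets):
    """'sequential' when targets (in first-contact order) are consecutive IPs."""
    nums = [int(ipaddress.ip_address(a)) for a in targets]
    if all(b - a == 1 for a, b in zip(nums, nums[1:])):
        return "sequential"
    return "random"


def find_scanners(flows, window=30, threshold=6):
    """Return {src: pattern} for every source that contacts more than
    `threshold` distinct destination addresses within `window` seconds.
    A normal client talks to a few peers repeatedly; a scanning worm
    touches many different addresses, which is the anomaly we key on."""
    by_src = defaultdict(list)
    for t, src, dst, _port in sorted(flows):
        by_src[src].append((t, dst))
    verdicts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            targets = []
            for _, dst in events[start:end + 1]:
                if dst not in targets:
                    targets.append(dst)
            if len(targets) > threshold:
                verdicts[src] = _pattern(targets)
                break
    return verdicts


if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS))  # {'10.0.0.9': 'sequential', '10.0.0.17': 'random'}
```

A permutation-scanning worm would also exceed the distinct-address threshold but would be labelled random, since its targets are not consecutive.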

Page 16

Externally Generated Target Lists

A target list maintained on a server
A worm first queries the list server to get the target list
For example, using Google as the list server
Not found in the real world yet

Page 17

Internal Target Lists

Network-based applications always contain information about other hosts
Create an attack by searching local information
Appears normal in local traffic
Needs highly distributed sensors

Page 18

Passive

Not actively searching for victim hosts
Waiting for potential victims to make contact
Low spread speed
Produces no abnormal traffic
More stealthy
Some examples
  Gnuman bait worm works as a Gnutella node
  CRClean “anti-worm” waits for a Code Red II related probe

Page 19

II. Propagation Carriers

Two basic types
  Actively spreads itself machine by machine
  Carried along with normal communication
Some implementations
  Self-Carried
  Second Channel
  Embedded

Page 20

Self-Carried

Actively transmits itself to the target host
Commonly used in self-activating scanning or topological worms
Also some passive worms, such as CRClean

Page 21

Second Channel

Needs a second communication channel
Two steps
  First, the worm communicates with the victim machine using the original channel
  Then the victim machine connects back to the infecting machine using another channel to download the worm body

Page 22

Embedded

Either appending to or replacing normal messages
Always viewed as common communication
Stealthy, very difficult to detect
Suitable for worms that also use a stealthy target discovery strategy

Page 23

III. Activation

Human Activation
Human Activity-Based Activation
Scheduled Process Activation
Self Activation

Page 24

Human Activation

The slowest worm activation method
Try to convince people by using social engineering techniques
  Indicating urgency: “Attached is an important message for you”
  Exploiting people’s vanity: “Open this message to see who loves you”
Using bugs in the software that brought the worms

Page 25

Human Activity-Based Activation

Also needs some user operations
These operations are not directly related to the worm
  Resetting the machine
  Logging in
  Opening a remotely infected file

Page 26

Scheduled Process Activation

Auto-updater programs
Periodic backup and other network software
Using the vulnerabilities of these scheduled system processes
  Infecting
  Activating

Page 27

Self Activation

The fastest worm activation
Utilizing vulnerabilities in
  Services that are always on
  The libraries that the running services use
Methods
  Attach themselves to running services
  Execute other commands using the service’s permissions
Reduce vulnerabilities, limit the access

Page 28

IV. Payloads

None/nonfunctional
Internet Remote Control (Code Red II)
Spam-Relays
HTML-Proxies
Internet DOS (Code Red, Yaha…)
Data Collection (targeting sensitive data)

Page 29

Payloads Cont.

Data Damage (erase data…)
Physical-world Damage
  Reflashing the BIOSes
  Destroying the motherboards
Worm Maintenance

Page 30

Detection

DOME

A host-based technique

Page 31

Introduction

Simple two-step working theory
  Static analysis of the system calls
  Runtime monitor for validating them
Very powerful, could detect
  Injected malicious code (MC)
  Dynamically generated MC
  Obfuscated MC
Can be applied to different operating systems

Page 32

Preprocessing

Disassembling software executables
Recording
  A pair of the virtual address of the instruction and the Win32 API name called
  The address of the instruction immediately after the identified Win32 API call

Page 33

Monitoring and detection

Monitoring Win32 API calls
Validation of Win32 API calls

Page 34

Monitoring Win32 API calls

Detours package
1. Makes a call into the API function
2. Unconditional jump to the Detours wrapper
3. Execute pre-stub code (validation)
4. Return control to the Win32 API body
5. Control is returned back to Detours
6. Execute post-stub code, return control

Page 35

Validation of Win32 API calls

Pre-stub code mentioned above
Checking
  The API name
  The return address
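An added example (not DOME's code and not from the cited paper) that models the two steps described on the Preprocessing and Validation slides: preprocess() plays the static analysis that records each Win32 API call site together with the address of the following instruction, and pre_stub() plays the runtime check of API name plus return address. The disassembly listing, the __imp__ symbol spelling and all addresses are constructed assumptions.

```python
"""Added example: a model of DOME's static table + pre-stub check (not DOME's code)."""
import re

# Constructed disassembly listing: "virtual_address  instruction" per line.
# Each "call dword ptr [__imp__X@n]" is an import-table call to Win32 API X;
# the address of the next instruction is the return address the API will see.
LISTING = """\
00401000  push ebp
00401001  mov ebp, esp
00401003  push 0
00401005  call dword ptr [__imp__CreateFileA@28]
0040100b  mov esi, eax
0040100d  push esi
0040100e  call dword ptr [__imp__WriteFile@20]
00401014  push 0
00401016  call dword ptr [__imp__ExitProcess@4]
0040101c  int 3
"""

CALL_RE = re.compile(r"^([0-9a-f]{8})\s+call dword ptr \[__imp__(\w+?)@\d+\]$")


def preprocess(listing):
    """Static analysis step: return the set of (return_address, api_name)
    pairs for every Win32 API call site in the listing, i.e. the address of
    the instruction immediately after the call and the API it calls."""
    lines = listing.strip().splitlines()
    allowed = set()
    for i, line in enumerate(lines):
        m = CALL_RE.match(line.strip())
        if m and i + 1 < len(lines):
            next_addr = int(lines[i + 1].split()[0], 16)
            allowed.add((next_addr, m.group(2)))
    return allowed


def pre_stub(allowed, api_name, return_address):
    """Runtime validation step (what the Detours pre-stub checks): the call is
    accepted only if this API name at this return address was seen statically.
    Injected or dynamically generated code lives at addresses that were never
    in the listing, so its calls fail this check even if the API name matches."""
    return (return_address, api_name) in allowed


if __name__ == "__main__":
    table = preprocess(LISTING)
    print(pre_stub(table, "WriteFile", 0x00401014))  # True: a recorded call site
    print(pre_stub(table, "WriteFile", 0x0012FF40))  # False: not a recorded site
```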

Page 36

Conclusion

Analyzing motivations helps understand the implementation goals of worms

A detailed classification of worms helps understand the theory and instruments of worms

Techniques like DOME could help detect and prevent malicious code

Still a lot of work needs to be done

Page 37

Reference

Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham: “A taxonomy of computer worms”, Proceedings of the 2003 ACM workshop on Rapid Malcode

Jesse C. Rabek, Roger I. Khazan, Scott M. Lewandowski, and Robert K. Cunningham: “Detection of injected, dynamically generated, and obfuscated malicious code”, Proceedings of the 2003 ACM workshop on Rapid Malcode

Page 38

Questions?