Search Worms. N. Provos, J. McClain, K. Wang. ACM Workshop on Recurring Malcode (WORM) 2006. Presented by Dhruv Sharma.

Introduction
- A worm is malicious code that propagates over a network, with or without human assistance.
- Worm authors are looking for new ways to acquire vulnerable targets.
- Search worms propagate automatically by copying themselves to target systems, and they can severely harm search engines.
- Worms send carefully crafted queries to search engines, which evades identification mechanisms that assume random scanning.

How search worms operate
- Search worms generate search queries, analyze the search results and infect the identified targets.
- Return as many unique targets as possible using a list of prepared queries.
- Search for popular domains to extract addresses.
- Prune the search results: remove duplicates and ignore URLs that belong to the search engine itself.
- Exploit the identified targets: reformat URLs to include the exploit and bootstrapping code.

MyDoom.O, a type of search worm
- Requires human intervention to spread.
- Spreads via e-mail containing an executable file as an attachment.
- Searches the local hard drive for e-mail addresses.
- The figure below shows the number of infected hosts and the number of MyDoom.O queries that Google received per second. Peak scan rate: more than 30,000 queries per second.

Santy
- Santy is the first search worm to propagate automatically, without any human intervention.
- Written in Perl; exploits a bug in the phpBB bulletin board system.
- After injecting arbitrary code into a Web server running phpBB, it uses Google to search for more targets and connects the infected machine to an IRC botnet.
- The graph below shows a timeline of infected IP addresses for three different Santy variants in December 2004; each variant manages to infect about four thousand different IP addresses.

Graphical description of the dependencies between different Santy variants, collected using a honeypot
- Shows the dependency between Santy variants from August 2005 to May 2006.
- Each node is labelled by the filename downloaded to the infected host; two nodes are connected with an edge if their line difference, computed via diff, is minimal with respect to all other variants.
- The graph shows that some variants of Santy have been continuously modified for over six months.

The architecture of the worm mitigation system is split into three phases:
- Anomaly identification
- Signature generation
- Index-based filtering

Identifying abnormal traffic
- Automatically blocks parts of the worm traffic after observing IP addresses.
- Classifies the IP addresses responsible for abnormal traffic by maintaining a map of frequent words, which is used to compute the compound probability of a query.
- Flags an IP address as abnormal if it sends too many low-probability queries.
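The anomaly identification step above, written out as an added example that is not code from the paper or the slides. The benign query sample, the query log, the thresholds and the add-one smoothing are all constructed assumptions; the point is that a frequent-word map turns each query into a compound probability, and the per-IP count of low-probability queries is what gets flagged.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed benign query sample standing in for the search engine's
# frequent-word map; a deployment would build this from normal traffic.
GOOD_QUERIES = [
    "weather forecast london", "python tutorial", "best pizza recipe",
    "football scores today", "cheap flights paris", "news headlines today",
    "python weather library", "london news",
]

# Constructed query log of (client IP, query). 10.0.0.9 behaves like a
# search worm: a burst of near-identical queries made of rare tokens.
QUERY_LOG = [
    ("10.0.0.1", "weather forecast london"),
    ("10.0.0.1", "python tutorial"),
    ("10.0.0.2", "quantum chess rules"),  # rare words, but a one-off
    ("10.0.0.9", "xk7 v10 board"),
    ("10.0.0.9", "xk7 v11 board"),
    ("10.0.0.9", "xk7 v12 board"),
]

LOW_PROB = 1e-4  # a query below this compound probability is "low"
MAX_LOW = 2      # more than this many low queries flags the IP

def tokenize(query):
    return re.findall(r"\w+", query.lower())

def build_word_map(queries):
    """Frequent-word map (token -> count) and the total token count."""
    counts = Counter(t for q in queries for t in tokenize(q))
    return counts, sum(counts.values())

def query_probability(query, counts, total):
    """Compound probability: product of add-one-smoothed word probabilities,
    accumulated in log space to avoid underflow. Longer queries score
    lower, so LOW_PROB is tuned for short queries."""
    denom = total + len(counts) + 1  # +1 reserves mass for unseen tokens
    log_p = sum(math.log((counts[t] + 1) / denom) for t in tokenize(query))
    return math.exp(log_p)

def flag_abnormal_ips(log, counts, total, low_prob=LOW_PROB, max_low=MAX_LOW):
    """IPs that sent more than max_low low-probability queries."""
    low_per_ip = defaultdict(int)
    for ip, query in log:
        if query_probability(query, counts, total) < low_prob:
            low_per_ip[ip] += 1
    return {ip for ip, n in low_per_ip.items() if n > max_low}
```

With these inputs only 10.0.0.9 is flagged; 10.0.0.2 sends one rare query and stays under the threshold, which is the distinction between an unusual user and a scanner.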

Signature generation
- Generates signatures based on Polygraph.
- Extracts tokens from bad queries to create signatures matching the bad traffic.
- Hierarchical clustering is used to merge signatures until a predefined false-positive threshold is reached; false positives are computed by matching the signatures against a good query set.
- The following signature was generated in an experiment (token extraction on a cluster of GHz Intel Xeon machines):
  GET /search\?q=.*\+-modules&num=[0-9][0-9]+&start=

Index-based filtering
- Modifies the search index to handle multiple search queries mapping to similar result pages.
- A search worm relies on a search engine to obtain a list of potentially vulnerable targets; if the search engine does not provide any vulnerable targets in the search results, the worm fails to spread.
- Tag all pages that seem to contain vulnerable information while crawling.
- Query results are not returned if they contain pages from many hosts and the majority of those hosts are tagged as vulnerable.
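The index-based filter above as an added example, not code from the paper or the slides. The crawl, the hosts, the "ExampleBoard 1.0" tagging marker, the toy retrieval function and the minimum host count are constructed assumptions; what it shows is that the decision is made on the result set alone, so it holds for any query that maps to the same tagged pages.

```python
import re
from collections import namedtuple

IndexedPage = namedtuple("IndexedPage", "url host text tagged")

# Constructed tagging rule applied at crawl time: pages advertising the
# fictional "ExampleBoard 1.0" application are tagged as potential targets.
VULNERABLE_MARKER = "exampleboard 1.0"

def tag_page(url, host, text):
    return IndexedPage(url, host, text, VULNERABLE_MARKER in text.lower())

# Constructed crawl: eight pages on six hosts, three hosts tagged.
INDEX = [
    tag_page("http://a.example/forum", "a.example", "Powered by ExampleBoard 1.0 forum"),
    tag_page("http://b.example/board", "b.example", "ExampleBoard 1.0 community forum"),
    tag_page("http://c.example/talk", "c.example", "Forum running ExampleBoard 1.0"),
    tag_page("http://d.example/faq", "d.example", "Forum FAQ and rules"),
    tag_page("http://e.example/news", "e.example", "Daily news and weather forum"),
    tag_page("http://f.example/blog", "f.example", "Cooking blog: forum favourites"),
    tag_page("http://a.example/wiki", "a.example", "Project wiki pages"),
    tag_page("http://b.example/wiki", "b.example", "Wiki about ExampleBoard 1.0 upgrades"),
]

MIN_HOSTS = 3  # only filter result sets that span at least this many hosts

def search(index, query):
    """Toy retrieval: pages whose text contains every query token."""
    toks = re.findall(r"\w+", query.lower())
    return [p for p in index if all(t in p.text.lower() for t in toks)]

def filter_results(results, min_hosts=MIN_HOSTS):
    """Withhold a result set that spans many hosts when a majority of
    those hosts are tagged vulnerable; the rule never looks at the query."""
    host_tagged = {}
    for p in results:
        host_tagged[p.host] = host_tagged.get(p.host, False) or p.tagged
    if len(host_tagged) < min_hosts:
        return results
    if 2 * sum(host_tagged.values()) > len(host_tagged):
        return []
    return results

def answer(index, query):
    return filter_results(search(index, query))
```

A generic query ("forum") still returns all six hosts because only half are tagged, a query that hits just two hosts ("wiki") is left alone, and a query whose results are three tagged hosts comes back empty.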

Conclusion
- Search worms spread by querying a search engine for new targets to infect, using the information collected by search engines.
- Signature generation along with anomaly identification is not effective in preventing a worm from spreading.
- The proposed solution is CPU efficient and query independent; it classifies web pages as vulnerable if they belong to an exploitable server or contain potential infection targets.

Pros and Cons
Pros:
- Query-independent index-based filtering.
- Use of word-based features (tokenization): phishing URLs contain several suggestive word tokens.
Cons:
- The signature-based approach is a good option only if given good seed queries; it cannot find new attacks for which there is no prior knowledge.
- Lacks a module that could analyze malicious pages to automatically extract the searches, which in turn could help in finding vulnerable targets.