A Survey of Internet Worm Detection and Containment
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress
Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic, -
A Taxonomy of Computer Worms ∗
A Taxonomy of Computer Worms ∗ † ‡ § ¶ Nicholas Vern Stuart Robert Weaver Paxson Staniford Cunningham UC Berkeley ICSI Silicon Defense MIT Lincoln Laboratory ABSTRACT 1. INTRODUCTION To understand the threat posed by computer worms, it is A computer worm is a program that self-propagates across necessary to understand the classes of worms, the attackers a network exploiting security or policy flaws in widely-used who may employ them, and the potential payloads. This pa- services. They are not a new phenomenon, having first per describes a preliminary taxonomy based on worm target gained widespread notice in 1988 [16]. discovery and selection strategies, worm carrier mechanisms, We distinguish between worms and viruses in that the worm activation, possible payloads, and plausible attackers latter infect otherwise non-mobile files and therefore require who would employ a worm. some sort of user action to abet their propagation. As such, viruses tend to propagate more slowly. They also have more Categories and Subject Descriptors mature defenses due to the presence of a large anti-virus industry that actively seeks to identify and control their D.4.6 [Operating Systems]: Security and Protection—In- spread. vasive Software We note, however, that the line between worms and viruses is not all that sharp. In particular, the contagion worms General Terms discussed in Staniford et al [47] might be considered viruses Security by the definition we use here, though not of the traditional form, in that they do not need the user to activate them, but Keywords instead they hide their spread in otherwise unconnected user activity. Thus, for ease of exposition, and for scoping our computer worms, mobile malicious code, taxonomy, attack- analysis, we will loosen our definition somewhat and term ers, motivation malicious code such as contagion, for which user action is not central to activation, as a type of worm. -
Strategies of Computer Worms
304543_ch09.qxd 1/7/05 9:05 AM Page 313 CHAPTER 9 Strategies of Computer Worms “Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect.” —Concise Oxford English Dictionary, Revised Tenth Edition 313 304543_ch09.qxd 1/7/05 9:05 AM Page 314 Chapter 9—Strategies of Computer Worms 9.1 Introduction This chapter discusses the generic (or at least “typical”) structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a “worm.” We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses1. Let me explain. The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take con- trol of remote systems without any help from the users, usually exploiting a vul- nerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats. Table -
Storm: When Researchers Collide 7 Based on the Kademlia DHT Algorithm [5]
When It comes to Internet threats, B R a n d o n E n R i g h t, g E o ff V o E l k er , few topics get researchers and the media as Stefan SaVagE, ChRiS kaniCh, and kiRill LevchEnko excited as the propagation speed and vital- ity of modern malware. One such example is the SQL Slammer worm, which was the first so-called Warhol Worm, a term used to Storm: when describe worms that get their “15 minutes of fame” by spreading at an exponential researchers collide rate—infecting every vulnerable machine Brandon Enright is a network security analyst at in under 15 minutes [1]. It is ironic, then, that the University of California, San Diego. He is pri- the latest malware to capture the attention marily interested in malware and exploit research. of researchers is not one of the shortest- [email protected] lived but one of the longest, largest, and most successful bots ever: Storm. Geoff Voelker is an associate professor of computer science at the University of California, San Diego. He works in computer systems and networking. Storm got its name from a particular self-propa- [email protected] gation spam email subject line used in early 2007: “230 dead as storm batters Europe.” Storm, also known as the Storm worm, is not actually a worm. It is hybrid malware: part worm, part bot (a pro- Stefan Savage is an associate professor of computer gram designed to perform automated tasks), part science at the University of California, San Diego. -
Compromised by Design? Securing the Defense Electronics Supply Chain
Compromised By Design? Securing the Defense Electronics Supply Chain John Villasenor November 2013 Executive Summary Electronic “chips” are found everywhere—not just in critical defense systems, but John Villasenor is a also in the broader infrastructure for power, finance, communications, and nonresident senior fellow transportation. All of these systems function effectively only when the electronic in Governance Studies circuits at their heart can be trusted to operate as intended. and the Center for Technology Innovation at Brookings. He is also a Unfortunately, ensuring trust has become much more difficult in recent years. professor of electrical Concern over the growth of counterfeit electronics (parts that have been harvested from discarded systems, relabeled, and sold as new to unsuspecting buyers) has engineering and public 1 policy at UCLA. grown in recent years. These parts can fail prematurely, with potentially disastrous consequences. Thanks to recent congressional attention, improved detection methods, and heightened screening requirements for parts destined for defense systems, however, the threat of counterfeits is being actively addressed. Yet the supply chain is almost completely unprotected against a threat that may turn out to be more significant in the long term: Chips could be intentionally compromised during the design process, before they are even manufactured. If placed into the design with sufficient skill, these built-in vulnerabilities would be extremely difficult to detect during testing. And, they could be exploited months or years later to disrupt—or exfiltrate data from—a system containing the compromised chip. As chips have gotten more complex and design teams have grown larger and more globalized, the opportunities to insert hidden malicious functionality have increased. -
Detection, Propagation Modeling and Designing of Advanced Internet Worms
DETECTION, PROPAGATION MODELING AND DESIGNING OF ADVANCED INTERNET WORMS By PARBATI KUMAR MANNA A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY UNIVERSITY OF FLORIDA 2008 1 °c 2008 Parbati Kumar Manna 2 To my family, friends, and teachers 3 ACKNOWLEDGMENTS I want to take this opportunity to thank all the people who helped me during my doctoral sojourn. I understand that it is rather late to acknowledge their contributions, but as the saying goes, better late than never! First, I want to thank my committee, starting with my advisor and Chair, Dr. Sanjay Ranka. He expressed his intention to work with me during my very first week of class at University of Florida, and has been a true guide to me in every aspect since then. He offered me complete freedom in pursuing my research in any area that I felt passionate about, and provided ample research direction from time to time. I am truly thankful and honored to work as his student for the past six years. It has also been a pleasure to work with Dr. Shigang Chen, who served as my co-chair. A stalwart in the network research community, he has been instrumental in providing his domain expertise to my research area in a very big way. Without his help, I can barely imagine myself to be where I am now. I would also like to thank Dr. Alin Dobra, Dr. Christopher Germaine, Dr. Sartaj Sahni and Dr. Malay Ghosh who helped me in various academic as well as non-academic matters throughout my stay at Gainesville. -
Cyber Warfare: Surviving an Attack
14 Cyber Warfare: Surviving an Attack By Devabhaktuni Srikrishna Cyberspace is a new domain of warfare. Created to minimize the vulnerability of United States communications networks to a crippling nuclear first strike by the Soviet Union, the Internet that was originally envisioned to enhance U.S. security is turning into a battlefield 1 for nations or sub-national groups to launch virally spreading attacks 2 and induce network failures potentially involving critical infrastructure systems.3 Cyber warfare and cyberoffense 4 have been a part of U.S. military operations for decades.5 Treaties and rules of engagement define what is off-limits during a cyberwar.6 The more vulnerable the system is, the more policy is necessary to deter adversarial nations from launching attacks, and vice-versa. Some cyberattacks are analogous to air forces probing one anotherʼs defenses or perhaps to espionage during the Cold War, which occurred though there was no official war and no physical harm. Cyberespionage largest recent cyberattacks in their book, but due to a gap in theory and practice. operations of China, for example, against the United States and its allies Cyber War: The Next Threat to National Organizations are vulnerable to the extent have been going on for years and will Security and What to Do About It. Once a they want to be and to how much they want never really end.7 virus or malware is inadvertently to spend to address vulnerabilities. 14 And downloaded onto a networked personal cyber vulnerabilities can be completely U.S. Air Force General Kevin Chilton, computer (PC) by a user9, the PC can be eliminated -- unlike conventional, nuclear, former Commander-in-Chief of commandeered to perform cyberattacks chemical, or biological which are permanent Strategic Command, has stated that ranging from electronic banking crimes, vulnerabilities due to laws of nature. -
A Research on Different Types of Malware and Detection Techniques
International Journal of Recent Technology and Engineering (IJRTE) ISSN: 2277-3878, Volume-8 Issue-2S8, August 2019 A Research on Different Types of Malware and Detection Techniques Chandini S B, Rajendra A B,Nitin Srivatsa G Abstract—Malware has become a serious threat. Malware that load on to memory by inserting infected code into an analysis is one of the challenging domain. The increase in the executable file. malware exploitation has made the detailed study of the malware, understand the different types of malware and its behavior model Resident Virus and analyze the existing detection system with their short comes to This type of virus hides within the computer memory and identify the research gaps [8] to solve the specific problem. So in gets activated whenever the operating system starts or this paper, we have presented the different malware taxonomy and different malware detection techniques with its features and also execute a specific action. presented the malware model and the research gaps in the Non-resident Virus malware analysis domain. This type of virus does not reside in memory. It infects the Keywords: Polymorphic virus, Malware genesis, target and transfers the control to the infected application Self-replicating cellular automata, Zero-day threat, obfuscation program. It consists of finder module and replicating modules technique, and Anomaly-based detection. finder will find the new targets to infect the new file and the replicates will infect the file. I. INTRODUCTION Macro Virus Malware is a malicious code which comes with the intention to destruct the system [1]. Some of the symptoms of This virus is written in a macro language. -
Computer Viruses and Malware Advances in Information Security
Computer Viruses and Malware Advances in Information Security Sushil Jajodia Consulting Editor Center for Secure Information Systems George Mason University Fairfax, VA 22030-4444 email: [email protected] The goals of the Springer International Series on ADVANCES IN INFORMATION SECURITY are, one, to establish the state of the art of, and set the course for future research in information security and, two, to serve as a central reference source for advanced and timely topics in information security research and development. The scope of this series includes all aspects of computer and network security and related areas such as fault tolerance and software assurance. ADVANCES IN INFORMATION SECURITY aims to publish thorough and cohesive overviews of specific topics in information security, as well as works that are larger in scope or that contain more detailed background information than can be accommodated in shorter survey articles. The series also serves as a forum for topics that may not have reached a level of maturity to warrant a comprehensive textbook treatment. Researchers, as well as developers, are encouraged to contact Professor Sushil Jajodia with ideas for books under this series. Additional tities in the series: HOP INTEGRITY IN THE INTERNET by Chin-Tser Huang and Mohamed G. Gouda; ISBN-10: 0-387-22426-3 PRIVACY PRESERVING DATA MINING by Jaideep Vaidya, Chris Clifton and Michael Zhu; ISBN-10: 0-387- 25886-8 BIOMETRIC USER AUTHENTICATION FOR IT SECURITY: From Fundamentals to Handwriting by Claus Vielhauer; ISBN-10: 0-387-26194-X IMPACTS AND RISK ASSESSMENT OF TECHNOLOGY FOR INTERNET SECURITY.'Enabled Information Small-Medium Enterprises (TEISMES) by Charles A. -
The Internet Worm Incident
Purdue University Purdue e-Pubs Department of Computer Science Technical Reports Department of Computer Science 1989 The Internet Worm Incident Eugene H. Spafford Purdue University, [email protected] Report Number: 89-933 Spafford, Eugene H., "The Internet Worm Incident" (1989). Department of Computer Science Technical Reports. Paper 793. https://docs.lib.purdue.edu/cstech/793 This document has been made available through Purdue e-Pubs, a service of the Purdue University Libraries. Please contact [email protected] for additional information. THE INTEUNET WORM INCIDENT Eugene H. Spafford CSD TR·933 November 1989 The Internet Worm Incident Techmcal• Report CSD·TR·933• Eugene H. Spafford Department of Computer Sciences Purdue University West Lafayetlc. IN USA 47907-2004 [email protected] On the cvening of 2 November 1988. someone "inrccLcd" lhe Internet with a worm progrnm. That progrnm exploited flaws in utility progrnms in systems based on BSD-derived versions of UNIX. The flaws allowed lhc program to break into those machines and copy itself. thus infccling those syslems. This program eventually spread to thousands of machines. and disrupted nonnal activities and Inlcrnet connectivity for many days. TIlis paper explains why this program was a wonn (as opposed to a virus). and provides a brief chronology of both the spread and eradication of the program. That is followed by discussion of some specific issues raised by the community's reaction and subsequent discussion of the event. Included are some interesting lessons learned from thc incident November 20. 1989 The Internet Worm Incident Techmcal• Report CSD·TR-933• Eugene H. Spafford Deparunent of Computer Scicnces Purdue University West Lafayette, IN USA 47907-2004 [email protected] 1. -
Ryuk 04/08/2021
The Evolution of Ryuk 04/08/2021 TLP: WHITE, ID# 202104081030 Agenda • What is Ryuk? • A New Ryuk Variant Emerges in 2021 • Progression of a Ryuk Infection • Infection Chains • Incident: Late September Attack on a Major US Hospital Network • Incident: Late October Attack on US Hospitals • UNC1878 – WIZARD SPIDER • Danger to the HPH Sector • Mitigations and Best Practices • References Slides Key: Non-Technical: Managerial, strategic and high- level (general audience) Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT) 2 What is Ryuk? • A form of ransomware and a common payload for banking Trojans (like TrickBot) • First observed in 2017 • Originally based on Hermes(e) 2.1 malware but mutated since then • Ryuk actors use commercial “off-the-shelf” products to navigate victim networks o Cobalt Strike, Powershell Empire • SonicWall researchers claimed that Ryuk represented a third of all ransomware attacks in 2020 • In March 2020, threat actor group WIZARD SPIDER ceased deploying Ryuk and switched to using Conti ransomware, then resumed using Ryuk in mid-September • As of November 2020, the US Federal Bureau of Investigation (FBI) estimated that victims paid over USD $61 million to recover files encrypted by Ryuk 3 A New Ryuk Variant Emerges in 2021 • Previous versions of Ryuk could not automatically move laterally through a network o Required a dropper and then manual movement • A new version with “worm-like” capabilities was identified in January 2021 o A computer worm can spread copies of itself from device to device -
Payload Based Internet Worm Detection Using Neural Network Classifier
A.Tharani et al. / International Journal of Computer Science Engineering (IJCSE) PAYLOAD BASED INTERNET WORM DETECTION USING NEURAL NETWORK CLASSIFIER A.Tharani MSc (CS) M.Phil. Research Scholar Full Time B.Leelavathi, MCA, MPhil., Assistant professor, Dept. of information technology, Sri Jayendra Saraswathy Maha Vidyalaya CAS ABSTARCT With the capability of infecting hundreds of thousands of hosts, worms represent a major threat to the Internet. The detection against Internet worms is largely an open problem. Internet worms pose a serious threat to computer security. Traditional approaches using signatures to detect worms pose little danger to the zero day attacks. The focus of this research is shifting from using signature patterns to identifying the malicious behavior displayed by the Internet worms. This paper presents a novel idea of extracting flow level features that can identify worms from clean programs using data mining technique such as neural network classifier. Our approach showed 97.90% detection rate on Internet worms whose data was not used in the model building process. Keywords: Internet Worm Detection, Flow features, neural network, Novel detection. 1. INTRODUCTION As computer and communication networks become prevalent, the Internet has been a battlefield for attackers and defenders. One of the most powerful weapons for attackers is the Internet worm [1]. Specifically, a worm attacks vulnerable computer systems and employs self-propagating methods to flood the Internet rapidly. As a result, worms, such as Code Red, Slammer, and Witty, have infected hundreds of thousands of hosts and become a significant threat to network security and management. Moreover, the attacking methods generated by worms’ designers have become increasingly sophisticated, which poses considerable challenges to defenders.