Justin Ma
Stefan Savage
ABSTRACT
Remote code injection exploits inflict a significant societal cost, and an active underground economy has grown up around these continually evolving attacks. We present a methodology for inferring the phylogeny, or evolutionary tree, of such exploits. We have applied this methodology to traffic captured at several vantage points, and we demonstrate that our methodology is robust to the observed polymorphism. Our techniques revealed non-trivial code sharing among different exploit families, and the resulting phylogenies accurately captured the subtle variations among exploits within each family. Thus, we believe our methodology and results are a helpful step to better understanding the evolution of remote code injection exploits on the Internet.
- BBC News. Sasser Creator Avoids Jail Term. http://news.bbc.co.uk/2/hi/technology/4659329.stm, July 2005.Google Scholar
- M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-End Containment of Internet Worms. In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005. Google ScholarDigital Library
- J. R. Crandall. Minos: A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), Fairfax, VA, Oct. 2004. Google ScholarDigital Library
- J. R. Crandall, Z. Su, S. F. Wu, and F. T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In Proceedings of the ACM Conference on Computer and Communications Security, Alexandria, VA, Nov. 2005. Google ScholarDigital Library
- T. Dullien and R. Rolles. Graph-Based Comparison of Executable Objects. In Symposium sur la Sécurité des Technologies de l'Information et des Communications (SSTIC), June 2005.Google Scholar
- H. Flake. Structural Comparison of Executable Objects. In Proceedings of the IEEE Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2004.Google Scholar
- D. Hochbaum. Approximation Algorithms for NP-Hard Problems. PWS Publishing Company, Boston, MA, 1997. Google ScholarDigital Library
- G. Keizer. Sasser Worm Impacted Businesses Around the World. http://www.techweb.com/wire/story/TWB20040507S0008, May 2004.Google Scholar
- H.-A. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004. Google ScholarDigital Library
- C. Kreibich and J. Crowcroft. Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. In Proceedings of the 2nd ACM Workshop on Hot Topics in Networks (HotNets-II), Cambridge, MA, Nov. 2003.Google Scholar
- C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic Worm Detection Using Structural Information of Executables. In Proceedings of Symposium on Recent Advances in Intrusion Detection (RAID), Seattle, WA, Sept. 2005. Google ScholarDigital Library
- R. Lemos. MSBlast Epidemic Far Larger than Believed. http://news.com.com/2100-7349 3-5184439.html, Apr. 2004.Google Scholar
- C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. In Programming Language Design and Implementation (PLDI), Chicago, IL, June 2005. Google ScholarDigital Library
- Metasploit Project. The Metasploit Framework. http://www.metasploit.com/projects/Framework/.Google Scholar
- D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Security and Privacy, 1(4):33--39, July 2003. Google ScholarDigital Library
- D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Network telescopes. Technical Report CS2004-0795, UCSD, July 2004.Google Scholar
- Nepenthes Development Team. ShellcodeHandler Generic LinkTrans. http://nepenthes.mwcollect.org/.Google Scholar
- J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), San Diego, CA, Feb. 2005.Google Scholar
- A. Ng, M. Jordan, and Y. Weiss. On Spectral Clustering: Analysis and an Algorithm. In Proceedings of Advances in Neural Information Processing Systems, 2001.Google Scholar
- R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. In Proceedings of the USENIX/ACM Internet Measurement Conference, Taormina, Sicily, Italy, Oct. 2004. Google ScholarDigital Library
- P. Royal, D. Dagon, and W. Lee. PolyUnpack: Automating the Hidden-Code Extraction of Packed Malware. http://www-static.cc.gatech.edu/ ranma1/polyunpack/.Google Scholar
- S. Singh, C. Estan, G. Varghese, and S. Savage. Automated Worm Fingerprinting. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), San Francisco, CA, Dec. 2004. Google ScholarDigital Library
- spoonm. Recent Shellcode Developments. In REcon, Montreal, QC, June 2005.Google Scholar
- A. E. Stepan. Defeating Polymorphism: Beyond Emulation. In Proceedings of the Virus Bulletin International Conference, Dublin, Ireland, Oct. 2005.Google Scholar
- Symantec. Trojan.Netdepix. http://www.symantec.com/avcenter/venc/data/trojan.netdepix.html.Google Scholar
- Symantec. W32.Korgo.AB. http://www.symantec.com/avcenter/venc/data/w32.korgo.ab.html, Apr. 2004.Google Scholar
- P. Szor. The Art of Computer Virus Research and Defense. Addison Wesley, 2005. Google ScholarDigital Library
- Trend Micro. Virus Encyclopedia. http://www.trendmicro.com/vinfo/virusencyclo/.Google Scholar
- H. Wang, C. Guo, D. Simon, and A. Zugenmaier. Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. In Proceedings of the ACM SIGCOMM Conference, Portland, Oregon, Sept. 2004. Google ScholarDigital Library
Index Terms
- Finding diversity in remote code injection exploits
Recommendations
On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits
CCS '05: Proceedings of the 12th ACM conference on Computer and communications securityVulnerabilities that allow worms to hijack the control flow of each host that they spread to are typically discovered months before the worm outbreak, but are also typically discovered by third party researchers. A determined attacker could discover ...
The Dropper Effect: Insights into Malware Distribution with Downloader Graph Analytics
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications SecurityMalware remains an important security threat, as miscreants continue to deliver a variety of malicious programs to hosts around the world. At the heart of all the malware delivery techniques are executable files (known as downloader trojans or droppers) ...
An Advanced Hybrid Peer-to-Peer Botnet
A “botnet” consists of a network of compromised computers controlled by an attacker (“botmaster”). Recently, botnets have become the root cause of many Internet attacks. To be well prepared for future attacks, it is not enough to study how to detect and ...
Comments