
The wonderful world of worm traps

Gabor Szappanos, gszappanos@virusbuster.hu

Why do we need worm traps? To shorten reaction time (eliminate the user factor), to get new variants (repacked, recompiled), to get a sample for disinfection (if known), and to know what is spreading, instantly.





Presentation Transcript


  1. The wonderful world of worm traps
     Gabor Szappanos, gszappanos@virusbuster.hu

  2. Why do we need worm traps?
     • Shorten reaction time (eliminate the user factor)
     • Get new variants (repacked, recompiled)
     • Get a sample for disinfection (if known)
     • Know what is spreading

  3. Shorten reaction time
     Conventional path:
     • Malware starts spreading/seeding
     • Hours/days: users notice something unusual
     • Hours/days: the sample is submitted to a virus lab
     • Hours: the sample proves to be malicious
     • Database update released
     With a trap:
     • Instantly: the sample is captured in a trap
     • Virus lab alerted

  4. Know what is spreading

  5. Port listeners
     • No (or low) interaction traps
     • Capture TCP/UDP port traffic
     + Very easy to implement
     - Truncated samples on broken connections

  6. Mydoom port listener
     • Using the backdoor and keeping it (same group): Mydoom.E, .F, Doomjuice.A, .B
     • Using the backdoor and removing it: Nachi.H, Doomhunter
     • Using the backdoor: Vesser, Agobot variants
     • Not using the backdoor, but seeded via the backdoor: downloader Agent, Apher, Rscrt; Spybots
     • Not using the backdoor, but removing it: Netsky variants
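A minimal port-listener trap of the kind slides 5 and 6 describe, written here as an added example (it is not code from the talk or from VirusBuster): it records whatever a connecting peer sends and labels a capture that ended in a reset, a silence timeout or a size cap, so a truncated sample is never filed as a complete one. The listening port, the per-capture size cap and the timeout are assumptions, and `simulate()` pushes a constructed payload through a socketpair so the verdict logic can be checked offline.

```python
# Low-interaction port-listener trap (added example, not code from the talk).
import hashlib
import socket
import threading

MAX_BYTES = 4 * 1024 * 1024   # assumed per-capture cap so a flood cannot exhaust memory
READ_TIMEOUT = 30.0           # assumed seconds of silence before a capture is abandoned

def capture_sample(conn, max_bytes=MAX_BYTES, timeout=READ_TIMEOUT):
    """Read until the peer closes; return the bytes plus a completeness verdict."""
    conn.settimeout(timeout)
    chunks, received, status = [], 0, "complete"
    try:
        while received < max_bytes:
            chunk = conn.recv(min(65536, max_bytes - received))
            if not chunk:                 # orderly close: the peer finished sending
                break
            chunks.append(chunk)
            received += len(chunk)
        else:                             # loop ended because the cap was reached
            status = "truncated:size_cap"
    except socket.timeout:
        status = "truncated:timeout"      # peer went quiet mid-transfer
    except OSError:
        status = "truncated:reset"        # the broken-connection case from slide 5
    finally:
        conn.close()
    data = b"".join(chunks)
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
            "status": status, "data": data}

def serve(port, handler, host="0.0.0.0"):
    """Accept connections on `port`; hand each (peer, capture) to `handler`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()     # one thread per peer; defaults bind c/p now
            threading.Thread(target=lambda c=conn, p=peer: handler(p, capture_sample(c)),
                             daemon=True).start()

def simulate(payload, peer_closes, **kw):
    a, b = socket.socketpair()            # offline check: push a constructed payload through
    a.sendall(payload)
    if peer_closes:
        a.close()                         # orderly close -> 'complete'
    result = capture_sample(b, **kw)
    a.close()                             # no-op if already closed
    return result
```

A handler that writes `capture["data"]` to a file named after its hash and keeps the `status` field next to it gives the virus lab both the sample and a warning when the sample is incomplete.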

  7. E-mail traps
     • Seeded addresses
     • Attachment filtering
     • Attachment filtering + spam filter
     • Attachment filtering + RPD

  8. SMB traps
     • Capture worms spreading via open network shares
     • Create open shares and/or shares with weak username/password combinations
     • Can be implemented on every OS that supports file sharing

  9. SMB traps
     + Easy to implement on non-vulnerable platforms
     + Easy maintenance
     - Damaged samples
     - Reinfection loops
     - Depends on ISP settings

  10. Location matters
     • Identical traps on different ISPs show very different results
     • Different filtering rules
     • Local spreading preference for most worms

  11. Native traps
     • Default install without patches
     • Carefully designed (DMZ)
     • Security measures to stop spreading

  12. Native traps
     + Shows exactly what is affecting the user population
     + Gets downloaded and dropped components properly
     - Needs careful design so the trap does not become infective
     - Collects malware specific to the installed OS / patch state

  13. Protocol emulators
     • Emulate common vulnerabilities
     • Parse shell codes
     • Implemented on different platforms
       Windows: WormRadar, HBPot, Multipot
       Linux: MWCollect, Nepenthes

  14. Protocol emulators
     In a selected 37-hour period: 6699 attempts, of them 3057 successful, 73 different malware samples.
     It takes about 1.3 minutes for an average user to get infected.
     + Safe to use: no danger of becoming infective
     + Emulates many OS versions at once
     - Needs to be updated for new vulnerabilities/shell codes
     - Captures may be truncated

  15. URL traps
     • Monitor known download sites
     • Keep track of the new variants
     • Sources:
       • URLs obtained from malware analysis
       • URLs extracted from mass-distributed e-mails

  16. Other places to monitor
     • IRC channels
     • P2P networks
     • Usenet
     What to look for: self-spreading malware, seeding, botnet commands

  17. Questions?
