14 research outputs found

    Shadow Honeypots

    We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network or service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system, transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false positives.
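
    The request pipeline the abstract describes, as an added toy simulation (not code from the Shadow Honeypots paper or its Apache/Firefox prototypes): a deliberately aggressive anomaly detector routes suspicious requests to an instrumented shadow that works on a private copy of the shared application state; an attack caught by the instrumentation is discarded and added to a filter, while a misclassified legitimate request is committed and answered normally. The 64-byte field limit, the length/non-printable heuristic, and the use of a state copy in place of the paper's shared-state rollback are assumptions of this example.

```python
"""Toy model of the Shadow Honeypot request pipeline (constructed example)."""
import copy
import re
from dataclasses import dataclass, field

MAX_FIELD_LEN = 64  # assumed size of the buffer the unprotected code writes into


@dataclass
class AppState:
    """Application state shared (conceptually) by production and shadow."""
    visits: int = 0
    notes: list = field(default_factory=list)


class AttackDetected(Exception):
    """Raised by the shadow's instrumentation when a request would corrupt memory."""


def anomaly_detector(request: str) -> bool:
    """Cheap heuristic tuned for recall: long or non-printable requests are anomalous.
    False positives are acceptable here because the shadow will sort them out."""
    return len(request) > 48 or bool(re.search(r"[^\x20-\x7e]", request))


def process(state: AppState, request: str, instrumented: bool) -> str:
    """Application logic shared by both instances. With `instrumented=True` the same
    code carries the bounds check a memory-safety instrumentation layer would add;
    the production path runs without it (modelling the unmodified binary)."""
    if instrumented and len(request) > MAX_FIELD_LEN:
        raise AttackDetected(f"{len(request)}-byte write into {MAX_FIELD_LEN}-byte field")
    state.visits += 1
    state.notes.append(request[:MAX_FIELD_LEN])
    return f"stored note #{state.visits}"


class ShadowHoneypotFrontend:
    """Dispatches each request to production or to the shadow and applies verdicts."""

    def __init__(self) -> None:
        self.state = AppState()
        self.blocklist = set()  # filter fed by shadow verdicts (request strings here)
        self.log = []           # (verdict, request[, detail]) tuples for inspection

    def serve(self, request: str) -> str:
        if request in self.blocklist:
            self.log.append(("filtered", request))
            return "rejected"
        if not anomaly_detector(request):
            return process(self.state, request, instrumented=False)
        # Anomalous: run the instrumented shadow on a private copy of the state.
        # The copy stands in for the paper's shared state plus rollback.
        shadow_state = copy.deepcopy(self.state)
        try:
            reply = process(shadow_state, request, instrumented=True)
        except AttackDetected as exc:
            self.log.append(("attack", request, str(exc)))
            self.blocklist.add(request)  # future instances are filtered cheaply
            return "rejected"            # shadow_state is dropped: no side effects
        # False positive: the shadow validated it, so commit and answer normally.
        self.state = shadow_state
        self.log.append(("false_positive", request))
        return reply


if __name__ == "__main__":
    fe = ShadowHoneypotFrontend()
    for req in ["hello", "x" * 50, "A" * 200, "A" * 200]:
        print(f"{req[:12]!r:>16} -> {fe.serve(req)}")
    print(fe.log)
```

    The point of the split is visible in the log: the 50-byte request is flagged by the detector but committed after the shadow validates it, the 200-byte request is caught by the instrumentation, never touches production state, and is filtered on its second appearance without paying the shadow's overhead again.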

    Enabling Technologies of Cyber Crime: Why Lawyers Need to Understand It

    This Article discusses the enabling technologies of cyber crime and analyzes their role in the resolution of related legal issues. It demonstrates the translation of traditional legal principles to a novel technological environment in a way that preserves their meaning and policy rationale. It concludes that lawyers who fail to understand the translation will likely pursue a suboptimal litigation strategy, face speculative recovery prospects, and may overlook effective and potentially powerful defenses.

    Bagheera: an advanced polymorphic and infection engine for Linux

    Computer viruses have been evolving since the '80s, adopting new techniques with the intention of avoiding detection by anti-virus programs. One of these techniques is polymorphism, which is used to change the virus' structure each time an infection is carried out. This technique was broadly adopted by the virus-writing community and led to the birth of Polymorphic Engines, which can grant polymorphism to any virus. This project focuses on the study of those engines and, in particular, on exploring the techniques used to avoid detection by anti-virus programs. In addition, this project also focuses on the analysis and development of techniques to infect ELF binaries on Linux platforms. The final goal is to design and build a modern polymorphic and infection engine, namely Bagheera, and to evaluate its effectiveness against a state-of-the-art anti-virus on a Linux platform.
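
    Why a polymorphic engine defeats pattern scanning, as an added toy model that is not Bagheera's code and contains no real machine code: `BODY` is an arbitrary constructed byte string standing in for a virus body, the "decryptor stubs" are placeholder markers standing in for semantically equivalent decryptor routines, and each "infection" re-encodes the body under a fresh key. A naive byte-pattern scanner never matches, while a scanner that recognises the stub family and decodes before matching (a stand-in for emulating the decryptor) catches every instance. The 4-byte repeating XOR key and the three stub markers are assumptions of this example.

```python
"""Toy polymorphic encoding versus signature scanning (constructed example)."""
import os

BODY = b"CONSTRUCTED TOY BODY: the bytes a signature would be extracted from"
SIGNATURE = b"TOY BODY"  # fixed pattern a naive scanner keys on (present in BODY)
KEY_LEN = 4

# Placeholder "decryptor stubs": a real engine emits different but equivalent
# instruction sequences; here a distinct marker per variant stands in for that.
STUB_VARIANTS = (b"\xde\xc0\xde\x01", b"\xde\xc0\xde\x02", b"\xde\xc0\xde\x03")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so encode and decode share it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mutate(body: bytes = BODY) -> bytes:
    """Produce one 'infection': random stub variant + random key + encoded body.
    Every call yields a different byte layout for the same underlying body."""
    key = os.urandom(KEY_LEN)
    while b"\x00" in key:  # a zero key byte would leave some bytes in the clear
        key = os.urandom(KEY_LEN)
    stub = STUB_VARIANTS[key[0] % len(STUB_VARIANTS)]
    return stub + key + xor_bytes(body, key)


def naive_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Raw byte-pattern scanner: exactly what the encoding is designed to defeat."""
    return signature in sample


def decrypting_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scanner that knows the stub family: recover the key that follows the stub,
    decode the body and then match. Stands in for emulation-based detection."""
    if naive_scan(sample, signature):
        return True
    for stub in STUB_VARIANTS:
        if sample.startswith(stub):
            key = sample[len(stub):len(stub) + KEY_LEN]
            return signature in xor_bytes(sample[len(stub) + KEY_LEN:], key)
    return False


def compare_scanners(samples: int = 20) -> dict:
    """Generate fresh mutations and report how each scanner fares on them."""
    mutations = [mutate() for _ in range(samples)]
    return {
        "distinct_mutations": len(set(mutations)),
        "naive_hits": sum(naive_scan(m) for m in mutations),
        "decrypting_hits": sum(decrypting_scan(m) for m in mutations),
        "clean_body_hits": int(naive_scan(BODY)),
    }


if __name__ == "__main__":
    print(compare_scanners())
```

    The decoding scanner works only because it knows the stub family; an engine that also varies the stub beyond a fixed set of markers forces the scanner toward full emulation or behavioural detection, which is the arms race the abstract refers to.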

    Opinionated Software

    Information security is an important and urgent priority in the computer systems of corporations, governments, and private users. Malevolent software, such as computer viruses and worms, constantly threatens the confidentiality, integrity, and availability of digital information. Virus detection software announces the presence of a virus in a program by issuing a virus alert. A virus alert presents two conflicting legal issues. A virus alert, as a statement on an issue of great public concern, merits protection under the First Amendment. The reputational interest of a plaintiff disparaged by a virus alert, on the other hand, merits protection under the law of defamation. The United States Supreme Court has struck a balance by constitutionalizing the common law of defamation in a series of influential decisions. This article focuses on two implications of these decisions, namely that (1) a plaintiff must show that the defamatory statement is objectively verifiable as true or false; and (2) a plaintiff must prove its falsity with convincing clarity, while the defendant may prove the truthfulness of the statement as a defense. The crucial issues in these implications are truth, falsity, and verifiability. This article analyzes the balance between the conflicting legal rights associated with a virus alert. It focuses on the legal meanings of truth, falsity, and verifiability of a virus alert, and the resolution of these issues in the context of the technology involved in a virus alert. The analysis merges perspectives from constitutional law, the law of defamation, and information technology. Insights from theoretical computer science demonstrate, for instance, that the truth of a virus alert may be unverifiable. In such a case the alert would receive full constitutional protection under the Supreme Court's First Amendment defamation jurisprudence.

    Reliable Identification of Bounded-length Viruses is NP-complete

    A virus is a program that replicates itself by copying its code into other files. A common virus protection mechanism involves scanning files to detect code patterns of known viruses. We prove that the problem of reliably identifying a bounded-length mutating virus is NP-complete by showing that a virus detector for a certain virus strain can be used to solve the satisfiability problem. The implication of this result is that virus identification methods will face increasing strain as virus mutation and hosting strategies mature, and that different protection methods should be developed and employed.
