ISSN: 2278 – 1323
International Journal of Advanced Research in Computer Engineering & Technology
Volume 1, Issue 4, June 2012, pp. 341–346
All Rights Reserved © 2012 IJARCET

Detection of traditional and new types of Malware using Host-based detection scheme

Satish N. Chalurkar (1), Dr. B. B. Meshram (2)
(1) Computer Department, VJTI, Mumbai; satishchalurkar1@gmail.com
(2) Head of Computer Department, VJTI, Mumbai; bbmeshram@vjti.org.in

Abstract--- In this paper, we have discussed many traditional and new types of worms, including C-worms (the "c" stands for camouflaging, because of the worm's self-propagating and hiding nature). An active worm refers to a malicious software program that propagates itself on the Internet to infect other computers. The propagation of the worm is based on exploiting vulnerabilities of computers on the Internet. This paper also shows the working of various worms and their detection systems. These detection techniques not only detect worms but also detect various other malware attacks.

Keywords--- active worms, c-worms, host based detection system, network based detection system, types of worms

I. INTRODUCTION

Malware can infect systems by being bundled with other programs or attached as macros to files. Others are installed by exploiting a known vulnerability in an operating system (OS), network device, or other software, such as a hole in a browser that only requires users to visit a website to infect their computers. The vast majority, however, are installed by some action from a user, such as clicking an e-mail attachment or downloading a file from the Internet.

Some of the more commonly known types of malware are viruses, worms, Trojans, bots, back doors, spyware, and adware. Damage from malware varies from causing minor irritation (such as browser popup ads), to stealing confidential information or money, destroying data, and compromising and/or entirely disabling systems and networks.

Malware cannot damage the physical hardware of systems and network equipment, but it can damage the data and software residing on the equipment. Malware should also not be confused with defective software, which is intended for legitimate purposes but has errors or bugs.

What makes them so deadly and hard to identify is the way they reach your PC and go unnoticed under the camouflage of reliable software. Most advertisers banking on adware use third-party software bundles to pack their adware in. Since people want to install these programs, they also end up installing the adware.

Malware also uses rootkits to manipulate the operating system. They make changes such that they are not identified in the Task Manager panel. So in essence your PC might run evidently slowly, yet you still can't see the applications running in the background, which gives the malware ample time to spread to all the roots.

Malware can be roughly broken down into types according to the malware's method of operation. Anti-"virus" software, despite its name, is able to detect all of these types of malware.

An active worm refers to a malicious software program that propagates itself on the Internet to infect other computers. The propagation of the worm is based on exploiting vulnerabilities of computers on the Internet.

"A worm is a program that can run by itself and can propagate a fully working version of itself to other machines. It is derived from the word tapeworm, a parasitic organism that lives inside a host and saps its resources to maintain itself."

The worm used an interesting hook-and-haul method of propagation that masked its entrance to a site and kept its mechanisms secret. It was also multifaceted and multi-architecture, using multiple methods to gain entrance to a machine and affecting two entirely different computer architectures. It had an intensely computational part that was meant to give it resilience through the ability to infiltrate through many user accounts, but it had an ineffective mechanism to limit its growth rate.

Particularly, the epidemic dynamic model assumes that any given computer is in one of the following states: immune, vulnerable, or infected. An immune computer is one that cannot be infected by a worm; a vulnerable computer is one that has the potential of being infected by a worm; an infected computer is one that has been infected by a worm.

In this paper, Section II describes various types of worms and the details of active worms (active worms are those that infect systems). Section III describes C-worms and various detection systems. Section IV contains the conclusion.

II. RELATED WORK

A. Types of worms

Many real-world worms have caused notable damage on the Internet. These worms include the "Code-Red" worm, the "Slammer" worm, and the "Witty"/"Sasser" worms. Many active worms are used to infect a large number of computers and recruit them as bots or zombies, which are networked together to form botnets.

1) Slapper Worms

Slapper would attempt to remotely compromise systems by randomly selecting a network to scan and doing a sequential sweep of all IP addresses in the network while looking for vulnerable Web servers.

The Slapper worm's P2P communications protocol was designed to be used by a hypothetical client to send commands to and receive responses from an infected host (a node). In this way, the client can perform several different actions while hiding its network location and making communications more difficult to monitor [1].

2) Slammer Worms

Slammer (sometimes called Sapphire) was the fastest computer worm in history. As it began spreading throughout the Internet, the worm infected more than 90 percent of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation, and government institutions and precluding any human-based response [2].

Slammer's most novel feature is its propagation speed. In approximately three minutes, the worm achieved its full scanning rate (more than 55 million scans per second), after which the growth rate slowed because significant portions of the network had insufficient bandwidth to accommodate more growth.

The worm's spreading strategy uses random scanning: it randomly selects IP addresses, eventually finding and infecting all susceptible hosts. Random-scanning worms initially spread exponentially, but their rapid new-host infection slows as the worms continually retry infected or immune addresses. Thus, as with the Code Red worm, Slammer's infected-host proportion follows a classic logistic form of initial exponential growth in a finite system. This growth behaviour is labelled a random constant spread (RCS) model.

While Slammer spread nearly two orders of magnitude faster than Code Red, it probably infected fewer machines. Both worms use the same basic scanning strategy to find vulnerable machines and transfer their exploitive payloads; however, they differ in their scanning constraints. While Code Red is latency-limited, Slammer is bandwidth-limited, enabling Slammer to scan as fast as a compromised computer can transmit packets or a network can deliver them.

3) Sobig Worms

Like its predecessors, Sobig.E is unremarkable in many ways. It's a piece of malicious code that targets Microsoft Windows operating systems. Written in Microsoft Visual C++, it makes use of threads, its executable is compressed with either UPX or TeLock, it collects email addresses by harvesting files (such as Windows Address Book [WAB], Outlook Express mailbox [DBX], HTM, HTML, Mail message [EML], or text [TXT]), and attempts to infect new systems by sending them an infected email message or by copying itself to an open network share. The worm also includes its own simple mail transport protocol (SMTP) engine, spoofs its emails' source address, encrypts and decrypts text strings as needed, and creates a mutual exclusion object (mutex) on infected systems to ensure they are not infected more than once.
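The three-state epidemic model (immune, vulnerable, infected) and the random constant spread (RCS) behaviour described for Slammer above can be made concrete with a small simulation. The Python below is an added illustration written for this edition, not code from the paper or from the works it cites: it simulates a pure random-scan worm over a constructed address space, records the infected-host count per tick, and compares it with the closed-form logistic curve da/dt = K a (1 - a), K = s V / N. The address space size N, vulnerable population V, scans per tick s and tick count are assumed toy values, not measurements of any real worm.

```python
import math
import random


def simulate_random_scan_worm(total_addresses, vulnerable, scans_per_tick, ticks, seed=1):
    """Simulate a pure random-scan (PRS) worm and return the infected-host count
    after every tick. Each address is immune (not in the vulnerable set), vulnerable,
    or infected, matching the three states of the epidemic model.
    All sizes are constructed toy values, not measurements."""
    rng = random.Random(seed)
    vulnerable_hosts = set(rng.sample(range(total_addresses), vulnerable))
    infected = {min(vulnerable_hosts)}          # a single ground-zero host
    history = []
    for _ in range(ticks):
        newly_infected = set()
        for _host in infected:
            for _ in range(scans_per_tick):
                target = rng.randrange(total_addresses)
                # Scans that hit immune or already-infected addresses are wasted,
                # which is what bends the curve from exponential to logistic.
                if target in vulnerable_hosts and target not in infected:
                    newly_infected.add(target)
        infected |= newly_infected              # new victims start scanning next tick
        history.append(len(infected))
    return history


def new_infections(history, initial=1):
    """Per-tick number of newly infected hosts derived from the cumulative history."""
    previous = [initial] + history[:-1]
    return [now - before for now, before in zip(history, previous)]


def logistic_rcs(total_addresses, vulnerable, scans_per_tick, ticks):
    """Closed-form random constant spread (RCS) curve, da/dt = K a (1 - a) with
    K = s V / N and a(0) = 1 / V, expressed as infected hosts per tick."""
    K = scans_per_tick * vulnerable / total_addresses
    a0 = 1.0 / vulnerable
    curve = []
    for t in range(1, ticks + 1):
        growth = math.exp(K * t)
        a = a0 * growth / (1.0 + a0 * (growth - 1.0))
        curve.append(a * vulnerable)
    return curve


if __name__ == "__main__":
    N, V, S, T = 10_000, 500, 10, 80                 # constructed toy parameters
    simulated = simulate_random_scan_worm(N, V, S, T)
    model = logistic_rcs(N, V, S, T)
    increments = new_infections(simulated)
    for tick in range(0, T, 8):
        print(f"tick {tick:2d}: infected={simulated[tick]:4d} "
              f"new={increments[tick]:3d} logistic={model[tick]:7.1f}")
    print("peak growth at tick", increments.index(max(increments)))
```

The per-tick increments show the shape the text describes: a short exponential phase, a peak when roughly half the vulnerable hosts are infected, then a tail in which most scans land on immune or already-infected addresses and growth stops. The stochastic start means the simulated curve lags or leads the logistic one by a few ticks, which is exactly why the trend-based and variance-based detectors discussed later work on the shape of the traffic rather than on its absolute timing.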
4) Morris Worms

• It attacked one operating system, but two different computer architectures.
• It had three distinct propagation vectors.
• It had several mechanisms for finding potential nodes to infect, particularly information about the local system's IP connectivity (its network class and gateway), and information found in user accounts.
• It traversed trusted accounts using password guessing. The worm made heavy use of this computationally intensive method by employing four information sources: accounts with null passwords (no password), information related to the user account, an internal dictionary, and a word list on the local machines, /usr/dict/words.
• It installed its software via a two-step "hook and haul" method (explained later in the "Inside the worm" subsection) that required the use of a C compiler, link loader, and a callback network connection to the infecting system.
• It evaded notice by obscuring the process parameters and rarely leaving files behind.
• It attempted to limit the reinfection rate on each node (but not the total number).
• It attempted to run forever on as many nodes as possible.

Although there had been worms before, no one had tried to run one on a complex topology. For this worm to achieve its purpose of widespread propagation, it had to discover local topology in an arbitrary graph [7].

5) Witty Worms

While the Witty worm is only the latest in a string of self-propagating remote exploits, it distinguishes itself through several interesting features:

• It was the first widely propagated Internet worm to carry a destructive payload.
• It started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm.
• It represents the shortest known interval between vulnerability disclosure and worm release—it began spreading the day after the ISS vulnerability was publicized.
• It spread through a host population in which every compromised host was proactive in securing its computer and networks.
• It spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating worms' viability as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.

B. Active Worms

Active worms are similar to biological viruses in terms of their infectious and self-propagating nature. They identify vulnerable computers, infect them, and the worm-infected computers propagate the infection further to other vulnerable computers. In order to understand worm behavior, we first need to model it. Active worms use various scan mechanisms to propagate themselves efficiently.

The basic form of active worms can be categorized as having the Pure Random Scan (PRS) nature. In the PRS form, a worm-infected computer continuously scans a set of random Internet IP addresses to find new vulnerable computers. Other worms propagate themselves more effectively than PRS worms using various methods, e.g., network port scanning, email, file sharing, Peer-to-Peer (P2P) networks, and Instant Messaging (IM). In addition, worms use different scan strategies during different stages of propagation. In order to increase propagation efficiency, they use a local network or hitlist to infect previously identified vulnerable computers at the initial stage of propagation.

They may also use DNS, network topology and routing information to identify active computers instead of randomly scanning IP addresses. They split the target IP address space during propagation in order to avoid duplicate scans. Li et al. studied a divide-and-conquer scanning technique that could potentially spread faster and more stealthily than a traditional random-scanning worm. Ha et al. formulated the problem of finding a fast and resilient propagation topology and propagation schedule for Flash worms. Yang et al. studied worm propagation over sensor networks.

III. PROPOSED TOOL FOR MALWARE DETECTION

A. C-Worm

The C-Worm camouflages its propagation by controlling scan traffic volume during its propagation. The simplest way to manipulate scan traffic volume is to randomly change the number of worm instances conducting port-scans.

As other alternatives, a worm attacker may use an open-loop control (non-feedback) mechanism by choosing a randomized and time-related pattern for the scanning and infection in order to avoid being detected. Nevertheless, the open-loop control approach raises some issues for the invisibility of the attack.

First, as we know, worm propagation over the Internet can be considered a dynamic system. When an attacker launches worm propagation, it is very challenging for the attacker to know the accurate parameters for worm propagation dynamics over the Internet.

Consequently, the overall worm scan traffic volume in the open-loop control system will have a much higher probability of showing an increasing trend with the progress of worm propagation. As more and more computers get infected, they, in turn, take part in scanning other computers. Hence, we consider the C-Worm as a worst-case attacking scenario that uses a closed-loop control for regulating the propagation speed based on the feedback propagation status [10].

B. Existing Detection System

1) Host Based Detection System

Worm detection has been intensively studied in the past and can be generally classified into two categories: "host-based" detection and "network-based" detection.

Host-based detection systems detect worms by monitoring, collecting, and analyzing worm behaviors on end hosts. Since worms are malicious programs that execute on these computers, analyzing the behavior of worm executables plays an important role in host-based detection systems.

2) Network Based Detection System

In contrast, network-based detection systems detect worms primarily by monitoring, collecting, and analyzing the scan traffic (messages to identify vulnerable computers) generated by worm attacks. Network-based detection schemes commonly analyze the collected scanning traffic data by applying certain decision rules for detecting the worm propagation. For example, Venkataraman et al. and Wu et al. proposed schemes to examine statistics of scan traffic volume, Zou et al. presented a trend-based detection scheme to examine the exponential increase pattern of scan traffic, and Lakhina et al. proposed schemes to examine other features of scan traffic, such as the distribution of destination addresses. Other works study worms that attempt to take on new patterns to avoid detection [10].

Here are some of the techniques for identifying worms in the host or in the network.

1) Distributing sensors

Determining the number and strategic placement of distributed sensors (for example, at an enclave's gateway, at an upstream peering point, or both) for a particular-size enclave maximizes coverage and minimizes communication cost and time to detect propagations and attack precursors.

2) Inferring intent

The relationships among commonly targeted victims suggest what a scanning source's intent might be. For example, a common source of stealthy scanning from an attacking IP address directed toward a set of unrelated victims appears fundamentally different from an attacker scanning a set of IP addresses all owned by, say, several different banks.

3) Profiling behavior

A longitudinal study of attacker behavior and intent and their attacks against victims provides sufficient repeated behavior to accurately predict future attack steps.

4) Classifying activities

We need a way to quickly classify worms and scan or probe activity into useful clusters and profiles according to their characteristics (destination ports, interprobe delay, and payload length, for example) and behaviour.

C. Proposed Detection Scheme

There are three existing systems to detect worms as well as malware attacks.

The first scheme is the volume mean-based (MEAN) detection scheme, which uses the mean of scan traffic to detect worm propagation; the second scheme is the trend-based (TREND) detection scheme, which uses the increasing trend of scan traffic to detect worm propagation; and the third scheme is the victim number variance based (VAR) detection scheme, which uses the variance of the scan traffic to detect worm propagation.
The C-Worm adapts its propagation traffic patterns in order to reduce the probability of detection, and to eventually infect more computers. The C-Worm is different from polymorphic worms that deliberately change their payload signatures during propagation.

1) Architecture of Detection Tool:

Fig 1: Architecture of detection Tool

The above diagram shows the architecture of the detection tool. The first block takes the file to read; it is then passed to the detection tool block, which contains the various blocks shown in the diagram below, and finally the report is generated.

The flow of the above architecture is given below, as also proposed in the paper.

Recall that the C-Worm goes undetected by detection schemes that try to determine the worm propagation only in the time domain. Instead of the time domain, the frequency domain is used to detect C-worms as well as traditional worms.

The user gives a file to the scan block. It has two options: either it scans sequentially or it scans randomly. For each file, it calculates a value using the Fourier Transform. Every time a file is scanned, that value is compared with the Window Sliding Number (WSN). If the value of the file being scanned is greater than the WSN, it is detected as malware; otherwise it reports non-detection of malware. If malware is found, the malware is analysed and a chart is prepared for that analysis.

Notice that the frequency domain analysis will require more samples in comparison with the time domain analysis, since a frequency domain analysis technique such as the Fourier transform needs to derive the power spectrum amplitude for different frequencies.

When we scan a system, first it will take a single file and then generate its number using the Fourier transform. If that number is larger than the number generated from the window sliding number, it shows that a worm or malware is detected.

It will scan not only sequentially but also randomly, because of the malware's nature of self-propagation to different locations in the system.
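To show how the schemes named in this section behave on scan-traffic samples, the following Python is an added example, not the authors' tool and not code from the paper: it builds three constructed scan-count traces with a fixed seed (benign background, a traditional worm whose volume grows exponentially, and a camouflaged worm whose scanning instances are switched on and off so its mean stays flat), then applies the MEAN, TREND and VAR checks in the time domain and a Fourier-transform check that compares the fraction of power in the strongest frequency bin against a threshold. The thresholds (3 standard deviations, a log-slope of 0.01 per sample, a variance ratio of 3, a spectral concentration of 0.3) and the trace shapes are assumptions chosen for the illustration; a deployment would learn them from sliding windows of known-benign traffic.

```python
import cmath
import math
import random
import statistics


def make_traces(length=64, seed=3):
    """Constructed scan-count series, one sample per monitoring interval (not real data).
    background:  benign probing noise around 100 scans per interval.
    traditional: background plus an exponentially growing worm.
    camouflaged: background plus a worm that switches scanning instances on and off
                 every few intervals, so its volume oscillates but its mean stays flat."""
    rng = random.Random(seed)
    background = [100 + rng.gauss(0, 5) for _ in range(length)]
    traditional = [b + 2.0 * math.exp(0.08 * t) for t, b in enumerate(background)]
    camouflaged = [b + 8.0 * math.sin(2 * math.pi * t / 8) for t, b in enumerate(background)]
    return background, traditional, camouflaged


# --- time-domain schemes named in the paper ---------------------------------

def mean_detect(window, baseline, k=3.0):
    """MEAN: flag when the window mean exceeds the baseline mean by k standard deviations."""
    return statistics.mean(window) > statistics.mean(baseline) + k * statistics.pstdev(baseline)


def trend_detect(window, min_slope=0.01):
    """TREND: least-squares slope of log(scan count). Exponential growth gives a
    clearly positive slope; noise or a flat oscillation gives one near zero."""
    n = len(window)
    ys = [math.log(v) for v in window]
    t_mean = (n - 1) / 2
    y_mean = sum(ys) / n
    num = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(ys))
    den = sum((t - t_mean) ** 2 for t in range(n))
    return num / den > min_slope


def var_detect(window, baseline, ratio=3.0):
    """VAR: flag when the window variance is `ratio` times the baseline variance."""
    return statistics.pvariance(window) > ratio * statistics.pvariance(baseline)


# --- frequency-domain scheme --------------------------------------------------

def power_spectrum(window):
    """One-sided power spectrum |X_k|^2, k = 1 .. n/2, of the mean-removed window
    (plain O(n^2) DFT so no NumPy is needed). Bin 0, the mean, is excluded on purpose:
    the C-Worm keeps the mean flat, so the signal is in the other bins."""
    n = len(window)
    mu = sum(window) / n
    x = [v - mu for v in window]
    spectrum = []
    for k in range(1, n // 2 + 1):
        coeff = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        spectrum.append(abs(coeff) ** 2)
    return spectrum


def spectral_concentration(window):
    """Fraction of the non-DC power sitting in the single strongest frequency bin.
    Noise spreads power evenly (small value); a regulated on/off pattern piles it into
    one bin (large value). This plays the role of the 'number generated using the
    Fourier transform' that the tool compares against its threshold."""
    spectrum = power_spectrum(window)
    return max(spectrum) / sum(spectrum)


def frequency_detect(window, threshold=0.3):
    """Flag when spectral concentration exceeds the threshold (assumed constant here;
    in practice derived from sliding windows of benign traffic, the paper's WSN)."""
    return spectral_concentration(window) > threshold


def run_all(window, baseline):
    """Apply the four schemes to one window and report which of them fire."""
    return {
        "MEAN": mean_detect(window, baseline),
        "TREND": trend_detect(window),
        "VAR": var_detect(window, baseline),
        "FREQ": frequency_detect(window),
    }


if __name__ == "__main__":
    background, traditional, camouflaged = make_traces()
    for name, trace in (("background", background), ("traditional", traditional),
                        ("camouflaged", camouflaged)):
        print(f"{name:12s} concentration={spectral_concentration(trace):.2f} "
              f"{run_all(trace, background)}")
```

On these constructed traces the traditional worm trips MEAN, TREND and VAR, while the camouflaged trace leaves the mean and the log-slope where the background has them and is separated from the background only by the spectral concentration, which is the point the section makes: the regulation that hides the worm in the time domain is itself a repeating pattern in the frequency domain. Note that the frequency check needs the whole 64-sample window before it can say anything, whereas MEAN can fire on a handful of samples; that is the extra-sample cost mentioned above.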
IV. CONCLUSION

In this paper, we studied a new class of smart worm called the C-Worm, which has the capability to camouflage its propagation and further avoid detection. The study showed that, although the C-Worm successfully camouflages its propagation in the time domain, its camouflaging nature inevitably manifests as a distinct pattern in the frequency domain. Based on this observation, we created a host-based detection scheme to detect the C-Worm.
REFERENCES

[1] Ivan Arce, Elias Levy, "An Analysis of the Slapper Worm".
[2] David Moore, Vern Paxson, "Inside the Slammer Worm".
[3] Elias Levy, "The Making of a Spam Zombie Army".
[4] Yong Tang, Bin Xiao, and Xicheng Lu, "Signature Tree Generation for Polymorphic Worms", IEEE Transactions on Computers, Vol. 60, No. 4, April 2011.
[5] Wei Yu, Nan Zhang, Xinwen Fu, and Wei Zhao, "Self-Disciplinary Worms and Countermeasures: Modeling and Analysis", IEEE Transactions on Parallel and Distributed Systems, Vol. 21, No. 10, October 2010.
[6] Yong Tang and Shigang Chen, "An Automated Signature-Based Approach against Polymorphic Internet Worms", IEEE Transactions on Parallel and Distributed Systems, Vol. 18, No. 7, July 2007.
[7] Hilarie Orman, "The Morris Worm: A Fifteen-Year Perspective".
[8] Guanhua Yan and Stephan Eidenbenz, "Modeling Propagation Dynamics of Bluetooth Worms (Extended Version)", IEEE Transactions on Mobile Computing, Vol. 8, No. 3, March 2009.
[9] Salvatore J. Stolfo, "Worm and Attack Early Warning".
[10] Wei Yu, Xun Wang, Prasad Calyam, Dong Xuan, and Wei Zhao, "Modeling and Detection of Camouflaging Worm", IEEE Transactions on Dependable and Secure Computing, Vol. 8, No. 3, May-June 2011.
[11] Zhenhai Duan, Peng Chen, Fernando Sanchez, Yingfei Dong, Mary Stephenson, James Barker, "Detecting Spam Zombies by Monitoring Outgoing Messages".
[12] Yanfang Ye, Tao Li, Qingshan Jiang, and Youyu Wang, "CIMDS: Adapting Postprocessing Techniques of Associative Classification for Malware Detection".
[13] Carlos Raniery P. dos Santos, Rafael Santos Bezerra, Joao Marcelo Ceron, "Botnet Master Detection Using a Mashup-based Approach".
[14] Zongqu Zhao, "A Virus Detection Scheme Based on Features of Control Flow Graph".
[15] Mohamad Fadli Zolkipli, Aman Jantan, "An Approach for Malware Behavior Identification and Classification".
[16] M. Shankarapani, K. Kancherla, S. Ramammoorthy, R. Movva, and S. Mukkamala, "Kernel Machines for Malware Classification and Similarity Analysis".
[17] Felix Leder, Bastian Steinbock, Peter Martini, "Classification and Detection of Metamorphic Malware using Value Set Analysis".
[18] Desmond Lobo, Paul Watters and Xinwen Wu, "RBACS: Rootkit Behavioral Analysis and Classification System".
[19] Siddiqui M.A., "Data Mining Methods for Malware Detection".
[20] Moskovitch R, Feher, Tzachar N, Berger E, Gitelman M, Dolev S, et al., "Unknown malcode detection using OPCODE representation".
[21] Michael Erbschloe, "A Computer Security Professional's Guide to Malicious.