Finding diversity in remote code injection exploits
Source: Internet Measurement Conference archive
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Rio de Janeiro, Brazil
SESSION: Security and privacy
Pages: 53 - 64
Year of Publication: 2006
ISBN: 1-59593-561-4
Authors
Justin Ma  University of California, San Diego
John Dunagan  Microsoft Research
Helen J. Wang  Microsoft Research
Stefan Savage  University of California, San Diego
Geoffrey M. Voelker  University of California, San Diego
Sponsors
SIGCOMM: ACM Special Interest Group on Data Communication
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1177080.1177087

ABSTRACT

Remote code injection exploits inflict a significant societal cost, and an active underground economy has grown up around these continually evolving attacks. We present a methodology for inferring the phylogeny, or evolutionary tree, of such exploits. We have applied this methodology to traffic captured at several vantage points, and we demonstrate that our methodology is robust to the observed polymorphism. Our techniques revealed non-trivial code sharing among different exploit families, and the resulting phylogenies accurately captured the subtle variations among exploits within each family. Thus, we believe our methodology and results are a helpful step to better understanding the evolution of remote code injection exploits on the Internet.

