1. COMP 4108 Presentation - Sept 20, 2005
On Instant Messaging Worms, Analysis and Countermeasures
Mohammad Mannan, School of Computer Science, Carleton University, Canada

2. Goals of this talk
➠ Discuss a few IM worms
➠ Analyze well-known countermeasures for IM worms
➠ Present two variations of current techniques
Page 2 Mohammad Mannan COMP 4108 Presentation - Sept 20, 2005

3. Definition of IM worms
➠ Worm: malicious code that propagates over a network, with or without human assistance (Kienzle and Elder, WORM 2003)
➠ IM worms: worms that spread in IM networks by exploiting features and vulnerabilities of IM clients and protocols

4. IM worms: why do we need to worry?
➠ IM is a popular application
☞ instant communication (home users)
☞ instant collaboration (enterprise users)
➠ A big target for attackers

5. “I don’t use IM. Why should I care?”
➠ The user base is big enough to impact the whole network
➠ You may use it unknowingly (integrated IM in popular applications)

6. Outline of the talk
➠ IM overview
➠ Examples of IM worms and vulnerabilities
➠ Distinguishing features of IM networks
➠ Topology of IM contacts
➠ Existing techniques and remarks on them
➠ New proposals
➠ Discussion

7. IM communication model (1)
Single (Centralized) IM Server Model
Figure 1: Centralized server model. Labels recoverable from the figure: one Server; Client A and Client B, each with its own contact list (A’s contact list, B’s contact list); client–server communications; client–client (direct) communications; client–client (server-mediated) communications.

8. IM communication model (2)
Multiple (Distributed) IM Server Model
Figure 2: Distributed server model. Labels recoverable from the figure: Server 1 and Server 2; Client A and Client B, each with its own contact list (A’s contact list, B’s contact list); client–server communications; client–client (direct) communications; client–client (server-mediated) communications.

9. Examples: IM worms (1)
➠ SoFunny
– File transfer
– Runs as a service process in Windows
➠ JS Menger
– URL
– IE vulnerability
➠ Bropia/Kelvir
– File transfer
– Disables Task Manager, debugging tools etc.
– Installs a variant of the Agobot/Spybot worm
– Custom language

10. Examples: IM worms (2)
➠ Serflog
– URL or P2P file-sharing
– Terminates anti-virus processes
– Modifies the system’s HOSTS file

11. Examples: client vulnerabilities
➠ Buffer overflows in image handling
☞ PNG (display picture)
☞ GIF (emoticon)

12. IM worm replication mechanisms
➠ File transfer
➠ URL message
➠ IM client vulnerabilities
➠ OS or commonly used application vulnerabilities

13. What makes IM networks different?
➠ Popular and connected
➠ Instant hit-list
➠ Instant user-action
➠ Integration with popular applications

14. Scale-free (SF) networks
➠ Preferential attachment and strong local clustering (hubs)
➠ Epidemic threshold: if an infected node has a chance β of infecting a neighbour and a chance δ of being cured, the infection sustains a population only when the effective spreading rate β/δ is above a finite threshold (β/δ > 1 in the normalised fully-mixed model)
➠ Scale-free networks have no such critical threshold: it vanishes as the network grows, so even a weakly contagious worm can persist
➠ Highly resistant to accidental failures: the Internet would remain functional even with 80% of its routers failed at random
➠ Fragile against targeted/deliberate attacks on the hubs

15. Topology of the IM contacts network
➠ The topology of the IM contacts network is shown to be scale-free
➠ The following aspects may complicate the SF model:
1. IM worms may ‘successfully’ guess contacts
2. Each node can become a hub by joining a chatroom
➠ Implication – restoring a finite epidemic threshold by patching most of the hubs in an infected network would be difficult
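The threshold argument of slides 14 and 15 can be made concrete with the eigenvalue form of the SIS threshold (Wang, Chakrabarti, Wang and Faloutsos, 2003): with per-edge infection rate β and cure rate δ, the infection dies out when β/δ < 1/λ_max(A), where λ_max(A) is the largest eigenvalue of the contact graph’s adjacency matrix. On a homogeneous k-regular graph this is the familiar 1/k; on a scale-free graph λ_max is dominated by the hubs, so the threshold is much lower, and removing (patching) hubs raises it far more than removing the same number of random nodes. The code below is an added example, not from the talk: it builds a synthetic preferential-attachment graph and a ring lattice of the same average degree, estimates λ_max by power iteration, and compares targeted against random node removal. Graph sizes, the seed and the 5% removal fraction are assumptions.

```python
"""SIS epidemic threshold on a scale-free vs. a homogeneous contact graph.

Added example (not from the slides).  Threshold = 1/lambda_max(A), the
largest eigenvalue of the adjacency matrix.  Standard library only; the
graphs are synthetic and their sizes are assumptions.
"""
import math
import random


def barabasi_albert(n, m, rng):
    """Preferential attachment: each new node links to m distinct existing
    nodes chosen with probability proportional to degree (hub formation)."""
    adj = {i: set() for i in range(n)}
    repeated = []                        # node v appears once per edge at v
    for v in range(m, n):
        if not repeated:                 # first newcomer joins the m seed nodes
            chosen = set(range(m))
        else:
            chosen = set()
            while len(chosen) < m:
                chosen.add(rng.choice(repeated))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            repeated += [u, v]
    return adj


def ring_lattice(n, k):
    """Homogeneous k-regular graph: every node has exactly k neighbours,
    so lambda_max = k and the threshold is 1/k."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k // 2 + 1):
            j = (i + d) % n
            adj[i].add(j)
            adj[j].add(i)
    return adj


def lambda_max(adj, iters=300):
    """Largest adjacency eigenvalue: power iteration on A + I (the shift
    prevents oscillation when -lambda_max is also an eigenvalue), reported
    as the Rayleigh quotient x.Ax / x.x, which converges from below."""
    nodes = list(adj)
    x = {v: 1.0 for v in nodes}
    for _ in range(iters):
        y = {v: x[v] + sum(x[u] for u in adj[v]) for v in nodes}
        norm = math.sqrt(sum(val * val for val in y.values()))
        x = {v: val / norm for v, val in y.items()}
    ax = {v: sum(x[u] for u in adj[v]) for v in nodes}
    return sum(x[v] * ax[v] for v in nodes) / sum(x[v] ** 2 for v in nodes)


def epidemic_threshold(adj):
    """Largest beta/delta the graph absorbs without a sustained epidemic."""
    lam = lambda_max(adj)
    return math.inf if lam <= 0 else 1.0 / lam


def remove_nodes(adj, victims):
    """Induced subgraph after removing `victims` (failed or patched nodes)."""
    victims = set(victims)
    return {v: {u for u in nbrs if u not in victims}
            for v, nbrs in adj.items() if v not in victims}


def attack_comparison(adj, fraction, rng):
    """Threshold after removing the top `fraction` of hubs (targeted attack,
    or patching the hubs) versus the same number of random nodes (failure)."""
    count = int(len(adj) * fraction)
    hubs = sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:count]
    randoms = rng.sample(list(adj), count)
    return {
        "intact": epidemic_threshold(adj),
        "random_failure": epidemic_threshold(remove_nodes(adj, randoms)),
        "targeted_hubs": epidemic_threshold(remove_nodes(adj, hubs)),
    }


def demo(seed=4108, n=500, m=2):
    """Thresholds for a scale-free and a homogeneous graph of average degree
    2m, plus the effect of removing 5% of the scale-free graph's nodes."""
    rng = random.Random(seed)
    sf = barabasi_albert(n, m, rng)
    hom = ring_lattice(n, 2 * m)
    return {
        "homogeneous": epidemic_threshold(hom),        # exactly 1/(2m)
        "scale_free": epidemic_threshold(sf),          # well below 1/(2m)
        "scale_free_after_removal": attack_comparison(sf, 0.05, rng),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The homogeneous graph gives exactly 0.25 for average degree 4, the scale-free graph a noticeably smaller value at the same average degree, and in the removal comparison the `targeted_hubs` threshold ends up well above `random_failure`; that gap is the quantitative content of “fragile against targeted attacks” and of the slide-15 remark that the hubs are what need patching.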

16. Existing techniques to restrict IM worms
➠ Temporary server shutdown
➠ Temporarily disabling the most-connected users
➠ Virus throttling for IM

17. Virus throttling for IM – the mechanism
Figure 3: Throttling algorithm for IM. Labels recoverable from the figure: request; new / not-new (working-set lookup); working set (n = 4); delay queue and queue length; add; detector; update; rate timer / clock process.

18. Virus throttling for IM – shortcomings
➠ One new contact per day may be too restrictive
➠ Instant messages may get delayed
➠ User confirmation may be bypassed by a worm
➠ The evaluation data set is small – only 710 users and 2.5 messages/user/day
➠ Group chat
➠ Large memory requirement at the IM server
➠ A worm may ‘learn’ a user’s working set

19. New proposals – background
➠ File transfer and URL messages are the most-used replication mechanisms
➠ File transfer is not expected to be instant
➠ Challenge senders of potentially damaging payloads
➠ Assumptions:
☞ File transfer and URL messages are much less frequently used than normal text messages
☞ IM connections are secure
➠ Let’s restrict file transfer and URL messages

20. New proposals – mechanisms
➠ Throttle file transfer requests and URL messages
➠ Challenge senders of a file transfer request or URL message with a CAPTCHA
☞ Some users send more files than others – use secure cookies
☞ Challenges may come from the IM server or the recipient IM client
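An added example, not code from the talk, that puts slide 17 and slide 20 together: the `Throttle` class follows the structure of Figure 3 (per-sender working set of n = 4 recent recipients, a delay queue for requests to new contacts, a rate timer that releases one queued request per tick into the working set, and a detector that fires when the queue grows past a limit), and `PayloadGate` applies that throttle only to file-transfer requests and URL-bearing messages while plain text passes untouched. A sender with no valid cookie must pass a CAPTCHA before a request to a new contact is queued; on success it receives an HMAC-signed, sender-bound, time-limited cookie so frequent senders are not re-challenged for every file. The message format, the cookie layout, the `captcha_ok` callback (standing in for a challenge issued by the server or the recipient’s client), the detector limit of 10 and the decision to check the challenge before queuing are all assumptions of this example.

```python
"""Per-sender throttle for IM file transfers and URL messages, with a CAPTCHA
gate and a signed sender cookie.  Added example; not code from the talk.
Message format, cookie layout and thresholds are assumptions.  Stdlib only.
"""
import hashlib
import hmac
import re
import time
from collections import deque

URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)


def classify(msg):
    """'ft' for a file-transfer request, 'url' for text carrying a link,
    'text' otherwise.  A message is a dict {"to", "kind", "body"} (assumed)."""
    if msg.get("kind") == "file_transfer":
        return "ft"
    if URL_RE.search(msg.get("body", "")):
        return "url"
    return "text"


class Throttle:
    """One per sender.  Recipients in the working set (n = 4) pass at once;
    others wait in the delay queue, drained one per tick by the rate timer.
    The detector fires once the queue holds more than `alarm` entries, which
    a worm spraying the whole contact list reaches within seconds."""

    def __init__(self, n=4, alarm=10):
        self.working = deque(maxlen=n)   # most recently used recipients
        self.queue = deque()             # delay queue of new recipients
        self.alarm = alarm

    def known(self, recipient):
        """True if the recipient is in the working set; refreshes LRU order."""
        if recipient in self.working:
            self.working.remove(recipient)
            self.working.append(recipient)
            return True
        return False

    def enqueue(self, recipient):
        """Queue a request to a new contact: 'alarm' if the queue is now over
        the detector threshold, otherwise 'delayed'."""
        if recipient not in self.queue:
            self.queue.append(recipient)
        return "alarm" if len(self.queue) > self.alarm else "delayed"

    def tick(self):
        """Rate timer: release one queued recipient into the working set
        (the deque's maxlen evicts the least recently used entry)."""
        if not self.queue:
            return None
        recipient = self.queue.popleft()
        self.working.append(recipient)
        return recipient


class PayloadGate:
    """Throttles file transfers and URL messages only; text always passes.
    `captcha_ok(sender)` is the caller's challenge step (server- or
    client-issued); a sender that passes it gets an HMAC-signed cookie."""

    def __init__(self, secret, captcha_ok, cookie_ttl=86400, clock=time.time):
        self.secret = secret
        self.captcha_ok = captcha_ok
        self.cookie_ttl = cookie_ttl
        self.clock = clock
        self.throttles = {}

    def _tag(self, sender, expiry):
        return hmac.new(self.secret, f"{sender}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()

    def issue_cookie(self, sender):
        expiry = int(self.clock()) + self.cookie_ttl
        return f"{sender}|{expiry}|{self._tag(sender, expiry)}"

    def cookie_valid(self, sender, cookie):
        """Sender-bound and time-limited.  Replay protection rests on the
        slide's assumption that the IM connection itself is secure."""
        try:
            who, expiry, tag = cookie.split("|")
            expiry = int(expiry)
        except (AttributeError, ValueError):
            return False
        return (who == sender and expiry > self.clock()
                and hmac.compare_digest(tag, self._tag(who, expiry)))

    def handle(self, sender, msg, cookie=None):
        """Returns (verdict, cookie); verdict is pass, delayed, alarm or
        challenge_failed.  Only FT/URL requests to new contacts are gated."""
        if classify(msg) == "text":
            return "pass", cookie
        throttle = self.throttles.setdefault(sender, Throttle())
        if throttle.known(msg["to"]):
            return "pass", cookie
        if not self.cookie_valid(sender, cookie):
            if not self.captcha_ok(sender):
                return "challenge_failed", cookie
            cookie = self.issue_cookie(sender)
        return throttle.enqueue(msg["to"]), cookie

    def tick(self):
        """Advance every sender's rate timer by one period."""
        return {s: t.tick() for s, t in self.throttles.items()}
```

Two of the slide-18 shortcomings are visible in this design: a worm that has already stolen a valid cookie, or that tricks the user into solving the CAPTCHA (the bypass of user confirmation), is no longer challenged, so the rate detector is the only remaining control, and a worm that only ever messages the n = 4 recipients in the working set is never queued at all.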

21. Frequency of IM text messaging and file transfer (1)
Table 1: Average file transfer, text messages, and online users over 15-minute intervals
Feature              Avg. Number
File Transfer (FT)           143
Text Message (TM)          25953
Online Users                7459

22. Frequency of IM text messaging and file transfer (2)
Table 2: Comparison of file transfer (FT) and text message (TM) usage
Ratio          Value
FT/TM          0.0055
FT/user/day    1.84
TM/user/day    334.03

23. Findings from the user study
➠ File transfer requests are far less frequent than text messages
➠ Assumption: an IM connection is opened more often for text messaging than for file transfer
➠ Is the same true for URL messages?
➠ We don’t know other interesting user behaviour, e.g., how many users sent one or more files, or the maximum number of files sent by a single user

24. Comparing virus throttling to new proposals
➠ Throttling minimizes the number of IM worm connections – but a worm can still establish a certain number of connections unchecked
➠ The new proposals restrict only file transfers and URL messages, not IM connections (e.g. for text messages) – apparently more user-friendly
➠ Throttling connections is more effective than our techniques when connection establishment implicitly transfers user-configurable file data (e.g. the MSN display picture file)
☞ Automatic file data transfer may not be a good idea

25. Concluding remarks
➠ Usability should be seriously considered – IM users are mostly ‘casual’
➠ CAPTCHAs can be broken by machines
➠ The new proposals presented here are preliminary

26. Discussion...
