On Instant Messaging Worms, Analysis and Countermeasures
COMP 4108 Presentation - Sept 20, 2005
Mohammad Mannan, School of Computer Science, Carleton University, Canada
Goals of this talk ➠ Discuss a few IM worms ➠ Analyze well-known countermeasures for IM worms ➠ Present two variations of current techniques
Mohammad Mannan
Page 2
COMP 4108 Presentation - Sept 20, 2005
Definition of IM worms
➠ Worm: Malicious code that propagates over a network, with or without human assistance (Kienzle and Elder in WORM 2003)
➠ IM worms: Worms that spread in IM networks, by exploiting features and vulnerabilities of IM clients and protocols
IM worms: why do we need to worry? ➠ IM is a popular application ☞ instant communication (home users) ☞ instant collaboration (enterprise users) ➠ A big target for attackers
“I don’t use IM. Why should I care?” ➠ The user base is big enough to impact the whole network ➠ You may use it unknowingly! (integrated IM in popular applications)
Outline of the talk ➠ IM overview ➠ Examples of IM worms and vulnerabilities ➠ Distinguishing features of IM networks ➠ Topology of IM contacts ➠ Existing techniques and remarks on them ➠ New proposals ➠ Discussion
IM communication model (1)
[Figure 1: Centralized server model. A single IM server holds A’s contact list and B’s contact list; the figure shows three kinds of traffic between Client A and Client B: client-server communications, direct client-client communications, and server-mediated client-client communications.]
IM communication model (2)
[Figure 2: Distributed server model. Two IM servers (Server 1 and Server 2) serve Client A and Client B, with A’s and B’s contact lists held on the server side; the same three kinds of traffic as in Figure 1 are shown: client-server, direct client-client, and server-mediated client-client communications.]
Examples: IM worms (1) ➠ SoFunny
– File transfer – Runs as a service process in Windows
➠ JS Menger
– URL – IE vulnerability
➠ Bropia/Kelvir
– File transfer – Disables Task Manager, debugging tools etc. – Installs a variant of the Agobot/Spybot worm – Custom language
Examples: IM worms (2) ➠ Serflog
– URL or P2P file-sharing – Terminates anti-virus processes – Modifies the system’s HOSTS file
Examples: client vulnerabilities ➠ Buffer overflows ➠ PNG (display picture) ➠ GIF (emoticon)
IM worm replication mechanisms ➠ File transfer ➠ URL message ➠ IM client vulnerabilities ➠ OS or commonly used application vulnerabilities
What makes IM networks different? ➠ Popular and connected ➠ Instant hit-list ➠ Instant user-action ➠ Integration with popular applications
Scale-free (SF) networks
➠ Preferential attachment and strong local clustering (hubs)
➠ Epidemic threshold: In a fully connected network, if an infected node has a chance β of infecting another, and a chance δ of being cured, then the virus will have a sustained population if β/δ > 1
➠ There is no critical threshold for epidemics in scale-free networks
➠ Highly resistant to accidental failures: the Internet will be functional even with 80% randomly failed routers
➠ Fragile against targeted/deliberate attacks
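The epidemic threshold on this slide, worked through as an added example (not part of the slides): the standard mean-field SIS model for a homogeneously mixed network, with β and δ as the slide's infection and cure rates and i the infected fraction, plus the heterogeneous mean-field threshold ⟨k⟩/⟨k²⟩ (Pastor-Satorras and Vespignani) that explains why the threshold disappears on scale-free graphs. The functions and the degree sequences are constructed for illustration.

```python
# Added example, not from the slides.  Mean-field SIS on a fully connected
# (homogeneously mixed) network:
#     di/dt = beta * i * (1 - i) - delta * i
# Setting di/dt = 0 gives the endemic state i* = 1 - delta/beta, which is
# positive exactly when beta/delta > 1: the threshold quoted on the slide.


def sis_endemic_fraction(beta: float, delta: float) -> float:
    """Closed-form steady-state infected fraction; 0.0 means the worm dies out."""
    if beta <= 0 or delta < 0:
        raise ValueError("beta must be positive and delta non-negative")
    return max(0.0, 1.0 - delta / beta)


def simulate_sis(beta: float, delta: float, i0: float = 0.01,
                 dt: float = 0.01, steps: int = 20000) -> float:
    """Forward-Euler integration of the same equation from an initial
    infected fraction i0; returns the infected fraction at the end."""
    i = i0
    for _ in range(steps):
        i += dt * (beta * i * (1.0 - i) - delta * i)
        i = min(max(i, 0.0), 1.0)          # keep the fraction in [0, 1]
    return i


def epidemic_sustained(beta: float, delta: float, eps: float = 1e-3) -> bool:
    """True when the simulated population does not die out."""
    return simulate_sis(beta, delta) > eps


def heterogeneous_threshold(degrees) -> float:
    """Heterogeneous mean-field threshold lambda_c = <k> / <k^2>: the worm
    persists when beta/delta > lambda_c.  For a heavy-tailed (scale-free)
    degree sequence <k^2> grows without bound, so lambda_c tends to 0, which
    is the slide's 'no critical threshold' remark."""
    n = len(degrees)
    k1 = sum(degrees) / n
    k2 = sum(d * d for d in degrees) / n
    return k1 / k2


if __name__ == "__main__":
    print("beta/delta = 4:", sis_endemic_fraction(0.8, 0.2), simulate_sis(0.8, 0.2))
    print("beta/delta = 0.5:", sis_endemic_fraction(0.2, 0.4), simulate_sis(0.2, 0.4))
    # Constructed degree sequences: a homogeneous graph versus one with ten hubs.
    print("homogeneous:", heterogeneous_threshold([4] * 100))
    print("hub-heavy:  ", heterogeneous_threshold([1] * 90 + [100] * 10))
```

With β/δ = 4 the population settles at i* = 0.75; with β/δ = 0.5 it dies out. The hub-heavy degree sequence lowers the threshold by more than an order of magnitude relative to the homogeneous one, which is the mechanism behind the "patching most of the hubs" remark later in the talk.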
Topology of the IM contacts network
➠ The topology of the IM contacts network is shown to be scale-free
➠ The following aspects may complicate the SF model:
  1. IM worms may ‘successfully’ guess contacts
  2. Each node can become a hub by joining a chatroom
➠ Implication – restoring a finite epidemic threshold by patching most of the hubs in an infected network would be difficult
Existing techniques to restrict IM worms ➠ Temporary server shutdown ➠ Temporarily disabling the most-connected users ➠ Virus throttling for IM
Virus throttling for IM – the mechanism
[Figure 3: Throttling algorithm for IM. A connection request is checked against a working set of size n = 4; a not-new contact passes through, while a new contact is added to a delay queue watched by a queue length detector. A rate timer driven by the clock triggers the update process that releases queued requests into the working set.]
Virus throttling for IM – shortcomings ➠ One new contact/day may be too restrictive ➠ Instant messages may get delayed ➠ User confirmation may be bypassed by a worm ➠ Data size is small – only 710 users and 2.5 messages/user/day ➠ Group chat ➠ Large memory requirement at the IM server ➠ Worm may ‘learn’ a user’s working set
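Added example (not code from the slides or from the original virus-throttling work): a toy implementation of the mechanism in Figure 3 for one IM client, with a working set of n = 4 contacts, a delay queue that releases one new contact per rate-timer tick, and a queue-length detector. The three traces (a normal user, a worm bursting file-transfer invites to the whole contact list, and a worm that only messages the working set) are constructed to show both the detection and two of the shortcomings listed above; the queue limit of 5 is an assumption.

```python
from collections import deque


class IMThrottle:
    """Per-client throttle modelled on Figure 3: a working set of the n contacts
    most recently talked to, a delay queue for connections to contacts outside
    it, a rate timer that releases one queued contact per tick, and a
    queue-length detector that raises an alarm.  Not the talk's own code."""

    def __init__(self, n=4, queue_limit=5):
        self.n = n                      # working-set size (slide: n = 4)
        self.queue_limit = queue_limit  # assumption: alarm above this many pending contacts
        self.working_set = []           # most recently used contact first
        self.pending = deque()          # delay queue of new contacts, FIFO
        self.buffered = {}              # contact -> messages waiting for release
        self.delivered = []
        self.delayed = 0
        self.alarm = False

    def send(self, contact, msg):
        """Connection request from the client to `contact`."""
        if contact in self.working_set:               # not-new: deliver at once
            self.working_set.remove(contact)
            self.working_set.insert(0, contact)
            self.delivered.append((contact, msg))
            return "delivered"
        self.delayed += 1
        if contact not in self.buffered:              # new: queue the contact once
            self.pending.append(contact)
            self.buffered[contact] = []
            if len(self.pending) > self.queue_limit:  # queue length detector
                self.alarm = True
        self.buffered[contact].append(msg)
        return "queued"

    def tick(self):
        """Rate timer fired: release the oldest queued contact (none while alarmed)."""
        if self.alarm or not self.pending:
            return None
        contact = self.pending.popleft()
        self.working_set.insert(0, contact)           # update process
        del self.working_set[self.n:]                 # LRU eviction keeps |working set| <= n
        for msg in self.buffered.pop(contact):
            self.delivered.append((contact, msg))
        return contact


def run_scenario(events, n=4, queue_limit=5):
    """events: ('send', contact, msg) or ('tick',) in time order."""
    t = IMThrottle(n, queue_limit)
    for ev in events:
        if ev[0] == "tick":
            t.tick()
        else:
            t.send(ev[1], ev[2])
    return {"alarm": t.alarm, "delivered": len(t.delivered),
            "delayed": t.delayed, "queued": len(t.pending),
            "working_set": list(t.working_set)}


# Constructed traces.  A normal user chats with three people; each first contact
# is held one tick (the "instant messages may get delayed" shortcoming).
NORMAL = [("send", "alice", "hi"), ("tick",),
          ("send", "bob", "hey"), ("tick",),
          ("send", "alice", "lunch?"), ("send", "bob", "ok"),
          ("send", "carol", "hello"), ("tick",),
          ("send", "alice", "yes"), ("send", "carol", "sure")]

# A worm then sends a file-transfer invite to twelve contact-list entries at once:
# the delay queue overflows and the detector raises the alarm.
WORM_BURST = NORMAL + [("send", f"contact{i}", "check this file") for i in range(12)]

# A worm that only messages contacts already in the working set (the "worm may
# learn a user's working set" shortcoming) is never queued and never detected.
WORM_STEALTH = NORMAL + [("send", c, "check this file") for c in ("alice", "bob", "carol")]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("burst", WORM_BURST), ("stealth", WORM_STEALTH)):
        print(name, run_scenario(trace))
```

One tick here stands for the slide's rate-timer period (one new contact per day in the original setting), which is why even the normal trace shows three delayed messages. The stealth trace is the reason the next slides move the control from connections to payloads: a throttle on new contacts says nothing about a file transfer to a contact the user talks to every day.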
New proposals – background
➠ File transfer and URL messages are the most commonly used replication mechanisms
➠ File transfer is not expected to be instant
➠ Challenge senders of potentially damaging payloads
➠ Assumptions: ☞ File transfer and URL messages are much less frequently used than normal text messages ☞ IM connections are secure
➠ Let’s restrict file transfer and URL messages
New proposals – mechanisms
➠ Throttle file transfer requests and URL messages
➠ Challenge senders of a file transfer request or URL message with a CAPTCHA
☞ Some users send more files than others – use secure cookies
☞ Challenges may come from the IM server or the recipient IM client
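Added example, not from the slides: one way an IM server could implement the two mechanisms above. It assumes a per-sender budget of 3 file-transfer or URL messages per hour (an assumption, set well above the 1.84 FT/user/day reported later in Table 2), simulates the CAPTCHA step by a direct call to issue_cookie once the sender has solved it, and uses an HMAC-signed cookie bound to the sender and an expiry time so that heavy senders are not challenged on every file. The sender names, message shapes and demo trace are constructed.

```python
import hashlib
import hmac
import re
from collections import defaultdict, deque

# Constructed demo key; a real server would load a random secret from a key store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)


def classify(message):
    """'ft' for a file-transfer request, 'url' for a text message carrying a
    link, 'text' for everything else (message shape is an assumption)."""
    if message.get("type") == "file_transfer":
        return "ft"
    if URL_RE.search(message.get("body", "")):
        return "url"
    return "text"


class PayloadThrottle:
    """Budget FT/URL messages per sender per window; beyond the budget the
    sender must solve a CAPTCHA.  budget=3 per hour is an assumption."""

    def __init__(self, budget=3, window=3600, cookie_ttl=86400, key=SERVER_KEY):
        self.budget, self.window, self.cookie_ttl, self.key = budget, window, cookie_ttl, key
        self.history = defaultdict(deque)  # sender -> timestamps of recent FT/URL sends

    def check(self, sender, message, now, cookie=None):
        kind = classify(message)
        if kind == "text":
            return "deliver"                       # text messages are never throttled
        if cookie is not None and self.verify_cookie(sender, cookie, now):
            return "deliver"                       # sender already passed a challenge
        q = self.history[sender]
        while q and now - q[0] >= self.window:     # forget sends outside the window
            q.popleft()
        if len(q) < self.budget:
            q.append(now)
            return "deliver"
        return "challenge"                         # over budget: CAPTCHA required

    def issue_cookie(self, sender, now):
        """Called once the sender solves the CAPTCHA; expiry is bound to the
        sender by an HMAC so the cookie cannot be altered or lent out."""
        expiry = int(now) + self.cookie_ttl
        mac = hmac.new(self.key, f"{sender}|{expiry}".encode(), hashlib.sha256).hexdigest()
        return f"{expiry}:{mac}"

    def verify_cookie(self, sender, cookie, now):
        try:
            expiry_s, mac = cookie.split(":", 1)
            expiry = int(expiry_s)
        except ValueError:
            return False
        if now >= expiry:
            return False
        expected = hmac.new(self.key, f"{sender}|{expiry}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected)


def demo():
    """Constructed trace for one sender; returns the server's decisions in order."""
    pt = PayloadThrottle()
    s = "alice@example"
    decisions = [
        pt.check(s, {"type": "text", "body": "hi"}, now=0),
        pt.check(s, {"type": "file_transfer", "name": "notes.pdf"}, now=1),
        pt.check(s, {"type": "text", "body": "see www.example.org/x"}, now=2),
        pt.check(s, {"type": "file_transfer", "name": "photo.jpg"}, now=3),
        pt.check(s, {"type": "file_transfer", "name": "photo2.jpg"}, now=4),  # 4th payload -> challenge
    ]
    cookie = pt.issue_cookie(s, now=5)                   # sender solved the CAPTCHA
    decisions.append(pt.check(s, {"type": "file_transfer", "name": "photo3.jpg"}, now=6, cookie=cookie))
    tampered = cookie[:-1] + "x"                         # altered MAC is rejected
    decisions.append(pt.check(s, {"type": "file_transfer", "name": "photo4.jpg"}, now=7, cookie=tampered))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The cookie is presented by the sending client, so a worm running under the same user account can reuse a valid one until it expires; a short cookie_ttl limits that window, and the talk's own caveats (CAPTCHAs can be broken by machines, and a worm may bypass user confirmation) apply to the challenge step itself.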
Frequency of IM text messaging and file transfer (1)
Feature               Avg. Number
File Transfer (FT)            143
Text Message (TM)           25953
Online Users                 7459

Table 1: Average file transfer, text messages, and online users over 15-minute intervals
Frequency of IM text messaging and file transfer (2)
Ratio          Value
FT/TM         0.0055
FT/user/day     1.84
TM/user/day   334.03

Table 2: Comparison of file transfer (FT) and text message (TM) usage
Findings from the user study
➠ File transfer requests are less frequent than text messages
➠ Assumption: An IM connection is opened more often for text messaging than for file transfer
➠ Also true for URL messages?
➠ We don’t know interesting user behavior, e.g., how many users sent one or more files, or the maximum number of files sent by a user
Comparing virus throttling to new proposals
➠ Throttling minimizes the number of IM worm connections – a worm can still establish a certain number of connections unchecked
➠ New proposals restrict only file transfers and URL messages, not IM connections (e.g. for text messages) – apparently more user-friendly
➠ Throttling connections is more effective than our techniques when connection establishment implicitly transfers user-configurable file data (e.g. MSN display picture file)
☞ Automatic file data transfer may not be a good idea
Concluding remarks
➠ Usability should be seriously considered – IM users are mostly ‘casual’
➠ CAPTCHAs can be broken by machines
➠ New proposals presented here are preliminary
Discussion...