Enabling Worm and Malware Investigation Using Virtualization - From Dongyan Xu, Xuxian Jiang

1. Enabling Worm and Malware Investigation Using Virtualization (Demo and poster this afternoon) Dongyan Xu , Xuxian Jiang CERIAS and Department of Computer Science Purdue University

6. The Big Picture Proxy ARP Domain A Domain B GRE Worm Analysis Worm Analysis Worm Capture

7. Front-End: Collapsar Enabling Worm/Malware Capture * X. Jiang, D. Xu, “Collapsar: a VM-Based Architecture for Network Attack Detention Center”, 13 th USENIX Security Symposium (Security’04), 2004. Part I

11. Collapsar Architecture VM-based Honeypot Redirector Redirector Redirector Correlation Engine Management Station Production Network Production Network Production Network Collapsar Center Attacker Front-End

20. Back-End: vGround Enabling Worm/Malware Analysis Part II * X. Jiang, D. Xu, H. J. Wang, E. H. Spafford, “Virtual Playgrounds for Worm Behavior Investigation”, 8 th International Symposium on Recent Advances in Intrusion Detection (RAID’05), 2005.

23. A Worm Playground Picture by Peter Szor, Symantec Corp.

26. An Example Run : Internet Worms A shared infrastructure (e.g. PlanetLab) A worm playground Virtual Physical

32. Project Planetlab-Worm template slapper { image slapper.ext2 cow enabled startup { /etc/rc.d/init.d/httpd start } } template router { image router.ext2 routing ospf startup { /etc/rc.d/init.d/ospfd start } } router R1 { superclass router network eth0 { switch AS1_lan1 address 128.10.1.250/24 } network eth1 { switch AS1_AS2 address 128.8.1.1/24 } } switch AS1_lan1 { unix_sock sock/as1_lan1 host planetlab6.millennium. berkeley.edu } switch AS1_AS2 { udp_sock 1500 host planetlab6.millennium. berkeley.edu } node AS1_H1 { superclass slapper network eth0 { switch AS1_lan1 address 128.10.1.1/24 gateway 128.10.1.250 } } node AS1_H2 { superclass slapper network eth0 { switch AS1_lan1 address 128.10.1.2/24 gateway 128.10.1.250 } } switch AS2_lan1 { unix_sock sock/as2_lan1 host planetlab1.cs.purdue.edu } switch AS2_AS3 { udp_sock 1500 host planetlab1.cs.purdue.edu } node AS2_H1 { superclass slapper network eth0 { switch AS2_lan1 address 128.11.1.5/24 gateway 128.11.1.250 } } node AS2_H2 { superclass slapper network eth0 { switch AS2_lan1 address 128.11.1.6/24 gateway 128.11.1.250 } } switch AS3_lan1 { unix_sock sock/as3_lan1 host planetlab8.lcs.mit.edu } router R2 { superclass router network eth0 { switch AS2_lan1 address 128.11.1.250/24 } network eth1 { switch AS1_AS2 address 128.8.1.2/24 } network eth2 { switch AS2_AS3 address 128.9.1.2/24 } } node AS3_H1 { superclass slapper network eth0 { switch AS3_lan1 address 128.12.1.5/24 gateway 128.12.1.250 } } node AS3_H2 { superclass slapper network eth0 { switch AS3_lan1 address 128.12.1.6/24 gateway 128.12.1.250 } } router R3 { superclass router network eth0 { switch AS3_lan1 address 128.12.1.250/24 } network eth1 { switch AS2_AS3 address 128.9.1.1/24 } } AS1_H1 R1 AS1_H2 AS2_H1 AS2_H2 R2 R3 AS3_H1 AS3_H2 Networked Node Network System Template

37. Probing: Target Network Selection Lion Worms Slapper Worms 13 243 80,81 http://www.iana.org/assignments/ipv4-address-space .

38. Exploitation (Lion) 1: Probing 2: Exploitation! 3: Propagation!

39. Exploitation (Slapper) 1: Probing 2: Exploitation! 3: Propagation!

40. Malicious Payload (Lion)

45. Combining Collapsar and vGround Domain A Domain B GRE Worm Analysis Worm Analysis Worm Capture

48. Thank you. Stop by our poster and demo this afternoon! For more information: Email: d [email_address] URL: http://www.cs.purdue.edu/~dxu Google: “ Purdue Collapsar Friends ”