Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

341 346


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

341 346

  1. 1. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 4, June 2012 Detection of traditional and new types of Malware using Host-based detection scheme Satish N.Chalurkar1, Dr.B.B.Meshram2 1 Computer Department,VJTI,Mumbai 1 2 Head of Computer Department,VJTI,Mumbai 2 In this paper, we have discussed many What makes them so deadly and unidentifiable istraditional and new types of worms including c- the way they reach your PC and go unnoticed underworms also-worms stands for camouflaging wormsbecause of its nature of self propagating and hiding the camouflage of reliable software. Most of thenature. An active worm refers to a malicious software advertisers banking on adware use third partyprogram that propagates itself on the Internet to software bundles to pack their adware in. Sinceinfect other computers. The propagation of the worm people want to install these software, they also endis based on exploiting vulnerabilities of computers on up installing the adware.the Internet. This paper also shows the working ofvarious worms and their detection system. These Malware also use rootkits to manipulate thedetection techniques not only detect worms but also operating system. What they do is make changesdetect various malware attacks. such that they are not identified on the Task Manager Panel. So in essence your PC might runKeywords--- active worms, c-worms, host baseddetection system, network based detection system, evidently slow, you still can’t see the applicationstypes of worms running in the back ground and thus give malware ample time to spread to all the roots. Malware can be roughly broken down into types I. INTRODUCTION according to the malwares method of operation.Malware can infect systems by being bundled with Anti-"virus" software, despite its name, is able toother programs or attached as macros to files. detect all of these types of malware.Others are installed by exploiting a knownvulnerability in an operating system (OS), networkdevice, or other software, such as a hole in abrowser that only requires users to visit a website An active worm refers to a malicious softwareto infect their computers. The vast majority, program that propagates itself on the Internet tohowever, are installed by some action from a user, infect other computers. The propagation of thesuch as clicking an e-mail attachment or worm is based on exploiting vulnerabilities ofdownloading a file from the Internet. computers on the Internet.Some of the more commonly known types ofmalware are viruses, worms, Trojans, bots, back “A worm is a program that can run by itself anddoors, spyware, and adware. Damage from can propagate a fully working version of itself tomalware varies from causing minor irritation (such other machines. It is derived from the wordas browser popup ads), to stealing confidential tapeworm, a parasitic organism that lives inside ainformation or money, destroying data, and host and saps its resources to maintain itself.”compromising and/or entirely disabling systemsand networks. The worm used an interesting hook-and-haulMalware cannot damage the physical hardware of method of propagation that masked its entrance to asystems and network equipment, but it can damage site and kept its mechanisms secret. It was alsothe data and software residing on the equipment. multifaceted and multi-architecture, using multipleMalware should also not be confused with methods to gain entrance to a machine anddefective software, which is intended for legitimate affecting two entirely different computerpurposes but has errors or bugs. architectures. It had an intensely computational part 341 All Rights Reserved © 2012 IJARCET
  2. 2. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 4, June 2012that was meant to give it resilience through the financial, transportation, and governmentability to infiltrate through many user accounts, but institutions and precluding any human-basedit had an ineffective mechanism to limit its growth response[2].rate.Particularly, the epidemic dynamic model assumes Slammer’s most novel feature is its propagationthat any given computer is in one of the following speed. In approximately three minutes, the wormstates: achieved its full scanning rate (more than 55 immune, vulnerable, or infected. An immune million scans per second), after which the growth computer is one that cannot be infected by a rate slowed because significant portions of the worm; network had insufficient bandwidth to accommodate more growth. a vulnerable computer is one that has the The worm’s spreading strategy uses random potential of being infected by a worm; scanning-it randomly selects IP addresses, eventually finding and infecting all susceptible an infected computer is one that has been hosts. Random-scanning worms initially spread infected by a worm. exponentially, but their rapid new-host infectionIn this paper,Section II described various types of slows as the worms continually retry infected orworms and the details of active worms.Active immune addresses. Thus, as with the Code Redworms are those that infect system.Section III worm, Slammer’s infected-host proportion followsdescribed c-worms and various detection a classic logistic form of initial exponential growthsystem.Section IV contain conclusion. in a finite label this growth behaviour a random constant spread (RCS) model. II. RELATED WORK While Slammer spread nearly two orders of magnitude faster than Code Red, it probablyA. Types of worms infected fewer machines. Both worms use the same basic scanning strategy to find vulnerable machinesMany real-world worms have caused notable and transfer their exploitive payloads; however,damage on the Internet. These worms include they differ in their scanning constraints. While“Code-Red” worm, “Slammer” worm, and “Witty”/ Code Red is latency-limited, Slammer is“Sasser” worms. Many active worms are used to bandwidth-limited, enabling Slammer to scan as fast as a compromised computer can transmitinfect a large number of computers and recruit packets or a network can deliver them.them as bots or zombies, which are networkedtogether to form botnets. 3) Sobig Worms1) Slapper WormsSlapper would attempt to remotely compromise Like its predecessors, Sobig.E is unremarkable in many ways. It’s a piece of malicious code thatsystems by randomly selecting a network to scan targets Microsoft Windows operating systems.and doing a sequential sweep of all IP addresses in Written in Microsoft Visual C++, it makes use ofthe network while looking for vulnerable Web threads, its executable is compressed with eitherservers. UPX or TeLock, it collects email addresses byThe Slapper worm’s P2P communications protocol harvesting files (such as Windows Address Bookwas designed to be used by a hypothetical client to [WAB], Outlook Express mailbox [DBX], HTM,send commands to and receive responses from an HTML, Mail message [EML], or text [TXT]), and attempts to infect new systems by sending them aninfected host (a node). In this way, the client can infected email message or by copying itself to anperform several different actions while hiding its open network share. The worm also includes itsnetwork location and making communications own simple mail transport protocol (SMTP) engine,more difficult to monitor[1]. spoofs its emails’ source address, encrypts and decrypts text strings as needed, and creates a2) Slammer Worms mutual exclusion object (mutex) on infectedSlammer (sometimes called Sapphire) was the systems to ensure they are not infected more than once.fastest computer worm in history. As it beganspreading throughout the Internet, the worminfected more than 90 percent of vulnerable hostswithin 10 minutes, causing significant disruption to 342 All Rights Reserved © 2012 IJARCET
  3. 3. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 4, June 20124) Morris Worms • It spread through a population almost an order of magnitude smaller than that of previous worms, It attacked one operating system, but two demonstrating worms’ viability as an automated different computer architectures. mechanism to rapidly compromise machines on the It had three distinct propagation vectors. Internet, even in niches without a software It had several mechanisms for finding both monopoly. potential nodes to infect, particularly information about the local system’s IP B. Active Worms connectivity (its network class and gateway), and information found in user accounts. Active worms are similar to biological viruses in It traversed trusted accounts using password terms of their infectous and self-propagating guessing. nature. They identify vulnerable computers, infect The worm made heavy use of this them and the worm-infected computers propagate computationally intensive method by the infection further to other vulnerable computers. employing four information sources: accounts In order to understand worm behavior, we first with null passwords (no password), need to model it. Active worms use various scan information related to the user account, an mechanisms to propagate themselves efficiently. internal dictionary, and a word list on the local machines, /usr/dict/words. The basic form of active worms can be categorized It installed its software via a two-step “hook as having the Pure Random Scan (PRS) nature. In and haul” method (explained later in the the PRS form, a worm-infected computer “Inside the worm” subsection) that required the continuously scans a set of random Internet IP use of a C compiler, link loader, and a callback addresses to find new vulnerable computers. Other network connection to the infecting system. worms propagate themselves more effectively than It evaded notice by obscuring the process PRS worms using various methods, e.g., network parameters and rarely leaving files behind. port scanning, email, file sharing, Peer-to-Peer It attempted to limit the reinfection rate on (P2P) networks, and Instant Messaging (IM). In each node (but not the total number). addition, worms usedifferent scan strategies during It attempted to run forever on as many nodes different stages of propagation.In order to increase as possible. propagation efficiency, they use a local network or hitlist to infect previously identified vulnerable Although there had been worms before, no one computers at the initial stage of propagation.had tried to run one on a complex topology. Forthis worm to achieve its purpose of widespread They may also use DNS, network topology andpropagation, it had to discover local topology in an routing information to identify active computersarbitrary graph[7]. instead of randomly scanning IP addresses.They split the target IP address space during propagation5) Witty Worms in order to avoid duplicate scans. Li et al. studied a divide-conquer scanning technique that couldWhile the Witty worm is only the latest in a string potentially spread faster and stealthier than aof self-propagating remote exploits, it distinguishes traditional random-scanning worm. Ha et al.itself through several interesting features: Formulated the problem of finding a fast and resilient propagation topology and propagation• It was the first widely propagated Internet worm schedule for Flash worms. Yang et al. studied theto carry a destructive payload. worm propagation over the sensor networks.• It started in an organized manner with an order ofmagnitude more ground-zero hosts than any III. PROPOSED TOOL FORprevious worm. MALWARE DETECTION• It represents the shortest known interval A. C-Wormbetween vulnerability disclosure and wormrelease—it began spreading the day after the ISS The C-Worm camouflages its propagation byvulnerability was publicized. controlling scan traffic volume during its propagation. The simplest way to manipulate scan• It spread through a host population in which every traffic volume is to randomly change the number ofcompromised host was proactive in securing its worm instances conducting and networks. As other alternatives, a worm attacker may use an open-loop control (non-feedback) mechanism by 343 All Rights Reserved © 2012 IJARCET
  4. 4. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 4, June 2012choosing a randomized and time related pattern for distribution of destination addresses. Other worksthe scanning and infection in order to avoid being study worms that attempt to take on new patterns todetected. Nevertheless, the open-loop control avoid detection[10] .approach raises some issues of the invisibility ofthe attack. Here are some of the techniques for identifying the worms in the host or in the networks.First, as we know, worm propagation over theInternet can be considered a dynamic system. 1) Distributing sensorsWhen an attacker launches worm propagation, it isvery challenging for the attacker to know the Determining the number and strategic placement ofaccurate parameters for worm propagation distributed sensors (for example, at an enclave’sdynamics over the Internet. gateway, at an upstream peering point, or both) forConsequently, the overall worm scan traffic a particular-size enclavemaximizes coverage andvolume in the open-loop control system will expose minimizes communication cost and time to detecta much higher probability to show an increasing propagations and attack precursors.trend with the progress of worm propagation. Asmore and more computers get infected, they, in 2) Inferring intentturn, take part in scanning other computers. Hence,we consider the Cworm as a worst case attacking The relationships among common targeted victimsscenario that uses a closedloop control for suggest what a scanning source’s intent might be.regulating the propagation speed based on the For example, a common source of stealthyfeedback propagation statuseasy way to comply scanning from an attacking IP address directedwith the conference paper formatting requirementsis to use this document as a template and simply toward a set of unrelated victims appearstype your text into it[10]. fundamentally different than an attacker scanning a set of IP addresses all owned by, say, several different banks.B. Existing Detection System 3) Profiling behavior.1) Host Based Detection System A longitudinal study of attacker behavior and intentWorm detection has been intensively studied in the and their attacks against victims provide sufficientpast and can be generally classified into two repeated behavior to accurately predict futurecategories: “host-based” detection and “network- attack steps.based” detection. 4) Classifying activitiesHost-based detection systems detect worms bymonitoring, collecting, and analyzing worm We need a way to quickly classify worms and scanbehaviors on end hosts.Since worms are maliciousprograms that execute on these computers, or probe activity into useful clusters and profilesanalyzing the behavior of worm executables plays according to their characteristics (destination ports,an important role in host based detection systems. interprobe delay, and payload length, for example) and behaviour.2) Network Based Detection SystemIn contrast, network-based detection systems detect C. Proposed Detection Schemeworms primarily by monitoring, collecting, andanalyzing the scan traffic (messages to identify There are three existing system to detect the wormsvulnerable computers) generated by worm attacks. as well as malware attack.Network-based detection schemes commonlyanalyze the collected scanning traffic data by The first scheme is the volume mean-basedapplying certain decision rules for detecting the (MEAN) detection scheme which uses mean ofworm propagation. For example,Venkataraman et scan traffic to detect worm propagation; the secondal. and Wu et al. in proposed schemes to examine scheme is the trend-based (TREND) detectionstatistics of scan traffic volume, Zou et al. scheme which uses the increasing trend of scanpresented a trend-based detection scheme to traffic to detect worm propagation; and the thirdexamine the exponential increase pattern of scan scheme is the victim number variance based (VAR)traffic , Lakhina et al proposed schemes to examine detection scheme which uses the variance of theother features of scan traffic, such as the scan traffic to detect worm propagation. 344 All Rights Reserved © 2012 IJARCET
  5. 5. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 4, June 2012The C-Worm adapts their propagation traffic Recall that the C-Worm goes undetected bypatterns in order to reduce the probability of detection schemes that try to determine the wormdetection, and to eventually infect more computers. propagation only in the time domain. Instead ofThe C-Worm is different from polymorphic worms time domain,frequency domain is used to detect thethat deliberately change their payload signatures c worms as well as traditional worms.during propagation. The user give file to the scan block.It has to option,either it scan sequentially or it can1) Architecture of Detection Tool: randomly.For each file,it calculate value using the Fourier Transform.At every time,the file is scan,that value is compared with Window sliding number.if value of that file that is to be scanned are greater than WSN then it detect as malware otherwise it shows non-detection of malware.If the malware is found then analysis the malware and prepare the chart for that analysis. Notice that the frequency domain analysis will require more samples in comparison with the time domain analysis,since the frequency domain analysis technique such as the Fourier transform, needs to derive power spectrum amplitude for different frequencies. Fig 1:Architecture of detection Tool When we scan system,first it will take the singleThe above diagram shows the architecture of file and then generates its number using fourierdetection tool.The First block take the file to read transform.if that number is larger than the numberthen it passed to detection tool block which contain which are gererated from the window slidingthe various block that shown in below diagram then number then it will shows that worms or malwareit finally generate the report. is detected.The flow of above architecture are givenbelow,which are also proposed in the paper. It will not only scan sequential but also randomly because of its nature of self propogation in different location in the system. IV. CONCLUSION In this paper, we studied a new class of smart- worm called CWorm,which has the capability to camouflage its propagation and further avoid the detection. It showed that, although the C-Worm successfully camouflages its propagation in the time domain, its camouflaging nature inevitably manifests as a distinct pattern in the frequency domain. Based on observation, we creates Host- based detection scheme to detect the C-Worm. 345 All Rights Reserved © 2012 IJARCET
  6. 6. ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology Volume 1, Issue 4, June 2012 REFERENCES ON DEPENDABLE AND SECURE COMPUTING ,VOL. 8, NO. 3, MAY-JUNE 2011[1] IVAN ARCE,ELIAS LEVY ,” An Analysis of [11] Zhenhai Duan, Peng Chen, Fernando Sanchezthe Slapper Worm”. ,Yingfei Dong ,Mary Stephenson, James Barker” Detecting Spam Zombies by Monitoring Outgoing[2] DAVID MOORE, VERN PAXSON,” Inside Messages”the Slammer Worm” [12]Yanfang Ye, Tao Li, Qingshan Jiang, and[3] ELIAS LEVY,” The Making of a Spam Zombie Youyu Wang” CIMDS: Adapting PostprocessingArmy” Techniques of Associative Classification for Malware Detection”[4] Yong Tang, Bin Xiao, Member, IEEE, andXicheng Lu” Signature Tree Generation for [13] Carlos Raniery P. dos Santos, Rafael SantosPolymorphic Worms”, IEEE TRANSACTIONS Bezerra, Joao Marcelo Ceron,” Botnet MasterON COMPUTERS, VOL. 60, NO. 4, APRIL 2011 Detection Using a Mashup-based Approach”[5] Wei Yu, Member, IEEE, Nan Zhang, Member, [14] Zongqu Zhao” A Virus Detection SchemeIEEE, Xinwen Fu, Member, IEEE, and Wei Zhao, Based on Features of Control Flow Graph”Fellow, IEEESelf-Disciplinary Worms andCountermeasures: Modeling and Analysis”, IEEE [15] Mohamad Fadli Zolkipli Aman Jantan “AnTRANSACTIONS ON PARALLEL AND Approach for Malware Behavior Identification andDISTRIBUTED SYSTEMS, VOL. 21, NO. 10, Classification”OCTOBER 2010 [16] M. Shankarapani, K. Kancherla, S.[6] Yong Tang and Shigang Chen,” An Automated Ramammoorthy, R. Movva, and S. MukkamalaSignature-Based Approach against Polymorphic “Kernel Machines for Malware Classification andInternet Worms” IEEE TRANSACTIONS ON Similarity Analysis”PARALLEL AND DISTRIBUTED SYSTEMS,VOL. 18, NO. 7, JULY 2007 [17] Felix Leder, Bastian Steinbock, Peter Martini“Classification and Detection of[7] HILARIE ORMAN,” The Morris Worm: A Metamorphic Malware using Value Set Analysis”Fifteen-Year Perspective” [18] Desmond Lobo, Paul Watters and Xinwen Wu[8] Guanhua Yan and Stephan Eidenbenz,” “RBACS: Rootkit Behavioral Analysis andModeling Propagation Dynamics of Bluetooth Classification System”Worms (Extended Version)”, IEEETRANSACTIONS ON MOBILE COMPUTING, [19] Siddiqui M.A.:” Data Mining Methods forVOL. 8, NO. 3, MARCH 2009 Malware Detection.”[9] SALVATORE J. STOLFO,” Worm and Attack [20] Moskovitch R, Feher, Tzachar N, Berger E,Early Warning” Gitelman M, Dolev S,et al.” Unknown malcode detection using OPCODE representation. “[10] Wei Yu, Xun Wang, Prasad Calyam, DongXuan, and Wei Zhao," Modeling and Detection of [21]Michael Erbschloe “A Computer SecurityCamouflaging Worm”, IEEE TRANSACTIONS Professional’s Guide to Malicious. 346 All Rights Reserved © 2012 IJARCET