Abstract
To detect and defend against Internet worms, researchers have long wanted a safe, convenient environment in which to unleash and run real-world worms for close observation of their infection, damage, and propagation. However, realizing such “worm playgrounds” poses major challenges, including the playgrounds’ fidelity, confinement, and scalability, as well as convenience of worm experimentation. In this paper, we present a virtualization-based platform that creates virtual worm playgrounds, called vGrounds, on top of a physical infrastructure. A vGround is an all-software virtual environment dynamically created for a worm attack. It contains realistic end-hosts and network entities, all realized as virtual machines (VMs) and confined in a virtual network (VN). The salient features of vGround are: (1) high fidelity, supporting real worm code that exploits real vulnerable services; (2) strict confinement, making the real Internet totally invisible and unreachable from inside a vGround; (3) high resource efficiency, achieving a sufficiently large scale of worm experiments; and (4) flexible and efficient experiment control, enabling fast (tens of seconds) and automatic generation, re-installation, and final tear-down of vGrounds. Our experiments with real-world worms (including multi-vector worms and polymorphic worms) have successfully exhibited their probing and propagation patterns, exploitation steps, and malicious payloads, demonstrating the value of vGrounds for worm detection and defense research.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Jiang, X., Xu, D., Wang, H.J., Spafford, E.H. (2006). Virtual Playgrounds for Worm Behavior Investigation. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_1
DOI: https://doi.org/10.1007/11663812_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31778-4
Online ISBN: 978-3-540-31779-1
eBook Packages: Computer Science (R0)