
Virtual Playgrounds for Worm Behavior Investigation

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3858)

Abstract

To detect and defend against Internet worms, researchers have long hoped for a safe, convenient environment in which to unleash and run real-world worms for close observation of their infection, damage, and propagation. However, major challenges exist in realizing such “worm playgrounds”, including the playgrounds’ fidelity, confinement, and scalability, as well as convenience in conducting worm experiments. In this paper, we present a virtualization-based platform that creates virtual worm playgrounds, called vGrounds, on top of a physical infrastructure. A vGround is an all-software virtual environment dynamically created for a worm attack. It has realistic end-hosts and network entities, all realized as virtual machines (VMs) and confined in a virtual network (VN). The salient features of vGround are: (1) high fidelity, supporting real worm code that exploits real vulnerable services; (2) strict confinement, making the real Internet totally invisible and unreachable from inside a vGround; (3) high resource efficiency, achieving a sufficiently large scale for worm experiments; and (4) flexible and efficient experiment control, enabling fast (tens of seconds) and automatic generation, re-installation, and final tear-down of vGrounds. Our experiments with real-world worms (including multi-vector worms and polymorphic worms) have successfully exhibited their probing and propagation patterns, exploitation steps, and malicious payloads, demonstrating the value of vGrounds for worm detection and defense research.




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Jiang, X., Xu, D., Wang, H.J., Spafford, E.H. (2006). Virtual Playgrounds for Worm Behavior Investigation. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_1


  • DOI: https://doi.org/10.1007/11663812_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1

  • eBook Packages: Computer Science, Computer Science (R0)
