Catch me, if you can: evading network signatures with web-based polymorphic worms

Authors:
Matthew Van Gundy;Davide Balzarotti;Giovanni Vigna
Affiliations:
University of California, Davis;University of California, Santa Barbara;University of California, Santa Barbara
Venue:
WOOT '07 Proceedings of the first USENIX workshop on Offensive Technologies
Year:
2007

Citing 8
Cited 2

How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
A taxonomy of computer worms

Proceedings of the 2003 ACM workshop on Rapid malcode
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
MisleadingWorm Signature Generators Using Deliberate Noise Injection

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Polymorphic worm detection using structural information of executables

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Paragraph: thwarting signature learning by training maliciously

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

Mimimorphism: a new approach to binary code obfuscation

Proceedings of the 17th ACM conference on Computer and communications security
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

Information Sciences: an International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

Polymorphic worms are self-replicating malware that change their representation as they spread throughout networks in order to evade worm detection systems. A number of approaches to detect polymorphic worms have been proposed. These approaches use samples of a polymorphic worm (and of benign traffic as well) to derive a signature that can detect all instances of the worm without producing excessive false positives. Even though these systems claim to be able to generate signatures for any type of worm, all the examples that are used to show the ability to detect polymorphic worms are based on exploits that target memory corruption vulnerabilities. In this paper, we show how a different class of worms, namely those based on web vulnerabilities and scripting languages, can be much harder to detect than "traditional" polymorphic worms. We developed a polymorphic engine for PHP code and we tested the ability of state-of-the-art tools to detect this type of worm. The results of our experiments show that a PHP-based polymorphic worm would be able to successfully evade existing signature generation systems.