'Last-minute' presentations
15:40 - 16:00 Andrew Walenstein, University of Louisiana at Lafayette
16:00 - 16:20 Erik Wu and Feike Hacquebord, Trend Micro
15:40 - 16:00 Andrew Walenstein. Phylogenetic comparisons of malware
The presentation will focus on the evolutionary history of botnet trojans. Malware evolves over time.
Like any software 'product', bugs are fixed, features are added, and changes are made as the operating
systems evolve. Plus, like some other products, new malware projects may be based on previous ones,
or may import software from other projects in the form of libraries or imported routines.
The presentation has three main sections, described in more detail below:
- Background & motivation - the problems of understanding and relating different samples.
- Phylogenetic techniques - a review of the three main types of methods published.
- Bot families & evolution - exploration of different phylogenetic models using thousands of bots and
two different phylogeny generation techniques.
- Summary/software
Part 1: Background & motivation. This section ensures the audience understands the purpose
of the talk. It will briefly explain the basic problem: that malware evolves, that tracking this
evolution is difficult and important, and that understanding how the malware evolves is key to
knowing how to defend against it.
Part 2: Phylogenetic techniques. This section introduces the material needed to follow the
primary content of the talk. It will introduce the key ideas behind phylogenetic model
construction for malware, including the basic idea of how to reconstruct derivation trees or
networks. Three main methods for doing so (including one presented at VB2002) will be described,
and references will be cited for those wishing to follow up on the techniques, including a link
to our own free software for computing these phylogenies.
Part 3: Bot families & evolution. To keep the presentation focused and topical, it
concentrates on Agobot, which has been used as the basis of several of the main bot families.
It also focuses on the application of phylogenies, unlike previous work in the area, which has
primarily been proof-of-concept. First, the question of how 'good' the phylogeny models can be
is raised. Using a lattice of generated Agobot descendants, the 'goodness' measures of two different
phylogeny extraction techniques are measured. A basic recipe is given for how to use this
lattice-based phylogeny evaluation method for any other malware that can be broken down into
functional pieces. Second, the evolution of Agobot-related families is retraced using thousands
of bot samples in addition to our generated Agobot descendants. Unlike prior proof-of-concept work,
we use extracted phylogeny models to identify sub-families that are seen to be closely related,
and to identify likely key evolution branch points.
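To make the idea in Parts 2 and 3 concrete, here is an added illustration (not the speaker's software, and not necessarily any of the three methods the talk reviews) of one simple way to reconstruct a derivation tree from samples: each sample is reduced to its set of byte 4-grams, pairwise Jaccard distances are computed, and UPGMA (average-linkage clustering) merges the closest clusters into a tree. The byte strings standing in for bot binaries are constructed: v2 extends v1, v3 extends v2, and x1 belongs to an unrelated family that shares only boilerplate.

```python
"""Toy malware phylogeny: byte n-gram features, Jaccard distance, UPGMA tree.

Added example. The samples are constructed stand-ins for binaries; the
feature/distance/clustering choices are illustrative assumptions, not the
talk's method.
"""
from itertools import combinations


def ngrams(data: bytes, n: int = 4) -> frozenset:
    """Set of all length-n byte windows in a sample."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))


def jaccard_distance(a: frozenset, b: frozenset) -> float:
    """1 - |A & B| / |A | B|: 0.0 for identical feature sets, 1.0 for disjoint ones."""
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def distance_matrix(samples: dict, n: int = 4) -> dict:
    """Pairwise distances keyed by frozenset({name1, name2})."""
    feats = {name: ngrams(data, n) for name, data in samples.items()}
    return {frozenset((x, y)): jaccard_distance(feats[x], feats[y])
            for x, y in combinations(samples, 2)}


def upgma(dist: dict, names) -> object:
    """Average-linkage clustering. Leaves are names; internal nodes are
    frozensets of two children, so the result does not depend on merge order."""
    clusters = {name: (name, 1) for name in names}   # key -> (subtree, leaf count)
    d = dict(dist)
    while len(clusters) > 1:
        pair = min(d, key=d.get)                     # closest pair of clusters
        a, b = tuple(pair)
        (ta, na), (tb, nb) = clusters.pop(a), clusters.pop(b)
        del d[pair]
        key = f"({a}|{b})"
        for c in clusters:                           # size-weighted mean distance to the merged cluster
            d[frozenset((key, c))] = (na * d.pop(frozenset((a, c)))
                                      + nb * d.pop(frozenset((b, c)))) / (na + nb)
        clusters[key] = (frozenset((ta, tb)), na + nb)
    return next(iter(clusters.values()))[0]


def newick(tree) -> str:
    """Render the tree in Newick notation, sorting children for stable output."""
    if isinstance(tree, str):
        return tree
    return "(" + ",".join(sorted(newick(c) for c in tree)) + ")"


# Constructed stand-ins for bot binaries (command-string "features" only).
BASE = b"init;connect irc;join channel;ddos syn;ddos udp;update self;"
SAMPLES = {
    "v1": BASE,                          # ancestor
    "v2": BASE + b"keylog;",             # v1 plus one added capability
    "v3": BASE + b"keylog;spread;",      # v2 plus one more
    "x1": b"init;mail spam;harvest addr;",  # unrelated family
}


def build_tree(samples=SAMPLES, n=4):
    """Full pipeline: features -> distances -> UPGMA tree."""
    return upgma(distance_matrix(samples, n), list(samples))


if __name__ == "__main__":
    print(newick(build_tree()))
```

With the constructed samples, v2 and v3 merge first (the smallest distance), v1 joins that cluster next, and the unrelated x1 attaches last, which is the shape a "lattice of generated descendants" experiment would use as ground truth when scoring how well an extraction technique recovers known derivation relationships.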
16:00 - 16:20 Erik Wu and Feike Hacquebord. Can you trust your DNS? A case study of a large-scale rogue DNS network
The DNS (Domain Name System) service is one of the most important Internet services: it allows users to enter
website domain names such as www.vb2007.com instead of the site's numerical IP address, which can be difficult
to remember. DNS is responsible for translating entered domain names to their equivalent IP addresses. In this
case, it translates www.vb2007.com to, say, 198.252.244.2.
But can users trust a DNS server? What if the user's system is infected by a rogue DNS-changing trojan that
directs users to a rogue DNS server? In this case, the rogue DNS server can translate www.vb2007.com to an IP
address controlled by the bad guy(s), who can present a fake website that looks like the legitimate VB2007 site
to steal users' personal information.
In this talk, we are going to present an in-depth analysis of a real, large-scale rogue DNS network, which
consists of more than 600 identical rogue DNS servers. We will show concrete examples and discuss how the
rogue DNS servers are used for click fraud and for stealing personal information. We will also describe how
to automatically detect such a large-scale rogue DNS network, and how to prevent rogue DNS attacks in the future.
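As an added illustration of the detection problem the abstract raises (this is not the speakers' system, and every address and answer below is constructed), the following host-side check combines three signals that a DNS-changing trojan leaves behind: the configured resolver is no longer one of the expected (DHCP-issued) servers, the suspect resolver's answers for a set of canary domains disagree with a trusted resolver, and several unrelated domains resolve to the same address, which is what a resolver funnelling traffic to a proxy for click fraud or credential theft looks like. The expected resolver set, the resolv.conf text and both answer tables are constructed inputs; a real deployment would obtain them from the host and a known-good resolver.

```python
"""Host-side rogue resolver check (added example, constructed data only).

Signals:
  1. configured resolver not in the expected (DHCP-issued) set
  2. canary-domain answers that disagree with a trusted resolver
  3. one IP returned for several unrelated canary domains
"""
import ipaddress
from collections import defaultdict

# Constructed: resolvers the network normally hands out via DHCP.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed: answers for canary domains from a resolver reached over a trusted path.
TRUSTED_ANSWERS = {
    "www.vb2007.com": "198.252.244.2",
    "bank.example": "198.51.100.10",
    "mail.example": "198.51.100.25",
    "shop.example": "203.0.113.40",
}

# Constructed: answers for the same canaries from the resolver the host is now using.
SUSPECT_ANSWERS = {
    "www.vb2007.com": "203.0.113.66",
    "bank.example": "203.0.113.66",
    "mail.example": "198.51.100.25",
    "shop.example": "203.0.113.66",
}

# Constructed: resolver configuration as found on the host.
RESOLV_CONF = """\
# /etc/resolv.conf (constructed sample)
search example
nameserver 203.0.113.5
nameserver 192.0.2.53
"""


def parse_resolvers(resolv_conf: str) -> list:
    """Return nameserver addresses in order, skipping comments and malformed lines."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                out.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:       # not a valid IP literal: ignore the line
                continue
    return out


def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS) -> list:
    """Configured resolvers that are not in the expected set."""
    return [r for r in configured if r not in expected]


def answer_mismatches(suspect, trusted=TRUSTED_ANSWERS) -> dict:
    """Canary domains where the suspect resolver disagrees with the trusted one."""
    return {d: (suspect[d], trusted[d])
            for d in trusted if d in suspect and suspect[d] != trusted[d]}


def sinkhole_candidates(suspect, min_domains=2) -> dict:
    """Addresses returned for several unrelated canary domains."""
    by_ip = defaultdict(list)
    for domain, ip in suspect.items():
        by_ip[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


def assess(resolv_conf=RESOLV_CONF, suspect=SUSPECT_ANSWERS) -> dict:
    """Combine the three signals into a report with a coarse verdict."""
    report = {
        "unexpected_resolvers": unexpected_resolvers(parse_resolvers(resolv_conf)),
        "mismatches": answer_mismatches(suspect),
        "sinkholes": sinkhole_candidates(suspect),
    }
    signals = sum(1 for v in report.values() if v)
    report["verdict"] = "rogue" if signals >= 2 else "suspicious" if signals == 1 else "clean"
    return report


if __name__ == "__main__":
    for k, v in assess().items():
        print(f"{k}: {v}")
```

The verdict is deliberately coarse: a single mismatch can be a legitimate CDN or geo-DNS difference, so the check only reports "rogue" when an unexpected resolver is paired with divergent or collapsed answers. On a network sensor the same comparison can be run against resolver traffic instead of resolv.conf, which is the scale at which a 600-server network becomes visible.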
The fact that there is such a large-scale rogue DNS network suggests that the bad guys are making a lot of
profit by deploying their rogue DNS servers. Rogue DNS-changing trojans and their corresponding servers are a
serious threat to Internet users; the fact that changes in DNS settings might remain unnoticed by affected users
for a long time makes them especially dangerous, since a rogue DNS server can monitor users' Internet surfing
habits for a long period of time. The bad guys behind the rogue DNS servers can also launch targeted attacks
aimed at limited groups of infected Internet users.