'Last-minute' presentations

15:40 - 16:00 Andrew Walenstein University of Louisiana at Lafayette
16:00 - 16:20 Erik Wu and Feike Hacquebord Trend Micro

15:40 - 16:00 Andrew Walenstein. Phylogenetic comparisons of malware
The presentation will focus on the evolutionary history of botnet trojans. Malware evolves over time. Like any software 'product', bugs are fixed, features are added, and changes are made as the operating systems evolve. Plus, like some other products, new malware projects may be based on previous ones, or may import software from other projects in the form of libraries or imported routines.

The presentation has three main sections, described in more detail below:

  • Background & motivation - the problems of understanding and relating different samples.
  • Phylogenetic techniques - how phylogenetic models are constructed for malware, including a review of the three main types of methods published.
  • Bot families & evolution - exploration of different phylogenetic models using thousands of bots and two different phylogeny generation techniques.
  • Summary/software

Part 1: Background & motivation. This section ensures the audience understands the purpose of the talk. It will briefly explain the basic problem: that malware evolves, that tracking this evolution is difficult and important, and that understanding how malware evolves is key to knowing how to defend against it.

Part 2: Phylogenetic techniques. This section introduces the material needed to follow the primary content of the talk. It will present the key ideas behind constructing phylogenetic models of malware, including the basic approach to reconstructing derivation trees or networks. Three main methods for doing so (including one presented at VB2002) will be described, and references will be cited for those wishing to follow up on the techniques, including a link to our own free software for computing these phylogenies.

Part 3: Bot families & evolution. To keep the presentation focused and topical, it concentrates on Agobot, since it has been used as the basis of several of the main bot families. It also concentrates on the application of phylogenies, unlike previous work in the area, which has primarily been proof-of-concept. First, the question of how 'good' the phylogeny models can be is raised. Using a lattice of generated Agobot descendants, the 'goodness' of two different phylogeny extraction techniques is measured. A basic recipe is given for applying this lattice-based phylogeny evaluation method to any other malware that can be broken down into functional pieces. Second, the evolution of Agobot-related families is retraced using thousands of bot samples in addition to our generated Agobot descendants. Unlike prior proof-of-concept work, we use the extracted phylogeny models to identify sub-families that are seen to be closely related, and to identify likely key evolution branch points.
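The lattice-based evaluation recipe above, as an added illustration that is not the speaker's software or method: samples are modelled as sets of hypothetical functional pieces, descendants are generated from a known parent so the true derivation tree is known, a phylogeny is extracted as the minimum spanning tree over Jaccard distances (one of several possible extraction techniques, chosen here for simplicity), and 'goodness' is scored as the fraction of true parent-child links recovered. All sample names and piece labels are constructed for the example.

```python
"""Lattice-based evaluation of a phylogeny extraction technique.
Each sample is a set of functional pieces; descendants were 'generated'
from a known parent, so the extracted tree can be scored against truth."""
from itertools import combinations

# Constructed, hypothetical pieces of an Agobot-like lineage (illustrative
# labels only, not real Agobot components). Comments give the true parent.
SAMPLES = {
    "A0": {"irc", "scan_dcom", "keylog"},
    "A1": {"irc", "scan_dcom", "keylog", "ddos"},           # parent A0
    "A2": {"irc", "scan_dcom", "keylog", "ddos", "sniff"},  # parent A1
    "A3": {"irc", "scan_dcom", "ddos", "polymorph"},        # parent A2 (keylog, sniff dropped)
    "B1": {"irc", "scan_dcom", "keylog", "rootkit"},        # parent A0
    "B2": {"irc", "keylog", "rootkit", "p2p"},              # parent B1 (scan dropped)
}
# Ground truth from the generation step, stored as undirected links.
TRUE_EDGES = {frozenset(e) for e in
              [("A0", "A1"), ("A1", "A2"), ("A2", "A3"), ("A0", "B1"), ("B1", "B2")]}

def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|: 0 for identical feature sets, 1 for disjoint."""
    return 1.0 - len(a & b) / len(a | b)

def mst_phylogeny(samples):
    """Extract a derivation tree as the minimum spanning tree of pairwise
    Jaccard distances (Kruskal's algorithm with union-find)."""
    parent = {s: s for s in samples}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    pairs = sorted((jaccard_distance(samples[u], samples[v]), u, v)
                   for u, v in combinations(sorted(samples), 2))
    edges = set()
    for _, u, v in pairs:
        ru, rv = find(u), find(v)
        if ru != rv:            # joining two components: keep the link
            parent[ru] = rv
            edges.add(frozenset((u, v)))
    return edges

def goodness(extracted, truth):
    """Fraction of true parent-child links the extracted tree recovers."""
    return len(extracted & truth) / len(truth)

if __name__ == "__main__":
    tree = mst_phylogeny(SAMPLES)
    for e in sorted(tuple(sorted(x)) for x in tree):
        print("%s -- %s" % e)
    print("goodness:", goodness(tree, TRUE_EDGES))
```

Here the extraction misattaches A3 to A1 because A3 dropped two pieces inherited from A2, so the score is 0.8 rather than 1.0; this is exactly the kind of error the lattice comparison is meant to surface.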

16:00 - 16:20 Erik Wu and Feike Hacquebord. Can you trust your DNS? A case study of a large-scale rogue DNS network
The DNS (Domain Name System) service is one of the most important Internet services allowing users to enter website domain name addresses like www.vb2007.com instead of the site's numerical IP address, which can be difficult to remember. DNS is responsible for translating entered domain names to their equivalent IP addresses. In this case, it translates www.vb2007.com to, say, 198.252.244.2.

But can users trust a DNS server? What if the user's system is infected by a rogue DNS-changing trojan that directs users to a rogue DNS server? In this case, the rogue DNS server can translate www.vb2007.com to an IP address controlled by bad guy(s), who can present a fake website looking like the legitimate VB2007 site to steal user personal information.

In this talk, we are going to present an in-depth analysis of a real, large-scale rogue DNS network, which is comprised of more than 600 identical rogue DNS servers. We are going to show concrete examples and to discuss how the rogue DNS servers are used for click fraud and stealing personal information. We will also describe how to automatically detect such a large-scale rogue DNS network, and to prevent rogue DNS attacks in the future.

The fact that such a large-scale rogue DNS network exists suggests that the bad guys are making a lot of profit by deploying their rogue DNS servers. Rogue DNS-changing trojans and their corresponding servers are a serious threat to Internet users; the fact that changes to DNS settings might remain unnoticed by affected users for a long time makes them especially dangerous. A rogue DNS server can monitor a user's Internet surfing habits over a long period of time. The bad guys behind the rogue DNS servers can also launch targeted attacks aimed at limited groups of infected Internet users.
