[Repost] Analyzing Worms using Compression
Article author: S. Wehner (wehner at cwi.nl)<BR>Original link: <A href="http://homepages.cwi.nl/~wehner/worms/" target=_blank>http://homepages.cwi.nl/~wehner/worms/</A><BR><BR>Given an unknown internet worm, can we determine its family? For example, given Sasser C, can we easily guess that it is a Sasser variant without any manual analysis if we are given Sasser A and B? It appears that this is possible using compression alone. Our tests below show that we can successfully cluster different kinds of worms using the standard compressor bzip2. The method is extremely simple. Given Sasser A, for example, it was very easy to determine that Sasser D was a Sasser variant without taking a single look at the file.<BR><DIV><BR><B>This project is work in progress. You can contribute! I'm looking for all kinds of worms. I'm especially looking for worms which come in more than one version. In particular, I would like to obtain Sasser variants other than A and D. Please send identified worms to <A href="mailto:worms@r4k.net">worms@r4k.net</A>. You can attach them without problems. Your name will be added to the acknowledgements below for eternal fame :) I've also used this method for traffic analysis. Since I don't have a lab setup to easily gather worm traffic, any full packet traces from worms are also appreciated.</B><BR><BR>
<H3>Introduction</H3><BR>
<DIV>The aim of this project is to investigate how techniques based on Kolmogorov Complexity can be applied to the analysis of internet worms. The Kolmogorov Complexity of an object is approximated using compression. This method does not search for specific patterns or use any other pre-selected features. Instead, we leave it to the compressor to figure out the similarities.<BR><BR>Each worm often comes in a number of variants. These are usually successive versions released by the author to extend the worm's functionality, as was the case with the recent Sasser worm. All such versions together form a family of related worms. Using the Normalized Compression Distance (NCD), we first cluster the different versions of worms by family. Computing the NCD of an unknown worm to a number of known worms then often allows us to guess its family. This very simple approach makes no use of the manual text comparisons or specially selected patterns from the worm that conventional analysis relies on. Many worms are compressed using UPX, which is then modified to prevent decompression for analysis. This approach still works even if UPX is used, although it becomes less accurate than without UPX. Therefore it may be a useful tool in the initial analysis of newly captured worms.</DIV><BR>
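<P>To make the method above concrete, here is an added example (my own code, not Wehner's and not part of the original page) that computes the NCD with Python's bz2 module, using the standard definition NCD(x,y) = (C(xy) - min{C(x),C(y)}) / max{C(x),C(y)}, where C is the compressed length. It clusters a constructed corpus by nearest-neighbour family, and shows why a packer hurts: the same distances are recomputed over packed samples. The family names alpha/beta/gamma, the synthetic byte strings, and the use of bzip2 itself as a stand-in for UPX are all assumptions; no real worm samples are involved.</P>

```python
"""Normalized Compression Distance (NCD) with bzip2 over a constructed corpus.

Added example, not the project's own code. The 'worm families' are synthetic
byte strings built by make_corpus() so the script runs offline; no real
malware is involved. Family names alpha/beta/gamma are assumptions.
"""
import bz2
import random


def compressed_size(data: bytes) -> int:
    """bzip2 length in bytes: the compression stand-in for Kolmogorov complexity."""
    return len(bz2.compress(data, compresslevel=9))


def ncd(x: bytes, y: bytes) -> float:
    """NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y)); ~0 related, ~1 unrelated."""
    cx, cy = compressed_size(x), compressed_size(y)
    return (compressed_size(x + y) - min(cx, cy)) / max(cx, cy)


def make_corpus(seed: int = 1, size: int = 6000, families=("alpha", "beta", "gamma")) -> dict:
    """Constructed samples: each family is one random byte string (incompressible, like
    compiled code); each variant rewrites a 10% region of it, the way a successive
    release changes part of the worm body. Returns {"alpha.A": bytes, ...}."""
    rng = random.Random(seed)

    def blob(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    corpus = {}
    patch_len = size // 10
    for family in families:
        base = blob(size)
        for version in "ABC":
            start = rng.randrange(0, size - patch_len)
            corpus[f"{family}.{version}"] = base[:start] + blob(patch_len) + base[start + patch_len:]
    return corpus


def family_of(name: str) -> str:
    return name.split(".")[0]


def classify(unknown: bytes, known: dict) -> tuple:
    """Nearest-neighbour guess: family of the known sample with the smallest NCD."""
    best = min(known, key=lambda n: ncd(unknown, known[n]))
    return family_of(best), ncd(unknown, known[best])


def leave_one_out_accuracy(corpus: dict) -> float:
    """Classify every sample against all the others; fraction guessed correctly."""
    hits = 0
    for name, data in corpus.items():
        others = {n: d for n, d in corpus.items() if n != name}
        guess, _ = classify(data, others)
        hits += guess == family_of(name)
    return hits / len(corpus)


def pack(data: bytes) -> bytes:
    """Stand-in for a runtime packer such as UPX (assumption: bzip2 plays the packer).
    A packer scrambles byte-level similarity, which is exactly what NCD relies on."""
    return bz2.compress(data)


def mean_within_family_ncd(corpus: dict, packed: bool = False) -> float:
    """Average NCD between variants of the same family, optionally after packing."""
    names = sorted(corpus)
    dists = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if family_of(a) != family_of(b):
                continue
            x, y = corpus[a], corpus[b]
            if packed:
                x, y = pack(x), pack(y)
            dists.append(ncd(x, y))
    return sum(dists) / len(dists)


if __name__ == "__main__":
    corpus = make_corpus()
    names = sorted(corpus)
    print("NCD matrix (bzip2):")
    for a in names:
        print(f"{a:8s}", " ".join(f"{ncd(corpus[a], corpus[b]):.2f}" for b in names))
    print("leave-one-out accuracy:", leave_one_out_accuracy(corpus))
    print("within-family NCD, plain :", round(mean_within_family_ncd(corpus), 2))
    print("within-family NCD, packed:", round(mean_within_family_ncd(corpus, packed=True), 2))
```

<P>Running the script prints the full distance matrix: same-family entries sit well below the cross-family ones, the leave-one-out classifier gets every sample right, and the packed within-family distances climb towards 1, which is the effect the experiments on UPX-compressed worms describe. On real samples the absolute values differ, so the useful signal is the ordering of distances, not any fixed threshold.</P>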
<HR>
<!--Table of Child-Links--><A name=CHILD_LINKS></A>
<UL>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/node4.html" name=tex2html18>Preliminaries</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/node23.html" name=tex2html37>Analyzing Worms</A>
<UL>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/node25.html" name=tex2html39>Method</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/ex1.html" name=tex2html40>Experiment 1: Different Classes of Worms</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/ex2.html" name=tex2html43>Experiment 2: Windows Worms</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/ex3.html" name=tex2html46>Experiment 3: UPX Compressed Windows Worms</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/ex4.html" name=tex2html49>Experiment 4: UPX Compressed Windows Worms after Decompression</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/ex5.html" name=tex2html52>Experiment 5: Clustering Worms and Legitimate Windows Programs</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/ex6.html" name=tex2html55>Experiment 6: Classifying Worms</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/open.html" name=tex2html58>Conclusion and Open Questions</A></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/ack.html" name=tex2html59>Acknowledgments</A></LI></UL></LI>
<LI><A href="http://homepages.cwi.nl/~wehner/worms/node46.html" name=tex2html60>Bibliography</A></LI></UL><!--End of Table of Child-Links--></DIV>