
DATA MINING TECHNIQUES

3.5 Time and Logic Bombs

In software, a time bomb is a program that stops functioning once a prespecified time or date has been reached. Software companies usually build this into beta versions so that the software stops working after a certain date. An example is Windows Vista Beta 2, which stopped functioning on May 31, 2007 [Vista, 2007].

A logic bomb is a computer program that performs malicious activities when certain predefined conditions are met. This technique is sometimes injected into viruses or worms to increase their chances of surviving and spreading before they are caught.

An example of a logic bomb is the Fannie Mae bomb in 2008 [Claburn, 2009]. A logic bomb was discovered at the mortgage company Fannie Mae in October 2008. An Indian citizen and IT contractor, Rajendrasinh Babubhai Makwana, who worked in Fannie Mae's Urbana, Maryland, facility, allegedly planted it, and it was set to activate on January 31, 2009, to wipe all of Fannie Mae's 4,000 servers. As stated in [Claburn, 2009], Makwana had been terminated around 1:00 pm on October 24, 2008, and planted the bomb while he still had network access. He was indicted in a Maryland court on January 27, 2009, for unauthorized computer access.

3.6 Botnet

A botnet is a network of compromised hosts, or bots, under the control of a human attacker known as the botmaster. The botmaster can issue commands to the bots to perform malicious actions, such as recruiting new bots, launching coordinated DDoS attacks against some hosts, stealing sensitive information from the bot machine, sending mass spam emails, and so on. Thus, botnets have emerged as an enormous threat to the Internet community.

According to [Messmer, 2009], more than 12 million controlled by the top 10 notorious botnets. Among them, the highest number of compromised machines is due to the Zeus botnet. Zeus is a kind of Trojan (a malware) whose main purpose is to apply key-logging techniques to steal sensitive data such as login information (passwords, etc.), bank account numbers, and credit card numbers. One of its key-logging techniques is to inject fake HTML forms into online banking login pages to steal login information.

The most prevalent botnets are IRC botnets [Saha and Gairola, 2005], which have a centralized architecture. These botnets are usually very large and powerful, consisting of thousands of bots [Rajab et al., 2006]. However, their enormous size and centralized architecture also make them vulnerable to detection and demolition. Many approaches for detecting IRC botnets have been proposed recently ([Goebel and Holz, 2007], [Karasaridis et al., 2007], [Livadas et al., 2006], [Rajab et al., 2006]). Another type of botnet is the peer-to-peer (P2P) botnet. These botnets are distributed and much smaller than IRC botnets, so they are more difficult to locate and destroy. Many recent works on P2P botnets analyze their characteristics ([Grizzard et al., 2007], [Group, 2004], [Lemos, 2006]).
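The chapter notes that the centralized architecture of IRC botnets makes them easier to detect, and one of the cited approaches (Rishi, [Goebel and Holz, 2007]) does so by scoring IRC nicknames for bot-like patterns. The following is an added illustration, not code from the book or from the Rishi authors: a simplified nickname-scoring heuristic with hypothetical rules and threshold of my own, run over constructed IRC log lines, which then flags channels whose joining hosts all carry suspicious nicknames.

```python
import re
from collections import defaultdict

# Constructed sample log, "<client_ip> <raw IRC command>" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 NICK [DEU|XP|SP2]-48231
10.0.0.5 JOIN #upd4te
10.0.0.9 NICK alice_dev
10.0.0.9 JOIN #python
10.0.0.17 NICK USA|00|7731905
10.0.0.17 JOIN #upd4te
10.0.0.23 NICK bob
"""

# Hypothetical scoring rules (regex, points); the real Rishi rule set differs.
RULES = [
    (re.compile(r"^\[?[A-Z]{2,3}\|"), 3),  # country/OS tag prefix such as DEU| or [USA|
    (re.compile(r"\|"), 1),                # pipe-delimited fields
    (re.compile(r"\d{4,}"), 2),            # run of four or more digits
    (re.compile(r"^[\[\]|_-]"), 1),        # starts with a bracket, pipe or separator
]
THRESHOLD = 3  # hypothetical cut-off; tune against your own baseline traffic

def score_nick(nick):
    # Higher score means more bot-like; human nicks are rarely digit-heavy.
    score = sum(points for rx, points in RULES if rx.search(nick))
    if nick and sum(c.isdigit() for c in nick) / len(nick) > 0.4:
        score += 2
    return score

def _commands(log_text, verb):
    # Yield (client_ip, argument) for every line carrying the given IRC verb.
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1] == verb:
            yield parts[0], parts[2]

def suspicious_hosts(log_text, threshold=THRESHOLD):
    # Map client IP -> (nick, score) for hosts whose nick reaches the threshold.
    scored = ((ip, nick, score_nick(nick)) for ip, nick in _commands(log_text, "NICK"))
    return {ip: (nick, s) for ip, nick, s in scored if s >= threshold}

def suspect_channels(log_text, threshold=THRESHOLD):
    # Channels joined only by flagged hosts: candidate command-and-control rendezvous points.
    flagged = set(suspicious_hosts(log_text, threshold))
    members = defaultdict(set)
    for ip, channel in _commands(log_text, "JOIN"):
        members[channel].add(ip)
    return {chan for chan, ips in members.items() if ips <= flagged}
```

On the constructed log the two tagged, digit-heavy nicknames are flagged and the channel they share is reported, while the human-looking nicknames and their channel are not.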

3.7 Spyware

As stated in [Spyware, 2011], spyware is a type of malware that can be installed on computers and collects information about users without their knowledge. For example, spyware observes the web sites visited by the user, the emails sent by the user, and, in general, the activities carried out by the user on his or her computer. Spyware is usually hidden from the user. However, sometimes employers install spyware to find out the computer activities of their employees.

An example of spyware is keylogger (also called keystroke logging) software. As stated in [Keylogger, 2011], keylogging is the action of tracking the keys struck on a keyboard, usually in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

Another example of spyware is adware, where advertisements pop up on the computer while the person is doing some usually unrelated activity. In this case, the spyware monitors the web sites surfed by the user and carries out targeted marketing using adware.

3.8 Summary

In this chapter, we have provided an overview of malware (also known as malicious software). We discussed various types of malware, such as viruses, worms, time and logic bombs, Trojan horses, botnets, and spyware. As we have stated, malware is causing chaos in society and in the software industry. Malware technology is getting more and more sophisticated. Developers of malware are continuously changing patterns so as not to get caught. Therefore, developing solutions to detect and/or prevent malware has become an urgent need.

In this book, we discuss the tools we have developed to detect malware. In particular, we discuss tools for email worm also discuss our stream mining tool that could potentially detect changing malware. These tools are discussed in Parts III through VII of this book. In Chapter 4, we will summarize the data mining tools we discussed in our previous book [Awad et al., 2009]. The tools discussed in the current book have been influenced by the tools discussed in [Awad et al., 2009].

References

[Awad et al., 2009] Awad, M., L. Khan, B. Thuraisingham, L. Wang, Design and Implementation of Data Mining Tools, CRC Press, 2009.

[CME, 2011] http://cme.mitre.org

[Claburn, 2009] Claburn, T., Fannie Mae Contractor Indicted for Logic Bomb, InformationWeek, http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=212903521

[Dressler, 2007] Dressler, J., "United States v. Morris": Cases and Materials on Criminal Law, St. Paul, MN, Thomson/West, 2007.

[Frei et al., 2008] Frei, S., B. Tellenbach, B. Plattner, 0-Day Patch—Exposing Vendors' (In)security Performance, techzoom.net Publications, http://www.techzoom.net/publications/0-day-patch/index.en

[Goebel and Holz, 2007] Goebel, J., and T. Holz, Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation, in USENIX/Hotbots '07 Workshop, 2007.

[Grizzard et al., 2007] Grizzard, J. B., V. Sharma, C. Nunnery, B. B. Kang, D. Dagon, Peer-to-Peer Botnets: Overview and Case Study, in USENIX/Hotbots '07 Workshop, 2007.

[Group, 2004] LURHQ Threat Intelligence Group, Sinit p2p Trojan Analysis, LURHQ, http://www.lurhq.com/sinit.html

[Karasaridis et al., 2007] Karasaridis, A., B. Rexroad, D. Hoeflin, Wide-Scale Botnet Detection and Characterization, in USENIX/Hotbots '07 Workshop, 2007.

[Keylogger, 2011] http://en.wikipedia.org/wiki/Keystroke_logging

[Kim and Karp, 2004] Kim, H. A., and B. Karp, Autograph: Toward Automated, Distributed Worm Signature Detection, in Proceedings of the 13th USENIX Security Symposium (Security 2004), 2004, pp. 271–286.

[Lemos, 2006] Lemos, R., Bot Software Looks to Improve Peerage, http://www.securityfocus.com/news/11390

[Livadas et al., 2006] Livadas, C., B. Walsh, D. Lapsley, T. Strayer, Using Machine Learning Techniques to Identify Botnet Traffic, in 2nd IEEE LCN Workshop on Network Security (WoNS'2006), November 2006.

[Masud et al., 2007] Masud, M., L. Khan, B. Thuraisingham, E-mail Worm Detection Using Data Mining, International Journal of Information Security and Privacy, Vol. 1, No. 4, 2007, pp. 47–61.

[Masud et al., 2008] Masud, M., L. Khan, B. Thuraisingham, A Scalable Multi-level Feature Extraction Technique to Detect Malicious Executables, Information System Frontiers, Vol. 10, No. 1, 2008, pp. 33–45.

[Messmer, 2009] Messmer, E., America's 10 Most Wanted Botnets, Network World, July 22, 2009, http://www.networkworld.com/news/2009/072209-botnets.html

[Newsome et al., 2005] Newsome, J., B. Karp, D. Song, Polygraph: Automatically Generating Signatures for Polymorphic Worms, in Proceedings of the IEEE Symposium on Security and Privacy, 2005, pp. 226–241.

[Rajab et al., 2006] Rajab, M. A., J. Zarfoss, F. Monrose, A. Terzis, A Multifaceted Approach to Understanding the Botnet Phenomenon, in Proceedings of the 6th ACM SIGCOMM on Internet Measurement Conference (IMC), 2006, pp. 41–52.

[Saha and Gairola, 2005] Saha, B., and A. Gairola, Botnet: An Overview, CERT-In White Paper CIWP-2005-05, 2005.

[SecureList, 2011] Securelist.com Threat Analysis and Information, Kaspersky Labs, http://www.securelist.com/en/threats/detect

[Signature, 2011] Virus Signature, PC Magazine Encyclopedia, http://www.pcmag.com/encyclopedia_term/0,2542,t=virus+signature&i=53969,00.asp

[Spyware, 2011] http://en.wikipedia.org/wiki/Spyware

[Trojan Horse, 2011] http://en.wikipedia.org/wiki/Trojan_horse_(computing)

[Vista, 2007] Windows Vista, http://windows.microsoft.com/en-us/windows-vista/products/home

4

DATA MINING FOR SECURITY