HoneyIM: Fast detection and suppression of instant messaging malware in enterprise-like networks

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2007, Pages 64-73

  Xie, Mengjun ^a   Wu, Zhenyu ^a   Wang, Haining ^a  

^a The College of William and Mary

Author keywords

[No Author keywords available]

Indexed keywords

AND RECOVERY; COMPUTER SECURITY APPLICATIONS; CONTACT LIST; CORE DESIGNS; FALSE POSITIVE; FALSE POSITIVE RATE; HONEY POT; IM SERVICES; INSTANT MESSAGING; MALWARE; MALWARE DETECTION; NETWORK ADMINISTRATORS; NETWORK ENVIRONMENTS; OPEN SOURCES; REAL EXPERIMENTS; SOCIAL ENGINEERING; SUPPRESSION MECHANISM;

COMPUTER APPLICATIONS; MESSAGE PASSING; POLARIZATION; SECURITY OF DATA; SECURITY SYSTEMS; TECHNOLOGY; TURBULENT FLOW; WORLD WIDE WEB;

COMPUTER CRIME;

EID: 48649108112     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2007.24     Document Type: Conference Paper

References (35)

1. Pidgin. http://pidgin.im/, 2007.
2. T. Bu and D. Towsley. On Distinguishing Between Internet Power Law Topology Generators. In Proceedings of the 2002 IEEE INFOCOM, pages 638-647, New York, NY, June 2002.
3. A. Gostev. Social engineering: the latest chapter. http://www.viruslist. com/en/weblog?weblogid=168136245, August 2005.
4. M. Hicks. Reuters suspends im service due to kelvir worm. http://www.eweek.com/article2/0,1759,1786151,00.asp, Apri 2005.
5. N. Hindocha and E. Chien. Malicious Threats and Vulnerabilities in Instant Messaging. http://www.symantec.com/avcenter/reference/malicious.threats. instant.me%ssaging.pdf, 2003.
6. IBM. Lotus Sametime. http://www-142.ibm.com/software/sw-lotus/sametime.
7. Kaspersky. IM-Worm.Win32.Bropia.aj. http://www.viruslist.com/en/viruses/ encyclopedia?virusid=72841.
8. Kaspersky. IM-Worm.Win32.Opanki.d. http://www.viruslist.com/en/viruses/ encyclopedia?virusid=84950.
9. N. Leavitt. Instant messaging: A new target for hackers. Computer, 38(7):20-23, July 2005.
10. Z. Liu and D. Lee. Coping with instant messaging worms - statistical modeling and analysis. In Proceedings of the 15th IEEE Workshop on Local and Metropolitan Area Networks, Princeton, NJ, June 2007.
11. Z. Liu, G. Shu, N. Li, , and D. Lee. Defending against instant messaging worms. In Proceedings of IEEE GLOBECOM 2006, pages 1-6, San Francisco, CA, Nov. 2006.
12. M. Mannan and P. C. van Oorschot. Secure Public Instant Messaging: A Survey. In Proceedings of the 2nd Annual Conference on Privacy, Security, and Trust, pages 69-77, Fredericton, NB, Canada, 2004.
13. M. Mannan and P. C. van Oorschot. On Instant Messaging Worms, Analysis and Countermeasures. In Proceedings of WORM 2005, pages 2-11, Fairfax, VA, Nov. 2005.
14. Microsoft. Office Live Communications Server. http://www.microsoft.com/ office/livecomm/prodinfo/default.mspx.
15. C. D. Morse and H. Wang. The Structure of An Instant Messenger Network and Its Vulnerability to Malicious Codes. In Proceedings of ACM SIGCOMM 2005 Poster Session, Philadelphia, PA, Aug. 2005.
16. Netfilter. iptables project. http://www.netfilter.org/projects/iptables/.
17. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th NDSS, San Diego, CA, Feb. 2005.
18. Norman. Norman sandbox whitepaper. http://download.norman.no/whitepapers/ whitepaper_Norman_SandBox.pdf.
19. G. Portokalidis, A. Slowinska, and H. Bos. Argos: an emulator for fingerprinting zeroday attacks. In Proceedings of the EUROSYS 2006, Leuven, Belgium, April 2006.
20. C. Raiu. The IM worms armada. http://www.viruslist.com/en/weblog? weblogid=203678309, October 2006.
21. R. Schouwenberg. Kelvir changes its approach. http://www.viruslist.com/ en/weblog?weblogid=162243612, April 2005.
22. R. Schouwenberg. Do you like photos? http://www.viruslist.com/en/weblog? weblogid=199354341, Sept. 2006.
23. R. Schouwenberg. MSN filter bypassing - part 2. http://www.viruslist.com/ en/weblog?weblogid=199850358, Sept. 2006.
24. R. D. Smith. Instant Messaging as a Scale-Free Network. http://arxiv.org/abs/cond-mat/0206378v2, 2002.
25. Sophos. Troj/Kelvir-M. http://www.sophos.com/virusinfo/analyses/ trojkelvirm.html.
26. Sophos. W32/Jitux-A. http://www.sophos.com/virusinfo/analyses/w32jituxa. html.
27. Sophos. W32/Kelvir-F. http://www.sophos.com/virusinfo/analyses/ w32kelvirf.html.
28. Sophos. W32/Kelvir-Q. http://www.sophos.com/virusinfo/analyses/ w32kelvirq.html.
29. R. Steenson and C. Seifert. Capture: A high interaction client honeypot. http://www.nz-honeynet.org/capture.html.
30. The Honeynet Project. Know Your Enemy: Learning about Security Threats (2nd Edition). Addison-Wesley Professional, May 2004.
31. A. J. Trivedi, P. Q. Judge, and S. Krasser. Analyzing Network and Content Characteristics of Spim Using Honeypots. In Proceedings of the 3rd USENIX SRUTI, Santa Clara, CA, June 2007.
32. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. King. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proceedings of the 13th NDSS, San Diego, CA, Feb. 2006.
33. M. M. Williamson, A. Parry, and A. Byde. Virus throttling for instant messaging. Technical report, HP Lab Bristol, May 2004.
34. Z. Xiao, L. Guo, and J. Tracey. Understanding Instant Messaging Traffic Characteristics. In Proceedings of the 27th ICDCS, Toronto, Canada, June 2007.
35. C. C. Zou, D. Towsley, and W. Gong. Modeling and Simulation Study of the Propagation and Defense of Internet Email Worm. IEEE Transactions on Dependable and Secure Computing, 4(2):105-118, April-June 2007.