Implementation is a must
Should be able to capture a few known viruses
Have to do pretty well to get A
Group Members:
Nooruddin Abbas Ali Shah (2004-02-0135)
Shamsulhaq Niaz (2004-02-0170)
Project Name:
Malicious Mobile Code (Propagation & Detection)
Motivation:
Mobile code is software that is transmitted across a network from a remote
source to a local system and is then executed on that local system, often without explicit
action on the part of the user. The local system may be a personal computer or a PDA,
mobile phone, Internet appliance, etc. Mobile code differs from traditional software in
that it need not be installed or executed explicitly by the user. Examples of mobile code
include ActiveX controls, Java applets, scripts run within the browser, and HTML email.
Mobile code is also known as downloadable code and active content.
Malicious mobile code may carry worms, viruses, Trojan horses and the like, which can copy
files, wipe out a hard disk, steal passwords, take control of servers or transfer funds. It can
be transmitted through Web sites, downloads and email. Numerous malicious mobile code attacks
have been documented, both by researchers and by virus writers themselves.
While mobile code attacks can take many forms, there are four primary types of assault:
Distributed Denial of Service. Compromised machines (zombie agents) automatically generate
large numbers of requests, for example hundreds of authentication requests, to clog a server.
Data Modification. The mobile code is instructed to access a file on a local or network
drive and modify, delete or overwrite it with new data. Sometimes this type of mobile code
is used to modify system settings or browser security settings, lowering the barrier for the
next attack.
Data Export. Malicious mobile code can steal information from the computer and forward it
over the Internet or by email to an attacker. For instance, many Trojan horses forward the
user's name and password to an anonymous email address; a third party can then use the
password to access protected resources.
Launch Point. The malicious mobile code uses the targeted computer as a base from which to
infect and attack other computers, which is how worms spread.
Detection Techniques:
Advanced detection and alert functions are important components of an effective
malicious mobile code security system. No single technique is sufficient, so a multi-layered
strategy should be implemented:
Signature Scanning. Recognizes the byte-level "fingerprints" of known malicious code and
alerts the user. It is precise and cheap, but by definition it only catches code whose
signature is already in the database; a new variant, or a sample that has been repacked or
encrypted, passes through.
Import Scanning. Executable mobile code must call certain operating system (OS) functions in
order to work (open network connections, write files, start processes, change registry
settings), so it carries with it an "import list" naming those functions: for a Win32
executable this is the import table of the PE file. We scan the code for this list and flag
combinations of functions that are characteristic of malicious behaviour. This catches
unknown samples that signature scanning misses, at the cost of some false positives.
Heuristics. Rules of thumb about the structure and behaviour of the code may be used to judge
whether a piece of mobile code is likely to be harmful.
Digital Signatures. A code-signing signature identifies the origin of the mobile code and
reveals whether it has been modified since it was signed, and hence helps estimate the
probability of it being malicious. Note that a valid signature vouches for the publisher and
the integrity of the code, not for its harmlessness, so it should raise or lower suspicion
rather than decide the verdict on its own.
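The two scanning steps named above, as an added Python illustration (this is not the project's own code, which the outline says will be written in C): it builds a minimal PE32 image containing only an import table, walks that table as import scanning requires, weights the imported functions, and separately matches a wildcard byte signature against the file. The PE builder, the sample import lists, the signature name "Demo.Dropper", its byte pattern and the weights are all constructed for this example and describe no real malware.

```python
import re
import struct

SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # the single section's RVA and file offset

def build_pe(imports, extra=b""):
    """Constructed PE32 image whose one section holds an import table (+ extra bytes)."""
    ndesc = len(imports) + 1                          # +1 for the null terminator
    sec = bytearray(20 * ndesc)                       # import descriptors come first
    for i, (dll, funcs) in enumerate(imports.items()):
        name_rvas = []
        for f in funcs:                               # IMAGE_IMPORT_BY_NAME: hint + name
            sec += b"\0" * (len(sec) % 2)
            name_rvas.append(SECTION_RVA + len(sec))
            sec += b"\0\0" + f.encode() + b"\0"
        dll_rva = SECTION_RVA + len(sec)
        sec += dll.encode() + b"\0"
        sec += b"\0" * (-len(sec) % 4)                # thunk arrays are 4-byte aligned
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        int_rva = SECTION_RVA + len(sec); sec += thunks   # import name table
        iat_rva = SECTION_RVA + len(sec); sec += thunks   # import address table
        struct.pack_into("<IIIII", sec, 20 * i, int_rva, 0, 0, dll_rva, iat_rva)
    sec += extra
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, SECTION_RVA, 20 * ndesc)   # import directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), SECTION_RVA,
                       len(sec), SECTION_RAW, 0, 0, 0, 0, 0xC0000040)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    return bytes((dos + b"PE\0\0" + coff + opt + sect).ljust(SECTION_RAW, b"\0") + sec)

def parse_imports(pe):
    """Import scanning, step 1: walk the import table -> {dll: [function, ...]}."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    imp_rva, = struct.unpack_from("<I", pe, opt + 104)   # data directory entry 1
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]    # (VirtualSize, VirtualAddress, RawSize, RawPtr)
    def rva2off(rva):                     # RVA -> file offset via the section table
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA %#x not backed by any section" % rva)
    def cstr(off):
        return pe[off:pe.index(b"\0", off)].decode("ascii")
    result, off = {}, rva2off(imp_rva)
    while True:                           # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        int_rva, _, _, dll_rva, iat_rva = struct.unpack_from("<IIIII", pe, off)
        if dll_rva == 0:
            break
        funcs, thunk = [], rva2off(int_rva or iat_rva)   # some linkers omit the INT
        while (entry := struct.unpack_from("<I", pe, thunk)[0]) != 0:
            funcs.append("#%d" % (entry & 0xFFFF) if entry & 0x80000000   # by ordinal
                         else cstr(rva2off(entry) + 2))                   # skip the hint
            thunk += 4
        result[cstr(rva2off(dll_rva)).lower()] = funcs
        off += 20
    return result

# Signature scanning: byte patterns with ?? wildcards.  Constructed demo pattern only.
SIGNATURES = {"Demo.Dropper": "68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 00"}

def scan_signatures(data, signatures=SIGNATURES):
    """Return [(name, offset)] for each signature whose pattern occurs in data."""
    hits = []
    for name, text in signatures.items():
        pat = b"".join(b"." if t == "??" else b"\\x%02x" % int(t, 16) for t in text.split())
        m = re.search(pat, data, re.DOTALL)
        if m:
            hits.append((name, m.start()))
    return hits

# Import scanning, step 2: weight OS functions a downloader or injector needs.
# The weights are assumptions chosen for this example, not a published scheme.
SUSPICIOUS_IMPORTS = {
    ("wininet.dll", "InternetOpenUrlA"): 2,     # fetches content from the network ...
    ("wininet.dll", "InternetReadFile"): 1,
    ("urlmon.dll", "URLDownloadToFileA"): 3,
    ("kernel32.dll", "WinExec"): 2,             # ... and executes it
    ("kernel32.dll", "WriteProcessMemory"): 3,  # injects into another process
}

def import_score(imports):
    return sum(w for (dll, f), w in SUSPICIOUS_IMPORTS.items() if f in imports.get(dll, ()))

def analyze(pe, threshold=4):
    """A signature hit is definitive; the import score is only a heuristic."""
    hits, score = scan_signatures(pe), import_score(parse_imports(pe))
    verdict = "malicious" if hits else "suspicious" if score >= threshold else "clean"
    return {"verdict": verdict, "signatures": hits, "import_score": score}

# Constructed samples (not real binaries): a benign tool, a "known" downloader
# carrying the demo signature, and an unknown variant with the same imports.
DOWNLOADER_IMPORTS = {"WININET.dll": ["InternetOpenUrlA", "InternetReadFile"],
                      "KERNEL32.dll": ["WinExec", "CreateFileA"]}
BENIGN = build_pe({"KERNEL32.dll": ["CreateFileA", "WriteFile"], "USER32.dll": ["MessageBoxA"]})
KNOWN = build_pe(DOWNLOADER_IMPORTS, bytes.fromhex("68 00 10 40 00 e8 12 34 56 78 6a 00"))
VARIANT = build_pe(DOWNLOADER_IMPORTS)
```

Running `analyze()` over the three samples gives "clean" for BENIGN, "malicious" for KNOWN (the signature matches at the end of the file) and "suspicious" for VARIANT, which carries no known signature but imports the same fetch-and-execute combination. That last case is the point of keeping import scanning alongside signatures; the threshold and weights are where the false-positive rate is tuned.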
Outline:
Based on our understanding of the nature of the project, we aim to research
exhaustively the various types of malicious mobile code and the existing techniques
used to counter the threat. We will use existing ‘signatures’ to identify known
malicious mobile code, and we also hope to discern ‘patterns’ intrinsic to such code and
use our knowledge of those patterns to come up with an effective scheme for securing the
system.
As a practical demonstration of the above-mentioned techniques, we intend to
develop a Win32 application that runs as a monitor analyzing all incoming traffic from
the network. The software aims to detect mobile code as it arrives and determine whether
it is of a malicious nature.
The application will be coded in C and will make use of the Windows packet
capture library (WinPcap). The library contains subroutines that allow user programs to
communicate with the packet capture facility provided by the operating system and read
unprocessed network traffic. WinPcap is an architecture for packet capture and network
analysis on Win32 platforms. It includes a kernel-level packet filter driver, a low-level
dynamic link library (packet.dll) and a high-level, system-independent library (wpcap.dll)
that offers the same programming interface as libpcap on Unix, so capture code written
against it is portable.
The packet filter is a device driver that adds to Windows 95, Windows 98,
Windows ME, Windows NT and Windows 2000 the ability to capture and send raw data
through a network card, with the possibility of filtering the captured packets in the
kernel and storing them in a buffer before they are handed to the application.
The application will use ‘content inspection’/byte-code scanning against known
lists of malicious code, and validation of ‘hash codes’ and ‘certificates’, on traffic
comprising HTTP, FTP, email attachments, compressed files, etc. Since such content arrives
spread over many TCP segments, the monitor must reassemble each stream and decode the
carrying protocol (HTTP bodies, FTP data connections, MIME-encoded attachments, archive
formats) before any signature can be matched reliably.
We will focus on intercepting malicious mobile code as it arrives through the
network. Time permitting, we shall then also address malicious code already resident on
the system.
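The capture-and-inspect pipeline the outline describes, as an added Python illustration (not the project's C/WinPcap code): it takes raw Ethernet frames exactly as a WinPcap capture callback would hand them over, peels the Ethernet/IPv4/TCP headers, reassembles the server-to-client TCP stream, strips the HTTP response headers and scans the body. The frames, addresses, ports and the byte signature are constructed for the example, and IP/TCP checksums are left zero. It also shows the caveat that matters for the design: a signature that straddles two segments is never seen when each packet is scanned in isolation.

```python
import re
import struct

def build_frame(seq, payload, options=b""):
    """Constructed Ethernet II / IPv4 / TCP frame from 10.0.0.1:80 to 10.0.0.2:1234.
    Checksums are left zero; four trailing bytes stand in for link-layer padding."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")     # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", 80, 1234, seq, 0, ((20 + len(options)) // 4) << 4,
                      0x18, 8192, 0, 0) + options               # flags PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload + b"\0" * 4

def tcp_payload(frame):
    """Peel the Ethernet/IPv4/TCP headers; return (sport, dport, seq, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header may carry options
    total_len, = struct.unpack_from("!H", frame, 16)
    if frame[23] != 6:
        return None                                   # not TCP
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4             # TCP header length incl. options
    return sport, dport, seq, frame[tcp + data_off:14 + total_len]   # drop any trailer

def reassemble(segments):
    """Put one direction of a TCP stream back in order, dropping retransmitted overlap."""
    stream, expected = b"", None
    for seq, data in sorted(segments):
        expected = seq if expected is None else expected
        if seq > expected:
            raise ValueError("hole in stream at seq %d" % expected)
        data = data[expected - seq:]                  # skip bytes already delivered
        stream, expected = stream + data, expected + len(data)
    return stream

SIGNATURE = re.compile(rb"\x68.{4}\xe8.{4}\x6a\x00", re.DOTALL)   # constructed demo pattern

def scan(data):
    """Offset of the signature in data, or -1."""
    m = SIGNATURE.search(data)
    return m.start() if m else -1

def scan_per_packet(frames):
    """Naive design: scan each packet's payload in isolation."""
    return [scan(p[3]) for p in map(tcp_payload, frames) if p]

def scan_stream(frames):
    """Reassemble the server-to-client stream, strip HTTP headers, scan the body."""
    parsed = [p for p in map(tcp_payload, frames) if p and p[0] == 80]
    stream = reassemble([(seq, data) for _, _, seq, data in parsed])
    _headers, _, body = stream.partition(b"\r\n\r\n")
    return scan(body)

# Constructed traffic: one HTTP response whose body carries the demo signature,
# delivered as four segments out of order, one of them a retransmitted overlap.
BODY = b"MZ\x90\x00" + b"\0" * 12 + bytes.fromhex("68 00 10 40 00 e8 12 34 56 78 6a 00") + b"\0" * 8
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + BODY
FRAMES = [
    build_frame(1080, RESPONSE[80:]),
    build_frame(1000, RESPONSE[:40], options=b"\x01\x01\x01\x01"),   # four NOP options
    build_frame(1020, RESPONSE[20:60]),             # overlaps its neighbours
    build_frame(1040, RESPONSE[40:80]),
]

if __name__ == "__main__":
    print("per packet:", scan_per_packet(FRAMES))   # signature never seen whole
    print("stream:", scan_stream(FRAMES))            # body offset of the signature
```

In the real monitor the frames come from WinPcap's libpcap-compatible `pcap_open_live()` / `pcap_loop()` with a capture filter such as `tcp port 80` compiled by `pcap_compile()`; what the C version needs beyond this sketch is per-flow bookkeeping keyed by the address and port 4-tuple, a policy for holes and timeouts, and, for FTP data connections and MIME attachments, the protocol decoding that recovers the file bytes before they reach the scanner.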
Development:
Development will proceed in phases carried out iteratively, with each iteration
averaging around a week in duration. The initial phase will focus on research using
available resources such as library material and computer magazines, but most prominently
the Internet.
Once adequate research has been conducted, we will move on to the next phase of
analyzing and designing the application, using the LUMS network as a case study
(analyzing its workings and the potential threats to it). The design phase will include
identifying the major components in detail, studying the designs of existing software and
settling on a working architecture for the application, in order to arrive at a feasible
design of the software.
After a viable design has been achieved, the next logical phase is the actual
coding. The code will follow the designed structure as closely as possible; the program
will be developed in modules comprising initial packet pick-up, signature scanning,
import scanning and finally analysis of a stand-alone terminal (malicious code already
resident on the system). This will be followed by deployment of the application, most
likely in the LUMS hostel. Finally, testing and troubleshooting will be conducted.
We expect to dedicate a substantial amount of time to the design phase because in
our view it bears the most weight. We intend to give the TAs and the instructor regular
progress reports.
We intend to complete the project approximately before the final week of the
quarter.
Deliverables:
Complete, documented code for the application to be developed.
Significant documentation including research details, design and analysis details
and diagrams.
Testing and bug report.
User manual for the application.
Network Security ( CS-473 )
Project Phase-1A