Archive for the ‘Intrusion Detection’ Category

ACSAC Presentation: HoneyIM (Detecting Instant Messaging Malware)

Wednesday, December 12th, 2007

Mengjun Xie et al. presented a paper today on detecting and suppressing IM-based malware using a honeypot approach. The idea is to create decoy IM accounts and add them to random users’ buddy lists in an enterprise environment. Then, when these accounts are hit with file transfer requests or links to malicious software, HoneyIM sounds an alarm and detects the infection. Unfortunately, their approach only works on so-called “hit-all” worms that go after every user in your buddy list, which the authors admit in the paper. HoneyIM would not work against a worm that interjected links in the middle of conversations, for example. It would also fail against targeted attacks with a human behind the keyboard. This article suggests a better, alternative approach to the problem of IM malware that would detect even one instant message containing a malicious link. (more…)

The Perfect IDS Signature: Fact or Fiction?

Sunday, October 14th, 2007

This past week at the Blue Hat security conference, Lurene Grenier from Sourcefire gave an impressive presentation about exploit and signature development. She rapidly creates proof-of-concept exploits following Microsoft’s patch release on the second Tuesday of every month. Thanks to years of experience, the whole process only takes a few hours. It would be exceedingly difficult for prospective hackers to create and use a weaponized exploit any faster than signatures are pushed out by intrusion detection system (IDS) vendors. However, it may be possible to create a working exploit that escapes detection entirely. This article takes a look at issues related to completeness of IDS signatures. (more…)

USENIX Security Presentation: BotHunter

Thursday, August 9th, 2007

Guofei Gu gave a talk today about BotHunter, a passive network monitoring system that detects bots using a “Dialog Correlation Engine.” This correlation engine looks for (1) incoming scans, followed by (2) exploits, (3) egg downloads, (4) command and control (C&C) traffic, and (5) outbound scans. It detects inbound and outbound scans using SCADE, the Statistical sCan Anomaly Detection Engine. The correlation engine relies on Snort rules to identify exploits, egg downloads, and C&C traffic.

Unfortunately, BotHunter does not introduce any new techniques for detecting bots. It is more or less a front-end that aggregates Snort alerts. The presentation was very unclear as to whether correlating Snort alerts with scans actually improves the detection or false positive rate at all compared to just running Snort. (more…)
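As an added illustration of the dialog correlation described above (my own sketch, not BotHunter's code), this Python script aggregates per-host alerts across the five stages over constructed sample alerts. The stage tags E1 to E5, the 600-second evidence window and the declaration rule (an E2 exploit plus any outbound sign, or two distinct outbound signs) are assumptions for the example, not taken from the paper.

```python
"""Dialog-correlation sketch: collect per-host evidence for the five
stages (E1 inbound scan, E2 exploit, E3 egg download, E4 C&C traffic,
E5 outbound scan) and declare a bot when enough of them line up."""
import re
from collections import defaultdict

WINDOW = 600  # assumption: seconds of evidence kept per host

# Constructed sample alerts, not real BotHunter or Snort output:
# "<time> <src> -> <dst> <stage>", stage tags follow the five steps above.
SAMPLE_ALERTS = """\
100 10.0.0.9 -> 192.168.1.5 E1
130 10.0.0.9 -> 192.168.1.5 E2
160 192.168.1.5 -> 10.0.0.9 E3
400 192.168.1.5 -> 10.0.0.50 E4
420 192.168.1.5 -> 192.168.1.77 E5
500 10.0.0.9 -> 192.168.1.20 E1
510 192.168.1.30 -> 10.0.0.50 E4
2000 192.168.1.30 -> 192.168.1.80 E5
"""
ALERT_RE = re.compile(r"(\d+) (\S+) -> (\S+) (E[1-5])")


def victim_of(src, dst, stage):
    """E1/E2 are inbound (the suspect host is the destination); E3-E5 originate from it."""
    return dst if stage in ("E1", "E2") else src


def is_bot(stages):
    """Assumed declaration rule: an exploit (E2) plus any outbound sign
    (E3-E5), or at least two distinct outbound signs on their own."""
    outbound = stages & {"E3", "E4", "E5"}
    return bool(("E2" in stages and outbound) or len(outbound) >= 2)


def correlate(text):
    """Return {host: sorted stages} for every host meeting the bot condition."""
    evidence = defaultdict(dict)  # host -> {stage: last time seen}
    flagged = {}
    for m in ALERT_RE.finditer(text):
        t, src, dst, stage = int(m[1]), m[2], m[3], m[4]
        seen = evidence[victim_of(src, dst, stage)]
        seen[stage] = t
        # drop stale evidence so unrelated alerts months apart do not stack up
        for old in [s for s, ts in seen.items() if t - ts > WINDOW]:
            del seen[old]
        if is_bot(set(seen)):
            flagged[victim_of(src, dst, stage)] = sorted(seen)
    return flagged


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_ALERTS).items():
        print(f"bot profile: {host} stages={stages}")
```

In the sample, 192.168.1.5 is flagged once E2 and E3 coincide, 192.168.1.20 (scan only) is not, and 192.168.1.30 is not because its E4 evidence has aged out of the window before its E5 arrives.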