Virus detection based on virus throttle technology


J. Ahmed Muzammil
UG Student, Dept. of Information Technology, Noorul Islam College of Engineering (Anna University), Kumaracoil, Tamilnadu, India. [email protected]

S. Suresh Kumar
Principal, Vivekanandha College of Technology (Anna University), Elayampalayam, Thiruchengode, Erode. [email protected]

Abstract

In the Internet age, virus epidemics are getting worse than before, making networks slow, computers slow, suspending mission-critical operations and so on. In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows attacks on networks to be detected within seconds of a possible virus infection. The special feature of this technology is that its virus detection algorithm is based on the network behaviour of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates.

Keywords: Virus, Worm, Throttle, Antivirus, Network Security

1. Introduction

As every network administrator knows, virus epidemics are only getting worse. In 2003, the SQL Slammer worm infected 75,000 computers in one minute, making it the fastest-moving virus ever seen, and caused major network disruptions worldwide. Nimda, Blaster, Code Red, Sasser and Welchia are continual threats as well. Today, computer users are directly threatened by more than 97,000 viruses, worms and Trojan horses. Increased usage of network applications such as instant messaging and P2P also increases the risk of virus infection. In the 3rd quarter of 2005, the volume of IM (instant messaging) threats was more than 3,000 percent higher than the previous year, according to IMlogic Threat Center.

To protect themselves from the onslaught of traffic generated by computer viruses, many corporations shut down portions of their network infrastructure; when they can’t act fast enough, entire network subnets or even entire networks can be brought down by viruses. Either way, the viruses cost corporations incalculable sums in lost productivity. Beyond bringing normal operations in an office or enterprise to a halt, computer viruses can put attacker-defined code on a system to cause additional damage.

Network threats once were slow-moving and easy to defend against when information transfer was done largely by sharing floppies. Organizations had the time they needed to clean their networks and install defences. However, as CPU speeds increase, bandwidth grows, networks become more business critical and clients become more mobile, network administrators increasingly lack the time to shut operations down or develop inoculations to cure the infections.

Nor is productivity the only victim of network viruses. The SQL Slammer virus took out a 911 emergency response center serving two police departments and 14 fire departments near Seattle, USA. Protecting against computer viruses can ultimately be an effort to protect lives. [1]

In this paper we define a new technique for virus detection on PCs based on the network virus and worm detection technique of virus throttle. The paper is organized as follows: Section 2 defines the terms virus, worm and Trojan. Section 3 explains the limitations of the existing methods for virus detection. Section 4 explains Virus Throttle technology and illustrates the detection methodology using the example worm W32/Nimda-D. Section 5 defines the method we have devised for virus detection on PCs, which is based on the existing Virus Throttle technology. Section 6 concludes the paper.

2. Definitions

2.1 Virus

A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium such as a floppy disk, CD, USB drive or by the Internet. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses.

2.2 Worm

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

2.3 Trojan Horse

A Trojan horse is a program that installs malicious software while under the guise of doing something else. Though not limited in their payload, Trojan horses are more notorious for installing backdoor programs which allow unauthorized remote access to the victim's machine by unwanted parties, normally with malicious intentions. Unlike a computer virus, a Trojan horse does not propagate by inserting its code into other computer files. The term is derived from the classical myth of the Trojan Horse. Like the mythical Trojan Horse, the malicious code is hidden in a computer program or other computer file which may appear to be useful, interesting, or at the very least harmless to an unsuspecting user. When this program or file is executed by the unsuspecting user, the malicious code is also executed, resulting in the setup or installation of the malicious Trojan horse program.

3. Limitations of existing methods

Current methods to stop the propagation of malicious agents rely on the use of signature recognition to prevent hosts from being infected. That is, they seek to prevent the virus or worm from entering the system. These methods concentrate on the physical characteristics of the virus—i.e., its program code—and use parts of this code to create a unique signature. Programs entering the system are compared against this signature and discarded if they match.

While this method has been effective in protecting systems, it has several limitations which, as the number of viruses increases, decrease its effectiveness. It is fundamentally a reactive and case-by-case approach, in that a new signature needs to be developed for each new virus or variant as it appears. Signature development is usually performed by skilled people who are able to produce only a certain number of signatures at a time. As the number of viruses increases, the time between initial detection and the release of a signature also increases, allowing a virus to spread further in the interim.

This latency between the introduction of a new virus or worm into a network and the implementation and distribution of a signature-based patch can be significant. Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.

As long as attacks occur at “machine speed” and responses are implemented at “human speed,” computers will essentially be defenseless against new threats. As systems get bigger and more complex, so does the problem of addressing new threats.

A different solution is needed. A truly resilient infrastructure would include a solution that automatically hampers, contains and mitigates attacks by previously unknown threats, giving the people responsible for an infrastructure’s security the time they need to implement a response.

Rather than replacing current, signature-and-patch-based protections, the new solution would complement them by allowing computers and humans to each do what they do best: computers can respond far more quickly than people, but are poor at gauging the nature of a previously unknown threat. Humans are good at making such decisions, but are slow—by machine standards—to act. A new solution would have computers acting quickly to stabilize a situation until humans could intervene. [1]

4. Virus Throttle

Virus Throttle technology was originally devised by HP Labs. It is a new technique that overcomes the limitations of previous responses and meets the need for rapid containment and mitigation of attacks by malicious agents.

Traditional approaches to anti-viral protection are based on the actual code or signature of the virus. Virus Throttle, in contrast, is based on the behaviour of malicious code and the ways in which that behaviour differs from that of normal code. Virus Throttle is based on the observation that under normal activity, a computer will make fairly few outgoing connections to new computers, but instead is more likely to regularly connect to the same set of computers. This is in contrast to the fundamental behaviour of a rapidly spreading worm, which will attempt many outgoing connections to new computers. For example, while computers normally make approximately one connection per second, the SQL Slammer virus tried to infect more than 800 computers per second. [1]

The idea behind the Virus Throttle is to put a rate limit on connections to new computers, such that normal traffic remains unaffected but suspect traffic that attempts to spread faster than the allowed rate will be slowed. This creates large backlogs of connection requests that can be easily detected. Once the virus is slowed and detected, technicians and system administrators have the time they need to intervene in order to isolate and eradicate the threat by cleaning it from the system. [1]

Figure 1: Throttle Control Flow [2]

Figure 1 shows the throttle control flow. All the processes using the network are routed through the virus throttle. A process requesting access is checked against a set of working processes. If it is a newly requesting process then it is put on a delay queue. A queue length detector counts the number of connection requests from a single process and, if it is within an acceptable threshold, the new process is added to the working set of processes. If the number of connections is above the threshold, then a rate limiter restricts the suspicious process from accessing the network.

This technique differs from signature-and-patch approaches in three key ways:

i. It focuses on the network behaviour of the virus and prevents certain types of behaviour — in particular, the attempted creation of a large number of outgoing connections per second.

ii. It is also unique in that, instead of stopping viruses from entering a system, it restricts the code from leaving.

iii. Because connections exceeding the allowed rate can be blocked for configurable periods of time, the system is tolerant to false positives and is therefore robust.

Virus Throttle technology is not meant to replace signature-based solutions but, rather, to complement them. Virus Throttle fills a gap in anti-virus protection that previously allowed unknown threats to wreak significant damage before patches could be deployed. With Virus Throttle, previously unknown threats can be mitigated, giving administrators time to deploy signature updates and patches against further attack.

4.1 Tests Show Quick Detection, Prevention

Tests of Virus Throttle technology conducted at Hewlett-Packard Labs in Bristol, U.K. show that Virus Throttle is able to very quickly detect and prevent worms spreading from an infected computer. For example, the throttle is able to stop the W32/Nimda-D worm in less than one second.

The test was carried out using a throttle that followed the control flow shown in Figure 1. The virus throttle parses all outgoing packets from a machine for TCP SYN packets. The destination address of an intercepted SYN packet is then compared against a list of destination addresses of machines to which connections have previously been made, termed the working set. The working set can hold up to 5 such addresses. If the destination address is in this working set the connection is allowed immediately. If the address is not in the working set and the working set is not full, i.e. it holds fewer than 5 addresses, the destination address is added to the working set and the connection is again allowed to proceed immediately. If neither of these two conditions is met, the SYN packet is added to what we term the delay queue and is not transmitted immediately.

Once every second the delay queue is processed and the SYN packet at its head and any other SYN packets with the same destination address are popped and sent, allowing the establishment of the requested connection. The destination address of this packet is also added to the working set, the oldest member of which is discarded if the working set is full. If the delay queue is empty at processing time and the working set is full, the oldest member of working set is also discarded, allowing for the potential establishment of one connection per second to a target not recently connected to.

This design, summarised as a control flow in Figure 1, allows hosts to create as many connections per second as they want to the 5 most recently connected-to machines. Any further connection attempts will be delayed for at least a second, and then attempted. Delaying connections rather than simply dropping them is important in a cost-sensitive environment: a throttle that is incorrectly applied to legitimate connection attempts then introduces an often imperceptible delay in the connection instead of prohibiting it entirely. [2]
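The working set, delay queue and once-per-second processing described in Sections 4 and 4.1, written up as an added simulation (example code for this page, not code from the paper or from HP Labs). The working-set size of 5 and the one-second processing interval follow the text; the detection rule (flag the host once the delay queue holds more than 100 entries), the server names and the worm scan rates are assumptions.

```python
# Added example (not code from the paper or from HP Labs): a simulation of the
# Virus Throttle control flow. Working-set size 5 and the once-per-second delay
# queue follow the text; the detection rule (delay queue longer than 100 entries)
# and the host names are ASSUMPTIONS.
from collections import deque

WORKING_SET_SIZE = 5
QUEUE_THRESHOLD = 100   # ASSUMPTION: queue length above which the host is flagged


class Throttle:
    def __init__(self, threshold=QUEUE_THRESHOLD):
        # most recently connected hosts; appending to a full deque drops the oldest
        self.working_set = deque(maxlen=WORKING_SET_SIZE)
        self.delay_queue = deque()      # destinations of SYNs held back
        self.threshold = threshold
        self.detected_at = None         # time the queue first exceeded the threshold

    def on_syn(self, dst, now):
        """Intercept an outgoing TCP SYN. Return True if it is sent immediately."""
        if dst in self.working_set:
            return True
        if len(self.working_set) < WORKING_SET_SIZE:
            self.working_set.append(dst)
            return True
        self.delay_queue.append(dst)
        if self.detected_at is None and len(self.delay_queue) > self.threshold:
            self.detected_at = now
        return False

    def tick(self):
        """Once-per-second processing. Return destinations whose SYNs are released."""
        if not self.delay_queue:
            if len(self.working_set) == WORKING_SET_SIZE:
                self.working_set.popleft()  # age out the oldest: one free new peer per second
            return []
        head = self.delay_queue[0]
        released = [d for d in self.delay_queue if d == head]
        self.delay_queue = deque(d for d in self.delay_queue if d != head)
        self.working_set.append(head)       # the oldest member is dropped if the set is full
        return released


def delayed_syns(destinations):
    """How many SYNs in a burst of outgoing connections are held back rather than sent at once."""
    t = Throttle()
    return sum(not t.on_syn(d, i) for i, d in enumerate(destinations))


def simulate_worm(rate, max_time=10.0):
    """Constructed scenario: a host whose working set holds 5 legitimate servers
    starts scanning `rate` new victims per second. Returns the detection time
    (None if not detected within max_time) and the scan SYNs that got through."""
    t = Throttle()
    for srv in ("mail", "dns", "web", "file", "proxy"):   # constructed peers
        t.on_syn(srv, 0.0)
    allowed, n, next_tick = 0, 0, 1.0
    while True:
        syn_time = (n + 1) / rate
        while next_tick <= syn_time and next_tick <= max_time:
            allowed += len(t.tick())    # released SYNs do establish connections
            next_tick += 1.0
        if syn_time > max_time:
            return None, allowed
        if t.on_syn(f"victim-{n}", syn_time):
            allowed += 1
        if t.detected_at is not None:
            return t.detected_at, allowed
        n += 1


if __name__ == "__main__":
    print("normal traffic delayed:", delayed_syns(["mail", "dns", "web"] * 20))
    for rate in (20, 120, 850):
        print(f"{rate:>4} new hosts/s -> (detected at, allowed):", simulate_worm(rate))
```

Traffic that keeps returning to the same few servers is never queued, while a scanner's detection time falls as its connection rate rises, which is the shape of Table 1.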

The throttle classifies a process as malicious when the number of connections it issues within the waiting time exceeds what the throttle allows. The average time taken by the throttle to detect real and test worms is shown in Table 1.

Worm          Connections per second   Stopping time   Allowed connections
Nimda                 120                  0.25s                1
Test worm              20                  5.44s                5
Test worm              40                  2.34s                2
Test worm              60                  1.37s                1
Test worm              80                  1.04s                1
Test worm             100                  0.91s                1
Test worm             150                  0.21s                0
Test worm             200                  0.02s                0
SQL Slammer           850                  0.02s                0

Table 1: Average time taken by the test Throttle to detect real and test worms [2]

4.2 W32/Nimda-D Worm

W32/Nimda-D is a mass-mailing worm that uses multiple methods to spread itself. It searches for network shares and attempts to copy itself to vulnerable Microsoft IIS web servers. It is a virus that affects both local files and files on remote network shares. [3]

4.3 Limitations in the traditional way of detecting the W32/Nimda-D worm

The traditional way of detecting the W32/Nimda-D worm has the following limitations, which make it inefficient for use in time-critical applications.

• The virus spreads out throughout the network and web servers. So each computer in the network will have a copy of the worm.

• The antivirus software needs a signature update. That takes at least a day and at most a week, within which the virus may have replicated further.

• The temporary solution to this problem is to suspend the network, which is impossible in an organisation as it causes a financial loss due to suspension of work.

• After the signature updates have arrived, each computer in the network will have to scan the whole system and clean each file. It is a complex process for the IT people to scan each computer on the network for the worm individually and takes days to complete.

4.4 Response to W32/Nimda-D Worm by the Virus Throttle

• The throttle detects the process exhibiting the abnormal activity of making over 500 connections per second.

• The throttle cuts the extra connections made by the process other than the current working set, thus implementing a temporary solution.

• Few or no other computers on the network are affected.

4.5 Benefits of Virus Throttle Technology

The benefits of Virus Throttle technology include the following:

• Works without knowing anything about the virus. Because it is triggered by the behaviour of a virus rather than by identifying the code of the virus, it can handle unknown threats without waiting for signature updates.

• Protects network infrastructure by slowing or stopping routed traffic from hosts exhibiting high connection rates. The infrastructure will stay up and running, even when it is under attack from a virus.

• Can provide event logs and SNMP trap warnings when worm-like behaviour is detected.

• Gives IT staff time to react before the problem escalates to a crisis.

• If deployed widely, makes it difficult for viruses to spread at all.

4.6 Advantages

Since the throttle prevents subsequent infection, the effect on the global spread of a virus depends on how widely the throttle is deployed. HP Labs results show that when only 50 percent of computers are installed with the throttle, the global spread of both real and constructed worms is substantially reduced. Throttled machines do not contribute any network traffic in spite of being infected, significantly reducing the amount of network traffic produced by a virus.


5. Virus Throttle for Virus Detection in PCs

The technique of Virus Throttle in a network environment can be used to improve the speed of virus detection by PC-based anti-virus software. The presently available anti-virus software scans each application, DLL or other suspicious file for the code of known viruses.

A gateway called THROTWALL is installed in front of the antivirus software. THROTWALL monitors all the running processes for suspicious activity. The antivirus scanner holds the presently available virus signatures and also a trusted processes list. The job of the antivirus scanner is to check the files flagged by THROTWALL for virus code or for an entry in the trusted processes list.

The suspicious activity that is detected by the THROTWALL is defined by the following guidelines:

• When a process uses resources that are not required for its normal operation

• When a process creates multiple child process

• When a change to multiple files is executed by a program

• When a change to the registry is executed

• When a change to the boot sector is executed

• When a change to a running program is executed

• When a file in the system directory is changed

• When a change to the system users and groups is executed

• When multiple files are created

When one or more of these suspicious activities is detected, the following steps are followed to check the process for virus code:

i) The access to the restricted resource is blocked while still allowing the process to use the general resources

ii) The particular process and child processes are scanned using a virus scanner

iii) If the process is a trusted one, then the process is allowed to use the restricted resources by commanding the gateway to permit access for the process

iv) If the process is not a trusted one, and it is confirmed as a virus, then the process and its parent or child processes are killed and necessary action to disinfect or delete the file is taken by the antivirus program itself.

v) If the process is not a trusted one, and it is not confirmed as a virus, then the process is suspended for access to the requested resources and the user is prompted for what action to take or to add the process to the trusted applications list.
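The five-step check above, modelled as an added example (this is not code from the paper). Only requests for the restricted resources named in the guideline list are modelled as triggers; the restricted-resource names, the process tree, the trusted list and the signature scanner are constructed assumptions.

```python
# Added example (not code from the paper): a model of the THROTWALL gateway and
# the five-step check described above. The restricted-resource names, the process
# tree, the trusted list and the signature scanner are ASSUMPTIONS constructed here.
from dataclasses import dataclass
from typing import Callable, Optional

# ASSUMPTION: resources taken from the paper's list of suspicious changes
RESTRICTED = {"registry", "boot_sector", "system_dir", "users_groups", "running_program"}


@dataclass
class Process:
    pid: int
    image: str
    parent: Optional[int] = None


class Throtwall:
    """Gateway in front of the antivirus scanner: a request for a restricted
    resource is held until the scanner or the user has cleared the process."""

    def __init__(self, processes, trusted, scanner: Callable[[str], bool]):
        self.procs = {p.pid: p for p in processes}
        self.trusted = set(trusted)   # trusted process list kept beside the signatures
        self.scanner = scanner        # True when an image matches a known signature
        self.permitted = set()        # pids cleared for restricted resources (step iii)
        self.suspended = set()        # pids held pending the user's decision (step v)
        self.killed = set()           # pids terminated under step iv

    def children(self, pid):
        return [p.pid for p in self.procs.values() if p.parent == pid]

    def family(self, pid):
        """The process, its parent and its children, as named in step iv."""
        fam = {pid, *self.children(pid)}
        if self.procs[pid].parent is not None:
            fam.add(self.procs[pid].parent)
        return fam

    def request(self, pid, resource):
        """Decide one resource request and return the action THROTWALL takes."""
        if pid in self.killed:
            return "killed"
        if resource not in RESTRICTED or pid in self.permitted:
            return "allow"                  # general resources are never blocked
        if pid in self.suspended:
            return "suspended"              # step v: still waiting on the user
        # step i: restricted access stays blocked from here unless cleared below
        if self.procs[pid].image in self.trusted:       # step iii
            self.permitted.add(pid)
            return "allow"
        scanned = [pid, *self.children(pid)]            # step ii
        if any(self.scanner(self.procs[p].image) for p in scanned):   # step iv
            self.killed |= self.family(pid)
            return "kill_and_disinfect"
        self.suspended.add(pid)                         # step v
        return "prompt_user"

    def user_decision(self, pid, trust):
        """Resolve a step v prompt: trusting adds the image to the list; otherwise it stays suspended."""
        if trust:
            self.suspended.discard(pid)
            self.trusted.add(self.procs[pid].image)
            self.permitted.add(pid)


def demo():
    """Constructed scenario; returns the sequence of gateway decisions."""
    procs = [Process(1, "explorer.exe"), Process(2, "updater.exe"),
             Process(3, "dropper.exe"), Process(4, "payload.exe", parent=3)]
    tw = Throtwall(procs, trusted={"explorer.exe"},
                   scanner=lambda image: image == "dropper.exe")  # constructed match
    log = [tw.request(1, "registry"),       # trusted image: allowed (step iii)
           tw.request(2, "temp_file"),      # general resource: allowed
           tw.request(2, "registry"),       # unknown, no signature: user prompted (step v)
           tw.request(2, "registry")]       # still suspended
    tw.user_decision(2, trust=True)
    log += [tw.request(2, "registry"),      # cleared by the user
            tw.request(4, "system_dir"),    # payload alone has no signature: prompt
            tw.request(3, "boot_sector"),   # dropper matches: kill it and child 4 (step iv)
            tw.request(4, "temp_file")]     # child already terminated
    return log
```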

This technique definitely improves the response and the overall performance of the antivirus software as well as the PC itself.

6. Conclusion

Traditional methods of addressing viruses, worms and other malicious code depend on signatures and patches. That leaves systems vulnerable to previously unknown threats until protective code can be written and deployed. At a time when viruses spread more quickly than ever before, often generating paralysing amounts of network traffic, this is a significant lapse.

This paper has demonstrated a new technique for virus detection on PCs that is based on the virus throttle technology of HP. The new technique uses a gateway called THROTWALL in front of the antivirus software. Using THROTWALL avoids checking all processes and files with the antivirus scanner, thus reducing the processing power required to detect viruses, Trojans and worms.

The usage of THROTWALL even increases the efficiency of the antivirus software by preventing new viruses that are not present in the available signatures of known viruses. The new technique also increases the overall performance of the PC by making valuable processing power available for other applications.

References

[1] ProCurve Networking - Connection-Rate Filtering Based on Virus Throttle Technology, Hewlett-Packard Company, 2006.

[2] Jamie Twycross, Matthew M. Williamson - Implementing and Testing a Virus Throttle, Hewlett-Packard Labs, Bristol, U.K., 2003.

[3] W32/Nimda-D Virus - Sophos Security Analysis, http://www.sophos.com/security/analyses/viruses-and-spyware/w32nimdad.html

[4] M. M. Williamson, J. Twycross, J. Griffin, and A. Norman - Virus Throttling, Virus Bulletin, U.K., 2003.

[5] Matthew M. Williamson - Design, Implementation and Test of an Email Virus Throttle, HP Laboratories Bristol, 2003.