Tracing Fast-moving Worms
December 17th, 2007 · by David Bradley

Trojans that steal your bank details and botnets that zombify computers have replaced fast-spreading worms in the popular headlines. It has been a while since we saw a global infestation on the scale of MyDoom, Sobig, or ILOVEYOU. Worms, self-replicating programs that spread across a network without any user action, nevertheless remain at the top of the critical lists in computer security.
After all, it is only the headlines that have changed: those botnets are built by the spread of specific worms, and Trojans are often delivered by a worm.
Indrajit Ray, a computer science professor at Colorado State University; Andrew Burt, CEO of the security company Techsoft, based in Golden, Colorado; graduate student Michael Darschewski; Prof Ramakrishna Thurimella of the University of Denver; and Hailin Wu, senior network engineer at Array Networks, have developed two new approaches to finding the origin of a worm infection. One spots an ongoing worm attack; the other works forensically after an attack has occurred.
The researchers point out that conventional approaches to fending off malicious code rely on signatures, snippets of identifying code found in the worm. Some worms, however, spread so quickly that there is not enough time to push a new signature out to security software before the damage is done: a worm can infect millions of hosts across the internet within a matter of minutes.
The automatic distributed mechanism looks for the propagation roots of a fast-spreading internet worm. It can identify local worm outbreaks, spot network intrusions, locate internal network abuse, and help trace the worm back to its source. The team adds that their method works alongside more conventional intrusion detection, bandwidth throttling and human-mediated responses to protect a network.
The approach is quite simple and relatively easy to deploy. “Our system is based on the observation that in order for any worm to spread rapidly, the moment it compromises a host, it must immediately identify a new set of victims,” the researchers explain. “Infection will almost surely be manifested by an explosive rate of outbound connection attempts from the site.”
The key to combating the infection is a monitoring program at the network gateways that spots such flash floods of outbound connection attempts, assumes they can only be due to a fast-spreading worm, and blocks the activity almost instantaneously. Legitimate programs that mimic this behaviour, mail relays and vulnerability scanners being the usual examples, can be whitelisted by the network administrator to prevent false positives and needless downtime for those services. More importantly, the monitors can also work in reverse: for a flagged host they identify its upstream neighbors, the hosts that connected to it before it began scanning, and so work out where the root of the outbreak is.
The team's simulations of worm infections show that even when only 20 to 30% of the computers in a network run the system, the origin of a worm can still be pinpointed with great precision.
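To make the two steps concrete, here is an added example in Python; it is not code from the paper or from the researchers. It implements the idea as described above: a gateway monitor counts the distinct destinations each host contacts inside a sliding window, flags hosts that cross a threshold unless they are whitelisted, and then walks back from every flagged host to the earliest flagged host that connected to it before its own burst started. The flow log, the host addresses, the 2-second window and the 20-destination threshold are all constructed for illustration, and the example assumes one monitor with full visibility rather than the partial 20 to 30% deployment the simulations cover.

```python
"""Gateway-side detection of worm-style outbound bursts, plus a traceback from
each flagged host to the upstream host that reached it first. Runs over a
constructed flow log; window and threshold values are illustrative assumptions."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

WINDOW_S = 2.0       # sliding window length in seconds (assumed value)
DISTINCT_DSTS = 20   # distinct destinations inside one window that trip the alarm (assumed)


class Flow(NamedTuple):
    t: float     # seconds since start of capture
    src: str
    dst: str
    dport: int


class Alert(NamedTuple):
    host: str
    burst_start: float   # time of the first flow in the window that tripped the alarm
    alert_time: float    # time of the flow that tripped it


def _sweep(src: str, start: float, prefix: str, port: int, n: int,
           hits: Optional[Dict[int, str]] = None) -> List[Flow]:
    """One host probing n addresses in prefix, a new target every 100 ms.
    'hits' overrides the target at a given step (the victims we want infected)."""
    hits = hits or {}
    return [Flow(round(start + 0.1 * i, 1), src, hits.get(i, f"{prefix}.{i + 1}"), port)
            for i in range(n)]


def build_sample_flows() -> List[Flow]:
    """Constructed log. 10.0.0.5 is patient zero; its sweep reaches 10.0.1.7 at
    t=0.6 (step 6) and 10.0.0.9 at t=0.9, and both start their own sweeps.
    10.0.0.2 is a legitimate mail relay whose fan-out looks identical to a rate
    detector; 10.0.0.3 is an ordinary user."""
    flows: List[Flow] = []
    flows += _sweep("10.0.0.5", 0.0, "10.0.1", 445, 40, hits={9: "10.0.0.9"})
    flows += _sweep("10.0.1.7", 1.2, "10.0.3", 445, 40, hits={2: "10.0.0.9"})  # redundant hit on .9 at t=1.4
    flows += _sweep("10.0.0.9", 1.5, "10.0.2", 445, 40)
    flows += _sweep("10.0.0.2", 0.0, "10.0.4", 25, 30)
    flows += [Flow(round(0.5 * i, 1), "10.0.0.3", f"10.0.5.{i + 1}", 443) for i in range(5)]
    return sorted(flows)


def detect_bursts(flows: List[Flow], whitelist: Set[str] = frozenset()) -> Dict[str, Alert]:
    """Per source host, count distinct destinations inside a sliding window of
    WINDOW_S seconds; the first time the count reaches DISTINCT_DSTS, raise an
    alert. Whitelisted hosts (mail relays, scanners, backup servers) never alert."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.t):
        by_src[f.src].append(f)
    alerts: Dict[str, Alert] = {}
    for src, fl in by_src.items():
        if src in whitelist:
            continue
        lo = 0
        for hi, f in enumerate(fl):
            while fl[lo].t <= f.t - WINDOW_S:   # slide the window's left edge forward
                lo += 1
            if len({g.dst for g in fl[lo:hi + 1]}) >= DISTINCT_DSTS:
                alerts[src] = Alert(src, fl[lo].t, f.t)
                break
    return alerts


def trace_upstream(flows: List[Flow], alerts: Dict[str, Alert]) -> Dict[str, Optional[str]]:
    """For each alerted host, take as its infector the earliest alerted host that
    connected to it before its own burst began: the first successful hit is what
    infects, later hits from other infected hosts are redundant. A failed probe is
    indistinguishable from a successful one here, so this is a heuristic."""
    parent: Dict[str, Optional[str]] = {}
    for host, a in alerts.items():
        inbound = [f for f in flows
                   if f.dst == host and f.src in alerts and f.src != host and f.t < a.burst_start]
        parent[host] = min(inbound, key=lambda f: f.t).src if inbound else None
    return parent


def find_roots(parent: Dict[str, Optional[str]]) -> List[str]:
    """Alerted hosts with no upstream infector: the propagation roots this monitor can see."""
    return sorted(h for h, p in parent.items() if p is None)


if __name__ == "__main__":
    flows = build_sample_flows()
    # Without the whitelist the mail relay is flagged and appears as a spurious second root.
    for wl in (frozenset(), frozenset({"10.0.0.2"})):
        alerts = detect_bursts(flows, wl)
        parents = trace_upstream(flows, alerts)
        print(f"whitelist={sorted(wl)} flagged={sorted(alerts)} roots={find_roots(parents)}")
        for h, p in sorted(parents.items()):
            print(f"  {h} infected via {p}")
```

Run twice, once without and once with the mail relay whitelisted, the script shows why the whitelist matters: a rate detector alone cannot tell a legitimate fan-out from a sweep, so the unwhitelisted relay both trips the alarm and is reported as a second "root" because nothing flagged connected to it first. With the relay whitelisted, the traceback collapses the three flagged hosts to the single true origin, 10.0.0.5.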
Details of the distributed worm defense appear in the January 2008 issue of the International Journal of Security and Networks (2008, vol. 3, pp. 36-46). A free white paper for businesses entitled “7 Essential Steps to Achieve, Measure and Prove Optimal Security Risk Reduction”, published by Qualys, is available from our partner site.
2 responses so far
I like the page, but I would like to see more information about the 15 fastest movements with their respective drawings.
Ana, if I understand you correctly you are looking for a list of the 15 fastest spreading worms. Of course, such a list would have to be dynamic as it changes each day. But, you may wish to check out this virus news page.