Tracing Fast-moving Worms
December 17th, 2007 · by David Bradley

Trojans that steal your bank details and botnets that zombify computers have taken the place of fast-spreading worms in the popular headlines. It has been a while since we had a global infestation on the scale of MyDoom, Sobig, or ILOVEYOU. However, worms, self-replicating programs that spread across a network without user action, are still at the top of the critical lists when it comes to computer security.
After all, it is only the headlines that have changed: those botnets are built by the spread of specific worms, and Trojans are likewise often delivered by a worm.
Indrajit Ray, a computer science professor at Colorado State University; Andrew Burt, CEO of security company Techsoft, based in Golden, Colorado; graduate student Michael Darschewski and Prof Ramakrishna Thurimella of the University of Denver; and Hailin Wu, senior network engineer at Array Networks, have developed two new approaches to finding the origin of a worm infection. One spots an ongoing worm attack; the other works forensically after an attack has occurred.
The researchers point out that conventional approaches to fending off malicious code rely on signatures, snippets of identifying code found in the worm. However, some worms spread so quickly that there is often not enough time to push the new signatures out to security software before the damage is done. Some worms can infect millions of hosts across the internet within a matter of minutes.
The automatic distributed mechanism looks for the propagation roots of a fast-spreading internet worm. It can identify local worm outbreaks, spot network intrusion, locate internal network abuse, and assist in tracing the worm back to its source. The team adds that their method works alongside more conventional intrusion detection, bandwidth throttling and human-mediated responses to protect a network.
The approach is quite simple and relatively easy to deploy. “Our system is based on the observation that in order for any worm to spread rapidly, the moment it compromises a host, it must immediately identify a new set of victims,” the researchers explain. “Infection will almost surely be manifested by an explosive rate of outbound connection attempts from the site.”
The key to combating this infection is to deploy a monitoring program at the network gateways that spots such flash floods of outbound connection attempts, assumes that a flood of that kind can only be due to the presence of a fast-spreading worm, and blocks the activity almost instantaneously. Of course, the network administrator can whitelist any legitimate programs that mimic such activity (vulnerability scanners, for instance) and so prevent false positives and needless downtime for those programs. More importantly, the monitors can work in reverse: each one identifies which upstream neighbour reached the newly flooding host first, and following those links back reveals where the root is.
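The two halves of that mechanism, flood detection at a gateway and the reverse walk to the propagation root, as an added example that is not code from the paper or its authors. It runs over a constructed connection log of (seconds, source, destination) attempts; the window length, the distinct-destination threshold, the whitelisted scanner address and the rule "the infecting connection is the earliest inbound attempt from a host that was already flooding" are all assumptions made for the illustration, not parameters the paper states.

```python
from collections import Counter, defaultdict, deque

# Tunables.  Assumptions for this example, not values from the paper:
WINDOW_S = 1.0                 # sliding window over outbound connection attempts
THRESHOLD = 20                 # distinct destinations inside one window => "flash flood"
WHITELIST = {"10.0.9.1"}       # hypothetical authorised vulnerability scanner


def _fanout(src, t0, count, prefix, step=0.02):
    """Constructed burst: `src` tries `count` distinct hosts under `prefix` from t0 on."""
    return [(t0 + i * step, src, f"{prefix}.{i + 1}") for i in range(count)]


def build_sample_log():
    """Constructed gateway log of (seconds, src, dst) connection attempts; not real traffic."""
    log = []
    log += _fanout("10.0.0.5", 0.0, 40, "10.0.1")   # root: nothing reached it first
    log += _fanout("10.0.1.7", 0.5, 40, "10.0.2")   # hit by 10.0.0.5 at t=0.12, bursts at 0.5
    log += _fanout("10.0.2.9", 1.2, 40, "10.0.3")   # hit by 10.0.1.7 at t=0.66, bursts at 1.2
    log += _fanout("10.0.9.1", 5.0, 40, "10.0.4")   # whitelisted scanner: must not be flagged
    log += [(0.3, "10.0.3.3", "10.0.0.80"),          # ordinary host: a few slow connections
            (2.0, "10.0.3.3", "10.0.0.25"),
            (7.0, "10.0.3.3", "10.0.0.443")]
    return sorted(log)


def detect_floods(log, window_s=WINDOW_S, threshold=THRESHOLD, whitelist=WHITELIST):
    """Return {src: burst_start} for every non-whitelisted source whose outbound
    attempts reach `threshold` distinct destinations within `window_s` seconds."""
    by_src = defaultdict(list)
    for t, src, dst in log:
        by_src[src].append((t, dst))
    flagged = {}
    for src, attempts in by_src.items():
        if src in whitelist:
            continue
        attempts.sort()
        window, distinct = deque(), Counter()
        for t, dst in attempts:
            window.append((t, dst))
            distinct[dst] += 1
            while window[0][0] < t - window_s:          # evict attempts older than the window
                _, old_dst = window.popleft()
                distinct[old_dst] -= 1
                if distinct[old_dst] == 0:
                    del distinct[old_dst]
            if len(distinct) >= threshold:
                flagged[src] = window[0][0]              # this is where blocking would kick in
                break
    return flagged


def upstream_of(log, flagged):
    """Work the monitors in reverse: for each flagged host, the earliest inbound attempt
    from a host that was already flooding is taken as the infecting connection.
    None means no monitored upstream was found: the host is a root, or its infector
    sits behind a gateway where no monitor is deployed."""
    parent = {}
    for victim, burst_start in flagged.items():
        hits = [(t, src) for t, src, dst in log
                if dst == victim and src in flagged and flagged[src] <= t < burst_start]
        parent[victim] = min(hits)[1] if hits else None
    return parent


def trace_to_root(parent, host):
    """Follow upstream links from `host` back to the propagation root."""
    chain = [host]
    while parent.get(chain[-1]) is not None:
        chain.append(parent[chain[-1]])
    return chain


def find_roots(parent):
    """Flagged hosts with no monitored upstream: candidate propagation roots."""
    return sorted(h for h, up in parent.items() if up is None)


if __name__ == "__main__":
    log = build_sample_log()
    flagged = detect_floods(log)
    parent = upstream_of(log, flagged)
    for host in sorted(flagged):
        print(f"{host}: " + " <- ".join(trace_to_root(parent, host)))
    print("roots:", find_roots(parent))
```

The whitelist here is keyed on the source address because a gateway sees addresses and ports, not process names; on a host-based monitor the same exemption would be applied per program. A `None` upstream is the partial-deployment case the simulations address: if the infecting gateway has no monitor, the trace stops there and the host is reported as a root candidate rather than silently misattributed.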
The team’s simulations of worm infections show that even if only 20 to 30% of the computers in a network have deployed the system, the origin of a worm can nevertheless be pinpointed with great precision.
Details of the distributed worm defense can be found in the January issue of the International Journal of Security and Networks (2008, 3, 36-46). A free white paper on security for your business, “7 Essential Steps to Achieve, Measure and Prove Optimal Security Risk Reduction”, published by Qualys, is available from our partner site.