Tracing Fast-moving Worms
December 17th, 2007 · by David Bradley

Trojans that steal your bank details and botnets that zombify computers have taken the place of fast-spreading worms in the popular headlines. It’s been a while since we had a global infestation on the scale of MyDoom, Sobig, or ILOVEYOU. However, worms, self-replicating computer programs that spread across a network, are still at the top of the critical lists when it comes to computer security.
After all, it is only the headlines that have changed: those botnets are created by the spread of specific worms, and similarly Trojans are often delivered by a worm.
Indrajit Ray, a computer science professor at Colorado State University; Andrew Burt, CEO of security company Techsoft, based in Golden, Colorado; graduate student Michael Darschewski and Prof Ramakrishna Thurimella of the University of Denver; and Hailin Wu, senior network engineer at Array Networks, have developed two new approaches to finding the origin of a worm infection. One spots an ongoing worm attack, the other works forensically after an attack has occurred.
The researchers point out that conventional approaches to fending off malicious code use signatures, snippets of identifying code found in the worm. However, some worms spread so quickly that there is often not enough time to update security software with the new signatures before the damage is done. Some worms can infect millions of host computers across the internet within a matter of minutes.
The automatic distributed mechanism looks for the propagation roots of a fast-spreading internet worm. It can identify local worm outbreaks, spot network intrusion, locate internal network abuse, and assist in tracing the worm back to its source. The team adds that their method works alongside more conventional intrusion detection, bandwidth throttling and human-mediated responses to protect a network.
The approach is quite simple and relatively easy to deploy. “Our system is based on the observation that in order for any worm to spread rapidly, the moment it compromises a host, it must immediately identify a new set of victims,” the researchers explain. “Infection will almost surely be manifested by an explosive rate of outbound connection attempts from the site.”
The key to combating this infection is to deploy a monitoring program at the network gateways that spots such flash floods of outbound connection attempts, assumes that they can only be due to the presence of a fast-spreading worm, and blocks the activity almost instantaneously. Of course, the network administrator could whitelist any legitimate programs that may mimic such activity, and so prevent false positives and network downtime for such programs. More importantly, the monitors can work in reverse, identifying upstream network neighbors and so figuring out where the root is.
The team’s simulations of worm infections show that even if only 20 to 30% of computers in a network have deployed the system, the origin of a worm can nevertheless be pinpointed with great precision.
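To make the two halves of the mechanism concrete, here is an added, self-contained Python sketch that is not the researchers’ code and is not taken from the paper. It constructs a small worm outbreak across five networks of eight hosts (all names, fan-out, timings and thresholds are made up for the illustration), then (1) flags any host whose outbound connection attempts reach ten distinct destinations inside a one-second window, honouring a whitelist for a legitimate scanner, and (2) walks upstream from a flagged victim to the flagged neighbour whose connection attempt arrived just before the victim’s own burst began, repeating until no such neighbour exists. A `visible()` filter models partial deployment: a gateway monitor only records attempts whose source or destination sits in a monitored network, which is what limits how far back the trace can go.

```python
import heapq
from dataclasses import dataclass

# --- constructed outbreak parameters (assumptions, not from the paper) ---
NETWORKS = [f"n{k}" for k in range(5)]
HOSTS = [f"{net}-h{i}" for net in NETWORKS for i in range(1, 9)]   # 40 hosts
VULNERABLE = {h for h in HOSTS if int(h.split("-h")[1]) % 2 == 1}  # odd-numbered hosts
FANOUT = 12          # destinations each infected host probes
SCAN_RATE_MS = 10    # one probe every 10 ms
WINDOW_MS = 1000     # monitor window
THRESHOLD = 10       # distinct destinations per window that count as a flash flood


@dataclass(frozen=True)
class Attempt:
    t: int      # milliseconds since the outbreak started
    src: str
    dst: str


def network(host):
    return host.split("-")[0]


def simulate_worm(root="n0-h1"):
    """Constructed outbreak: each infected host probes the next FANOUT hosts in
    HOSTS order; a vulnerable, not-yet-infected target is compromised by the
    first probe that reaches it. Returns (attempts, infector) where infector
    maps each victim to its true source, for comparison with the trace."""
    heap, infected, infector, attempts = [], {root: 0}, {}, []

    def schedule(host, t0):
        start = HOSTS.index(host)
        for j in range(FANOUT):
            dst = HOSTS[(start + 1 + j) % len(HOSTS)]
            heapq.heappush(heap, (t0 + 5 + SCAN_RATE_MS * j, host, dst))

    schedule(root, 0)
    while heap:
        t, src, dst = heapq.heappop(heap)
        attempts.append(Attempt(t, src, dst))
        if dst in VULNERABLE and dst not in infected:
            infected[dst] = t
            infector[dst] = src
            schedule(dst, t)
    return attempts, infector


# Constructed background traffic: one benign connection and a legitimate scanner.
BENIGN = [Attempt(3, "n3-h2", "n0-h1"), Attempt(40, "n0-h2", "n4-h3")]
SCANNER = [Attempt(50 + SCAN_RATE_MS * j, "n1-scan", HOSTS[j]) for j in range(15)]


def visible(attempts, monitored_networks):
    """What gateway monitors deployed only in `monitored_networks` can see."""
    return [a for a in attempts
            if network(a.src) in monitored_networks or network(a.dst) in monitored_networks]


def flood_start(attempts, host, window=WINDOW_MS, threshold=THRESHOLD):
    """Timestamp of the first attempt in the earliest sliding window in which
    `host` reaches `threshold` distinct outbound destinations, else None."""
    times = sorted((a.t, a.dst) for a in attempts if a.src == host)
    counts, left = {}, 0
    for t, dst in times:
        counts[dst] = counts.get(dst, 0) + 1
        while times[left][0] < t - window:      # expire attempts outside the window
            old = times[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) >= threshold:
            return times[left][0]
    return None


def detect(attempts, whitelist=frozenset()):
    """Gateway monitor: map every flooding host to the time its burst began."""
    flagged = {}
    for host in {a.src for a in attempts} - set(whitelist):
        t = flood_start(attempts, host)
        if t is not None:
            flagged[host] = t
    return flagged


def trace_root(attempts, flagged, start):
    """Reverse step: the likely infector of a flagged host is the flagged
    neighbour whose attempt arrived last before the victim's burst began.
    Returns the path victim -> ... -> root (last element)."""
    path, current = [start], start
    while current in flagged:
        burst = flagged[current]
        inbound = [a for a in attempts
                   if a.dst == current and a.t < burst and a.src in flagged]
        if not inbound:
            break
        current = max(inbound, key=lambda a: a.t).src
        if current in path:          # guard against cycles in noisy data
            break
        path.append(current)
    return path


if __name__ == "__main__":
    worm, _ = simulate_worm()
    log = worm + BENIGN + SCANNER
    flagged = detect(log, whitelist={"n1-scan"})
    print("flagged:", len(flagged), "hosts; scanner whitelisted")
    print("full deployment:", " <- ".join(trace_root(log, flagged, "n2-h1")))
    part = visible(log, {"n0", "n2"})
    print("n0+n2 only:", " <- ".join(trace_root(part, detect(part, {"n1-scan"}), "n2-h1")))
```

In the constructed data the outbreak spreads as a chain through the odd-numbered hosts, so with monitors everywhere the trace from any flagged host ends at `n0-h1`; with monitors only in `n0` and `n2`, the infector of `n2-h1` lives in the unmonitored `n1` and the trace stops one hop short, while adding `n1` restores the full path. That gap is the practical reason the whitelist and the deployment fraction both matter: a whitelisted scanner never appears as a candidate infector, and every unmonitored network is a place where the reverse walk can lose the thread.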
Details of the distributed worm defense can be found in the January issue of the International Journal of Security and Networks (2008, 3, 36-46). You can get a free white paper on security for your business entitled “7 Essential Steps to Achieve, Measure and Prove Optimal Security Risk Reduction” here. The white paper is published by Qualys and is available from our partner site for free.