Technical Track
The current strategy against Internet worms resembles catching mice with a mousetrap: the trap snaps shut on whichever mouse happens to pass and holds it until it dies. This strategy is less effective than spreading a pest-control chemical that causes a plague throughout a cockroach colony. An infected cockroach is not expected to die at once; the hope is that it returns to the nest and infects the others, so that the pests are killed at an exponential rate.
The theory of Worm Poisoning is similar to the way a pest toxicant works: the PoisonWorm plays the role of the toxicant, and the poisoned worm plays the role of the infected pest.
Worm Poisoning (also called Worm Spoofing) is a newly invented technique for worm containment. It tricks malicious worms into spreading irrelevant files or code through their own propagation mechanisms. The worm that poisons other worms and propagates by means of the poisoned worms is called the PoisonWorm. The PoisonWorm is therefore a special worm with an active motivation to spread but no self-propagating capability of its own; it gains the ability to spread only when some other malicious worm breaks out. It gradually reduces the negative influence of the malicious worm without placing an extra burden on the Internet or on its hosts. A proof-of-concept PoisonWorm has been compiled and tested successfully using the MSBlaster, Sasser, Mydoom and Netsky worms as the poisoned worms, which demonstrated the feasibility of the idea. The PoisonWorm shares some characteristics with an anti-worm (also called a good worm) but differs from it in essential ways.
In this paper, the concepts of Worm Poisoning and the PoisonWorm are presented, and the feasibility of Worm Poisoning is verified in detail. A propagation model called SIRP, together with the side effect of the PoisonWorm on network traffic, is given and compared with the classical Kermack-McKendrick epidemic model. We highlight the feasibility and necessity of the PoisonWorm and its application in an active defense system against Internet worms. The technique of P2P-based unknown-worm detection and signature verification is also briefly introduced.
http://www.first.org/conference/2006/papers/xiang-cui-papers.pdf
Type: Paper
Format: application/pdf
Last updated: July 12, 2006
Size: 207 Kb
Authors & presenters
Cui Xiang (CNCERT/CC National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)
Wu Bing (CNCERT/CC National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)
Yonglin Zhou (CNCERT/CC National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)
Zou Xin (CNCERT/CC National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)