Computer Worm Classification

Document Sample
Computer Worm Classification Powered By Docstoc
					                                                                (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                   Vol. 10, No.4, April 2012

                             Computer Worm Classification

                     Andhika Pratama                                                           Fauzi Adi Rafrastara
                  Faculty of Engineering                                                Master of Information Technology
                Dian Nuswantoro University                                                   Post-Graduate Program
                   Semarang, Indonesia                                                    Dian Nuswantoro University
                                                             Semarang, Indonesia

Abstract—To find out more the ins and the outs of computer                      This paper presents the taxonomy for classifying computer
worm, including how the work and how to overcome, it is                     worm into 4 main classifications, which are based on its
necessary to study the classification of computer worm itself first.        structure, how they attack, how they defense itself from
This paper presents taxonomy for classifying worm structure,                detection, and how user fight the computer worm
worm attack, worm defense, and user defense.

   Keywords-component; computer worm; computer security                                          II.    WORM STRUCTURE
worm classification                                                            In its body, computer worm has some important parts, and
                                                                            each part have their function, such as: infection propagation,
                       I.    INTRODUCTION                                   remote control and update interface, life-cycle manager,
                                                                            payload, self-tracking.
    The internet has many uses for our life. It helps our work,
and gives us some information that we need quickly. Along
with the vigorous development of the internet, the
development and the spread of malicious code which can harm
our data and system in our computer, are becoming even more
unstoppable [1].
    There are several types of malicious code which has been
available in the world, such as: virus, worm, blended threats,
time bombs, spyware, adware, stealware, trojans and other
backdoors [2]. Eventhough there are many interesting things
that can be discussed deeply, but this paper will only study one
type of malicious code, called computer worm.
    The computer worm is a malicious code that spread
through internet connection or a local area network (LAN).                            Figure 1. Worm classification based on its structure
The computer worm will search a vulnerability host to
replicate itself into that computer and continuously search
another vulnerability host which can be replicated [2]. There               A. Infection Propagation
are many reasons why the attacker employs the computer                          The essential part of the worm is the strategy which is used
worm to attack the vulnerable host. First, to take over vast                by the worm to get control of remote system by transferring
numbers of system. Second, to make trackback more difficult.                itself to a new bud. The worm's author may use any document
Third, to amplify the damage. The computer worm can be very                 format, script language, and binary or in-memory injected
dangerous for our system, because they take the power of                    code (or a combination of these) to destroy your system. The
large distributed networks and use it to destroy the network                attackers deceive the victims to execute the worm by using
[3]. There are 10 most destructive computer worms [4]:                      social engineering techniques [5].
    1. MyDoom
    2. Sobiq.F                                                              B. Remote Control and Update Interface
    4. Conficker                                                                Remote control is another essential component of the
    5. Code Red                                                             computer worm. Here, communication module is the
    6. Melissa Virus                                                        important part of remote control, because without this module,
    7. SQL Slammer                                                          the worm’s author cannot control the worm by sending control
    8. Sasser                                                               message to the worm copies. Next, the function of an update
    9. Blaster                                                              or plug-in interface is, to update the worm's code on
    10. CIH                                                                 compromised system. However there is a problem after the
                                                                            attacker compromise with a particular exploitation, it can't be
                                                                            exploited again with the same bud [5].

                                                                                                          ISSN 1947-5500
                                                                   (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                      Vol. 10, No.4, April 2012
C. Life-Cycle Manager                                                            a) Selective random scan: worm selects the address as
   The worm’s author likes to run a variant of a computer                   the target (vulnerable host).
worm for a preset period of time. In their life-cycle manager                   b) Sequential scan: once scanning with many vulnerable
components, many worms have bugs and always continue to                     hosts.
run and never stop. Then the others patch them to make the
worms can continue their life [5].                                              c) Hit-list scan: by creating the target list, and then do
                                                                            searching the susceptible host.
D. Payload                                                                        d) Routable scan: based on the route information in a
    The code separate from the propagation habits, is limited               network, worm will scan selectively IP address space. By
by the attacker’s imagination and the purposes. Different                   using this routable IP address, worm can propagate quickly,
attackers will bring different payloads to reach their ends                 more effectively, and it can also avoid the anti-detecting
directly [6].                                                               system.
                                                                                2) Pre-Generated Target List: Here, the attacker creates a
E. Self-Tracking                                                            hit-list of probable victims [6]. There are two groups of hit-list
    Some attackers really interest to see how many vulnerable               and will be discussed as follows:
systems that can be contaminated. They allow others to track                     a) Static hit-list: before a worm is released, static hit-list
the path. Computer worm usually send the information
                                                                            is created [8].
through e-mail about the infected computer to track their
spread. There is a kind of computer worm which deploy a self-                    b) Dynamical hit-list: dynamical hit-list is created in
tracking module that capable of sending UDP datagram to the                 every contaminated machine [8].
host. And about every 15 infections (this routine was fake), it                 3) Passive: It is very different with scanning that has
never send any information [5].                                             been discussed before. Scanning is very aggressive to find the
                                                                            target, whereas a passive worm, they wait for potential victims
                       III.   WORM ATTACK                                   to connect the machine where the worm stay, and then infect
                                                                            the visitors during the interaction. This way is very hard to
    There are many steps, if the computer worm wants to
                                                                            detect, because there is no any anomalous traffic during target
attack the vulnerable system. We divide this worm attack in 4
                                                                            finding [6,8].
terms: how to find the target, target space, propagation
method, and activation. These every term has sub terms which
explain the way of that term.                                               B. Target Space
                                                                                Target space is very important component of computer
                                                                            worm to attack the vulnerable host efficiently [5,8]. Below are
                                                                            the explanations of the target space:
                                                                               1) internet: worm find the target in the IP address space,
                                                                            and then do propagation in the internet through security flaws
                                                                            in computer [5,8].
                                                                               2) P2P worm: worm find the target in the space of P2P
                                                                            network through copy of themselves to a shared P2P folder on
                                                                            the disk [5,8].
                                                                               3) E-mail worm: worm find the target in the space of
                                                                            email address, and self-propagate through infected email
                                                                            messages [8].
        Figure 2. Worm classification based on the way to attack
                                                                               4) Instant messaging (IM) worm: worm finds the target in
                                                                            the space of IM user IDs [8].
A. How to Find the Target:
                                                                            C. Propagation Method
    Generally computer worm will do searching a set of
address to diagnose the vulnerable host. There are two forms                    Exploiting the vulnerability host, this is the way how the
of scanning, which are sequential and random. According to a                internet worm propagate themselves [8]. Generally there are
number of other spreading techniques, scanning worm                         three propagation methods that used by worm:
included in a slow spread. There is a combinations of factor                  1) Self-carried: send it-self as part of the infection process.
which make the speed of worm scanning is limited such as the                This mechanism is used in self-activating scanning [6,8].
density of vulnerable machines, the design of the scanner, the
                                                                              2) Second channel: some worms need a secondary
ability of edge routers to handle a potentially significant
increase in new, and diverse communication [6,7,8].                         communication channel to finish the infection. In this case,
                                                                            worm just send a small piece of malicious code to the target
  1) Scanning: Below are the ways of scanning activity done                 [6,8].
by computer worm [6,7,8]:                                                     3) Embedded: the velocity of embedded worm spread is
                                                                            depends on how the application is used [6].

                                                                                                        ISSN 1947-5500
                                                                      (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                         Vol. 10, No.4, April 2012
D. Activation:
    The computer worm is activated on the vulnerability host
and then spread quickly [6]. This classification can be divided
into 4 sub classification, as follows:
  1) Human activation: This kind of worm will be active if
user executes the local copy of the worm. Usually, the worm
involves some social engineering techniques to deceive the
user [6].
  2) Human activity-based activation: the computer worm
will active when the user do activity un-normally related to a
                                                                                               Figure 4. Classification based on user defense
worm [6].
  3) Scheduled process activation: worms activate itself
through scheduled system processes [6].                                        A. Detection Method
                                                                               It is used to find the activities of internet worms. Detection
                       IV.    WORM DEFENSE
                                                                               method can be classified into two parts, which are: signature-
   There are many ways for the computer worm to avoid                          based and anomaly-based.
detection system. This paper classifies the worm into 5                           1) Signature-Based Detection: it is commonly used in
categories based on their defense technique, which are:                        intrusion detection system (IDSs). The patterns or the habits of
monomorphic, polymorphic, metamorphic, and polymorphic                         the worms have been modeled, so what need to do is only to
exploitation [8].                                                              match the signature of the suspicious file with the signature
                                                                               that has been listed in the database system [8].
                                                                                  2) Anomaly-based detection: this method is used to
                                                                               indicate the models of normal network or program behavior.
                                                                               An alarm will be activated, when the anomaly behavior is
                                                                               detected [8].
                                                                               B. Defense Against Nasty Worm
                                                                                 1) Ethical worm: sometimes ethical worm is called white
     Figure 3. Worm classification based on how worm defense itself            worm. It does not do like ordinary worm, but it will help the
                                                                               user to overcome the problem caused by the black worm.
   1) Monomorphic: worm always send the same infection                         Ethical worms are able to fix problems by applying patches or
attempt, and never change the code [8].                                        hardening configuration settings before a malicious worm take
   2) Polymorphic: changing a worm’s binary code by using                      over the system [3].
encryption technique when keeping the original worm code                         2) Antivirus: keeping the antivirus up to date, will help the
intact. The decrypted worm body is unchanged, when the                         system to fight a large number of worm species [3].
worm replicates itself become millions of different form by                      3) Patch: Deploy vendor patches and harden publicly
modifying its encryption [8].                                                  accessible system: making sure that security team has the
   3) Metamorphic: worm which is using this technique is                       resources necessary to test all patches before rolling them into
more difficult to detect than monomorphic or even                              production [3].
polymorphic. Metamorphic worm has capability to make new
generation in the target place which the code is modified [8].                                           VI.     CONCLUSION
   4) Polymorphic exploitation: it is consist of two attempts,                     This paper has shown that computer worm is not simple. In
exploit and payload. Here exploit means, mutation                              order to make easier to understand, this paper attempted to
unimportant bytes, but still keep some bytes complete.                         classify worm based on 4 main things, called: worm structure,
Whereas the meaning of payload here is, the body of worm                       worm attack, worm defense, and user defense. By studying
can be changed through polymorphic or metamorphic worm                         this worm classification, it helps us to understand more clearly
code [8].                                                                      about worm itself, including how they act and how to fight
                                                                               with worm.
                        V.     USER DEFENSE
   To protect our system from the computer worm attack, we                                                     REFERENCES
need to know about how user should do toward this threat.                      [1]   Rafrastara, F & Faizal, MA (2011). “Advanced Virus Monitoring and
There are two ways for user to defense from the worm attack:                         Analysis System.” IJCSIS’11, vol. 9, no. 1 (pp. 35-38).
                                                                               [2]   Erbschloe, Michael (2005). “Trojan, worms, and spyware: a computer
                                                                                     security profesional’s guide to malicious code.” Burlington: Elsevier Inc.
                                                                               [3]   Skoudis, E & Zeltser L (2003). “Fighting malicious code.” New Jersey:
                                                                                     Prentice Hall PTR.

                                                                                                                 ISSN 1947-5500
                                                                       (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                          Vol. 10, No.4, April 2012
[4]   Eric, S (2010). 10 most destructive computer worms and viruses ever.         [7]   Qing, S & Wen, W (2005). “A survey and trends on internet worm.”
      [Online]        Retrived       on      March         2012       from               Computers & Security’05 (pp.334-346). Elsevier.           [8]   Tang, Y, Luo J, Xiao, B & Wei G (2009). “Concept, characteristic, and
      and-viruses-ever/                                                                  defending mechanism of worm.” IEICE TRANS. INF. & SYST.’09, vol.
[5]   Szor, Peter (2005). “The art of computer virus research and defense.”              E92-D, No. 5, (pp. 799-809). The Institute of Electronics, Information
      Maryland: Addison Wesley Profesional.                                              and Communication Engineers.
[6]   Weaver, N, Paxson, V, Staniford, S & Cunningham, R (2005). A
      taxonomy of computer worm.” WORM’03 (pp. 11-18). Washington:

                                                                                                                    ISSN 1947-5500

Shared By: