(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 10, No.4, April 2012
Computer Worm Classification

Andhika Pratama
Faculty of Engineering
Dian Nuswantoro University
Semarang, Indonesia
Arjuna_7@rocketmail.com

Fauzi Adi Rafrastara
Master of Information Technology Post-Graduate Program
Dian Nuswantoro University
Semarang, Indonesia
fauziadi@pasca.dinus.ac.id

Abstract—To understand the ins and outs of computer worms, including how they work and how to overcome them, it is necessary first to study the classification of computer worms. This paper presents a taxonomy for classifying worm structure, worm attack, worm defense, and user defense.

Keywords: computer worm; computer security; worm classification

I. INTRODUCTION

The internet has many uses in our lives. It helps our work and quickly gives us the information we need. Along with the vigorous development of the internet, the development and spread of malicious code which can harm the data and systems on our computers are becoming ever more unstoppable [1].

There are several types of malicious code in the world, such as viruses, worms, blended threats, time bombs, spyware, adware, stealware, trojans and other backdoors [2]. Even though there are many interesting things that could be discussed in depth, this paper studies only one type of malicious code, the computer worm.

The computer worm is malicious code that spreads through an internet connection or a local area network (LAN). The computer worm searches for a vulnerable host, replicates itself onto that computer, and continuously searches for other vulnerable hosts to replicate onto [2]. There are many reasons why an attacker employs a computer worm to attack vulnerable hosts. First, to take over vast numbers of systems. Second, to make traceback more difficult. Third, to amplify the damage. The computer worm can be very dangerous for our systems, because it takes the power of large distributed networks and uses it to destroy the network [3]. The 10 most destructive computer worms are [4]:
1. MyDoom
2. Sobig.F
3. ILOVEYOU
4. Conficker
5. Code Red
6. Melissa Virus
7. SQL Slammer
8. Sasser
9. Blaster
10. CIH

This paper presents a taxonomy for classifying computer worms into 4 main classifications, based on their structure, how they attack, how they defend themselves from detection, and how users fight the computer worm.

II. WORM STRUCTURE

In its body, a computer worm has some important parts, each with its own function: infection propagation, remote control and update interface, life-cycle manager, payload, and self-tracking.

Figure 1. Worm classification based on its structure

A. Infection Propagation
The essential part of the worm is the strategy it uses to get control of a remote system by transferring itself to a new bud. The worm's author may use any document format, script language, and binary or in-memory injected code (or a combination of these) to destroy your system. Attackers deceive victims into executing the worm by using social engineering techniques [5].

B. Remote Control and Update Interface
Remote control is another essential component of the computer worm. Here, the communication module is the important part of remote control, because without this module the worm's author cannot control the worm by sending control messages to the worm copies. Next, the function of an update or plug-in interface is to update the worm's code on compromised systems. However, there is a problem: after the attacker compromises a system with a particular exploit, it cannot be exploited again with the same bud [5].

21 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
C. Life-Cycle Manager
The worm's author likes to run a variant of a computer worm for a preset period of time. In their life-cycle manager components, many worms have bugs, so they continue to run and never stop. Then others patch them so that the worms can continue their life [5].

D. Payload
The payload, the code separate from the propagation routine, is limited only by the attacker's imagination and purposes. Different attackers bring different payloads to reach their ends directly [6].

E. Self-Tracking
Some attackers are really interested in seeing how many vulnerable systems can be contaminated, and they allow others to track the path. Computer worms usually send information about the infected computer through e-mail to track their spread. There is a kind of computer worm which deploys a self-tracking module capable of sending UDP datagrams to a host. It is meant to report about every 15 infections, but this routine was faulty and it never sent any information [5].

III. WORM ATTACK

There are many steps a computer worm takes to attack a vulnerable system. We divide the worm attack into 4 terms: how to find the target, target space, propagation method, and activation. Each term has sub-terms which explain the way that term works.

Figure 2. Worm classification based on the way to attack

A. How to Find the Target
Generally a computer worm searches a set of addresses to find vulnerable hosts. There are two forms of scanning, sequential and random. Compared with a number of other spreading techniques, the scanning worm is a slow spreader. A combination of factors limits the speed of worm scanning, such as the density of vulnerable machines, the design of the scanner, and the ability of edge routers to handle a potentially significant increase in new and diverse communication [6,7,8].
1) Scanning: Below are the ways of scanning done by a computer worm [6,7,8]:
a) Selective random scan: the worm selects an address as the target (vulnerable host).
b) Sequential scan: one scan sweeps through many vulnerable hosts in sequence.
c) Hit-list scan: creating a target list, and then searching for the susceptible hosts.
d) Routable scan: based on the route information in a network, the worm selectively scans the IP address space. By using routable IP addresses, the worm can propagate quickly and more effectively, and it can also avoid the anti-detection system.
2) Pre-Generated Target List: Here, the attacker creates a hit-list of probable victims [6]. There are two groups of hit-list, discussed as follows:
a) Static hit-list: the static hit-list is created before the worm is released [8].
b) Dynamic hit-list: the dynamic hit-list is created on every contaminated machine [8].
3) Passive: This is very different from the scanning discussed above. Scanning is very aggressive in finding the target, whereas a passive worm waits for potential victims to connect to the machine where the worm resides, and then infects the visitors during the interaction. This way is very hard to detect, because there is no anomalous traffic during target finding [6,8].

B. Target Space
Target space is a very important component for a computer worm to attack vulnerable hosts efficiently [5,8]. Below are the explanations of the target spaces:
1) Internet worm: the worm finds targets in the IP address space, and then propagates over the internet through security flaws in computers [5,8].
2) P2P worm: the worm finds targets in the space of a P2P network by copying itself to a shared P2P folder on the disk [5,8].
3) E-mail worm: the worm finds targets in the space of e-mail addresses, and self-propagates through infected e-mail messages [8].
4) Instant messaging (IM) worm: the worm finds targets in the space of IM user IDs [8].

C. Propagation Method
Exploiting the vulnerable host is the way the internet worm propagates itself [8]. Generally there are three propagation methods used by worms:
1) Self-carried: the worm sends itself as part of the infection process. This mechanism is used in self-activating scanning [6,8].
2) Second channel: some worms need a secondary communication channel to finish the infection. In this case, the worm sends only a small piece of malicious code to the target [6,8].
3) Embedded: the speed of an embedded worm's spread depends on how the application is used [6].
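Section III.A above notes that a scanning worm produces anomalous traffic while searching for targets, whereas a passive worm does not; that difference is what the two detection styles classified later in this paper (signature-based and anomaly-based) rely on. The following is an added example by the editor, not code from the paper or its authors: it matches a constructed byte signature against a payload and flags a source that contacts many distinct addresses on one port within a short window, run over constructed flow records.

```python
"""Added example (not from the paper). Signature-based detection matches a
known byte pattern in a payload; anomaly-based detection flags a host whose
outbound fan-out (distinct destinations on one port in a short window) is far
above normal, which is the traffic profile of a scanning worm. A passive worm
that only waits for inbound connections shows no such fan-out, which is why
the paper calls it hard to detect. All signatures and flows are constructed."""
from collections import defaultdict

# Constructed signature: a hypothetical byte pattern, not a real worm's.
SIGNATURES = {"demo-worm-A": b"\x90\x90\x90EXPLOIT"}


def signature_match(payload: bytes) -> list:
    """Return the names of all signatures whose pattern occurs in payload."""
    return [name for name, pat in SIGNATURES.items() if pat in payload]


def scan_sources(flows, window=10, fanout=20):
    """Return {(src, dport)} pairs that reached at least `fanout` distinct
    destination IPs within any `window`-second interval.
    flows: iterable of (time_seconds, src_ip, dst_ip, dst_port)."""
    seen = defaultdict(list)              # (src, dport) -> [(t, dst), ...]
    for t, src, dst, dport in sorted(flows):
        seen[(src, dport)].append((t, dst))
    flagged = set()
    for key, events in seen.items():      # events are already time-ordered
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= fanout:
                flagged.add(key)
                break
    return flagged


# Constructed flow log: 10.0.0.5 hits 25 hosts on tcp/445 within 5 seconds
# (scanning behaviour), while 10.0.0.9, a server on which a passive worm could
# sit, only receives connections and never fans out.
FLOWS = [(i * 0.2, "10.0.0.5", f"10.0.1.{i}", 445) for i in range(25)]
FLOWS += [(30 + i, f"10.0.2.{i}", "10.0.0.9", 80) for i in range(25)]

if __name__ == "__main__":
    print("scan sources:", scan_sources(FLOWS))
    print("signature hits:", signature_match(b"GET / \x90\x90\x90EXPLOIT"))
```

Only the scanner is reported; the passive pattern produces no alert, so the anomaly rule has to be paired with signature or host-based checks to cover it.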
D. Activation
The computer worm is activated on the vulnerable host and then spreads quickly [6]. This classification can be divided into 4 sub-classifications, as follows:
1) Human activation: this kind of worm becomes active when the user executes the local copy of the worm. Usually, the worm involves social engineering techniques to deceive the user [6].
2) Human activity-based activation: the computer worm becomes active when the user performs some activity not normally related to a worm [6].
3) Scheduled process activation: the worm activates itself through scheduled system processes [6].

IV. WORM DEFENSE

There are many ways for a computer worm to avoid detection systems. This paper classifies worms into 5 categories based on their defense technique, which are: monomorphic, polymorphic, metamorphic, and polymorphic exploitation [8].

Figure 3. Worm classification based on how the worm defends itself

1) Monomorphic: the worm always sends the same infection attempt, and never changes its code [8].
2) Polymorphic: the worm's binary code is changed using an encryption technique while the original worm code is kept intact. The decrypted worm body is unchanged, while the worm replicates itself into millions of different forms by modifying its encryption [8].
3) Metamorphic: a worm using this technique is more difficult to detect than a monomorphic or even a polymorphic one. A metamorphic worm has the capability to make a new generation at the target in which the code is modified [8].
4) Polymorphic exploitation: this consists of two parts, exploit and payload. Here the exploit mutates unimportant bytes while keeping some bytes intact, whereas the payload, the body of the worm, can be changed through polymorphic or metamorphic worm code [8].

V. USER DEFENSE

To protect our systems from computer worm attacks, we need to know what users should do against this threat. There are two ways for users to defend against worm attacks:

Figure 4. Classification based on user defense

A. Detection Method
Detection is used to find the activities of internet worms. Detection methods can be classified into two parts: signature-based and anomaly-based.
1) Signature-based detection: this is commonly used in intrusion detection systems (IDSs). The patterns or habits of the worms have been modeled, so all that needs to be done is to match the signature of the suspicious file with the signatures listed in the database [8].
2) Anomaly-based detection: this method builds models of normal network or program behavior. An alarm is raised when anomalous behavior is detected [8].

B. Defense Against Nasty Worms
1) Ethical worm: sometimes an ethical worm is called a white worm. It does not act like an ordinary worm, but helps the user overcome the problems caused by the black worm. Ethical worms are able to fix problems by applying patches or hardening configuration settings before a malicious worm takes over the system [3].
2) Antivirus: keeping the antivirus up to date helps the system fight a large number of worm species [3].
3) Patch: deploy vendor patches and harden publicly accessible systems, making sure that the security team has the resources necessary to test all patches before rolling them into production [3].

VI. CONCLUSION

This paper has shown that the computer worm is not simple. To make it easier to understand, this paper attempted to classify worms based on 4 main things: worm structure, worm attack, worm defense, and user defense. Studying this worm classification helps us understand the worm more clearly, including how it acts and how to fight it.

REFERENCES
[1] Rafrastara, F & Faizal, MA (2011). "Advanced Virus Monitoring and Analysis System." IJCSIS'11, vol. 9, no. 1 (pp. 35-38).
[2] Erbschloe, Michael (2005). "Trojans, worms, and spyware: a computer security professional's guide to malicious code." Burlington: Elsevier Inc.
[3] Skoudis, E & Zeltser, L (2003). "Fighting malicious code." New Jersey: Prentice Hall PTR.
[4] Eric, S (2010). "10 most destructive computer worms and viruses ever." [Online] Retrieved March 2012 from http://wildammo.com/2010/10/12/10-most-destructive-computer-worms-and-viruses-ever/
[5] Szor, Peter (2005). "The art of computer virus research and defense." Maryland: Addison Wesley Professional.
[6] Weaver, N, Paxson, V, Staniford, S & Cunningham, R (2005). "A taxonomy of computer worms." WORM'03 (pp. 11-18). Washington: ACM.
[7] Qing, S & Wen, W (2005). "A survey and trends on internet worm." Computers & Security'05 (pp. 334-346). Elsevier.
[8] Tang, Y, Luo, J, Xiao, B & Wei, G (2009). "Concept, characteristic, and defending mechanism of worm." IEICE Trans. Inf. & Syst.'09, vol. E92-D, no. 5 (pp. 799-809). The Institute of Electronics, Information and Communication Engineers.