In Search of a More Insidious Worm

The Internet has been the victim of numerous worms in the last few years. All such worms have a common underlying principle: launch a blitzkrieg-like attack with wide fan-out. These worms’ operations constituted large denial-ofservice attacks, which disrupted the normal operation of the Internet and made many resources inaccessible. These worms are examples of a historical tendency to write worms naively, with little attention paid to detection avoidance. In fact, a large-scale infection that causes an uproar on the Internet is considered a source of pride among virus and worm writers. Such infections die quickly, and provide little more than shock value to the creator, while causing great harm to the victim. In contrast, a worm that can remain largely undetected is capable of having much more serious and far-reaching effects. While such a worm may not achieve large-scale publicity, it can potentially be used for personal benefit while amortizing the damage to target hosts. For instance, such worms could be used to monitor traffic on supposedly secure intranets, perform distributed computations, and serve as backbones for relaying of unsolicited e-mail. More forward-thinking worm designers could design their worms to map the Internet infrastructure, returning information not only about topology but about operating system and server software versions, allowing rapid location of vulnerable servers by future worm attacks. In addition, if it remained undetected for a sufficiently long time, an existing worm infestation could be used as a network by which viruses could be rapidly and surreptitiously inserted into computers, thus creating a network of machines infected by multiple viruses, making detection and eradication more difficult. Recent research has raised the possibility of designing smarter worms based on stealth techniques like slow attack, polymorphism, long incubation periods, knowledge of network topology and wormnets. In this project, we explore stealth techniques with the aim of creating the “perfect” insidious worm. In order to quantitatively evaluate the effectiveness of these techniques, we define a formal system which includes not only the network penetration of the worm but the amount of suspicious traffic it creates, allowing us to simulate network-based detection systems. Next, we discuss various methods for avoiding detection while still being effective in terms of the resulting penetration of the infection. Finally, we present simulation results to evaluate the relative merits of the stealth methods. In Section 2 we discuss previous work in the area. Then, in Section 3, we describe the policy underlying our experimental approach. We discuss technical aspects of our implementation in Section 4, and present our experiments and their results in Section 5. Finally, the conclusions we drew from our study, and potential for future study in this area, are presented in Section 7.