Abstract
Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of their target victims, building a global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s) and which leaves consist of susceptible machines becoming infected. Besides, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Eeye Digital Security: Sapphire Worm Code Disassembled (2003), http://www.eeye.com/html/Research/Flash/sapphire.txt
Hamadeh, I., Kesidis, G.: Performance of IP address fragmentation strategies for DDoS Traceback. In: The Proceedings IEEE Workshop on IP Operations and Management (IPOM) (2003)
Kumar, A., Paxson, V., Weaver, N.: Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event. In: The Proceedings of ACM IMC (2005)
Lehmer, D.H.: Mathematical methods in large-scale computing units. In: The Proceedings of the 2nd Symposium on Large-Scale Digital Calculating Machinery (1951)
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: The Spread of the Sapphire/Slammer Worm. The Cooperative Association for Internet Data Analysis (2003), http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
Murphy, M.: ISS PAM/ICQ Witty Worm Analysis (2004), http://www.netsecure.shawbiz.ca/witty-analysis.html
University of Michigan Internet Motion Sensor, http://ims.eecs.umich.edu/index.html
University of Wisconsin-Madison Advanced Internet Laboratory, http://wail.cs.wisc.edu/
Cooperative Association for Internet Data Analysis (CAIDA).UCSD Network Telescope, http://www.caida.org/analysis/security/telescope/
Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical Network Support for IP Traceback. In: The Proceedings ACM SIGCOMM (2000)
Shannon, C., Moore, D.: The Spread of the Witty Worm. The Cooperative Association for Internet Data Analysis (2004), http://www.caida.org/analysis/security/witty/
Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-Based IP Traceback. In: The Proceedings ACM SIGCOMM (2001)
Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time (2002)
Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: GrIDS - A Graph Based Intrustion Detection System for Large Networks. In: The Proceedings of the 19th National Information Systems Security Conference (1996)
Staniford, S.: Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security (2004)
Weaver, N., Hamadeh, I., Kesidis, G., Paxson, V.: Preliminary results using scale-down to explore worm dynamics. In: The Proceedings of the ACM CCS workshop on Rapid malcode (2004)
Whyte, D., Kranakis, E., Van Oorschot, P.C.: DNS-based Detection of Scanning Worms in an Enterprise Network. In: Network and Distributed System Security Symposium (2005)
Williamson, M.M.: Throttling Viruses: Restricting Propagation to Defeat Mobile Malicious Code. In: The Proceedings of the 18th (2002)
Xie, Y., Sekar, V., Maltz, D., Reiter, M., Zhang, H.: Worm Origin Identification Using Random Moonwalks. In: The Proceedings of the IEEE Symposium on Security and Privacy (2005)
Zou, C., Gong, W., Towsley, D.: Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. In: The Proceedings of the ACM CCS workshop on Rapid malcode (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hamadeh, I., Kesidis, G. (2006). Toward a Framework for Forensic Analysis of Scanning Worms. In: Müller, G. (eds) Emerging Trends in Information and Communication Security. ETRICS 2006. Lecture Notes in Computer Science, vol 3995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11766155_20
Download citation
DOI: https://doi.org/10.1007/11766155_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34640-1
Online ISBN: 978-3-540-34642-5
eBook Packages: Computer ScienceComputer Science (R0)