Skip to main content
SpringerLink
Log in

Toward a Framework for Forensic Analysis of Scanning Worms

  • Conference paper
Emerging Trends in Information and Communication Security (ETRICS 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3995))

Abstract

Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of their target victims, building a global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s) and which leaves consist of susceptible machines becoming infected. Besides, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Eeye Digital Security: Sapphire Worm Code Disassembled (2003), http://www.eeye.com/html/Research/Flash/sapphire.txt

  2. Hamadeh, I., Kesidis, G.: Performance of IP address fragmentation strategies for DDoS Traceback. In: The Proceedings IEEE Workshop on IP Operations and Management (IPOM) (2003)

    Google Scholar 

  3. Kumar, A., Paxson, V., Weaver, N.: Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event. In: The Proceedings of ACM IMC (2005)

    Google Scholar 

  4. Lehmer, D.H.: Mathematical methods in large-scale computing units. In: The Proceedings of the 2nd Symposium on Large-Scale Digital Calculating Machinery (1951)

    Google Scholar 

  5. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: The Spread of the Sapphire/Slammer Worm. The Cooperative Association for Internet Data Analysis (2003), http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

  6. Murphy, M.: ISS PAM/ICQ Witty Worm Analysis (2004), http://www.netsecure.shawbiz.ca/witty-analysis.html

  7. University of Michigan Internet Motion Sensor, http://ims.eecs.umich.edu/index.html

  8. University of Wisconsin-Madison Advanced Internet Laboratory, http://wail.cs.wisc.edu/

  9. Cooperative Association for Internet Data Analysis (CAIDA).UCSD Network Telescope, http://www.caida.org/analysis/security/telescope/

  10. Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical Network Support for IP Traceback. In: The Proceedings ACM SIGCOMM (2000)

    Google Scholar 

  11. Shannon, C., Moore, D.: The Spread of the Witty Worm. The Cooperative Association for Internet Data Analysis (2004), http://www.caida.org/analysis/security/witty/

  12. Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-Based IP Traceback. In: The Proceedings ACM SIGCOMM (2001)

    Google Scholar 

  13. Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time (2002)

    Google Scholar 

  14. Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: GrIDS - A Graph Based Intrustion Detection System for Large Networks. In: The Proceedings of the 19th National Information Systems Security Conference (1996)

    Google Scholar 

  15. Staniford, S.: Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security (2004)

    Google Scholar 

  16. Weaver, N., Hamadeh, I., Kesidis, G., Paxson, V.: Preliminary results using scale-down to explore worm dynamics. In: The Proceedings of the ACM CCS workshop on Rapid malcode (2004)

    Google Scholar 

  17. Whyte, D., Kranakis, E., Van Oorschot, P.C.: DNS-based Detection of Scanning Worms in an Enterprise Network. In: Network and Distributed System Security Symposium (2005)

    Google Scholar 

  18. Williamson, M.M.: Throttling Viruses: Restricting Propagation to Defeat Mobile Malicious Code. In: The Proceedings of the 18th (2002)

    Google Scholar 

  19. Xie, Y., Sekar, V., Maltz, D., Reiter, M., Zhang, H.: Worm Origin Identification Using Random Moonwalks. In: The Proceedings of the IEEE Symposium on Security and Privacy (2005)

    Google Scholar 

  20. Zou, C., Gong, W., Towsley, D.: Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. In: The Proceedings of the ACM CCS workshop on Rapid malcode (2003)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, Department of Electrical Engineering, Pennsylvania State University, University Park, PA, 16802, USA

    Ihab Hamadeh & George Kesidis

Authors
  1. Ihab Hamadeh
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. George Kesidis
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institut für Informatik und Gesellschaft, Abt. Telematik, Albert-Ludwigs-Universität Freiburg, Friedrichstr. 50, 79098, Freiburg, Germany

    Günter Müller

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hamadeh, I., Kesidis, G. (2006). Toward a Framework for Forensic Analysis of Scanning Worms. In: Müller, G. (eds) Emerging Trends in Information and Communication Security. ETRICS 2006. Lecture Notes in Computer Science, vol 3995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11766155_20

Download citation

  • DOI: https://doi.org/10.1007/11766155_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34640-1

  • Online ISBN: 978-3-540-34642-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation