
The Propagation Model and Analysis of Worms

Together with Anti-worms

BAI-LING WANG1, XIAO-CHUN YUN, BIN-XING FANG

Research Center of Computer Network and Information Security Technology

Harbin Institute of Technology, Harbin 150001

CHINA

Abstract: Several anti-worms have been released to kill worms and recover infected machines, but in the absence of a theoretical model and corresponding experiments they have tended to aggravate the epidemic instead of relieving it. This paper describes an action-based taxonomy of Internet worms. Based on the taxonomy, we propose a general propagation model for worms together with anti-worms, and then simulate and analyze the propagation of the worm MSBlaster together with Welchia as a case study. Finally, a fast anti-worm with low traffic load is proposed and compared with Welchia for containing MSBlaster. This paper leads to a better understanding and prediction of the scale and speed of Internet worm spreading together with its anti-worm.

Key-Words: computer security; action-based taxonomy; friendly worm; worm propagation model


1   Introduction

A worm propagates through the network and attacks a vulnerability in widely used software, exhausting network resources. Since the first worm was created in 1988 [1], the security threat posed by worms has steadily increased, especially in the last three years. The Code Red and Nimda worm incidents of 2001 showed how vulnerable our networks are and how fast a worm can spread.

Internet worms are hard to control because the Internet is so open, complex and immense that there is no way to know or control all the hosts connected to it. If such uncontrolled hosts are infected, the worms will stay on them and attack other hosts for a long period. So the key to controlling Internet worms is to find a way to recover those uncontrolled hosts.

Recently, some researchers have begun to study active countermeasures using anti-worms, which can be sent to remote hosts to recover them actively. Typical examples are as follows:

· 2001: the worm Cheese was released onto the Internet against the worm LiOn.

· 2001: the worms CodeGreen and CRClean were developed against the worm CodeRed, but neither of them was released onto the Internet.

· 2003: the worm Welchia was released onto the Internet against the worm MSBlaster.

But the results have not been perfect. In particular, Welchia caused massive loss and had a high impact on the Internet. There has been no successful and influential case of worm countermeasure so far, due to the absence of a theoretical model and the corresponding experiments.

2   Related Work

The first well-known Internet worm was Morris, which self-propagated across the network by exploiting security vulnerabilities in host software. Morris is the modern archetype of contemporary Internet worms; it infected several thousand hosts and disrupted Internet-wide communication because of its high growth rate [2].

Research on Internet worms became really active after the Code Red worm was released. Daley and Gani provide a simple epidemic model, which assumes that each host stays in one of two states: susceptible or infectious. The model further assumes that once a worm infects a host, the host stays infectious forever, so a host has only one possible state transition: “susceptible → infectious” [3]. Frauenthal's K-M (Kermack-McKendrick) epidemic model considers the removal of infectious hosts [4]: during the epidemic some infectious hosts either recover or die, and once a host dies or recovers from the disease it is immune forever. Chen presents a mathematical model, referred to as the Analytical Active Worm Propagation (AAWP) model, which characterizes the propagation of worms that employ random scanning [5]. Moore and Shannon published an empirical analysis of Code Red's growth, repair and geography based on probes observed at a dedicated class A network [6]. Song et al. reproduced parts of this study and further distinguished between different simultaneously active worms [7].

None of this research has considered the propagation of two or more worms together, such as LiOn together with Cheese or MSBlaster together with Welchia. Our work fills this gap. We are interested in the following questions: What do the curves look like when two or more kinds of worms interact with each other on the Internet at the same time? Can we contain worms on the Internet using what the anti-worms teach us?

3   A Taxonomy of Internet Worms

To understand the threat posed by Internet worms and the effective countermeasures for containing them, it is necessary to make the classes of worms clear. In this section we construct a preliminary taxonomy based on the worm's actions.

Definition 1 Worm: A worm is a program that can run by itself and can propagate a fully working version of itself to other machines [8].

According to the definition, a worm has two basic properties, which can be described as follows:

Class worm {
    Property propagation;
    Property self-replicating;
}

Definition 2 Vicious Worm: A vicious worm (Vworm) is a program that can run by itself and can propagate a fully working version of itself to other machines, but whose purpose is to waste communication and computing resources or to steal information from computers on the Internet.

A Vworm has some more “virtual properties” than a plain worm, described as follows:

Class vicious_worm : public worm {
    Virtual Property hiding;
    Virtual Property destroying;
}

Note that a “virtual property” is one a Vworm may or may not have. So a Vworm is a kind of worm that may have some extra “virtual properties”. For example, the worm Nimda is a Vworm with the destroying property: it adds scripts to web files (.html or .asp files) in order to propagate. The worm Code Red is a Vworm without any extra virtual properties.

According to the difference in the “destroying” property, we divide Vworms into two classes: the worm that closes the vulnerability of the infected host after entering it (CVworm) and the worm that does not close the vulnerability (NVworm).

Definition 3 Friendly Worm: A friendly worm (Fworm) is a program that can run by itself and can propagate a fully working version of itself to other machines, but whose purpose is to recover vulnerable hosts and to kill the vicious worm.

An Fworm has two extra properties and one overriding property, described as follows:

Class friendly_worm : public worm {
    Property propagation;
    Property countermeasure;
    Property self-killing;
}

According to the different countermeasures against different Vworms, we divide Fworms into two kinds: the worm that patches susceptible hosts (SFworm) and the worm that recovers infected hosts (IFworm); see Definitions 4 and 5. Note that the recovering action includes both killing the Vworm and patching the vulnerability.

Definition 4 SFworm: An SFworm is a sort of Fworm that patches susceptible hosts as its countermeasure, so that the host can never be infected by the Vworm. An SFworm enters susceptible hosts through the same entry point as the Vworm.

Definition 5 IFworm: An IFworm is a sort of Fworm, such as the worm Cheese. It kills the Vworm and patches the infected host, so that the host can never be infected by the Vworm again. An IFworm enters infected hosts through the new backdoor that the Vworm leaves behind after entering.

As described above, if an Fworm (SFworm or IFworm) inherits the same propagation method from worm, it has the same properties as a Vworm, and we then name it a “Failing Fworm (FFworm)”. The worm Welchia is an FFworm: it propagates in the same way as the Vworm MSBlaster, and it has caused even more loss than MSBlaster. We therefore propose the action-based worm taxonomy shown in Fig. 1.

Fig.1 Action-based worm taxonomy

Based on the taxonomy, an IFworm is sent out to contain a CVworm and an SFworm is used to patch the susceptible hosts. If the Vworm does not close the vulnerability after entering the hosts (an NVworm), an IFworm, which in this case is the same as an SFworm, is sent out both to patch the susceptible hosts and to contain the Vworm on the infected hosts.

4   Simulation Of MSBlaster Together With Welchia

4.1   Description of simulation model

In the simulation, we model the propagation of a Vworm together with an Fworm. From the Vworm's point of view, SFworms and IFworms remove some hosts from the spreading circulation, both hosts that are already infected and hosts that are still susceptible. In other words, the removal process consists of two parts: removal of infected hosts and removal of susceptible hosts. We give some definitions before describing the model in detail.

Definition 6 Susceptible Host: Suppose a host has a vulnerability that a worm can exploit to enter it; if the Vworm has not yet infected it, the host is in the susceptible state.

Definition 7 Immune Host: Suppose a host has a vulnerability that a worm can exploit to enter it; if an Fworm patches the host before the Vworm enters it, the host is in the immune state after being patched.

Definition 8 Recovered Host: Suppose a host has been infected by a Vworm; if an Fworm kills the Vworm and patches the host, the host is in the recovered state afterwards. A recovered host differs from an immune host in its original state.

Definition 9 Infected Host: Suppose a host has been infected by a Vworm, whether or not the worm closed the backdoor or the vulnerability behind it (as the worm LiOn does); the host is in the infected state. That means the host is probing, or will probe, other hosts.

A host is in one of four states at any time: susceptible, infected, immune and recovered. There are two practical state transition flows. First, if the vicious worm is a CVworm, which closes the vulnerability after entering vulnerable hosts, an IFworm is sent out to contain the CVworm and an SFworm is sent out to patch the susceptible hosts. Thus the state transition of any host is either “susceptible → infected → recovered” or “susceptible → immune”, as shown in Fig. 2. Second, if the vicious worm is an NVworm, which does not close the vulnerability after infecting a susceptible host, an IFworm is sent out both to contain the Vworm and to patch the vulnerable hosts. The state transitions are the same as above, except that in this situation the IFworm also plays the role of the SFworm.

4.2   Simulation experiments

In this part, we simulate the propagation of MSBlaster (an NVworm) together with Welchia (a failing Fworm). The system in our simulation consists of M hosts that can reach each other directly, so there is no topology issue in the simulation.

Each copy of the worm MSBlaster on an infected host begins infection at an address either based on the local machine's IP address or chosen completely at random, and then attempts to infect sequential IP addresses endlessly. Each time a host is infected, there is a 40% chance that the copy starts at the first address of its "Class C"-size subnet (x.x.x.0), and a 60% chance that it starts at a completely random IP address with the last octet set to 0 ([1-254].[0-253].[0-253].0). If the starting address is based on the local address and the third octet is greater than 20, the third octet is reduced by a random number between 0 and 19. After successfully entering a vulnerable host, the worm Welchia scans for the MSBLAST.EXE file, terminates it and finally deletes it. It then scans the Windows system folders and looks for downloaded patches. If the patch against the DCOM RPC vulnerability has not been installed, Welchia initiates the download. Once the patch is successfully downloaded and executed, the worm reboots the computer to complete the installation.
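The start-address rule above is worth seeing as code, because it explains why MSBlaster's scanning is so strongly local. The following is an added example written for this page, not code from the paper or from the worm itself; it assumes a pure function that takes the random draws as explicit arguments (so that the choice is reproducible) and a thin wrapper that draws them from a random generator, and it models the sequential walk as a plain 32-bit increment.

```python
import random


def blaster_start_address(local_ip, roll, backoff, random_octets):
    """Pick the address at which a fresh MSBlaster copy begins its sequential scan.

    Pure form of the rule described above (added here for illustration):
      roll          - uniform draw in [0, 1); below 0.4 the local /24 is used
      backoff       - uniform draw in 0..19, subtracted from the third octet
                      of a local start when that octet exceeds 20
      random_octets - (a, b, c) drawn from [1-254].[0-253].[0-253] for the
                      random-start case
    """
    a, b, c, _ = (int(x) for x in local_ip.split("."))
    if roll < 0.4:
        if c > 20:
            c -= backoff          # back off into a lower neighbouring /24
        return f"{a}.{b}.{c}.0"
    ra, rb, rc = random_octets
    return f"{ra}.{rb}.{rc}.0"


def random_blaster_start(local_ip, rng=random):
    """Draw the random inputs and apply the rule, as an infected host would."""
    return blaster_start_address(
        local_ip,
        rng.random(),
        rng.randint(0, 19),
        (rng.randint(1, 254), rng.randint(0, 253), rng.randint(0, 253)),
    )


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def sequential_targets(start, count):
    """The next `count` addresses a copy probes: the worm walks upward from the
    start address one address at a time (endlessly; truncated here to `count`)."""
    base = ip_to_int(start)
    return [int_to_ip((base + i) & 0xFFFFFFFF) for i in range(count)]


if __name__ == "__main__":
    rng = random.Random(7)        # seeded so the demonstration is repeatable
    start = random_blaster_start("10.1.50.7", rng)
    print("start address:", start)
    print("first probes:", sequential_targets(start, 5))
```

With a local start the third octet can only move downward by at most 19, so a single infected host concentrates its early probes on the /24s immediately below its own, which is why the worm shows up first in address-adjacent networks.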

We simulate two scenarios. In the first, MSBlaster propagates without any countermeasure, and there are two states in the model: susceptible and infected. The state transition of a vulnerable host is then “susceptible host → infected host”. In the second scenario, we simulate the propagation when the worm Welchia is sent out to contain the worm. As mentioned above, Welchia kills MSBlaster if it exists on the vulnerable host and then patches the host. So the state transitions of a vulnerable host are “susceptible host → infected host → recovered host” and “susceptible host → immune host”.

For comparison, we plot the simulation results of the two scenarios in Fig. 3. (We suppose that 0.04 percent of all hosts are initially infected with MSBlaster, that 0.03 percent of all hosts are initially infected with Welchia in the second scenario, and that the worms scan at an average rate of 4 scans/s.)
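To make the two scenarios concrete, here is a small discrete-time Monte Carlo version of the model described above. It is an added example written for this page, not the authors' simulator; it assumes M mutually reachable hosts, uniformly random scanning by both worms at 4 scans per time step (the paper's "no topology" setting; the real Welchia prefers nearby addresses), and a seed population of 2 MSBlaster and 2 Welchia hosts, which is roughly 0.04 percent of the 5000 hosts used. Within a step the Vworm's probes are processed before the Fworm's, so the state counts are exact at step boundaries only.

```python
import random

SUSCEPTIBLE, INFECTED, IMMUNE, RECOVERED = range(4)


def counts(state):
    """(susceptible, infected, immune, recovered) host counts for one time step."""
    return tuple(state.count(s) for s in (SUSCEPTIBLE, INFECTED, IMMUNE, RECOVERED))


def simulate(hosts=5000, ticks=40, init_vworm=2, init_fworm=0, scans_per_tick=4, seed=1):
    """Vworm (MSBlaster-like NVworm) together with an IFworm (Welchia-like).

    Every worm copy probes `scans_per_tick` uniformly random hosts per step.
    A Vworm probe converts a susceptible host to infected; an Fworm probe
    converts a susceptible host to immune and an infected host to recovered.
    Immune and recovered hosts run the Fworm, so they keep scanning; they are
    patched, so the Vworm can no longer enter them. Returns one counts() tuple
    per step, step 0 included. Seeded for reproducibility (assumption of the
    example, not of the paper).
    """
    rng = random.Random(seed)
    state = [SUSCEPTIBLE] * hosts
    ids = list(range(hosts))
    rng.shuffle(ids)
    for h in ids[:init_vworm]:
        state[h] = INFECTED
    for h in ids[init_vworm:init_vworm + init_fworm]:
        state[h] = IMMUNE          # seeded Fworm copies start on patched hosts
    history = [counts(state)]
    for _ in range(ticks):
        vworm_hosts = [h for h in range(hosts) if state[h] == INFECTED]
        fworm_hosts = [h for h in range(hosts) if state[h] in (IMMUNE, RECOVERED)]
        for _src in vworm_hosts:                  # Vworm probes
            for _ in range(scans_per_tick):
                t = rng.randrange(hosts)
                if state[t] == SUSCEPTIBLE:
                    state[t] = INFECTED
        for _src in fworm_hosts:                  # Fworm probes
            for _ in range(scans_per_tick):
                t = rng.randrange(hosts)
                if state[t] == SUSCEPTIBLE:
                    state[t] = IMMUNE
                elif state[t] == INFECTED:
                    state[t] = RECOVERED          # Vworm killed, host patched
        history.append(counts(state))
    return history


def worm_load(history):
    """Hosts running any worm at all (Vworm or Fworm) per step: the traffic source."""
    return [i + imm + rec for (_, i, imm, rec) in history]


def first_tick(series, predicate):
    """Index of the first step whose entry satisfies predicate, or None."""
    for t, entry in enumerate(series):
        if predicate(entry):
            return t
    return None


if __name__ == "__main__":
    base = simulate(init_fworm=0)     # scenario 1: MSBlaster alone
    both = simulate(init_fworm=2)     # scenario 2: MSBlaster together with Welchia
    print("step  S/I (no countermeasure)   S/I/immune/recovered (with Fworm)   total worm hosts")
    for t, (b, w) in enumerate(zip(base, both)):
        print(f"{t:4d}  {b[0]:5d}/{b[1]:5d}                {w[0]:5d}/{w[1]:5d}/{w[2]:5d}/{w[3]:5d}"
              f"                 {b[1]:5d} vs {w[1] + w[2] + w[3]:5d}")
```

The quantity to watch is `worm_load`: in the second scenario the infected count peaks and then falls to zero as Welchia cleans hosts, but the number of hosts emitting scans reaches M no later than MSBlaster alone does, which is the "sum proportion" curve of Fig. 3 in miniature.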

Comparing the simulation curves in Fig. 3, we observe that after Welchia is sent out, the proportion of hosts infected with MSBlaster increases first and decreases after time t = 10, because from then on Welchia recovers more hosts per unit time than MSBlaster newly infects. The total number of hosts running either worm is larger than in the original situation without Welchia, and it reaches its maximum earlier, as can be seen from the curve “sum proportion of Welchia and MSBlaster” and the curve “proportion of MSBlaster without any countermeasure”.

This shows that the worm epidemic becomes more serious after Welchia is sent out.

5   Two new worm propagation models

An Fworm is also a worm, and it brings extra traffic load to the network if it gets out of control, just like Welchia. So we have to set up a numerical model to evaluate the situation under the countermeasure. In this part we investigate the numerical model of propagation further, based on the simulation above. With the numerical model, we can forecast the worm epidemic situation both with and without an active countermeasure.