Combating Internet Worms

In recent years, not only has the number of network and computer attacks been on the rise, but also the level of complexity and sophistication with which they strike. The most common and perhaps most damaging of these attacks are called worms. Worms are malicious programs written to exploit vulnerabilities within an operating system or an application environment and to then automatically seek out and find other vulnerable hosts to exploit and infect with the worm code. The worms travel rapidly affecting all neighboring systems of the initially infected host. This exponential propagation induces a large amount of network traffic that overwhelms bandwidth and system resources making applications and network services slow or even unavailable. Some worms also contain payloads including additional code to further exploit the host such as data modification (a web page) or thief of information.

Network worms and viruses have existed for well over 20 years. One of the first and famous worm programs to impact the Internet was the Morris Worm in November of 1988. This worm exploited vulnerabilities in the finger and sendmail programs. At that time the Internet consisted of approximately 60,000 hosts. This worm infected approximately 10% of the hosts and caused significant outages and slowdowns of mail servers across the net. In July of 2001 a new worm infection appeared that would significantly raise awareness of the threat posed by these malicious software programs along with the dramatic landscape change of the Internet.

An estimated 650 million hosts are today connected to the Internet hence a fundamental shift in the potential number of participants to propagate a worm. CodeRed spread quickly and became the most widespread and damaging worm to hit the Internet since the Morris Worm. An estimated total of 360,000 hosts were infected within a period of 14 hours. Two months after CodeRed another large-scale worm named NIMDA (ADMIN spelled backwards) impacted the Internet. More recently, the Internet saw the appearance of a new type of worm that infected the Internet at such a high rate that it was classified as a flash worm. The fast scanning rate of SQL Slammer in January 2003 was achieved because of its small size (single packet of 376 byte) as well as the fact that the worm was not TCP but UDP based (connectionless). SQL Slammer reached its full scanning rate of 55 million scans/sec within 3 minutes of the start of the infection and infected the majority of vulnerable hosts on the Internet within 10 minutes of the start of the infection with an estimated 250,000 – 300,000 infected hosts overall. Summer 2003 witnessed the infamous Blaster and January 2004 was the turn of MyDoom to impact Internet users.

While the underlying exploits used to achieve access to the target hosts varied between these worms the methods and technologies used to mitigate and contain the infection remained the same. In order to protect the network from these threats, the security system must be able to protect and react against both known and unknown attacks. This calls for an integrated security solution that is both flexible and pervasive, providing tighter collaboration between network services, security services, hosts, applications, management and business processes. As worms typically invade an environment in a multi-phased approach, this layered structure is an effective way to protect networks from these threats.

There are six steps involved in a worm mitigation methodology, in order: preparation, identification, classification, trace back, reaction, and post-mortem. The reaction phase can broken down into containment, inoculation, quarantine, and treatment. Worm mitigation requires coordination between system administration, network engineering, and security operations personnel. This is critical in responding effectively to a worm incident. The containment phase involves the limiting of the spread of a worm infection to those areas of the network already affected. With the worm infection contained, or at the least, significantly slowed down, the inoculation process further deprives the worm of any available targets.

The mobile environment prevalent on networks today poses significant challenges since laptops are routinely taken out of the “secure” environment and connected to potentially “insecure” environments such as home networks. A laptop can be infected with a worm or virus and then bring it back into the “secure” environment where it can infect other systems. The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing the infected machines. This isolates these systems appropriately for the final phase. During the treatment phase actively infected systems are disinfected of the worm. This can involve simply terminating the worm process and removing any modified files or system settings that the worm introduced, and patching for the vulnerability the worm used to exploit the system. In other cases a complete re-install of the system may be warranted in order to confidently ensure that the worm and its byproducts are removed.