ABSTRACT
To understand the threat posed by computer worms, it is necessary to understand the classes of worms, the attackers who may employ them, and the potential payloads. This paper describes a preliminary taxonomy based on worm target discovery and selection strategies, worm carrier mechanisms, worm activation, possible payloads, and plausible attackers who would employ a worm.