FIRST - Improving Security Together 18th Annual FIRST Conference - June 2006 - Baltimore, Maryland

Worm Poisoning Technology and Application







Conference Schedule

Technical Track

Friday – June 30th, 14:00

The current strategy against Internet worms resembles catching mice with a mousetrap: clamp whatever mouse happens to pass and never release it until it dies. That is less effective than spreading a pest-control poison through a cockroach colony. A poisoned cockroach is not expected to die at once; the hope is that it returns to the nest and contaminates the others, so that the pests are killed at an exponential rate.

The theory of Worm Poisoning follows the same principle as pest-toxicant design: the PoisonWorm plays the role of the toxicant, and a poisoned worm plays the role of the contaminated pest.

Worm Poisoning (also called Worm Spoofing) is a newly developed technology for worm containment. It tricks malicious worms into spreading an irrelevant file or code through their own propagation mechanisms. The worm that poisons others and propagates by means of the poisoned worms is called a PoisonWorm. A PoisonWorm is therefore a special worm with an active motivation to spread but without any self-propagating capability of its own; it acquires the ability to spread only when some other malicious worm breaks out. It reduces the negative influence of the malicious worm gradually, and it places no extra burden on the Internet or on its host. A proof-of-concept PoisonWorm has been built and tested successfully using the MSBlaster, Sasser, Mydoom and Netsky worms as the poisoned worms, which demonstrates the feasibility of the idea. A PoisonWorm shares some characteristics with an anti-worm (also called a good worm) but differs from it in essential ways.

In this paper, the concepts of Worm Poisoning and the PoisonWorm are presented, and the feasibility of Worm Poisoning is demonstrated with emphasis. A propagation model called SIRP and the side effects of a PoisonWorm on network traffic are given and compared with the classical Kermack-McKendrick epidemic model. We highlight the feasibility and necessity of the PoisonWorm and its application in an active defense system against Internet worms. The technology of P2P-based unknown-worm detection and signature verification is also briefly introduced.
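The abstract only names the SIRP model and the Kermack-McKendrick baseline; the equations themselves are not on this page. The following is an added example, not code from the paper: a forward-Euler integration of the classical Kermack-McKendrick SIR model, beside a hypothetical extension that encodes the behaviour the abstract describes (the PoisonWorm cannot spread on its own, it is activated when the malicious worm reaches a seeded host, and an activated host then uses the worm's own mechanism to convert other infected hosts). The compartments D and P, the rate alpha, and all parameter values are assumptions chosen for illustration; the extension should not be read as the paper's SIRP model.

```python
"""Compartment models for worm spread with and without poisoning.

Added example, not code from the paper: a forward-Euler integration of the
classical Kermack-McKendrick SIR model that the abstract compares against,
beside a hypothetical extension that encodes the PoisonWorm behaviour the
abstract describes. The extension is an assumption for illustration, not the
paper's SIRP model, whose equations are not given on this page.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    peak_infected: float    # highest number of hosts running the malicious worm
    peak_step: int          # integration step at which that peak occurred
    never_infected: float   # hosts the malicious worm never reached
    total: float            # sum of all compartments at the end (conservation check)


def simulate_sir(n, i0, beta, gamma, steps, dt=0.1):
    """Classical Kermack-McKendrick SIR model.

    beta : infectious contacts per infected host per unit time
    gamma: removal (cleanup/patch) rate of infected hosts
    """
    s, i, r = float(n - i0), float(i0), 0.0
    peak, peak_step = i, 0
    for step in range(1, steps + 1):
        new_inf = beta * s * i / n * dt      # S -> I
        removed = gamma * i * dt             # I -> R
        s -= new_inf
        i += new_inf - removed
        r += removed
        if i > peak:
            peak, peak_step = i, step
    return Outcome(peak, peak_step, s, s + i + r)


def simulate_poisoned(n, i0, seed_frac, beta, gamma, alpha, steps, dt=0.1):
    """Hypothetical SIR-plus-poisoning model (an assumption, not the paper's SIRP).

    Compartments:
      S: clean host, no PoisonWorm      D: clean host seeded with a dormant PoisonWorm
      I: running the malicious worm     P: worm hijacked, now spreading the poison
      R: removed (cleaned up)
    Transitions per unit time:
      S -> I at beta*S*I/N    the worm infects an unseeded host
      D -> P at beta*D*I/N    the worm infects a seeded host and activates the poison
      I -> P at alpha*I*P/N   a poisoned host reaches an infected host via the worm's mechanism
      I -> R, P -> R at gamma cleanup at the same rate for both
    D and P never infect S: the PoisonWorm has no self-propagating capability.
    """
    d = n * seed_frac
    s = n - d - i0
    i, p, r = float(i0), 0.0, 0.0
    peak, peak_step = i, 0
    for step in range(1, steps + 1):
        worm_to_s = beta * s * i / n * dt
        worm_to_d = beta * d * i / n * dt
        poisoned = alpha * i * p / n * dt
        removed_i = gamma * i * dt
        removed_p = gamma * p * dt
        s -= worm_to_s
        d -= worm_to_d
        i += worm_to_s - poisoned - removed_i
        p += worm_to_d + poisoned - removed_p
        r += removed_i + removed_p
        if i > peak:
            peak, peak_step = i, step
    return Outcome(peak, peak_step, s + d, s + d + i + p + r)


def compare(n=10_000, i0=10, seed_frac=0.10, beta=0.5, gamma=0.1, steps=1500):
    """Run both models on constructed parameters and return (plain, poisoned).

    alpha is set equal to beta because the poison rides the worm's own spreading
    mechanism (assumption). beta/gamma = 5 is a constructed, fast-spreading worm.
    """
    plain = simulate_sir(n, i0, beta, gamma, steps)
    poisoned = simulate_poisoned(n, i0, seed_frac, beta, gamma, alpha=beta, steps=steps)
    return plain, poisoned


if __name__ == "__main__":
    plain, poisoned = compare()
    for name, o in (("plain SIR", plain), ("with poisoning", poisoned)):
        print(f"{name:15s} peak infected {o.peak_infected:8.1f} at step {o.peak_step:4d}, "
              f"never reached {o.never_infected:8.1f}")
```

In this assumed model the worm's peak is lower and more hosts are never reached, because seeded hosts drop out of the worm's spreading pool as soon as the worm hits them and poisoned hosts actively convert infected ones. That ordering is a property of the assumed transitions, not a result taken from the paper; the deterministic mean-field treatment also ignores scanning traffic and the P2P detection component the abstract mentions.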

Authors & presenters

  • Cui Xiang  Presenter (CNCERT/CC – National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)

  • Wu Bing (CNCERT/CC – National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)

  • Yonglin Zhou (CNCERT/CC – National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)

  • Zou Xin (CNCERT/CC – National Computer Network Emergency Response Technical Team / Coordination Center of China, CN)


 