(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 4, April 2012
The computer worm is activated on the vulnerable host and then spreads quickly. This classification can be divided into 4 sub-classifications, as follows:
This kind of worm becomes active if the user executes the local copy of the worm. Usually, the worm involves some social engineering techniques to deceive the user.
Human activity-based activation:
the computer worm becomes active when the user performs an activity that is not normally related to a worm.
Scheduled process activation:
worms activate themselves through scheduled system processes.
IV.
There are many ways for a computer worm to avoid detection systems. This paper classifies worms into 5 categories based on their defense technique, which are: monomorphic, polymorphic, metamorphic, and polymorphic exploitation.
Figure 3. Worm classification based on how the worm defends itself
Monomorphic: the worm always sends the same infection attempt and never changes its code.
Polymorphic: changing a worm's binary code by using an encryption technique while keeping the original worm code intact. The decrypted worm body is unchanged, while the worm, as it replicates itself, takes millions of different forms by modifying its encryption.
Metamorphic: a worm using this technique is more difficult to detect than a monomorphic or even a polymorphic one. A metamorphic worm has the capability to make a new generation in the target place in which the code is modified.
Polymorphic exploitation: it consists of two attempts, exploit and payload. Here exploit means mutating unimportant bytes while still keeping some bytes complete, whereas payload means that the body of the worm can be changed through polymorphic or metamorphic worm code.
V.
To protect our system from computer worm attacks, we need to know what the user should do about this threat. There are two ways for the user to defend against a worm attack:
Figure 4. Classification based on user defense
It is used to find the activities of internet worms. Detection methods can be classified into two parts, which are: signature-based and anomaly-based.
Signature-based: it is commonly used in intrusion detection systems (IDSs). The patterns or habits of the worms have been modeled, so all that needs to be done is to match the signature of the suspicious file against the signatures listed in the database system.
Anomaly-based: this method is used to indicate the models of normal network or program behavior. An alarm is raised when anomalous behavior is detected.
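The two detection approaches above, side by side, as an added example that is not from the paper. The signature pattern, host addresses, baseline counts and XOR encoder are constructed for illustration, and the anomaly feature (distinct destinations contacted per minute, alarm above mean plus three standard deviations) is an assumption.

```python
import statistics

# Constructed signature database: name -> byte pattern (not a real signature).
SIGNATURES = {"demo-worm-A": b"\x90\x90DEMO_WORM_BODY"}

def signature_match(payload: bytes):
    """Signature-based: names of listed signatures found in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in payload]

def build_baseline(history):
    """Anomaly-based: model normal behaviour as mean/stdev of distinct
    destinations contacted per host per minute."""
    return statistics.mean(history), statistics.pstdev(history)

def is_anomalous(distinct_dests, baseline, k=3.0):
    """Alarm when the observation exceeds mean + k standard deviations."""
    mean, stdev = baseline
    return distinct_dests > mean + k * max(stdev, 1.0)

def xor_encode(body: bytes, key: int) -> bytes:
    """Stand-in for a polymorphic wrapper: same body, different bytes per key."""
    return bytes(b ^ key for b in body)

def analyse(events, baseline):
    """events: (host, payload, distinct destinations in the last minute)."""
    alerts = []
    for host, payload, dests in events:
        sig = signature_match(payload)
        anom = is_anomalous(dests, baseline)
        if sig or anom:
            alerts.append((host, sig, anom))
    return alerts

# Constructed sample traffic.
BODY = SIGNATURES["demo-worm-A"]
BASELINE = build_baseline([3, 5, 4, 6, 2, 5, 4, 3])      # normal hosts
EVENTS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1", 4),         # benign
    ("10.0.0.7", b"hdr" + BODY, 180),                     # monomorphic copy
    ("10.0.0.9", b"hdr" + xor_encode(BODY, 0x5A), 210),   # re-encoded copy
    ("10.0.0.11", b"hdr" + BODY, 3),                      # known bytes, not scanning yet
]

if __name__ == "__main__":
    for alert in analyse(EVENTS, BASELINE):
        print(alert)
```

The re-encoded copy slips past the byte signature but is still flagged by its scanning rate, while the host that has not started scanning is caught only by the signature.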
Defense Against Nasty Worm
1) An ethical worm is sometimes called a white worm. It does not behave like an ordinary worm; instead it helps the user to overcome the problem caused by the black worm. Ethical worms are able to fix problems by applying patches or hardening configuration settings before a malicious worm takes over the system.
Keeping the antivirus up to date will help the system to fight a large number of worm species.
Deploy vendor patches and harden publicly accessible systems: making sure that the security team has the resources necessary to test all patches before rolling them into production.
VI. CONCLUSION
This paper has shown that the computer worm is not simple. To make it easier to understand, this paper attempted to classify worms based on 4 main things: worm structure, worm attack, worm defense, and user defense. Studying this worm classification helps us to understand more clearly the worm itself, including how worms act and how to fight them.