Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Computer Worm Classification

Computer Worm Classification

Ratings: (0)|Views: 315|Likes:
Published by ijcsis
To find out more the ins and the outs of computer worm, including how the work and how to overcome, it is necessary to study the classification of computer worm itself first. This paper presents taxonomy for classifying worm structure, worm attack, worm defense, and user defense.
To find out more the ins and the outs of computer worm, including how the work and how to overcome, it is necessary to study the classification of computer worm itself first. This paper presents taxonomy for classifying worm structure, worm attack, worm defense, and user defense.

More info:

Published by: ijcsis on May 17, 2012
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No.4, April 2012
Computer Worm Classification
Andhika Pratama
Faculty of EngineeringDian Nuswantoro UniversitySemarang, IndonesiaArjuna_7@rocketmail.com
Fauzi Adi Rafrastara
Master of Information TechnologyPost-Graduate ProgramDian Nuswantoro UniversitySemarang, Indonesiafauziadi@pasca.dinus.ac.id 
To find out more the ins and the outs of computerworm, including how the work and how to overcome, it isnecessary to study the classification of computer worm itself first.This paper presents taxonomy for classifying worm structure,worm attack, worm defense, and user defense.
 Keywords-component; computer worm; computer securityworm classification
The internet has many uses for our life. It helps our work,and gives us some information that we need quickly. Alongwith the vigorous development of the internet, thedevelopment and the spread of malicious code which can harmour data and system in our computer, are becoming even moreunstoppable [1].There are several types of malicious code which has beenavailable in the world, such as: virus, worm, blended threats,time bombs, spyware, adware, stealware, trojans and otherbackdoors [2]. Eventhough there are many interesting thingsthat can be discussed deeply, but this paper will only study onetype of malicious code, called computer worm.The computer worm is a malicious code that spreadthrough internet connection or a local area network (LAN).The computer worm will search a vulnerability host toreplicate itself into that computer and continuously searchanother vulnerability host which can be replicated [2]. Thereare many reasons why the attacker employs the computerworm to attack the vulnerable host. First, to take over vastnumbers of system. Second, to make trackback more difficult.Third, to amplify the damage. The computer worm can be verydangerous for our system, because they take the power of large distributed networks and use it to destroy the network [3]. There are 10 most destructive computer worms [4]:1.
Code Red6.
Melissa Virus7.
SQL Slammer8.
CIHThis paper presents the taxonomy for classifying computerworm into 4 main classifications, which are based on itsstructure, how they attack, how they defense itself fromdetection, and how user fight the computer wormII.
 In its body, computer worm has some important parts, andeach part have their function, such as: infection propagation,remote control and update interface, life-cycle manager,payload, self-tracking.
Figure 1. Worm classification based on its structure
 Infection Propagation
The essential part of the worm is the strategy which is usedby the worm to get control of remote system by transferringitself to a new bud. The worm's author may use any documentformat, script language, and binary or in-memory injectedcode (or a combination of these) to destroy your system. Theattackers deceive the victims to execute the worm by usingsocial engineering techniques [5].
 Remote Control and Update Interface
Remote control is another essential component of thecomputer worm. Here, communication module is theimportant part of remote control, because without this module,
the worm’s author can
not control the worm by sending controlmessage to the worm copies. Next, the function of an updateor plug-in interface is, to update the worm's code oncompromised system. However there is a problem after theattacker compromise with a particular exploitation, it can't beexploited again with the same bud [5].
21http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No.4, April 2012
 Life-Cycle Manager 
The worm’s aut
hor likes to run a variant of a computerworm for a preset period of time. In their life-cycle managercomponents, many worms have bugs and always continue torun and never stop. Then the others patch them to make theworms can continue their life [5].
The code separate from the propagation habits, is limited
 by the attacker’s imagination and the purposes. Different
attackers will bring different payloads to reach their endsdirectly [6].
Some attackers really interest to see how many vulnerablesystems that can be contaminated. They allow others to track the path. Computer worm usually send the informationthrough e-mail about the infected computer to track theirspread. There is a kind of computer worm which deploy a self-tracking module that capable of sending UDP datagram to thehost. And about every 15 infections (this routine was fake), itnever send any information [5].III.
 There are many steps, if the computer worm wants toattack the vulnerable system. We divide this worm attack in 4terms: how to find the target, target space, propagationmethod, and activation. These every term has sub terms whichexplain the way of that term.
Figure 2. Worm classification based on the way to attack 
 How to Find the Target:
Generally computer worm will do searching a set of address to diagnose the vulnerable host. There are two formsof scanning, which are sequential and random. According to anumber of other spreading techniques, scanning wormincluded in a slow spread. There is a combinations of factorwhich make the speed of worm scanning is limited such as thedensity of vulnerable machines, the design of the scanner, theability of edge routers to handle a potentially significantincrease in new, and diverse communication [6,7,8].
Below are the ways of scanning activity doneby computer worm [6,7,8]:
Selective random scan:
worm selects the address asthe target (vulnerable host).
Sequential scan:
once scanning with many vulnerablehosts.
 Hit-list scan:
by creating the target list, and then dosearching the susceptible host.
 Routable scan:
based on the route information in anetwork, worm will scan selectively IP address space. Byusing this routable IP address, worm can propagate quickly,more effectively, and it can also avoid the anti-detectingsystem.
Pre-Generated Target List:
Here, the attacker creates ahit-list of probable victims [6]. There are two groups of hit-listand will be discussed as follows:
Static hit-list:
before a worm is released, static hit-listis created [8].
 Dynamical hit-list:
dynamical hit-list is created inevery contaminated machine [8].
It is very different with scanning that hasbeen discussed before. Scanning is very aggressive to find thetarget, whereas a passive worm, they wait for potential victimsto connect the machine where the worm stay, and then infectthe visitors during the interaction. This way is very hard todetect, because there is no any anomalous traffic during targetfinding [6,8].
Target Space
Target space is very important component of computerworm to attack the vulnerable host efficiently [5,8]. Below arethe explanations of the target space:
worm find the target in the IP address space,and then do propagation in the internet through security flawsin computer [5,8].
P2P worm:
worm find the target in the space of P2Pnetwork through copy of themselves to a shared P2P folder onthe disk [5,8].
 E-mail worm:
worm find the target in the space of email address, and self-propagate through infected emailmessages [8].
 Instant messaging (IM) worm:
worm finds the target inthe space of IM user IDs [8].
Propagation Method 
Exploiting the vulnerability host, this is the way how theinternet worm propagate themselves [8]. Generally there arethree propagation methods that used by worm:
send it-self as part of the infection process.This mechanism is used in self-activating scanning [6,8].
Second channel:
some worms need a secondarycommunication channel to finish the infection. In this case,worm just send a small piece of malicious code to the target[6,8].
the velocity of embedded worm spread isdepends on how the application is used [6].
22http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No.4, April 2012
The computer worm is activated on the vulnerability hostand then spread quickly [6]. This classification can be dividedinto 4 sub classification, as follows:
 Human activation:
This kind of worm will be active if user executes the local copy of the worm. Usually, the worminvolves some social engineering techniques to deceive theuser [6].
 Human activity-based activation:
the computer wormwill active when the user do activity un-normally related to aworm [6].
Scheduled process activation:
worms activate itself through scheduled system processes [6].IV.
 There are many ways for the computer worm to avoiddetection system. This paper classifies the worm into 5categories based on their defense technique, which are:monomorphic, polymorphic, metamorphic, and polymorphicexploitation [8].
Figure 3. Worm classification based on how worm defense itself 
worm always send the same infectionattempt, and never change the code [8].
changing a worm’s binary code by using
encryption technique when keeping the original worm codeintact. The decrypted worm body is unchanged, when theworm replicates itself become millions of different form bymodifying its encryption [8].
worm which is using this technique ismore difficult to detect than monomorphic or evenpolymorphic. Metamorphic worm has capability to make newgeneration in the target place which the code is modified [8].
Polymorphic exploitation:
it is consist of two attempts,exploit and payload. Here exploit means, mutationunimportant bytes, but still keep some bytes complete.Whereas the meaning of payload here is, the body of wormcan be changed through polymorphic or metamorphic wormcode [8].V.
 To protect our system from the computer worm attack, weneed to know about how user should do toward this threat.There are two ways for user to defense from the worm attack:
Figure 4. Classification based on user defense
 Detection Method 
It is used to find the activities of internet worms. Detectionmethod can be classified into two parts, which are: signature-based and anomaly-based.
Signature-Based Detection:
it is commonly used inintrusion detection system (IDSs). The patterns or the habits of the worms have been modeled, so what need to do is only tomatch the signature of the suspicious file with the signaturethat has been listed in the database system [8].
 Anomaly-based detection:
this method is used toindicate the models of normal network or program behavior.An alarm will be activated, when the anomaly behavior isdetected [8].
 Defense Against Nasty Worm1)
 Ethical worm:
sometimes ethical worm is called whiteworm. It does not do like ordinary worm, but it will help theuser to overcome the problem caused by the black worm.Ethical worms are able to fix problems by applying patches orhardening configuration settings before a malicious worm takeover the system
keeping the antivirus up to date, will help thesystem to fight a large number of worm species [3].
Deploy vendor patches and harden publiclyaccessible system: making sure that security team has theresources necessary to test all patches before rolling them intoproduction [3].VI.
CONCLUSIONThis paper has shown that computer worm is not simple. Inorder to make easier to understand, this paper attempted toclassify worm based on 4 main things, called: worm structure,worm attack, worm defense, and user defense. By studyingthis worm classification, it helps us to understand more clearlyabout worm itself, including how they act and how to fightwith worm.R
Rafrastara, F & Faizal, MA (2011). “Advanced Virus Monitoring and
ysis System.” IJCSIS’11, vol. 9, no. 1 (pp. 35
Erbschloe, Michael (2005). “Trojan, worms, and spyware: a computer security profesional’s guide to malicious code.” Burlington: Elsevier Inc.
Skoudis, E & Zeltser L (2003). “Fighting malicious code.” Ne
w Jersey:Prentice Hall PTR.
23http://sites.google.com/site/ijcsis/ISSN 1947-5500

Activity (5)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads
hansdeep479 liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->