Modelling a Computer Worm Defense System

By | January 1, 2012
By SENTHILKUMAR G CHEETANCHERI

Background

2.1 Introduction

A computer worm is an extremely handy tool to do a particular task on several hosts. Unfortunately, it can also be used as a weapon. For example, consider a computing task that takes several days to nish on a single machine. It can be done much quicker if it can be broken down to several smaller and simpler sub-tasks that can be done in parallel on several machines. It is de nitely painstaking to do it manually; particularly if we need to do it on a daily basis. We could design a parallel processing machine. But such a machine is usually very expensive and not very versatile. Instead of designing such a complex parallel processing machine, we can design a comparatively simple tool that can assign sub-tasks to
capable idle machines and collect and compile the results. Such a tool is a worm.
When used properly the worm tries to hop on from one idle host to another carrying with it a sub-task in search of computing power to accomplish its tasks and return the results to the parent process that waits for the results in a di erent machine. A beautiful example is the worm program that Shoch and Hupp used at the Parc to make use of idle computing power of computers of several employees after regular oce hours[22]. More on
this worm in section 2.3.1.
The most important requirement for a worm to perform a sub-task on a idle machine is, obviously, permissions to execute programs on it. In cases where prior permissions are granted on various machines, the task is simple. In cases where permissions are not granted the job owner may try to force his or her way into other people’s computers.
One can force his or her way into a computer by exploiting any of the vulnerabilities that exist in it. When there is a wide-spread vulnerability on many hundreds of machines spread across the Internet, the Internet becomes a happy hunting ground for anyone that can exploit that particular vulnerability. A computer worm that can automatically hop on from one host to another to perform a task can also penetrate from host to host exploiting such a wide spread vulnerability with such penetration being its task. Such an ability can transform from a very useful tool to a weapon that can cause wide-spread havoc and destruction. A very simple and recent example is the Slammer worm of 2003.

2.2 Model of a worm

Each computer worm is di erent in the sense that each of them uses di erent mechanisms to spread on the Internet. Some of them just spread on a particular targeted network as opposed to the Internet. There are several features or parameters that characterize a worm such as:

  • Vulnerabilities exploited on victims
  •  Speed of spread
  •  Strategies of spread
  •  Payload of the worm
  •  Intended goals and unintended e ects

Though each worm is a unique combination of all the above said parameters, a basic comprehensive structure can be assigned to any worm to understand its working. A worm consists of 4 components, Probe, Transporter, Worm Engine and Payload as shown in Fig.2.1.

The probe is that part of the worm which looks for a susceptible host. This could be very simple query to a host inquiring if a particular service which the worm tries to exploit is running on it.
The transporter module of the worm is responsible for spreading the worm from one host to another. This contains the ability to establish a communication with the vulnerable host as reported by the `probe’ and exploit the vulnerability in it. Once the worm gains a foothold in the victim, this module transports the entire worm to the new host and starts up the worm engine. This is analogous to a boot strap loader in a operating system. A classic example of a transporter is the Grappling Hook used in the Morris worm[15].
The worm engine is the central command base of the worm. It dictates how the worm behaves. Once the transporter starts up the worm engine, the engine takes control of all the activities of the worm. It installs the worm in the new victim. It triggers the probe as and when required which is the rst step in spreading the worm to another host.

The worm engine can control the following traits of the worm giving the worm a unique character of its own.

  • Frequency and timing of infection attempts
  •  Spreading strategy
  •  Limiting the number of worms in a single host
  •  Camouflage – to avoid detection eg. Frequent fork()s and opening a network port in Morris worm.
  •  Executing the payload of the worm

The above list is by no means exhaustive. Spreading strategy is a very interesting study in itself. Highly sophisticated worms can be built by appropriately selecting the next host to infect[28]. The current host itself could be chosen as the next host, thereby repeatedly infecting itself. This would cause the cpu to run several copies of the same worm program which competes with the other processes for cpu time. After a while, the other processes do not get enough cpu time and the performance of the host deteriorates severely and appears to stall. This doesn’t serve the usual goal of a worm to spread far and wide and should generally be avoided in a worm.
The payload is the part of the worm that could contain malicious instructions. It could even remove all les in the hard disk if the worm has enough permissions for that. The worm engine has to execute the payload to achieve the intended malicious e ects. The payload doesn’t execute by itself. Ironically enough, all of the most damaging worms so far haven’t contained any explicit malicious payloads.

In a C-like language a worm looks like:
worm()
{
worm engine();
probe();
transport();
}
worm engine()
{
install and initialize the worm();
execute payload if any needs to be();
choose the next host to probe();
wait until desired time for the next probe();
}

Read the entire document here.

Leave a Reply