Because a worm behaves differently at each stage of its life cycle, we model the status of a system as a set of states (Normal, Candidate, Vulnerability and Damage) so that the security level of a real system can be diagnosed from the state it is in.
The system status diagram is shown in Figure 3.1.
N and C indicate that the current system status is Normal or Candidate, respectively. A system in the Normal state runs no service that a worm could exploit; a system in the Candidate state runs a service that could serve as the entry point of a worm intrusion. The system moves from the Candidate state to the Vulnerability (V) state when the security center announces a vulnerability alert for such a service and the system administrator is unable to patch it in time.
If the administrator patches the loophole before the system is infected, the status returns from V to C; otherwise the status moves from V to the Damage (D) state.
D means that the system has been infected by a malicious worm. To return to the Normal state, the administrator must both remove the worm and patch the loophole, so that the system cannot go on to infect other machines.
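The state machine just described, written out as an added example (it is not part of the thesis). The event names are this example's own labels for the transitions in the text; one transition is an assumption and is marked as such: removing the worm without patching is modelled as a return to V rather than to N, since the loophole is still open.

```python
from enum import Enum


class Status(Enum):
    NORMAL = "N"         # no service a worm could exploit
    CANDIDATE = "C"      # runs a service that could be a worm's entry point
    VULNERABILITY = "V"  # alert announced for that service, not yet patched
    DAMAGE = "D"         # infected by the worm


# (current status, event) -> next status.  Event names are this example's
# own labels for the transitions described in the text, not the thesis's terms.
TRANSITIONS = {
    (Status.NORMAL, "expose_service"): Status.CANDIDATE,
    (Status.CANDIDATE, "reconfigure"): Status.NORMAL,          # Defense_1
    (Status.CANDIDATE, "vuln_announced"): Status.VULNERABILITY,
    (Status.VULNERABILITY, "patch"): Status.CANDIDATE,         # Defense_2, in time
    (Status.VULNERABILITY, "infect"): Status.DAMAGE,
    (Status.DAMAGE, "remove_and_patch"): Status.NORMAL,        # Defense_3 + Defense_2
    # Assumption: removing the worm without closing the loophole leaves the
    # host vulnerable again (V) rather than returning it to Normal.
    (Status.DAMAGE, "remove"): Status.VULNERABILITY,
}


class Host:
    def __init__(self, name):
        self.name = name
        self.status = Status.NORMAL
        self.history = [Status.NORMAL]

    def apply(self, event):
        """Apply one event; reject events that have no meaning in the current status."""
        key = (self.status, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{self.name}: event {event!r} undefined in status {self.status.name}")
        self.status = TRANSITIONS[key]
        self.history.append(self.status)
        return self.status


def run(events, name="host"):
    """Replay a sequence of events on a fresh host; return the visited statuses as letters."""
    host = Host(name)
    for ev in events:
        host.apply(ev)
    return "".join(s.value for s in host.history)


if __name__ == "__main__":
    # Constructed sample timelines.
    print(run(["expose_service", "vuln_announced", "patch"]))                       # NCVC
    print(run(["expose_service", "vuln_announced", "infect", "remove"]))            # NCVDV
    print(run(["expose_service", "vuln_announced", "infect", "remove_and_patch"]))  # NCVDN
```

Keeping the transition table explicit makes undefined moves (for example "infect" while in N) raise instead of silently passing, which is the property a monitoring tool built on this model would want to check.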
Figure 3.1: System status transition
We regard a system transition as a behaviour and divide transitions into attack transitions and defense transitions. For the classes of attack transition we follow the taxonomy of [14] (2003) with some modifications. The details are as follows:
Attack transitions include target selection, reconnaissance, exploited, carrier, activated and propagation.
Attack_1) Target selection: In target selection the worm looks for potential victims. There are a number of techniques by which a worm can discover new machines to exploit: random scanning, pre-generated target lists, internal target lists, external target lists, and passive discovery. [14]
Scanning: Scanning entails probing a set of addresses to identify vulnerable hosts.
Two simple forms of scanning are sequential (working through an address block using an ordered set of addresses) and random (trying addresses out of a block in a pseudo-random fashion).
Pre-generated target lists: An attacker could obtain a target list in advance, creating a “hit-list” of probable victims.
Internal target lists: Many applications contain information about other hosts providing vulnerable services.
External target lists: An external target list is one maintained by a separate server, such as a matchmaking service’s metaserver. (A metaserver keeps a list of all servers that are currently active; for example, the Gamespy service maintains a list of servers for several different games.)
Passive: A passive worm does not seek out victim machines. Instead, it either waits for potential victims to contact it or relies on user behaviour to discover new targets.
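To show why the choice of target-selection technique matters for spread, here is an added simulation (not code from the thesis or from [14]) that infects a constructed /16 block with a worm using random scanning and, on the same population, a worm using a pre-generated hit-list shared among the infected hosts. The block size, the number of vulnerable hosts and the probes-per-round figure are assumptions.

```python
import random

SPACE = 1 << 16          # constructed address block: addresses 0 .. 65535 (a /16)
PROBES_PER_ROUND = 10    # assumption: probes each infected host sends per round
MAX_ROUNDS = 1000        # give up after this many rounds


def make_population(n_vulnerable, seed=7):
    """Pick n_vulnerable addresses at random as the constructed vulnerable population."""
    rng = random.Random(seed)
    return set(rng.sample(range(SPACE), n_vulnerable))


def spread(strategy, vulnerable, seed=1):
    """Simulate the worm until every vulnerable host is infected.

    strategy: "random"  - each probe picks a pseudo-random address in the block
              "hitlist" - probes come from a pre-generated list of the vulnerable
                          hosts, shared (partitioned) among the infected hosts
    Returns (rounds, probes_sent); rounds == MAX_ROUNDS means it did not finish.
    """
    rng = random.Random(seed)
    vulnerable = set(vulnerable)
    patient_zero = min(vulnerable)
    infected = {patient_zero}
    hit_list = sorted(vulnerable - {patient_zero})
    rng.shuffle(hit_list)
    probes = 0
    for rnd in range(1, MAX_ROUNDS + 1):
        newly = set()
        for _host in list(infected):
            for _ in range(PROBES_PER_ROUND):
                if strategy == "random":
                    target = rng.randrange(SPACE)
                elif strategy == "hitlist":
                    if not hit_list:
                        break
                    target = hit_list.pop()
                else:
                    raise ValueError(f"unknown strategy {strategy!r}")
                probes += 1
                if target in vulnerable and target not in infected:
                    newly.add(target)
        infected |= newly
        if infected == vulnerable:
            return rnd, probes
    return MAX_ROUNDS, probes


def compare(n_vulnerable=2000, seed=7):
    """Run both strategies on the same population and return {strategy: (rounds, probes)}."""
    pop = make_population(n_vulnerable, seed)
    return {s: spread(s, pop) for s in ("random", "hitlist")}


if __name__ == "__main__":
    for strategy, (rounds, probes) in compare().items():
        print(f"{strategy:8s} rounds={rounds:4d} probes={probes}")
```

With 2,000 vulnerable hosts and 10 probes per round, the hit-list worm finishes in four rounds and sends exactly one probe per victim, while the random scanner needs tens of rounds and hundreds of thousands of probes, most of them wasted on empty or non-vulnerable addresses. That wasted traffic is also what makes random scanning the easier strategy to detect at the network edge.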
Attack_2) Reconnaissance: The worm scans the services that a victim offers, usually by port scanning. A service may be provided by a client, a server, or a client-server (peer) program.
Client: A client program requests service from a server by sending it a message; Web browsers such as Netscape or Internet Explorer are typical clients. When a user clicks a link, the browser sends a request to a Web server and receives the HTML page in response.
A Web browser represents many client programs, which manage the graphical user interface (GUI) or display portion of an application, determining the presentation of the service provided by that application.
Server: A server manages and provides particular services; IIS and Apache are examples.
Servers are generally passive: they wait for a client request, and during these waiting periods they can perform other tasks or maintenance.
Unlike a client, a server must run continually because clients can request service at any time, whereas a client need only run when it requires service.
Client-Server: As in peer-to-peer networks, each machine both provides and consumes services.
Attack_3) Exploited: Use of a vulnerability to violate security policy. The attacker exploits a weakness in a service the victim offers, such as a buffer overflow, a wrong configuration or a back door.
Buffer overflow: A buffer overflow exploit works by feeding the program specially crafted input content that is designed to overflow the allocated data storage buffer and change the data that follows the buffer in memory.
Wrong configuration: A mistake made by the user or administrator in configuring the system or service (inadequate security settings). The user bears the consequences of the resulting hijacking and of any damage that follows as a natural consequence of it.
Back door: Back door (or "trap door", "wormhole"). A hole in the security of a system deliberately left in place by designers or maintainers. The motivation for such holes is not always sinister; some operating systems, for example, come out of the box with privileged accounts intended for use by field service technicians or the vendor's maintenance programmers.
Attack_4) Carrier: The means by which propagation occurs can also affect the speed and stealth of a worm; the carrier may be self-carried, a second channel, or embedded. [14]
Self-Carried: A self-carried worm actively transmits itself as part of the infection process.
Second Channel: Some worms, such as Blaster, require a secondary communication channel to complete the infection. Although the exploit uses RPC, the victim machine connects back to the infecting machine using TFTP to download the worm body, completing the infection process.
Embedded: An embedded worm sends itself along as part of a normal communication channel, either appending to or replacing normal messages.
Attack_5) Activated: The means by which a worm is activated on a host also drastically affects how rapidly a worm can spread, because some worms can arrange to be activated nearly immediately whereas others may wait days or weeks to be activated. [14]
Human Direct: The slowest activation approach requires a worm to convince a local user to execute the local copy of the worm.
Human Indirect: Similarly, many worms are activated when the user performs some activity not normally related to a worm, such as resetting the machine, logging in and therefore executing login scripts, or opening a remotely infected file.
Scheduled Process: The next fastest worms activate using scheduled system processes.
Self-Activation: The fastest-activating worms are able to initiate their own execution by exploiting vulnerabilities in services that are always on and available (e.g., Code Red exploiting IIS Web servers).
Attack_6) Propagation: After a system is infected by a worm, many abnormal behaviours are generated, including denial of service, worm maintenance, etc.
Denial of Service: A DoS payload paralyses normal operation; examples are spam relays, Internet remote control, Internet DoS and data damage.
Worm Maintenance: Past worms such as W32/sonic have included a crude update mechanism: querying web sites for new code.
Defense transitions include reconfigure, patch, remove and retard.
Defense_1) Reconfigure: Disable unnecessary or vulnerable services so that the worm has no way in.
Defense_2) Patch: If the administrator patches the loophole before the system is infected, the worm cannot invade the system even though the service it targets is still offered. Otherwise, the attacker can use the weakness to gain administrator privileges and cause damage.
Defense_3) Remove: A worm adds, deletes or modifies files in the file system. To return to the Normal status, the infected files must be recovered and the worm removed from the system.
Defense_4) Retard: When a new worm appears, the security center may not be able to offer a solution in time. Slowing down the abnormal traffic that the worm produces in the network buys time to solve the problem.
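One concrete way to "retard" worm traffic is a per-host throttle on connections to new destinations, in the style of Williamson's virus throttle (HP Labs, 2002), which the thesis does not describe; the code below is an added example, not the thesis's own. Connections to recently contacted destinations pass immediately, connections to new destinations are queued and released at a fixed rate, and a host whose queue grows past a threshold is flagged. The working-set size, release rate, alert threshold and the flow records are all constructed assumptions.

```python
from collections import deque

WORKING_SET = 5     # assumption: recent destinations allowed through without delay
RELEASE_RATE = 1    # assumption: new destinations released from the queue per tick
ALERT_QUEUE = 10    # assumption: queued new destinations that raise an alert


class Throttle:
    """Per-host throttle on connections to *new* destinations."""

    def __init__(self):
        self.recent = deque(maxlen=WORKING_SET)  # recently allowed destinations
        self.queue = deque()                      # destinations waiting to be released
        self.passed = 0
        self.delayed = 0
        self.alerted = False

    def request(self, dst):
        """Connection attempt to dst. Returns True if it may go out now, False if delayed."""
        if dst in self.recent:
            self.passed += 1
            return True
        if dst not in self.queue:
            self.queue.append(dst)
        self.delayed += 1
        if len(self.queue) > ALERT_QUEUE:
            self.alerted = True   # far more new destinations than a normal host contacts
        return False

    def tick(self):
        """One time unit passes: release up to RELEASE_RATE queued destinations."""
        for _ in range(RELEASE_RATE):
            if not self.queue:
                break
            self.recent.append(self.queue.popleft())


def run_throttle(flows):
    """flows: iterable of (time, src_host, dst). Returns {src_host: Throttle}."""
    throttles = {}
    last_time = {}
    for t, src, dst in sorted(flows):
        th = throttles.setdefault(src, Throttle())
        for _ in range(t - last_time.get(src, t)):
            th.tick()
        last_time[src] = t
        th.request(dst)
    return throttles


# Constructed sample flows, not captured traffic: a user browsing a few hosts,
# and an infected host that tries 40 new addresses within one second.
SAMPLE_FLOWS = [
    (0, "alice", "web1"), (1, "alice", "web2"), (2, "alice", "web1"),
    (3, "alice", "mail"), (4, "alice", "web1"), (5, "alice", "web2"),
] + [(0, "worm", f"10.0.0.{i}") for i in range(1, 41)]

if __name__ == "__main__":
    for host, th in run_throttle(SAMPLE_FLOWS).items():
        print(f"{host:6s} passed={th.passed:3d} delayed={th.delayed:3d} alerted={th.alerted}")
```

The throttle does not need a signature for the worm: it slows any host that fans out to many new destinations, which is exactly the scanning behaviour from Attack_1, while a host that keeps returning to the same few servers is delayed by at most one tick per new destination.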