Combating Internet Worms
by Vincent Bieri - Business Development Manager - EMEA Security Technology for Cisco Systems - Monday, 10 May 2004.
In recent years, not only has the number of network and computer attacks been on the rise, but so has the complexity and sophistication with which they strike. The most common, and perhaps most damaging, of these attacks are worms. A worm is a malicious program written to exploit a vulnerability in an operating system or application, and then to automatically seek out other vulnerable hosts, exploit them and install a copy of itself there. Because every newly infected host immediately starts scanning for further victims, the infected population grows exponentially, and the scanning traffic this generates overwhelms bandwidth and system resources, making applications and network services slow or unavailable. Some worms also carry a payload: additional code that further exploits the host, for example by modifying data (a web page) or stealing information.

Network worms and viruses have existed for well over 20 years. One of the first, and still the most famous, worm programs to impact the Internet was the Morris Worm of November 1988. It exploited vulnerabilities in the finger and sendmail programs. At that time the Internet consisted of approximately 60,000 hosts; the worm infected approximately 10% of them and caused significant outages and slowdowns of mail servers across the net. In July 2001 a new worm appeared that would significantly raise awareness of the threat posed by this kind of malicious software, against the backdrop of a dramatically changed Internet.

An estimated 650 million hosts are connected to the Internet today, a fundamental shift in the number of potential participants in a worm's propagation. CodeRed spread quickly and became the most widespread and damaging worm to hit the Internet since the Morris Worm: an estimated 360,000 hosts were infected within 14 hours. Two months after CodeRed another large-scale worm, NIMDA (ADMIN spelled backwards), impacted the Internet. More recently, the Internet saw a new type of worm that spread at such a high rate that it was classified as a flash worm. The fast scanning rate of SQL Slammer in January 2003 was possible because of its small size (a single 376-byte packet) and because it used UDP rather than TCP: being connectionless, each infection attempt costs one packet and no handshake, so a host's scanning rate is bounded only by its link bandwidth. SQL Slammer reached its full aggregate scanning rate of 55 million scans per second within 3 minutes of the start of the infection and infected the majority of vulnerable hosts on the Internet within 10 minutes, with an estimated 250,000 - 300,000 infected hosts overall. Summer 2003 witnessed the infamous Blaster, and in January 2004 it was the turn of MyDoom to impact Internet users.
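The exponential propagation described above, and the reason a connectionless single-packet worm saturates the vulnerable population so much faster than a TCP worm, can be made concrete with a small random-scanning epidemic model. This is an added example, not code from the original article or from Cisco: every infected host draws random IPv4 addresses and each scan hits a still-uninfected vulnerable host with probability (vulnerable - infected) / 2^32. The host counts (360,000 for CodeRed, 250,000 for Slammer) and the 55 million scans/s aggregate ceiling come from the text; the 10 Mbit/s uplink, the 404-byte packet (376-byte payload plus UDP and IP headers), and the 100 threads with a 20-second average per TCP connection attempt are illustrative assumptions, not measured values.

```python
import math

IPV4_SPACE = 2 ** 32  # address space a random-scanning worm draws targets from


def udp_scan_rate(link_bps, packet_bytes):
    """Scans/s one UDP worm instance can emit: one packet per target, bounded only by bandwidth."""
    return link_bps / (packet_bytes * 8)


def tcp_scan_rate(threads, seconds_per_attempt):
    """Scans/s one TCP worm instance can emit: each thread must wait out a handshake
    (or, for the vast majority of random targets, a connect timeout) per address."""
    return threads / seconds_per_attempt


def time_to_fraction(vulnerable, scans_per_sec, target=0.9, dt=1.0,
                     aggregate_cap=None, max_seconds=7 * 24 * 3600):
    """Seconds until `target` of the vulnerable population is infected, starting from one host.

    Forward-Euler integration of the random-constant-spread model:
        dI/dt = (scans per second) * (vulnerable - I) / 2^32
    `aggregate_cap` optionally limits the Internet-wide scan rate, modelling the
    point at which the worm's own traffic saturates the network.
    """
    infected = 1.0
    t = 0.0
    while infected < target * vulnerable:
        scans = infected * scans_per_sec
        if aggregate_cap is not None:
            scans = min(scans, aggregate_cap)
        # Expected new infections in this step: scans that land on an uninfected vulnerable host
        new_infections = scans * (vulnerable - infected) / IPV4_SPACE * dt
        infected = min(vulnerable, infected + new_infections)
        t += dt
        if t > max_seconds:  # give up on hopelessly slow parameters
            break
    return t


def time_to_fraction_closed_form(vulnerable, scans_per_sec, target=0.9):
    """Uncapped model solved exactly: logistic growth with rate K = r * N / 2^32,
    I(t) = N / (1 + (N - 1) e^{-Kt}), inverted for I = target * N."""
    k = scans_per_sec * vulnerable / IPV4_SPACE
    return math.log(target / (1 - target) * (vulnerable - 1)) / k


if __name__ == "__main__":
    # Assumed parameters (illustrative, not measurements)
    slammer_rate = udp_scan_rate(10_000_000, 404)      # ~3,094 scans/s per host
    codered_rate = tcp_scan_rate(100, 20.0)            # 5 scans/s per host
    print(f"UDP single-packet worm: {slammer_rate:,.0f} scans/s per host")
    print(f"TCP worm:               {codered_rate:,.0f} scans/s per host")
    t_s = time_to_fraction(250_000, slammer_rate, dt=0.1, aggregate_cap=55_000_000)
    t_c = time_to_fraction(360_000, codered_rate)
    print(f"Slammer-like worm reaches 90% of 250,000 hosts in {t_s / 60:.1f} minutes")
    print(f"CodeRed-like worm reaches 90% of 360,000 hosts in {t_c / 3600:.1f} hours")
```

With these parameters the Slammer-like worm reaches 90% of its population in a few minutes even with the aggregate cap, while the CodeRed-like worm needs on the order of ten hours; the difference is almost entirely the per-host scan rate, which is why a worm's transport choice matters more than its vulnerable population for how quickly it must be contained.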

While the exploits these worms used to gain access to their targets varied, the methods and technologies used to mitigate and contain the infections remained the same. To protect a network from these threats, the security system must be able to defend against, and react to, both known and unknown attacks. This calls for an integrated security solution that is both flexible and pervasive, with tighter collaboration between network services, security services, hosts, applications, management and business processes. Because a worm typically invades an environment in several phases (scanning, exploitation, installation, further scanning), a layered defence that can interrupt each phase is an effective way to protect networks from these threats.
