Defense and Detection Strategies against Internet Worms
After examining how a worm is constructed and how its major life cycle steps are implemented, the book scrutinizes targets that worms have attacked over the years, and the likely targets of the immediate future. Moreover, this unique reference explains how to detect worms using a variety of mechanisms, and evaluates the strengths and weaknesses of three approaches - traffic analysis, honeypots and dark network monitors, and signature analysis. The book concludes with a discussion of four effective defenses against network worms, including host-based defenses, network firewalls and filters, application layer proxies, and a direct attack on the worm network itself.
Contents:
- Introduction.
- Background and Taxonomy: Worms Defined. Differentiation From Viruses. Their Six Components. Worm Traffic Patterns. Exponential Growth. Scans, Attacks, Fetch. Worm History: Theory, Implementations, Use, and Ubiquity. Worm Taxonomy. History: ADMworm, Ramen, 1i0n, Code Red, CR2, NIMDA, etc. Construction of a Worm: Basic Components and Implementation.
- Worm Trends: Infection Patterns. Random: Ramen, Code Red 1. Directed. Local Heavy: Code Red 2, NIMDA. Targets: Servers, Desktops. Broadband vs. Commodity Connections. Possible Futures: Updates, Different Behaviors, Warhol and Flash Worms.
- Detection: Reliance on Knowledge of a Set of Behaviors. Traffic Analysis: Traffic Trends (Exponential Growth), Many Connections Outward, Numerous Random Scans In and Out; a Less Complete Behavior Set Needed (Generic Behavior). Honeypot and Blackhole Detection: Honeypots Sit and Wait to Be Attacked, Get Hit, Analyze the Infection; Backscatter Analysis from Scans; Blackhole Captures of Payloads. Signature-Based Analysis: Virus Applications, NIDS Engines, Application Behavior (ZoneAlarm, etc.).
- Defenses: Host-Level Defenses: Patching, Virus Detection, Host-Based IDS. Firewalling Strategies: General Policies, Specific Policies, Traffic Limits on Hosts, Ingress vs. Egress Filtering. Proxy Filters: Web, Mail, File; Difficulties: Compressed or Locked Archives, Unicode. Attacking the Worm Network: Shutdown Messages, Forged “Already Infected” Replies, Routing-Style Attacks, NULL or Poison Updates.
- Conclusions: General Summary and Closing Thoughts.
Jose Nazario is a senior software engineer at Arbor Networks, an internet security company. He is also a consultant and researcher at Crimelabs Research, a think tank and consulting firm. He holds a Ph.D. in biochemistry from Case Western Reserve University. He has published extensively.
318 pages; ISBN 9781580537735