Article

A taxonomy of computer worms

Authors:
Nicholas Weaver

UC Berkeley

UC Berkeley
View Profile

,
Vern Paxson

ICSI

ICSI
View Profile

,
Stuart Staniford

Silicon Defense

Silicon Defense
View Profile

,
Robert Cunningham

MIT Lincoln Laboratory

MIT Lincoln Laboratory
View Profile

WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcodeOctober 2003Pages 11–18https://doi.org/10.1145/948187.948190

Published:27 October 2003Publication History

WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode

Pages 11–18

ABSTRACT

To understand the threat posed by computer worms, it is necessary to understand the classes of worms, the attackers who may employ them, and the potential payloads. This paper describes a preliminary taxonomy based on worm target discovery and selection strategies, worm carrier mechanisms, worm activation, possible payloads, and plausible attackers who would employ a worm.

References

Simon Byers, Aviel Rubin, and David Kormann. Defending against internet-based attack on the physical world, http://www.avirubin.com/lscripted.attacks.pdf.Google Scholar
Cardcops. http://www.cardcops.com.Google Scholar
CERT. CERT Advisory CA-1999-04 Melissa Macro Virus, http://www.cert.org/advisories/ca-1999-04.html.Google Scholar
CERT. CERT Advisory CA-2000-04 Love Letter Worm, http://www.cert.org/advisories/ca-2000-04.html.Google Scholar
CERT. CERT Advisory CA-2001-22 w32/Sircam Malicious Code, http://www.cert.org/advisories/ca-2001-22.html.Google Scholar
CERT. CERT Advisory CA-2001-26 Nimda Worm, http://www.cert.org/advisories/ca-2001-26.html.Google Scholar
CERT. CERT Advisory CA-2002-25 Integer Overflow in XDR Library, http://www.cert.org/advisories/ca-2002-25.html.Google Scholar
CERT. Code Red II: Another Worm Exploting Buffer Overflow in IIS Indexing Service DLL, http://www.cert.org/incident_notes/in-2001-09.html.Google Scholar
Zesheng Chen, Lixin Gao, and Kevin Kwiat. Modeling the spread of active worms. In IEEE INFOCOM 2003. IEEE, April 2003.Google ScholarCross Ref
ComputerWorld. Al-qaeda poses threat to net, http://www.computerworld.com/securitytopics/story/0,10801,76150,00.html.Google Scholar
Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proc. 7th USENIX Security Conference, pages 63--78, San Antonio, Texas, jan 1998. Google ScholarDigital Library
Silicon Defense. Countermalice worm containment, http://www.silicondefense.com/products/countermalice/.Google Scholar
David Dittrich. The Stacheldraht Distributed Denial of Service Attack Tool, http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.Google Scholar
David Dittrich. The Tribe Flood Network Distributed Denial of Service Attack Tool, http://staff.washington.edu/dittrich/misc/tfn.analysis.Google Scholar
eEye Digital Security. .ida "Code Red" Worm, http://www.eeye.com/html/research/advisories/al20010717.html.Google Scholar
Mark Eichin and Jon Rochlis. With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988. In IEEE Computer Society Symposium on Security and Privacy, 1989.Google ScholarCross Ref
Hiroaki Etoh. Gcc extentions for protecting applications from stack-smashing attacks, http://www.research.ibm.com/trl/projects/security/ssp/.Google Scholar
F-Secure. F-Secure Computer Virus Information Pages: Hybris, http://www.f-secure.com/v-descs/hybris.shtml.Google Scholar
Peter Ferrie. W32//Klez, http://toronto.virusbtn.com/magazine/archives/200207/klez.xml.Google Scholar
Security Focus. MacOS X SoftwareUpdate Arbitrary Package Installation Vulnerability, http://online.securityfocus.com/bid/5176.Google Scholar
The Animal Liberation Front. http://www.animalliberationfront.com.Google Scholar
The Earth Liberation Front. In defense of all life, http://www.earthliberationfront.com.Google Scholar
Gamespy. Gamespy arcade, http://www.gamespyarcade.com.Google Scholar
Symantec Inc. W32.gnuman.worm, http://securityresponse.symantec.com/avcenter/venc/data/w32.gnuman.worm.html.Google Scholar
itsecure. OpenSSH Trojan Horse, http://www.itsecure.com.au/alerts/alert.htm?alertid=95.Google Scholar
T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conference, Monterey, CA, June 2002. Google ScholarDigital Library
Markus Kern. Re: Codegreen beta release, http://online.securityfocus.com/archive/82/211462.Google Scholar
Kaspersky Labs. W95/CIH (a.k.a Chernobyl), http://www.viruslist.com/eng/viruslist.html?id=3204.Google Scholar
Message Labs. W32/bugbear-ww, http://www.messagelabs.com/viruseye/report.asp?id=110.Google Scholar
Brian McWilliams. Yaha Worm Takes out Pakistan Government's Site, http://online.securityfocus.com/news/501.Google Scholar
Jason V Miller, Jesse Gough, Bartek Kostanecki, Josh Talbot, and Jensenne Roculan. Microsoft dcom rpc worm alert, https://tms.symantec.com/members/analystreports/030811-alert-dcomworm.pdf.Google Scholar
Domas Mituzas. FreeBSD Scalper Worm, http://www.dammit.lt/apache-worm/.Google Scholar
David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. Inside the slammer worm. IEEE Magazine of Security and Privacy, pages 33--39, July/August 2003 2003. Google ScholarDigital Library
David Moore, Colleen Shannon, and k claffy. Code-red: a case study on the spread and victims of an Internet worm. In The Second Internet Measurement Workshop, pages 273--284, November 2002. Google ScholarDigital Library
George Necula, Scott McPeak, and Westley Weimer. CCured: Type-Safe Retrofitting of Legacy Code. In Proceedings of the Principles of Programming Languages. ACM, 2002. Google ScholarDigital Library
Netcraft. The Netcraft Survey, http://www.netcraft.com.Google Scholar
Openbsd 3.3, http://www.openbsd.org/33.html.Google Scholar
The homepage of the pax team, http://pageexec.virtualave.net/.Google Scholar
Sam Phillips. dasbistro.com default.ida responder. http://sunsite.bilkent.edu.tr/pub/infosystems/phpweb/default.txt.Google Scholar
The Honeynet Project. Know Your Enemy: Motives, http://project.honeynet.org/papers/motives/.Google Scholar
Eric Rescorla. Security holes .. who cares? In Proceedings of the 12th USENIX Security Symposium, pages 75--90. USENIX, August 2003. Google ScholarDigital Library
Stuart Schechter and Michael Smith. Access for sale: A new class of worm. In First Workshop on Rapid Malcode WORM, October 2003. Google ScholarDigital Library
Markus Schmall. Bulding Anna Kournikova: An Analysis of the VBSWG Worm Kit, http://online.securityfocus.com/infocus/1287.Google Scholar
McAffe Secuirty. W95/firkin.worm, http://vil.mcafee.com/dispvirus.asp?virus\_k=98557.Google Scholar
F secure Inc. Global slapper worm information center, http://www.f-secure.com/slapper/.Google Scholar
Valve Software. Half life, http://www.half-life.com.Google Scholar
Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to 0wn the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium. USENIX, August 2002. Google ScholarDigital Library
Joe Stewart. Sobig.e: Evolution of the worm. http://www.lurhq.com/sobig-e.html.Google Scholar
Symantec. W32.Benjamin.Worm, http://securityresponse.symantec.com/avcenter/venc/data/w32.benjamin.worm.html.Google Scholar
Symantec. W32.Sonic.worm, http://securityresponse.symantec.com/avcenter/venc/data/w32.sonic.worm.html.Google Scholar
Jamie Twycross and Matthew M Williamson. Implementing and testing a virus throttle. In Proceedings of the 12th USENIX Security Symposium, pages 285--294. USENIX, August 2003. Google ScholarDigital Library
Max Vision. Whitehats: Ramen Internet Worm Analysis, http://www.whitehats.com/library/worms/ramen/.Google Scholar
Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. Efficient Software-Based Fault Isolation. ACM SIGOPS Operating Systems Review, 27(5):203--216, December 1993. Google ScholarDigital Library
Matthew M Williamson. Throttling viruses: Restricting propigation to defeat mobil malicious code. In Annual Computer Security Applications Conference, 2002. Google ScholarDigital Library
Adam Young and Moti Yung. Cryptovirology: Extortion based security threats and countermeasures. In IEEE Symposium on Security and Privacy, pages 129--141, Oakland, CA, 1996. IEEE Computer Society Press. Google ScholarDigital Library

Index Terms

A taxonomy of computer worms
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

Detecting computer worms in the cloud
iNetSec'11: Proceedings of the 2011 IFIP WG 11.4 international conference on Open Problems in Network Security

Computer worms are very active and new sophisticated versions continuously appear. Signature-based detection methods work with a low false-positive rate, but previously knowledge about the threat is needed. Anomaly-based intrusion detection methods are ...
Read More
On the development of an internetwork-centric defense for scanning worms

Studies of worm outbreaks have found that the speed of worm propagation makes manual intervention ineffective. Consequently, many automated containment mechanisms have been proposed to contain worm outbreaks before they grow out of control. These ...
Read More
Modeling and Analysis of Active Benign Worms and Hybrid Benign Worms Containing the Spread of Worms
ICN '07: Proceedings of the Sixth International Conference on Networking

Worms are a serious and growing threat to network and traditional antivirus technologies do not currently scale to deal with the worm threat. Benign worms, especially active benign worms and hybrid benign worms, become a new active countermeasure. In ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode
October 2003
92 pages
ISBN:1581137850
DOI:10.1145/948187
General Chair:
Stuart Staniford
Silicon Defense
,
Program Chair:
Stefan Savage
University of California, San Diego
Copyright © 2003 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 October 2003
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
attackers
computer worms
mobile malicious code
motivation
taxonomy
Qualifiers
- Article
Conference
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 275
  Total Citations
  View Citations
- 6,762
  Total Downloads
- Downloads (Last 12 months)79
- Downloads (Last 6 weeks)12
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

A taxonomy of computer worms

WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode

ABSTRACT

References

Cited By

Index Terms

Recommendations

Detecting computer worms in the cloud

On the development of an internetwork-centric defense for scanning worms

Modeling and Analysis of Active Benign Worms and Hybrid Benign Worms Containing the Spread of Worms