Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5137)

Abstract

In [6], Pouget et al. conjectured the existence of so-called multi-headed worms and found a couple of them in attack traces collected on a single honeypot. These worms take advantage of several distinct attack techniques to propagate, but they use only one of them against a given target. From a victim’s viewpoint, they are therefore indistinguishable from classical worms that always propagate using the same attack vector or the same sequence of attack vectors. This paper aims at confirming the existence of these worms by studying a very large dataset. The validation process led to three important contributions. First, we establish the existence and assess the importance of three distinct classes of attacks seen in the wild. Second, we propose a new method to correlate attack trace time series and apply it to search for multi-headed worms. Third, we offer and discuss results of the analysis of 15 months of data gathered over 28 different platforms located all over the world.


References

  1. Bron, C., Kerbosch, J.: Algorithm 457: finding all cliques of an undirected graph. Commun. ACM 16(9), 575–577 (1973)

  2. Eichin, M.W., Rochlis, J.A.A.: With microscope and tweezers: An analysis of the internet virus of november 1988. In: Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy, Oakland, Ohio (1989)

  3. Hoglund, G., Graw, G.M.: Exploiting Software: How to Break Code. Addison-Wesley Professional, Reading (2004)

  4. Lin, J., Keogh, E., Lonardi, S., Chiu, B.: A symbolic representation of time series, with implications for streaming algorithms. In: DMKD 2003: Proceedings of the 8th ACM SIGMOD workshop on Research issues in data mining and knowledge discovery, pp. 2–11. ACM Press, New York (2003)

  5. Pouget, F., Dacier, M.: Honeypot-based forensics. In: AusCERT2004, Brisbane, Australia, May 23 - 27, 2004. AusCERT Asia Pacific Information technology Security Conference (May 2004)

  6. Pouget, F., Keller, G.U., Dacier, M.: Time signatures to detect multi-headed stealthy attack tools. In: 18th Annual FIRST Conference, June 25-30, Baltimore, USA (June 2006)

  7. Provos, N.: Home page of honeyd, http://www.honeyd.org/

  8. Shoch, J., Hupp, J.: The worm programs: Early experience with a distributed computation. Commun. ACM 25(3), 172–180 (1982)

  9. Spafford, E.H.: The internet worm program: an analysis. SIGCOMM Comput. Commun. Rev. 19(1), 17–57 (1989)

  10. Staniford, S., Paxson, V., Weaver, N.: How to own the internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium, Berkeley, CA, USA, pp. 149–167. USENIX Association (2002)

  11. Trochim, W., Donnelly, J.P.: The Research Methods Knowledge Base. Atomic Dog (December 2006)

  12. Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: WORM 2003: Proceedings of the 2003 ACM workshop on Rapid malcode, pp. 11–18. ACM Press, New York (2003)

Editor information

Diego Zamboni

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pham, VH., Dacier, M., Urvoy-Keller, G., En-Najjary, T. (2008). The Quest for Multi-headed Worms. In: Zamboni, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70542-0_13

  • DOI: https://doi.org/10.1007/978-3-540-70542-0_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-70541-3

  • Online ISBN: 978-3-540-70542-0

  • eBook Packages: Computer Science, Computer Science (R0)
