Killing Internet worms dead

Published 6 June 2008

Internet worms flood the Internet with junk traffic, and at their most benign, they overload computer networks and shut them down; Buckeye researchers find a new way to combat worms

Scientists may have found a new way to combat the most dangerous form of computer virus. The method automatically detects within minutes when an Internet worm has infected a computer network. Network administrators can then isolate infected machines and hold them in quarantine for repairs. Ness Shroff, Ohio Eminent Scholar in Networking and Communications at Ohio State University, and his colleagues describe their strategy in the current issue of IEEE Transactions on Dependable and Secure Computing. They discovered how to contain the most virulent kind of worm: the kind that scans the Internet randomly, looking for vulnerable hosts to infect. “These worms spread very quickly,” Shroff said. “They flood the Net with junk traffic, and at their most benign, they overload computer networks and shut them down.”

Code Red was a random scanning worm, and it caused $2.6 billion in lost productivity to businesses worldwide in 2001. Even worse, Shroff said, the worm blocked network traffic to important physical facilities such as subway stations and 911 call centers. “Code Red infected more than 350,000 machines in less than 14 hours. We wanted to find a way to catch infections in their earliest stages, before they get that far,” Shroff said. The key, they found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans, a sign that it has been infected, administrators should take it offline and check it for viruses. The strategy sounds straightforward enough. A scan is just a search for Internet addresses — what we do every time we use search engines such as Google. The difference is that a worm sends out many scans to many different destinations in a very short period of time as it searches for machines to infect. “The difficulty was figuring out how many scans were too many,” Shroff said. “How many could you allow before an infection would spread wildly? You want to make sure the number is small to contain the infection. But if you make it too small, you’ll interfere with normal network traffic. It turns out that you can allow quite a large number of scans, and you’ll still catch the worm.”
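As an added illustration of the monitoring idea described above (this is not the paper's algorithm, which the article does not reproduce), the following counts how many distinct destination addresses each host probes within a sliding time window and flags hosts that exceed a threshold; the connection records, the 30-second window and the threshold of 10 are all constructed for the example.

```python
from collections import defaultdict

# Constructed connection-attempt records: (timestamp_seconds, source_ip, destination_ip).
# Host 10.0.0.5 behaves normally: it revisits a handful of destinations over a minute.
# Host 10.0.0.9 behaves like a random-scanning worm: 20 unrelated addresses in 20 seconds.
CONSTRUCTED_LOG = (
    [(t, "10.0.0.5", "10.0.1.7") for t in range(0, 60, 5)]
    + [(3, "10.0.0.5", "10.0.1.8"), (40, "10.0.0.5", "10.0.1.9")]
    + [(2 + i, "10.0.0.9", f"198.51.100.{i}") for i in range(20)]
)


def max_distinct_destinations(records, window_seconds):
    """Return {source: peak number of distinct destinations contacted within any window}."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(records):
        by_src[src].append((ts, dst))
    peaks = {}
    for src, events in by_src.items():
        counts = defaultdict(int)  # destination -> occurrences inside the current window
        left, peak = 0, 0
        for ts, dst in events:
            counts[dst] += 1
            # Slide the window: drop events that are at least window_seconds older than this one.
            while ts - events[left][0] >= window_seconds:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        peaks[src] = peak
    return peaks


def flag_scanners(records, window_seconds, threshold):
    """Hosts whose peak distinct-destination count exceeds the threshold (candidates for quarantine)."""
    peaks = max_distinct_destinations(records, window_seconds)
    return sorted(src for src, peak in peaks.items() if peak > threshold)


if __name__ == "__main__":
    print(max_distinct_destinations(CONSTRUCTED_LOG, 30))
    print(flag_scanners(CONSTRUCTED_LOG, 30, 10))
```

Raising or lowering the threshold trades missed early infections against false alarms on busy but legitimate hosts, which is the tuning problem Shroff describes.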

Shroff was working at Purdue University in 2006 when doctoral student Sarah Sellke suggested making a mathematical model of the early stages of worm growth. With Saurabh Bagchi, assistant professor