Killing Internet worms dead

of electrical and computer engineering at Purdue, they developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line. In simulations, they pitted their model against the Code Red worm, as well as the SQL Slammer worm of 2003. They simulated how far the virus would spread, depending on how many networks on the Internet were using the same containment strategy: quarantine any machine that sends out more than 10,000 scans. They chose 10,000 because it is well above the number of scans that a typical computer network would send out in a month. “An infected machine would reach this value very quickly, while a regular machine would not,” Shroff explained. “A worm has to hit so many IP addresses so quickly in order to survive.” In the simulations against the Code Red worm, they were able to limit the spread of the infection to fewer than 150 hosts on the whole Internet, 95 percent of the time.

A variant of the Code Red worm (Code Red II) scans the local network more efficiently and finds vulnerable targets much faster. Their method was effective in containing such worms as well. In the simulations, they were able to trap the worm in its original network, the one where the outbreak would have started, 77 percent of the time. Anywhere from 10 to 20 percent of the time, it spread to one other network, but no further. The remaining 3 to 13 percent of the time, it escaped to more networks, but the infection was slowed. In all cases, there was a dramatic decrease in the spread of the worm within the first hour.

To use this strategy, network administrators would have to install software to monitor the number of scans on their networks, and would have to allow for some downtime among computers when they initiate a quarantine. According to Shroff, that wouldn’t be a problem for most organizations. Very small businesses, ones with only a few servers, may have more difficulty taking their machines off line. “Unfortunately there is no complete foolproof solution,” Shroff said. “You just keep trying to come up with techniques that limit a virus’s ability to do harm.”

He and his colleagues are working on adapting their strategy to stop targeted Internet worms, ones that have been designed specifically to attack certain vulnerable IP addresses. This work was supported by a grant from the National Science Foundation, and Sarah Sellke’s NSF Graduate Fellowship.
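The quarantine rule described above, written as an added illustration that is not the Purdue group's software: a per-host scan counter that takes a machine off line once its outbound scans exceed a limit. It assumes a "scan" is a connection attempt to a destination the host has not contacted before, and uses a constructed log plus a deliberately small limit so the behaviour is visible; the article's 10,000 is the default.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Threshold from the article: well above what a normal network sends in a month.
DEFAULT_SCAN_LIMIT = 10_000


@dataclass
class ScanMonitor:
    """Per-host outbound scan counter that quarantines hosts exceeding a limit."""
    scan_limit: int = DEFAULT_SCAN_LIMIT
    scans: dict = field(default_factory=lambda: defaultdict(set))
    quarantined: set = field(default_factory=set)

    def observe(self, src: str, dst: str) -> bool:
        """Record one outbound connection attempt; return True if it is allowed.

        A scan is counted as an attempt to a destination this host has not
        contacted before (assumption), so repeated traffic to one server
        does not push a normal machine toward the limit.
        """
        if src in self.quarantined:
            return False  # host is already off line; drop its traffic
        self.scans[src].add(dst)
        if len(self.scans[src]) > self.scan_limit:
            self.quarantined.add(src)  # worm-like behaviour: take it off line
            return False
        return True


def process_log(lines, scan_limit=DEFAULT_SCAN_LIMIT):
    """Feed 'src dst' log lines through a monitor; return (quarantined, dropped)."""
    mon = ScanMonitor(scan_limit=scan_limit)
    dropped = 0
    for line in lines:
        src, dst = line.split()[:2]
        if not mon.observe(src, dst):
            dropped += 1
    return mon.quarantined, dropped


# Constructed sample: 10.0.0.5 sweeps a range the way a worm would;
# 10.0.0.7 talks repeatedly to a single server and must stay online.
SAMPLE_LOG = [f"10.0.0.5 192.168.1.{i}" for i in range(1, 13)] + \
             ["10.0.0.7 10.0.0.1"] * 12

if __name__ == "__main__":
    quarantined, dropped = process_log(SAMPLE_LOG, scan_limit=8)
    print(quarantined, dropped)  # {'10.0.0.5'} 4
```

In a real deployment the counter would be reset on a time window and the quarantine action would be a switch-port or firewall change rather than a returned flag, which is the downtime the article says administrators must budget for.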