Research Article
Misleading and Defeating Importance-Scanning Malware Propagation
@INPROCEEDINGS{10.1109/SECCOM.2007.4550340, author={Guofei Gu and Zesheng Chen and Phillip Porras and Wenke Lee}, title={Misleading and Defeating Importance-Scanning Malware Propagation}, proceedings={3rd International ICST Conference on Security and Privacy in Communication Networks}, publisher={IEEE}, proceedings_a={SECURECOMM}, year={2008}, month={6}, keywords={Aggregates Analytical models Computer networks Computer worms Humans Information analysis Information security Internet Routing Sampling methods}, doi={10.1109/SECCOM.2007.4550340} }- Guofei Gu
Zesheng Chen
Phillip Porras
Wenke Lee
Year: 2008
Misleading and Defeating Importance-Scanning Malware Propagation
SECURECOMM
IEEE
DOI: 10.1109/SECCOM.2007.4550340
Abstract
The scan-then-exploit propagation strategy is among the most widely used methods by which malware spreads across computer networks. Recently, a new self-learning strategy for selecting target addresses during malware propagation was introduced in [1], which we refer to as importance scanning. Under the importance-scanning approach, malware employs an address sampling scheme to search for the underlying group distribution of (vulnerable) hosts in the address space through which it propagates. The malware utilizes this information to increase the rate at which it locates viable addresses during its search for infection targets. In this paper, we introduce a strategy to combat importance scanning propagation.We propose the use of white hole networks, which combine several existing components to dissuade, slow, and ultimately halt the propagation of importance scanning malware. Based on analytical reasoning and simulations using real trace and address distribution information, we demonstrate how the white hole approach can provide an effective defense, even when the deployment of this countermeasure represents a very small fraction of the address space population.