3rd International ICST Conference on Security and Privacy in Communication Networks

Research Article

Misleading and Defeating Importance-Scanning Malware Propagation

  • @INPROCEEDINGS{10.1109/SECCOM.2007.4550340,
        author={Guofei Gu and Zesheng Chen and Phillip Porras and Wenke Lee},
        title={Misleading and Defeating Importance-Scanning Malware Propagation},
        proceedings={3rd International ICST Conference on Security and Privacy in Communication Networks},
        keywords={Aggregates  Analytical models  Computer networks  Computer worms  Humans  Information analysis  Information security  Internet  Routing  Sampling methods},
  • Guofei Gu
    Zesheng Chen
    Phillip Porras
    Wenke Lee
    Year: 2008
    Misleading and Defeating Importance-Scanning Malware Propagation
    DOI: 10.1109/SECCOM.2007.4550340
Guofei Gu1,*, Zesheng Chen1,*, Phillip Porras2,*, Wenke Lee1,*
  • 1: Georgia Institute of Technology Atlanta, Georgia 30332
  • 2: SRI International Menlo Park, California 94025
*Contact email: guofei@cc.gatech.edu, zchen@ece.gatech.edu, porras@csl.sri.com, wenke@cc.gatech.edu


The scan-then-exploit propagation strategy is among the most widely used methods by which malware spreads across computer networks. Recently, a new self-learning strategy for selecting target addresses during malware propagation was introduced in [1], which we refer to as importance scanning. Under the importance-scanning approach, malware employs an address sampling scheme to search for the underlying group distribution of (vulnerable) hosts in the address space through which it propagates. The malware utilizes this information to increase the rate at which it locates viable addresses during its search for infection targets. In this paper, we introduce a strategy to combat importance scanning propagation.We propose the use of white hole networks, which combine several existing components to dissuade, slow, and ultimately halt the propagation of importance scanning malware. Based on analytical reasoning and simulations using real trace and address distribution information, we demonstrate how the white hole approach can provide an effective defense, even when the deployment of this countermeasure represents a very small fraction of the address space population.