Advanced survival techniques in recent Internet worms

Gabor Szappanos VirusBuster

The early email worms did not pay much attention to their target selection. They either picked all names from the address books, or any text similar to an email address from the web browser's cache. If they directly targeted other computers, then the IP address selection was completely random, resulting in a huge percentage of useless probes. Some new worms introduced more careful techniques trying to avoid unnecessary network probes. Overcoming the limitations of email address stores, they started generating possible email addresses themselves. The IP address selection also evolved, first concentrating more on the subnet of the infected computer, then using weighted selection of target subnets. Also, the Internet worms did not bother about the operating environment expect them on the targets. Some new worms already bring with themselves everything that is needed: if they use SMTP to spread, then include an SMTP server inside themselves; if they spread using infected web page, then install a simple web server on the target thus enabling the spread.

Mathematical modelling proves that the success of a worm depends on the initial seeding. Virus authors use various methods (bot networks, email seeding, Usenet) to start up their creations. The presentation will cover in detail these new techniques.



twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.