Proactive detection of code injection worms

Charles Renert Determina

Some of today's most dangerous worms are finding ways to compromise systems by injecting and running the code of their choosing on a remote host. Different from classic email-borne worms, these new threats (e.g. CodeRed, Slammer, Blaster) take advantage of recently published vulnerabilities to launch their payloads. Code injection worms are especially dangerous for two primary reasons:

    1) they are not detectable by traditional AV software
    2) they spread extremely rapidly because they require no user interaction.

Reactive strategies to prevent damage from these worms are too slow, and often risky to deploy. Only proactive detection techniques are truly effective against these worms - techniques that do not need updating because they stop both current threats and those that are as yet unwritten. In this paper, I examine the state of the art for proactive detection of this growing threat class.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.