Church_paper - Design and Implementation of a Simple Class...

Design and Implementation of a Simple Class Room Laboratory Internet Worm

Christopher Church, Tim Schmoyer, and Henry L. Owen*
School of Electrical and Computer Engineering
Georgia Institute of Technology; Atlanta, Georgia 30332-0250 USA
*Email: [email protected]; Voice: 404-894-4126; fax 404-894-9959

Abstract

Beginners to Internet security research require an understanding of the inner workings of worms. A simple research worm designed to run on a test network facilitates this understanding. This paper explains the design and implementation of a simple research worm. A discussion of worm structure is provided. Design decisions made in creating our research worm are then given with an emphasis on how they relate to real Internet worms.

I. INTRODUCTION

Security researchers must possess an in-depth understanding of Internet worms in order to effectively combat them. Such an understanding best comes from seeing how a worm is designed and implemented. The aim of this paper is to provide insight into both the methods and mechanisms used in worm creation. First, a model will be defined for classifying worm-like code. Concrete details will then be explored through the design and implementation of a simple research worm. The worm described was created in a security research lab at the Georgia Institute of Technology to allow students to witness it spread in a safe, controlled environment. The information in this paper is being provided in hopes that it may help the reader defend against worm attacks by seeing a research worm from the worm author's viewpoint.

II. A GENERIC WORM MODEL

A general model of worm-like behavior is needed to understand and classify Internet worms. Ellis described six components of any worm system: reconnaissance, a specific attack, a command interface, a communications capability, intelligence capabilities, and unused attack capabilities [1].

Since the purpose of our educational worm is to demonstrate a worm's ability to infect hosts and propagate using a known vulnerability and exploit, rather than to demonstrate an intelligent and cooperative worm system, we have chosen not to implement a command interface or maintain an intelligence capability in our prototype. In addition, maintaining unused attacks is unnecessary for our purpose.

Nazario et al. proposed a general worm algorithm that enumerates target hosts, verifies visibility, verifies vulnerability, exploits the vulnerability, and then infects the target host [2]. Since we are using a specified vulnerability with a known exploit to reduce the risk of harm to the network, we can combine two of these steps: verify visibility and verify vulnerability. We have added to the above algorithm the implementation of an optional payload. This payload can perform a number of functions, including the communications and intelligence capabilities described earlier, as well as administrative or malicious operations on files and/or other resources on the infected host.

Our choices provide a simplified general model to teach design decisions for our own worm. Our model is composed of five parts.

This note was uploaded on 12/05/2009 for the course IT IS taught by Professor Arther during the Three '09 term at Queensland Tech.
