
Research On Peer-to-Peer Malicious Worm Networks

Posted on: 2009-07-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J B Hao
Full Text: PDF
GTID: 1118360278456586
Subject: Computer Science and Technology
Abstract/Summary:
A computer worm is a program that self-propagates across a network by exploiting security flaws in widely used services. People still understand worms differently, partly because of the lack of a perfect worm model. Worms have much potential in propagation control, and so they must evolve to adopt more optimized propagation patterns rather than confining themselves to existing ones. Self-propagation of worms can provide attackers with plenty of available host nodes, and therefore the construction of worm networks naturally follows the propagation of worms. Compared with centralized networks, peer-to-peer (P2P) networks possess better stealth and robustness. Thus P2P worm networks are more difficult to detect and eliminate than general worm networks, and they also have much potential for malicious application. P2P worm networks represent the future of worm networks and bring great challenges to the relevant defense work. In view of the above, we study worms and P2P worm networks from the following aspects:

1. Although a few computational models of viruses and worms have been proposed, they all have their own shortcomings. Besides, given the continuous progress of worm techniques, it is necessary to develop a worm model that fits the current state of worms. In this paper we dissect the behavioral features of worms and, taking the classical Cohen model as a reference, develop a computational model of worms based on persistent Turing machines. The model is named the SIW (Sequentially Interactive Worm) model. It has two parts: the basic worm definition, which describes the typical features of current worms, and the extended worm definition, which covers special worm types outside the basic worm definition. Based on the SIW model, we analyze the essential self-reproduction and net-interaction of worms. We also prove the undecidability of the worm detection problem, and discuss the computational complexity of worm detection under some limitations.

2. From the net-interaction analysis based on the SIW model, we can derive that worms have much potential for propagation optimization. With optimized propagation, attackers can better control the process of node deployment during the construction of worm networks. Worm networks can in turn act as reliable platforms supporting the optimized propagation of worms. In this paper we summarize the propagation features of worms and define the worm propagation problem on the basis of search theory. For this problem, we analyze current propagation strategies and then propose an optimized propagation strategy from two aspects: distribution estimation of vulnerable hosts and propagation coordination of worm nodes. Through theoretical analysis and simulation we verify the advantage of the optimized propagation strategy over current propagation strategies.

3. Worms occupy the resources of user hosts without authorization and have special application aims. Therefore, the construction of P2P worm networks should be stealthy in order to reduce the chance of exposure. In this paper we establish a construction framework for P2P worm networks covering node deployment, link configuration and message communication. We then present one construction example with prepared nodes and one without prepared nodes, and evaluate each by simulation. These two examples show the availability of the construction framework. Finally, because of the special application purposes of P2P worm networks, we analyze their stealth and robustness.

4. P2P worm networks can act as favorable distributed resource platforms for attackers to perform many types of attack tasks. In this paper we establish an application framework for P2P worm networks covering resource organization, location and application types. We then analyze several typical application cases, including DDoS attack, worm propagation, phishing attack, illegal content distribution, and brute-force cryptanalysis.

5. The application of P2P worm networks will pose a serious threat to network security, and P2P worm networks possess better stealth and robustness than general worm networks, which brings great challenges to the relevant defense work. Following the life cycle of P2P worm networks, we study defense mechanisms against them from three aspects: vulnerability defense, worm defense and network defense.

Existing P2P worm networks still have many faults, since they have appeared only in recent years. But with the progress of the related techniques, some mature systems will come into being in the near future. Therefore we should keep a close and continuous watch on the problem in order to defend against the threat effectively.
Keywords/Search Tags:Peer-to-Peer Worm Network, Worm Model, Optimized Propagation, Construction, Application, Defense