Code that defends against ‘stealthy’ computer worms

February 02, 2010 01:21 pm | Updated 01:21 pm IST - Washington

A computer technician at work at Thrissur in Kerala. American scientists have developed a new code to contain the “stealthiest” of self-propagating worms, which cause damage worth billions of dollars worldwide. Photo: K.K. Mustafah


American scientists have developed a new code to contain the “stealthiest” of self-propagating worms, which cause damage worth billions of dollars worldwide.

These worms, also known as infectious computer programmes, are malicious programmes which after being released can spread throughout networks without human control, stealing or erasing hard drive data, interfering with pre-installed programmes and slowing, even crashing, home and work computers.

Now researchers at Penn State College have created a new code, or algorithm, that targets these worms, containing them before an outbreak can occur, the journal Computers and Security reported.

“In 2001 the ‘Code Red’ worms caused USD 2 billion worth of damage worldwide. Our algorithm can prevent a worm’s propagation early in its propagation stage,” said lead researcher Yoon-Ho Choi.

Choi and his colleagues’ algorithm defends against the spread of local scanning worms that search for hosts in “local” spaces within networks or sub-networks.

This strategy gives them access to hosts that are clustered, which means that once they infect one host, the rest can be infected quickly.

There are many types of scanning worms, but Choi calls these worms the stealthiest because they are the most efficient and can evade even the best worm defences.

A worm outbreak can begin with the infection of a single computer.

After infection, a worm begins to probe a set of random, local or enterprise IP addresses, searching for more vulnerable hosts. When one is found the worm sends out a probe, or packet, to infect it.

“A local scanning worm can purposely scan a local or enterprise network only. As the size of the susceptible population increases, the worm’s virulence increases,” said Choi.

The researchers’ algorithm works by estimating the size of the susceptible host population. It then monitors the occurrence of infections within it and sets a threshold value just equal to or below the average number of scans an infected host needs to infect another host.

If the scanning worm’s number of scans carrying a specific destination port number exceeds the threshold, the algorithm quarantines the worm.

The algorithm then breaks down the network into many small networks, or cells, which in some cases might be only one computer.

A worm can spread within the cells, but not between the cells. This way the algorithm can isolate an infected host or small cluster of infected hosts housing the worm.

“By applying the containment thresholds from our proposed algorithm, outbreaks can be blocked early,” Choi added.
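The threshold-and-quarantine step described above can be sketched as follows. This is an added illustration, not the researchers' code: the uniform-scanning threshold formula, the counting of distinct destinations, the function names and the sample traffic are all assumptions made for the example.

```python
from collections import defaultdict

def containment_threshold(address_space, susceptible_hosts):
    """Scans allowed per host and port before quarantine.

    Assumed model (not from the article): scans are uniform over the local
    address space, so an infected host needs address_space / susceptible_hosts
    scans on average to reach one susceptible host. Rounding down keeps the
    threshold at or below that average.
    """
    if susceptible_hosts <= 0 or address_space < susceptible_hosts:
        raise ValueError("need 0 < susceptible_hosts <= address_space")
    return max(1, address_space // susceptible_hosts)

def contain(events, threshold):
    """Apply the threshold to (src, dst, dport) events in arrival order.

    Returns (quarantined, delivered): quarantined maps a source to the port
    that tripped the threshold; delivered lists the events let through.
    Counting distinct destinations rather than raw packets is an assumption,
    so repeat traffic to one server is not mistaken for scanning.
    """
    targets = defaultdict(set)   # (src, dport) -> destinations probed
    quarantined, delivered = {}, []
    for src, dst, dport in events:
        if src in quarantined:
            continue             # host is isolated in its own cell
        targets[(src, dport)].add(dst)
        if len(targets[(src, dport)]) > threshold:
            quarantined[src] = dport
            continue
        delivered.append((src, dst, dport))
    return quarantined, delivered

def sample_events():
    """Constructed traffic: a sweep on port 445 and an ordinary HTTPS client."""
    events = []
    for i in range(1, 21):
        events.append(("10.0.0.5", f"10.0.0.{100 + i}", 445))
        events.append(("10.0.0.9", "10.0.0.2", 443))
    return events

if __name__ == "__main__":
    limit = containment_threshold(254, 32)   # /24 subnet, 32 hosts estimated susceptible
    blocked, passed = contain(sample_events(), limit)
    print(limit, blocked, len(passed))
```

With 32 of 254 addresses susceptible, the seven scans allowed before quarantine reach fewer than one susceptible host on average, which is why a threshold at or below the average stops the spread early.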
