Worm Detection Gets More Attention

Meanwhile, given Intel's intention to add security to its platforms, Internet worm prevention has become a major focus for the company's researchers, because worms can spread quickly and cause large amounts of damage to businesses. Some nearer-term research projects, which Intel demonstrated at its Fall Intel Developer Forum in August and which could show up in its products in the relatively near future, can cut off worm-infected machines from computer networks.

Autograph, worm detection software created at Intel Research Pittsburgh, was released to open source earlier this week, said Brad Karp, a research manager at the lab, which is located on the campus of Carnegie Mellon University.

The worm detector, whose technology could some day be used in corporate networks, employs a combination of heuristics and good old sleuthing to track down worms and locate their signatures, or the unique pattern of data required for a particular exploit, and then notify other systems so that they can block the worm. It watches for tell-tale signs such as multiple attempts by a system to connect to random Internet addresses as worms attempt to infect other systems, then it eyes the specific data being transmitted. It keeps a log of both, from which it can build worm signatures. Because it does the work automatically, it can eliminate the lag, which often lasts days, between when a worm is detected and when its signature is manually mapped and then disseminated.

"It's well known that there are worms that can affect the entire Internet within minutes," Karp said. "Compare that with how long it takes to generate a signature now. If your goal is to stop worms before they spread, which is the real way to win this, the human approach is too cumbersome."

Although the first few copies of a worm will get by Autograph, the vast majority of the Internet can be protected by the proactive sharing of signatures, Karp said.
Autograph machines, which filter data at a network gateway, can communicate with each other and are capable of sharing signatures with others. When measured by its ability to prevent broad worm infections, Karp said his tests showed Autograph would have published a signature for the Code Red worm before two percent of the total number of machines vulnerable to the worm had become infected. Thus, assuming there were enough Autograph monitors in place, it could have prevented 98 percent of infections, he said, saving huge amounts of money.

"Right now, if just one percent of edge networks on the Internet ran Autograph, the speed claims I've made would be true" about Code Red, Karp said.

Code Red, which exploited a vulnerability in Microsoft's IIS Web server, spread quickly in 2001 and is estimated to have done about $2.6 billion worth of damage, most of which was the cost of cleaning affected computers.

While Autograph is now available, Karp and his team are also working on Polygraph, a similar program that can sniff out so-called polymorphic worms, which change each time they replicate in an effort to cover up their signatures and thwart the defense used in Autograph. Even polymorphic worms still have certain parts, related to their particular exploit, that can't change, he said. Thus the parts that don't change can be mapped and those maps shared.

Despite sounding promising, Autograph and Polygraph are a ways from prime time, Karp said. "I don't claim it's a product. It's a first important step toward building this kind of system," he said. "We've shown that it can be done. We believe that the research community and, increasingly, corporations will take up Autograph and begin to build more product-like systems" that draw on it. Ultimately, the technology could be used in concert with the circuit breaker-like tools that detect worms and shut down PCs or servers.
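The two stages the article describes, as an added illustration in Python rather than Intel Research's own Autograph or Polygraph code: a scanner heuristic flags sources that fail to reach many distinct addresses, the payloads those sources successfully deliver are chunked into content blocks and the blocks seen in several flows become Autograph-style signatures, and, for the Polygraph case, the substrings that are invariant across every suspicious payload are extracted even though the rest of each copy differs. The flow records and payloads are constructed, the scan threshold and block size are assumed values, and fixed-size windows stand in for Autograph's content-based chunking.

```python
from collections import Counter, defaultdict

# Constructed flow records: (source, destination, connection_succeeded, payload).
# Payloads are made-up strings standing in for an exploit request, not real
# worm content. The three "worm" payloads share a fixed request prefix and a
# fixed trailer around a padding field that changes from copy to copy.
FLOWS = [
    ("10.0.0.5", "198.51.100.1", False, b""),
    ("10.0.0.5", "198.51.100.2", False, b""),
    ("10.0.0.5", "198.51.100.3", False, b""),
    ("10.0.0.5", "198.51.100.4", True, b"OPEN /svc/run?blob=QzXkPq9T;exec"),
    ("10.0.0.7", "198.51.100.1", False, b""),
    ("10.0.0.7", "198.51.100.6", False, b""),
    ("10.0.0.7", "198.51.100.8", False, b""),
    ("10.0.0.7", "198.51.100.2", True, b"OPEN /svc/run?blob=mB2nL;exec"),
    ("10.0.0.7", "198.51.100.9", True, b"OPEN /svc/run?blob=ttt7Yd4Rs1;exec"),
    # An ordinary client: one destination, no failed connections. Its second
    # request shares a path with the worm payloads but is never sampled,
    # because the source never trips the scanner heuristic.
    ("10.0.0.9", "198.51.100.2", True, b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", "198.51.100.2", True, b"GET /svc/run?blob=hello HTTP/1.1"),
]

SCAN_THRESHOLD = 3  # assumed: distinct destinations a source must fail to reach
BLOCK_SIZE = 8      # assumed: fixed window size replacing content-based chunking


def suspicious_sources(flows, threshold=SCAN_THRESHOLD):
    """Scanner heuristic: a source that fails to connect to at least
    `threshold` distinct destinations is treated as a likely worm host."""
    failed = defaultdict(set)
    for src, dst, ok, _ in flows:
        if not ok:
            failed[src].add(dst)
    return {src for src, dsts in failed.items() if len(dsts) >= threshold}


def suspicious_payloads(flows):
    """Payloads that flagged sources managed to deliver; only these are
    examined for signatures, which keeps benign traffic out of the pool."""
    flagged = suspicious_sources(flows)
    return [p for src, _, ok, p in flows if src in flagged and ok and p]


def content_blocks(payload, size=BLOCK_SIZE):
    """Fixed-size sliding windows over a payload (a list, so counting order
    is deterministic)."""
    return [payload[i:i + size] for i in range(len(payload) - size + 1)]


def autograph_signatures(flows, min_prevalence=2, size=BLOCK_SIZE):
    """Autograph-style selection: content blocks that appear in at least
    `min_prevalence` distinct suspicious flows become signatures."""
    counts = Counter()
    for payload in suspicious_payloads(flows):
        counts.update(set(content_blocks(payload, size)))  # once per flow
    return sorted(b for b, n in counts.items() if n >= min_prevalence)


def invariant_tokens(samples, min_len=4):
    """Polygraph-style extraction: maximal substrings of at least `min_len`
    bytes that occur in every sample, i.e. the parts a polymorphic worm
    cannot change. Scans the shortest sample and keeps, per start offset,
    the longest substring common to all; then drops tokens contained in a
    longer kept token."""
    if not samples:
        return []
    base = min(samples, key=len)
    found = set()
    for i in range(len(base)):
        for j in range(len(base), i + min_len - 1, -1):
            token = base[i:j]
            if all(token in s for s in samples):
                found.add(token)
                break
    return sorted(t for t in found if not any(t != u and t in u for u in found))


if __name__ == "__main__":
    print("flagged sources:", sorted(suspicious_sources(FLOWS)))
    print("autograph blocks:", autograph_signatures(FLOWS))
    print("polygraph tokens:", invariant_tokens(suspicious_payloads(FLOWS)))
```

On the constructed flows, the fixed-window stage yields only the twelve blocks inside the shared request prefix, while the invariant-token stage recovers the prefix and the `;exec` trailer as single tokens despite the changing padding in between; the benign client's request is never considered because its source never trips the scanner heuristic, which is the filtering step that keeps the signature pool free of ordinary traffic.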
"Intel is committed to making computer components and computing more secure," Karp said. "It's self-evident how important that is."
Meanwhile, other projects are exploring ways to prevent large-scale worm infections altogether.