In [6], Pouget et al. have conjectured the existence of so-called multiheaded worms and found a couple of them on attack traces collected on a single honeypot. These worms take advantage of several distinct attack techniques to propagate but they use only one of them against a given target. From a victim’s viewpoint, they are therefore indistinguishable from the other classical worms that always propagate using the same attack vector or same sequence of attack vectors. This paper aims at confirming the existence of these worms by studying a very large dataset. The validation process led to three important contributions. First, we establish the existence and assess the importance of three distinct classes of attacks seen in the wild. Second, we propose a new method to correlate attack traces time series and apply it to search for multi-headed worms. Third, we offer and discuss results of the analysis of 15 months of data gathered over 28 different platforms located all over the world.
The quest for multi-headed worms
DIMVA 2008, 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 10-11th, 2008, Paris, France | Also published as LNCS Volume 5137
Type:
Conférence
City:
Paris
Date:
2008-07-10
Department:
Sécurité numérique
Eurecom Ref:
2467
Copyright:
© Springer. Personal use of this material is permitted. The definitive version of this paper was published in DIMVA 2008, 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 10-11th, 2008, Paris, France | Also published as LNCS Volume 5137 and is available at : http://dx.doi.org/10.1007/978-3-540-70542-0_13
See also:
PERMALINK : https://www.eurecom.fr/publication/2467
