Proactive detection of code injection worms

Charles Renert, Determina

Some of today's most dangerous worms compromise systems by injecting code of their choosing into a remote host and running it there. Unlike classic email-borne worms, these new threats (e.g. CodeRed, Slammer, Blaster) exploit recently published vulnerabilities to launch their payloads, so no attachment has to be opened and no user has to be fooled. Code injection worms are especially dangerous for two primary reasons:

    1) they are not detectable by traditional AV software, which relies on a signature for each known threat;
    2) they spread extremely rapidly because they require no user interaction.

Reactive strategies for limiting the damage from these worms - signature updates and emergency patching - are too slow, and often risky to deploy. Only proactive detection techniques are truly effective against these worms: techniques that need no updating because they stop both current threats and those that are as yet unwritten. In this paper, I examine the state of the art for proactive detection of this growing threat class.
