Proactive detection of code injection worms

Charles Renert, Determina

Some of today's most dangerous worms compromise systems by injecting and running code of their choosing on a remote host. Unlike classic email-borne worms, these new threats (e.g. CodeRed, Slammer, Blaster) exploit recently published vulnerabilities to launch their payloads. Code injection worms are especially dangerous for two primary reasons:

    1) they are not detectable by traditional AV software;
    2) they spread extremely rapidly because they require no user interaction.

Reactive strategies to prevent damage from these worms are too slow, and often risky to deploy. Only proactive detection techniques are truly effective against these worms - techniques that do not need updating because they stop both current threats and those that are as yet unwritten. In this paper, I examine the state of the art for proactive detection of this growing threat class.
