Advanced survival techniques in recent Internet worms
Gabor Szappanos VirusBuster
The early email worms did not pay much attention to their target selection. They either picked all names from the address books,
or any text similar to an email address from the web browser's cache. If they directly targeted other computers, then the
IP address selection was completely random, resulting in a huge percentage of useless probes.
Some new worms introduced more careful techniques trying to avoid unnecessary network probes. Overcoming the limitations
of email address stores, they started generating possible email addresses themselves. The IP address selection also
evolved, first concentrating more on the subnet of the infected computer, then using weighted selection of target
subnets.
Also, the Internet worms did not bother about the operating environment expect them on the targets. Some new worms already
bring with themselves everything that is needed: if they use SMTP to spread, then include an SMTP server inside
themselves; if they spread using infected web page, then install a simple web server on the target thus enabling the
spread.
Mathematical modelling proves that the success of a worm depends on the initial seeding. Virus authors use various methods
(bot networks, email seeding, Usenet) to start up their creations.
The presentation will cover in detail these new techniques.
