Abstract

With the wide application of networks, the traditional virus that spreads through files has lost its leading position, and worms that spread automatically through the network have become the mainstream of malicious code. By exploiting holes in the operating system or application software, worms spread across the whole world in less than a day, slowing the network down or even paralysing it. Because an intranet has many network nodes, and most users are not computer professionals, it is certainly important to train users in network security awareness; but if we can find and isolate the computer that is propagating the worm in time, we can ensure the normal running of the network. This article recommends a method that uses network interception technology to detect worms according to their spreading mechanism.
Introduction

Worms familiar to computer users, from Code Red, SQL Slammer, Blaster and Sasser to Cycle, are striking for their swift propagation, wide range and great harm. Especially in a corporate LAN, a new worm outbreak is often accompanied by network congestion, which causes network software to fail and disrupts normal work. Because the infected computer cannot be located, administrators sometimes have to upgrade hardware, block the ICMP/IGMP protocols, or even forbid access through ports 135, 137, 139 and 445, so that many functions provided by the operating system can no longer be used. In fact, monitoring software can locate the infected computer that is broadcasting the virus. It is more flexible than a hardware approach, because the options of software can be edited and extended easily.
Characteristics of Worm Transmission

Monitoring focuses on the transmission of the worm. Worms come in great variety, but a worm program can be separated into three basic modules: a scanning module, an attacking module and a copying/starting module. The scanning module is the foundation. In general, for a random IP address, the scan probes ports 80, 135, 139 or 445 over ICMP or TCP/IP to determine whether the address can be connected to. If the IP cannot be connected to, it tries the next IP; otherwise the attacking module is started. If the computer has the system vulnerability, the copying/starting module is executed. So a worm program scans many IPs but connects to few, and still fewer of those have the system vulnerability.
According to these characteristics of worm transmission, when we monitor through a hub, if an IP address makes more connections than a threshold fixed beforehand (for example 500) in a short time, we mark it "suspicion". We need not pay attention to all the data packets, and only record the connections between IPs: for ICMP, record every source and destination; for TCP, pay attention only to the first handshake packet (Flags = SYN = 2). In order to spread as far as possible, the worm usually scans a large range of IP addresses in a short time. This is the characteristic of the worm, and the criterion by which we judge whether a worm exists or not. The task of the monitoring software is to record every source IP, the destination IPs it connects to and the ports it uses, and at the same time to publish a bulletin of "suspicion" computers regularly or to control the firewall to block all data packets from the suspicion computer.
In practice, we found that the number of IP addresses may exceed the threshold we fix when P2P software is in use. To deal with this situation, we can recognise the first packet after the TCP handshake. P2P software has its own protocol, and the first data packet is the P2P handshake information; this is the characteristic of P2P software.
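As an added example, not code from the paper, the following Python sketch implements the recording rule described above: it keeps only ICMP packets and TCP SYN segments, tracks the distinct destinations each source reaches within a sliding time window, and marks a source "suspicion" once that count passes the threshold (500 by default). The Pkt record, the 60-second window, the choice to count distinct destinations rather than raw packets, and the sample traffic are all constructed assumptions; the P2P exception is not modelled.

```python
from collections import defaultdict, deque
from typing import NamedTuple

SYN, ACK = 0x02, 0x10  # TCP flag bits

class Pkt(NamedTuple):
    """Constructed per-packet summary (our own field names, not the paper's)."""
    ts: float   # capture time in seconds
    src: str
    dst: str
    proto: str  # "tcp" or "icmp"
    flags: int = 0

def is_connection_attempt(p):
    # Keep only what the paper records: every ICMP packet, and for TCP only the
    # first handshake segment (SYN set, ACK clear).
    if p.proto == "icmp":
        return True
    return p.proto == "tcp" and (p.flags & (SYN | ACK)) == SYN

class WormMonitor:
    # Marks a source "suspicion" when it reaches more distinct destinations than `threshold` inside a window.
    def __init__(self, threshold=500, window=60.0):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
        self.suspects = set()

    def observe(self, p):
        if not is_connection_attempt(p):
            return None
        q = self.events[p.src]
        q.append((p.ts, p.dst))
        while q and q[0][0] < p.ts - self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len({dst for _, dst in q}) > self.threshold:
            self.suspects.add(p.src)
            return p.src
        return None

def demo(threshold=500):
    mon = WormMonitor(threshold=threshold, window=60.0)
    # Constructed traffic: a workstation reconnecting to one server (SYN then
    # ACK segments) and a host sweeping 10.0.x.y with bare SYNs.
    for i in range(20):
        mon.observe(Pkt(i * 1.0, "192.168.1.10", "192.168.1.80", "tcp", SYN))
        mon.observe(Pkt(i * 1.0 + 0.1, "192.168.1.10", "192.168.1.80", "tcp", ACK))
    for i in range(threshold + 100):
        mon.observe(Pkt(100.0 + i * 0.01, "192.168.1.66", f"10.0.{i // 256}.{i % 256}", "tcp", SYN))
    return sorted(mon.suspects)
```

Only the sweeping host is reported; the workstation's repeated connections to a single server never raise its distinct-destination count above one.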
Hardware Preparation

To capture the data packets on the switches, we have two options for hardware preparation.
Using the Port Mirror function of the switch. This function copies the messages passing through all ports to one destination port, and we monitor the destination port to obtain all the messages. The administrator does not need to change hardware; all he has to do is configure the port mirror, and when an abnormality is detected we monitor the mirror port. It is flexible and easy to use.