杏吧原创

‘Patient zero’ pinpointed in PC-worm outbreak

A new technique could help law enforcers identify those responsible for distributing viral code across the internet, researchers say

The computer used to kick-start a global worm outbreak in March 2004 has been traced using crucial kinks in its code.

The same technique could, in future, help law enforcers pinpoint those responsible for distributing viral code across the internet, researchers say.

The 鈥淲itty worm鈥 first emerged at 0445 GMT on 20 March 2004 and infected more than 12,000 computer systems around the globe within 75 minutes. It exploited a software bug in a commercial firewall package to infect new machines, randomly generating new network address targets as it went.

Nicholas Weaver and Vern Paxson from the International Computer Science Institute in California, and Abhishek Kumar from the Georgia Institute of Technology, all in the US, carefully analysed the way the worm generated new targets and painstakingly retraced its steps back to the first computer 鈥 or 鈥減atient zero鈥 鈥 of the outbreak.

They used a technique known as 鈥渢elescope analysis鈥 to gather valuable data about the worm鈥檚 spread. The approach involves monitoring portions of the internet where little or no network traffic normally exists, but which receive packets of data when a computer worm or virus starts generating traffic indiscriminately.

Network supernovae

鈥淎 worm鈥檚 release illuminates, for a few moments, dark corners of the network just as supernovae illuminate dark and distant corners of the universe,鈥 the researchers write in a paper outlining their work. 鈥淲ithin the overwhelming mass of observed data lies a very structured process that can be deciphered and understood, if studied with the correct model.鈥

Combined with an analysis of the worm鈥檚 code, this data provided crucial clues as to how it spread.

Examining the worm鈥檚 code revealed that it employed a 鈥減seudo random number generator鈥 to produce new network addresses to target. As this method is not genuinely random, the team were able to calculate precisely which addresses the worm could feasibly send packets to.

Analysing the traffic data gathered by the network telescopes revealed some infected machines outside of these addresses, which must have been infected manually. The earliest of these machines was identified as patient zero 鈥 a PC registered with an unnamed European ISP.

Military installation

The researchers also found that the worm targeted 110 systems, all within a single US military installation, in the first 10 seconds of the outbreak, which kick-started the worm鈥檚 spread.

鈥淚t is interesting research,鈥 says Eric Chien, chief researcher at Symantec Security Response in California, US. 鈥淚t could definitely be useful, especially if patient zero turned out to be the author鈥檚 machine.鈥

But Chien says that worm writers will typically use another computer to begin spreading their creation. And he notes that the amount of data gathered by this type of network analysis could be time-consuming to sort through. 鈥淭ime is obviously crucial,鈥 he says.

Nevertheless, Weaver, Paxson and Kumar, believe the approach could provide valuable new analytic tools for investigators.

鈥淎 worm鈥檚 propagation is a rare but spectacular event in today鈥檚 networks,鈥 the researchers write. 鈥淲e have shown how a fine-grained understanding of the exact control flow of a particular worm 聟 when coupled with network telescope data, enables a detailed reconstruction of nearly the entire chain of events that followed the worm鈥檚 release.鈥

Topics: Computer crime