Skip the navigation

Fleet-Footed Worm Blocker

Software can detect and defend against worms in network traffic at lightning speed.

By Gary Anthes
September 12, 2005 12:00 PM ET

Computerworld - Just before 5:30 GMT on Saturday, Jan. 25, 2003, the Slammer worm crawled into the Internet. The world's first high-speed worm doubled in size every 8.5 seconds and infected more than 90% of the world's vulnerable hosts within 10 minutes, according to a report published by the University of California, Berkeley.

Slammer caused network outages, airline flight cancellations and automated teller machine failures, according to the report. And subsequent worms have gone further and faster.

Now Horizon Award winner Microsoft Corp. is developing a defense against such fast-replicating worms. Vigilante, experimental software from Microsoft Research in Cambridge, England, detects worms in network traffic -- even new ones with no known signatures -- then generates "filters" against them and sends alerts to other machines on the network. The process is quick enough to block worms before humans are even aware of their existence, says Manuel Costa, a research software design engineer.

Computers running Vigilante generate "self-certifying alerts" when they detect an attack and then send them to other machines, which can verify the alerts before taking defensive action. The Vigilante algorithms that detect worms and issue alerts are computationally intensive and typically would run on just a few nonproduction "honeypot" servers, Costa says. But the protection mechanisms that respond to the alerts are very efficient and would run on every machine on a company's network, he says.

Costa says Vigilante is strictly a research project at present and may or may not end up as a product. But, he says, "we are actively talking with Microsoft product groups." He says his team is "looking to improve every part of the system," including its speed and ability to detect a wide variety of worms.

Costa says his research team faced two major challenges when it got started in December 2003. The first was to create algorithms that would work in a general way so as to detect worms not previously seen. A related challenge was to generate no false alerts, which would cause it to block legitimate traffic. The first challenge hasn't been entirely met, Costa says, and is the subject of further research. But as for the false alerts, he says, "when an alert is verified, we are absolutely certain it's a bad thing."

"This has potential ... specifically in large enterprise or government networks, where a degree of uniform control policies exist for the security systems," says Robert Ghanea-Hercock, a principal scientist at BT Group PLC in London. "But it is less valuable in the open network or broadband sector due to the lack of cooperation between the security vendors."

Matthew Williamson, a senior research scientist at Sana Security Inc. in San Mateo, Calif., says some tough technical issues need to be resolved before tools like Vigilante see widespread use. "However, there is no question that we need adaptive security mechanisms in general, and adaptive mechanisms themselves are becoming more common," he says.

But developing worm medicine is like planning to fight the last war, Williamson says. "The worm-writing community has been joined by a much larger group of malware writers who are professional criminals motivated by making money on the Internet by stealing information, extortion, blackmail, phishing and so on," he says. "Thus, while there might be more big worms, there will definitely be more malicious spyware and attacks designed both to steal and exploit stolen information."

Read more about Applications in Computerworld's Applications Topic Center.

Our Commenting Policies