
Polymorphic worm

In document Detecting network intrusions (Pages 52-56)

2.4 Attacks and threats

2.4.4 Polymorphic worm

A polymorphic worm (PW) is a worm that changes its appearance with every instance (based on Kolesnikov et al. [20]). As a result, the byte sequences of different worm instances may look completely different. However, the actual code of the PW typically stays the same.

To change its appearance, a PW can use methods similar to those used by polymorphic viruses. One common method is to take the original code of a worm, encrypt it with a random key, and generate a short decryptor for the key. The polymorphic decryptor (PD) and the key change with each instance; the code of the worm does not. This operation is typically performed by the polymorphic engine (PE), included as part of the worm's code.

A sophisticated PW can mutate both itself and the exploits it uses. Possible elements of such a PW include:

Attack vectors to penetrate systems. Sophisticated worms use many vectors of attack. The set includes exploits for stack, heap, and other types of overflows, backdoors left by other worms, password sniffing, Man-in-the-Middle attacks, and so forth.

Invariants for attack vectors. A PE uses attack invariants to decide which parts of an attack are volatile, so that they can be changed without preventing the attack. One example of such invariants are the offsets in an exploit for placing the return addresses and handlers, e.g., Windows Structured Exception Handling-based (SEH) exploitation.

Polymorphic Engine (PE). A PE will generate the mutated versions of the PD and the attacks.

Worm body code. In a simple case, the worm's body might simply contain code that selects an attack vector, generates a set of destinations, mutates the attack and itself using the PE, then sends out the mutated instances.

Traditional signature-based IDS, though effective for known attacks, fail to handle zero-day attacks promptly. Recent work on polymorphic worms does not guarantee an accurate signature in the presence of noise in the suspicious flow samples.

Paul et al. [21] propose PolyS, an improved version of Hamsa, a network-based automated signature generation scheme to thwart zero-day polymorphic worms. They contribute a novel architecture that reduces the noise in the suspicious traffic pool, thus enhancing the accuracy of the worm's signature. They also propose a signature generation algorithm for matching polymorphic worm payloads with higher speed and memory efficiency.

The typical structure of a polymorphic worm is:

Protocol Framing: is necessary to steer execution down the code path in which the software vulnerability exists. The protocol framing string is invariant across all instances of a polymorphic worm.

Return Address: Return addresses or function pointers are the values used to overwrite a jump target and redirect the server's execution. Typically a 32-bit integer, of which the first 23 bits are normally the same across all worm samples. The return address is another invariant part of polymorphic worms.

Exploit Code: These invariant bytes are necessary to exploit the vulnerability. They also activate the decryption routine and ensure identical malicious activity in all attacks.

Encrypted worm code (Payload): It contains the code that performs the malicious activities. In the presence of strong encryption routines, the worm payload takes different values in different infections.

Decryption Routine: Its function is to decrypt the encrypted payload with the decryption key and pass control to the worm's code to start execution. Decryption routines are obfuscated differently in different instances of a polymorphic worm.

Decryption Key: The worm payload is encrypted by the polymorphic engine with a different key in each instance. To decrypt the worm's payload, the corresponding decryption key is required.

Wild Card bytes: These bytes may take any value without affecting the functioning of the worm or its spreading capabilities.

In summary, polymorphic worms have two classes of bytes: invariant and variant bytes. Invariant bytes remain the same across all instances of the worm, while variant bytes change their value in every infection attempt. Typically the invariant bytes are the protocol framing string, the exploit code and the return address. The other components are in general variant across different instances of a polymorphic worm.
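The invariant/variant split above is what Hamsa-style signature generators such as the PolyS scheme exploit. The following is an added example, not code from the thesis or from Hamsa/PolyS: it builds a constructed pool of toy "instances" whose framing, return-address high bytes and exploit stub are fixed while the wild-card bytes, decryptor, key and XOR-"encrypted" body change, extracts the maximal byte tokens common to every suspicious flow, prunes tokens that also occur in a constructed normal pool, and matches the resulting ordered-token signature. All byte strings and the simplified extraction are assumptions for illustration.

```python
import random

# Constructed stand-ins for the invariant byte classes of a polymorphic worm instance.
FRAMING = b"GET /cgi/x HTTP/1.0\r\n"   # protocol framing string (invariant)
RET_ADDR_HI = b"\xbf\xff\xe0"          # high bytes of the return address (invariant)
EXPLOIT_STUB = b"<exploit-stub>"       # placeholder for the invariant exploit bytes

def make_flow(rng):
    """One constructed instance: invariant parts fixed, variant parts re-drawn per instance."""
    wildcard = bytes(rng.randrange(256) for _ in range(8))      # wild-card bytes
    ret_lo = bytes([rng.randrange(256)])                        # low byte of return address
    decryptor = bytes(rng.randrange(256) for _ in range(6))     # "obfuscated" decryption routine
    key = rng.randrange(1, 256)                                 # per-instance decryption key
    payload = bytes(b ^ key for b in b"worm-body-placeholder")  # toy XOR-"encrypted" body
    return FRAMING + wildcard + RET_ADDR_HI + ret_lo + EXPLOIT_STUB + decryptor + bytes([key]) + payload

def invariant_tokens(flows, min_len=3):
    """Hamsa-style step: substrings (>= min_len) present in every flow, kept maximal, in flow order."""
    base = flows[0]
    cands = {base[i:j] for i in range(len(base)) for j in range(i + min_len, len(base) + 1)
             if all(base[i:j] in f for f in flows[1:])}
    maximal = [t for t in cands if not any(t != u and t in u for u in cands)]
    return sorted(maximal, key=base.index)

def prune_with_normal_pool(tokens, normal_flows, max_fp=0.0):
    """Drop tokens whose hit fraction in the normal pool exceeds the false-positive bound."""
    return [t for t in tokens if sum(t in n for n in normal_flows) / len(normal_flows) <= max_fp]

def matches(signature, flow):
    """Ordered-token signature match: each token must appear after the previous one."""
    pos = 0
    for tok in signature:
        idx = flow.find(tok, pos)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True

# Constructed pools: six worm instances and three benign requests that share the framing.
rng = random.Random(7)
SUSPICIOUS = [make_flow(rng) for _ in range(6)]
NORMAL = [b"GET /cgi/x HTTP/1.0\r\nHost: a.example\r\n\r\n",
          b"GET /index.html HTTP/1.0\r\n\r\n",
          b"POST /cgi/x HTTP/1.0\r\nContent-Length: 3\r\n\r\nabc"]
SIGNATURE = prune_with_normal_pool(invariant_tokens(SUSPICIOUS), NORMAL)

if __name__ == "__main__":
    print("signature tokens:", SIGNATURE)
    print("worm hits:", sum(matches(SIGNATURE, f) for f in SUSPICIOUS), "benign hits:", sum(matches(SIGNATURE, f) for f in NORMAL))
```

Note that the framing string is extracted as invariant but pruned because benign requests to the same path contain it; the signature still holds on the return-address and exploit bytes alone, which is why those invariant classes matter more than framing for detection.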

Li et al. [22] present a survey and comparison of Internet worm detection and containment schemes. They first identify worm characteristics through their behaviour, and then classify worm detection algorithms based on the parameters used in the algorithms. Furthermore, they analyze and compare different detection algorithms with reference to the worm characteristics by identifying the types of worms that can and cannot be detected by these schemes. After detecting the existence of worms, the next step is to contain them. The article explores the current methods used to slow down or stop the spread of worms.

The locations at which to implement detection and containment, as well as the scope of each of these systems/methods, are also explored in depth. Finally, the article points out the remaining challenges of worm detection and future research directions.

Figure 2.19: Categorization of worm characteristics

Figure 2.20: Categorization of Internet worm defence

The boxes in the two figures 2.19 and 2.20 are the topics which the article Paul et al. [22] covers. We will not explain the topics, because this would take too much space and, in the end, not serve its purpose.
