蠕虫的行为特征描述和工作原理分析

*20-333#300071E-mail:zhenghui@ieee.org[1][2][3][4][5][6]malware[7]*2000005516**197219781937CIMSDEDS[7~14][6][14]11982XeroxPARCJohnF.Shoch[15]1988MorrisEugeneH.Spaffordwormisaprogramthatcanrunbyitselfandcanpropagateafullyworkingversionofitselftoothermachines.[8]2DavidGerrold1972WhenHarlieWasOneFredCohen1984aprogramthatcan'infect'otherprogramsbymodifyingthemtoincludeapossiblyevolvedcopyofitself.[9]1988MorrisEugeneH.Spaffordvirusisapieceofcodethataddsitselftootherprograms,includingoperatingsystems.itcannotrunindependentlyanditrequiresthatits'host'programberuntoactivateit.[8]31vulnerabilityPatch1.4vulnerabilityWindowsWindows[1][2][13]MorrisHappy99MellisaLoverLetterSirCamNAVIDADBlebla.BVBS_KAKWORM.A1980XeroxPARC[15]DistributedComputationSegment1988112Morris[8][10][16~18]6000Internet101990MorrisRobertT.Morris31400Morrisfingerdsendmailrexec/rsh19891016WANK[34]wormsagainstthenuclearkillersDECVMSYoutalkoftimesofpeaceforall,andthenprepareforwar.WANK19985ADM[19][20]LinuxADMBINDinversequery19999Millennium[21]MillenniumLinuximapdqpopperbindrpc.mountd20011Ramen[22]Linux1513Webindex.htmlRootkitLinuxRamenwuftpdrpc.statdLPRng2001323Lion1i0n[23][24]lion20003LionPscant0rnDDoSTFN2Kli0nsniffer@china.comInternetLionBINDTSIGRamen200143Adore[35]Redadore9000@21cn.com,adore9000@sina.com,adore9001@21cn.com,adore9001@sina.comAdoreAdoreRamenLionAdorewuftpdrpc.statdLPRngBIND20015cheese[7][25]friendlywormLionLion10008rootshellLioncheese20015sadmind[26][27]sadmind/IISSUNSalorisUNIXsadmindIISUnicodeIIS2001719CodeRed[13][28]92520CodeRedII12200141200151CodeRedCodeRedHackedbyChinese!CodeRedCodeRedII300600CodeRedIIMorrisLionCodeRedCodeRedIIS.idaIndexingService2001918Nimda[29~32]NimdaNAIMcAfeeCERTComputerEmergencyResponseTeamIncidents.OrgNimdaConceptVirus(CV)5.5,Copyright©2001RP.ChinaNimda526NimdaWinxIEMIMEAutomaticExecutionofEmbeddedMIMETypesIISdirectorytraversalCodeRedIIsadmind/IISCreeperReaperCreeperReaperCreeperCoreWarCoreWarA.K.Dewdney[33]folklore1release234567NimdaNimdaNimdaNimda8wormnetwork[6][14]1llUNIXllshellll211.lllllllll322.1[11]2[6]3456llWormCondom[8][17]lInterpreterUnixshellWindows$systemroot$\System32\WScript.exelFirewallll[1]KV3000[2]--[3]512000426[4]JayLyman,“HowComputerVirusesGetTheirNames”,[5]FridirkSkulason,VesselinBontchev,“ANewVirusNamingConvention”,[6]NicholasWeaver,“PotentialStrategiesforHighSpeedActiveWorms”(submittedtoUSENIXSecurity2002),~nweaver/worms.pdf[7]BryanBarber,“CheeseWorm:ProsandConsofa‘Friendly’Worm”,[8]EugeneH.Spafford,“TheInternetwormprogram:ananalysis”,ACMComputerCommunicationReview,1989,19(1):1757.[9]Cohen,Fred,“ComputerViruses:TheoryandExperiments”,ProceedingsOfThe7thNationalComputerSecurityConference,1984,pp.240-263.[10]“UnitedStatesGeneralAccountingOfficeReporttotheChairman”,GAO/IMTEC-89-57[11]SnakeByte,“WormsandViruses:AlittleessaybySnakeByte”,[12]R.Shirey,“InternetSecurityGlossary”,RFC2828,2000.[13]MarcMazuhelli,“AVirusandaWorm:LessonsLearnedfromSirCamandCodeRedinaUniversityEnvironment”,[14]JoseNazario,JeremyAnderson,RickWash,ChrisConnelly,“TheFutureofInternetWorms”,PresentedattheBlackhatBriefings,July,2001,LasVegas.[15]Shoch,JohnF,JonA.Hupp,“TheWormProgramsEarlyExperiencewithaDistributedComputation”,CommunicationsoftheACM,1982,25(3),pp.172-180.[16]EugeneH.Spafford,“Crisisandaftermath”,CommunicationsoftheACM,1989,32(6):678687.~vigna/courses/NetworkSecurity/01_Introduction/CrisisAndAftermath.pdf[17]BobPage,“AReportOnTheInternetWorm”,[18]DonnSeeley,“ATouroftheWorm”,Proc.UsenixWinter1989Conference,SanDiego,California,1989,p.287.[19]CERT/CC,“CERTSummaryCS-98.05-SPECIALEDITION”,[20]MaxVision,“ABriefAnalysisoftheADMInternetWorm”,[21]MaxVision,“OriginandBriefAnalysisoftheMillenniumWorm”,[22]JackR.Collins,“RAMEN–ALinuxWorm”,[23]28120021[24]AustinKasarda,“TheLionWorm:KingoftheJungle?”,[25]CERT/CC,“CERT®IncidentNoteIN-2001-05”,[26]NancyL.Feder,“SADMIND/IISWorm”,[27]CERT/CC,“CERTAdvisoryCA-2001-11sadmind/IISWorm”,[28]JohnC.Dolak,“TheCodeRedWorm”