Visualization of packet data transmitted by a worm-infected node
Updated: May.10, 2007
What is a worm?
A worm is a self-replicating malicious computer program. Unlike computer viruses in the narrow sense, it does not need to attach itself to an existing program in order to spread; it is characterized by penetrating other computers via the network and propagating itself.
Introduction
Since 2001, network worms (hereafter referred to as "worms") with advanced functions, including Nimda and CodeRed, have emerged and threatened network infrastructure and corporate intranets countless times. Although no massive incidents due to new worms have occurred recently, nodes*1 infected by worms that proliferated widely in the past still continue their infective activities.
On this page, we attempt to visualize the packets*2 of worms that are still flowing within the network.
Type of target node searching activity
Usually, worms search for target nodes to which they can propagate themselves, and their search methods are said to follow certain patterns. According to known data and published papers, typical past worms are classified as shown below:
(1) Worms that intensively explore the adjacent network of the infected node:
(2) Worms that explore a wide range, not only the adjacent network:
It is also known that some worms randomly select the IP address of the target node, while others select based on certain patterns.
Visualization of packet data transmitted by a worm-infected node
We observed a node actually infected by a worm within a closed experimental environment and visualized the observation data using our proprietary tool.
This tool splits the destination IP address of each packet transmitted by the node into four octets*3 and displays the value of each octet by converting it into the rotation angle of the corresponding line.
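The octet-to-angle mapping described above, together with the two search types from the classification, as an added example (not the proprietary tool's code). It assumes a linear scale of 0..255 onto 0..360 degrees, which the page does not specify; the function names and the sample destination lists are hypothetical and constructed.

```python
import ipaddress
import math

def octet_angles(dst_ip):
    """Split an IPv4 destination into four octets; map each to a line angle.

    Assumption: 0..255 maps linearly onto 0..360 degrees."""
    return [o * 360.0 / 256 for o in ipaddress.IPv4Address(dst_ip).packed]

def angular_spread(destinations):
    """Per-octet circular spread: 0.0 means the line never moves,
    values near 1.0 mean it sweeps the whole circle."""
    spreads = []
    for i in range(4):
        rads = [math.radians(octet_angles(d)[i]) for d in destinations]
        c = sum(math.cos(r) for r in rads) / len(rads)
        s = sum(math.sin(r) for r in rads) / len(rads)
        spreads.append(1.0 - math.hypot(c, s))
    return spreads

def fixed_prefix_octets(destinations, eps=1e-9):
    """Count leading octets whose line stays at one angle across all packets."""
    count = 0
    for spread in angular_spread(destinations):
        if spread > eps:
            break
        count += 1
    return count

# Constructed sample destinations (not captured traffic).
# LOCAL stays inside 10.1.0.0/16, as a type (1) search would from a node there.
LOCAL = ["10.1.%d.%d" % (i * 7 % 256, i * 13 % 256) for i in range(64)]
# WIDE varies every octet, as a type (2) search would.
WIDE = ["%d.%d.%d.%d" % ((i * 37 + 11) % 223 + 1, i * 53 % 256,
                         i * 7 % 256, i * 13 % 256) for i in range(64)]

if __name__ == "__main__":
    for name, dests in (("local", LOCAL), ("wide", WIDE)):
        print(name, fixed_prefix_octets(dests),
              [round(s, 3) for s in angular_spread(dests)])
```

In the display, a fixed leading octet appears as a line that never rotates, so a node whose first lines stay still while the last ones sweep is searching its adjacent network.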