HIRT-PUB07005: Let's take a look at the flow of packet data transmitted by a worm Part II (2)

Let's try the tool

You can see how worms change their behavior over time in more detail by visualizing them with the tool introduced on this site. Click the link below to try the tool.

Tool description

Basic operation

  1. Select the type of WORM.
  2. Press the "Play" button. (The visualized worm behavior is played with the recommended setting to better understand the characteristics of each WORM.)

You can view the visualized worms with basic operation only, but you can also change the settings. Please see the description of each function for details.

  * Note: When the Play Speed is set to extremely fast, the PC may be burdened by the load, depending on the type of worm.

Description of each function

Tool Functions

CodeRed3

Nimda E

SQLSlammer

Blaster

Sasser B

Sasser C

Zotob

Worm activity visualized by the tool above can be viewed in a movie as well. To view the movie, please download and unzip the files.

Download the movies (Zip format, hirt-pub07005wmv.zip, 7,794 kBytes)
Movie files for Blaster, Zotob, CodeRed3, SQLSlammer, Nimda.E, Sasser.B and Sasser.C are contained in the zip file.

Closing

We visualized the search activities of worms from various perspectives, different from the one we used last time, in order to visually observe the characteristics of each worm's behavior. We consider that the characteristics of search activities, quantified with observation axes including the search and the random nature, can be used as a criterion to detect the activities of worms and determine their types.

To resolve the problem of the "invisibility of malicious activities", which are increasing in both complexity and sophistication, we continue to try to visualize these events from a multilateral standpoint and to introduce our efforts in the Publications.

Related information

Hirofumi Nakakoji, Masato Terada, Seiichi Susaki
Proposal for visualization of node searching characteristics of worm
Computer security research paper Vol. 2007 No. 036, Information Processing Society of Japan (Mar. 2007)

Masato Terada, Shingo Takada, Norihisa Doi
Proposal for network worm behavior examination system
Information Processing Society of Japan Journal Vol. 46 No. 8, pp. 2014-2024 (2005)

Masato Terada, Shingo Takada, Norihisa Doi
Proposal for the experimental environment for Network Worm infection
17th Annual FIRST Conference (Shangri-La Hotel, Singapore, Jun.26 - Jul.1, 2005)
http://www.first.org/resources/papers/conf2005.html#p107

Acknowledgement:

This is the outcome of the research project commissioned by National Institute of Information and Communications Technology (NICT), "Research and Development of a Decision Support System to Ensure Secure Information Flow by Real-Time Quantitative Measuring of Vulnerability Level in Network Environment". We'd like to express our sincere gratitude to NICT and all of those involved in the project.

Update history

Jun. 1, 2007 - This webpage was newly created and published.


Prepared by:
Nakakoji/Yokohama Research Laboratory, Terada/HIRT, Okashita/HIRT, Onishi/HIRT

Page 3 of 3 pages