How to Detect a Worm with a Network Analyzer (by Nancy Liu)

The most potent threats to network and computer security are worms, because they have the unique ability to mimic biological viruses. Worms can infect a host (biological or logical electronic systems like computers, phones, servers and network devices like routers, controllers and switches). Once the worm has infected a device, it chooses a medium through which to propagate to neighboring hosts, that is, other digital devices. Most worms are malicious; however, a few (anti-worms or helpful worms) have no malicious intent and are designed to help find and destroy malicious worms. An example of an anti-worm is Welchia (the Nachi worm, around 2003), which infected compromised computers and automatically began downloading the correct Microsoft security updates without the user's consent. It then automatically rebooted the computers, installing the security patches against then-current exploit worms like Code Red, Blaster and Santy. Other examples of helpful anti-worms are Den_Zuko, Cheeze, CodeGreen and Millenium, among many others. However, the list of malicious worms is very long - https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms - and here is a list of malicious file extensions - http://www.file-extensions.org/filetype/extension/name/dangerous-malicious-files .
The general stages of worm propagation:

Step 1, Scanning: the worm's scanning module is responsible for detecting vulnerable hosts. When it sends probe information to a host and receives a successful response, it has found a host it can spread to.

Step 2, Attack: the attack module automatically attacks the hosts found in step 1, using the detected vulnerability to obtain privileges on the host (usually administrator privileges) and get a shell.

Step 3, Copy: the copy module copies the worm program to the new host through the interaction between the original host and the new host, then starts the program or transmits it automatically by e-mail.

Once a host is infected, the worm first scans the hosts on the network, then establishes connections with the hosts that were scanned successfully and tries to infect them. Each successfully infected host continues the scanning behavior.

How to detect/visualize a worm with a network analyzer

Start by running the free Colasoft Capsa network analyzer and concentrate on the TCP packet summary. Notice that the TCP SYN Sent number is much larger than the TCP SYN ACK Sent number. Normally the ratio of these two numbers is approximately 1:1.

To view the IP endpoints effectively, sort the IP Conversations (Packets Sent / Packets Received) in descending order by clicking the column headers. Focus on the hosts whose number of Packets Sent is much larger than their number of Packets Received. Such hosts may be exhibiting scanning behavior; that is, the worm-infected hosts are in the scanning phase, identifying and analyzing other hosts.

Navigate to the host IP and analyze its TCP connections in the TCP Conversation view. Most conversations contain only one or three packets, which suggests that port 80 on the destination hosts is not open or that the hosts do not exist. In the Time Sequence sub-window, the three packets are all TCP SYN request packets; they are one-way and there is no reply.

Decoding the packets shows further that the data packets sent by this IP node have the SYN (synchronize) flag set, requesting a connection. Because of the large number of half-open connection requests, you can be sure that this host is making malicious half-open connection attacks.

Positioning the worm by traffic:

1) Locate the worm by analyzing the number of packets each host transmits and receives

Thousands of packets are sent per second, but no responses are received, because a large number of the scanned hosts don't exist.

2) Locate the worm by analyzing hosts' sessions

Because the worm is constantly scanning and trying to spread itself, there will be a lot of communication sessions after the connection is established, and each of these sessions produces little traffic and contains only 1 or 2 packets.

3) Locate the worm by packets sent to abnormal destination addresses

As the worm attempts to establish connections with destination hosts, it sometimes sends packets to random addresses within a segment, or transmits data packets continuously. Checking for abnormal destination addresses can also locate the hosts sending abnormal packets.

4) Locate the worm by its signature

Each worm has its own traffic pattern, characterized by the traffic it generates while copying itself across the network; it may be possible to identify what kind of virus it is by analyzing the characteristics of the filtered traffic.
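The checks walked through above (SYN sent versus SYN-ACK received, one-way conversations, many destinations that never answer) can also be run over exported packet summaries. The following Python is an added example, not Colasoft code; the record layout `(src, dst, dport, flags)`, the thresholds and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them against your baseline.
MIN_SYNS = 20             # skip hosts with too few connection attempts
MAX_REPLY_RATIO = 0.2     # healthy hosts sit near 1.0 (SYN : SYN-ACK about 1:1)
MIN_SILENT_DSTS = 15      # destinations that never answered a SYN

def summarize(packets):
    """Build per-host counters from (src, dst, dport, flags) records."""
    hosts = defaultdict(lambda: {"syn": 0, "synack": 0,
                                 "dsts": set(), "replied": set()})
    for src, dst, dport, flags in packets:
        if flags == "S":                  # connection request sent by src
            hosts[src]["syn"] += 1
            hosts[src]["dsts"].add(dst)
        elif flags == "SA":               # reply from src, received by dst
            hosts[dst]["synack"] += 1
            hosts[dst]["replied"].add(src)
    return hosts

def suspects(packets):
    """Return {host: (syn, synack, silent_dsts)} for scan-like hosts."""
    flagged = {}
    for host, h in summarize(packets).items():
        silent = len(h["dsts"] - h["replied"])
        if (h["syn"] >= MIN_SYNS
                and h["synack"] / h["syn"] <= MAX_REPLY_RATIO
                and silent >= MIN_SILENT_DSTS):
            flagged[host] = (h["syn"], h["synack"], silent)
    return flagged

def sample_capture():
    """Constructed traffic: one scanner, one normal client, one retrying client."""
    pkts = []
    for i in range(1, 61):                # 10.0.0.23 sweeps 60 addresses on port 80
        dst = f"10.0.1.{i}"
        if i % 20 == 0:                   # 3 of them exist and answer
            pkts += [("10.0.0.23", dst, 80, "S"), (dst, "10.0.0.23", 40000 + i, "SA")]
        else:                             # the rest: SYN plus two retransmits, no reply
            pkts += [("10.0.0.23", dst, 80, "S")] * 3
    for i in range(25):                   # 10.0.0.5 browses two live servers
        srv = ("10.0.2.10", "10.0.2.11")[i % 2]
        pkts += [("10.0.0.5", srv, 443, "S"), (srv, "10.0.0.5", 41000 + i, "SA")]
    pkts += [("10.0.0.9", "10.0.2.99", 25, "S")] * 30   # one dead server, retried
    return pkts

if __name__ == "__main__":
    for host, (syn, synack, silent) in suspects(sample_capture()).items():
        print(f"{host}: SYN sent={syn} SYN-ACK received={synack} silent dsts={silent}")
```

The client retrying a single dead server (10.0.0.9) has a poor SYN to SYN-ACK ratio but only one silent destination, so it is not flagged; requiring many unanswered destinations is what separates scanning from an ordinary outage.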

Colasoft has some very good capture filters, as well as video tutorials and other tutorials for focusing on your analysis needs - http://www.colasoft.com/network-solutions/ .

Editor’s Note – Always use a network TAP to get the best, uncompromised view of your network traffic. A real TAP cannot be hacked, allows access to view every Bit and Byte and does not affect your network traffic in any way!

Some super information freeware downloads - http://www.colasoft.com/download/network-freeware.php

Author: Nancy Liu - Nancy Liu is the marketing specialist for Colasoft, an innovative provider of network analysis software and solutions. Nancy has been in the IT industry for 3 years and likes sharing useful networking tools and technical knowledge/experience with others. Colasoft is an Oklahoma LLC and has dedicated itself to the development of innovative network analysis software and packet analysis solutions since 2001. Colasoft's flagship products are the nChronos Network Forensic Analysis Appliance and the Capsa network analyzer. Both products offer real-time and historical network analysis solutions for organizations of all sizes. Colasoft is a fast-growing company with more than half a million users in over 110 countries.