Chapter10概要1.pptVIP

Worms first appeared on mobile phones in 2004. These worms communicate through Bluetooth wireless connections or via the multimedia messaging service (MMS). The target is the smartphone, which is a mobile phone that permits users to install software applications from sources other than the cellular network operator. Mobile phone malware can completely disable the phone, delete data on the phone, or force the device to send costly messages to premium- priced numbers. An example of a mobile phone worm is CommWarrior, which was launched in 2005. This worm replicates by means of Bluetooth to other phones in the receiving area. It also sends itself as an MMS file to numbers in the phones address book and in automatic replies to incoming text messages and MMS messages. In addition, it copies itself to the removable memory card and inserts itself into the program installation files on the phone. * * There is considerable overlap in techniques for dealing with viruses and worms. Once a worm is resident on a machine, antivirus software can be used to detect it. In addition, because worms propagation generates considerable network activity, the monitoring of that activity can lead form the basis of a worm defense. Have classes: Signature-based worm scan filtering: generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host. Filter-based worm containment: focuses on worm content rather than a scan signature. The filter checks a message to determine if it contains worm code. Payload-classification-based worm containment: examine packets to see if they contain a worm using anomaly detection techniques Threshold random walk (TRW) scan detection: exploits randomness in picking destinations to connect to as a way of detecting if a scanner is in operation Rate limiting: limits the rate of scanlike traffic from an infected host. Rate halting: immediately blocks outgoing traffic when a threshold is exceeded either in outgoing connec