A Distributed Stealthy Coordination Mechanism for Worm Synchronization

Gaurav Kataria, Gaurav Anand, Rudolph Araujo, Ramayya Krishnan and Adrian Perrig
Carnegie Mellon University

Abstract

Once a critical mass of nodes is infected by a worm, it becomes very difficult to stop the worm from infecting a large fraction of the vulnerable nodes. Therefore, the focus of worm defense strategies has been to detect the worm before it reaches that critical mass. In this paper we present a novel distributed coordination technique for worm propagation and synchronization that can persist under the radar of detection mechanisms long enough to reach the critical mass needed for a full-fledged attack. We discuss a stealthy worm propagation and synchronization approach that exploits a P2P file-sharing network.

I. INTRODUCTION

The emergence of flash worms in the wild, as hypothesized by Staniford et al. [24], [25], has stimulated interest in the automated detection of Internet worms [9], [16], [23]. Since early detection is crucial for immunizing hosts and/or setting up network filters, many techniques have been developed to detect and defuse worms and viruses in their early stages [14], [20], [26], [35]. In response, worm writers have attempted to develop even faster propagation techniques to outpace these defensive mechanisms. Although faster propagation helps a worm gain momentum quickly, it also leads to earlier detection, which helps the defenders. Ma et al. have proposed self-stopping worms that stop scanning once a critical mass of nodes is infected, in order to avoid further exposing infected hosts [10].

In this paper, we propose slow and covert propagation, even in the early stages of infection, so that the worm avoids detection until a critical mass of nodes is infected. In addition, we propose a stealthy distributed coordination mechanism for worm synchronization that does not require command and control channels such as IRC, which could easily be detected by network monitors. Instead, by using discreet in-channel communication over an overlay network, a worm can spread and coordinate without raising an alarm.

P2P file-sharing networks can provide a vast overlay network that is ideal for stealthy propagation. P2P networks are not alone in providing an application-specific network overlay; email is another example, and one that has recently seen numerous worm outbreaks. What makes P2P file-sharing networks unique, though, is that (1) they are large, distributed networks that are neither managed nor controlled by anyone, (2) because of the enormous amount of data transferred over them, it is much easier to conceal malicious content and messages within regular communication, and (3) nodes connected to a P2P network are by definition aware of other nodes on the network and hence do not have to randomly scan the Internet for vulnerable hosts.

Interestingly, while technically savvy security researchers have been analyzing scanning-based self-propagating worms that exploit intricate software vulnerabilities, malware developers have been building technically less sophisticated yet equally potent attack vectors using email and P2P file sharing. Of the more than twenty thousand worms and viruses reported by Symantec in 2005, only a handful were scanning-based self-propagating worms that exploited a software vulnerability [27]. The majority of the malware discovered was viruses, which are basically executable code compiled for a particular platform, typically MS Windows. The propagation vectors for these viruses are mostly email, P2P or instant messaging rather than vulnerability scanning. It can be difficult to detect a virus if it does not exhibit any unusual behavior, such as opening a back door or altering the kernel. Therefore, in theory, a P2P virus can persist under the radar as long as it behaves like a normal P2P application, surreptitiously using the P2P overlay network itself for distributed coordination with other infected nodes.

In this paper, we present a stochastic model for P2P virus propagation and coordination such that once a critical mass of nodes is infected, all covert nodes become aware of this with high probability and can drop their cover to simultaneously launch a conventional scanning-based Internet-wide worm infection. In effect, we propose a novel malcode, termed a “Worus”, that starts out as a virus and then morphs into a worm. A worus can potentially beat worm defenses that require a typical delay of T_R after detection to activate filters across the global Internet (see Figure 1).

The remainder of the paper is organized as follows. In Section II we discuss related work in the area of worm/virus propagation. Section III presents background on the P2P file-sharing protocol. The Worus propagation model is discussed in Section IV, while Section V describes the distributed coordination scheme based on probabilistic counting. Sections VI and VII present a simulation model and its results. Section VIII proposes some countermeasures against the proposed Worus. Directions for future research and conclusions are presented in Sections IX and X, respectively.

II. RELATED WORK

Computer security researchers have applied knowledge from the field of epidemiology to estimate the birth, death and cure rates of virus infections in computer networks and so model the infection trajectory [15]. Zou et al. [36] developed a propagation model that fits the spread of the Code Red worm. Wang et al. [28] describe propagation models in terms of