Title :
Worm Analysis and Changes in Host Behaviors During Worm Outbreaks
Author :
Jamwal, Sunny ; McHugh, John
Author_Institution :
Q1 Labs Inc., Fredericton, NB, Canada
Abstract :
NetFlow analysis can provide insight into worm behaviors. In this paper, we report the results of a detailed analysis of a publicly available dataset, the 2003/2004 wireless traces from the CRAWDAD repository at Dartmouth. This dataset contains packet headers captured from the Dartmouth wireless network between November 2003 and February 2004, a period in which numerous worms were being observed in the wild. IP packet headers were converted to "degenerate" NetFlow records (one flow record per packet) and the resulting flow files were analyzed using the SiLK tools. Our approach was to use information available on worm and virus outbreaks during the period covered by the data to develop profiles for each worm that could be used to detect the presence of the worm in the traffic. The initial analysis involved manually studying the traffic on some key ports exploited by worms and looking for changes in network traffic that would give us time windows in which to filter the traffic for more detailed analysis. In addition to identifying many of the worms active during the period, we observed a number of related phenomena. The initial analysis showed heavy ICMP traffic from early November until the second week of January, after which it suddenly drops. We also observed the sudden appearance of peaks in the SMTP traffic (possibly the result of mass-mailing worms, but more likely due to other causes) throughout the dataset. In addition to reporting our findings for this dataset, we hope that the description of our techniques will serve as a guide for others undertaking similar analyses. We note that the anonymization of the IP addresses, and the requirement that we not attempt to break it, left us unable to investigate some behaviours in the traffic completely.
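The conversion and key-port screening described in the abstract, as an added illustration that is not the paper's code: constructed packet headers (not the CRAWDAD traces) become one-flow-per-packet records, which are counted per hour for a protocol or port and screened for hours that depart sharply from the recent baseline, yielding the time windows used for closer filtering.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

# Constructed packet headers (not real trace data): (timestamp, proto, dport).
# proto 1 = ICMP (no port), proto 6 = TCP with a destination port.
T0 = datetime(2003, 11, 10)
HEADERS = []
for hour in range(8):
    ts = T0 + timedelta(hours=hour)
    HEADERS += [(ts, 1, None)] * (40 if hour == 5 else 3)   # ICMP burst in hour 5
    HEADERS += [(ts, 6, 25)] * (25 if hour == 2 else 2)     # SMTP peak in hour 2
    HEADERS += [(ts, 6, 80)] * 10                           # steady web traffic


def to_degenerate_flows(headers):
    """One flow record per packet header, mirroring the 'degenerate' NetFlow conversion."""
    return [{"start": t, "proto": p, "dport": d, "packets": 1} for t, p, d in headers]


def hourly_series(flows, proto, dport=None):
    """Count flow records per hour for one protocol/port; sorted list of (hour, count)."""
    counts = Counter()
    for f in flows:
        if f["proto"] == proto and f["dport"] == dport:
            counts[f["start"].replace(minute=0, second=0, microsecond=0)] += 1
    return sorted(counts.items())


def change_windows(series, history=3, factor=4.0):
    """Hours whose count exceeds `factor` times the mean of the previous `history` hours.

    These are the candidate time windows for filtering the traffic in more detail.
    """
    flagged = []
    for i in range(history, len(series)):
        baseline = mean(n for _, n in series[i - history:i])
        if baseline > 0 and series[i][1] > factor * baseline:
            flagged.append(series[i][0])
    return flagged


if __name__ == "__main__":
    flows = to_degenerate_flows(HEADERS)
    print("ICMP change windows:", change_windows(hourly_series(flows, 1)))
    print("SMTP change windows:", change_windows(hourly_series(flows, 6, 25), history=2))
```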
Keywords :
IP networks; computer viruses; telecommunication traffic; wireless sensor networks; CRAWDAD repository; Dartmouth wireless network; ICMP traffic; IP addresses; IP packet headers; NetFlow analysis; SMTP traffic; SiLKtools; anonymization; mass mailing worms; network traffic; publicly available dataset; virus outbreaks; worm analysis; worm behaviors; worm outbreaks; Computer worms; Data analysis; Data security; Education; Filters; Niobium; Payloads; Privacy; Telecommunication traffic; Wireless networks;
Conference_Title :
Privacy, Security, Trust and the Management of e-Business, 2009. CONGRESS '09. World Congress on
Conference_Location :
Saint John, NB
Print_ISBN :
978-1-4244-5344-3
Electronic_ISBN :
978-0-7695-3805-1
DOI :
10.1109/CONGRESS.2009.23