Enterprises are often at the mercy of viruses and worms and their dangerous payloads during the early stages of...
an outbreak. Antivirus firms usually need up to two hours to dissect a new piece of malicious code, write a signature, test it and push it out to customers. In the meantime, some mega-worms like Code Red and Nimda jump from network to network at immeasurable rates of speed, and companies can suffer billions of dollars in damage to assets and reputation.
This has led researchers to pursue behavior-blocking approaches to virus defense. Many vendors, for example, have developed products that allow only defined application behaviors and choke off all others.
A Hewlett-Packard researcher, meanwhile, has taken a more global approach toward choking the spread of fast-moving worms. Matt Williamson has come up with a technology that is essentially a rate-limiter; it checks the number of outgoing connections a server or desktop computer makes per second. By limiting the massive number of connections some worms try to make per second once they've infected a computer, Williamson's virus-throttling technique halts propagation, he said.
"We needed a different way of thinking about viruses after the large impact of Code Red and Nimda more than a year ago," the Bristol, England-based Williamson told SearchSecurity.com recently. "It spread so quickly, much faster than human responses. We want to change the focus from protecting individual machines to protecting the community. Virus throttling won't stop individual viruses and machines from getting infected, but it will prevent viruses from spreading further."
Williamson added that his technique will be especially beneficial in the crucial early hours before signatures are available, lessening the code's potentially dangerous impact on businesses and networks.
Williamson's virus-throttling system is based on the theory that machines make a low rate of connections to new or different machines under normal activity periods -- about one per second. Often, while a user is Web browsing, for example, those connections are made to the same machine rather than to different machines. When a desktop or a server is infected, it tries to make many outgoing connections to many different machines. Nimda, for example, tried to make up to 400 connections per second, Williamson said.
The virus throttle is a filter on an enterprise network stack that uses timeouts to restrict the rate of connections to new host machines. Traffic trying to connect at a higher rate than the normal one-connection-per-second rate is dropped into a queue, which delays the request and allows normal traffic to proceed, Williamson wrote in a research paper posted on Hewlett-Packard's Web site.
The virus throttle runs in the background of a system and is split into two components. The first determines whether a request for a connection is to a new host. The other is a system that uses a series of benign responses (timeouts) to limit the rates of those connections. When a request is made, it is filtered into the system. If the request is to a new host, it is dumped into a delay queue, where it waits for the second half of the system to process it. If the request is not to a new host, it is processed immediately.
The throttle keeps a list of recent connections and compares connection requests to this list to determine each request's newness.
If a request is to a new host, it is dumped into the second half of the system. As the timeouts expire, the next request is processed and the list is updated. If a virus is trying to propagate, it would be easy to detect by monitoring the size or rate of increase of the delay queue. That process can then be suspended or stopped, and the virus' spread is halted.
Williamson said he tested the virus throttle on five machines during a period of five months. He said that 98% of connections went through uninterrupted. He added that the maximum delay a legitimate request experienced was five seconds. The average delay was three seconds.
Williamson said his team has tested the virus throttle on a computer infected with the Nimda worm in a controlled environment.
"We will continue to test and develop the throttling idea. It's quite a rich area of research," Williamson said. "It's very exciting because it covers a large class of viruses."
- FEEDBACK: Is virus throttling a viable defense against malicious code?
Send your feedback to News Editor Michael S. Mimoso