“Worms” are malicious programs that self-replicate across networks, typically by exploiting security flaws in widely-used services. The term “malicious,” as used in the context of the present patent application and in the claims, refers to programs and network communication traffic that are initiated by a computer user (or users) in order to disrupt the orderly operation of other computers and network elements. A computer on which a worm program is running is referred to as “infected,” and this term is also used to refer to the malicious traffic that the computer generates under the control of the worm.
Worm infections are often invisible to the user of an infected computer, and the worm may copy itself to other computers independently of any action taken by the computer user. After infecting a computer, the worm program typically begins scanning the network for other computers to infect. To enable this scanning, for example, the worm may cause the infected computer to attempt to reach other computers by sending out a large volume of Transmission Control Protocol (TCP) SYN request packets to random Internet Protocol (IP) destination addresses, in the hope of establishing a connection with other computers and infecting them. Each of these destination addresses may send back a SYN-ACK response packet (or a RST packet to indicate a refusal to establish a connection). Worm-generated scanning may thus generate a large volume of both incoming and outgoing message traffic, which can consume the victim's available bandwidth and other critical system resources. Consequently, servers and networks infected by a worm often experience performance degradation.
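The scanning pattern described above (many outbound SYNs to distinct random addresses, most answered by RST or not at all) is what a detector on the network side would look for. The following is an added illustration, not part of the patent text: it scores each source host over constructed packet records (the hosts, addresses and thresholds are assumed for the example) and flags those whose SYN attempts mostly fail.

```python
from collections import defaultdict

# Constructed sample traffic, not real captures: (src, dst, tcp_flags)
# "S" = SYN, "SA" = SYN-ACK, "R" = RST.
SAMPLE_PACKETS = [
    # Normal host 10.0.0.7: two connections to known services, both completed.
    ("10.0.0.7", "192.0.2.10", "S"), ("192.0.2.10", "10.0.0.7", "SA"),
    ("10.0.0.7", "192.0.2.20", "S"), ("192.0.2.20", "10.0.0.7", "SA"),
]
# Suspected infected host 10.0.0.5: SYNs to eight "random" addresses (constructed),
# one SYN-ACK back, three RSTs, four never answered.
_scan_targets = [f"198.51.100.{i}" for i in range(1, 9)]
SAMPLE_PACKETS += [("10.0.0.5", t, "S") for t in _scan_targets]
SAMPLE_PACKETS += [(_scan_targets[0], "10.0.0.5", "SA")]
SAMPLE_PACKETS += [(t, "10.0.0.5", "R") for t in _scan_targets[1:4]]


def score_hosts(packets, min_targets=5, max_success_ratio=0.25):
    """Return {src: stats} for hosts whose outbound SYN pattern resembles worm
    scanning: many distinct destinations, and most attempts refused or unanswered."""
    syn_targets = defaultdict(set)   # src -> destinations it sent a SYN to
    syn_acked = defaultdict(set)     # src -> destinations that answered SYN-ACK
    rst_back = defaultdict(set)      # src -> destinations that refused with RST
    for src, dst, flags in packets:
        if flags == "S":
            syn_targets[src].add(dst)
        elif flags == "SA":
            syn_acked[dst].add(src)  # the reply flows back to the original initiator
        elif flags == "R":
            rst_back[dst].add(src)

    flagged = {}
    for src, targets in syn_targets.items():
        attempts = len(targets)
        completed = len(targets & syn_acked[src])
        refused = len(targets & rst_back[src])
        unanswered = attempts - completed - refused
        ratio = completed / attempts
        # Thresholds are assumed values for the example; tune them per network.
        if attempts >= min_targets and ratio <= max_success_ratio:
            flagged[src] = {"attempts": attempts, "completed": completed,
                            "refused": refused, "unanswered": unanswered,
                            "success_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    for host, stats in score_hosts(SAMPLE_PACKETS).items():
        print(f"possible worm scanning from {host}: {stats}")
```

A real deployment would evaluate these counters over a sliding time window, since the distinguishing feature of a worm is the rate at which new destinations are tried, not the totals alone.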
Recent well-known worms include Code Red, Nimda and Slammer/SQL. For example, Code Red I spread during the summer of 2001 by exploiting a security flaw in Microsoft® IIS Web servers. Once it infected a server, the worm spread by launching multiple threads, each of which generated random IP addresses and attempted to compromise servers at these addresses. In addition to this self-replication, Code Red I self-activated simultaneously on infected servers to launch a coordinated Denial of Service (DoS) attack on the www.whitehouse.gov domain.