Microsoft Research Blog


First Line Worm Defense

October 13, 2004 | Posted by Microsoft Research Blog

By Suzanne Ross

We don’t like worms, in any incarnation. Not the crawly ones, not the human ones, not the computer ones. Especially not the computer ones. We can usually avoid the other kinds.

That’s why Helen Wang and her colleagues decided to design a shield that would protect us from the nasty things. Patches are effective against exploits, but unfortunately don’t work unless people apply them. And most of the worms that exist today, 90% of them according to Wang’s research, were created by ‘the bad guys’ after the patch was available for the vulnerability that the worm exploited.

Most worms are created after a software company has announced the vulnerability, otherwise known as a software defect, and offered a patch to fix the problem. The people who like to send worms to wreak havoc with our machines reverse-engineer the patch to discover ways to exploit the defect. Meanwhile, people haven’t patched, so they become targets of the worm writers.

“There are a number of reasons that people don’t patch,” explains Wang. “The first is that it’s disruptive. People have to reboot their machines after they patch. The second is that patches don’t always work. Unfortunately, it’s difficult to test a patch for all variables that are present on each person’s local machine. The third difficulty that prevents people from patching is that patches aren’t easy to remove if that’s needed at a later time. This can make people reluctant to patch. Lastly, people may not be aware that their machines are vulnerable and in need of patches.”

Worms can be extremely damaging. They self-propagate and replicate within your computer and over a computer network. A common action for worms these days is to take over your computer, making it a ‘zombie’ at attackers’ disposal. They can then use your machine for spamming, phishing, or launching distributed denial-of-service (DDoS) attacks.

Wang and her colleagues’ new technique, code-named Shield, uses a shielding process that precedes the patching process. “This will cover the critical time window between the vulnerability disclosure and patch application, when more than 90% of the attacks take place today,” said Wang.

“We’ve implemented a prototype Shield framework that filters traffic above the network transport layer,” said Wang. Shield is a system of vulnerability-specific, exploit-generic network filters that are installed at the end host to prevent worms or other network-based attacks. The filter examines the incoming and outgoing traffic of the vulnerable application and drops any traffic that tries to exploit the software defect.

Since one vulnerability can be exploited in multiple ways, Shield protects against any type of exploit by shielding the vulnerability itself instead of matching specific exploits. Shield is therefore resilient to variations of the attacks.
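To make the distinction in the two paragraphs above concrete, here is an added toy example (not Shield’s own code, and not a real protocol or vulnerability): a hypothetical message format with a length field, a hypothetical handler that copies the payload into a fixed 64-byte buffer without checking that field, and a vulnerability-specific filter that drops any message which would overflow that buffer, contrasted with an exploit-specific signature filter that only recognises one known payload.

```python
# Added example in the spirit of Shield: a vulnerability-specific, exploit-generic
# filter beside an exploit-specific signature filter. Everything here is constructed:
# message format = 1-byte opcode, 2-byte big-endian length, then payload.
# Hypothetical defect: the handler for VULN_OPCODE copies the payload into a
# fixed 64-byte buffer without checking the length field.
import struct

BUF_SIZE = 64            # size of the hypothetical vulnerable buffer
VULN_OPCODE = 0x10       # the opcode whose handler has the defect (hypothetical)
HEADER = struct.Struct("!BH")

def parse_message(data):
    """Return (opcode, declared_length, payload), or None if the header is truncated."""
    if len(data) < HEADER.size:
        return None
    opcode, length = HEADER.unpack_from(data)
    return opcode, length, data[HEADER.size:]

def shield_filter(data):
    """Vulnerability-specific check: pass (True) or drop (False) a message based on
    whether it could trigger the defect, regardless of what the payload contains."""
    parsed = parse_message(data)
    if parsed is None:
        return False                      # malformed header: cannot reason about it, drop
    opcode, length, payload = parsed
    if opcode != VULN_OPCODE:
        return True                       # other handlers are not affected by this defect
    # Both the declared length and the actual payload must fit the buffer.
    return length <= BUF_SIZE and len(payload) <= BUF_SIZE

# Constructed byte pattern standing in for "the signature of one known exploit".
EXPLOIT_SIGNATURE = b"\x90\x90\x90\x90"

def signature_filter(data):
    """Exploit-specific check for contrast: drops only traffic matching one signature."""
    return EXPLOIT_SIGNATURE not in data

def build(opcode, payload, declared_len=None):
    """Build a message; declared_len lets a test lie about the length field."""
    length = len(payload) if declared_len is None else declared_len
    return HEADER.pack(opcode, length) + payload

if __name__ == "__main__":
    samples = [
        ("benign", build(VULN_OPCODE, b"hello")),
        ("known exploit", build(VULN_OPCODE, b"\x90" * 100)),     # matches the signature
        ("variant", build(VULN_OPCODE, bytes(range(100)))),       # same defect, new bytes
    ]
    for name, msg in samples:
        print(f"{name:14} shield={'pass' if shield_filter(msg) else 'drop'} "
              f"signature={'pass' if signature_filter(msg) else 'drop'}")
```

Running it shows the signature filter passing the variant while the shield drops it, because the shield checks the condition that makes the defect reachable rather than one exploit’s bytes.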

“Shield has several advantages. It’s not disruptive; you don’t need to restart the application or reboot your machine to enact shields. It’s easier to test than a patch since it is a network-level, data-driven mechanism that is separate from the binary code itself. It’s easy to remove the Shield if you need to, for instance, after you apply the patch,” said Wang. These features enable shields to be deployed in the same fashion as the anti-virus signature distribution model.

“We envision that in the future everyone’s desktop will have a Shield running,” said Wang.