ISSN 1000-1239 CN 11-1777/TP

• Paper •

### Contagion Worm Propagation Simulation and Analysis

Wang Yuewu, Jing Jiwu, Xiang Ji, and Liu Qi

1. (The State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049)
• Online:2008-02-15

Abstract: Although active worms have great spread speed, they usually stir anomalous traffic pattern during targets discovery, which make them easy to be detected. Thus, worm authors turn to increasing the stealth of worms to make them propagate more effectively. Contagion worm is a typical paradigm of stealth worms. It takes advantage of the normal Internet operation traffic to propagate through the Internet, thus it can spread faster than the traditional passive worm, and evinces almost no peculiar communication patterns. Because of its spread speed and stealth, Contagion worm is becoming an immediately security threat on Internet. In order to get insight into Contagion worm propagation, it is necessary to construct a suitable simulation model. Unfortunately, all existing simulation models are constructed for active worms, and can't dynamically simulate the network traffic that is necessary for Contagion worm simulation. Here, a dynamic operation traffic simulation model is presented to adapt for Contagion worm simulation. Through selective abstraction, the scalable bottleneck of packet level worm simulation is broken and a complete Contagion worm simulation system is implemented based on the general network simulator. A series of analyses experiments are conducted by this simulation system to analyze the Contagion worm propagation. Simulation results indicate that the simulation method is very effective in Contagion worm study.