Virtual Playgrounds for Worm Behavior Investigation

  • Xuxian Jiang
  • Dongyan Xu
  • Helen J. Wang
  • Eugene H. Spafford
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3858)


To detect and defend against Internet worms, researchers have long hoped to have a safe convenient environment to unleash and run real-world worms for close observation of their infection, damage, and propagation. However, major challenges exist in realizing such “worm playgrounds”, including the playgrounds’ fidelity, confinement, scalability, as well as convenience in worm experiments. In this paper, we present a virtualization-based platform to create virtual worm playgrounds, called vGrounds, on top of a physical infrastructure. A vGround is an all-software virtual environment dynamically created for a worm attack. It has realistic end-hosts and network entities, all realized as virtual machines (VMs) and confined in a virtual network (VN). The salient features of vGround include: (1) high fidelity supporting real worm codes exploiting real vulnerable services, (2) strict confinement making the real Internet totally invisible and unreachable from inside a vGround, (3) high resource efficiency achieving sufficiently large scale of worm experiments, and (4) flexible and efficient worm experiment control enabling fast (tens of seconds) and automatic generation, re-installation, and final tear-down of vGrounds. Our experiments with real-world worms (including multi-vector worms and polymorphic worms) have successfully exhibited their probing and propagation patterns, exploitation steps, and malicious payloads, demonstrating the value of vGrounds for worm detection and defense research.


Internet Worms Intrusion Observation and Analysis Destructive Experiments 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Internet Protocol V4 Address Space,
  3. 3.
  4. 4.
  5. 5.
  6. 6.
  7. 7.
  8. 8.
  9. 9.
  10. 10.
    The DETER Project,
  11. 11.
    The Honeynet Project,
  12. 12.
  13. 13.
  14. 14.
    ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability (2001),
  15. 15.
  16. 16.
  17. 17.
    Ramen Worm (February 2001),
  18. 18.
    CERT Advisory CA-2002-27 Apache/mod_ssl Worm, (2002)
  19. 19.
    PUD: Peer-To-Peer UDP Distributed Denial of Service (2002),
  20. 20.
    Google Smacks Down Santy Worm (December 2004),,aid,119029,00.asp
  21. 21.
  22. 22.
    Santy Worms (December 2004),
  23. 23.
  24. 24.
  25. 25.
    Anderson, T., Peterson, L., Shenker, S., Turner, J.: A Global Communications Infrastructure: A Way Forward (December 2004),
  26. 26.
    Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Alex Ho, R.N., Pratt, I., Warfield, A.: Xen and the Art of Virtualization. In: SOSP 2003 (2003)Google Scholar
  27. 27.
    Carella, C., Dike, J., Fox, N., Ryan, M.: UML Extensions for Honeypots in the ISTS Distributed Honeypot Project. In: Proceedings of the 2004 IEEE Workshop on Information Assurance United States Military Academy, West Point, NY (June 2004)Google Scholar
  28. 28.
    Craveiro, P.: SANS Malware FAQ: What is t0rn rootkit?,
  29. 29.
    Dagon, D., Qin, X., Gu, G., Lee, W., Grizzard, J., Levine, J., Owen, H.: HoneyStat: Local Worm Detection Using Honeypots. In: Proceedings of the 7th RAID (September 2004)Google Scholar
  30. 30.
    Dike, J.: User Mode Linux,
  31. 31.
    Dunlap, G., King, S., Cinar, S., Basrai, M., Chen, P.: ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. In: OSDI 2002 (2002)Google Scholar
  32. 32.
    Jiang, X., Xu, D.: VIOLIN: Virtual Internetworking on Overlay Infrastructure. Technical Report CSD-TR-03-027, Purdue University (July 2003)Google Scholar
  33. 33.
    Jiang, X., Xu, D., Eigenmann, R.: Protection Mechanisms for Application Service Hosting Platforms. In: CCGrid 2004 (April 2004)Google Scholar
  34. 34.
    K2. ADMmutate. CanSecWest/Core01 Conference, Vancouver (March 2001),
  35. 35.
    Kim, H.A., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: Proceedings of the 13th Usenix Security Symposium (August 2004)Google Scholar
  36. 36.
    Nazario, J.: Defense and Detection Strategies against Internet Worms. Artech House Publishers (2004) ISBN: 1-58053-537-2Google Scholar
  37. 37.
    Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. In: Proceedings of Oakland 2005 (May 2005)Google Scholar
  38. 38.
    Perriot, F., Szor, P.: An Analysis of the Slapper Worm Exploit. Symantec White Paper,
  39. 39.
    Perumalla, K.S., Sundaragopalan, S.: High-Fidelity Modeling of Computer Network Worms. In: Proceedings of 20th ACSAC (December 2004)Google Scholar
  40. 40.
    Provos, N.: A Virtual Honeypot Framework. In: Proceedings of the USENIX 13th Security Symposium, San Diego, USA (August 2004)Google Scholar
  41. 41.
    Ptacek, T., Nazario, J.: Exploit Virulence: Deriving Worm Trends From Vulnerability Data. In: CanSecWest/Core 2004 Conference, Vancouver (April 2004)Google Scholar
  42. 42.
    Singh, S., Estan, C., Varghese, G., Savage, S.: Automated Worm Fingerprinting. In: Proceedings of the ACM/USENIX OSDI (December 2004)Google Scholar
  43. 43.
    Sundararaj, A., Dinda, P.: Towards Virtual Networks for Virtual Machine Grid Computing. In: Proceedings of the Third USENIX Virtual Machine Technology Symposium (VM 2004) (August 2004)Google Scholar
  44. 44.
    Szor, P.: Fighting Computer Virus Attacks. In: Invited Talk, the 13th Usenix Security Symposium (Security 2004), San Diego, CA (August 2004)Google Scholar
  45. 45.
    Touch, J.: Dynamic Internet Overlay Deployment and Management Using the X-Bone. In: Proc. of IEEE ICNP 2000 (November 2000)Google Scholar
  46. 46.
    Twycross, J., Williamson, M.M.: Implementing and Testing a Virus Throttle. In: Proceedings of the USENIX 12th Security Symposium, Washington, DC (August 2003)Google Scholar
  47. 47.
    Vahdat, A., Yocum, K., Walsh, K., Mahadevan, P., Kostic, D., Chase, J., Becker, D.: Scalability and Accuracy in a Large-Scale Network Emulator. In: OSDI 2002 (2002)Google Scholar
  48. 48.
    Whalley, I., Arnold, B., Chess, D., Morar, J., Segal, A.: An Environment for Controlled Worm Replication & Analysis (Internet-inna-Box). In: Proceedings of Virus Bulletin Conference (September 2000)Google Scholar
  49. 49.
    Whitaker, A., Shaw, M., Gribble, S.D.: Scale and Performance in the Denali Isolation Kernel. In: Proceedings of USENIX OSDI 2002 (December 2002)Google Scholar
  50. 50.
    White, B., Lepreau, J., Stoller, L., Ricci, R., Guruprasad, S., Newbold, M., Hibler, M., Barb, C., Joglekar, A.: An Integrated Experimental Environment for Distributed Systems and Networks. In: Proceedings of 5th OSDI (December 2002)Google Scholar
  51. 51.
    Yegneswaran, V., Barford, P., Plonka, D.: On the Design and Use of Internet Sinks for Network Abuse Monitoring. In: Proc. of 7th RAID (September 2004)Google Scholar
  52. 52.
    Zou, C.C., Towsley, D., Gong, W., Cai, S.: Routing Worm: A Fast, Selective Attack Worm based on IP Address Information. Umass ECE Technical Report TR-03-CSE-06 (November 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Xuxian Jiang
    • 1
  • Dongyan Xu
    • 1
  • Helen J. Wang
    • 2
  • Eugene H. Spafford
    • 1
  1. 1.CERIAS and Department of Computer SciencePurdue UniversityWest LafayetteUSA
  2. 2.Microsoft Research RedmondUSA

Personalised recommendations