Mass-Mailing Worms: Prevention, Detection and Response

Preventing mass-mailing worms from infecting the PCs in your network is obviously the cornerstone of any reasonable defense against them, but early detection and prompt isolation and recovery of any infections which do occur should be your second line of defense. In this paper I describe the approaches to mass-mailing worm prevention, detection, and incident response that I have developed and used on a large university network. The prevention strategy has encompassed user education and awareness, desktop anti-virus policy, and minimally invasive server-based filtering of incoming email, while the approach to worm detection is based on detecting traffic patterns of worm behavior on the network itself, using readily available open source tools, including the argus real time flow monitor and the Perl scripting language. In this paper I present results which demonstrate the efficacy of our strategies for prevention, behavior-based (as opposed to signature-based) detection, and recovery, and I discuss future directions based on lessons learned to date.
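The abstract describes behavior-based detection from network flow records rather than from mail signatures. The following is an added example, not code from the paper or from the argus project, and it is written in Python rather than the Perl the paper used. It assumes a constructed, simplified flow record format (source, destination, destination port, protocol; argus emits a different format) and flags an internal host that opens SMTP connections to many distinct destinations, the fan-out pattern a mass-mailing worm produces when it bypasses the campus relay. The relay allowlist, the threshold and the sample addresses are all assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (NOT argus output; the field layout is
# an assumption for this example): "src_ip dst_ip dst_port proto".
# 10.1.2.3  : desktop that relays through the campus mail server (benign)
# 10.1.2.7  : desktop talking SMTP directly to many outside hosts (worm-like)
# 10.1.0.25 : the campus mail relay, which legitimately has high fan-out
# 10.1.2.9  : desktop doing ordinary web traffic (ignored)
SAMPLE_FLOWS = """\
10.1.2.3 10.1.0.25 25 tcp
10.1.2.3 10.1.0.25 25 tcp
10.1.2.7 203.0.113.10 25 tcp
10.1.2.7 198.51.100.20 25 tcp
10.1.2.7 192.0.2.30 25 tcp
10.1.2.7 203.0.113.11 25 tcp
10.1.2.7 198.51.100.21 25 tcp
10.1.2.7 192.0.2.31 25 tcp
10.1.0.25 203.0.113.10 25 tcp
10.1.0.25 198.51.100.20 25 tcp
10.1.0.25 192.0.2.30 25 tcp
10.1.0.25 203.0.113.11 25 tcp
10.1.0.25 198.51.100.21 25 tcp
10.1.0.25 192.0.2.31 25 tcp
10.1.2.9 93.184.216.34 80 tcp
10.1.2.9 93.184.216.34 443 tcp
"""

# Hosts that are allowed to speak SMTP to many destinations (assumed value).
MAIL_RELAYS = {"10.1.0.25"}

# Distinct SMTP destinations above which a non-relay host is reported
# (assumed value; tune from a baseline of your own traffic).
FANOUT_THRESHOLD = 5


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, dport, proto) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        records.append((src, dst, int(dport), proto))
    return records


def smtp_fanout(records):
    """Map each source host to the set of distinct hosts it contacted on TCP/25."""
    fanout = defaultdict(set)
    for src, dst, dport, proto in records:
        if proto == "tcp" and dport == 25:
            fanout[src].add(dst)
    return fanout


def suspects(records, threshold=FANOUT_THRESHOLD, relays=MAIL_RELAYS):
    """Return (host, distinct_smtp_destinations) for non-relay hosts over threshold."""
    fanout = smtp_fanout(records)
    return sorted(
        (src, len(dsts))
        for src, dsts in fanout.items()
        if src not in relays and len(dsts) >= threshold
    )


if __name__ == "__main__":
    for host, count in suspects(parse_flows(SAMPLE_FLOWS)):
        print(f"possible mass-mailer: {host} contacted {count} SMTP servers")
```

Only the desktop with direct SMTP fan-out is reported; the relay is excluded by the allowlist, and the desktop that sends through the relay never exceeds one distinct destination. In production the same count would be taken over a sliding time window fed from the live flow source, and the threshold set from a baseline of normal hosts so that legitimate bulk senders are allowlisted rather than alerted on.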

1501 (PDF, 1.62MB)

15 Nov 2004
By Richard Gadsden