SECURITY AND COMMUNICATION NETWORKS

Security Comm. Networks 2015; 8:715–726

Published online 10 June 2014 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1019

RESEARCH ARTICLE

Defeat scanning worms in cyber warfare

Fu-Hau Hsu1 , Li-Han Chen1 * and Chia-Jun Lin2
1
Department of Computer Science and Information Engineering, National Central University, Jhongli City, Taiwan
2
The Master of Science in Information Security Technology and Management, Carnegie Mellon University, Pittsburgh, Pennsylvania

ABSTRACT
In this paper, we propose an automatic defense system, called Serum System, against scanning worms. The homeland
security department of a country can use Serum System to protect its Internet infrastructure. When an infecting host is
infecting a Serum System host, called Serum System Server (SSS), the SSS automatically replaces the shellcode inside the
infecting string with its code (called serum code) and then uses the modified string (called serum string) to counterattack
the infecting host and takes control of it. The serum code transforms the infecting host into a Serum System Client (SSC)
that has the same functions as the SSS and is immune to the same worm. Therefore, infecting hosts attacking SSSs or
SSCs will transform themselves into SSCs. We implemented Serum System on Linux and also built a mathematical model
for Serum System to analyze its effectiveness and bandwidth savings. Our analyses show that with only a small number
of SSSs and through chain counterattacks, Serum System can automatically and rapidly defeat related infected hosts.
Compared with white worms whose spread cannot be controlled, Serum System only spreads on infected hosts. The amount
of accumulative traffic saved by Serum System at time tick 450 reached 90%. Copyright © 2014 John Wiley & Sons, Ltd.

KEYWORDS
computer crime; network security; system security; worm
*Correspondence
Li-Han Chen, Department of Computer Science and Information Engineering, National Central University, No.300, Jhongda Rd.,
Jhongli City, Taoyuan County 32001, Taiwan.
E-mail: lhchen@adl.csie.ncu.edu.tw

1. INTRODUCTION Windows Vista and Windows 7, have been released for

In April 2007 and July 2008, large scale distributed denial
of service attacks against Estonia and Georgia marked the
beginning of using cyber warfare to paralyze the Internet
infrastructure of a country. In both cyber attacks, attackers
used compromised hosts to launch the attacks. In March
2010, Stuxnet worm not only has infected more than
tens of thousands industrial computers but also has con-
ducted sabotage on the facilities controlled by these
computers [1]. Downadup worm infected more than 10
million hosts in early 2010. These events show the poten-
tially destructive power of cyber warfare and its major
goals, that is, creating network traffic congestion and com-
promising hosts.
Although many people believed that scanning worms
are no longer a security threat to the Internet, the major
breeding grounds of scanning worms—old, unpatched, or
less secure operating systems and application programs—
still exist. Statistics of a long-term survey show that
even though several operating systems with enhanced
anti-buffer overflow attack (anti-BOA) solutions, such as
a while, more than 47% of users are still using less
secure operating systems [2], such as Windows XP. Hence,
we believe scanning worms will become a critical cyber
weapon in the future. Table I lists some features of sev-
eral notorious scanning worms. Although some scanning
worms prefer to attack hosts in the same subnet (e.g., local-
ized scan), they still continuously attack external hosts
chosen randomly until being removed.
Even though the development of various promising anti-
BOA solutions [7–9], many worm research and promising
anti-worm solutions have been proposed [10–13], most of
them require widespread deployment of these solutions
and a short response time. However, it is challenging to
satisfy both requirements, especially for household hosts.
Furthermore, patching programs is usually slower than
the spread of worms; hence, when a new vulnerability is
discovered, the related worm already may have scattered
among vulnerable hosts before a patch program is released.
As a result, the Internet is still under the threat of scanning
worms.
In this paper, we propose an automatic curing system,
called Serum System, against scanning worms that contin-

Copyright © 2014 John Wiley & Sons, Ltd. 715

Defeat scanning worms in cyber warfare
Table I. Features Of some notorious scanning worms [3–6].
Name Congestion Continuous attack
Code red Yes Yes
Code red II Yes Yes
Slammer Yes Yes
Blaster Yes Yes
Downadup Yes Yes
uously attack hosts. Serum System provides the homeland
security department of a country a reliable tool to pro-
tect her Internet infrastructure against scanning worms.
Serum System can handle unprotected hosts and requires
only small number of initial deployment of Serum System
Servers (SSSs). Serum System precisely defeats a scan-
ning worm and can solve the traffic congestion caused by
worms. And Serum System does not need to apply patches
to vulnerable programs. Scanning worms spread through
BOA strings, called infecting strings. For a scanning worm,
the same infecting string is used to infect hosts with the
same BO vulnerability. Hence, when an infecting host (i.e.,
a worm host) attacks an uninfected host, the attacking
string is the same string that the other host uses to infect the
infecting host. In other words, if we use the same infecting
string to attack the infecting host via the same vulnera-
bility, we are likely able to compromise that host again.
When an infecting host is infecting the SSS, the SSS auto-
matically replaces the shellcode inside the infecting string
with its code (called serum code) and then uses the modi-
fied string (called serum string) to cure the infecting host.
In this paper, the word “cure” means taking control of the
infecting host and transforming the infecting host into a
Serum System Client (SSC). An SSC has the same func-
tion as an SSS and is immune to the same worm. Any
infecting host attacking an SSS or SSC will make itself an
SSC instead.
We implemented Serum System on a Linux host,
and also built mathematical models for the system to
analyze its effectiveness and the resulting bandwidth
savings. Our analyses show that with only a small
number of SSSs, Serum System can automatically and
rapidly cure the related infected hosts around the world
through chain counterattacks. And the amount of accu-
mulative traffic saved by Serum System at time tick
450 reaches 90%. Compared with white worms and
auto-patch mechanisms, our system is reversible and
more precise.
The rest of this paper is organized as follows. Related
work is surveyed in Section 2. Section 3 introduces the
architecture and discusses some critical design issues of
Serum System. Section 4 evaluates the effectiveness and
performance overhead of Serum System. This section also
builds some mathematical models to analyze the effec-
tiveness and bandwidth saving of the proposed system.
Section 5 discusses our design issues and the future work.
Section 6 concludes the paper.
716
F.-H. Hsu, L.-H. Chen and C.-J. Lin
First scanning strategy Second scanning strategy
Uniform randomized N/A
Localized Randomized
Uniform randomized N/A
Sequential Randomized
Localized Randomized
2. RELATED WORK
There has been much work on the automatic generation of
worm signatures. Polygraph [11] generates a worm signa-
ture based on the invariant parts of various network traffic
associated with the same polymorphic worm; thus, it pro-
vides more robust protection to hosts against polymorphic
worms. However, this work suffers from non-trivial false
positives and false negatives. Cavallaro et al. proposed an
automated content-based signature generation system for
polymorphic worms based on invariant byte analysis of
network traffic content [14]. ShieldGen [15] automatically
generates signatures for a wide range of attacks if a zero-
day attack instance is provided. Even though ShieldGen
can effectively reduce the number of false positives, it has
non-trivial false negatives.
There has also been much work discussing, classifying,
or modeling the behavior of various worms, and illus-
trating the connection between worms and cyber warfare
[16]. Ma et al. discussed a new stealthier-type worm—
a self-stopping worm that could coordinate its members
to halt infection activity after the vulnerable population
is subverted [17]. According to the Kermack–Mckendrick
model, Zou et al. took internet service provider (ISP) coun-
termeasures and traffic congestion into account to build
a two-factor worm model to more accurately describe
worms behavior [18]. Chen et al. presented a mathemati-
cal model, Analytical Active Worm Propagation (AAWP),
to characterize the propagation of worms that uses ran-
dom scanning [19]. Rajab et al. modified the afore-
mentioned models and added a non-uniform scanning
element [20].
Except for automatic worm signature generation, con-
tainment and auto-patch are two major approaches devel-
oped to defend against worms. Zou et al. quarantines a host
whenever its behavior looks suspicious by blocking traffic
on its anomaly port [21]. After a short time, the system will
unlock related ports. The main purpose of this design is
not to control worm spread but to decrease worm propaga-
tion speed so that users can have more time to implement a
solution. Vigilante [12], an end-to-end approach to contain
worms automatically, utilizes dynamic dataflow analysis
to capture various worms. After creating a worm signa-
ture, an end host broadcasts the signature to its peers.
Each peer verifies the signature before using it. Through
a series of experiments, Moore et al. surveyed how well
any approach could contain a worm epidemic on the
Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F.-H. Hsu, L.-H. Chen and C.-J. Lin
Table II. The difference between white worm, anti-worm, and Serum System.
Traffic Curing
Name amount speed Precision
Serum system Low Fast High
White worm High Fast Low
Anti-worm
Passive High Fast High
Active High Fast Low
IDS-based High Fast Medium
IDS, intrusion detection system.
Internet [22]. They concluded that the reaction time is a
critical factor in a successful containment solution. How-
ever, current techniques and administration systems may
not be able to contain worm propagation successfully. In
addition, they also found that content filtering is more
effective than address blocking. ARMORY [23] provided
a kernel solution to automatically detect BO defects from
application source code.
PASAN [10] instrumented a network applications
source code with extra instructions to detect control hijack-
ing and to record run-time information from which it
can derive an attack signature and patch for the detected
attack. As for research about white worms [24,25], there
were analyses and discussions about them but no practical
implementation has been completed. Besides, it is difficult
to control the spread of a white worm. Castaneda et al.
proposed a method similar to Serum System to disinfect
infected hosts by transforming a malicious worm into an
anti-worm and have implemented some proofs of concept
[26]. They also analyzed the effectiveness of active coun-
terattack mechanism. In Serum System, disinfection code
is dispatched to an infecting host from an SSS or SSC
when the infecting host is infecting the SSS or SSC. How-
ever, anti-worms need to download disinfection code from
specific hosts; hence, these hosts may encounter traffic
congestion and launch denial of service/distributed denial
of service attacks against these hosts. Moreover, because
Serum System stores various serum strings in each SSS
and SSC, an SSS or SSC may utilize other unpatched vul-
nerabilities to cure an infecting worm. Active anti-worms
can only spread on hosts that are not infected by a patch
worm. Furthermore, while Serum System only counter-
attacks infected hosts, white worms, active anti-worms,
and intrusion detection system (IDS)-based anti-worms
may counterattack hosts that are not infected by a worm.
Hence, Serum System is more accurate than previous solu-
tions. Table II compares Serum System with white worms
and anti-worms.
3. ARCHITECTURE
In this section, we discuss the architecture of Serum
System, the constituent hosts of the System (SSS and
Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Defeat scanning worms in cyber warfare
Patch Disinfection code Need faster
Worm dispatch than worm?
Partially Distributed No
No No Yes
No Centralized No
Uninfected Centralized Yes
No Centralized Yes
SSC), and the major components of the constituent hosts
as well as their functionality.
3.1. System components
Serum System consists of two host types, SSS and SSC,
containing the same components: sanitizer, redirector,
downloader, and uploader. However, the functionality of
each component may vary with the host type. The follow-
ing is a brief description of each component.
3.1.1. Sanitizer.
A sanitizer is the core of an SSS and an SSC. It sani-
tizes infecting string and converts them into serum strings.
It takes input strings from a redirector, filters out, and drops
input strings, which match the characteristics of an infect-
ing string. To find infecting strings, a sanitizer uses the
signatures provided by a collaborative BOA signature gen-
erator, such as Aurora [9], STRIDE [27], and Sigfree [28],
which could locate shellcode inside an infecting strings.
Currently, we use Aurora to implement sanitizers. Aurora
uses the invariant properties, such as no-operation (NOP)
sled and deviation address, to detect BOAs, so it can also
detect the variants using the same vulnerability. Then, the
sanitizer replaces the shellcode with serum code to gener-
ate a serum string. If the detected infecting string is from
an external host, the sanitizer uses the serum string to cure
the external host. If the detected string is from an internal
process, the sanitizer removes the process and the related
program. Besides, the sanitizer drops the string directly
to prevent an infecting host from continuously infecting
other hosts.
3.1.2. Redirector.
Through adjusting the firewall (such as iptables on a
Linux platform) of the host that executes a piece of serum
code, a redirector redirects input strings that will be sent to
a vulnerable process to a sanitizer for pre-processing. The
vulnerable process is the target of the infecting string that
triggers the counterattack procedure. Moreover, the vulner-
able process could be a local process or a network service
in a remote host.
717
Defeat scanning worms in cyber warfare
3.1.3. Downloader and uploader.
A downloader constitutes the major part of serum code.
When being executed in an infecting host, a downloader
will connect to the uploader in the SSS or SSC who
sends the serum code to download a sanitizer, redirector,
uploader, and the source code of the downloader to the
infecting host.
3.2. Workflow of Serum System Server and
Serum System Client
In this subsection, we describe how each component of an
SSS or SSC works together to cure an infecting host and
transform it into an SSC.
Figure 1 illustrates the workflow of an SSS. When
an IDS with an automatic signature generator detects an
infecting string (1), it sends the string and properties of
the string, such as the signature, location and length of
the NOP sled, target port, and location of the address
that will redirect the attacked process execution flow to
the shellcode, to the sanitizer (2). Based on the infor-
mation provided by the IDS, the sanitizer replaces the
shellcode inside the infecting string with serum code to
create a serum string and then sends the serum string to
the infecting host (3). The serum string is sent to the vul-
nerable process to take control of the infecting host. The
vulnerable process is the previous victim of the infect-
ing string. Via the same vulnerability, the serum code
is executed (4). The major part of the serum code is a
downloader that will connect back to the uploader of the
SSS (5) to download the whole program set of Serum
System (6).
After downloading the program set, the downloader
will follow the steps described in Section 3.3 to invoke
related programs inside the set to transform the infect-
ing host into an SSC. The workflow of an SSC is similar
to that of an SSS, but its information about an infect-
ing string is provided by an SSS or an SSC, instead of
an IDS.
Serum System Server Infecting Host
(3)
vulnerable
sanitizer Process
(2)
IDS (1)
worm
redirector
sanitizer
redirector
downloader
downloader
(6) uploader
uploader (5)
downloader
Figure 1. Workflow of a Serum System Server.
718
F.-H. Hsu, L.-H. Chen and C.-J. Lin
3.3. Dataflow of Serum System Client and
Serum System Server
After the sanitizer, redirector, downloader, and uploader
are downloaded to the infecting host, the serum code exe-
cutes the sanitizer and the redirector first. The redirector
adjusts the firewall of the infecting host and redirects input
strings toward a vulnerable process to the sanitizer. Then,
the serum code executes the uploader as a network service,
in order to prepare for transmitting Serum System to other
downloaders. Finally, the infecting host is reformed into
a SSC.
The sanitizer of an SSS uses the signatures provided by
a collaborative BOA signature generator. And the sanitizer
of SSC uses the signatures forwarded by an SSS or an SSC
to find infecting strings. If the origination of a detected
infecting string is an external host, the sanitizer replaces
the shellcode inside the string with serum code to create a
serum string and then uses the string to cure the external
host. If the origination of a detected string is an internal
process, the sanitizer drops the string directly to stop an
infecting host continuously infecting other hosts. Other-
wise, the sanitizer forwards the sanitized strings to their
original destinations. Figure 2 gives an overview of the
aforementioned steps. After these steps, the infecting host
is transformed into an SSC, which not only is immune from
the same infecting string but also can cure other infect-
ing hosts that were infected by the same infecting string.
An SSC uses the same approach described in the previous
subsection to cure other infecting hosts.
3.4. Merging sanitizers
When curing an infecting host compromised by a worm,
Serum System will install a sanitizer in the infecting host.
Hence, in principle, each worm has a dedicated sanitizer in
an infecting host to handle it. If a host is attacked by several
worms, several sanitizers against different worms would
be installed on the same host. To save system resources,
SSC vulnerable
process
(4)
sanitizer to a remote
(drop strings matching service
infecting strings and
normal forward sanitized
process strings)
outgoing traffic
to a remote vulnerable service
worm or incoming strings
BO botnet redirector
Figure 2. Dataflow of an Serum System Client.
Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F.-H. Hsu, L.-H. Chen and C.-J. Lin Defeat scanning worms in cyber warfare

sanitizers protecting the same port of a vulnerable program

are merged into one, even though originally these sanitiz-
ers are used to handle distinct worms. Thus, when a new
sanitizer is installed in an infecting host to handle traffic to
a port of a vulnerable program, it will look up the firewall
rules first to see whether the traffic to the port has been
redirected to an old sanitizer. If such a redirection exists,
the new sanitizer requests the old sanitizer to send its worm
signatures to it. After transmitting all its signatures, the
old sanitizer closes all its ports to allow the new sani-
tizer to take them over and then terminates itself. After the
aforementioned steps, the new sanitizer becomes the only
sanitizer used to handle traffic to the related port. Commu-
nication between the two sanitizers proceeds through the
aforementioned port in a special string format.
4. EVALUATION
In this section, we design various experiments to evaluate
the effectiveness and efficiency of Serum System.
4.1. Effectiveness
In this subsection, we use six real hosts to perform a curing
effectiveness evaluation and also simulate worm spreading
in a huge network by using a mathematical model.
4.1.1. Curing effectiveness.
This experiment shows (i) that an SSS can cure an
infecting host and transform it into a curing host and (ii)
the curing behavior can be propagated to other infecting
hosts. In our experiments, the vulnerable program we used
is peercast program with BO vulnerability (CVE-2006-
1148). Six real hosts, A, B, C, D, E, and F are used in the
experiments, as shown in Figure 3. Initially, host A is an
SSS, and hosts B, C, D, E, and F are infecting hosts with
the unpatched peercast program. First, we used hosts
B and C to attack host A; then, we used hosts D and E to
attack host B. Host F launched attack to host C. Experi-
mental results show Serum System can automatically cure
infecting hosts B and C and transform them into SSC,
which in turn cured infecting hosts D, E, and F and also
transformed them into SSC. This experiment shows that
Figure 3. Experimental setup. Host A is a Serum System
Server. Initially, hosts B, C, D, E, and F are infecting hosts.
Serum System can handle unprotected hosts and cure all
infecting hosts.
In the experiment, if the attack order changes, it seems
that not all hosts can be cured. Such as host D infects
host B and then host B attacks host A. Host D will not
be cured in this situation. However, research shows that
an infecting host, such as host D, will continue launching
attacks against other hosts. As the number of cured hosts
increased, soon or later, the infecting host will attack an
SSS, SSC, or a cured host. Therefore, it still will be cured
by our Serum System.
4.1.2. Mathematical model and analysis.
In this subsection, we analyze the model of worm
spreading and evaluate the effectiveness of our system. We
developed our model based on the AAWP model [19] and
assume that vulnerable hosts are uniformly distributed in
the whole IPv4 space to simplify the task of modeling and
analysis. Table III gives the definition of the notations used
in the model. Because an infected host will try to infect
others, it is also an infecting host. Hence, in the notation
table, an infected host is also an infecting host and vice
versa. Because a worm host (i.e., an infecting host) usu-
ally randomly decides its targets, the S hosts scanned by an
infecting host per time tick may be repeated.
According to AAWP, the probability that a vulnera-
ble host is attacked at least once at time tick i can be
represented as
 sni
Pi = 1 – 1 – 1/232 (1)
Because a vulnerable host may become an infecting host
which in turn may become a curing host, the number of

Table III. Notation table.

Symbol Quantity

Pi Probability that a vulnerable host is attacked at least once at time tick i.

ni Number of infected hosts at time tick i.
Ii Number of curing hosts (i.e., SSSs or SSCs) at time tick i. (I0 is equal to the number of SSSs.)
Ri Overall probability that infecting hosts are cured successfully at time tick i.
S Number of hosts scanned by an infecting host per time tick.
Vi Number of vulnerable hosts at time tick i.
˛ Probability that an infecting host is cured successfully by a curing host at time tick i.
SSS, Serum System Serve; SSC, Serum System Client.

Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd. 719
DOI: 10.1002/sec
Defeat scanning worms in cyber warfare F.-H. Hsu, L.-H. Chen and C.-J. Lin

vulnerable hosts at time tick i is the number of vulnerable ing pattern, the possibility that the infecting host will be
host at time tick i – 1 minus the number of increased curing cured is 1 – (1 – ˛)x . Hence, Ri and Ii are described using
hosts in the previous time tick: Equations (4) and (5), respectively:

Vi = Vi–1 – Ii + Ii–1 (2) s

X  
  I 232 –Ii–1 32
Ri = 1 – (1 – ˛)x Cxi–1 Cs–x Cs2 (4)
On the basis of Equations (1) and (2), we can use x=1
Equation (3) to denote the number of infecting hosts at time
tick i: Ii = Ii–1 + ni–1 Ri–1
( s
 h  sni–1 i X 
ni = ni–1 + Vi–1 – ni–1 1 – 1 – 1/232 = Ii–1 + ni–1 1 – (1 – ˛)x
(3)
x=1
– Ii + Ii–1  
I 232 –Ii–2 32
Cxi–2 Cs–x /Cs2 (5)
32
Let Cs2 represent the number of combinations of
selecting S hosts from 232 hosts. Here, S is the number of 4.1.3. Infection and cure analysis.
targets that an infecting host tries to infect per time tick. On the basis of the previous equations, we can cal-
32
As a result, CxIi Cs–x
2 –Ii
is equal to the number of infect- culate the number of infecting hosts and the number of
ing patterns that an infecting host may have at time tick i curing hosts at different time ticks. The results are shown
when x of its S targets are curing hosts. For each infect- in Figures 4 and 5.

5 5
x 10 x 10
7 7

6 6

5 5
host number

host number

4 4

3 3

2 2

1 1

0 0
0 100 200 300 400 500 0 100 200 300 400 500
time tick time tick
(a) (b)
Figure 4. Curing effect of Serum System for Internet worms.

5 5
x 10 x 10
7 7

6 6

5 5
host number
host number

4 4

3 3

2 2

1 1

0 0
0 100 200 300 400 500 0 100 200 300 400 500
time tick time tick
(a) (b)
Figure 5. Curing effect of Serum System for stealthy worms.

720 Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F.-H. Hsu, L.-H. Chen and C.-J. Lin
Table IV. The parameters used in the calculation
in Section 4.1.3.
Symbol Value
Total hosts 224 hosts
S 10 or 200 times/time tick
n0 500 hosts
V0 10  216 hosts
I0 50 or 500 hosts
˛ 1
The parameters used in the calculation are listed in
Table IV. The two different scan rates are used to sim-
ulate the different infection patterns of worms emphasiz-
ing stealth and Internet worms. For worms emphasizing
stealth, we used a low scan rate to imitate their spread
behavior. On the other hand, Internet worms try to com-
promise as many hosts as possible in a short time; thus, we
used a high scan rate to mimic their propagation method.
Because recent worms try to infect hosts within the same
network first, we use a class A network, which consists of
224 hosts as the simulated network.
Figure 4 shows the simulation results of an Internet
worm. Figure 5 shows the simulation results of a worm
emphasizing stealth. All results show that Serum System
can completely quell and cure Internet worms and low
scan rate worms, even when the initial number of SSSs
is only 50. For the stealthy worm, Serum System takes
slightly longer to cure all hosts, because the counterattack
rate is proportional to the scan rate. In fact, according to
the results, except under low scan rates and low numbers of
vulnerable hosts, the number of SSSs (i.e., initial number
of curing hosts) does not greatly change the time to cure
the whole worm. Hence, widespread deployment is not a
critical issue for the success of Serum System.
The four figures in Figures 4 and 5 show that with more
vulnerable hosts, the higher percentage of vulnerable hosts
will be compromised. All infecting hosts will be cured by
Serum System. The sharp curing curves in the figures also
show that soon after the number of infecting hosts reaches
its maximum. Serum System cures a worm very quickly
with a small-scale initial deployment of SSSs. Therefore,
Serum System need not to be faster than the speed of
worm spreading.
4.2. Performance overhead
The performance overhead of a curing host is generated by
the sanitizer and redirector, because these two components
need to check input strings and perform their correspond-
ing functions. We used two hosts, hosts A and B, to test
the performance overhead of proxy mechanism introduced
by a curing host. The same peercast program used in
the effectiveness tests was installed in host A. Here, host A
may be a curing host or a normal host. In either case, in host
B, we measured the time it took to receive a response from
the peercast program after host B sent a string to the
Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Defeat scanning worms in cyber warfare
peercast program. The aforementioned measurement
was made 5000 times for both cases. Experimental results
show that when host A is a normal host, the average time of
the aforementioned tests is 0.00824 s. And when host A is
a curing host, the average time of the aforementioned tests
is 0.009343 s. Hence, the overhead is 13.3% (0.0011 s).
However, because a network service is usually much more
complicated than a peercast program, 13.3% can be
deemed as an upper bound of the performance overhead
introduced by a curing host.
4.2.1. Processing time.
In this subsection, we discuss the time a curing host
spends to handle an infecting string. We call this time the
curing time. In fact, curing time is the time that a cur-
ing host spends to finish steps (2)–(6) of Figure 1. The
average time of curing time in 10000 measurements is
0.0000274 s. We also discuss the time it takes to transform
an infecting host into an SSC after a curing host has sent
all Serum System related programs to the infecting host.
We call this time the transforming time. We added some
code in the infecting host to measure the transforming time.
The average time of transforming time in 10000 measure-
ments is 0.374828 s. The curing time and transforming
time influence the performance of Serum System. Serum
System cannot spend too much time on a single host, espe-
cially during the attack period of worms. The experimental
results show that the transforming time and the curing time
are very short, so an SSS or SSC can cure an infecting
host quickly.
4.2.2. Network traffic overhead.
Network traffic overhead is mainly created by the traf-
fic used to transmit Serum System related programs to the
infecting hosts. We use a sniffer to collect the amount of
traffic transmitted between a curing host and an infecting
host. The traffic overhead is 28 769 bytes, which is unlikely
to affect the bandwidth of a network link. If a local net-
work is under attack by worms, the heavy network traffic
may affect the efficiency of Serum System. Therefore, the
low traffic overhead of our system ensures the success rate
of curing procedure.
4.2.3. Network traffic amount analysis.
In this subsection, we discuss the total amount of traffic
generated by a worm and Serum System so that we can
calculate the amount of traffic saved by the system. Table V
lists the notations used in our analysis model.
Based on the equations derived in the previous sub-
section, Xi and Yi can be represented by the following
equations:
Xi = ni  S  z (6)
0
Yi = (Ii+1 – Ii )  (z ) (7)
According to [29], the size of the core part of a Dow-
nadup file is 58 KB. However, after being installed in a
compromised host, Downadup downloads more files into
721
Defeat scanning worms in cyber warfare F.-H. Hsu, L.-H. Chen and C.-J. Lin

Table V. Notations used in traffic amount analysis.

Symbol Quantity

Xi Total amount of traffic produced by all infecting hosts at time tick i when a Serum System is used.
Yi Total amount of traffic produced by all curing hosts at time tick i when a Serum System is used.
Wi Total amount of traffic produced by all infecting hosts at time tick i when no Serum System is used.
z Amount of traffic produced by a single infecting host per infection.
0
z Amount of traffic produced by a single curing host per counterattack.
mi The number of infected hosts at time tick i when no Serum System is used.

9 9
x 10 x 10
8 8

7 7

6 6
traffic (unit:KB)

traffic (unit:KB)
5 5

4 4

3 3

2 2

1 1

0 0
0 100 200 300 400 500 0 100 200 300 400 500
time tick time tick
(a) (b)
Figure 6. Amount of traffic produced by infecting hosts and serum hosts when rate is 200 times/time tick.

8 8
x 10 x 10
5 5
4.5 4.5
traffic amount (unit:KB)

traffic amount (unit:KB)

4 4
3.5 3.5
3 3
2.5 2.5
2 2
1.5 1.5
1 1
0.5 0.5
0 0
0 100 200 300 400 500 0 100 200 300 400 500
time tick time tick
(a) (b)
Figure 7. Amount of traffic produced by infecting hosts and serum hosts when rate is 10 times/time tick.

the host; this fact will be ignored for simplicity. Hence,
z is equal to 58 KB, and the results in this subsection
can be deemed as either the minimum traffic amount that
Downadup will create or the minimum traffic amount that
Serum System can save. Besides, according to the previous
subsection, z is equal to 28 KB. Thus, with the aforemen-
tioned data and the parameters used in Section 4.1.2, we
can obtain the amount of the traffic created by infecting
hosts and curing hosts during the first 500 time ticks, as
shown in Figures 6 and 7.
At both high (Figure 6) and low (Figure 7) scan rates,
the amount of traffic generated by curing hosts is far less
than that created by infecting hosts. The experiments show
that Serum System only need a small amount of traffic to
cure all hosts. The amount of traffic generated by Serum
System has little influence on the network traffic.

722 Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F.-H. Hsu, L.-H. Chen and C.-J. Lin Defeat scanning worms in cyber warfare

100 100
90 90
80 80
70 70

percent (%)
percent (%)

60 60
50 50
40 40
30 30
20 20
10 10
0 0
0 100 200 300 400 500 0 100 200 300 400 500
time tick time tick
(a) 10 times / time kick (b) 200 times / time kick

Figure 8. Percentage of amount of traffic saved by Serum System at various time ticks for different scan rate.

100 100
90 90
80 80
70 70
percent (%)
percent (%)

60 60
50 50
40 40
30 30
20 20
10 10
0 0
0 100 200 300 400 500 0 100 200 300 400 500
time tick time tick
(a) 10 times / time kick (b) 200 times / time kick

Figure 9. Percentage of amount of accumulated traffic saved by Serum System at various time ticks for different scan rate.

We also compare the amount of network traffic with and
without Serum System. According to AAWP, mi and Wi
can be calculated using the following equations:
h  smi–1 i
mi = mi–1 + (Vo – mi–1 ) 1 – 1 – 1/232
W i = mi  S  z
Hence, the amount of traffic saved by Serum System at
time tick i is as follows:
0 faster scan rate of the worm, the percentage of accumulated
Wi – (Xi + Yi ) = (mi – ni )  S  z – (Ii+1 – Ii )  z
And when a worm breaks out, the ratio of the traffic amount
saved by Serum System at time tick i to the traffic amount
appearing in the Internet when no Serum System is used
0
at time tick i is ((mi – ni )  S  z – (Ii+1 – Ii )  z )/Wi .
Figure 8 shows that Serum System can successfully sup-
press worm traffic. Although Serum System cannot control
the network traffic at the beginning of a worm attack,
as the worm attack proceeds, large amount of attack
traffic is suppressed by Serum System. Because worms
(8)
usually generate a huge amount of attack traffic, Serum
System can effectively reduce a considerable amount of
attack traffic.
(9)
Figure 9 shows the percentages of accumulated traf-
fic saved by Serum System between time tick 0 and time
tick 500. Under both low and high scan rates, the percent-
age is up to 90% at time tick 450. In addition, with the
(10) traffic saved by Serum System also increases at a faster
rate. Hence, Serum System can significantly solve the traf-
fic congestion problem caused by Internet worms. With a
strong and proper counterattack mechanism, such as Serum
System, the accumulated traffic generated by worms can
be greatly reduced.

Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd. 723
DOI: 10.1002/sec
Defeat scanning worms in cyber warfare
5. DISCUSSIONS
In this section, we discuss some design issues and enhance-
ments that we plan to make in the future and several
applications that can be performed on the basis of the
techniques adopted by the proposed Serum System.
5.1. Design issues
The first issue is the length of the serum code. The sani-
tizer replaces the shellcode inside an infecting string with
serum code to create a serum string. In order to avoid
destroying the structure of the infecting string (such as the
content, location, and length of the NOP sled, and the con-
tent and the location of the address used to redirect the
execution flow to the shellcode) so that the serum string can
have the same infecting capability as the original infecting
string, the length of the serum code should be as small as
possible. In fact, the length of the serum code should be
shorter than the length of the shellcode inside the related
infecting string. Currently, the length of our serum code is
only 149 bytes. Because the major part of the serum code
performs only a download behavior, we believe that the
length of serum code is smaller than the shellcode lengths
of most infecting strings, which usually need to perform
more work than just downloading. One probable excep-
tion is that inbuilt connection commands (such as ftp or
wget) are used by worms that do not care to reveal their
features. Nevertheless, under this situation, our serum code
can utilize the same approach to further reduce its size. Our
current serum code has been published by exploit-db [30]
on its website.
The second issue is patching. Until now, except for
botnets, most Internet worms do not apply patches to
seal the security vulnerabilities through which the worms
obtain the control of hosts. We cannot rule out the pos-
sibility that future worms will adopt this approach to
avoid their hosts being taken over by other worms through
the same security vulnerability. Serum System solves this
problem by saving multiple serum strings for various
vulnerabilities in curing hosts and using them when the
current one does not work. The solution is based on the
observation that a host usually has several vulnerabili-
ties. However, patching is not free for worms. It will
increase the complexity of worms, which in turn usually
reduces their stability and stealth, thus making detection
of them easier. Moreover, after a patch is applied to a pro-
gram, the program usually needs to be restarted. In some
cases, the whole system may even need to be rebooted,
which can slow down the worm propagation speed and
may attract the attention of the administrator of an
infecting host.
The third issue is repeated cure to an infecting host.
When spreading an Internet worm, an infecting host of
some worms may fork multiple threads to spread the
worms. In this case, each thread works independently to
infect other hosts. Hence, it is possible that several curing
724
F.-H. Hsu, L.-H. Chen and C.-J. Lin
hosts try to cure the same infecting host simultaneously.
As a result, the cure procedure, which includes upload-
ing programs to the infecting host and installing them
on the host, will occur repeatedly. Because the infect-
ing host only needs to be cured once, all other cures
are just a waste of system resources. To avoid the waste,
a sanitizer also filters out and drops serum strings from
input strings.
The fourth issue is how Serum System defeats new
worms or the variants of them. We use Aurora as the
BOA detector in our system. Aurora detects new BOAs by
using NOP sled and the deviation address, which are the
indispensable properties in a successful BOA. We believe
most variants of a single worm use the same vulnerability,
so the indispensable properties will not change. There-
fore, Aurora can detect the variants correctly in normal
circumstance. More details are presented in [9].
5.2. Future work
Except for the worms themselves, modern worms usually
download and install other malware to the hosts infected
by them. The current version of Serum System only blocks
traffic created by worms. It does not remove the worms
and related malware from an infecting host. In the future,
we plan to add the aforementioned function to the Serum
System by utilizing relative processes of the worm process.
By discovering the process that sends infecting strings, we
can find the worm process. Because malware brought to
an infecting host by a worm is usually downloaded and
installed by a process created by a worm, finding the worm
process and all its child processes and the programs that
are executed or created or downloaded by these processes
may help us to locate and remove the worm and related
malware.
The current Serum System could not handle a worm that
works after exchanging multiple messages with its targets.
For example, the Serum System could not counter back to
the worm that performed the exploit under secure sockets
layer. The problem could be solved by recording the previ-
ous steps and packets, distinguishing the type of protocol
or authentication, and replaying the attack scenario after
a connection is established. As for the encoded shellcode,
like alphanumeric shellcode and the English shellcode,
the replacement mechanism of shellcode payload could be
modified to ensure that the serum string is also encoded.
Besides, in the future, we plan to implement the Serum
System on Windows system.
Because the Serum System allows us to take control of
an infecting host, based on the techniques developed, many
new mechanisms can be further developed to solve vari-
ous difficult security problems, such as tracing back to the
source of an attack launched through many stepping-stone
hosts. The tracing back solution may further help solve the
list worms because if an SSS is in the attack list of a list
worm, it can use the solution to find and cure the infected
hosts.
Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F.-H. Hsu, L.-H. Chen and C.-J. Lin
6. CONCLUSIONS
In this paper, we propose and implement an automatic
scanning worm curing system, Serum System, to defeat
scanning worms in cyber warfare. The proposed system
can handle unprotected hosts, demands only a small-scale
initial deployment of SSSs, can tolerate long response
time, can cure a worm precisely, and does not apply
patches to vulnerable programs. Various experimental
results and analyses showed that with only a small number
of SSSs and through chain counterattacks, Serum Sys-
tem can automatically and rapidly cure the related infected
hosts around the world. And the accumulated amount of
traffic saved by Serum System at time tick 450 reaches
90%; hence, Serum System can significantly help in solv-
ing the traffic congestion problem caused by scanning
worms in cyber warfare. Compared with white worms and
auto-patch mechanisms, our system is reversible and is
more precise. Serum System can also greatly decrease the
colossal amount of traffic created by worms and quickly
mitigate the traffic congestion problem generated by them.
Furthermore, based on the techniques developed by Serum
System, many new mechanisms may be developed to solve
various difficult security problems, such as tracing back
to the source of an attack that is launched through many
stepping-stone hosts.
ACKNOWLEDGEMENT
This paper was partially supported by National Science
Council projects. The project numbers are NSC 100-
2218-E-008-013-MY3, NSC 101-2221-E-008-028-MY2,
and NSC 103-2623-E-008-003-D.
REFERENCES
1. Kaspersky L. Kaspersky lab provides its insights on
stuxnet worm. Kaspersky Lab, 2010. Available from:
http://www.kaspersky.com/about/news/virus/2010/
Kaspersky_Lab_provides_its_insights_on_Stuxnet_
worm. Accessed on 28 March 2012.
2. Os Statistics. w3schools, 2012. Available from:
http://www.w3schools.com/browsers/browsers_os.asp.
Accessed on 10 March 2012.
3. Teeraruangchaisri K. Code red and code red ii: double
dragons, 2001. Available from: http://www.sans.org/
reading_room/whitepapers/malicious/code-red-code-
red-ii-double-dragons_88. Accessed on 20 May 2012.
4. Krishnan S, Kim Y. Passive identification of conficker
nodes on the Internet. Technical Report, University of
Minnesota, 2009.
5. Symantec. The Downadup codex: a comprehensive
guide to the threat’s mechanics edition 2.0. Syman-
tec, 2009. Available from: http://www.symantec.com/
content/en/us/enterprise/media/security_response/
Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
Defeat scanning worms in cyber warfare
whitepapers/the_downadup_codex_ed2.pdf. Accessed
on 20 May 2012.
6. Chen Z, Ji C. Intelligent worms: searching for preys,
2006. Available from: http://www.ams.org/samplings/
math-awareness-month/06-Chen-Ji.pdf. Accessed on
20 May 2012.
7. Hsu FH, Guo F, Chiueh T. Scalable network-based
buffer overflow attack detection. In Proceedings of
the 2006 ACM/IEEE Symposium on Architecture for
Networking and Communications Systems, ANCS ’06.
ACM: New York, NY, USA, 2006; 163–172.
8. Shacham H. The geometry of innocent flesh on the
bone: return-into-libc without function calls (on the
x86). In Proceedings of the 14th ACM Conference
on Computer and Communications Security, CCS ’07.
ACM: New York, NY, USA, 2007; 552–561.
9. Chen LH, Hsu FH, Huang CH, Ou CW, Lin
CJ, Liu SC. A robust kernel-based solution to
control-hijacking buffer overflow attacks. Journal of
Information Science and Engineering 2011; 27(3):
869–890.
10. Smirnov A, Chiueh TC. Automatic patch genera-
tion for buffer overflow attacks. International Sym-
posium on Information Assurance and Security 2007;
0: 165–170.
11. Newsome J, Karp B, Song D. Polygraph: automati-
cally generating signatures for polymorphic worms. In
Proceedings of the 2005 IEEE Symposium on Secu-
rity and Privacy, SP ’05. IEEE Computer Society:
Washington, DC, USA, 2005; 226–241.
12. Costa M, Crowcroft J, Castro M, Rowstron A,
Zhou L, Zhang L, Barham P. Vigilante: end-to-end
containment of Internet worms. In Proceedings of
the Twentieth ACM Symposium on Operating Systems
Principles, SOSP ’05. ACM: New York, NY, USA,
2005; 133–147.
13. Jiang X, Buchholz F, Walters A, Xu D, Wang YM,
Spafford EH. Tracing worm break-in and contamina-
tions via process coloring: a provenance-preserving
approach. IEEE Transactions on Parallel and Dis-
tributed Systems 2008; 19(7): 890–902.
14. Cavallaro L, Lanzi A, Mayer L, Monga M. Lisabeth:
automated content-based signature generator for zero-
day polymorphic worms. In Proceedings of the Fourth
International Workshop on Software Engineering for
Secure Systems, SESS ’08. ACM: New York, NY,
USA, 2008; 41–48.
15. Cui W, Peinado M, Wang HJ, Locasto ME. Shieldgen:
automatic data patch generation for unknown vulner-
abilities with informed probing. In Proceedings of the
2007 IEEE Symposium on Security and Privacy, SP
’07. IEEE Computer Society: Washington, DC, USA,
2007; 252–266.
725
Defeat scanning worms in cyber warfare
16. Weaver N, Paxson V, Staniford S, Cunningham R.
A taxonomy of computer worms. In Proceedings
of the 2003 ACM Workshop on Rapid Malcode,
WORM ’03. ACM: New York, NY, USA, 2003;
11–18.
17. Ma J, Voelker GM, Savage S. Self-stopping worms.
In Proceedings of the 2005 ACM Workshop on Rapid
Malcode, WORM ’05. ACM: New York, NY, USA,
2005; 12–21.
18. Zou CC, Gong W, Towsley D. Code red worm prop-
agation modeling and analysis. In Proceedings of the
9th ACM Conference on Computer and Communica-
tions Security, CCS ’02. ACM: New York, NY, USA,
2002; 138–147.
19. Chen Z, Gao L, Kwiat K. Modeling the spread of active
worms, INFOCOM 2003. Twenty-Second Annual Joint
Conference of the IEEE Computer and Communica-
tions, IEEE Societies, vol. 3, San Francisco, CA, USA,
2003; 1890–1900.
20. Rajab MA, Monrose F, Terzis A. On the effective-
ness of distributed worm monitoring. In Proceedings
of the 14th Conference on USENIX Security Sympo-
sium - Volume 14, SSYM’05. USENIX Association:
Berkeley, CA, USA, 2005; 15–15.
21. Zou CC, Gong W, Towsley D. Worm propagation
modeling and analysis under dynamic quarantine
defense. In Proceedings of the 2003 ACM Workshop
on Rapid Malcode, WORM ’03. ACM: New York, NY,
USA, 2003; 51–60.
22. Moore D, Shannon C, Voelker GM, Savage S.
Internet quarantine: requirements for containing self-
propagating code, INFOCOM 2003. Twenty-Second
Annual Joint Conference of the IEEE Computer
and Communications, IEEE Societies, vol. 3, San
Francisco, CA, USA, 2003; 1901–1910.
726
F.-H. Hsu, L.-H. Chen and C.-J. Lin
23. Chen LH, Hsu FH, Hwang Y, Su MC, Ku WS,
Chang CH. Armory: an automatic security testing tool
for buffer overflow defect detection. Computers and
Electrical Engineering 2013; 39(7): 2233–2242, DOI:
10.1016/j.compeleceng.2012.07.005.
24. Kleiner K. Viral cure could ‘immunise’ the inter-
net. NewScientist Tech, 2005. Available from: http://
www.newscientist.com/article/dn8403-viral-cure-
could-immuni se-the-internet.html. Accessed on 20
May 2012.
25. Schneier B. Benevolent worms, 2005. Available
from: http://www.schneier.com/blog/archives/2005/
12/benevolent_worm.html. Accessed on 20 May 2012.
26. Castaneda F, Sezer EC, Xu J. Worm vs. worm: pre-
liminary study of an active counter-attack mechanism.
In Proceedings of the 2004 ACM Workshop on Rapid
Malcode, WORM ’04. ACM: New York, NY, USA,
2004; 83–93.
27. Akritidis P, Markatos EP, Polychronakis M,
Anagnostakis K. STRIDE: polymorphic sled detection
through instruction sequence analysis, Proceedings
of the 20th IFIP International Information Security
Conference (IFIP/SEC), Chiba, Japan, 2005; 375–391.
28. Wang X, Pan CC, Liu P, Zhu S. Sigfree: a signature-
free buffer overflow attack blocker. In Proceedings of
the 15th Conference on USENIX Security Symposium
- Volume 15, USENIX-SS’06. USENIX Association:
Berkeley, CA, USA, 2006; 225–240.
29. McAfee. W32/conficker.worm, 2008. Available
from: http://vil.nai.com/vil/content/v_153464.htm.
Accessed on 20 May 2012.
30. Militan. linux/x86 connect back, download a file and
execute 149 bytes. Exploit-db, 2008. Available from:
http://www.exploit-db.com/exploits/13337/. Accessed
on 20 May 2012.
Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec