Since the first worm was released by Morris in 1988, computer worms have continuously brought disaster to the online world through their fast and diverse methods of transmission. In particular, the rapid development of networks has made the harm done by worms more and more serious, to the point where network users turn pale at the mere mention of them.
Unlike ordinary viruses, a worm uses the computer itself as its carrier and replicates on its own to spread through the Internet. Worms target every computer on the network, spreading through shared folders, e-mail, malicious web pages, and the many servers on the LAN that carry unpatched vulnerabilities.
The worm generally works like this:
First, scanning: the worm's scan module probes for vulnerable hosts. It randomly selects an IP address range and scans the hosts in it. A naive scanner may repeat this process over and over. As the worm spreads, newly infected hosts start scanning as well. These scanners do not know which addresses have already been scanned; they simply scan the Internet at random. As a result, the more widely the worm spreads, the more scan packets there are on the network. Even though each probe packet sent by the scanner is small and carries little data, the congestion caused by a large number of worms scanning at once is very serious.
Second, attack: once the worm's scan finds a host on the network, it uses its own attack routine to obtain administrator privileges on that host. Finally, using the connection between the originally infected host and the new host, it copies the worm program to the new host and starts it.
It can be seen that worms do harm in two ways:
1. The large-scale, rapid replication of worms sharply increases the number of scan packets on the network, causing congestion and high bandwidth usage and ultimately paralyzing the network.
2. A vulnerable host on the network is infected soon after it is scanned, and its administrator privileges are stolen, which opens the door to further attacks by the intruder.
As worms evolve rapidly, anti-worm solutions are emerging as well. Aitai technology's broadband security gateway series adopts a simple "detect and shield" approach to dealing with worms.
First, detection: this step requires manual operation, but it is extremely simple. Because a worm in the network constantly sends scan packets to outside computers, these scan packets have obvious characteristics. For example, a worm on an infected computer sends scan packets to one IP address after another. Since every packet the network sends or receives must pass through the router, you can easily see this in the router's web management interface. The signature of a worm attack therefore shows up on the Internet monitoring page: an infected host opens a large number of NAT sessions, the traffic is almost all outbound (upload), and the download volume is small or zero. If such a host exists, it has been infected with the worm.
In that case, the second step is to shield the host from the network. To do this, use the router's management function to create a policy that blocks the port on which the worm sends packets outward. Then take anti-virus measures on the host or install the corresponding patch. In this way the worm can be dealt with easily.
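The detection heuristic above (many NAT sessions from one host, almost all traffic outbound, little or no download) can be applied automatically to an exported session table. The following is an added example, not code from the article or from the gateway product; the session-table format and the sample rows are constructed for illustration, and the thresholds are assumptions.

```python
# Added example: flag LAN hosts whose NAT session pattern matches the
# worm-scanning signature (many sessions to distinct destinations, nearly
# all bytes outbound). Table format and rows are constructed, not a real export.
from collections import defaultdict

# Constructed sample: "src_ip dst_ip dst_port bytes_out bytes_in", one NAT session per line.
SAMPLE_SESSIONS = """\
192.168.1.20 203.0.113.7 445 96 0
192.168.1.20 203.0.113.8 445 96 0
192.168.1.20 203.0.113.9 445 96 0
192.168.1.20 203.0.113.10 445 96 0
192.168.1.20 203.0.113.11 445 96 0
192.168.1.20 203.0.113.12 445 96 0
192.168.1.5 198.51.100.1 443 1200 48000
192.168.1.5 198.51.100.2 80 800 15000
192.168.1.5 198.51.100.3 443 700 9000
"""

def parse_sessions(text):
    """Parse the constructed session table into (src, dst, port, out, in) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, out_b, in_b = line.split()
        rows.append((src, dst, int(port), int(out_b), int(in_b)))
    return rows

def find_scanning_hosts(rows, min_sessions=5, max_in_ratio=0.05):
    """Return {src_ip: (distinct_destinations, most_used_port)} for hosts that
    open many sessions while receiving almost nothing back (assumed thresholds)."""
    stats = defaultdict(lambda: {"dsts": set(), "out": 0, "in": 0, "ports": defaultdict(int)})
    for src, dst, port, out_b, in_b in rows:
        s = stats[src]
        s["dsts"].add(dst)
        s["out"] += out_b
        s["in"] += in_b
        s["ports"][port] += 1
    suspects = {}
    for src, s in stats.items():
        total = s["out"] + s["in"]
        if len(s["dsts"]) >= min_sessions and total and s["in"] / total <= max_in_ratio:
            suspects[src] = (len(s["dsts"]), max(s["ports"], key=s["ports"].get))
    return suspects

if __name__ == "__main__":
    for host, (n, port) in find_scanning_hosts(parse_sessions(SAMPLE_SESSIONS)).items():
        print(f"{host}: {n} outbound sessions, mostly to port {port}; block that port at the gateway")
```

The reported port is the one to block in the gateway policy as the shielding step; the normal browsing host (192.168.1.5) is not flagged because its download volume is large.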