Next: Proof-of-concept implementation Up: Wildfire worms Previous: Open vs. Protected Access

Infection process

In the design of a wildfire worm, we note that there are two possible ways to exploit vulnerabilities. The first approach, which we call the "push method", directly probes for an exploitable service on clients and injects code into that service, just as traditional worms do (e.g., the Blaster worm's use of the DCOM RPC vulnerability on port 135). The second approach, dubbed the "pull method", does not rely on a service vulnerability; instead, the attacker exploits other vulnerabilities, such as browser vulnerabilities, by performing a man-in-the-middle attack. For example, the infected node can listen on the wifi and wait for a victim to make a DNS request, spoof the response so that it points to itself (or to some other, unused address), pretend to be the web server, and respond with pages that include exploits such as the WMF exploit [13] or other exploits for IE and Mozilla that attempt to execute malicious code. ARP spoofing and TCP injection attacks may be used as well. We note that the distinction between worm and virus is blurred in this case: propagation may require some form of user interaction, yet the attack is piggybacked on the victim's communication with a third party rather than on communication between the infected and the targeted host. The broadcast nature of most wireless setups makes "pull" attacks attractive for wildfire worms, as they can be carried out at a scale that was never possible for Internet worms.
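As an added illustration of how a defender could detect the DNS-spoofing variant of the pull method described above (example code written for this page, not part of the paper or its proof-of-concept): a passive monitor on the wireless segment sees the spoofed reply and the legitimate reply race for the same transaction ID, so it flags conflicting answers to one query, replies that do not come from the configured resolver, and public names resolving to an address on the local wireless subnet. The subnet, resolver address and log line format are assumptions, and the captured lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of DNS responses as a passive monitor on the wireless
# segment might log them: "txid qname answer_ip source_ip". Not real capture data.
CAPTURED = """\
0x1a2b www.example.com 93.184.216.34 192.168.1.1
0x1a2c mail.example.com 192.168.1.77 192.168.1.77
0x1a2c mail.example.com 93.184.216.35 192.168.1.1
0x1a2d news.example.org 198.51.100.20 192.168.1.1
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed wireless subnet
RESOLVER = ipaddress.ip_address("192.168.1.1")      # assumed legitimate resolver


def parse(text):
    """Turn the constructed log format into a list of response records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        txid, qname, answer, src = line.split()
        records.append({"txid": txid, "qname": qname,
                        "answer": ipaddress.ip_address(answer),
                        "src": ipaddress.ip_address(src)})
    return records


def find_suspicious(records):
    """Return sorted unique (reason, txid, qname) tuples for spoofing indicators."""
    alerts = set()
    by_query = defaultdict(list)
    for r in records:
        by_query[(r["txid"], r["qname"])].append(r)
        # A reply from any host other than the resolver is a local node answering
        # a query it overheard on the broadcast medium.
        if r["src"] != RESOLVER:
            alerts.add(("response_not_from_resolver", r["txid"], r["qname"]))
        # An infected node points the victim at itself, i.e. at the local subnet.
        if r["answer"] in LOCAL_NET:
            alerts.add(("public_name_to_local_address", r["txid"], r["qname"]))
    # Two different answers for one transaction ID means a spoofed reply raced
    # the genuine one; the client keeps whichever arrived first.
    for (txid, qname), rs in by_query.items():
        if len({r["answer"] for r in rs}) > 1:
            alerts.add(("conflicting_answers", txid, qname))
    return sorted(alerts)
```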

