
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 7, JULY 2010, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 12

Vaccine for Network Worms


M. Goldoust Jildani, S. Jabbehdari and A. Rahmani

Abstract— Network worms are among the most important and common types of malware on the Internet and on networks, and because they spread without direct human intervention their spreading speed is very high. Automatic spreading lets worms infect most networks and computers in a very short time; as a result, the negative effects of a worm become apparent across the entire network quickly and cause major damage to it. The objective of this article is to introduce a vaccine that can be injected into the entire network, and through it into all computers of the network. Because it operates by repairing the vulnerable holes of machines, it prevents worms from spreading and so makes the network safe against this type of malware. To study the effect of injecting the worm vaccine into a network, a network connected to the Internet with some vulnerable nodes was simulated; the results showed a large decrease in the number of infected nodes.

Keywords— Network worms, malware, vaccine, injection, Infected nodes, spreading.

1 INTRODUCTION

A network worm [19, 16, 14] is a self-replicating computer program [8] that is produced on a computer and uses computer networks and the security holes present in them for its own reproduction [2]. In effect, a worm is an autonomous, self-replicating infection agent that is able to search over the network [6] for new hosts to infect [22, 21].

A copy of the worm searches the network for another machine that has a particular security hole and, on finding a vulnerable hole in a new machine, copies itself there [3, 5]. Once the worm reaches a new machine the cycle is repeated, and the worm is copied from that location to further machines. The main difference between a worm and other destructive programs is that worm spreading is automatic [2].

Worms use different methods [7] to penetrate a target machine and then use it to execute their own code, among which the following may be mentioned:

1. Social engineering, which encourages email recipients to open the attached files.
2. Weak configuration of the network: networks that have open holes and paths through which they can be reached from outside the network.
3. Vulnerability in operating systems and software.

Among the different methods by which worms spread to a target machine, vulnerability [20] in operating systems and software is one of the factors that lets worms spread into machines. Worms may spread within a short time by exploiting systems that have widespread vulnerable holes [7], and their number increases every time [10], so that in a short time they disrupt the operation of the network; consequently the activity and services of the network are disrupted by the spreading of numerous worms.

Software producers, after learning of the vulnerable holes [10] in their products, act to remove and resolve the problem by releasing the required patches.

All computer operators must make sure that the latest released patches for the software products they use are installed on their systems. Like patches on a cloth, these repair the holes present in software programs [10].

After preparing the patches, software producers publish them on their websites [10, 11]. Computer operators can learn that a new patch has been released by visiting the website of the company that supplies the software product as a first step, and as a second step, by downloading and installing it [10], upgrade the software installed on their systems.

After a patch is released, operators must install it on the system immediately; the aggressor is thereby deprived of the opportunity to use the vulnerable holes present in software products, and the possibility of their success decreases.

Some software checks automatically whether new and up-to-date versions have been released and notifies operators that a new version is available and can be downloaded and installed. Some software producers inform operators by email that a patch has been prepared.

If these facilities are available, it is suggested to make use of them. If they are not available, producers' websites must be checked periodically to learn of newly released patches, which must then be downloaded and installed on the systems immediately.

————————————————
• M. Goldoust Jildani: Islamic Azad University, North Tehran Branch.
• S. Jabbehdari: Islamic Azad University, North Tehran Branch.
• A. Rahmani: Islamic Azad University, Science and Research Branch.

2 RELATED WORK

Most of the existing anti-virus techniques use a simple signature scanning approach to locate threats. As new viruses are created, so are virus signatures. Smarter virus writers use more creative techniques to avoid detection. In response, detection mechanisms become ever more elaborate. This has led to coevolution, an ever-escalating arms race between virus writers and anti-virus developers [17].

Recent incidents have demonstrated the ability of self-propagating code, also known as “network worms”, to infect large numbers of hosts, exploiting vulnerabilities in the largely homogeneous deployed software base. Even when a worm carries no malicious payload, the direct cost of recovering from the side effects of an infection epidemic can be tremendous [18, 17, 1].

Thus, countering worms has recently become the focus of increased research, generally focusing on content-filtering mechanisms combined with large-scale coordination strategies [18, 17, 1].

Since the first Internet-wide worm, considerable effort has gone into preventing worms from exploiting common software vulnerabilities by using the compiler to inject run-time safety checks into applications, safe languages and APIs, and static or dynamic analysis tools. While shortcomings may be attributed to each of these tools or approaches individually, the fact is that they have not seen wide use [18, 17].

We speculate that the most important reasons are: complexity; performance implications (or a perception of such); and, perhaps most importantly, a requirement for proactiveness on the part of application developers, who are often under pressure to meet deadlines or have no incentive to use new-fangled software verification tools [18, 17].

Another approach has been that of containment of infected applications, exemplified by the “sandboxing” paradigm. Unfortunately, even when such systems are successful in containing the virus, they do not always succeed in preventing further propagation or ensuring continued service availability [18, 17].

Furthermore, there is often a significant performance overhead associated with their use, which deters many users from taking advantage of them [18, 17].

3 OPERATION OF VACCINE OF NETWORK WORM

The suggested system is intended to put into operation more effectively the patches that operating system and software producers produce and release to repair the holes of operating systems or software.

The operation of the network worm vaccine is similar to the operation of a network worm and consists of the following steps:

1. Injection of the vaccine into the network.
2. Scanning of the network by the vaccine in order to find computers having vulnerable holes.
3. Flowing of the vaccine into computers having vulnerable holes through one of the found holes.
4. Scanning and inspection of each computer in order to find all vulnerable holes present therein.
5. Removal of all worms in each computer by the vaccine.
6. Requesting and receiving the repair patches related to each vulnerable hole from the server or website in order to repair the vulnerable holes.
7. Repair of the vulnerable holes through installation of the patch related to each vulnerable hole.
8. Remaining of the vaccine in each computer in order to deal with worms and repair those vulnerabilities that will be discovered in future.

3.1 Injection of vaccine to the network

In order to activate the network worm vaccine, the vaccine must first be injected into the network.

The vaccine contains all information related to all vulnerable holes: the specification of all worms, all the ways each worm spreads, all the ways of repairing each vulnerability, and the addresses of the patches specific to repairing each vulnerability. It updates this information every day by scanning the Internet sites that announce the newest worms, and so keeps the security holes and the patch for each one up to date.

3.2 Scan of network by vaccine in order to find computers having vulnerable holes

Because this vaccine operates similarly to a worm, its scanning method [8] is similar to the scan a worm performs to find systems to infect. In general, there are different methods for finding the systems that exist on a network.

Just as a worm must find a target in order to infect it, our vaccine, in order to flow into each computer having a vulnerable hole [13], must first find the vulnerable machines in the network. Like a worm, this vaccine uses one of the random, statistical and topological scans, or a vulnerability list, to find the machines present on the network.

3.3 Flowing the vaccine in the computers having vulnerable holes through one of the found holes

After the computers present on the network have been found, it is the turn of injection into the computer. For this purpose, the computer in question is scanned in order to find vulnerable holes. After finding the first vulnerable hole, the vaccine uses that hole to flow into the computer, and consequently the vaccine is injected into all computers having a vulnerable hole.

3.4 Scan and inspection of each computer in order to find all vulnerable holes therein

After the vaccine has been injected and has flowed into a computer having a vulnerable hole, it scans the machine to determine all vulnerabilities in the operating system and software of that machine.
The latest known vulnerabilities and the specification of each one are published and kept up to date by websites [10] every day [4].

3.5 Removing all worms in the computer by vaccine

Given that all vulnerable holes were found in the previous step, the vaccine examines the entire system to find the worms present. After finding the worms, it removes from the whole machine those worms that have used vulnerabilities of the operating system and software.

3.6 Requesting and receiving the repair patches related to vulnerable hole from the server or website in order to repair the vulnerable holes

After all vulnerable computers have been discovered, it is the turn of repairing the vulnerable hole [10] related to each vulnerability. In order to repair the found holes, the vaccine must first receive the patches for the vulnerabilities from those websites that announce new vulnerabilities and also the patches related to them.

3.7 Repair of the vulnerable holes by installation of patches

After the patches have been received, it is the turn of installing them and consequently repairing the vulnerable hole. A patch removes a specific problem or vulnerable point in a piece of software. By installing the designated patches and removing the vulnerable holes, the possibility of spreading is removed for those worms that use these holes; in this way the vaccine prevents worms from spreading into machines, and we can claim that the network has been secured against these types of worms.

3.8 Remaining of vaccine in each computer in order to deal with worms and repair the vulnerabilities that will be found in future

After all vulnerable holes have been repaired and all worms removed from the computer, the vaccine can be managed and controlled in two ways:

1. The vaccine itself is removed.
2. The vaccine remains on the system and waits for a message from the server identifying a new vulnerable hole or a new worm, in order to repair it.

At this step the vaccine may use either of these two methods.

4 SIMULATION AND STUDY ON RESULTS

In order to simulate the operation of the vaccine and compare the numbers of infected nodes when the worm spreads before and after injection of the vaccine, the ns 2.33 (NS2) software has been used, and in order to obtain better results, Internet and detailed network traffic have been tested.

The ns manual [9] describes a scalable worm propagation model, namely the detailed-network and abstract-network (DN-AN) model. It combines packet-level simulations with an analytic worm spreading model. The Internet is modelled in two parts: a detailed part and an abstract part.

A detailed network could be an enterprise network or the network run by an ISP. It simulates network connectivity and packet transmission. Users can evaluate worm detection algorithms in the detailed network.

On the other hand, we abstract the rest of the Internet with a mathematical model, namely the susceptible-infectious-removal (SIR) model (refer to [15] for detailed descriptions). Compared to the detailed network, we only track several state variables in the abstract world, such as the number of infected hosts. The interaction between DN and AN is through actual packet transmissions, that is, the probing traffic generated by compromised hosts in both parts.

In order to show the related results, this simulation was run for 70 seconds in two specific states (before injection of the vaccine and after injection of the vaccine), with 70 nodes (all of them infected) in the detailed network and 250000 nodes in the abstract network (0.8 percent infected). The numbers of infected nodes before injection of the vaccine and after injection of the vaccine are shown in Table 1.

Table 1. Comparing the number of infected nodes in the status of 70 nodes in detailed network and 250000 nodes in abstract network

Fig. 1. Comparing the number of infected nodes in the status of 70 nodes in detailed network and 250000 nodes in abstract network

With consideration to Fig. 1, it is determined that injection of this vaccine has had the desired effect on the
network and decreases the number of infected nodes.

If the simulation time is increased and more time is given to injection of the vaccine, it will take effect in the entire network; the network will be cleared of these types of worms entirely and will be secure against them.

5 DISCUSSION

Following the description of our architecture, there are several other issues that need to be discussed.

The biggest challenge may be that this vaccine, because its release model is that of a network worm, may itself be regarded as a network worm, since it spreads into computers without the user taking any action to activate it. To solve this problem, the vaccine can ask the user's permission for all of its actions.

Another challenge of this vaccine is increased traffic on the network, because the vaccines injected throughout the network may at any moment request patches from the different websites that offer them.

This weakness can be covered by downloading each patch only once and placing it on a central server; the vaccines can then be programmed to receive all requested patches from that server. In addition, vaccines can be planned and organized so that they carry out all their actions at low-traffic times.

The next issue to be examined is the time taken to produce patches that fix vulnerable holes in operating systems and software. For the vaccine to perform well and to prevent network worms from exploiting vulnerable holes, patches must be produced by the manufacturers of operating systems and software in the shortest possible time and be used to repair the vulnerable holes.

The vaccine may be considered an antivirus or anti-malware. However, an antivirus or anti-malware can deal with malware only while it is installed, and if it is disabled, malware can spread through networks without the slightest obstacle. Once the vaccine has been injected into the network and has installed the patches, however, then even after it becomes inactive it helps prevent the entry of the kind of worms that use security holes and weaknesses of operating systems and software to spread.

6 CONCLUSION

In this article, under the title "Vaccine for Network Worms", we have presented and introduced a vaccine that confronts the type of network worms that penetrate and spread into the network through weaknesses present in operating systems and software, and that prevents their arrival and spread into machines. In this method, our vaccine uses a set of factors and works in a specific order whose result is the automatic repair and patching of all vulnerable holes of the operating systems and software used in machines, in order to prevent the spreading of worms.

Simulation of the suggested plan indicates that the vaccine has been able to operate suitably in the network and secure it against worms spreading therein. The one very basic point is that patches must be produced in the shortest possible time and put into operation to prevent worm spreading. Future work may present methods for producing patches and putting them into operation in time, which may be the basis for an intelligent super vaccine.

REFERENCES

[1] Stelios Sidiroglou, John Ioannidis, Angelos D. Keromytis, and Salvatore J. Stolfo. "An Email Worm Vaccine Architecture", to appear in the Proceedings of the 1st Information Security Practice and Experience Conference (ISPEC), April 2005, Singapore.
[2] Jiang Wu, Sarma Vangala, Lixin Gao, and Kevin Kwiat. An Effective Architecture and Algorithm for Detecting Worms with Various Scan Techniques.
[3] The Race Against Malicious Software. SE 4C03 Winter 2005. Last Revised: April 2, 2005.
[4] http://www.cert.org/stats/vulnerability_remediation.html
[5] Zesheng Chen and Chuanyi Ji. Intelligent Worms: Searching for Preys.
[6] Jose Nazario. Defense and Detection Strategies against Internet Worms. 2005.
[7] Esharenana E. Adomi. Security and Software for Cybercafes. IGI Global Snippet, 2008.
[8] Pankaj Kohli. Worms - survey and propagation. MS by Research - Computer Science and Engineering, International Institute of Information Technology, Hyderabad, India.
[9] The VINT Project, a collaboration between researchers at UC Berkeley, LBL, USC/ISI, and Xerox PARC. The ns Manual (formerly ns Notes and Documentation). January 6, 2009.
[10] The Government of the Hong Kong Special Administrative Region. Patch Management. February 2008.
[11] “Windows XP Service Pack 2.” (no date given), Microsoft Website. Retrieved March 27, 2005 from the World Wide Web: http://www.microsoft.com/windowsxp/sp2/default.mspx.
[12] Pankaj Kohli. Worms - survey and propagation. MS by Research - Computer Science and Engineering, International Institute of Information Technology, Hyderabad, India.
[13] Craig Smith, Ashraf Matrawy, Stanley Chow and Bassem Abdelaziz. Computer Worms: Architectures, Evasion Strategies, and Detection Mechanisms. Journal of Information Assurance and Security 4 (2009) 69-83.
[14] J. Shoch and J. Hupp. The “worm” programs – early experiments with a distributed computation. Communications of the ACM, 22(3):172–180, March 1982.
[15] H. W. Hethcote. The mathematics of infectious diseases. SIAM Review, 42(4):599–653, October 2000.
[16] J. Brunner. The Shockwave Rider. Del Rey Books, Canada, 1975.
[17] Stelios Sidiroglou and Angelos D. Keromytis. "A Network Worm Vaccine Architecture", in Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security. June 2003, Linz, Austria.
[18] Stelios Sidiroglou and Angelos D. Keromytis. "Countering Network Worms Through Automatic Patch Generation", Columbia University technical report CUCS-029-03. November 2003, New York, NY.
[19] Siahn Qing and W. Wen, "A Survey and Trends on Internet Worms," Computers & Security, vol. 24, pp. 334-346, 2005.
[20] Siahn Qing and W. Wen, "A Survey and Trends on Internet Worms," Computers & Security, vol. 24, pp. 334-346, 2005.
[21] C. C. Zou, W. Gong, and D. Towsley. Code Red Worm Propagation Modeling and Analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS), pages 138–147, November 2002.
[22] The Spread of the Sapphire/Slammer Worm. http://www.silicondefense.com/research/worms/slammer.php, February 2003.
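
The before-and-after comparison of Section 4, and the Discussion's point that patches must arrive in the shortest possible time, can be reproduced qualitatively with the SIR-style abstract-network model alone. This is an added example, not the authors' ns-2 (DN-AN) simulation: the network size, initial infected share and duration come from the paper, while `BETA`, `GAMMA`, `SEEDS`, the term by which patched hosts patch others, and the Euler integration are assumptions.

```python
from dataclasses import dataclass

# Values taken from Section 4 of the paper.
N_ABSTRACT = 250_000        # nodes in the abstract network
INITIAL_INFECTED = 0.008    # 0.8 percent infected at t = 0
DURATION_S = 70.0           # simulated seconds

# Assumed values: the paper does not state its rates or seed count.
BETA = 0.2                  # worm contacts per infected host per second
GAMMA = 0.5                 # vaccine contacts per patched host per second
SEEDS = 100                 # hosts patched directly at injection time
DT = 0.1                    # Euler time step in seconds


@dataclass
class Result:
    final_infected: float
    peak_infected: float
    final_patched: float
    population: float       # S + I + R at the end; must stay equal to n


def simulate(inject_at=None, n=N_ABSTRACT, beta=BETA, gamma=GAMMA,
             seeds=SEEDS, duration=DURATION_S, dt=DT):
    """Integrate S (vulnerable), I (infected), R (patched, i.e. removed).

    dS/dt = -beta*S*I/n - gamma*S*R/n
    dI/dt =  beta*S*I/n - gamma*I*R/n
    dR/dt =  gamma*(S + I)*R/n
    inject_at=None: the vaccine is never injected, so R stays at 0.
    """
    i = n * INITIAL_INFECTED
    s = n - i
    r = 0.0
    peak = i
    injected = False
    for step in range(int(round(duration / dt))):
        if inject_at is not None and not injected and step * dt >= inject_at:
            moved = min(seeds, s)          # seed hosts are patched directly
            s, r, injected = s - moved, r + moved, True
        new_infections = beta * s * i / n * dt
        patched_clean = gamma * s * r / n * dt   # vulnerable hosts patched
        patched_dirty = gamma * i * r / n * dt   # infected hosts cleaned + patched
        s -= new_infections + patched_clean
        i += new_infections - patched_dirty
        r += patched_clean + patched_dirty
        peak = max(peak, i)
    return Result(i, peak, r, s + i + r)


if __name__ == "__main__":
    # Before-vaccine run, then injection after 10, 30 and 50 seconds.
    print(f"{'inject_at':>9} {'peak_infected':>14} {'final_infected':>15}")
    for when in (None, 10, 30, 50):
        res = simulate(when)
        print(f"{str(when):>9} {res.peak_infected:14.0f} {res.final_infected:15.0f}")
```

With these assumed rates, the later the vaccine is injected the higher the infection peak, which is the dependence on timely patches that the Discussion raises.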
