Visualization of packet data transmitted by a worm-infected node
Updated: May 10, 2007
What is a worm?
A worm is a self-replicating malicious computer program. Unlike a computer virus in the narrow sense, it does not need to attach itself to an existing program in order to infect a system; its defining characteristic is that it penetrates other computers via the network and propagates by itself.
Since 2001, network worms (hereafter referred to as "worms") with advanced functions, including Nimda and CodeRed, have come into existence and threatened network infrastructure and corporate intranets countless times. Although no massive incidents due to new worms have occurred recently, nodes*1 infected by worms that proliferated widely in the past still continue their infective activities.
On this page, we attempt to visualize the worm packets*2 that are still flowing within the network.
Usually, worms search for target nodes in order to propagate themselves, and their search methods are said to follow certain patterns. According to data published in papers, typical past worms are classified as shown below:
We observed a node actually infected by a worm within a closed experimental environment and visualized the observation data using our proprietary tool.
This tool splits the destination IP address of each packet transmitted by the node into four octets*3 and displays the value of each octet by converting it into the rotation angle of a corresponding line.
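The octet-to-angle conversion described above can be sketched as follows. This is an added example, not the proprietary tool's code: the linear mapping of 0..255 onto one full turn, the line radii, and the function names are assumptions, and the destination lists are constructed from documentation address ranges.

```python
import ipaddress
import math

FULL_TURN = 360.0  # assumption: octet values 0..255 are spread linearly over one turn


def octet_angles(dst):
    """Split a dotted-quad destination address into four octets and
    return the rotation angle (degrees) of the line for each octet."""
    packed = ipaddress.IPv4Address(dst).packed  # raises ValueError on bad input
    return tuple(octet * FULL_TURN / 256 for octet in packed)


def line_endpoints(dst, radii=(1.0, 2.0, 3.0, 4.0)):
    """Return the (x, y) tip of each octet's line, ready for plotting.
    One line per octet; the radii are an assumed drawing choice."""
    return [(r * math.cos(math.radians(a)), r * math.sin(math.radians(a)))
            for r, a in zip(radii, octet_angles(dst))]


def distinct_angles_per_octet(dsts):
    """Count how many different angles each of the four lines takes over a
    series of packets. A line that stays still yields 1; a line that keeps
    rotating yields a large count, which is what the picture makes visible."""
    seen = [set(), set(), set(), set()]
    for dst in dsts:
        for position, angle in enumerate(octet_angles(dst)):
            seen[position].add(angle)
    return [len(s) for s in seen]


# Constructed sample destinations (documentation ranges, not observed data).
LAST_OCTET_ONLY = [f"192.0.2.{i}" for i in range(1, 9)]
ALL_OCTETS = ["192.0.2.10", "198.51.100.77", "203.0.113.5", "192.0.2.200"]

if __name__ == "__main__":
    for label, sample in (("last octet only", LAST_OCTET_ONLY),
                          ("all octets", ALL_OCTETS)):
        print(label, distinct_angles_per_octet(sample))
    for x, y in line_endpoints("192.0.2.128"):
        print(f"{x:+.3f} {y:+.3f}")
```

In the first sample only the fourth line moves while the other three stay fixed; in the second all four lines change between packets.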