016

The wonderful world of worm traps

Speaker


Gabor Szappanos ( Hungary )
Head of Virus Laboratory, VirusBuster

Presentation
Abstract


While the application of proactive malware detection techniques is favored nowadays, we still cannot entirely get rid of the reactive nature of the antivirus field. But if we have to be reactive, we should do it as well as possible.

Instead of waiting for users to find out that they have a worm and submit the sample, antivirus companies are moving towards automatic sample gathering by utilizing different types of worm traps. The spectrum of such traps is very wide.

E-mail traps are used to collect e-mail worms. These can be as simple as collecting messages for several trap e-mail addresses, but more complex methods also exist that statistically analyze the traffic to find signs of an outbreak.

Network worms are gathered using simple SMB traps, port listener applications, or specific protocol emulators in the case of special replication methods.

This paper will describe in detail the different types of worm traps and their design, implementation and operation problems.

Along with that, statistics from different traps, operated at different locations and by different antivirus companies, are compared.
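As an added illustration of the statistical e-mail trap idea mentioned in the abstract (not code from the paper or from VirusBuster), the sketch below flags an attachment whose hash arrives at trap mailboxes from several distinct senders within a short window. The window, the threshold, the trap address and the sample messages are all assumptions constructed for the example; the abstract does not say which statistic the paper uses.

```python
import hashlib
from collections import defaultdict
from datetime import timedelta
from email import message_from_bytes, policy
from email.message import EmailMessage

WINDOW = timedelta(hours=1)  # assumption: sliding window length
MIN_SENDERS = 3              # assumption: distinct senders needed to alert

def parse_trapped(raw):
    """Return (sender, datetime or None, set of attachment SHA-256) for one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    frm, date = msg["From"], msg["Date"]
    sender = frm.addresses[0].addr_spec.lower() if frm and frm.addresses else "unknown"
    digests = {hashlib.sha256(p.get_payload(decode=True) or b"").hexdigest()
               for p in msg.iter_attachments()}
    return sender, (date.datetime if date else None), digests

def find_outbreaks(raw_messages):
    """Map attachment digest -> sender count for digests that cross the threshold."""
    sightings = defaultdict(list)
    for raw in raw_messages:
        sender, when, digests = parse_trapped(raw)
        if when is not None:  # messages without a usable Date header are skipped
            for d in digests:
                sightings[d].append((when, sender))
    alerts = {}
    for digest, seen in sightings.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > WINDOW:
                start += 1  # slide the window forward
            senders = {s for _, s in seen[start:end + 1]}
            if len(senders) >= MIN_SENDERS:
                alerts[digest] = len(senders)
                break
    return alerts

def make_sample(sender, hhmm, payload):  # builds one constructed, inert sample message
    m = EmailMessage()
    m["From"], m["To"], m["Date"] = sender, "trap1@example.test", f"Mon, 07 Nov 2005 {hhmm}:00 +0000"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename="a.bin")
    return m.as_bytes()

SAMPLES = [make_sample(f"user{i}@example.test", t, p) for i, (t, p) in enumerate([
    ("10:00", b"SAMPLE-A"), ("10:20", b"SAMPLE-A"), ("10:45", b"SAMPLE-A"),    # burst
    ("09:00", b"SAMPLE-B"), ("12:00", b"SAMPLE-B"), ("15:00", b"SAMPLE-B")])]  # spread out
```

Calling `find_outbreaks(SAMPLES)` reports only the SAMPLE-A digest. Because worms commonly forge the From header, the sender count is a weak signal on its own and would normally be combined with other features such as the receiving trap address or relay IP.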





Copyright 2005 AVAR. All rights reserved
AVAR 2005 Conference Organizing Committee
E-mail : avar2005@antivirus-china.org.cn
Tel: +86 22 6621 1487  Fax: +86 22 6621 1155