A couple of weeks ago I wrote a blog entitled Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer which used the SYN Violation algorithm to detect its presence. Another algorithm that will help prevent worms on your network is the RST/ACK Destination algorithm.
RST/ACK Destination algorithm looks for excessive connection denials that come back from the destination host. This is very handy in detecting such small things as network misconfigurations, and big things such as worms or port scans across the network.
Since worm attacks are designed to spread throughout networks and copy themselves to other nodes it’s important to monitor the connection requests within your network.
Some worms, such as the ExploreZip Worm, are designed to alter system config files. Others exploit vulnerabilities in an effort to establish backdoors to your network. With the network now compromised, these infected machines known as zombies join other networks that have also been infected. These botnets function as a channel to inject Trojans and other viruses into yours and other networks.
Detection is made easier when using RST/ACK Destination algorithm. With the help of Flow Analytics and gadgets like this, you have the visibility you need to detect malicious behavior before it causes damage.
Milton
