• DocumentCode
    1952292
  • Title
    Misleading and defeating importance-scanning malware propagation
  • Author
    Gu, Guofei ; Chen, Zesheng ; Porras, Phillip ; Lee, Wenke

  • Author_Institution
    Georgia Institute of Technology Atlanta, 30332, USA
  • fYear
    2007
  • fDate
    17-21 Sept. 2007
  • Firstpage
    250
  • Lastpage
    259
  • Abstract
    The scan-then-exploit propagation strategy is among the most widely used methods by which malware spreads across computer networks. Recently, a new self-learning strategy for selecting target addresses during malware propagation was introduced in [1], which we refer to as importance scanning. Under the importance-scanning approach, malware employs an address sampling scheme to search for the underlying group distribution of (vulnerable) hosts in the address space through which it propagates. The malware utilizes this information to increase the rate at which it locates viable addresses during its search for infection targets. In this paper, we introduce a strategy to combat importance scanning propagation. We propose the use of white hole networks, which combine several existing components to dissuade, slow, and ultimately halt the propagation of importance scanning malware. Based on analytical reasoning and simulations using real trace and address distribution information, we demonstrate how the white hole approach can provide an effective defense, even when the deployment of this countermeasure represents a very small fraction of the address space population.
  • Keywords
    Aggregates; Analytical models; Computer networks; Computer worms; Humans; Information analysis; Information security; Internet; Routing; Sampling methods;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. Third International Conference on
  • Conference_Location
    Nice, France
  • Print_ISBN
    978-1-4244-0974-7
  • Electronic_ISBN
    978-1-4244-0975-4
  • Type
    conf
  • DOI
    10.1109/SECCOM.2007.4550340
  • Filename
    4550340