Since many web applications leak sensitive pages that can expose their vulnerabilities, worms like Santy locate their targets by searching these pages in search engine with well crafted keywords. We call them search worms. In this paper, we focus on the modeling and containment of these search worms targeting web applications. We first introduce several propagation models to study two unique effect factors on their propagation: eigenpage distribution and page ranking. And then, we propose a containment system for search worms based on honey-page insertion: a small number of fake pages which will induce visitors to pre-established honeypots are randomly inserted into search results, and then infected hosts can be detected and reported to search engines when their malicious scans hit honeypots. We use our propagation models to study the relation between the containment effectiveness and the honey-page insert rate and find this mechanism is extremely effective.
展开▼