Serum System: An Automatic Curing System for Worms and Buffer Overflow-Based Botnets


Article Preview

We propose an automatic defense system, called Serum System, against scanning worms. The homeland security department of a country can use Serum System to protect its Internet infrastructure. When an infecting host is infecting a Serum System host, called Serum System Server (SSS), the SSS automatically replaces the shellcode inside the infecting string with its code (called serum code) and then uses the modified string (called serum string) to counterattack the infecting host and take control of it. The serum code transforms the infecting host into a Serum System Client (SSC) that has the same functions as the SSS and is immune to the same worm. Therefore, infecting hosts attacking SSSs or SSCs will transform themselves to SSCs. We implemented Serum System on Linux. Our analyses show Serum System can automatically defeat related infected hosts.



Edited by:

Chien-Hung Liu




L. H. Chen et al., "Serum System: An Automatic Curing System for Worms and Buffer Overflow-Based Botnets", Applied Mechanics and Materials, Vols. 479-480, pp. 923-927, 2014

Online since:

December 2013




[1] P. Denning and D. Denning: Discussing cyber attack. Commun. ACM Vol. 53 (2010), pp.29-31.


[2] L. Cavallaro, A. Lanzi, L. Mayer, and M. Monga: Lisabeth: automated content-based signature generator for zero-day polymorphic worms. Proceedings of the fourth international workshop of Software engineering for secure systems, New York (2008).


[3] W. Cui, M. Peinado, H. Wang, and M. Locasto: ShieldGen: Automatic data patch generation for unknown vulnerabilities with informed probing. Proceedings of the IEEE Symposium on Security and Privacy, Washington (2007), pp.252-266.


[4] L.H. Chen, F.H. Hsu, Y. Hwang, M.C. Su, W.S. Ku, and C.H. Chang: ARMORY: an automatic security testing tool for buffer overflow defect detection. Accepted by Computers Electrical Engineering (2012).


[5] A. Smirnov, and T.C. Chiueh: Automatic patch generation for buffer overflow attacks. International Symposium on Information Assurance and Security (2007), pp.165-170.


[6] B. Schneier: http: /www. schneier. com/blog/archives/ 2005/12/benevolent_worm. html.

[7] F. Castaneda, E.C. Sezer, and J. Wu: Worm vs worm: preliminary study of an active counter-attack mechanism. Proceedings of the ACM workshop on Rapid malcode, New York (2004), pp.83-93.


[8] L.H. Chen, F.H. Hsu, C.H. Huang, C.W. Ou, C.J. Lin, and S.C. Liu: A robust kernel-based solution to control-hijacking buffer overflow attacks. Journal of Information Science and Engineering Vol. 27 No. 3 (2011), pp.869-890.