Definition of a Computer Worm
A computer worm is a program that spreads from computer to computer but, unlike a virus, can travel without any help from a person. A worm takes advantage of file or information transport features on the system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself: rather than a computer sending out a single worm, it may send out hundreds or thousands of copies of itself, with a devastating effect. One example would be a worm that sends a copy of itself to everyone listed in your e-mail address book. Each copy then replicates and sends itself to everyone listed in each recipient's address book, and the process continues on down the line. Because of the copying nature of a worm and its ability to travel across networks, the end result in most cases is that the worm consumes too much system memory or network bandwidth, causing web servers, network servers and individual computers to stop responding.
Thus a computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always harm the network, if only by consuming bandwidth, whereas viruses almost always infect or corrupt files on the targeted computer.
The name "worm" comes from the science fiction novel The Shockwave Rider, published in 1975 by John Brunner. Researchers John F. Shoch and Jon A. Hupp of Xerox PARC chose the name in a paper published in 1982 ("The Worm Programs"), and it has since been widely adopted.
One of the earliest implementations of a worm was by these same two researchers at Xerox PARC in 1978. Shoch and Hupp originally designed their worm to find idle processors on the network and assign them tasks, sharing the processing load and so improving CPU utilisation across the entire network. The worms were self-limiting so that they would spread no farther than intended.
This technique was later embraced by malicious programmers to build self-replicating programs aimed at denial-of-service attacks, which ultimately evolved into today's computer worms.
Structure of Computer Worms
Let us now discuss the generic structure of advanced computer worms and the common strategies that worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly, even in security research communities, many people assume that computer worms are dramatically different from computer viruses. In fact, even within the Computer Antivirus Research Organization (CARO), researchers do not share a common view about what exactly can be classified as a worm.
The network-oriented infection strategy is indeed the primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take control of remote systems without any help from the user, usually by exploiting a vulnerability or a set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold.
A computer worm consists of a few essential components which together give it its character. They are as follows:
- Target locator
- Infection propagator
- Remote control and update interface
- Life cycle manager
- Self-tracking
Target Locator
To spread rapidly on the network, the worm needs to be able to find new targets. Most worms search the infected system for e-mail addresses and simply send copies of themselves to those addresses. This is convenient for attackers because corporations typically need to allow e-mail messages through the corporate firewall, which gives the worm an easy penetration point.
Many worms also scan the network for nodes at the IP level and even fingerprint the remote system to check whether it might be vulnerable.
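A target locator that sweeps address ranges betrays itself by the way it behaves: most of the addresses it probes are dead or do not run the service, so its first contacts fail far more often than a normal host's do. The following example, added here and not taken from the original page or from any particular product, is a simplified implementation of the Threshold Random Walk idea (Jung et al., 2004): each first contact to a new destination updates a likelihood ratio, and a source is declared a scanner or benign once the ratio crosses a threshold. The connection records, the host addresses and the parameter values are constructed for the example (the parameter values are those commonly quoted for TRW). The same heuristic applies to the Internet worms described later under "Different Types of Computer Worms".

```python
# Added example: simplified Threshold Random Walk (TRW) scan detection over a
# constructed list of connection attempts. Not code from the page's author.
from collections import defaultdict

# Model parameters (constructed; values commonly quoted for TRW).
THETA0 = 0.8   # P(first contact succeeds | source is benign)
THETA1 = 0.2   # P(first contact succeeds | source is a scanner)
ALPHA = 0.01   # tolerated false-positive probability
BETA = 0.99    # desired detection probability
ETA1 = BETA / ALPHA              # ratio >= ETA1 (99.0)   -> "scanner"
ETA0 = (1 - BETA) / (1 - ALPHA)  # ratio <= ETA0 (~0.0101) -> "benign"


def trw_verdicts(attempts):
    """attempts: iterable of (src, dst, succeeded) in time order.

    Returns {src: "scanner" | "benign" | "pending"}. Only the first contact
    with each distinct destination counts; retries to a destination already
    seen from that source are ignored, as in TRW.
    """
    seen = defaultdict(set)
    ratio = defaultdict(lambda: 1.0)
    verdict = {}
    for src, dst, ok in attempts:
        if verdict.get(src) in ("scanner", "benign"):
            continue  # decision already reached for this source
        if dst in seen[src]:
            continue  # not a first contact
        seen[src].add(dst)
        if ok:
            ratio[src] *= THETA1 / THETA0              # success: evidence of benign (x0.25)
        else:
            ratio[src] *= (1 - THETA1) / (1 - THETA0)  # failure: evidence of scanning (x4)
        if ratio[src] >= ETA1:
            verdict[src] = "scanner"
        elif ratio[src] <= ETA0:
            verdict[src] = "benign"
        else:
            verdict[src] = "pending"
    return verdict


# Constructed sample: (source, destination, did the TCP connect succeed?)
SAMPLE_ATTEMPTS = [
    # a worm's target locator sweeping a subnet: almost every probe fails
    ("10.0.0.5", "10.0.1.1", False),
    ("10.0.0.5", "10.0.1.2", False),
    ("10.0.0.5", "10.0.1.3", False),
    ("10.0.0.5", "10.0.1.3", False),   # retry to the same host: ignored
    ("10.0.0.5", "10.0.1.4", False),
    # a workstation talking to servers it knows exist
    ("10.0.0.7", "10.0.2.10", True),
    ("10.0.0.7", "10.0.2.11", True),
    ("10.0.0.7", "10.0.2.12", True),
    ("10.0.0.7", "10.0.2.13", True),
    # one failure and one success: not enough evidence either way
    ("10.0.0.9", "10.0.3.1", False),
    ("10.0.0.9", "10.0.3.2", True),
]

if __name__ == "__main__":
    for src, v in sorted(trw_verdicts(SAMPLE_ATTEMPTS).items()):
        print(f"{src:12s} {v}")
```

With these parameters four consecutive failed first contacts are enough to declare a scanner (4^4 = 256 exceeds 99), and four consecutive successes are enough to declare a host benign, which is why the sweeping host above is flagged after its fourth distinct destination while the host with one failure stays pending. In practice the failure signal comes from your own telemetry (SYNs with no SYN/ACK, ICMP unreachable, firewall deny logs), and the decision should reset or decay over time so that a host is not condemned forever by a burst of old evidence.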
Infection Propagator
A very important component of the worm is the strategy it uses to transfer itself to a new node and gain control of the remote system. Most worms assume that the target runs a certain kind of system, such as a Windows machine, and send a worm compatible with such systems. The author of the worm can use any script language, document format, binary code or in-memory injected code (or a combination of these) to attack the target. Typically, the attacker tricks the recipient into executing the worm using social engineering techniques. However, more and more worms carry several exploit modules to execute the worm automatically on a vulnerable remote system without the user's help.
Remote Control and Update Interface
Another important component of a worm is remote control through a communication module. Without such a module, the worm's author cannot control the worm network by sending control messages to the worm copies. Such remote control allows the attacker to use the network of compromised machines (the zombie network) as a Distributed Denial of Service (DDoS) tool against targets chosen later.
An update or plug-in interface is an important feature of advanced worms: it lets the attacker update the worm's code on an already-compromised system. A common problem for the attacker is that after a system has been compromised with a particular exploit, it often cannot be exploited again with the same one. This side effect actually helps the attacker avoid multiple infections of the same node, which could crash it, although the intruder has many other ways to avoid multiple infections.
The attacker is interested in changing the behaviour of the worm and even sending new infection strategies to as many compromised nodes as possible. The quick introduction of new infection vectors is especially dangerous. For example, the intruder can use a single exploit during the first 24 hours of the outbreak and then introduce a set of others via the worm's update interface.
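A remote control module has to poll or hold a connection to the attacker's controller, and worm copies tend to do so on a fixed schedule. That regularity is something a defender can look for in flow or proxy logs. The following example is added here (it is not code from the original page or from any product) and flags source/destination pairs whose connection times are evenly spaced: enough connections, and a low coefficient of variation of the gaps between them. The timestamps, the addresses and the thresholds are constructed for the example.

```python
# Added example: detecting fixed-interval "beaconing" to a controller from a
# constructed list of (timestamp, src, dst) connection records.
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 8   # assumed: fewer connections than this are not judged
MAX_CV = 0.15         # assumed: stddev/mean of the gaps; beacons sit near 0


def find_beacons(connections, min_conn=MIN_CONNECTIONS, max_cv=MAX_CV):
    """connections: iterable of (timestamp_seconds, src, dst).

    Returns {(src, dst): {"period": s, "cv": x, "count": n}} for pairs whose
    inter-connection gaps are regular enough to look like a control channel.
    """
    times = defaultdict(list)
    for ts, src, dst in connections:
        times[(src, dst)].append(float(ts))
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_conn:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m <= 0:
            continue  # all connections at the same instant: not a schedule
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            beacons[key] = {"period": round(m, 1), "cv": round(cv, 3), "count": len(ts)}
    return beacons


def build_sample():
    """Constructed connection records for three internal hosts."""
    conns = []
    # an infected host polling its controller every 60 s with a little jitter
    jitter = [0.0, 1.5, -1.2, 0.8, -2.0, 1.1, 0.3, -0.6, 1.9, -1.4]
    t = 0.0
    for j in jitter:
        t += 60.0
        conns.append((t + j, "10.0.0.77", "203.0.113.50"))
    # a person visiting the same site at irregular moments
    for t in [12, 95, 130, 400, 410, 412, 900, 1500, 1501, 2300]:
        conns.append((t, "10.0.0.42", "198.51.100.20"))
    # regular, but too few connections to judge
    for t in [100, 160, 220]:
        conns.append((t, "10.0.0.9", "192.0.2.5"))
    return conns


if __name__ == "__main__":
    for (src, dst), info in find_beacons(build_sample()).items():
        print(f"{src} -> {dst}: every ~{info['period']}s, {info['count']} connections, cv={info['cv']}")
```

Only the 60-second poller is reported; the human traffic has a coefficient of variation well above 1 and the three-connection host is below the minimum count. Legitimate software updaters and monitoring agents also beacon, so the output is a list of pairs to review against an allow-list rather than a verdict on its own.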
Life Cycle Manager
Some worm writers prefer to run a version of a computer worm for a preset period of time. For instance, the Welchia.A worm automatically stopped its activities, and the B variant of Welchia was then released to run for several more months. On the other hand, many worms have bugs in their life-cycle manager component and continue to run without ever stopping. Furthermore, we often encounter variants of computer worms that were patched by others to give the worm endless life.
Payload
Another optional but common component of a computer worm is the payload (activation routine). In many cases computer worms do not contain any payload at all. An increasingly popular payload is a Denial of Service (DoS) attack against a particular web site. A common side effect of computer worms, however, is an accidental DoS as a result of overloaded networks, especially overloaded network routers. Other curious side effects have also been observed, such as accidental attacks on network printers.
Computer worms can also put the compromised systems to work. For example, W32/Opaserv attempts to break a DES-like secret key by sharing the attack among the infected nodes, similarly to the SETI network. In fact, some computer worms, such as W32/Hyd, download and install SETI on compromised systems. The W32/Bymer worm is an example of a worm that installs the distributed.net client (dnetc) on compromised systems.
Another interesting tendency is the planned interaction between two computer worms as a payload. It has recently become popular to install an SMTP (Simple Mail Transfer Protocol) spam relay server as the payload of a worm. Spammers compromise systems on a large scale using worms such as W32/Bobax and then use the SMTP relay created by the worm to send spam from the zombie systems.
Self-Tracking
Many computer worm authors are interested in seeing how many machines the worm can infect, or want to allow others to track the path of the infections. To do this, several such worms upload the IP addresses of infected systems to an FTP site.
Spreading of Worms
Worms exploit various strategies to spread themselves. The most common are as follows:
- Embedded SMTP Engine
- Internet Relay Chat
- Peer-to-Peer File Sharing
These are not the only strategies employed by worms for spreading, but they will give you an understanding of their phenomenal ability to self-replicate and spread.
Embedded SMTP Engine
It is very common to encounter the phrase "uses its own SMTP engine" when reading worm descriptions, and I often use it myself when discussing Internet worms. SMTP stands for Simple Mail Transfer Protocol. It is the protocol for transferring e-mail messages and is used legitimately and effectively (along with other protocols) by e-mail programs such as Outlook Express, Pegasus Mail and others. SMTP is quite old by Internet standards but is still relatively efficient and easy to implement. These qualities make it a valuable tool for worm writers intent on wreaking maximum havoc. Many modern Internet worms have SMTP engines built directly into their code and can bypass existing e-mail programs completely. Such a worm comes loaded with everything it needs to establish a connection with a mail server and send itself to any e-mail address it has harvested from the infected computer. Since the worm does not use an existing e-mail application, the operator of the infected computer might not even be aware that a worm is propagating itself.
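Because an embedded SMTP engine delivers mail directly to the recipients' mail servers, a workstation infected with such a worm starts opening tcp/25 connections to many outside hosts, something an ordinary desktop that submits mail through the corporate relay never does. The following example is added here (not code from the original page or from any product) and applies that check to a few constructed firewall flow-log lines: any internal host other than the authorised relay that connects to port 25 on several distinct external addresses is reported. The log format, the internal address range, the relay address and the threshold are assumptions made for the example.

```python
# Added example: spotting hosts that talk SMTP directly to the outside world
# in constructed flow-log lines. Not code from the page's author.
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)$"
)

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal range
AUTHORIZED_MTAS = {"10.0.0.25"}               # assumed: the only permitted outbound relay
MIN_DISTINCT_PEERS = 3                        # assumed threshold


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_mass_mailers(lines, min_peers=MIN_DISTINCT_PEERS):
    """Return {src: sorted external SMTP peers} for unauthorised internal
    hosts that opened tcp/25 to at least min_peers distinct outside hosts."""
    peers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "tcp" or f["dport"] != 25:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external delivery attempts matter here
        if f["src"] in AUTHORIZED_MTAS:
            continue  # the relay is supposed to do this
        peers[f["src"]].add(f["dst"])
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


# Constructed sample log lines.
SAMPLE_FLOWS = """\
2024-03-01T10:00:01 10.0.0.25:41000 -> 203.0.113.10:25 tcp
2024-03-01T10:00:02 10.0.0.25:41001 -> 198.51.100.7:25 tcp
2024-03-01T10:00:03 10.0.0.25:41002 -> 192.0.2.33:25 tcp
2024-03-01T10:00:04 10.0.0.42:50123 -> 10.0.0.25:25 tcp
2024-03-01T10:00:05 10.0.0.77:51000 -> 203.0.113.10:25 tcp
2024-03-01T10:00:05 10.0.0.77:51001 -> 198.51.100.7:25 tcp
2024-03-01T10:00:06 10.0.0.77:51002 -> 192.0.2.33:25 tcp
2024-03-01T10:00:06 10.0.0.77:51003 -> 192.0.2.34:25 tcp
2024-03-01T10:00:07 10.0.0.77:51004 -> 203.0.113.80:443 tcp
2024-03-01T10:00:08 10.0.0.88:52000 -> 198.51.100.7:25 tcp
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_mass_mailers(SAMPLE_FLOWS).items():
        print(f"{src} delivered mail directly to {len(dsts)} external hosts: {', '.join(dsts)}")
```

The relay 10.0.0.25 is ignored, 10.0.0.42 only submits to the relay, and 10.0.0.88 has touched a single outside server, so only 10.0.0.77 is reported. The stronger control is to block outbound tcp/25 from everything except the relay at the firewall, at which point the same log lines become denies and the query can run on those instead.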
Internet Relay Chat
Internet Relay Chat (IRC) is a form of real-time Internet chat or synchronous conferencing. It is mainly designed for group (many-to-many) communication in discussion forums called channels, but it also allows one-to-one communication and data transfers via private message. A worm may use these facilities to propagate itself in this many-to-many environment.
Peer-to-Peer File Sharing
Peer-to-peer file sharing technology provides fertile ground for a worm. Yesteryear's popular file sharing tools such as Napster and Gnutella paved the way for today's descendants such as torrent clients. The fundamentally unrestricted nature of this technology makes it very attractive to worms.
Different Types of Computer Worms
Computer worms can be classified as follows according to their target platform and the spreading strategy they adopt. Depending on its architecture, a worm may fall into more than one category at a time, so these categories are fuzzy. A brief listing of the types is as follows:
- E-Mail Worms
- Instant Messaging Worms
- Internet Worms
- IRC Worms
- File-Sharing Networks Worms
E-Mail Worms
This type of computer worm spreads through infected e-mail messages. The message carries either an attachment containing the worm or a link to an infected web site. In the first case activation starts when the user opens the attachment; in the second, when the user clicks the link. Known methods of sending are:
- MS Outlook services
- Direct connection to SMTP servers using the worm's own SMTP engine
- Windows MAPI functions
Such worms harvest the infected computer for e-mail addresses from various sources, such as:
- Windows Address Book database
- MS Outlook address book
- Files with appropriate extensions, which are scanned for e-mail-like strings
While spreading, some worms construct new sender addresses by combining plausible names with common domain names, so the sender address in the e-mail need not be that of the originating machine.
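Because the sender address is free text chosen by the worm, the only thing a receiving mail server can trust is the IP address that actually connected to it. Sender Policy Framework (SPF) lets a domain publish, in DNS, which addresses may send mail for it, so a forged sender at a domain with a strict policy can be rejected when the connecting address is an infected workstation. The following example is added here (not code from the original page or from any library) and evaluates a deliberately simplified SPF policy: only `ip4:` mechanisms and the `all` mechanism with its qualifier are handled, and `include:`, `a`, `mx` and the other mechanisms are left out. The DNS records and the addresses are constructed and served from an in-memory table so that the example runs offline.

```python
# Added example: simplified SPF evaluation against constructed records.
# Not code from the page's author; does not implement the full RFC 7208 set
# of mechanisms (no include:, a, mx, exists:, redirect=).
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access).
FAKE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "example.net": "v=spf1 ip4:192.0.2.0/28 ~all",
    "nospf.example": None,   # domain publishes no policy at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def envelope_domain(address):
    """Domain part of an envelope sender such as '<alice@example.com>'."""
    addr = address.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def parse_spf(record):
    """Return ([(qualifier, network), ...], qualifier_of_all) or None."""
    if not record or not record.startswith("v=spf1"):
        return None
    nets, all_qualifier = [], "?"   # with no 'all' term the default is neutral
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            all_qualifier = qualifier
        elif term.startswith("ip4:"):
            nets.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
        # other mechanisms are ignored in this simplified checker
    return nets, all_qualifier


def check_spf(sender, connecting_ip, records=FAKE_SPF_RECORDS):
    """SPF result for a message claiming 'sender' delivered from connecting_ip."""
    domain = envelope_domain(sender)
    parsed = parse_spf(records.get(domain)) if domain else None
    if parsed is None:
        return "none"
    nets, all_qualifier = parsed
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, net in nets:
        if ip in net:
            return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[all_qualifier]


if __name__ == "__main__":
    # The worm on 10.0.0.77 forges a sender at example.com; the domain's
    # policy says that address may not send for it.
    print(check_spf("<alice@example.com>", "10.0.0.77"))      # fail
    print(check_spf("<alice@example.com>", "203.0.113.9"))    # pass
    print(check_spf("<bob@example.net>", "10.0.0.77"))        # softfail
    print(check_spf("<carol@nospf.example>", "10.0.0.77"))    # none
```

A `fail` result is a reason to reject the message outright, a `softfail` is usually fed into spam scoring, and `none` means the domain has given the receiver nothing to check against, which is exactly why harvested addresses at domains without SPF records are so useful to a worm's sender forgery.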
Instant Messaging Worms
This type of computer worm spreads through instant messaging applications by sending links to infected web sites to everyone on the local contact list. The only difference between these and e-mail worms is the channel used to send the links.
Internet Worms
This type of computer worm scans all available network resources using local operating system services, and may also scan the Internet for vulnerable machines. It attempts to connect to these machines and gain full access to them. Alternatively, the worm scans the Internet for machines that are still open to exploitation, i.e. not patched, and sends them data packets or requests that install the worm or a worm downloader. If this succeeds, the worm executes on the new host and the cycle begins again.
IRC Worms
Internet Relay Chat (IRC) channels are very susceptible to worm spreading. They are exploited to send infected files or links to infected web sites. Sending infected files is less effective, because the recipient has to accept the transfer, save the file and open it before infection takes place.
File-Sharing Networks Worms
This type of worm copies itself into a shared folder under a harmless-looking name. The copy is then available for download over the peer-to-peer file sharing network, and so the infected file continues to spread.
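The "harmless name" is usually a media or document name stuck onto an executable, either as a double extension ("top_hits.mp3.exe") or as an executable renamed to look like a document. Both disguises can be checked without running anything: compare the extension with what the first bytes of the file say it is. The following example is added here (not code from the original page or from any product) and scans a shared folder for those two mismatches. The sample files are constructed in a temporary directory so that the example runs stand-alone; the extension lists are assumptions made for the example.

```python
# Added example: checking a shared folder for executables disguised as
# documents or media. Not code from the page's author.
import os
import shutil
import tempfile

PE_MAGIC = b"MZ"          # DOS/Windows executable header
ELF_MAGIC = b"\x7fELF"    # Linux executable header
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
LURE_EXTS = {".mp3", ".jpg", ".avi", ".pdf", ".doc", ".zip", ".txt"}  # assumed list


def classify(path):
    """Return a list of reasons the file looks like a disguised executable."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]   # ".mp3" in "top_hits.mp3.exe"
    with open(path, "rb") as fh:
        head = fh.read(4)
    executable_content = head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC)
    reasons = []
    if ext in EXECUTABLE_EXTS and inner_ext in LURE_EXTS:
        reasons.append("double extension")
    if executable_content and ext not in EXECUTABLE_EXTS:
        reasons.append("executable content with non-executable extension")
    return reasons


def scan_shared_folder(folder):
    """Return {filename: [reasons]} for every suspicious file under folder."""
    findings = {}
    for root, _dirs, files in os.walk(folder):
        for fn in files:
            reasons = classify(os.path.join(root, fn))
            if reasons:
                findings[fn] = reasons
    return findings


def build_sample_folder():
    """Create a temporary folder with constructed files and return its path."""
    folder = tempfile.mkdtemp(prefix="p2p_share_")
    samples = {
        "holiday_photos.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # genuine JPEG header
        "readme.txt": b"plain text, nothing to see",
        "tool.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 16,          # honest executable
        "top_hits.mp3.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 16,  # double extension
        "setup_crack.pdf": PE_MAGIC + b"\x90\x00" + b"\x00" * 16,   # PE renamed as a PDF
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


def demo():
    """Build the sample share, scan it, clean up, and return the findings."""
    folder = build_sample_folder()
    try:
        return scan_shared_folder(folder)
    finally:
        shutil.rmtree(folder, ignore_errors=True)


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(f"{name}: {'; '.join(reasons)}")
```

Two of the five files are reported and the honest executable is not, which is the limit of this check: a worm dropped as "photoshop_keygen.exe" has an honest extension and is only caught by scanning its content with an anti-virus engine or by refusing to share executables at all.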
Protection against Computer Worms
Understanding computer worms enables us to safeguard computer systems against them. Although detailed technical knowledge cannot be expected from a typical IT user, a few simple preventive measures provide considerable protection against computer worms.
Installing the Security Patches for Operating System
Worms mainly spread by exploiting vulnerabilities in operating systems and the services they run. Operating system vendors supply regular security updates; if these are installed on a machine, the majority of worms will be unable to spread to it. If a vendor has acknowledged a vulnerability but has yet to release a security update to patch it, a zero-day exploit is possible. However, such cases are relatively rare.
Avoid Opening the Unexpected and Suspicious e-Mails
Computer users should refrain from opening unexpected and suspicious e-mails, and should not run attached files or programs or visit web sites linked from such e-mails.
Regular Updating of Anti-Virus Software
Anti-virus software is helpful, but it must be kept up to date with new pattern files, at least every few days.