Computer Worms
(C) Dr. Jyoti Lakhani
A computer worm is a standalone malware program that replicates itself in order to spread to other computers.
It typically uses a computer network to spread, relying on security failures on the target computer (most often an unpatched vulnerability in a network-facing service, or a user opening a malicious attachment) to gain access.
It then uses the newly infected machine as a host from which to scan for and infect further computers.
Definition:
A computer worm is a piece of software that copies itself from one computer to another. Unlike a virus, it is a standalone program that does not require a host program. It usually does not target files on an individual computer; instead it attacks entire networks, often in an attempt to build large botnets.
Worm vs Virus
Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Many worms are designed only to spread, and do not attempt to change the systems they pass through.
These are called "payload-free worms".
Even payload-free worms can cause major disruption through the network traffic their propagation generates and through other unintended effects.
Example :
The Morris worm, which carried no destructive payload but still crippled hosts by reinfecting them repeatedly.
Mydoom, whose mass-mailing traffic alone disrupted e-mail services (it also carried a backdoor and a denial-of-service routine, described in a later slide).
Some History...
The term "worm" was first used in John Brunner's 1975 novel The Shockwave Rider.
In the novel, Nick Haflinger designs and sets off a data-gathering worm in an act of revenge against the powerful men who run a national electronic information web that induces mass conformity.
The first self-replicating program on a network was Creeper (1971), an experiment written by Bob Thomas at BBN that moved between ARPANET hosts.
The first anti-worm followed: Reaper, written by Ray Tomlinson, replicated itself across the ARPANET and deleted the experimental Creeper program wherever it found it.
On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate student:
• unleashed what became known as the Morris worm,
• disrupting many computers then on the Internet, estimated at one tenth of all those connected;
• during the Morris appeal process, the U.S. Court of Appeals estimated the cost of removing the worm from each installation at between $200 and $53,000;
• the incident prompted the formation of the CERT Coordination Center and the Phage mailing list;
• Morris himself became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act.
The Generic Structure of Computer Worms
Each computer worm is built from a few essential components:
• Target Locator (TL)
• Infection Propagator(IP)
• Remote Control (RC)
• Update Interface (UI)
• Life-Cycle Manager (LM)
• Payload Routines (PR)
Target Locator (TL)
To spread rapidly on the network, the worm needs to be able to find new targets.
Most e-mail worms search the host system to discover e-mail addresses and simply send copies of themselves to those addresses.
This is convenient for attackers because corporations typically need to allow e-mail messages across the corporate firewall, giving the worm an easy penetration point.
Many worms instead scan the network for nodes at the IP level and even "fingerprint" the remote system to check whether it is likely to be vulnerable before attacking it.
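The defensive counterpart of the target locator is spotting it in network telemetry: a worm scanning at the IP level shows up as one source touching many distinct destinations on the same port within seconds, which no normal client does. The following Python is an added example, not code from these slides; the flow-record format, the 10-second window and the threshold of 8 distinct destinations are assumptions chosen for illustration, and the sample records are constructed (the UDP/1434 burst mimics how a Slammer-style scanner appears in flow data).

```python
"""Flag hosts that behave like a worm's target locator: one source contacting
many distinct destinations on the same port inside a short time window.

Added example for the slides above, not code from them. The record format
"timestamp src dst proto dport" and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real captures). 10.0.0.5 sprays UDP/1434
# at ten different hosts in three seconds; the other two hosts behave normally.
SAMPLE_FLOWS = """\
2003-01-25T05:30:00 10.0.0.5 203.0.113.17 udp 1434
2003-01-25T05:30:00 10.0.0.5 198.51.100.44 udp 1434
2003-01-25T05:30:01 10.0.0.5 192.0.2.9 udp 1434
2003-01-25T05:30:01 10.0.0.5 203.0.113.200 udp 1434
2003-01-25T05:30:01 10.0.0.5 198.51.100.3 udp 1434
2003-01-25T05:30:02 10.0.0.5 192.0.2.77 udp 1434
2003-01-25T05:30:02 10.0.0.5 203.0.113.8 udp 1434
2003-01-25T05:30:03 10.0.0.5 198.51.100.120 udp 1434
2003-01-25T05:30:03 10.0.0.5 192.0.2.150 udp 1434
2003-01-25T05:30:03 10.0.0.5 203.0.113.99 udp 1434
2003-01-25T05:30:05 10.0.0.7 192.0.2.10 tcp 443
2003-01-25T05:30:06 10.0.0.7 192.0.2.10 tcp 443
2003-01-25T05:30:07 10.0.0.7 198.51.100.20 tcp 443
2003-01-25T05:31:00 10.0.0.9 192.0.2.53 udp 53
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into (ts, src, dst, proto, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return flows


def find_scanners(flows, window=timedelta(seconds=10), min_targets=8):
    """Return {(src, proto, dport): peak_distinct_destinations} for every source
    that reached at least min_targets distinct destinations on one port inside
    any sliding window of the given length. Repeated contacts to the same host
    (a client re-connecting to one server) do not count as scanning."""
    by_key = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        by_key[(src, proto, dport)].append((ts, dst))

    scanners = {}
    for key, events in by_key.items():
        events.sort()  # sort by timestamp so the window can slide forward
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_targets:
                scanners[key] = max(len(distinct), scanners.get(key, 0))
    return scanners


if __name__ == "__main__":
    for (src, proto, dport), n in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible worm scan: {src} -> {n} hosts on {proto}/{dport}")
```

Tune `min_targets` and `window` to the baseline of the monitored segment; hosts that legitimately fan out (DNS resolvers, monitoring servers, mail relays) need an allow-list or a higher threshold, or they will trip the same rule.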
Infection Propagator (IP)
The strategy the worm uses to transfer itself to a new node and gain control of the remote system.
The author of the worm can use any of:
script language
document format
binary or in-memory injected code
(or a combination of these) to attack your system.
Some mini-worms such as W32/Witty and W32/Slammer appear to combine the target locator (a random network scan) and the infection propagator in a single function call: each randomly generated address receives one self-contained exploit packet.
Remote Control and Update Interface
The Remote Control module is a communication channel through which the worm's author can send control messages to the worm copies.
Such remote control can allow the attacker to use the worm population as a DDoS (distributed denial of service) tool against targets on the network.
Update or Plug-in Interface
An important feature of advanced worms is the ability to update the worm's code on an already-compromised system.
A common problem for the attacker is that after a system is compromised with a particular exploit, it often cannot be exploited again with the same one.
The attacker is therefore interested in changing the behaviour of the worm and even pushing new infection strategies to as many compromised nodes as possible.
For example, the intruder can use a single exploit during the first 24 hours of the outbreak and then introduce a set of others via the worm's update interface.
Life-Cycle Manager
Decides and controls the lifetime of the worm:
• Limited life cycle
• Endless life cycle
Limited Life Cycle
Some worm writers prefer to run a version of a computer worm for
a preset period of time.
For instance, the W32/Welchia.A worm "committed suicide" in early
2004, and then the B variant of Welchia was released in late
February of 2004 to run for three more months.
Figure: the suicide of the Welchia worm (cumulative number of distinct Welchia attacking systems). The count was around 30,000 when the worm was observed to start killing itself.
Consider the statistics collected on an individual Welchia honeypot administered by Frederic Perriot between August 2003 and February 2004. The sudden drop in Welchia activity is related to its life-cycle manager, which triggers the worm's self-killing routine on a preset date.
Endless Life Cycle
Many worms have bugs in their life-cycle manager component and continue to run without ever stopping.
Some computer worm variants have been patched by other people to give the worm "endless" life.
Payload (activation routine)
An optional but common component of a computer worm.
Even without an intentional payload, common side effects of computer worms are:
• accidental DoS attacks as a result of overloaded networks and network routers
• accidental attacks on network printers
Several anti-worms have been released with the intention of killing other computer worms and installing patches against the vulnerabilities they exploited.
Examples include Linux/Cheese, which hunted Linux/Lion, and W32/CodeGreen, which hunted W32/CodeRed.
It has also become common to install an SMTP (Simple Mail Transfer Protocol) spam relay server as the payload of a worm.
Spammers compromise systems on a large scale using worms such as W32/Bobax and then use the SMTP relay created by the worm to send spam from the "zombie" systems.
Self-Tracking
Some computer worms send the attacker an e-mail message with information about the infected computer so that the author can track their spread.
The Morris worm deployed a self-tracking module that attempted to send a UDP datagram to the host ernie.berkeley.edu after approximately every 15 infections.
Features
Independence
Computer viruses generally require a host program.
A worm does not need a host program, as it is an independent program or code chunk. Therefore it is not restricted by a host program, but can run independently and actively carry out attacks.
Exploit attacks
Because a worm is not limited by a host program, it can take advantage of operating system and service vulnerabilities to carry out active attacks without any user action.
Complexity
Some worms are combined with web page scripts and hidden in HTML pages using VBScript, ActiveX and other technologies. When a user accesses a web page containing such a worm, it is loaded into memory and waits to be triggered. Some worms are also combined with backdoor programs or Trojan horses, such as "Code Red".
Contagiousness
Worms are more infectious than traditional viruses. They not only infect the local computer but also reach the servers and clients on the network from that computer.
Worms can easily spread through shared folders, e-mail, malicious web pages, and servers with many unpatched vulnerabilities in the network.
Harm
Typical malicious payloads might:
• delete files on a host system (e.g., the ExploreZip worm)
• encrypt files in a ransomware attack
• exfiltrate data such as confidential documents or passwords
• install a backdoor, which allows the computer to be remotely controlled by the worm author as a "zombie"
Networks of such machines are often referred to as botnets.
Worms with good intent
A helpful worm or anti-worm is a worm designed to do something
that its author feels is helpful
Beginning with the first research into worms at Xerox PARC, there
have been attempts to create useful worms. Those worms
allowed John Shoch and Jon Hupp to test the Ethernet principles
on their network of Xerox Alto computers.
Similarly, the Nachi worms (also known as Welchia) tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system, entering by exploiting those same vulnerabilities.
Several worms, including some XSS worms, have been written to research how worms spread, for example the effects of changes in social activity or user behaviour.
Anti-worms have been used to combat the effects of the Code Red, Blaster, and Santy worms.
Welchia is an example of a helpful worm. Utilizing the same
deficiencies exploited by the Blaster worm, Welchia infected
computers and automatically began
downloading Microsoft security updates for Windows without the
users' consent. Welchia automatically reboots the computers it
infects after installing the updates. One of these updates was the
patch that fixed the exploit.
Other examples of helpful worms are "Den_Zuko", "Cheeze",
"CodeGreen", and "Millenium".
Types of Computer Worm
• Internet worms
• Email worms
• File-sharing worms
• IRC worms
• Instant messaging worms
Internet Worms
Internet worms target popular websites with insufficient security.
When they manage to infect the site, they can replicate themselves onto any computer used to access the website in question.
From there, they are distributed to other connected computers through the internet and local area network connections.
Email Worms
Distributed via malicious email attachments.
They usually have double extensions (for example, .mp4.exe or .avi.exe) so that the recipient thinks they are media files rather than executable programs; Windows Explorer hides known extensions by default, so "video.avi.exe" is displayed as "video.avi".
When the victim opens the attachment, copies of the same infected file are automatically sent to addresses from their contact list.
An email message does not have to contain an attachment to distribute a computer worm. Instead, the body of the message might contain a shortened link so that the recipient cannot tell where it leads without clicking on it. When they click the link, they are taken to an infected website that automatically starts downloading malicious software to their computer.
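A mail-gateway check for the double-extension trick described above, as an added example that is not part of the original slides: it classifies attachment names, compares extensions case-insensitively, and also catches the variant that pads the decoy extension with spaces so the real extension scrolls out of view in the client. The extension lists and the verdict names are assumptions chosen for illustration; the sample filenames are constructed. The same check applies to file attachments arriving over instant messaging.

```python
"""Screen attachment filenames for the double-extension disguise used by
e-mail and IM worms ('holiday.mp4.exe', 'VIDEO.AVI.EXE', 'clip.avi     .exe').

Added example, not code from the slides. The extension sets and verdict
strings are assumptions; extend them for your own environment.
"""

# Extensions Windows will execute when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd",
                   "vbs", "js", "jse", "wsf", "hta"}

# Extensions a worm author picks as the visible "decoy" (assumed list).
DECOY_EXTS = {"mp4", "avi", "mp3", "jpg", "jpeg", "png", "gif",
              "pdf", "doc", "txt"}


def classify_attachment(filename):
    """Return one of three verdicts for an attachment name:
       'double_extension' - decoy media/document extension followed by an
                            executable one, e.g. 'funny.avi.exe'
       'executable'       - executable extension with no decoy, e.g. 'setup.exe'
       'ok'               - anything else
    The name is lower-cased and every dot-separated part is stripped, so
    'CLIP.AVI        .EXE' (space padding) is treated like 'clip.avi.exe'."""
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    if len(parts) < 2:
        return "ok"  # no extension at all
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double_extension"
    return "executable"


def screen_message(attachments):
    """Return the (filename, verdict) pairs that should block delivery;
    an empty list means every attachment passed."""
    blocked = []
    for name in attachments:
        verdict = classify_attachment(name)
        if verdict != "ok":
            blocked.append((name, verdict))
    return blocked


if __name__ == "__main__":
    # Constructed sample: one benign picture, one disguised screensaver binary.
    for name, verdict in screen_message(["party.jpg", "party.mp3.scr"]):
        print(f"blocked {name!r}: {verdict}")
```

Blocking on the final extension alone would already stop the disguised binaries; keeping the separate `double_extension` verdict is useful because that pattern almost never appears in legitimate mail, so it can be alerted on at a higher severity than a plain executable attachment.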
Instant Messaging Worms
Instant messaging worms are exactly the same as email worms, the
only difference being their method of distribution.
Once again, they are masked as attachments or clickable links to
websites. They are often accompanied by short messages like “LOL”
or “You have to see this!” to trick the victim into thinking that their
friend is sending them a funny video to look at.
When the user clicks on the link or the attachment – be it in
Messenger, WhatsApp, Skype, or any other popular messaging app
– the exact same message will then be sent to their contacts.
File-Sharing Worms
Although often used to trade pirated content, file-sharing and peer-to-peer file transfers are still used by millions of people around the world. In doing so, they unknowingly expose their computers to file-sharing worms.
When the victim opens the downloaded file to view it or listen to it, they install the worm on their computer.
Even if it seems that the user has downloaded an actual playable media file, an executable malicious file could be hidden in the folder and discreetly installed when the media file is first opened.
IRC Worms
Internet Relay Chat (IRC) is a chat protocol that is mostly outdated nowadays but was all the rage at the turn of the century.
As with today's instant messaging platforms, computer worms were distributed via messages containing links and file transfers.
The latter was less effective because IRC clients prompted users to accept incoming (DCC) file transfers before any transfer could take place.
Examples of some of the most notorious computer worms
Jerusalem, discovered in 1987, is often listed among the earliest self-replicating malware; strictly it was a DOS file-infecting virus rather than a network worm.
The Morris Worm, launched in 1988 by Robert Morris, an American student who said he wanted to measure how big the internet really was. The worm's reinfection logic was buggy, so it repeatedly reinfected hosts it had already reached and caused a variety of problems on affected machines. The result was thousands of overloaded UNIX computers and financial damage estimated at between $10 million and $100 million.
The Storm Worm, an email worm launched in January 2007.
Victims received emails with a fake news report about an unprecedented storm that had already killed hundreds of people across Europe (subject lines such as "230 dead as storm batters Europe").
More than 1.2 billion of these emails are estimated to have been sent to build a botnet that was used for spam and for DDoS attacks against websites. Estimates of the botnet's size at its peak ranged from a few hundred thousand to well over a million infected computers whose owners did not know they were part of it.
SQL Slammer did not utilize any of the traditional distribution methods. Instead, it generated random IP addresses and fired a single 376-byte UDP packet at port 1434 of each, in the hope that an unpatched Microsoft SQL Server 2000 or MSDE instance was listening (the hole, MS02-039, had been patched six months earlier).
Soon after it hit in January 2003, more than 75,000 computers were infected within about ten minutes. The worm carried no payload: the scanning traffic alone saturated networks and knocked out services, including bank ATMs and airline systems.
Code Red
Code Red first surfaced in July 2001 and was discovered by two eEye Digital Security employees. It was named Code Red because the pair were drinking Code Red Mountain Dew at the time of discovery.
The worm targeted computers running Microsoft's IIS web server, exploiting a buffer overflow in the Indexing Service extension (idq.dll). It leaves very little trace on the hard disk because it runs entirely in memory, with a size of 3,569 bytes.
Once a machine is infected, the worm spawns a hundred threads that scan for new victims, but due to a bug in the programming it spawns even more, eating up a lot of the system's resources.
Melissa
Named after an exotic dancer from Florida, it was created by David L. Smith in 1999.
It started as an infected Word document posted to a Usenet group, claiming to be a list of passwords for pornographic sites.
This got people curious; when the document was downloaded and opened, it triggered the macro inside and unleashed its payload.
The macro mailed the document to the first 50 entries in the user's Outlook address book, and the resulting surge in email traffic disrupted the email services of governments and corporations. Strictly, Melissa is a macro virus that spreads as a mass-mailer, which is why it appears in both virus and worm lists.
Sasser
A Windows worm first discovered in 2004, it was created by computer science student Sven Jaschan, who also created the Netsky worm.
It slowed down and crashed infected computers and made them hard to restart without cutting the power. The effects were incredibly disruptive, with millions of computers infected and critical infrastructure affected.
The worm took advantage of a buffer overflow vulnerability (MS04-011) in the Local Security Authority Subsystem Service (LSASS), which enforces the security policy for local accounts; crashing LSASS is what brought the machines down.
It also used the infected system's resources to propagate itself to other machines over the Internet, infecting them automatically without any user action.
Conficker
Conficker is a worm of unknown authorship for Windows that made its first appearance in 2008.
It infects computers using flaws in the OS to create a botnet.
The malware infected more than 9 million computers around the world, affecting governments, businesses and individuals.
It was one of the largest known worm infections ever, causing estimated damage of $9 billion.
The worm works by exploiting a vulnerability in the Windows Server service (MS08-067) that was present and unpatched on many machines.
Once a machine is infected, the worm resets account lockout policies (its attempts to guess passwords for network shares locked out user accounts), blocks access to Windows Update and antivirus sites, and turns off certain services, among other things.
Then it installs software that turns the computer into a botnet slave, plus scareware to scam money from the user.
Microsoft later provided a patch, and many antivirus vendors updated their definitions.
Mydoom
Surfacing in January 2004, Mydoom was a worm for Windows that became one of the fastest-spreading email worms since ILOVEYOU.
The author is unknown; it is believed that the creator was paid to write it, since it contains the text message "andy; I'm just doing my job, nothing personal, sorry".
It was named by McAfee employee Craig Schmugar, one of the people who originally discovered it: "mydom" was a line of text in the program's code (for "my domain") and, sensing this was going to be big, he added "doom" to it.
The worm spreads by posing as an email transmission error and carrying a copy of itself as an attachment.
Once executed, it sends itself to email addresses in the user's address book and copies itself into any P2P program's shared folder to propagate through that network.
The payload is twofold: first it opens a backdoor to allow remote access, and second it launches a denial-of-service attack.
It caused an estimated $38.5 billion in damages, and the worm is still seen in some form today.
(C) Dr. Jyoti Lakhani
(C) Dr. Jyoti Lakhani

Ids 006 computer worms

  • 1.
  • 2.
    A computer wormis a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use target machine as a host to scan and infect other computers. (C) Dr. Jyoti Lakhani
  • 3.
    Definition: A computer wormis a piece of software that copies itself from one computer to another. Unlike a virus, it is a standalone program that doesn’t require a host. It usually doesn’t target files on an individual computer. Instead, it takes on entire networks in an attempt to create large botnets. (C) Dr. Jyoti Lakhani
  • 4.
    Worm vs Virus Wormsalmost always cause at least some harm to the network, even if only by consuming bandwidth whereas Viruses almost always corrupt or modify files on a targeted computer (C) Dr. Jyoti Lakhani
  • 5.
    Many worms aredesigned only to spread, and do not attempt to change the systems they pass through. These are called “Payload Free worms” These "payload-free" worms can cause major disruption by increasing network traffic and other unintended effects Example : Morris worm Mydoom worm (C) Dr. Jyoti Lakhani
  • 6.
    Some History... The actualterm "worm" was first used in John Brunner's 1975 novel, The Shockwave Rider. In the novel, Nichlas Haflinger designs and sets off a data- gathering worm in an act of revenge against the powerful men who run a national electronic information web that induces mass conformity“ The first ever computer worm was devised to be an anti-virus software. Named Reaper, it was created by Ray Tomlinson to replicate itself across the ARPANET and delete the experimental Creeper program. (C) Dr. Jyoti Lakhani
  • 7.
    On November 2,1988, Robert Tappan Morris, a Cornell University computer science graduate student, _unleashed what became known as the Morris worm _disrupting many computers then on the Internet, guessed, one tenth of all those connected. _During the Morris appeal process, the U.S. Court of Appeals estimated the cost of removing the worm from each installation at between $200 and $53,000 _this work prompted the formation of the CERT Coordination Center and Phage mailing list _Morris himself became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act. (C) Dr. Jyoti Lakhani
  • 8.
    The Generic Structureof Computer Worms Each computer worm has a few essential components- • Target Locator (TL) • Infection Propagator(IP) • Remote Control (RC) • Update Interface (UI) • Life-Cycle Manager (LM) • Payload Routines (PR) (C) Dr. Jyoti Lakhani RC PR TL LM UI
  • 9.
    Target Locator (TL) Tospread rapidly on the network, the worm needs to be able to find new targets Most worms search host system to discover e-mail addresses and simply send copies of themselves to such addresses This is convenient for attackers because corporations typically need to allow e-mail messages across the corporate firewalls, thereby allowing an easy penetration point for the worm Many worms deploy techniques to scan the network for nodes on the IP level and even "fingerprint" the remote system to check whether such a system might be vulnerable (C) Dr. Jyoti Lakhani
  • 10.
    Infection Propagator (IP) Itis the strategy the worm uses to transfer itself to a new node and get control on the remote system The author of the worm can use any- script language document format binary or in-memory injected code (or a combination of these) to attack your system. (C) Dr. Jyoti Lakhani Some mini-worms such as W32/Witty and W32/Slammer appear to combine the target locator (network scan) and infection propagator in a single function call.
  • 11.
    Remote Control andUpdate Interface Remote Control module is a communication module The worm's author can send control messages to the worm copies Such remote control can allow the attacker to use the worm as a DDoS (distributed denial of service) tool on the network (C) Dr. Jyoti Lakhani
  • 12.
    (C) Dr. JyotiLakhani Update or Plug-in Interface It is an important feature of advanced worms to update the worm's code on an already-compromised system. A common problem for the attacker is that after a system is compromised with a particular exploit, it often cannot be exploited again with the same one. The attacker is interested in changing the behavior of the worm and even sending new infection strategies to as many compromised nodes as possible. For example, the intruder can use a single exploit during the first 24 hours of the outbreak and then introduce a set of others via the worm's update interface.
  • 13.
    Life-Cycle Manager Decides andcontrol the life of the worm • Limited Life Cycle • Endless Life Cycle (C) Dr. Jyoti Lakhani
  • 14.
    (C) Dr. JyotiLakhani Limited Life Cycle Some worm writers prefer to run a version of a computer worm for a preset period of time. For instance, the W32/Welchia.A worm "committed suicide" in early 2004, and then the B variant of Welchia was released in late February of 2004 to run for three more months. The suicide of Welchia worm The cumulative number of distinct Welchia attacking systems was around 30,000 when the worm started to kill itself when observed
  • 15.
    The cumulative numberof Welchia attackers. (C) Dr. Jyoti Lakhani Consider the statistics collected on an individual Welchia honeypot administered by Frederic Perriot between August 2003 and February 2004, The sudden drop of Welchia is related to its life- cycle manager, which triggers the worm's self-killing routine.
  • 16.
    (C) Dr. JyotiLakhani Endless Life Cycle Many worms have bugs in their life-cycle manager component and continue to run without ever stopping. Some variants of computer worms patched by others to give the worm "endless" life.
  • 17.
    Payload(activation routine). optional butcommon component of a computer worm common side effect of computer worms is – • accidental DoS attacks as a result of overloaded networks, overloaded network routers • accidental attacks on network printers (C) Dr. Jyoti Lakhani
  • 18.
    Several anti-worms havebeen released with the intention of killing other computer worms and installing patches against the vulnerabilities they exploited. Examples include Linux/Lion versus Linux/Cheese and W32/CodeRed versus W32/CodeGreen. Recently it is becoming popular to install an SMTP (Simple Mail Transfer Protocol) spam relay server the payload of a worm. Spammers compromise systems on a large scale using worms such as W32/Bobax and then using the SMTP relay server created by the worm to spam messages from the "zombie" systems. (C) Dr. Jyoti Lakhani
  • 19.
    Self-Tracking Computer worms typicallysend the attacker an e-mail message with information about the infected computer to track their spread. The Morris worm deployed a self-tracking module that attempted to send a UDP datagram to the host at ernie.berkeley.edu after approximately every 15 infections. (C) Dr. Jyoti Lakhani
  • 20.
    Features Independence Computer viruses generallyrequire a host program. A worm does not need a host program, as it is an independent program or code chunk. Therefore, it is not restricted by the host program, but can run independently and actively carry out attacks. Exploit attacks Because a worm is not limited by the host program, worms can take advantage of various operating system vulnerabilities to carry out active attacks. (C) Dr. Jyoti Lakhani
  • 21.
    Complexity Some worms arecombined with web page scripts, and are hidden in HTML pages using VBScript, ActiveX and other technologies. When a user accesses a webpage containing a virus, the virus automatically resides in memory and waits to be triggered. There are also some worms that are combined with backdoor programs or Trojan horses, such as "Code Red". Contagiousness Worms are more infectious than traditional viruses. They not only infect local computers, but also all servers and clients on the network based on the local computer. Worms can easily spread through shared folders, e-mails, malicious web pages, and servers with a large number of vulnerabilities in the network. (C) Dr. Jyoti Lakhani
  • 22.
    Typical malicious payloadsmight – • delete files on a host system (e.g., the ExploreZip worm) • encrypt files in a ransomware attack • exfiltrate data such as confidential documents or passwords • install a backdoor. This allows the computer to be remotely controlled by the worm author as a "zombie” • Networks of such machines are often referred to as botnets HARM (C) Dr. Jyoti Lakhani
  • 23.
    Worms with goodintent A helpful worm or anti-worm is a worm designed to do something that its author feels is helpful Beginning with the first research into worms at Xerox PARC, there have been attempts to create useful worms. Those worms allowed John Shoch and Jon Hupp to test the Ethernet principles on their network of Xerox Alto computers. Similarly, the Nachi worms tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system by exploiting those same vulnerabilities. (C) Dr. Jyoti Lakhani
  • 24.
    Several worms, includingsome XSS worms, have been written to research how worms spread, such as the effects of changes in social activity or user behavior Anti-worms have been used to combat the effects of the Code Red, Blaster, and Santy worms. Welchia is an example of a helpful worm. Utilizing the same deficiencies exploited by the Blaster worm, Welchia infected computers and automatically began downloading Microsoft security updates for Windows without the users' consent. Welchia automatically reboots the computers it infects after installing the updates. One of these updates was the patch that fixed the exploit. Other examples of helpful worms are "Den_Zuko", "Cheeze", "CodeGreen", and "Millenium". (C) Dr. Jyoti Lakhani
  • 25.
    Types of ComputerWorm (C) Dr. Jyoti Lakhani Worms Internet Worms Email Worms File Sharing Worms IRC Worms Instant Messagin g worms
  • 26.
    Internet Worms Computer wormsdo target popular websites with insufficient security When they manage to infect the site, internet worms can replicate themselves onto any computer being used to access the website in question. From there, internet worms are distributed to other connected computers through the internet and local area network connections. (C) Dr. Jyoti Lakhani
  • 27.
    Email Worms Distributed viacompromised email attachments They usually have double extensions (for example, .mp4.exe or .avi.exe) so that the recipient would think that they are media files and not malicious computer programs. When the victims click on the attachment, copies of the same infected file will automatically be sent to addresses from their contacts list. An email message doesn’t have to contain a downloadable attachment to distribute a computer worm. Instead, the body of the message might contain a link that’s shortened so that the recipient can’t tell what it’s about without clicking on it. When they click on the link, they will be taken to an infected website that will automatically start downloading malicious software to their computer. (C) Dr. Jyoti Lakhani
  • 28.
    Instant Messaging Worms Instantmessaging worms are exactly the same as email worms, the only difference being their method of distribution. Once again, they are masked as attachments or clickable links to websites. They are often accompanied by short messages like “LOL” or “You have to see this!” to trick the victim into thinking that their friend is sending them a funny video to look at. When the user clicks on the link or the attachment – be it in Messenger, WhatsApp, Skype, or any other popular messaging app – the exact same message will then be sent to their contacts. (C) Dr. Jyoti Lakhani
  • 29.
    File-Sharing Worms Although illegal,file-sharing and peer-to-peer file transfers are still used by millions of people around the world. Doing so, they are unknowingly exposing their computers to the threat of file-sharing worms. When the victim opens the downloaded file to view it or listen to it, they will download the worm to their computer. Even if it seems that users have downloaded an actual playable media file, an executable malicious file could be hidden in the folder and discreetly installed when the media file is first opened. (C) Dr. Jyoti Lakhani
  • 30.
    IRC Worms Internet RelayChat (IRC) is a messaging app that is mostly outdated nowadays but was all the rage at the turn of the century. Same as with today’s instant messaging platforms, computer worms were distributed via messages containing links and attachments. The latter was less effective due to an extra layer of protection that prompted users to accept incoming files before any transfer could take place. (C) Dr. Jyoti Lakhani
  • 31.
    Examples of Someof the most notorious Computer Worm Jerusalem, the first known computer worm, was discovered in 1987. The Morris Worm, launched in 1988 by Robert Morris, an American student who wanted to discover how big the internet really was. To do this, he launched a few dozen lines of code, but he didn’t know that the code was riddled with bugs that would cause a variety of problems on affected hosts. The result was thousands of overloaded computers running on UNIX and a financial damage ranging between $10 million and $100 million. (C) Dr. Jyoti Lakhani
  • 32.
    The Storm Worm,an email worm launched in 2007. Victims would receive emails with a fake news report about an unprecedented storm wave that had already killed hundreds of people across Europe. More than 1.2 billion of these emails were sent over the course of ten years in order to create a botnet that would target popular websites. Experts believe that there are still at least a million infected computers whose owners don’t know that they are part of a botnet. (C) Dr. Jyoti Lakhani
SQL Slammer didn't use any of the traditional distribution methods. Instead, it generated a number of random IP addresses and sent itself out to them in the hope that they weren't protected by antivirus software. Soon after it hit in 2003, more than 75,000 infected computers were unknowingly involved in DDoS attacks on several major websites.
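The random-address spreading described for SQL Slammer has a recognisable footprint in network flow logs, and that is where a defender catches it. The detector below is an added example written for these notes, not code from the slides: it reads NetFlow-style records and flags any source that reaches many distinct destination addresses on one port inside a short sliding window, which is what random scanning looks like and what ordinary clients (which keep talking to the same few servers) do not. The flow records, the addresses and the thresholds are constructed for the example; udp/1434 appears in the sample only because that is the port Slammer targeted, and the detector itself is port-agnostic.

```python
"""Random-scan detector over constructed flow records (added example)."""
from collections import Counter, defaultdict

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, proto, dst_port).
# 10.0.0.5 behaves like a random-scanning worm: a dozen distinct targets
# on one port inside a few seconds, no repeats.
SCANNER_TARGETS = [
    "203.0.113.17", "198.51.100.201", "192.0.2.88", "203.0.113.4",
    "198.51.100.9", "192.0.2.253", "203.0.113.140", "198.51.100.66",
    "192.0.2.31", "203.0.113.222", "198.51.100.118", "192.0.2.7",
]
SAMPLE_FLOWS = [
    (100.0 + i * 0.3, "10.0.0.5", dst, "udp", 1434)
    for i, dst in enumerate(SCANNER_TARGETS)
] + [
    # 10.0.0.9 is an ordinary client alternating between two web servers
    # over a minute and a half: few destinations, many repeats.
    (100.0 + i * 15, "10.0.0.9", "192.0.2.10" if i % 2 == 0 else "192.0.2.11", "tcp", 443)
    for i in range(6)
]


def detect_random_scanners(flows, window_seconds=10.0, min_distinct_dsts=8):
    """Return {(src_ip, proto, port): peak_distinct_dsts} for every source that
    contacts at least min_distinct_dsts distinct destination IPs on one
    (proto, port) within any window_seconds-long sliding window.
    Thresholds are assumptions; tune them to the network's normal fan-out."""
    by_key = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        by_key[(src, proto, port)].append((ts, dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()                 # order by timestamp
        in_window = Counter()         # destination -> flows inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict flows older than the window ending at ts.
            while events[left][0] < ts - window_seconds:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_dsts:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, proto, port), peak in detect_random_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct destinations on {proto}/{port} within 10 s")
```

On the sample data only the scanning host is reported (12 distinct destinations on udp/1434); the client that repeats two servers never exceeds one distinct destination per window. A real deployment would also weight destinations that never answer, since randomly generated addresses are mostly unused.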
Code Red

Code Red first surfaced in 2001 and was discovered by two eEye Digital Security employees. It was named Code Red because the pair were drinking Code Red Mountain Dew at the time of discovery. The worm targeted computers with the Microsoft IIS web server installed, exploiting a buffer overflow in the server. It leaves very little trace on the hard disk because it runs entirely in memory, with a size of 3,569 bytes. Once a machine is infected, the worm proceeds to make a hundred copies of itself, but due to a bug in its code it duplicates even more and ends up consuming a lot of the system's resources.
Melissa

Named after an exotic dancer from Florida, it was created by David L. Smith in 1999. It started as an infected Word document posted to a Usenet group, claiming to be a list of passwords for pornographic sites. This made people curious, and when the document was downloaded and opened it triggered the macro inside and unleashed its payload. The virus mails itself to the top 50 people in the user's email address book, and the resulting increase in email traffic disrupted the email services of governments and corporations.
Sasser

A Windows worm first discovered in 2004, it was created by computer science student Sven Jaschan, who also created the Netsky worm. It slows down and crashes the computer while making it hard to reset without cutting the power. The effects were incredibly disruptive, with millions of computers infected and important critical infrastructure affected. The worm took advantage of a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS), which controls the security policy of local accounts, causing the computer to crash. It also uses the system's resources to propagate itself to other machines through the Internet and infect them automatically.
Conficker

Conficker is a worm of unknown authorship for Windows that made its first appearance in 2008. It infects computers using flaws in the OS to create a botnet. The malware was able to infect more than 9 million computers all around the world, affecting governments, businesses and individuals. It was one of the largest known worm infections ever to surface, causing an estimated $9 billion in damage.
The worm works by exploiting a network service vulnerability that was present and unpatched in Windows. Once a machine is infected, the worm resets account lockout policies, blocks access to Windows Update and antivirus sites, turns off certain services and locks out user accounts, among other things. Then it proceeds to install software that turns the computer into a botnet slave, and scareware to scam money from the user. Microsoft later provided a fix and patch, and many antivirus vendors provided updates to their definitions.
Mydoom

Surfacing in 2004, Mydoom was a worm for Windows that became one of the fastest-spreading email worms since ILOVEYOU. The author is unknown, and it is believed that the creator was paid to create it, since it contains the text message "andy; I'm just doing my job, nothing personal, sorry". It was named by McAfee employee Craig Schmugar, one of the people who originally discovered it: "mydom" was a line of text in the program's code (for "my domain") and, sensing this was going to be big, he added "doom" to it.
The worm spreads itself by appearing as an email transmission error and contains an attachment of itself. Once executed, it sends itself to the email addresses in the user's address book and copies itself to any P2P program's folder to propagate itself through that network. The payload is twofold: first it opens a backdoor to allow remote access, and second it launches a denial-of-service attack. It caused an estimated $38.5 billion in damages, and the worm is still active in some form today.
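Two of the email-worm behaviours in these slides, Melissa mailing itself to the top 50 entries of an address book and Mydoom posing as a transmission error while carrying itself as an attachment, are both visible in a mail gateway's outbound log without opening message bodies. The script below is an added example for these notes, not code from the slides or from any vendor: it applies two checks to constructed message metadata, a fan-out check (one sender, many distinct recipients, the same risky attachment type, inside one short time bucket) and a forged-bounce check (a delivery-failure subject sent from an ordinary user account rather than the mail system, with an executable or macro-capable attachment). The extension list, bounce phrases, trusted local parts, thresholds and all sample messages are assumptions chosen for the example.

```python
"""Outbound-mail worm indicators over constructed message metadata (added example)."""
import os
from collections import defaultdict

# Assumed sets for the example: extensions that can carry code or macros,
# subject phrases typical of real bounces, and local parts the MTA uses.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".doc", ".xls"}
BOUNCE_PHRASES = ("delivery failed", "transaction failed", "undeliverable", "returned mail")
TRUSTED_BOUNCE_LOCALPARTS = ("mailer-daemon", "postmaster")

# Constructed sample log: (timestamp_seconds, sender, recipient, subject, attachment or None).
SAMPLE_MESSAGES = [
    # Melissa-style fan-out: one user mails the same macro document to 50 contacts in 50 s.
    (1000 + i, "alice@example.test", f"contact{i:02d}@example.test",
     "Important Message From alice", "list.doc")
    for i in range(50)
] + [
    # Mydoom-style forged bounces: a user account, not the MTA, sends "transaction failed"
    # messages that carry a screensaver executable.
    (1200, "bob@example.test", "dave@example.test", "Mail Transaction Failed", "message.scr"),
    (1201, "bob@example.test", "erin@example.test", "Mail Transaction Failed", "message.scr"),
    # Genuine bounce from the mail system: trusted local part, no attachment.
    (1300, "mailer-daemon@example.test", "carol@example.test", "Undeliverable: weekly report", None),
    # Normal traffic with a harmless attachment type.
    (1400, "carol@example.test", "frank@example.test", "Weekly report", "report.pdf"),
]


def risky_attachment(name):
    """True when the attachment's extension is in the assumed risky set."""
    return name is not None and os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS


def forged_bounce(sender, subject):
    """True when a delivery-failure subject comes from a non-MTA account."""
    localpart = sender.split("@", 1)[0].lower()
    if localpart in TRUSTED_BOUNCE_LOCALPARTS:
        return False
    subject = subject.lower()
    return any(phrase in subject for phrase in BOUNCE_PHRASES)


def detect_mail_worm_activity(messages, window_seconds=60, min_recipients=20):
    """Return a sorted list of (sender, reason) findings.

    Fan-out is measured per fixed time bucket of window_seconds, counting
    distinct recipients of risky attachments; a burst straddling a bucket
    boundary is still caught when either half reaches min_recipients.
    """
    findings = set()
    fanout = defaultdict(set)          # (sender, bucket) -> distinct recipients
    for ts, sender, rcpt, subject, attachment in messages:
        if not risky_attachment(attachment):
            continue                   # neither check fires without a risky attachment
        fanout[(sender, int(ts // window_seconds))].add(rcpt)
        if forged_bounce(sender, subject):
            findings.add((sender, "forged bounce: delivery-failure subject from a user account "
                                  "with a risky attachment"))
    for (sender, _bucket), rcpts in fanout.items():
        if len(rcpts) >= min_recipients:
            findings.add((sender, f"fan-out: risky attachment to at least {min_recipients} "
                                  f"distinct recipients within {window_seconds} s"))
    return sorted(findings)


if __name__ == "__main__":
    for sender, reason in detect_mail_worm_activity(SAMPLE_MESSAGES):
        print(f"{sender}: {reason}")
```

On the sample log the fan-out check reports alice and the forged-bounce check reports bob; the genuine mailer-daemon bounce and carol's PDF produce nothing. The two checks are deliberately independent: Mydoom's two-message burst is below the fan-out threshold but is still caught by its forged subject, and Melissa's ordinary-looking subject is caught by volume alone.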