Ids 006 computer worms

Computer Worms
(C) Dr. Jyoti Lakhani

A computer worm is a standalone malware computer
program that replicates itself in order to spread to other
computers.
It often uses a computer network to spread itself, relying on
security failures on the target computer to access it.
It will use target machine as a host to scan and infect other
computers.

Definition:
A computer worm is a piece of software that copies
itself from one computer to another. Unlike a virus, it
is a standalone program that doesn’t require a host. It
usually doesn’t target files on an individual computer.
Instead, it takes on entire networks in an attempt to
create large botnets.

Worm vs Virus
Worms almost always cause at least some harm to the
network, even if only by consuming bandwidth
whereas
Viruses almost always corrupt or modify files on a targeted
computer

Many worms are designed only to spread, and do not attempt to
change the systems they pass through.
These are called
“Payload Free worms”
These "payload-free" worms can cause major disruption by
increasing network traffic and other unintended effects
Example :
Morris worm
Mydoom worm

Some History...
The actual term "worm" was first used in John Brunner's 1975
novel, The Shockwave Rider.
In the novel, Nichlas Haflinger designs and sets off a data-
gathering worm in an act of revenge against the powerful men
who run a national electronic information web that induces mass
conformity“
The first ever computer worm was devised to be an anti-virus
software. Named Reaper, it was created by Ray Tomlinson to
replicate itself across the ARPANET and delete the
experimental Creeper program.

On November 2, 1988, Robert Tappan Morris, a Cornell
University computer science graduate student,
_unleashed what became known as the Morris worm
_disrupting many computers then on the Internet, guessed, one
tenth of all those connected.
_During the Morris appeal process, the U.S. Court of Appeals
estimated the cost of removing the worm from each installation at
between $200 and $53,000
_this work prompted the formation of the CERT Coordination
Center and Phage mailing list
_Morris himself became the first person tried and convicted under
the 1986 Computer Fraud and Abuse Act.

The Generic Structure of Computer Worms
Each computer worm has a few essential components-
• Target Locator (TL)
• Infection Propagator(IP)
• Remote Control (RC)
• Update Interface (UI)
• Life-Cycle Manager (LM)
• Payload Routines (PR)
RC
PR
TL
LM
UI

Target Locator (TL)
To spread rapidly on the network, the worm needs to be able to
find new targets
Most worms search host system to discover e-mail addresses and
simply send copies of themselves to such addresses
This is convenient for attackers because corporations typically
need to allow e-mail messages across the corporate firewalls,
thereby allowing an easy penetration point for the worm
Many worms deploy techniques to scan the network for nodes on
the IP level and even "fingerprint" the remote system to check
whether such a system might be vulnerable

Infection Propagator (IP)
It is the strategy the worm uses to transfer itself to a new node
and get control on the remote system
The author of the worm can use any-
script language
document format
binary or in-memory injected code
(or a combination of these) to attack your system.
Some mini-worms such as W32/Witty and W32/Slammer appear
to combine the target locator (network scan) and infection
propagator in a single function call.

Remote Control and Update Interface
Remote Control module is a communication module
The worm's author can send control messages to the worm copies
Such remote control can allow the attacker to use the worm as a
DDoS (distributed denial of service) tool on the network

Update or Plug-in Interface
It is an important feature of advanced worms to update the
worm's code on an already-compromised system.
A common problem for the attacker is that after a system is
compromised with a particular exploit, it often cannot be
exploited again with the same one.
The attacker is interested in changing the behavior of the worm
and even sending new infection strategies to as many
compromised nodes as possible.
For example, the intruder can use a single exploit during the first
24 hours of the outbreak and then introduce a set of others via
the worm's update interface.

Life-Cycle Manager
Decides and control the life of the worm
• Limited Life Cycle
• Endless Life Cycle

Limited Life Cycle
Some worm writers prefer to run a version of a computer worm for
a preset period of time.
For instance, the W32/Welchia.A worm "committed suicide" in early
2004, and then the B variant of Welchia was released in late
February of 2004 to run for three more months.
The suicide of Welchia worm
The cumulative number of
distinct Welchia attacking
systems was around 30,000
when the worm started to
kill itself when observed

The cumulative number of Welchia attackers.
Consider the statistics collected on an individual Welchia honeypot
administered by Frederic Perriot between August 2003 and
February 2004, The sudden drop of Welchia is related to its life-
cycle manager, which triggers the worm's self-killing routine.

Endless Life Cycle
Many worms have bugs in their life-cycle manager component and
continue to run without ever stopping.
Some variants of computer worms patched by others to give the
worm "endless" life.

Payload(activation routine).
optional but common component of a computer worm
common side effect of computer worms is –
• accidental DoS attacks as a result of overloaded networks,
overloaded network routers
• accidental attacks on network printers

Several anti-worms have been released with the intention of
killing other computer worms and installing patches against the
vulnerabilities they exploited.
Examples include Linux/Lion versus Linux/Cheese and
W32/CodeRed versus W32/CodeGreen.
Recently it is becoming popular to install an SMTP (Simple Mail
Transfer Protocol) spam relay server the payload of a worm.
Spammers compromise systems on a large scale using worms such
as W32/Bobax and then using the SMTP relay server created by
the worm to spam messages from the "zombie" systems.

Self-Tracking
Computer worms typically send the attacker an e-mail message
with information about the infected computer to track their
spread.
The Morris worm deployed a self-tracking module that attempted
to send a UDP datagram to the host at ernie.berkeley.edu after
approximately every 15 infections.

Features
Independence
Computer viruses generally require a host program.
A worm does not need a host program, as it is an independent
program or code chunk. Therefore, it is not restricted by the host
program, but can run independently and actively carry out
attacks.
Exploit attacks
Because a worm is not limited by the host program, worms can
take advantage of various operating system vulnerabilities to
carry out active attacks.

Complexity
Some worms are combined with web page scripts, and are hidden
in HTML pages using VBScript, ActiveX and other technologies.
When a user accesses a webpage containing a virus, the virus
automatically resides in memory and waits to be triggered. There
are also some worms that are combined with backdoor programs
or Trojan horses, such as "Code Red".
Contagiousness
Worms are more infectious than traditional viruses. They not only
infect local computers, but also all servers and clients on the
network based on the local computer.
Worms can easily spread through shared folders, e-mails,
malicious web pages, and servers with a large number of
vulnerabilities in the network.

Typical malicious payloads might –
• delete files on a host system (e.g., the ExploreZip worm)
• encrypt files in a ransomware attack
• exfiltrate data such as confidential documents or passwords
• install a backdoor. This allows the computer to be remotely
controlled by the worm author as a "zombie”
• Networks of such machines are often referred to as botnets
HARM

Worms with good intent
A helpful worm or anti-worm is a worm designed to do something
that its author feels is helpful
Beginning with the first research into worms at Xerox PARC, there
have been attempts to create useful worms. Those worms
allowed John Shoch and Jon Hupp to test the Ethernet principles
on their network of Xerox Alto computers.
Similarly, the Nachi worms tried to download and install patches
from Microsoft's website to fix vulnerabilities in the host system
by exploiting those same vulnerabilities.

Several worms, including some XSS worms, have been written to
research how worms spread, such as the effects of changes in
social activity or user behavior
Anti-worms have been used to combat the effects of the Code
Red, Blaster, and Santy worms.
Welchia is an example of a helpful worm. Utilizing the same
deficiencies exploited by the Blaster worm, Welchia infected
computers and automatically began
downloading Microsoft security updates for Windows without the
users' consent. Welchia automatically reboots the computers it
infects after installing the updates. One of these updates was the
patch that fixed the exploit.
Other examples of helpful worms are "Den_Zuko", "Cheeze",
"CodeGreen", and "Millenium".

Types of Computer Worm
Worms
Internet
Worms
Email
Worms
File
Sharing
Worms
IRC
Worms
Instant
Messagin
g worms

Internet Worms
Computer worms do target popular websites with insufficient
security
When they manage to infect the site, internet worms can
replicate themselves onto any computer being used to access
the website in question.
From there, internet worms are distributed to other
connected computers through the internet and local area
network connections.

Email Worms
Distributed via compromised email attachments
They usually have double extensions (for example, .mp4.exe or
.avi.exe) so that the recipient would think that they are media files
and not malicious computer programs.
When the victims click on the attachment, copies of the same
infected file will automatically be sent to addresses from their
contacts list.
An email message doesn’t have to contain a downloadable
attachment to distribute a computer worm. Instead, the body of
the message might contain a link that’s shortened so that the
recipient can’t tell what it’s about without clicking on it. When they
click on the link, they will be taken to an infected website that will
automatically start downloading malicious software to their
computer. (C) Dr. Jyoti Lakhani

Instant Messaging Worms
Instant messaging worms are exactly the same as email worms, the
only difference being their method of distribution.
Once again, they are masked as attachments or clickable links to
websites. They are often accompanied by short messages like “LOL”
or “You have to see this!” to trick the victim into thinking that their
friend is sending them a funny video to look at.
When the user clicks on the link or the attachment – be it in
Messenger, WhatsApp, Skype, or any other popular messaging app
– the exact same message will then be sent to their contacts.

File-Sharing Worms
Although illegal, file-sharing and peer-to-peer file transfers are
still used by millions of people around the world. Doing so,
they are unknowingly exposing their computers to the threat
of file-sharing worms.
When the victim opens the downloaded file to view it or listen
to it, they will download the worm to their computer.
Even if it seems that users have downloaded an actual
playable media file, an executable malicious file could be
hidden in the folder and discreetly installed when the media
file is first opened.

IRC Worms
Internet Relay Chat (IRC) is a messaging app that is mostly
outdated nowadays but was all the rage at the turn of the century.
Same as with today’s instant messaging platforms, computer
worms were distributed via messages containing links and
attachments.
The latter was less effective due to an extra layer of protection
that prompted users to accept incoming files before any transfer
could take place.

Examples of Some of the most notorious Computer Worm
Jerusalem, the first known computer worm, was discovered in
1987.
The Morris Worm, launched in 1988 by Robert Morris, an
American student who wanted to discover how big the internet
really was. To do this, he launched a few dozen lines of code, but
he didn’t know that the code was riddled with bugs that would
cause a variety of problems on affected hosts. The result was
thousands of overloaded computers running on UNIX and a
financial damage ranging between $10 million and $100 million.

The Storm Worm, an email worm launched in 2007.
Victims would receive emails with a fake news report about an
unprecedented storm wave that had already killed hundreds of
people across Europe.
More than 1.2 billion of these emails were sent over the course
of ten years in order to create a botnet that would target popular
websites. Experts believe that there are still at least a million
infected computers whose owners don’t know that they are part
of a botnet.

SQL Slammer didn’t utilize any of the traditional distribution
methods. Instead, it generated a number of random IP addresses
and sent itself out to them in hopes that they weren’t protected
by antivirus software.
Soon after it hit in 2003, the result was more than 75,000 infected
computers unknowingly involved in DDoS attacks on several major
websites.

Code Red
Code Red first surfaced on 2001 and was discovered by two eEye
Digital Security employees. It was named Code Red because the
the pair were drinking Code Red Mountain Dew at the time of
discovery.
The worm targeted computers with Microsoft IIS web server
installed, exploiting a buffer overflow problem in the system. It
leaves very little trace on the hard disk as it is able to run entirely
on memory, with a size of 3,569 bytes.
Once infected, it will proceed to make a hundred copies of itself
but due to a bug in the programming, it will duplicate even more
and ends up eating a lot of the systems resources.

Melissa
Named after an exotic dancer from Florida
it was created by David L. Smith in 1999
It started as an infected Word document that was posted up on a
usenet group, claiming to be a list of passwords for pornographic
sites.
This got people curious and when it was downloaded and
opened, it would trigger the macro inside and unleash its
payload.
The virus will mail itself to the top 50 people in the user’s email
address book and this caused an increase of email traffic,
disrupting the email services of governments and corporations.

Sasser
A Windows worm first discovered in 2004, it was created by
computer science student Sven Jaschan, who also created the
Netsky worm.
it slows down and crashes the computer, while making it hard to
reset without cutting the power, the effects were incredibly
disruptive, with millions of computers being infected, and
important, critical infrastructure affected.
The worm took advantage of a buffer overflow vulnerability in
Local Security Authority Subsystem Service (LSASS), which
controls the security policy of local accounts causing crashes to
the computer.
It will also use the system resources to propagate itself to other
machines through the Internet and infect others automatically.

Conficker
Conficker is a worm of unknown authorship for Windows that
made its first appearance in 2008.
It infects computers using flaws in the OS to create a botnet.
The malware was able to infect more than 9 millions computers
all around the world, affecting governments, businesses and
individuals.
It was one of the largest known worm infections to ever
surface causing an estimate damage of $9 billion.

The worm works by exploiting a network service vulnerability that
was present and unpatched in Windows.
Once infected, the worm will then reset account lockout policies,
block access to Windows update and antivirus sites, turn off
certain services and lock out user accounts among many.
Then, it proceeds to install software that will turn the computer
into a botnet slave and scareware to scam money off the user.
Microsoft later provided a fix and patch with many antivirus
vendors providing updates to their definitions.

Mydoom
Surfacing in 2004, Mydoom was a worm for Windows that
became one of the fastest spreading email worm since
ILOVEYOU.
The author is unknown and it is believed that the creator was
paid to create it since it contains the text message, “andy; I’m
just doing my job, nothing personal, sorry,”.
It was named by McAfee employee Craig Schmugar, one of the
people who had originally discovered it. ‘mydom’ was a line of
text in the program’s code (my domain) and sensing this was
going to be big, added ‘doom’ into it.

The worm spreads itself by appearing as an email transmission
error and contains an attachment of itself.
Once executed, it will send itself to email addresses that are in a
user’s address book and copies itself to any P2P program’s folder
to propagate itself through that network.
The payload is twofold: first it opens up a backdoor to allow
remote access and second it launches a denial of service attack
It caused an estimate of $38.5 billion in damages and the worm is
still active in some form today

Ids 006 computer worms

More Related Content

What's hot

Similar to Ids 006 computer worms

More from jyoti_lakhani

Recently uploaded

Ids 006 computer worms