Computer worm

From Wikipedia, the free encyclopedia

[Image: Morris Worm source code disk at the Computer History Museum.]
[Image: Spread of Conficker worm.]

A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Payloads

Many worms that have been created are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, even these "payload free" worms can cause major disruption by increasing network traffic and other unintended effects. A "payload" is code in the worm designed to do more than spread the worm: it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under control of the worm author. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address. Spammers are therefore thought to be a source of funding for the creation of such worms, and the worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks.

Backdoors can be exploited by other malware, including worms. Examples include Doomjuice, which spreads better using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM software utilized by millions of music CDs prior to late 2005.

Worms with good intent

Beginning with the very first research into worms at Xerox PARC, there have been attempts to create useful worms. The Nachi family of worms, for example, tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system, by exploiting those same vulnerabilities.
In practice, although this may have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and did its work without the consent of the computer's owner or user.

Some worms, such as XSS worms, have been written for research to determine the factors of how worms spread, such as social activity and change in user behavior, while other worms are little more than a prank, such as one that sends the popular image macro of an owl with the phrase "O RLY?" to a print queue in the infected computer. Another research effort proposed what seems to be the first computer worm that operates on the second layer of the OSI model (Data Link Layer); it utilizes topology information such as Content-addressable memory (CAM) tables and Spanning Tree information stored in switches to propagate and probe for vulnerable nodes until the enterprise network is covered.

Most security experts regard all worms as malware, whatever their payload or their writers' intentions.

Protecting against dangerous computer worms

Worms spread by exploiting vulnerabilities in operating systems. Vendors with security problems supply regular security updates (see "Patch Tuesday"), and if these are installed on a machine then the majority of worms are unable to spread to it. If a vulnerability is disclosed before the security patch is released by the vendor, a zero-day attack is possible.

Users need to be wary of opening unexpected email, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end-user into running malicious code.

Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended.

In the April–June, 2008, issue of IEEE Transactions on Dependable and Secure Computing, computer scientists describe a potential new way to combat internet worms. The researchers discovered how to contain the kind of worm that scans the Internet randomly, looking for vulnerable hosts to infect. They found that the key is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans, it is a sign that it has been infected, allowing administrators to take it off line and check it for viruses.

Mitigation techniques

• ACLs in routers and switches
• Packet-filters
• Nullrouting
• TCP Wrapper/libwrap enabled network service daemons

History

The actual term "worm" was first used in John Brunner's 1975 novel, The Shockwave Rider. In that novel, Nichlas Haflinger designs and sets off a data-gathering worm in an act of revenge against the powerful men who run a national electronic information web that induces mass conformity. "You have the biggest-ever worm loose in the net, and it automatically sabotages any attempt to monitor it... There's never been a worm with that tough a head or that long a tail!"

On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate student, unleashed what became known as the Morris worm, disrupting perhaps 10% of the computers then on the Internet and prompting the formation of the CERT Coordination Center and Phage mailing list. Morris himself became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act.