Computer worm

From Wikipedia, the free encyclopedia

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

Contents 1 Naming and history 2 Types of computer worms 3 Payloads 4 Worms with good intent 5 Protecting against Dangerous computer worms 6 Mitigation techniques 7 See also 8 References 9 External links

[edit] Naming and history

The name 'worm' comes from The Shockwave Rider, a science fiction novel published in 1975 by John Brunner. Researchers John F Shoch and Jon A Hupp of Xerox PARC chose the name in a paper published in 1982; The Worm Programs, Comm ACM, 25(3):172-180, 1982), and it has since been widely adopted.

The first implementation of a worm was by these same two researchers at Xerox PARC in 1978.^[1] Shoch and Hupp originally designed the worm to find idle processors on the network and assign them tasks, sharing the processing load, and so improving the 'CPU cycle use efficiency' across an entire network. They were self-limited so that they would spread no farther than intended. ^[2]

Though it was technically a Trojan horse, the Christmas Tree EXEC Worm was likely the first worm on a worldwide network, spreading across both IBM's own international network and BITNET in December 1987, bringing both networks to their knees.

An early worm on the Internet, and the first to attract wide attention, was the Morris worm. It was also termed 'The Internet Worm' by Peter Denning in an article in American Scientist (March-April, 1988) in which he distinguished between a virus and a worm, thereby becoming an early computer zoologist. His definition was more restricted than that of some other computer zoologists of the time (McAfee and Haynes, Computer Viruses, Worms, Data Diddlers, ..., St Martin's Press, 1989). The Morris worm was written by Robert Tappan Morris, at the time a computer science graduate student at Cornell University, and released on November 2, 1988 using a friend's account on a Harvard University computer. It quickly infected large numbers of computers attached to the Internet and caused massive disruption. That it didn't spread even farther and cause more trouble is largely due to some errors in its implementation. It propagated via several bugs in BSD Unix and related systems, and its component programs (including several versions of 'sendmail'). Morris was identified, confessed, and was later convicted under the US Computer Crime and Abuse Act. He received three years probation, 400 hours community service and a fine in excess of $10,000.

[edit] Types of computer worms

Email Worms Spread via email messages. Typically the worm will arrive as email, where the message body or attachment contains the worm code, but it may also link to code on an external website. Poor design^[3] aside, most email systems require the user to explicitly open an attachment to activate the worm, but "social engineering" can often successfully be used to encourage this; as the author of the "Anna Kournikova" worm set out to prove^[4]. Once activated the worm will send itself out using either local email systems (e.g. MS Outlook services, Windows MAPI functions), or directly using SMTP. The addresses it sends to are often harvested from the infected computers email system or files. Since Klez.E in 2002^[5], worms using SMTP typically fake the sender's address, so recipients of email worms should assume that they are not sent by the person listed in the 'From' field of e-mail message (sender's address).

Instant messaging worms The spreading used is via instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these and email worms is the way chosen to send the links.

IRC worms Chat channels are the main target and the same infection/spreading method is used as above — sending infected files or links to infected websites. Infected file sending is less effective as the recipient needs to confirm receipt, save the file and open it before infection will take place.

File-sharing networks worms Copies itself into a shared folder, most likely located on the local machine. The worm will place a copy of itself in a shared folder under a harmless name. Now the worm is ready for download via the P2P network and spreading of the infected file will continue.

Internet worms Those which target low level TCP/IP ports directly, rather than going via higher level protocols such as email or IRC. A classic example is "Blaster" which exploited a vulnerability in Microsoft's RPC. An infected machine aggressively scans random ^[6] computers on both its local network^[7] and the public Internet attempting an exploit against port 135 which, if successful, spreads the worm to that machine.

[edit] Payloads

Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm, and Mydoom showed, the network traffic and other unintended effects can often cause major disruption. A "payload" is code designed to do more than spread the worm - it might delete files on a host system (eg the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" under control of the worm author - Sobig and Mydoom are examples which created zombies. Network of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address.^[8] Spammers are therefore thought to be a source of funding for the creation of such worms ^{[9] [10]}, and worm writers have been caught selling lists of IP addresses of infected machines.^[11] Others try to blackmail companies with threatened DoS attacks.^[12]]

Backdoors, however they may be installed, can be exploited by other malware, including worms. Examples include Doomjuice, which spreads using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit backdoor installed by the Sony/BMG DRM software utilized by millions of music CDs prior to late 2005.

[edit] Worms with good intent

Whether worms can be useful is a common conundrum amongst theorists in computer science and artificial intelligence, beginning with the very first research into them at Xerox PARC. The Nachi family of worms, for example, tried to download then install patches from Microsoft's website to fix various vulnerabilities in the host system—the same vulnerabilities the Nachi worm itself exploited. This eventually made the systems affected more secure, but generated considerable network traffic (sometimes more traffic than the worms they were protecting against), rebooted the machine in the course of patching it, and, most importantly, did its work without the explicit consent of the computer's owner or user. As such, most security experts regard worms as malware, whatever their payload or their writers' intentions.

[edit] Protecting against Dangerous computer worms

Worms mainly spread by exploiting vulnerabilities in operating systems, or by tricking users to assist them.

All vendors supply regular security updates^[13] (see "Patch Tuesday"), and if these are installed to a machine then the majority of worms are unable to spread to it. If a vendor acknowledges a vulnerability but has yet to release a security update to patch it a zero day exploit is possible, but these are relatively rare.

Users need to be wary of opening unexpected email, and certainly should not run attached files or programs, or visit web sites that such emails link to. However, as the ILOVEYOU showed long ago, and phishing attacks continue to prove, tricking a percentage of users will always be possible.

Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days.

[edit] Mitigation techniques

• TCP Wrapper/libwrap enabled network service daemons
• ACLs in routers and switches
• Packet-filters

[edit] See also

• Timeline of notable computer viruses and worms
• Spam
• Spy software

[edit] References

1. ^ http://www.parc.xerox.com/about/history/default.html
2. ^ Worm (Tapeworm) - The first description of a set of computer codes that moves from one computer to another on a network as a coherent entity.
3. ^ http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx
4. ^ http://www.wired.com/news/technology/0,1282,41782,00.html
5. ^ F-Secure Virus Descriptions: Klez.E
6. ^ http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99&tabid=2
7. ^ http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99&tabid=2
8. ^ http://seattletimes.nwsource.com/html/businesstechnology/2001859752_spamdoubles18.html
9. ^ http://www.wired.com/news/business/0,1367,60747,00.html
10. ^ http://www.channelnewsasia.com/stories/afp_world/view/68810/1/.html
11. ^ http://www.heise.de/english/newsticker/news/44879
12. ^ http://news.bbc.co.uk/1/hi/technology/3513849.stm
13. ^ [1]

[edit] External links

• The Wildlist - List of viruses and worms 'in the wild' (i.e. regularly encountered by anti-virus companies)
• Worm parasites - Listed worm descriptions and removal tools.
• Jose Nazario discusses worms - Worms overview by a famous security researcher.
• Computer worm suspect in court
• Vernalex.com's Malware Removal Guide - Guide for understanding, removing and preventing worm infections
• John Shoch, Jon Hupp "The "Worm" Programs - Early Experience with a Distributed Computation"
• RFC 1135 The Helminthiasis of the Internet
• Surfing Safe - A site providing tips/advice on preventing and removing viruses.
• Computer Worms Information
• The Case for Using Layered Defenses to Stop Worms David Albanese, Michael Wiacek, Christopher Salter, Jeffrey Six 2004