Happy Trails Computer Club

Attacked by Worms

Internet worms

"Worms" are a highly efficient way to deliver malicious code to a large number of computers. Worms are self-replicating attack vectors, and they can carry any kind of payload. A worm uses the Internet (or another network) to look for computers that will let it in. When it finds one, it uses the newly compromised computer to look for still more vulnerable computers. Some worms multiply very rapidly this way: millions of computers can be attacked in minutes.

There's a bit of confusion in the way worms are classified. One (logical) way to define them is the way that Stuart Staniford of The Worm Information Center does.

  • If the malicious code can break into another computer and start itself running there immediately with no human intervention, then it's a worm.
  • If the malicious code gets carried around in some other content and then may or may not start running on other computers depending on when and whether humans decide to process that content, then it's a virus.

I've separated worms into system worms and email worms at times, which corresponds to the two definitions above. In other words, in the past (and at places in this website) I've called self-mailing email code a worm, while Staniford calls it a virus. He calls it that because a human must decide to open the attachment. You can take your pick of what to call them. I'm beginning to like his definitions in some contexts though. I guess I could have called them worm-like viruses.

Scanning worms

Scanning worms operate like an automated hacker. These worms scan Internet addresses looking for computers that will let them enter. (Every computer connected to the Internet, including yours when it's connected, is assigned an Internet address.) If they succeed, they set up shop in the newly infected computer and get busy scanning from it too. You can see how worms can multiply faster than rabbits.

While they're there they can do many other things. Often they create a "backdoor" that lets the worm writer find and enter the computer to use it for other nefarious purposes. If the computer is a website server, worms could install malicious webpages or deface the website. Worms can erase or corrupt the contents of hard drives. They can search for personal information. They can even ruin the BIOS so that the hardware needs to be repaired. Many times the worm master sells access through the backdoor to spammers to use for relaying email. Nasty! Firewalls and patches are the best defense against scanning worms: a firewall keeps the worm's probes from reaching a vulnerable service, and a patch removes the hole the worm is looking for. Anti-malware and antivirus vendors don't have their signature files updated during the early stages of a worm storm, so signatures alone won't protect you then.
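A scanning worm leaves a signature of its own in your firewall log long before the antivirus vendors ship one: one source address knocking on the same port of dozens of different machines within a short time. Here is an added example of picking that pattern out of a log (this is my illustration, not code from the page or from any worm or firewall product). The log lines are constructed to look like Linux iptables/netfilter DROP messages; the hosts, addresses, timestamps and the "8 distinct targets in 60 seconds" threshold are all made-up assumptions for the demonstration.

```python
"""Spot scanning-worm behaviour in firewall drop logs (added example).

Assumptions: the log uses the netfilter "SRC= DST= PROTO= DPT=" fields,
the worm probes one port across many hosts, and a source that reaches
min_targets distinct destinations on one port within window_seconds is
worth investigating. All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime


def _line(sec, src, dst, dpt, proto="TCP"):
    """Build one constructed netfilter-style DROP log line."""
    return (f"Aug 12 10:00:{sec:02d} fw kernel: DROP IN=eth0 OUT= "
            f"SRC={src} DST={dst} PROTO={proto} SPT=3104 DPT={dpt}")


# Constructed sample log:
#  - 10.0.0.7 hits TCP/445 on 20 different neighbours in 20 seconds (worm-like)
#  - 10.0.0.9 talks to its mail and web servers a few times (ordinary)
#  - one ICMP line with no DPT, to show the parser tolerates it
SAMPLE_LOG = "\n".join(
    [_line(i, "10.0.0.7", f"192.168.1.{i + 1}", 445) for i in range(20)]
    + [_line(i * 5, "10.0.0.9", "192.168.1.25", 25) for i in range(4)]
    + [_line(i * 7, "10.0.0.9", "192.168.1.80", 80) for i in range(3)]
    + ["Aug 12 10:00:30 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.9 "
       "DST=192.168.1.1 PROTO=ICMP TYPE=8"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not a drop record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; fine for differences within a day
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def find_scanners(log_text, min_targets=8, window_seconds=60):
    """Map (src, proto, dpt) -> most distinct destination hosts probed
    within any window_seconds span, for sources at or above min_targets."""
    events = defaultdict(list)  # (src, proto, dpt) -> [(ts, dst), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dpt"] is not None:
            events[(ev["src"], ev["proto"], ev["dpt"])].append((ev["ts"], ev["dst"]))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            seen = set()
            for ts, dst in evs[i:]:  # slide a window forward from each event
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= min_targets:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (src, proto, dpt), n in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {n} hosts on {proto}/{dpt} -- scanning worm?")
```

Tune the threshold to your own network: a mail server legitimately talks to many hosts on port 25, so you would exempt it or raise its limit, while a workstation that suddenly reaches twenty neighbours on port 445 is almost certainly infected. Lines the firewall accepted rather than dropped matter just as much, since those are the probes that got through.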

Lifecycle of an email worm

The worm writer launches the worm by attaching it to an enticing email message and sending it to a bunch of addresses -- probably via a computer that lets him hide his real address. A few of the people who receive the message open the attachment. The attachment contains malicious code that, for example, installs a Trojan horse.

Next, the code plunders the victim's address book, picking both "From:" and "To:" addresses at random. Using these addresses, the worm emails itself from the computer, often using its own built-in email program.

This cycle repeats itself until there are millions of these worms unleashed around the world via the Internet. Eventually people wake up, the worm is contained (but often never goes completely away) and finally becomes yesterday's worm. By this time several new worms have been launched.

If your address happens to be in the victim's address book, one or more of the messages may appear to come from you. You may eventually get an irate reply from someone who thinks you sent them the worm that infected their computer.

Common sense is the best defense against email worms because they rely on deception for propagation: nothing runs until someone opens the attachment. Antivirus and anti-malware software are a good backup defense against email worms. They are fairly useless during the first days of any new worm outbreak, email or scanning, because there hasn't been time to update their malware signature files.
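Because the worm fills in the From line from somebody else's address book, a filter that trusts the sender is no filter at all. What you can check is the attachment itself. The following is an added example of that kind of triage (my illustration, not code from the page or from any mail product): it looks at the attachment's final file extension, including the "photo.jpg.pif" and "readme.txt      .exe" tricks, and at the first two bytes of the file, since a Windows executable starts with "MZ" no matter what it is named. The three messages and the extension list are constructed for the demonstration and are not complete.

```python
"""Attachment triage for e-mail worms (added example, not the page's code).

Assumptions: the mail is available as raw bytes, the worm's payload is a
Windows executable, and an executable arriving as an attachment is worth
quarantining regardless of who the From line claims sent it. The sample
messages are constructed here with the standard library.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when double-clicked. Illustrative, not complete.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js"}


def suspicious_extension(filename):
    """True if the *final* extension is executable. rstrip() defeats the
    'readme.txt<many spaces>.exe' trick; rsplit takes the last extension so
    'photo.jpg.pif' is caught while 'setup.exe.txt' is not (it will not run)."""
    name = filename.lower().rstrip()
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in EXECUTABLE_EXTS


def looks_like_windows_exe(data):
    """DOS/PE executables begin with the 'MZ' magic, whatever the name says."""
    return data[:2] == b"MZ"


def triage(raw_bytes):
    """Return [(filename, reason), ...] for attachments that should be held."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if suspicious_extension(name):
            findings.append((name, "executable file extension"))
        elif looks_like_windows_exe(data):
            findings.append((name, "Windows executable disguised under a harmless name"))
    return findings


def build_message(sender, subject, body, attach_name=None, attach_data=None):
    """Construct a sample message; bytes attachments go as application/octet-stream."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name is not None:
        if isinstance(attach_data, bytes):
            m.add_attachment(attach_data, maintype="application",
                             subtype="octet-stream", filename=attach_name)
        else:
            m.add_attachment(attach_data, filename=attach_name)
    return m.as_bytes()


# Constructed samples. The fake executable is just an MZ header plus padding.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60

# Worm-style: From is a real friend's address lifted from someone's address book.
WORM_MESSAGE = build_message("friend@example.org", "Re: your details",
                             "See the attached file for details.",
                             "your_details.pif", FAKE_EXE)
# Same payload, innocent-looking name; only the magic bytes give it away.
DISGUISED_MESSAGE = build_message("accounts@example.org", "Invoice",
                                  "Invoice attached.", "invoice.txt", FAKE_EXE)
# Ordinary message with a plain-text attachment.
BENIGN_MESSAGE = build_message("colleague@example.org", "Q3 report",
                               "Numbers attached.", "report.txt",
                               "quarterly numbers\n")

if __name__ == "__main__":
    for label, raw in [("worm", WORM_MESSAGE), ("disguised", DISGUISED_MESSAGE),
                       ("benign", BENIGN_MESSAGE)]:
        print(label, "->", triage(raw) or "clean")
```

Notice that none of the checks look at the From line at all. That is deliberate: a spoofed sender address tells you nothing about the message, while the attachment's content tells you what will happen if it is opened. Real filters also look inside archives, since worms soon learned to hide the executable in a ZIP file to get past exactly this kind of extension check.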

Example of an email worm

Excerpt from one of Brian Livingston's newsletters that illustrates the chaos, confusion and consternation that Internet worms cause:

SEPTEMBER 3, 2003 - Issue 13

You can't trust that From line

The continuing rampage of the SoBig virus, the most widespread e-mail virus in history, has already resulted in more than 100 million bogus messages being sent around the world, according to security experts. SoBig, like many viruses, reads through people's e-mail address books. It then inserts random addresses into the From line of each outgoing message to make it appear to be coming from a person that it's not.

I was horrified when I realized that PC users might receive bogus e-mail messages that appeared to be sent from me. Because I'm in so many people's address books, at the height of the attack I myself was receiving more than 500 copies of SoBig messages a day. I easily filtered these out without harm, but I could see that one of my BrianLivingston.com addresses had received a virus that had supposedly been sent from one of my own BriansBuzz.com addresses! (It hadn't been.)

If you ever receive a virus or a piece of spam that claims to have been sent from one of my addresses, please don't assume it had anything to do with me. My privacy guarantee assures you that I'll never sell, trade, or give away your address or use it for any purpose other than sending newsletter updates. But I can't stop viruses from impersonating my address or anyone else's. To my readers' credit, no one has ever written to accuse me of sending this junk, even though (by chance) many, many people must have seen my return address on a bogus message. I appreciate your understanding, if this ever happens to you. --Brian Livingston


http://www.networm.org/faq/ -- the Worm FAQ (frequently asked questions) -- the mother lode of worm information

http://www.uksecurityonline.com/threat/worms.php -- excellent article on worms at UK Security Online

"Never underestimate the power of human stupidity." -- Sam Spade