Internet worms
Worms are a highly efficient way to deliver malicious code to a large number of computers. A worm is a self-replicating attack vector, and it can carry any kind of payload. Worms use the Internet (or other networks) to look for computers that will let them in. When they find one, they use the newly compromised computer to look for more vulnerable computers. Some worms multiply very rapidly this way: millions of computers can be attacked in minutes.
There's a bit of confusion in the way worms are classified. One (logical) way to define them is the way that Stuart Staniford of The Worm Information Center does:
- If the malicious code can break into another computer and start itself running there immediately, with no human intervention, then it's a worm.
- If the malicious code gets carried around in some other content and then may or may not start running on other computers depending on when and whether humans decide to process that content, then it's a virus.
I've separated worms into system worms and email worms at times, which corresponds to the two definitions above. In other words, in the past (and at places in this website) I've called self-mailing email code a worm while Staniford calls it a virus. He calls it that because a human must decide to open the attachment. You can take your pick of what to call them. I'm beginning to like his definitions in some contexts, though. I guess I could have called them worm-like viruses.
Scanning worms
Scanning worms operate like an automated hacker. These worms scan Internet addresses looking for computers that will let them enter. (Every computer connected to the Internet, including yours while it's connected, has an Internet address.) If they succeed, they set up shop in the newly infected computer and get busy scanning from it too. You can see how worms can multiply faster than rabbits: every infected machine becomes one more scanner.
While they're there they can do many other things. Often they create a "backdoor" that lets the worm writer find and enter the computer to use it for other nefarious purposes. If the computer is a website server, worms could install malicious webpages or deface the website. Worms can erase or corrupt the contents of hard drives. They can search for personal information. They can even ruin the BIOS so that the hardware needs to be repaired. Many times the worm master sells access through the backdoor to spammers to use for relaying email. Nasty!
Firewalls and patches are the best defense against scanning worms: a firewall that blocks the port the worm probes means the scan never reaches the vulnerable service, and a patch removes the vulnerability the worm exploits.
Anti-malware and antivirus vendors don't get their signature files updated during the early stages of a worm storm, so signature-based scanners are of little help until the worm has already spread.
Lifecycle of an email worm
The worm writer launches the worm by attaching it to an enticing email message and sending it to a bunch of addresses, probably via a computer that lets him hide his real address. A few of the recipients open the attachment. The attachment contains malicious code that, for example, installs a Trojan horse.
Next, the code harvests the victim's address book, picking both the "From:" and "To:" addresses at random from it. Using these addresses, the worm emails itself from the computer, often using its own built-in email engine rather than the victim's mail program.
This cycle repeats itself until there are millions of these worms unleashed around the world via the Internet. Eventually people wake up, the worm is contained (but often never goes completely away) and finally becomes yesterday's worm. By this time several new worms have been launched.
If your address happens to be in the victim's address book, one or more of the messages may appear to come from you. You may eventually get an irate reply from someone who thinks you sent them the worm that infected their computer.
Common sense is the best defense against email worms because they rely on deception to propagate: the worm can't run until someone opens the attachment. Antivirus and anti-malware software are a good backup defense against email worms, but they are fairly useless during the early days of a new worm's outbreak, whether scanning or email, because there hasn't been time to update their malware signature files.
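The lifecycle above leaves two traces that a mail gateway can check without a signature: the executable the worm carries, and a "From:" line that was picked from a harvested address book rather than set by the server that actually handed the message over. The following is an added example, not code from this page or from any mail product. It assumes the gateway's own MTA wrote the topmost Received: header (so the bracketed IP in it is trustworthy), and the `LEGITIMATE_SENDERS` table is a hard-coded stand-in for the per-domain sender data that SPF later formalised. Both messages are constructed for illustration.

```python
"""Gateway-style checks for the email-worm pattern (added example).

Assumption: our own MTA wrote the topmost Received: header, so the IP in it
is the real delivering host. LEGITIMATE_SENDERS is a constructed stand-in
for real sender data. Both sample messages are constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows executes on double-click; worms favour the less obvious ones.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable

# Constructed: which delivering IPs may hand us mail claiming to be From: a domain.
LEGITIMATE_SENDERS = {"example.org": {"203.0.113.10"}}


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """Bracketed IP in the topmost Received: header, i.e. the host that
    delivered the message to us (written by our MTA, not by the sender)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    return match.group(1) if match else None


def spoofed_from(msg):
    """True when From: names a domain we know but the delivering host is not
    one of that domain's mail servers. A harvested address book produces
    exactly this mismatch; unknown domains get no verdict."""
    allowed = LEGITIMATE_SENDERS.get(domain_of(msg["From"]))
    ip = connecting_ip(msg)
    return allowed is not None and ip is not None and ip not in allowed


def attachment_findings(part):
    """Findings for one attachment: executable extension, double extension
    (photo.jpg.pif), or a PE header hiding behind an innocent name."""
    findings = []
    name = (part.get_filename() or "").lower()
    suffixes = re.findall(r"\.[a-z0-9]+", name)
    if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment {name}")
        if len(suffixes) >= 2:
            findings.append(f"double extension {name}")
    if part.get_content()[:2] == PE_MAGIC:
        findings.append(f"Windows executable header inside {name or 'unnamed part'}")
    return findings


def scan_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if spoofed_from(msg):
        findings.append(f"From: claims {domain_of(msg['From'])} "
                        f"but was delivered by {connecting_ip(msg)}")
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part))
    return findings


def build_message(from_addr, delivered_by_ip, to_addr, filename, content):
    """Construct a sample message as our MTA would have stored it (illustration only)."""
    msg = EmailMessage()
    msg["Received"] = (f"from unknown ([{delivered_by_ip}]) by mx.example.net "
                       f"with ESMTP; Wed, 3 Sep 2003 10:00:00 +0000")
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "Re: details"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(content, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: a worm-style message and a legitimate one.
WORM_SAMPLE = build_message("alice@example.org", "198.51.100.7", "carol@example.net",
                            "details.jpg.pif", PE_MAGIC + b"\x90" * 64)
CLEAN_SAMPLE = build_message("alice@example.org", "203.0.113.10", "carol@example.net",
                             "report.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for label, raw in (("worm-style", WORM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, scan_message(raw) or ["no findings"])
```

The sender check is deliberately conservative: mailing lists and forwarders also produce From: lines that don't match the delivering host, so it only speaks for domains it has data on, and it is a reason to quarantine rather than a verdict on its own. The attachment checks are the part that does not depend on any external data, and the PE-header check is what catches a worm that renames its executable to something harmless.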
Example of an email worm
Excerpt from one of Brian Livingston's newsletters that illustrates the chaos, confusion and
consternation that Internet worms cause:
SEPTEMBER 3, 2003 - Issue 13
You can't trust that From line
The continuing rampage of the SoBig virus,
the most widespread e-mail virus in history,
has already resulted in more than 100 million
bogus messages being sent around the world,
according to security experts. SoBig, like
many viruses, reads through people's e-mail
address books. It then inserts random addresses
into the From line of each outgoing message
to make it appear to be coming from a person
that it's not.
I was horrified when I realized that PC users
might receive bogus e-mail messages that
appeared to be sent from me. Because I'm
in so many people's address books, at the
height of the attack I myself was receiving
more than 500 copies of SoBig messages a
day. I easily filtered these out without
harm, but I could see that one of my BrianLivingston.com
addresses had received a virus that had supposedly
been sent from one of my own BriansBuzz.com
addresses! (It hadn't been.)
If you ever receive a virus or a piece of
spam that claims to have been sent from one
of my addresses, please don't assume it had
anything to do with me. My privacy guarantee
assures you that I'll never sell, trade,
or give away your address or use it for any
purpose other than sending newsletter updates.
But I can't stop viruses from impersonating
my address or anyone else's. To my readers'
credit, no one has ever written to accuse
me of sending this junk, even though (by
chance) many, many people must have seen
my return address on a bogus message. I appreciate
your understanding, if this ever happens
to you. --Brian Livingston
Resources
http://www.networm.org/faq/ -- the Worm FAQ (frequently asked questions) -- the mother lode of worm information
http://www.uksecurityonline.com/threat/worms.php -- excellent article on worms at UK Security Online