Worms

Background.  In the past it was easy to distinguish between a worm and a virus.  In recent years the distinction has blurred.  You have likely noticed these sorts of blurred lines of demarcation throughout much of our discussion of malware.

One definition of a worm that comes from the White book is

A worm is a piece of software that tries to penetrate a network and/or computer system.  Once a penetration has occurred the worm propagates itself by

  • creating a new copy of itself on the penetrated system
  • working to penetrate other systems

The biggest distinction between worms and viruses is how they penetrate new systems.  Viruses need to be attached to something else to be propagated from one system to another.  Worms work autonomously to penetrate other systems.  So the big distinction can also be viewed as

  • viruses need to attach themselves to something else to survive and propagate
  • worms do not need to attach themselves to something else to survive and propagate

Some Examples.  Some examples of worms follow.

  • Morris Worm -
    • first appeared in 1988
    • inserted itself so easily into so many systems on the new Internet that it is often said to have brought the Internet to its knees
    • this worm caused the creation of the CERT - Computer Emergency Response Team Coordination Center at Carnegie Mellon University
    • it made use of several known vulnerabilities to gain access to networks and of password guessing to gain access to some accounts
    • once it penetrated a system a small bootstrap program was used to load in the rest of the worm
    • the worm had some stealth capabilities
    • at first it would not load itself on a system where it already found a copy of itself, but eventually this changed
    • eventually some systems were running so many copies of the worm that they slowed down completely, even though the worm carried no specific malicious payload
  • Nimda -
    • appeared in 2001
    • attacked known vulnerabilities in Microsoft IIS - Internet Information Server
    • implants itself on victim machines and immediately starts scanning for other vulnerabilities
    • many variants of Nimda focused much of their efforts on finding open shares on networks
    • Nimda would almost always create open network shares on penetrated machines
    • Nimda would also create a guest account with administrator privileges
    • these modifications would make penetrated machines vulnerable to just about anything a knowledgeable hacker would want to do
  • Code Red -
    • appeared in 2001
    • attacked known vulnerabilities in Microsoft IIS - Internet Information Server
    • implants itself on victim machines and immediately starts scanning for other vulnerabilities
    • Code Red II would also open up a backdoor on infected systems
    • all variants of Code Red would
      • deface web sites
      • degrade system performance and use up bandwidth
      • cause instability by spawning multiple threads
  • SQL Slammer Worm -
    • appeared in 2003
    • exploited a known buffer overflow in Microsoft's SQL Server and SQL Server Desktop Engine (MSDE)
    • it caused infected machines to generate enormous amounts of traffic when trying to reproduce itself
    • both LANs and the Internet were noticeably slowed down
  • Blaster Worm -
    • appeared in 2003
    • exploited a known buffer overflow in an RPC - Remote Procedure Call service in Microsoft's DCOM - Distributed Component Object Model
    • Blaster caused
      • instability
      • spontaneous reboots
    • it tried to actuate a DDoS attack against windowsupdate.com - which was easily thwarted
  • Sasser Worm -
    • appeared in 2004
    • exploited a known buffer overflow in Microsoft's LSASS service through port 139
    • it caused infected machines to spontaneously reboot
    • it affected a number of different networks including
      • Delta Airlines
      • Goldman Sachs
      • the British Coastguard
  • Zotob Worm -
    • appeared in 2005
    • in 2006 a Moroccan teenager was sentenced for its creation
    • exploited a known vulnerability in Microsoft's Plug-and-Play service to spread through networks
    • it affected a number of different networks including
      • CNN
        • which got it reported on live television
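
Several of the worms above (SQL Slammer most visibly) reproduce by probing one service port on as many hosts as they can reach, so a single source suddenly contacts far more distinct destinations on that port than any legitimate client would.  The following script is an added example, not code from these notes; it counts distinct destinations per source, protocol and port inside a sliding time window and raises an alert when the count crosses a threshold.  The flow records, the window length, the threshold and the SENSITIVE_PORTS labels are all constructed assumptions.

```python
"""Flag worm-like scanning fan-out in flow records (added example)."""
from collections import Counter, defaultdict

# Standard service ports the notes say to keep off the open network. The labels
# are service names only, not a claim about which worm used which port.
SENSITIVE_PORTS = {
    ("tcp", 1433): "SQL Server",
    ("udp", 1434): "SQL Server resolution service",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB",
    ("tcp", 135): "RPC endpoint mapper",
}


def constructed_flows():
    """Build constructed sample records: (timestamp_s, src_ip, dst_ip, proto, dst_port)."""
    flows = []
    # Host 10.0.0.5 sprays UDP/1434 at 30 different addresses within 1.5 seconds,
    # the traffic pattern the notes describe for SQL Slammer.
    for i in range(30):
        flows.append((100.0 + i * 0.05, "10.0.0.5", f"198.51.100.{i + 1}", "udp", 1434))
    # Host 10.0.0.7 is a legitimate application server hammering one database:
    # many flows, but only one distinct destination.
    for i in range(40):
        flows.append((100.0 + i * 0.2, "10.0.0.7", "10.0.0.10", "tcp", 1433))
    # Host 10.0.0.8 browses 25 different web sites over ten minutes: many
    # destinations in total, but never many inside one short window.
    for i in range(25):
        flows.append((100.0 + i * 30.0, "10.0.0.8", f"203.0.113.{i + 1}", "tcp", 443))
    return flows


def detect_scanners(flows, window_s=10.0, threshold=20):
    """Return alerts for sources whose distinct-destination fan-out on one
    (proto, port) reaches `threshold` inside any `window_s`-second window."""
    by_key = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        by_key[(src, proto, port)].append((ts, dst))

    alerts = []
    for (src, proto, port), events in by_key.items():
        events.sort()
        in_window = Counter()  # destinations currently inside the window, with counts
        left = 0
        peak, peak_ts = 0, None
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every counted event lies within window_s.
            while events[left][0] < ts - window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) > peak:
                peak, peak_ts = len(in_window), ts
        if peak >= threshold:
            alerts.append({
                "src": src,
                "proto": proto,
                "port": port,
                "service": SENSITIVE_PORTS.get((proto, port), "other"),
                "distinct_destinations": peak,
                "at": peak_ts,
            })
    return sorted(alerts, key=lambda a: -a["distinct_destinations"])


if __name__ == "__main__":
    for alert in detect_scanners(constructed_flows()):
        print(f"{alert['src']} reached {alert['distinct_destinations']} hosts on "
              f"{alert['proto']}/{alert['port']} ({alert['service']}) within 10 s")
```

Only the Slammer-like host is reported: the database client sends more flows in total but to a single destination, and the browsing host spreads its 25 destinations over ten minutes, so neither ever reaches 20 distinct peers inside one 10-second window.  The threshold and window are starting points to tune against a network's normal fan-out.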

 

Protection.  The single best approach to protecting your system from worms is to never download, open or install software whose source, security and integrity are uncertain.  A good up-to-date virus scanning program should help considerably with detecting known worms that have gotten installed on a system.  Such virus scanning software should also help to detect and prevent the installation of worms.

You should always do the following

  • keep patches up to date
  • eliminate unnecessary services
  • open only essential ports both inbound and outbound
  • it is very important to restrict SQL Server and NetBIOS ports so they are not exposed outside of the enterprise network
    • the following worms made use of SQL Server and NetBIOS ports
      • SQL Slammer
      • Blaster
      • Sasser
  • enforce good password security
  • utilize firewalls
  • utilize intrusion detection systems
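
The checklist above can be turned into a repeatable audit.  The following script is an added example, not code from these notes: it takes an inventory of listening sockets, decides which of them are reachable from outside the enterprise network, and reports SQL Server and NetBIOS ports that are exposed as well as any other listener that is not on the allow-list of essential services.  The LISTENERS inventory, the EXTERNAL_ADDRS set and the ALLOWED_PUBLIC allow-list are constructed assumptions; on a real host the inventory would come from the operating system's socket listing.

```python
"""Audit listening sockets against the worm-hardening checklist (added example)."""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}   # bound on every interface, public ones included
LOOPBACK_BINDS = {"127.0.0.1", "::1"}     # reachable only from the host itself

# Port groups the notes say must not be exposed outside the enterprise network.
RESTRICTED = {
    "SQL Server": {("tcp", 1433), ("udp", 1434)},
    "NetBIOS/SMB": {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)},
}

# Constructed inventory of listening sockets: (bind_address, proto, port, process).
LISTENERS = [
    ("0.0.0.0", "udp", 1434, "sqlservr"),     # SQL Server resolution bound everywhere
    ("10.0.0.10", "tcp", 1433, "sqlservr"),   # SQL Server on the internal interface only
    ("0.0.0.0", "tcp", 445, "System"),        # SMB on every interface
    ("203.0.113.10", "tcp", 139, "System"),   # NetBIOS session on the public interface
    ("0.0.0.0", "tcp", 443, "httpd"),         # the web server that is meant to be public
    ("127.0.0.1", "tcp", 5432, "postgres"),   # loopback only
    ("0.0.0.0", "tcp", 8080, "devserver"),    # forgotten test service, not on the allow-list
]
EXTERNAL_ADDRS = {"203.0.113.10"}           # constructed: the host's public-facing address
ALLOWED_PUBLIC = {("tcp", 443), ("tcp", 22)}  # constructed: the only essential public ports


def restricted_group(proto, port):
    """Return the RESTRICTED group a (proto, port) belongs to, or None."""
    for group, ports in RESTRICTED.items():
        if (proto, port) in ports:
            return group
    return None


def reachable_from_outside(bind_addr, external_addrs):
    """A socket is externally reachable if it binds all interfaces or a public one."""
    return bind_addr in WILDCARD_BINDS or bind_addr in external_addrs


def audit_listeners(listeners, external_addrs, allowed_public):
    """Return findings for exposed restricted ports and for unexpected listeners."""
    findings = []
    for bind_addr, proto, port, process in listeners:
        if bind_addr in LOOPBACK_BINDS:
            continue  # no network exposure at all
        exposed = reachable_from_outside(bind_addr, external_addrs)
        group = restricted_group(proto, port)
        if group and exposed:
            findings.append({
                "severity": "high", "proto": proto, "port": port, "process": process,
                "reason": f"{group} port reachable from outside the enterprise network; "
                          f"bind it to the internal interface or block it at the firewall",
            })
        elif not group and exposed and (proto, port) not in allowed_public:
            findings.append({
                "severity": "medium", "proto": proto, "port": port, "process": process,
                "reason": "listener not on the allow-list; remove the service or close the port",
            })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(LISTENERS, EXTERNAL_ADDRS, ALLOWED_PUBLIC):
        print(f"[{f['severity']}] {f['proto']}/{f['port']} ({f['process']}): {f['reason']}")
```

The internal-only SQL Server listener on 10.0.0.10 produces no finding because it is not reachable from outside, which is exactly the state the checklist asks for; the three wildcard or public-interface bindings of SQL Server resolution, SMB and NetBIOS session ports are the high-severity items, and the stray development server is reported as an unnecessary service to eliminate.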

More will be added.