Worms


A computer worm is a standalone piece of malware that replicates itself in order to spread to other computers. It usually spreads over a network, relying on security weaknesses on the target machine (an unpatched network service, a guessable password, an open file share) to gain access. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on the targeted computer.

Computer worms are sometimes classified as a sub-type of computer virus, but several characteristics set them apart from ordinary viruses. The major difference is that viruses spread through human activity (running a program, opening a file, etc.) while worms spread automatically, without any human initiation. In addition to spreading unassisted, worms self-replicate: a single infected host creates many copies of itself and sends them to other computers. A classic example is a mass-mailing worm that e-mails a copy of itself to every address in the infected user's contact list.

Spread

Many worms are designed only to spread and do not attempt to change the systems they pass through. However, as the Morris worm showed, even a worm with no deliberate payload can cause major disruption through the network traffic and host load it generates, and a mass-mailer such as Mydoom does much of its damage simply through the volume of e-mail it produces. A "payload" is code in the worm designed to do more than spread the worm: it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a ransomware attack, or send documents out via e-mail. A very common payload is a backdoor that turns the infected computer into a "zombie" under the control of the worm author. Networks of such machines are known as botnets and are commonly used by spammers to send junk e-mail or to hide the real location of their web sites behind the infected hosts. Spammers are therefore thought to be a source of funding for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks.

Worms use numerous propagation mechanisms. They reach new hosts over channels such as P2P networks, IRC, instant messaging, e-mail, web pages and shared folders, and gain execution on them through weaknesses such as buffer overflows in exposed network services or SQL injection against web applications. One of the most important channels is simply file sharing, including removable media. It is estimated that the propagation of malicious code via USB flash drives increased by 40% from the first half of 2007 to the second half of that year. On November 28, 2008, the Los Angeles Times reported that the US Department of Defense's decision to ban the use of USB drives and other removable storage devices was prompted by a significant attack by the agent.btz worm on combat-zone computers and on US Central Command, which oversees Iraq and Afghanistan. The attack is believed to have originated in Russia. While no specific details about the attack were provided, it is known that at least one highly protected classified network was affected.

Protection

There are several best practices users can follow to protect their computers from worms. Following these steps not only decreases the risk of infection, but also makes detection and removal easier if a worm does get in.

  • Keep the operating system and installed software up to date with vendor-issued security releases. These updates contain the patches for the vulnerabilities that newly discovered worms exploit; a worm that spreads through a patched service cannot get in.
  • Avoid opening e-mails that you don't recognize or expect, as many computer worms spread via e-mail.
  • Refrain from opening attachments and clicking on links from untrusted or unfamiliar sources.
  • Run a firewall and antivirus software. A host firewall blocks unsolicited inbound connections to the network services that worms exploit (for example Windows file sharing on TCP port 445), so a vulnerable service cannot be reached even before it is patched. Choose an antivirus program that includes download scanning (to detect malicious content in e-mail and web downloads) as well as malware removal tools.

Conficker.A Worm

The Conficker worm, discovered in November 2008, exploited a vulnerability in the Windows Server service that Microsoft had patched only weeks earlier (MS08-067, October 2008). Later variants added further propagation methods: copying itself to the ADMIN$ share of other hosts after guessing their passwords from a dictionary, and infecting removable drives through autorun. It ultimately evolved to use a sophisticated peer-to-peer (P2P) update mechanism as well. The malware was polymorphic, mutating its binary to escape signature-based detection. It was a well-engineered worm whose combination of exploit and feature set kept it a threat long after its discovery. The SRI International Computer Science Laboratory stated that not since the Storm worm outbreak of 2007 had a worm caused such a broad spectrum of antivirus tools to do such a consistently poor job of detecting malware binary variants. Conficker uses encryption, digital signatures and cryptographic hashes to prevent third parties from hijacking the infected hosts. At its core, the main purpose of Conficker is to provide a secure binary updating service that effectively controls millions of PCs worldwide. Because every update must carry a valid signature from the author's key, other groups cannot push code to the infected drone population, and this protection covers all of Conficker's update paths: downloads from its daily-generated Internet rendezvous domains, re-exploitation through the buffer overflow, and the later P2P control protocol. Conficker appeared in several variants (A through E), each extending the propagation and update mechanisms described here.
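The paragraph above describes why nobody but the worm's author could feed Conficker's drones new code: each update is signed, and the drone carries only the public key. The following Go program is an added illustration of that design, not code from the page or from Conficker itself; the blob layout (length header, payload, signature), the function names and the use of RSA-PSS over SHA-256 from Go's standard library are assumptions made for the example. It signs an update with the operator's key, then shows a drone accepting the genuine blob and rejecting a tampered copy, a blob signed by a different key, and a truncated blob, which is exactly what stops a sinkhole operator who controls a rendezvous domain from hijacking the botnet.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a signed update blob. Layout (assumed for this example, not
// Conficker's real format): 4-byte big-endian payload length, the payload,
// then the RSA-PSS signature over SHA-256(payload).
type Update []byte

// SignUpdate is the operator side: only the holder of the private key can
// produce a blob that drones will accept.
func SignUpdate(priv *rsa.PrivateKey, payload []byte) (Update, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	blob := make(Update, 0, 4+len(payload)+len(sig))
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(payload)))
	blob = append(blob, hdr[:]...)
	blob = append(blob, payload...)
	blob = append(blob, sig...)
	return blob, nil
}

// VerifyUpdate is the drone side, run on anything fetched from a rendezvous
// domain or received from a peer. The public key is baked into the drone, so
// whoever controls a rendezvous domain (including a sinkhole operator) still
// cannot push code without the matching private key.
func VerifyUpdate(pub *rsa.PublicKey, blob Update) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("update too short for length header")
	}
	n := binary.BigEndian.Uint32(blob[:4])
	sigLen := uint64(pub.Size())
	// Reject anything whose size disagrees with the header before touching
	// the signature, so a malformed blob can never index out of range.
	if uint64(len(blob)) != 4+uint64(n)+sigLen {
		return nil, errors.New("update length does not match header")
	}
	payload := blob[4 : 4+n]
	sig := blob[4+n:]
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature rejected: %w", err)
	}
	return payload, nil
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048) // the worm author's key pair
	intruder, _ := rsa.GenerateKey(rand.Reader, 2048) // someone who took over a rendezvous domain
	drone := &operator.PublicKey                      // the only key a drone carries

	payload := []byte("constructed sample payload: new peer list") // constructed sample input

	genuine, _ := SignUpdate(operator, payload)
	tampered := append(Update(nil), genuine...)
	tampered[5] ^= 0x01 // flip one bit inside the payload
	foreign, _ := SignUpdate(intruder, payload)
	truncated := genuine[:len(genuine)-1]

	cases := []struct {
		name string
		blob Update
	}{{"genuine", genuine}, {"tampered", tampered}, {"foreign key", foreign}, {"truncated", truncated}}
	for _, c := range cases {
		got, err := VerifyUpdate(drone, c.blob)
		fmt.Printf("%-12s accepted=%-5v payloadMatches=%-5v err=%v\n",
			c.name, err == nil, bytes.Equal(got, payload), err)
	}
}
```

The same structure also explains why the page's "buffer overflow re-exploitation" path is safe for the author: a drone that is re-exploited still runs this check on whatever it is handed, so the exploit alone is not enough to take it over.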

The far more sophisticated Stuxnet worm, discovered in 2010, used several zero-day vulnerabilities, among them a flaw in how Windows parsed shortcut (.LNK) files (MS10-046), to spread from USB drives into otherwise isolated internal networks.
