COMPUTER WORMS

By:

SADIQUE NAYEEM Pondicherry University

Worms

Worms: A worm is a program that uses computer networks and security holes to replicate itself. Scans the network for another machine that has a specific security hole and copies itself Use up computer processing time and network bandwidth during replication. Carry payloads that do considerable damage.

Virus v/s Worm

Virus

Worm

Attaches itself to OS or the programs

Need user action to abet their propagation.

Do not Attaches itself to OS

Self propagates across a network exploiting security in widely used servi ces. It harms the network and consumes n/ w bandwidth. Spread much more rapidly Ex. SQL Sl ammer worm 75,000 victims within ten minutes.

Damages caused is mostly local to the machine

Spread quite slowly

Mechanism of Operation

CLASSIFICATION
Target discovery Carrier Activation Payloads

I. Target Discovery

Scanning:

Scanning entails probing a set of addresses to identify vulnerable hosts. (Sequential form or Random form)

Pre- Generated Target Lists Externally Generated Target Lists

An target list maintained on a server (Metaserver)

Network-based applications always contain information about other hosts
Not positively search for victim hosts, it waiting for potential victims contact and produces no abnormal traffic More stealthy

Internal Target Lists

Passive

II. Propagation Carriers

Two basic types

Positively spread itself machine by machine(SelfCarried) Be carried along with normal communication.

Second Channel Need second communication channel Embedded Either appending to or replacing normal messages and very difficult to detect

III. Activation

Human Activation(slowest worm activation method)

Try to convince people by using social engineering techniques

Indicating urgency, Attached is an important message for you Using peoples vanity, Open this message to see who loves you

Human

Activity-Based Activation

Resetting the machine Logging in Opening a remotely infected file

Scheduled

Process Activation

Auto-updater programs Attach themselves to running services

Self

Activation(fastest worm activation)

IV. Payloads

A "payload" is code in the worm designed to do more than spread the worm.

None/nonfunctional (Morris worms) Internet Remote Control (Code Red II) Spam-Relays (Sobig.f) Internet DOS (Code Red, Yaha) Data Collection(target on sensitive data and identity theft) Data Damage(erase data) Physical-world Damage

Reflashing the BIOSs Destroying the motherboards

Work of Payloads

Delete files Encrypt files Send documents via e-mail Install a backdoor in the infected computer to allow the creation of a zombie computer under control of the worm author. Networks of such machines are often referred to as botnets.

Prevalence Table November 2011

Malware Autorun Heuristic/generic Type Worm Worm % 8.08% 5.13%

Conficker/Downadup
VB Dorkbot

Worm
Worm Worm

2.85%
2.12% 1.46%

According to VIRUS BULLETIN (www.virusbtn.com)JANUARY 2012

Motivation

experimental curiosity(Morris worms) pride extortion and criminal gain random protest political protest terrorism Cyber warfare

Morris worms

Launched on November 2, 1988 from MIT, by Robert Morris. Designed to spread on UNIX System. 6000 computers out of 60000 computers at that time (i.e 10%). The U.S. GAO(Government Accountability Office) put the cost of the damage at $10M100M.

He was convicted in the US under the 1986 Computer Fraud and Abuse Act.

Code Red

Made huge headlines in 2001. It slowed down Internet traffic when it began to replicate itself. Worm scanned the Internet for unpatched Windows NT or Windows 2000 servers. The Code Red worm had instructions to do three things: Replicate itself for the first 20 days of each month Replace Web pages featuring the message "Hacked by Chinese" Launch a concerted attack on the White House Web site.

----The U.S. government changed the IP address of www.whitehouse.gov (198.137.240.91).

Nimda

The worm was released on September 18, 2001 the Internets most widespread virus/worm within 22 minutes. Nimda affected both user workstations (clients) running Windows 95, 98, Me, NT, 2000 or XP and servers running Windows NT and 2000. Nimda spread by five different infection vectors:

via email via open network shares via browsing of compromised web sites via back doors left behind by the "Code Red II" and "sadmind/IIS" worms.

SQL Slammer worm

Starting on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within ten minutes. Although titled "SQL slammer worm", the program did not use the SQL language It exploited a buffer overflow bug in Microsoft's SQL Server Slammer's tiny (376 byte) program.

Sobig.f Worm

In late 2003, the Sobig.f worm exploited open proxy servers to turn infected machines into a spam engine. The Sobig worm appears as an electronic mail with one of the following subjects: Re: Approved, Re: Details, Re: My details, Re: Thank you!, Re: That movie etc. It will contain the text: "See the attached file for details and have attachments such as application.pif, details.pif, movie0045.pif etc. At its peak Sobig.f reportedly accounted for 1 in every 17 messages. It produced more than one million copies of itself with in the first 24 hours. It was written using the Microsoft Visual C++ compiler.

Prevention

How can I prevent virus, trojans, worms and malware from getting onto my system?

Careful web browsing E-mail safety Keep protection tools up to date

Review software being installed and monitor your childs computer usage

Current research Focus

Modelling: To model Worm propagation Scanning Techniques

Sequential Scanning Hit List Based Scanning Permutation Scanning Preferential Subnet Scanning

Propagation Mechanisms Prevention Techniques

Refrences
1. 2.

VIRUS BULLETIN (www.virusbtn.com)JANUARY 2012 A Taxonomy of Computer Worms WORM03, October 27, 2003, Washington, DC, USA. www.vxheavens.com www.wikipedia.com www.howstuffworks.com Network Security Essentials -William Stallings

3. 4. 5. 6.