By: Serafin Sanchez 2/11/08
A computer worm is a self-replicating computer program. It uses a network or the internet to send copies of itself to other computers and it may do so without any user intervention.
Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended effects can often cause major disruption. A payload is code designed to do more than spread the worm, it might delete files on a host system or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a zombie under control of the worm author. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address. Spammers are therefore thought to be a source of funding for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks.
Most security experts regard all worms as malware, whatever their payload or their writers' intentions.
Users need to be wary of opening unexpected email, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end-user into running a malicious code.
Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended.
A lot of modern worms use email spoofing when they send themselves from an infected computer. This spoofing tactic has led to a great deal of finger pointing and confusion among Internet users. Because of spoofing, it may appear that person A sent person B a worm-infected email when this was not the case. Thus, spoofing increases the negative impact of worm outbreaks because it leads to unfair accusations, misdirected warnings, and the erroneous blacklisting of email addresses.
Simply put, spoofing as it relates to worm dissemination, works like this:
Someone who has your email address stored somewhere on her or his computer becomes infected by a worm that uses spoofing.
The worm searches for email addresses on the infected computer and sends itself to them.
The worm inserts one of the email addresses it finds in the "From:" field of the virus emails it sends. In other words, it may use your address in the "From:" field, which tricks unwary recipients into thinking that the virus came from your computer.
Thus, even though you may practice safe computing and have a worm-free machine, you may be unfairly accused of spreading the infection. Meanwhile, the actual sender may remain unaware that his or her machine is infected. If you are unfairly accused:
If you receive a worm-infected email, don't immediately fire off an email that accuses the apparent sender of sending you the worm. If possible, look up information about the worm on an anti-virus website and try to determine if the worm is one that uses spoofing. You may also be able to verify the actual sender by checking the headers of the email carrying the worm.
You can help to reduce the impact of worm outbreaks by being aware of this spoofing issue and informing others where necessary.
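A check of the Received: chain, as described above, written as an added example rather than code from the original article; the message, hosts and addresses are constructed, and the analyze function and its heuristic are my own assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (every host and address is made up): the "From:" carries a
# harvested example.org address, but the earliest Received: line shows the
# message was handed straight to the recipient's mail server by a home PC on an
# ISP network, as a worm with its own SMTP engine would do.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (localhost [127.0.0.1])
\tby imap.example.net with ESMTP id B17; Mon, 11 Feb 2008 10:15:02 +0000
Received: from alice-pc (dsl-203-0-113-55.isp.invalid [203.0.113.55])
\tby mail.example.net with SMTP id A42; Mon, 11 Feb 2008 10:14:58 +0000
From: Alice <alice@example.org>
To: bob@example.net
Subject: Your document

See the attached file.
"""

# "from <HELO name> (<reverse DNS> [<ip>])" as written by most relays
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]\)")

def originating_hop(msg):
    """Each relay prepends its own Received: line, so the last one in the list
    is the earliest hop and names the host that really submitted the message."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", received[-1]))
    return m.groupdict() if m else None

def analyze(raw):
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    hop = originating_hop(msg) or {}
    rdns = (hop.get("rdns") or "").lower()
    # Heuristic: a submitting host outside the From: domain suggests the
    # address was borrowed. Mail relayed through a third-party provider trips
    # this too, so it is a reason to look closer, not proof of spoofing.
    same_domain = rdns == from_domain or rdns.endswith("." + from_domain)
    suspicious = bool(hop) and not same_domain
    return {"from": from_addr, "origin_ip": hop.get("ip"),
            "origin_host": rdns or None, "helo": hop.get("helo"),
            "spoof_suspected": suspicious}

if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE))
```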
Many of the worms which managed to cause significant outbreaks use more than one propagation method as well as more than one infection technique. The methods are listed separately below.
Email worms spread via infected email messages. The worm may be in the form of an attachment or the email may contain a link to an infected website. However, in both cases email is the vehicle.
In the first case the worm will be activated when the user clicks on the attachment. In the second case the worm will be activated when the user clicks on the link leading to the infected site.
Email worms normally use one of the following methods to spread:
Direct connection to SMTP servers using an SMTP API library coded into the worm
MS Outlook services
Windows MAPI functions
Email worms harvest email addresses from victim machines in order to spread further. Worms use one or more of the following techniques:
Scanning the local MS Outlook address book
Scanning the WAB address database
Scanning files with appropriate extensions for email address-like text strings
Sending copies of itself to all mail in the user's mailbox (worms may even 'answer' unopened items in the inbox)
While these techniques are the most common, some worms even construct new sender addresses based on lists of possible names combined with common domain names.
Instant Messaging worms (ICQ and MSN) have a single propagation method. They spread using instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these worms and email worms which send links is the medium chosen to send the links.
Internet worms - virus writers use other techniques to distribute computer worms, including:
Copying the worm to networked resources
Exploiting operating system vulnerabilities to penetrate computers and/or networks
Penetrating public networks
Piggy-backing: using other malware to act as a carrier for the worm.
In the first case, the worms locate remote machines and copy themselves into folders which are open for read and write functions. These network worms scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines. They will then attempt to connect to these machines and gain full access to them.
In the second case, the worms scan the Internet for machines that have not been patched and whose operating systems have critical vulnerabilities still open to exploitation. The worm sends data packets or requests which install either the entire body of the worm or a section of the worm's code containing downloader functionality. If this code is successfully installed, the main worm body is then downloaded. In either case, once the worm is installed it will execute its code and the cycle continues.
Worms that use Web and FTP servers fall into a separate category. Infection is a two-stage process. These worms first penetrate service files on the file server, such as static web pages. Then the worms wait for clients to access the infected files and attack individual machines. These victim machines are then used as launch pads for further attacks.
Some virus writers use worms or Trojans to spread new worms. These writers first identify Trojans or worms that have successfully installed backdoors on victim machines. In most cases this functionality allows the master to send commands to the victim machine: such zombies which have backdoors installed can be commanded to download and execute files - in these cases, copies of the new worm.
Many worms use two or more propagation methods in combination, in order to more efficiently penetrate potential victim machines.
IRC worms target chat channels, although to date IRC worms have been detected. IRC worms also use the propagation methods listed above - sending links to infected websites or infected files to contacts harvested from the infected user. Sending infected files is less effective, as the recipient needs to confirm receipt, save the file and open it before the worm is able to penetrate the victim machine.
File-sharing Networks or P2P Worms
P2P worms copy themselves into a shared folder, usually located on the local machine. Once the worm has successfully placed a copy of itself under a harmless name in a shared folder, the P2P network takes over: the network informs other users about the new resource and provides the infrastructure to download and execute the infected file.
More complex P2P worms imitate the network protocol of specific file-sharing networks: they respond affirmatively to all requests and offer infected files containing the worm body to all comers.
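A defender-side check for the disguise described above (a worm copy placed under a harmless name in a shared folder), added here as an example and not code from the original article; the extension lists, the sample files written by build_sample_share and the function names are assumptions for this example.

```python
import os
import tempfile

# Extensions a worm would borrow so its copy looks like ordinary shared content
# (an assumed list for this example), and extensions Windows will execute.
HARMLESS_EXTS = {".mp3", ".jpg", ".avi", ".txt", ".pdf", ".zip"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
# Leading bytes of common executable formats (standard magic numbers).
EXEC_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}

def executable_kind(path):
    """Return a description if the file content starts like an executable."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def find_disguised_executables(folder):
    """Walk a shared folder and flag files whose name promises media or a
    document but whose content, or hidden final extension, is executable."""
    hits = []
    for root, _, names in os.walk(folder):
        for name in names:
            path = os.path.join(root, name)
            stem, ext = os.path.splitext(name.lower())
            inner_ext = os.path.splitext(stem)[1]   # e.g. ".zip" in album.zip.exe
            kind = executable_kind(path)
            if ext in HARMLESS_EXTS and kind:
                hits.append((name, "content is a %s" % kind))
            elif ext in EXEC_EXTS and inner_ext in HARMLESS_EXTS:
                hits.append((name, "double extension hides %s" % ext))
    return sorted(hits)

def build_sample_share(folder):
    """Write constructed files: one genuine-looking mp3 and two decoys."""
    samples = {
        "song.mp3": b"ID3\x03\x00\x00\x00",          # starts like a real mp3
        "movie.avi": b"MZ\x90\x00" + b"\x00" * 16,  # executable under a media name
        "album.zip.exe": b"MZ\x90\x00",             # executable hidden by a double extension
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)

def demo():
    """Build the constructed share in a temporary folder and scan it."""
    folder = tempfile.mkdtemp(prefix="share_")
    build_sample_share(folder)
    return find_disguised_executables(folder)

if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```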