Cyber-Security:

Worms

Worms were invented as a curiosity and have even been suggested as ways of testing networks or distributing software patches across a network; however, their drawbacks far outweigh their benefits. Even the most 'benign' worm consumes resources and can affect the performance of a computer system.

Worms are not computer viruses - they are a different form of malware. They have been around even longer than viruses, all the way back to mainframe days. Like viruses, they are a type of self-replicating malware - designed to make copies of themselves - but unlike a virus, a worm is a standalone application.

Email brought them into fashion in the late 1990s, and for nearly a decade, computer security officers in companies, schools and organisations were besieged by malicious worms that arrived as message attachments.

One person would open a 'wormed email' and in a short time the entire company would be infected - as the organisation's system would pass the worm onto the pendrives of all users - thereby taking it to employees' homes too.

What makes an effective worm so devastating is its ability to spread without end-user action.

Viruses, by contrast, require that an end-user at least kick them off before they can try to infect other innocent files and users.

Worms use other files and programs to do their dirty work. For example, the SQL Slammer worm used a (patched) vulnerability in Microsoft SQL to trigger buffer overflows on nearly every unpatched SQL server connected to the internet in about 10 minutes, a speed record that still stands today.

The distinctive trait of the computer worm is that it's self-replicating.

Take the notorious 'Iloveyou' worm: When it first went off, it hit nearly every email user in the world, overloaded phone systems (with fraudulently sent texts), brought down television networks, and even delayed my daily afternoon paper for half a day.

Several other worms, including SQL Slammer and MS Blaster, ensured the worm's place in computer security history.

How do worms 'spread'?

Worms spread through network connections, accessing uninfected machines and then hijacking their resources to transmit yet more copies across the network.

There are four stages in a worm attack:

Stage I: the worm probes other machines, looking for a vulnerability that it can exploit to copy itself onto them.

Stage II: the worm penetrates the vulnerable machine by performing the operations necessary to exploit the vulnerability. For example, the worm might detect an open network connection, through which it can get the remote machine to execute arbitrary instructions.

Stage III: the worm downloads itself onto the remote machine, and stores itself there. (This is often called the 'persist' stage).

Stage IV: the worm propagates itself by picking new machines to attempt to probe.
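
The probing in Stage I and Stage IV is also what makes a worm visible on the network: an infected host contacts many different machines on the same port in a short time. The following added example (not from the original page) flags that pattern in flow records; the record layout, the sample addresses and port, and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 behaves like a probing host; 10.0.0.9 is an ordinary client.
SAMPLE_FLOWS = (
    [(100 + i, "10.0.0.5", f"192.0.2.{i + 1}", 1434) for i in range(12)]
    + [(100, "10.0.0.9", "192.0.2.50", 443),
       (104, "10.0.0.9", "192.0.2.50", 443),
       (109, "10.0.0.9", "192.0.2.51", 443)]
)


def find_probing_hosts(flows, window=10, threshold=8):
    """Flag sources that contact many distinct hosts on one port quickly.

    Returns {(src_ip, dst_port): peak_fanout} for every source that reached
    at least `threshold` distinct destinations on the same port within any
    `window`-second span. Both limits are assumed values to tune per network.
    """
    recent = defaultdict(deque)  # (src, port) -> deque of (timestamp, dst)
    flagged = {}
    for ts, src, dst, port in sorted(flows):
        key = (src, port)
        seen = recent[key]
        seen.append((ts, dst))
        # Drop records that have aged out of the sliding window.
        while seen and seen[0][0] <= ts - window:
            seen.popleft()
        # Count distinct destinations so repeat traffic to one server
        # (normal client behaviour) does not inflate the score.
        fanout = len({d for _, d in seen})
        if fanout >= threshold:
            flagged[key] = max(flagged.get(key, 0), fanout)
    return flagged


if __name__ == "__main__":
    for (src, port), fanout in find_probing_hosts(SAMPLE_FLOWS).items():
        print(f"{src} contacted {fanout} distinct hosts on port {port}")
```
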