Worms are malicious programs that spread themselves automatically. Viruses are malicious programs that spread through human intervention, such as inserting a floppy disk into a computer or double-clicking on an e-mail attachment. Most viruses spread by convincing the system user to open a malicious attachment. Worms, by contrast, propagate autonomously: they exploit vulnerabilities in a computer system, then use network connectivity to find and attack other vulnerable systems. Because no user intervention is needed, worms spread far faster than viruses.
The term worm was first applied to self-replicating computer programs by John Brunner in the 1975 sci-fi novel, The Shockwave Rider. In the book, a malicious program spreads itself throughout the government’s massive computer system, exposing private data and government secrets. Researchers at Xerox’s famous PARC laboratory first applied the term to real-world, self-spreading programs.
Worms are at least as damaging as viruses. Recent worms such as Code Red and Nimda have caused billions of dollars in damage, clean-up costs, and lost business revenue. Attackers are using worms more frequently, since they can do so much damage so quickly.
The first widespread Internet worm appeared in 1988. A graduate student at Cornell University, Robert Morris, created a worm program that exploited several vulnerabilities and released it onto the then-growing Internet. Although Morris claimed that there was no malicious intent behind the worm, and that it was just an “experiment” that went terribly wrong, the Morris worm damaged over 6,000 Internet-connected computers and caused hundreds of thousands of dollars in clean-up costs. As an example of how quickly worm technology has evolved, consider that Code Red spread to over 300,000 computers in just 14 hours.
The anatomy of a worm
Worms have three main parts:
· Attack mechanism
· Payload
· New target selection
A worm’s attack mechanism exploits one or more specific vulnerabilities in the target system and uses the access gained to copy the worm onto that system.
The payload is the part of the worm code that performs malicious actions against the compromised host. Some worms have no payload; they simply spread themselves and drain system resources. A payload can be any type of program. If a worm targets a vulnerability that lets its payload run at the root or administrator privilege level, the payload can reformat the hard drive or install rootkits and backdoor programs. The payload may search the computer for data to send to a central server where the worm’s author can collect it. Any number of other malicious activities can be part of a worm payload.
Once the worm code is executing on the attacked system, it attempts to spread again. To do this, a worm must locate target computers that are vulnerable to its attack mechanism. The target selection mechanisms used vary in sophistication.
The dissection of a worm attack
Code Red exploited a vulnerability in the Microsoft® IIS Web server. It appeared in three versions, each improving on the previous one’s distribution mechanism, which dramatically accelerated its spread. The first version of the Code Red worm simply sent Hypertext Transfer Protocol (HTTP—the underlying protocol used by the World Wide Web) requests containing its exploit code to random Internet Protocol (IP—an address that identifies a computer on a network) addresses. Such a simple target selection technique requires a large number of attempted attacks for each successful one. For Code Red to infect a randomly selected IP address, the following criteria had to be met:
· There is a computer at that IP address
· The computer at that IP address must be running an Internet Information Server (IIS—the Microsoft Web server that runs on Windows NT platforms)
· The IIS Web server application must be vulnerable to exploitation (the server is not yet patched or protected)
A later version of Code Red improved on the target selection mechanism by choosing target IP addresses that were numerically close to the IP address of the infected machine. For example, if the infected machine’s IP address was 192.168.1.134, Code Red II randomly selected IP addresses beginning with 192.168.1 before targeting other IP addresses. Since computers on a given network often have similar addresses, this greatly improves the chances that a chosen address actually belongs to a live computer.
More intelligent, targeted worms may use predefined lists of known servers, telecommunication providers, well-known companies, government departments, domain name system (DNS) data, or other techniques to more efficiently select potential targets.
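The success criteria listed above and the contrast between Code Red's random target selection and Code Red II's local preference both leave a footprint in connection logs: one source fanning out to many destination addresses on port 80, most attempts failing because nothing answers (no host, or a host not running a Web server), and those attempts either clustered in the source's own subnet or scattered across the address space. The following Python is an added example, not code from the original post. It parses a constructed connection-log format (timestamp, source, destination:port, outcome) and flags sources whose behaviour matches either scanning pattern; the log format, the sample addresses and the thresholds are all assumptions made for this example.

```python
"""Flag worm-style scanning behaviour in a connection log.

Added example for this post, not the original author's code. The log
format is a constructed one: "<time> <src_ip> -> <dst_ip>:<port> <outcome>"
where outcome is ok (TCP handshake completed), refused (host up, nothing
listening on the port) or timeout (no host answered).
"""
from collections import defaultdict
import ipaddress

# Constructed sample log. 192.168.1.134 behaves like a Code Red II host and
# probes mostly its own /24; 10.9.9.9 probes addresses spread across the
# address space like the first Code Red; 192.168.1.50 is a normal client.
SAMPLE_LOG = """\
12:00:01 192.168.1.134 -> 192.168.1.7:80 timeout
12:00:01 192.168.1.134 -> 192.168.1.22:80 refused
12:00:02 192.168.1.134 -> 192.168.1.91:80 timeout
12:00:02 192.168.1.134 -> 192.168.1.140:80 ok
12:00:03 192.168.1.134 -> 192.168.1.201:80 timeout
12:00:03 192.168.1.134 -> 192.168.1.250:80 timeout
12:00:04 192.168.1.134 -> 172.16.40.3:80 timeout
12:00:04 192.168.1.134 -> 203.0.113.77:80 refused
12:00:05 10.9.9.9 -> 198.51.100.14:80 timeout
12:00:05 10.9.9.9 -> 203.0.113.5:80 timeout
12:00:06 10.9.9.9 -> 192.0.2.200:80 refused
12:00:06 10.9.9.9 -> 172.16.8.8:80 timeout
12:00:07 10.9.9.9 -> 10.200.3.1:80 timeout
12:00:07 10.9.9.9 -> 198.51.100.99:80 ok
12:00:08 192.168.1.50 -> 192.168.1.10:80 ok
12:00:08 192.168.1.50 -> 192.168.1.10:80 ok
12:00:09 192.168.1.50 -> 203.0.113.9:80 ok
"""


def parse_line(line):
    """Split one log line into its fields."""
    _time, src, _arrow, dst_port, outcome = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"src": src, "dst": dst, "port": int(port), "outcome": outcome}


def summarize(log_text):
    """Aggregate per-source statistics: attempts, failures, distinct
    destinations, and how many attempts stayed inside the source's /24."""
    per_src = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "targets": set(), "local": 0}
    )
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        stats = per_src[rec["src"]]
        stats["attempts"] += 1
        stats["targets"].add(rec["dst"])
        if rec["outcome"] != "ok":
            stats["failures"] += 1
        # Same /24 as the source: the "numerically close" preference the
        # post describes for Code Red II.
        src_net = ipaddress.ip_network(f"{rec['src']}/24", strict=False)
        if ipaddress.ip_address(rec["dst"]) in src_net:
            stats["local"] += 1
    return per_src


def classify(stats, min_targets=5, min_failure_ratio=0.5, local_share=0.6):
    """Decide whether one source looks benign, like a random scanner, or like
    a scanner that prefers its own subnet. Thresholds are assumptions."""
    if len(stats["targets"]) < min_targets:
        return "benign"
    if stats["failures"] / stats["attempts"] < min_failure_ratio:
        return "benign"
    share = stats["local"] / stats["attempts"]
    return "local-preference scan" if share >= local_share else "random scan"


def detect(log_text):
    """Return {source_ip: verdict} for every source in the log."""
    return {src: classify(st) for src, st in summarize(log_text).items()}


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

The failure ratio is what separates a worm's scan from a busy legitimate client: a real user connects to hosts that exist and answer, whereas a worm picking addresses at random mostly hits nothing. The local-share measure is only meaningful once the fan-out threshold has been passed, which is why the benign check runs first.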