Worm (computers): Difference between revisions
imported>Howard C. Berkowitz (No edit summary)
mNo edit summary
(6 intermediate revisions by 4 users not shown)
Line 1:
{{PropDel}}<br><br>{{subpages}}
{{TOC|right}}
In computer and network security, a '''worm''' is a form of [[malware]] that, once it activates inside a victim's computer, can replicate and propagate itself without further user activity. Worms often take up valuable memory and network bandwidth, which can cause a computer to stop responding, and can also allow attackers to gain unauthorized remote control of one or more computers.
While the idea of a parasitic worm goes far back in biology, the term appears to have first been used, as a concept in computing, in [[John Brunner]]'s 1975 science fiction novel, ''[[Shockwave Rider]]''. Actual software, under tightly controlled conditions, was developed in 1981-1982.<ref name=Schoc>{{citation
 | author = Shoch, John F. and Jon A. Hupp
 | title = The Worm Programs — Early Experience with a Distributed Computation
Line 28:
 | url = http://www.cert.org/advisories/CA-2003-04.html}}</ref> It propagated rapidly, executing self-propagating code and taking over the infected computer's resources such that it did little but try to replicate itself. That was sufficient, however, to make the computer useless. One of the features of this malware was that the basic code randomly generated [[Internet Protocol version 4]] addresses to which it would try to propagate itself, without checking if the address was that of a plausible target. This simplicity, even though inefficient, allowed a small piece of code, 376 bytes in length, to be extremely infectious.
It was readily identifiable by its fixed length, and the random source addresses that it used. It also exploited a general vulnerability; a basic rule of network security is that:
*[[User Datagram Protocol]] packets should be accepted only from trusted sources, or, as in the case of [[Domain Name System]] queries, only when the service is read-only and rate-limited.
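The rule above can be expressed as a small inbound UDP policy. The following is an added illustration, not code from the article or from any product it mentions: it accepts UDP only from trusted networks, opens a read-only service such as DNS to everyone but rate-limits each source per time window, and drops everything else. The trusted prefix, the port numbers, the window length and the rate limit are assumed values, and the sample datagrams are constructed, not captured traffic.

```python
"""Added example (not from the article): a minimal inbound UDP policy that
accepts UDP only from trusted sources, except for read-only services such
as DNS, which are open to all but rate-limited per source."""
import ipaddress
from collections import defaultdict

# Assumed policy values (not stated in the article).
TRUSTED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]  # e.g. a management net
READ_ONLY_SERVICES = {53}    # DNS answers are read-only, so the port stays open
RATE_LIMIT_PER_WINDOW = 3    # datagrams per source per window on open services
WINDOW_SECONDS = 1.0


class UdpPolicy:
    """Decides, datagram by datagram, whether inbound UDP is accepted."""

    def __init__(self):
        # (source address, window index) -> datagrams seen in that window
        self._counts = defaultdict(int)

    def decide(self, src, dst_port, ts):
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in TRUSTED_SOURCES):
            return "accept"                      # trusted source: any UDP port
        if dst_port in READ_ONLY_SERVICES:
            key = (src, int(ts // WINDOW_SECONDS))
            self._counts[key] += 1
            if self._counts[key] > RATE_LIMIT_PER_WINDOW:
                return "drop:rate-limited"       # open service, but too chatty
            return "accept"
        return "drop:untrusted-source"           # everything else is refused


def evaluate(packets):
    """Run the policy over (src, dst_port, timestamp) tuples; return verdicts."""
    policy = UdpPolicy()
    return [policy.decide(src, port, ts) for src, port, ts in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    ("192.0.2.10", 6000, 0.0),    # trusted net: accepted regardless of port
    ("198.51.100.7", 53, 0.1),    # DNS from outside: accepted...
    ("198.51.100.7", 53, 0.2),
    ("198.51.100.7", 53, 0.3),
    ("198.51.100.7", 53, 0.4),    # ...until the per-window limit is exceeded
    ("198.51.100.7", 6000, 0.5),  # other UDP from an untrusted source: dropped
    ("198.51.100.7", 53, 1.5),    # a new window: accepted again
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(pkt, "->", verdict)
```

Running the file prints one verdict per constructed datagram; the fourth DNS query from the outside host in the same second is the one that trips the rate limit.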
==Worms defend themselves==
Once the signature of a worm was identified, the worm writers fought back. Methods they used included [[malware polymorphism]] to bypass length tests, but in an early worm such as Slammer, the specific port could still be filtered.
Since worms live in computers, the first line of defense is to have up-to-date [[host intrusion detection system]]s (HIDS) that are not limited to [[virus (computer)]] detection but cover the full range of malware. Keeping such software updated often means checking the HIDS vendor database daily, or even hourly.
===Spoofing and counter-spoofing===
On the network side, a strong general countermeasure has been [[ingress filtering]], usually in routers, which can reject packets with random source addresses.<ref name=ingress-MH>{{citation
 | url = http://www.ietf.org/rfc/rfc3704.txt
 | title = Ingress Filtering for Multihomed Networks
 | author = F. Baker & P. Savola
 | date = March 2004 | id = RFC 3704, IETF BCP (Best Current Practice) 84}}</ref> A major miscreant countermeasure to ingress filtering, however, is the use of the [[botnet]], so the attack traffic comes from a legitimate address.
When the addresses are legitimate, worm defense external to a computer returns to recognizing the signature of the worm. It may be difficult to recognize a polymorphic attacker, and, indeed, its polymorphed spawn. Nevertheless, an active worm's reproduction may well produce a traffic signature that can be recognized.
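Both network-side measures in this section, ingress filtering against spoofed sources and, once sources are legitimate, recognizing the traffic signature of a worm's reproduction, can be shown in one small analyser. The following is an added example, not code from the article, from RFC 3704 or from any product: `ingress_filter` drops packets whose source address lies outside the prefix assigned to the interface they arrived on, and `fanout_signature` flags a source that sends many datagrams of one fixed size (376 bytes in the constructed sample, the length the article gives for Slammer) to many distinct destinations within one time window. The interface-to-prefix table, the thresholds and the sample traffic are assumptions constructed for this example.

```python
"""Added example (not from the article): an RFC 3704-style ingress filter
followed by a fan-out detector for worm-like UDP traffic from legitimate
addresses.  Prefixes, thresholds and traffic below are constructed."""
import ipaddress
from collections import defaultdict

# Assumed mapping of customer interface -> prefix it is allowed to source from.
INTERFACE_PREFIXES = {
    "cust-A": ipaddress.ip_network("203.0.113.0/24"),
    "cust-B": ipaddress.ip_network("198.51.100.0/24"),
}


def ingress_filter(packets):
    """Keep packets whose source lies in the prefix of their ingress interface.

    Returns (passed, rejected); a randomly spoofed source is rejected at once."""
    passed, rejected = [], []
    for pkt in packets:
        prefix = INTERFACE_PREFIXES.get(pkt["iface"])
        if prefix is not None and ipaddress.ip_address(pkt["src"]) in prefix:
            passed.append(pkt)
        else:
            rejected.append(pkt)
    return passed, rejected


def fanout_signature(packets, window=1.0, min_targets=20, min_share=0.9):
    """Flag sources that, inside one window, send at least `min_targets` UDP
    datagrams of a single size to at least `min_targets` distinct destinations,
    with that size making up at least `min_share` of the source's datagrams.

    A replicating worm spraying random addresses looks like this; an ordinary
    client talks to few peers with varied packet sizes.  Thresholds are assumed."""
    stats = defaultdict(lambda: {"total": 0, "sizes": defaultdict(int), "dsts": set()})
    for pkt in packets:
        if pkt["proto"] != "udp":
            continue
        s = stats[(pkt["src"], int(pkt["ts"] // window))]
        s["total"] += 1
        s["sizes"][pkt["size"]] += 1
        s["dsts"].add(pkt["dst"])
    flagged = {}
    for (src, _), s in stats.items():
        size, count = max(s["sizes"].items(), key=lambda kv: kv[1])
        if (count >= min_targets and len(s["dsts"]) >= min_targets
                and count / s["total"] >= min_share):
            flagged[src] = size            # source -> the fixed datagram size
    return flagged


def build_sample():
    """Constructed traffic: a spoofing host, a sprayer with a legitimate
    address, and an ordinary DNS client."""
    pkts = [{"iface": "cust-A", "src": "10.9.8.7", "dst": "192.0.2.1",
             "proto": "udp", "size": 376, "ts": 0.0}]   # outside cust-A's prefix
    for i in range(25):   # legitimate cust-B address spraying 25 random hosts
        pkts.append({"iface": "cust-B", "src": "198.51.100.50",
                     "dst": f"192.0.2.{i + 1}", "proto": "udp", "size": 376,
                     "ts": 0.01 * i})
    for i, size in enumerate((61, 74, 58)):   # a few varied DNS queries
        pkts.append({"iface": "cust-A", "src": "203.0.113.9", "dst": "192.0.2.53",
                     "proto": "udp", "size": size, "ts": 0.1 * i})
    return pkts


def analyse(packets):
    """Apply the ingress filter first, then look for fan-out among survivors."""
    passed, rejected = ingress_filter(packets)
    return {"rejected_sources": sorted({p["src"] for p in rejected}),
            "flagged": fanout_signature(passed)}


if __name__ == "__main__":
    print(analyse(build_sample()))
```

The two stages mirror the text: the spoofed packet never reaches the signature check, while the sprayer, whose address is valid for its interface, is only caught by the fixed-size fan-out pattern its replication produces.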
==References==
{{reflist|2}}
[[Category:Suggestion Bot Tag]]
Latest revision as of 12:00, 9 November 2024
This article may be deleted soon.
In computer and network security, a worm is a form of malware that, once it activates inside a victim's computer, can replicate and propagate itself without further user activity. Worms often take up valuable memory and network bandwidth, which can cause a computer to stop responding, and can also allow attackers to gain unauthorized remote control of one or more computers.

While the idea of a parasitic worm goes far back in biology, the term appears to have first been used, as a concept in computing, in John Brunner's 1975 science fiction novel, Shockwave Rider. Actual software, under tightly controlled conditions, was developed in 1981-1982.[1]

Morris worm: first wild infection

The first widespread Internet worm attack took place in 1988.[2] It had several attack vectors, the most notable exploiting the most common BSD UNIX electronic mail server. After entry, some of the malware's functions simply performed network reconnaissance, to determine such things as account names that could be exploited by other parts of the worm. Once it had a name and password on another computer, it used one of several methods to attempt to log in to that computer and copy itself there, to begin executing and propagating. For most practical purposes, the Internet, still primarily a research environment, was shut down for several days, until corrective software patches were defined and distributed through secure channels. The miscreant who wrote it was later apprehended, convicted and imprisoned; there is some evidence that he had not intended it to be as destructive, but incorrectly programmed some features that were intended to limit its infectivity.

Slammer worm

One of the most destructive worms was Slammer, a 2003 worm that exploited vulnerabilities in certain features of Microsoft Structured Query Language (SQL) software.[3] It propagated rapidly, executing self-propagating code and taking over the infected computer's resources such that it did little but try to replicate itself. That was sufficient, however, to make the computer useless. One of the features of this malware was that the basic code randomly generated Internet Protocol version 4 addresses to which it would try to propagate itself, without checking if the address was that of a plausible target. This simplicity, even though inefficient, allowed a small piece of code, 376 bytes in length, to be extremely infectious. It was readily identifiable by its fixed length, and the random source addresses that it used. It also exploited a general vulnerability; a basic rule of network security is that User Datagram Protocol packets should be accepted only from trusted sources, or, as in the case of Domain Name System queries, only when the service is read-only and rate-limited.

Worms defend themselves

Once the signature of a worm was identified, the worm writers fought back. Methods they used included malware polymorphism to bypass length tests, but in an early worm such as Slammer, the specific port could still be filtered. Since worms live in computers, the first line of defense is to have up-to-date host intrusion detection systems (HIDS) that are not limited to virus (computer) detection but cover the full range of malware. Keeping such software updated often means checking the HIDS vendor database daily, or even hourly.

Spoofing and counter-spoofing

On the network side, a strong general countermeasure has been ingress filtering, usually in routers, which can reject packets with random source addresses.[4] A major miscreant countermeasure to ingress filtering, however, is the use of the botnet, so the attack traffic comes from a legitimate address. When the addresses are legitimate, worm defense external to a computer returns to recognizing the signature of the worm. It may be difficult to recognize a polymorphic attacker, and, indeed, its polymorphed spawn. Nevertheless, an active worm's reproduction may well produce a traffic signature that can be recognized.

References