Worm (computers): Difference between revisions
Both revisions by imported>Howard C. Berkowitz (no edit summary).
Revision as of 16:12, 22 February 2009
In computer and network security, a worm is a form of malware that, once it activates inside a victim's computer, can replicate and propagate itself without further user activity. Worms often take up valuable memory and network bandwidth, which can cause a computer to stop responding, and can also allow attackers to gain unauthorized remote control of one or more computers.
While the idea of a parasitic biological worm goes far back in biology, the term appears to have first been used, as a concept in computing, in John Brunner's 1975 science fiction novel, Shockwave Rider. Actual worm software, run under tightly controlled conditions, was developed in 1981-1982.[1]
Morris worm: first wild infection
The first widespread Internet worm attack took place in 1988.[2] It had several attack vectors, the most notable exploiting the most common BSD UNIX electronic mail server, sendmail, in a manner that caused an executable program carried in a mail message to begin executing immediately. Another vector was a password guessing attack on the logins to common services. Yet another method exploited UNIX utility programs then in common use, but since largely abandoned because of their vulnerabilities.
After entry, some of the worm's functions simply performed network reconnaissance, to determine such things as account names that could be exploited by other parts of the worm. Once it had an account name and password for another computer, it used one of several methods to attempt to log in to that computer and copy itself there, where the copy would begin executing and propagating in turn.
For most practical purposes, the Internet, still primarily a research environment, was shut down for several days, until corrective software patches were developed and distributed through secure channels. The miscreant who wrote it was later apprehended, convicted and imprisoned; there is some evidence that he had not intended it to be as destructive as it was, but had incorrectly programmed some features that were intended to limit its infectivity.
Slammer worm
One of the most destructive worms was Slammer, a 2003 worm that exploited vulnerabilities in certain features of Microsoft Structured Query Language (SQL) software.[3] It propagated rapidly, taking over the infected computer's resources to such an extent that the machine did little but try to replicate the worm. That was sufficient, however, to make the computer useless. One of the features of this malware was that its code randomly generated Internet Protocol version 4 addresses to which it would try to propagate itself, without checking whether the address was that of a plausible target. This simplicity, though inefficient, allowed a small piece of code, 376 bytes in length, to be extremely infectious.
It was readily identifiable by its fixed length and by the random source addresses that it used. It also exploited a general weakness in network configuration; a basic rule of network security is that User Datagram Protocol packets should be accepted only from trusted sources, or, as in the case of Domain Name System queries, only where the service is read-only and rate-limited.
More dangerous variants employed malware polymorphism to bypass length tests, but the specific port could still be filtered, and ingress filtering security measures, usually in routers, would reject many of the packets with random source addresses.[4]
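As an added example (not part of the article), the following Python sketches the three defensive checks the Slammer section describes, applied to a constructed flow log: RFC 3704-style ingress filtering of packets whose source address lies outside the site's own prefixes, a filter on the worm's fixed length and port, and a port-only filter that still catches the polymorphic variants. The site prefixes and log lines are constructed; UDP port 1434 is the SQL Server Monitor port from the cited CERT advisory and is not named on this page.

```python
import ipaddress
from collections import Counter

# Constructed: prefixes assigned to the site. Under RFC 3704 (BCP 84) a packet
# leaving the site with a source outside these prefixes is dropped at the edge.
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("203.0.113.0/24")]
SLAMMER_PORT = 1434          # UDP port from CERT CA-2003-04 (not stated on this page)
SLAMMER_PAYLOAD_LEN = 376    # fixed length quoted in the article

# Constructed flow-log lines: "proto src sport dst dport bytes"
SAMPLE_LOG = """
UDP 198.51.100.7 1434 192.0.2.3 1434 376
UDP 10.0.0.5 1434 192.0.2.9 1434 376
UDP 198.51.100.9 40000 192.0.2.53 53 64
UDP 198.51.100.7 1434 192.0.2.4 1434 404
TCP 198.51.100.20 51000 192.0.2.80 80 1200
"""

def parse_flow(line):
    """Split one log line into typed fields."""
    proto, src, sport, dst, dport, length = line.split()
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "len": int(length)}

def source_is_ours(src):
    """BCP 84 egress check: the source must belong to one of the site prefixes."""
    return any(src in net for net in SITE_PREFIXES)

def classify(flow):
    """Return the verdict the edge would give, most general filter first."""
    if not source_is_ours(flow["src"]):
        return "drop-ingress-filter"        # spoofed or random source address
    if flow["proto"] == "UDP" and flow["dport"] == SLAMMER_PORT:
        if flow["len"] == SLAMMER_PAYLOAD_LEN:
            return "drop-worm-signature"    # fixed length plus port
        return "drop-port-filter"           # polymorphic variant, port still blocked
    return "allow"

def triage(lines):
    """Count verdicts over a block of log lines, skipping blanks."""
    return Counter(classify(parse_flow(l)) for l in lines if l.strip())

if __name__ == "__main__":
    for verdict, n in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{verdict:22s} {n}")
```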
References
- ↑ Shoch, John F. and Jon A. Hupp (March 1982), "The Worm Programs — Early Experience with a Distributed Computation", Communications of the ACM 25 (3): 172-180
- ↑ Eugene H. Spafford (1988), The Internet Worm Program: An Analysis, Department of Computer Sciences, Purdue University, Purdue Technical Report CSD-TR-823, http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf
- ↑ US-CERT (January 27, 2003), CERT® Advisory CA-2003-04 MS-SQL Server Worm, http://www.cert.org/advisories/CA-2003-04.html
- ↑ F. Baker & P. Savola (March 2004), Ingress Filtering for Multihomed Networks, RFC 3704, IETF BCP (Best Current Practice) 84, http://www.ietf.org/rfc/rfc3704.txt