Worm (computers)
Template:TOC-right In computer and network security, a worm is a form of malware that, once it activates inside a victim's computer, can replicate and propagate itself without further user activity. Worms often take up valuable memory and network bandwidth, which can cause a computer to stop responding, and can also allow attackers to gain unauthorized remote control of one or more computers.
While the idea of a parasitic worm goes far back in biology, the term appears to have first been used as, as a concept in computing, in John Brunner's 1975 science fiction novel, Shockwave Rider. Actual software, under tightly controlled conditions, was developed in 1981-1982.[1]
Morris worm: first wild infection
The first widespread Internet worm attack took place in 1988.[2] It had several attack vectors, the most notable exploiting the most common BSD UNIX electronic mail server, sendmail
, in a manner that caused an executable program, in a mail message, to immediately begin executing. Another vector was a password guessing attack on the logins to common services. Yet another method exploited UNIX utility programs then in common use, but largely abandoned as vulnerabilities.
After entry, some of the malware function simply performed network reconnaissance, to determine such things as account names that could be exploited by other parts of the worm. Once it had a name and password on another computer, it used one of several methods to attempt to log in to that computer and copy itself there, to begin executing and propagating.
For most practical purpose, the Internet, still primarily a research environment, was shut down for several days, until corrective software patches were defined and distributed through secure channels. The miscreant who wrote it was later apprehended, convicted and imprisoned; there is some evidence that he had not intended it to be as destructive, but incorrectly programmed some features that were intended to limit its infectivity.
Slammer worm
One of the most destructive worms was Slammer, a 2003 exploit that exploited vulnerabilities in certain features of Microsoft Structured Query Language (SQL) software. [3] It propagated rapidly, executing self-propagating code and taking over the infected computer's resources such that it did little but try to replicate itself. That was sufficient, however, to make the computer useless. One of the features of this malware was that the basic code randomly generated Internet Protocol version 4 addresses to which it would try to propagate itself, without checking if the address was that of a plausible target. This simplicity, even though inefficient, allowed a small piece of code, 376 bytes in length, to be extremely infectious.
It was readily identifiable by its fixed length, and the random source addresses that it used. It also exploited a general vulnerability; a basic rule of network security
- User Datagram Protocol packets should be accepted only from trusted sources, or if, as in the case of Domain Name System queries, they are read-only and rate-limited.
Worms defend themselves
Once the signature of a worm was identified, the worm writers fought back. Methods they use included malware polymorphism to bypass length tests, but, in an early worm such as Slammer, the specific port could still be filtered.
Since worms live in computers, the first line of defense is to have up-to-date host intrusion detection systems (HIDS) that are not limited to virus (computer) detection, but to the full range of malware. Keeping such software updated often means checking the HIDS vendor database daily, or even hourly.
Spoofing and counter-spoofing
On the network side, a strong general countermeasure has been ingress filtering, usually in routers, which can reject packets with random source addresses. [4] A major miscreant countermeasure to ingress filtering, however, is the use of the botnet, so the attack traffic comes from a legitimate address.
When the addresses are legitimate, worm defense external to a computer returns to recognizing the signature of the worm. It may be difficult to recognize a polymorphic attacker, and, indeed, its polymorphed spawn. Nevertheless, an active worm's reproduction may well produce a traffic signature that can be recognized.
References
- ↑ Shoch, John F. and Jon A. Hupp, "The Worm Programs — Early Experience with a Distributed Computation,’’", Communications of the ACM 25 (3): 172-180
- ↑ Eugene H. Spafford (1988), The Internet Worm Program: An Analysis, Department of Computer Sciences, Purdue University, Purdue Technical Report CSD-TR-823
- ↑ US-CERT, CERT® Advisory CA-2003-04 MS-SQL Server Worm
- ↑ F. Baker & P. Savola (March 2004), Ingress Filtering for Multihomed Networks, RFC 3704, IETF BCP (Best Current Practice) 84