Worms By: Aaron Stahler

Difference Between a Worm and A Virus Viruses are computer programs that are designed to spread themselves from one file to another on a single computer. Worms are insidious because they rely less (or not at all) on human behavior in order to spread themselves from one computer to another and unlike viruses worms are not worried how many time they get copied on one machine but rather how many machines they infect.

Worm Classification Classified Based on Two Characteristics: 1.Worm Transport Classifications 2.Worm Launch Classifications

Worm Transport Classifications Worms – Native Embedded in the – Parasitic Sent as an attachment Arbitrary protocol Worms: IRC Worms, TCIP/IP Worms – Spread by using one or more non based protocols

Worm Launch Classifications: How it Gains Control Self -launching Worms – Worms that are capable of spreading to a new system and actively running on that system. User-launched Worms – Require user intervention in order to execute on a system. Hybrid-launch Worms – Are capable of spreading using both of the above mechanisms

Brief History of Worms The Xerox Worms: The first Computer Worms (1980) The CHRISMA EXEC Worm: The First Widespread , User-launched Worm (1987) The Internet Worm: The First Arbitrary Protocol, BACK Door Worm (1988) The IRC Worms: The First Consumer-oriented Arbitrary Protocol, Self Launching Worms (1997)

Brief History of Worms The Happy99 Worm: The First Mainstream Consumer-oriented Worm (1999) The Melissa Virus+Worm: The First Mainstream Corporate Macro Hybrid The ExploreZip Worm: The First Widespread Hybrid-launch, Arbitrary Protocol Worm Conficker:

Evolution of Enabling Technology Infrastructural Homogeneity: Homogeneity of computers, operating systems and communications platforms has been the single largest enabler for computer worms. Ubiquitous Programmability: Ubiquitous programmability of Windows components has made it possible for worms to spread without complex programming. Increased Connectedness via Homogenous Communications Mechanism: The increasing connectedness of the internet permits worms to spread faster, and to more machines, than ever before.

Other Factors Corporate/Consumer Bridge Technologies: The Malware authors only program against the worms they see. Home Networking: Many virus writers can test their product on these unsecured home network, so when they finally unleash the full version it has already been tested.

Future of Worms Cable/DSL Brings Worms Home: Continuous static connection+ Connected desktop apps+ scripting Capabilities= Worm heaven MAPI Worms: Such as Outlook, Exchange, and etc. Worms can leverage functionality. Information Stealers and Remote Control Worms: Example Prettypark worm sits on someone's computer and waits for the creator to call on it to retrieve information or send malicious code out. Peer-to-Peer Worms: Sent through s and any peer-to-peer networks. Scripting Worms: that has code scripted inside so when you open the your computer is infected. Mostly in corporate settings. ActiveX and Java Worms: Very rare but uses ActiveX to be deployed on the system

Second Generation Worms Polymorphic Worms: sends a virtually identical text message to everyone through and peer-to-peer. Retro Worms: These worms actively attack anti- virus software prevent themselves from being discovered. Stubborn Worms: The worms that prevent themselves from being unloaded from a system. Wireless Worms: These can attack palm pilots and other wireless devices.

Examination of Worms Epidemics Case Study on Mass Worms Easy to obtain “addresses” of other targets Homogenous makes spreading easy Humans are the biggest security risk: there's no need to find a back door into the system Corporate systems offer “one degree of separation” Why infect one other computer when you can infect 50 or 50,000 Spread to other computers as soon as they can Mailbox Penetration or computer penetration

Easy Ways to Exploit a System 1.Exploiting default passwords that have not been reset, to gain access to the system. 2.Using dictionary based password attacks to break into user accounts and remotely login to a system. 3.Using buffer overflows. 4.Exploitation of debugging facilities that are built into standard network services. 5.Attack of non-secured shared drives and peer- to-peer devices.

Case Study: Back Door Worms and The Internet Worm It’s easy to obtain “addresses” of other targets Homogeneous environments makes spreading easy Back door worms spread best unhindered Spread to other computers without user intervention

Case Study: Hybrid Worms and ExploreZip It’s easy to obtain “addresses” of other targets Homogeneous computers makes spreading easy The human is the biggest security risk; there’s no need to find a back door into the system It can Spread Slowly or Spread Quickly Mailbox penetration or computer penetration can happen Payload and trigger conditions affect the worms’ viability

Containment Proactive Steps Run Anti-virus Software on Servers, Gateways, and Desktops Remove “all company” Addresses from your lists Lock Down All Peer-to-Peer Networking Deploy Internal Firewalls Disable Script Capabilities Strip Executable Content From Incoming Use Heuristics and If Possible, Digital Immune System Technology

Active Infection If hit by a destructive Worm: Update File Server Permissions If hit by a data export Worm: Limit access to data and Networks If hit by an or arbitrary-protocol Worm infection: Distribute Virus definitions to gateways, servers and file servers first If hit by a file server-aware Worm infection: Distribute virus definitions to file servers first If hit by a back door Worm infection: Down all affected networks

Future Anti-worm Technologies Windows Memory Scanning and Repair Behavior Blockers Personal Firewalls Worm Heuristics Automated Worm Replication and Analysis

Future Containment Approaches Ubiquitous Authentication Policy-driven File/Macro-level Access Control Macro-free Products