Early virus writers were not concerned with the possibility of their creations being discovered. In fact, in the early days of computer viruses the creators of viruses wanted their inventions to be discovered to add to the writer’s notoriety. However, the motivation for writing malicious software has shifted from fame and notoriety to revenge and money.
With this shift in motivation the creators of worms wish their creations to remain undiscovered. Worm authors now employ stealth techniques in their creations to aid in hiding the worms for as long as possible. In the words of Li and Knickerbocker (2007), a worm that exhibits aggressive behavior is doomed to be discovered by the intrusion detection systems of today.
One distinct characteristic of computer worms is the ability to move between systems without the need to piggyback on a file for transport. Worms develop certain behavior patterns as they move between systems. Li, Stafford, and Ehrenkranz (n.d.) observed four distinct behavior patterns in the connections that worms make between computers. These connection patterns aid researchers in the discovery of new worms. Those behavior patterns include the following:
- causal connection relationship
- greedy destination visiting pattern
(Li, Stafford, & Ehrenkranz, n.d.)
Causal Connection Relationship
Movement between hosts is a necessary behavior of worms. Before a worm may attempt a connection to a host there must have been an incoming connection from some other host that deposited the worm. A victim host cannot infect other hosts before the victim itself is infected.
Worms gain entry to systems by exploiting known vulnerabilities on the target systems. The limited number of vulnerabilities and systems known to a particular worm causes the worm to repeatedly select the same vulnerability for attacks. These attacks will exhibit a similarity to previous attacks.
Greedy Destination Visiting Pattern
One of the design goals for worms is to infect large numbers of hosts. To accomplish this goal, hosts infected with worms attempt to connect to more hosts than non-infected hosts would normally attempt to connect to. This increased number of connection attempts will eventually become apparent.
Continuous propagation to infect new hosts is a defining characteristic of worm behavior. Even with a slow rate of infection, “as more and more hosts of a domain become infected a growing number of worm connections will cross the gateway of an infected domain” (p. 2). This increase in connections from multiple hosts should also become apparent.
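The two connection patterns above can be checked mechanically against flow records from a gateway. The following is an added example (not code from the paper or from SWORD) that assumes a constructed list of (timestamp, source, destination) records: it flags hosts that contact an unusually large number of distinct destinations (greedy destination visiting) and then, for each flagged host, looks for the earlier inbound connection that must have deposited the worm (causal connection relationship).

```python
from collections import defaultdict

# Constructed sample flow records (seconds, source, destination); assumed format.
# 10.0.0.9 contacts 10.0.0.7, which then fans out; 10.0.0.22 fans out after .7 reaches it.
FLOWS = [
    (0,  "10.0.0.5",  "10.0.0.7"),    # ordinary traffic
    (10, "10.0.0.9",  "10.0.0.7"),    # inbound connection that deposits the worm on .7
    (20, "10.0.0.7",  "10.0.0.21"),
    (21, "10.0.0.7",  "10.0.0.22"),
    (22, "10.0.0.7",  "10.0.0.23"),
    (23, "10.0.0.7",  "10.0.0.24"),
    (24, "10.0.0.7",  "10.0.0.25"),
    (30, "10.0.0.22", "10.0.0.31"),   # .22 starts scanning after being contacted by .7
    (31, "10.0.0.22", "10.0.0.32"),
    (32, "10.0.0.22", "10.0.0.33"),
    (33, "10.0.0.22", "10.0.0.34"),
    (34, "10.0.0.22", "10.0.0.35"),
    (40, "10.0.0.5",  "10.0.0.8"),
]

def greedy_hosts(flows, threshold):
    """Greedy destination visiting: hosts that contacted at least `threshold`
    distinct destinations. The threshold is a site-specific baseline (assumed)."""
    dests = defaultdict(set)
    for _, src, dst in flows:
        dests[src].add(dst)
    return {h for h, d in dests.items() if len(d) >= threshold}

def prior_sources(flows, host):
    """Causal connection relationship: every host that connected to `host`
    before `host` made its own first outbound connection. A victim cannot
    infect others before it is infected, so the infector is in this set."""
    first_out = min((t for t, s, _ in flows if s == host), default=None)
    if first_out is None:
        return set()
    return {s for t, s, d in flows if d == host and t < first_out}

def worm_chain(flows, threshold=5):
    """Map each greedy host to the greedy hosts that reached it first, i.e. the
    reconstructed infection chain. An empty set means the infector is not
    itself flagged (for example, a host outside the monitored domain)."""
    greedy = greedy_hosts(flows, threshold)
    return {h: prior_sources(flows, h) & greedy for h in greedy}
```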
Four Types of Worms
Computer worms exhibit certain connection behavior patterns to infect hosts, as discussed above, but there are also characteristics of the manner in which worms infect hosts that may be used to classify those worms. Some of these characteristics involve the methods used to locate hosts to infect, while others involve the types of hosts targeted by the worm. The four types of computer worms investigated by the author are as follows:
- Book worms
- Remote system worms
- Internet worms
- File sharing network worms
Book worms in the realm of malicious software derive their classification from the tendency of the worms to bore through the address books belonging to users of infected computers to locate future targets. These worms spread through infected e-mail messages, which may contain an attachment or a link to an infected website (Computer Virus Problems, 2008). This class of worm was the earliest type of worm developed and differed from the original viruses by not requiring an infected file as a transport mechanism. Two well-known variations of the book worm class were the W97/Melissa worm and the W32/Magistr worm, which the author researched in further detail.
W97 / Melissa
The Melissa worm spread very quickly because antivirus software installed on end user devices had not kept up with zero-day exploits. The worm e-mailed itself to people known to users of infected computers and enticed those people to open the infected e-mail messages. Schneier (1999) claimed that the Melissa worm infected nearly 2 million hosts before an update to antivirus software was developed and released. The volume of traffic that Melissa generated required many administrators to shut down and disinfect e-mail servers, which caused lengthy outages for a number of facilities.
The author was involved in the cleanup efforts following an incident of an infestation of the Melissa worm. The incident involved the infection of a large number of client hosts comprising a network of around 50,000 computers. Five e-mail servers were taken offline for three days and IT staff had to visit every client computer to check for the worm and disinfect the computer as necessary. The costs of the cleanup would be hard for the author to estimate but part of the cost included travel expenses for IT staff; the network was spread across 37 states.
W32 / Magistr
Although, as stated by Manelli (2001), the Magistr worm was not as quick to infect hosts as Melissa was, the Magistr worm was much more destructive. The worm could compromise or destroy private or confidential data and prevent a PC from rebooting. The Magistr worm also took advantage of three different methods of propagation: LAN connections, removable media, and e-mail.
Magistr employed a method to confuse users by generating gibberish in the subject headings of mail messages. This had the effect of enticing users to open the messages to see what the contents could possibly be. Opening the message triggered the worm, which would then lie dormant for thirty days. The end of the thirty-day wait was marked by extremely malicious activity, finally resulting in the destruction of the system's Basic Input/Output System (BIOS) on hosts running Windows operating system releases prior to Windows NT (Manelli, 2001).
Remote System Worms
Remote access utilities aid network administrators in managing network servers from long distances. However, remote access services use special administrative shares, and these shares are the targets of remote system worms. McAfee Labs (2003) discovered the Mumu worm, which targets the IPC$ and ADMIN$ shares of Windows servers by using the uHFind.exe Trojan to scan random Class C IP addresses on the local network and retrieve share passwords. The passwords are then used to infiltrate and control host systems.
Other worms that scan for remote systems have overwhelmed infrastructure resources, such as routers and switches. “The SQL Slammer/Sapphire worm and the Ramen worm generated large volumes of scans destined to multicast addresses creating a storm of Source Active (SA) messages that propagated across Multicast Source Discovery Protocol (MSDP) enabled networks” (Saudi, Tamil, & Idris, 2008, p. 46). The large amounts of network traffic and congestion caused by such worms can bring down entire networks.
The most notable feature of the Bugbear worm was that the worm would attempt to circumvent host firewalls and antivirus utilities. Bugbear could traverse network shares to infect systems in a similar fashion to the Mumu worm and could leave behind backdoors to facilitate the hacker's re-entry into the system (Liu, 2003). The main payload of the Bugbear worm was a key-logging utility that hackers could use to capture sensitive information from the victim.
Microsoft (2007) classified the Wangy worm as a mass-mailer worm. This particular type of worm contains an embedded Simple Mail Transfer Protocol (SMTP) engine, which the worm uses to generate large volumes of e-mail. Since the mail engine is embedded in the worm, the worm does not rely on the host computer's address book or mail application. Mail originating from the Wangy worm would not appear in the victim's outbox, so the traffic was difficult to detect on the host itself.
Internet Worms
Computer Virus Problems (2008) detailed a type of worm that scans the Internet to seek out new hosts to infect. Conficker, a widely publicized worm, used dynamic domain generation as a command and control mechanism to coordinate the attacks of infected hosts. Porras (2009) claimed that a patch for the buffer overflow vulnerability that Conficker used to infiltrate systems had been available for a month before the worm's release. Conficker also used Peer-to-Peer (P2P) networking over encrypted channels to distribute the worm's payloads.
One interesting development of the Conficker outbreak was that the worm mainly infected computers in Asian countries. Microsoft tests computers for valid operating system licenses before update downloads may begin. The high rate of software piracy in Asian countries meant that Internet-connected computers there running pirated versions of Microsoft Windows could not receive the patch and were left to be infected by the Conficker worm.
File Sharing Network Worms
Shared folders used by P2P networks are the typical targets of file sharing network worms unlike Internet worms that may use P2P networks for command and control. Computer Virus Problems (2008) identified file sharing network worms as those which drop copies of the worms with innocent names in the shared folders used by P2P networks. The most notorious of this type of worm was the Storm Worm, also known as Trojan Peacomm, which received its name from the subject lines or titles used to entice victims.
Chien (2009) claimed that “Peacomm is a combination of an open source email worm, a file infecting virus, a polymorphic packer, a spam relay, a rootkit, and a botnet that operates over a peer-to-peer network” (para. 1). Most Trojans or worms may contain one or two of these features, but Peacomm contained them all. Peacomm could also retaliate against researchers who probed the botnet while attempting to discover a means to disable the command and control structure.
The purpose of the Storm worm was to generate spam. Chien (2009) stated that early measurements demonstrated that the worm was capable of sending mail at a rate reaching 1,800 messages in a five-minute period. This volume of traffic originating from a single machine could slow down a network somewhat, but a mass of machines infected with the Storm worm could bring a network to its knees.
Worms exhibit certain behavioral characteristics that make classification of the types of worms possible. Book worms use a victim’s address book to generate e-mail. Remote system worms may attack the mechanisms that administrators use for remote administration. Internet worms use the Internet namespace to aid attacks. File sharing network worms attack network shares.
Although the mechanisms for attack may differ according to the type of worm, each of the worm types still exhibits characteristic worm behavior, chief of which is self-propagation. Worms spread between hosts and networks using the resources of the infected host and, unlike ordinary viruses, do not need to infect a file to use as a transport. Some worms employ stealth techniques that make them difficult to detect and clean from infected systems.
The effects of a computer worm infection on an organization's network may be total devastation. Downtime, lost productivity, and the expense of disinfecting the network may well run into the hundreds of thousands of dollars or more for a large organization. Other side effects may also accompany a worm infection; for instance, an organization with a large infection by spam-generating worms may wind up on its ISP's blacklist for offensive e-mail. This would prevent the organization from sending any e-mail until the blacklist entry was removed.
Much can be written about the mechanisms of worm infection and the effects to victims but the most important concern should be prevention. Most computer worms do require an action from a user for the worm’s payload to download or the worm to activate. Educating users on safe web surfing habits and e-mail practices could eliminate most infections before they occur.
- Chien, E. (2009). The perfect storm. Symantec.
- Computer Virus Problems. (2008). Types of computer worms. Computer Virus Problems.
- Li, J., & Knickerbocker, P. (2007). Functional similarities between computer worms and biological pathogens. Computers & Security, 338-347.
- Li, J., Stafford, S., & Ehrenkranz, T. (n.d.). SWORD: Self-propagating worm observation and rapid detection. Department of Computer Science, University of Oregon.
- Liu, Y. (2003). W32.Bugbear@mm. Symantec Security Response.
- McAfee Labs. (2003). BAT/Mumu.worm. McAfee Labs Threat Center.
- Microsoft. (2007). Microsoft Malware Protection Center: Malware encyclopedia.
- Porras, P. (2009). Inside risks: Reflections on Conficker. Communications of the ACM, 52(10), 23-24. Retrieved from EBSCOhost.
- Saudi, M., Tamil, E., & Idris, M. (2008). Worm analysis through computer simulation (WAtCOS). International Journal of Learning, 15(5), 45-56. Retrieved from EBSCOhost.
- Schneier, B. (1999). The Trojan horse race. Communications of the ACM, 42(9), 128. Retrieved from EBSCOhost.