Computer Worms

Witty worm

Sapphire/Slammer worm

Worm spreads via zero day Microsoft DNS vulnerability

Honeynets and Botnets

Storm Worm Botnet More Powerful Than Top Supercomputers

Is Desktop Anti-Virus Dead?


What is a computer worm?

A worm is a self-replicating piece of code that spreads via networks and usually doesn't require human interaction to propagate.

A worm is a self-contained program (or set of programs), that is able to spread functional copies of itself or its segments to other computer systems (usually via network connections).


A typical Internet worm travels as a file attachment in an email. The user runs the attached file, and the worm invades the user's system and sends itself to recipients in the user's email address book. An email arrives in the new victim's inbox, sent by a known acquaintance. It implores the new victim to run the attached file or web link. The W32.Melting.Worm is typical of such programs. It appears in a user's Outlook inbox with the subject line "Fantastic Screensaver." The body includes the following text: "Hello my friend! Attached is my newest and funniest Screensaver, I named it MeltingScreen. Test it and tell me what you think. Have a nice day my friend." If a user runs the attachment, the worm copies itself as MeltingScreen.exe to the user's Windows directory and begins renaming .EXE files to .BIN, while executing a graphics routine that makes the screen appear to melt. Upon reboot, the system is likely to lock up. It emails itself to everyone in the victim's email address book as an attachment called MeltingScreen.exe or Melting.exe.

Signs of a worm compromising a network:

- The most common sign is a new, previously unknown symptom or email appearing at two or more connected PCs at the same time.

- The email server and network could start to slow down under the strain of sending thousands of emails all at once.

- A firewall might report a sudden onset of either incoming or outgoing traffic on a rarely used TCP/IP port.

- On a single PC, a common sign is a sudden decrease in processing speed soon after downloading a new file, reading an unexpected email, or visiting a new web site. Other symptoms include strange error messages that don't indicate which program caused them, new programs in memory, new files with current modification dates, an inverted screen, a CD-ROM tray that opens and closes by itself, or programs starting and ending by themselves.
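The firewall symptom in the list above is the easiest one to turn into an automated check. The Python below is an added example, not part of the original notes: it reads a constructed firewall log in a hypothetical one-line-per-connection format, counts how many distinct destination hosts each source contacts on each port, and flags the high fan-out pairs that a worm's target selection produces. The threshold is an assumption to tune per site.

```python
"""Flag hosts whose connection fan-out on one port looks like worm scanning."""
import ipaddress
import re
from collections import defaultdict

# Log format assumed here (hypothetical firewall export, one line per connection):
#   <timestamp> <ALLOW|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.7 sweeps the subnet on TCP 445 (the port Sasser
# connected to); the other hosts show ordinary low fan-out traffic.
SAMPLE_LOG = """\
2004-05-01T10:00:01 ALLOW TCP 10.0.0.5:1025 -> 10.0.0.9:80
2004-05-01T10:00:02 ALLOW TCP 10.0.0.5:1026 -> 10.0.0.12:80
2004-05-01T10:00:04 DROP TCP 10.0.0.7:3001 -> 10.0.0.1:445
2004-05-01T10:00:04 DROP TCP 10.0.0.7:3002 -> 10.0.0.2:445
2004-05-01T10:00:04 DROP TCP 10.0.0.7:3003 -> 10.0.0.3:445
2004-05-01T10:00:05 ALLOW TCP 10.0.0.7:3004 -> 10.0.0.4:445
2004-05-01T10:00:05 DROP TCP 10.0.0.7:3005 -> 10.0.0.6:445
2004-05-01T10:00:05 DROP TCP 10.0.0.7:3006 -> 10.0.0.8:445
2004-05-01T10:00:06 ALLOW UDP 10.0.0.20:1434 -> 10.0.0.30:1434
2004-05-01T10:00:06 ALLOW UDP 10.0.0.20:1434 -> 10.0.0.31:1434
2004-05-01T10:00:07 INFO link state change on eth1
"""

def parse_line(line):
    """Return the fields of one connection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return None if m is None else {**m.groupdict(), "dport": int(m["dport"])}

def fan_out(log_text):
    """Map (src, proto, dport) -> set of distinct destination hosts contacted."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        seen[(rec["src"], rec["proto"], rec["dport"])].add(rec["dst"])
    return seen

def find_scanners(log_text, threshold=5):
    """(src, proto, dport, distinct_dsts) for every pair at or above threshold.
    A worm's target selection algorithm hits many addresses on the one port its
    warhead needs, so distinct destinations per (source, port) is the signal;
    the threshold is a site-specific assumption, not a universal constant."""
    hits = [(s, p, d, len(v)) for (s, p, d), v in fan_out(log_text).items() if len(v) >= threshold]
    return sorted(hits, key=lambda h: (-h[3], ipaddress.ip_address(h[0]), h[1], h[2]))
```

Calling `find_scanners(SAMPLE_LOG)` reports only 10.0.0.7 on TCP/445; lowering the threshold to 2 also surfaces the two low-fan-out hosts, which is the false-positive trade-off a real deployment has to tune.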


The difference between worms and viruses.

Viruses versus Worms

| Malware Type | Replication | Spread Via… | User Interaction Required for Spread? |
|---|---|---|---|
| Virus | Self-replicating | Infecting a file, such as an executable or document file. | Typically, user interaction is required for propagation, such as running a program or opening a document file. |
| Worm | Self-replicating | Propagating across a network, such as an internal network or the Internet. | Typically, no user interaction is required, as the worm spreads via vulnerabilities or misconfigurations in target systems. However, for a small number of worms, some user interaction is necessary for propagation (e.g., opening an e-mail viewer). |


Why Worms?


Taking over Vast Numbers of Systems

Making Traceback More Difficult

Vulnerability scanning from one machine versus a distributed network of worm-conquered systems.


Amplifying Damage


A Brief History of Worms

Notable Worms

| Worm Name | Release Time Frame | Target Platform | Notable Characteristics |
|---|---|---|---|
| Morris Worm (also known simply as "The Internet Worm") | November 1988 | UNIX | This virulent worm disabled major components of the early Internet, making news headlines worldwide. Most geeks older than a certain age can easily answer the question, "Where were you when the big worm hit?" I was in college, taking a class in C programming, where we got to study the worm in action. Ahhhh… the good old days. |
| Melissa | March 1999 | Microsoft Outlook e-mail client | Since the Morris Worm 11 years before, only a few minor worm outbreaks had occurred. Most malware development focused on virus writing, which took off in the early and mid-1990s. That all changed with the release of Melissa, which harnessed the power of the Internet to spread malware. This Microsoft Word macro virus spread via Outlook e-mail, acting as a virus (infecting .DOC files) and a worm (spreading via the network). |
| The Love Bug | May 2000 | Microsoft Outlook e-mail client | This Visual Basic Script worm spread via Outlook e-mail. Several organizations disconnected themselves from the Internet for a couple of days, waiting for this storm to pass. |
| Ramen | January 2001 | Linux | This worm conquered systems using three different buffer overflow vulnerabilities. Upon installation, it altered the default Web page to proclaim, "Hackers loooove noodles!" Now, I love ramen noodles as much as the next guy. However, I've never felt the need to immortalize them with a worm. |
| Code Red | July 2001 | Windows IIS Web server | This extremely virulent worm conquered 250,000 systems in less than nine hours. From systems around the world, it planned a packet flood against the IP address of www.whitehouse.gov. |
| Nimda | September 2001 | Windows: Internet Explorer, file sharing, IIS Web server, Microsoft Outlook | This multiexploit worm included approximately 12 different spreading mechanisms. Released only a week after the September 11, 2001 terrorist attacks, it was one of the most rapidly expanding and determined worms we've ever faced. |
| Klez | January 2002 | Microsoft Outlook e-mail clients and Windows file sharing | This worm contained a small step toward polymorphism with its randomization of e-mail subject lines and attachment file types. Klez also actively attempted to disable antivirus products. |
| Slapper | September 2002 | Linux systems running Apache with OpenSSL | This worm spread via a flaw in the Secure Sockets Layer (SSL) code used by Apache Web servers. As it spread, it built a massive peer-to-peer distributed denial-of-service network, awaiting a command from the attacker to launch a massive flood. |
| SQL Slammer/Sapphire | January 2003 | Windows systems running Microsoft SQL Server database | This evil little program spread very efficiently, disabling much of South Korea's Internet connectivity for several hours and shutting down thousands of cash machines in North America. |
| Blaster/Lovsan | August 2003 | Windows systems | It spread by exploiting a buffer overflow in the DCOM RPC service on the affected operating systems, for which a patch had been released one month earlier. It was designed to launch a DDoS against windowsupdate.com. |
| Witty | March 2004 | Internet Security Systems software | It exploited holes in several Internet Security Systems (ISS) products. It was the first worm to carry a destructive payload, and it spread rapidly using a pre-populated list of ground-zero hosts. |
| Sasser | May 2004 | Windows XP and 2000 | It spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service). The worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. The most common characteristic of the worm is the shutdown timer that appears because the worm crashes LSASS.exe and reboots the machine. |
| Nyxem | January 2006 | MS Windows | It spreads by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file-sharing software and to destroy files of certain types, such as Microsoft Office files. |
| Storm | January 2007 | MS Windows | It spreads by mass-mailing. It merges compromised machines into a botnet with no centralized control (peer-to-peer), which makes it difficult to estimate the true size of the botnet. |


Cycles of worm releases

Just as vulnerabilities have a window of exposure between the release of information about the vulnerability and the widespread use of exploits against them, worms have an interval of time between the release of the vulnerability and the appearance of the worm. Nearly any widespread application with a vulnerability can be capitalized on by a worm.

Interval between Vulnerability Announcement and Worm Appearance

Worms that appear on more than one row exploited more than one vulnerability; each row gives the interval for one of them.

| Name | Vulnerability Announced | Worm Found | Interval (Days) |
|---|---|---|---|
| SQLsnake | November 27, 2001 | May 22, 2002 | 176 |
| Code Red | June 19, 2001 | July 19, 2001 | 30 |
| Nimda | May 15, 2001 | September 18, 2001 | 126 |
| Nimda | August 6, 2001 | September 18, 2001 | 42 |
| Nimda | April 3, 2001 | September 18, 2001 | 168 |
| Sadmind/IIS | December 14, 1999 | May 8, 2001 | 511 |
| Sadmind/IIS | October 10, 2000 | May 8, 2001 | 210 |
| Ramen | July 7, 2000 | January 18, 2001 | 195 |
| Ramen | July 16, 2000 | January 18, 2001 | 186 |
| Ramen | September 25, 2000 | January 18, 2001 | 115 |
| Slapper | July 30, 2002 | September 14, 2002 | 45 |
| Scalper | June 17, 2002 | June 28, 2002 | 11 |
| Sapphire | July 24, 2002 | January 25, 2003 | 184 |

The table above shows the interval between the release of information about a vulnerability and the introduction of a worm that exploited that weakness. Some worms are fast to appear, such as the Slapper worm (with an interval of 11 days), while others are much slower, such as the sadmind/IIS worm (with a minimum interval of 210 days). This table clearly illustrates the need to evaluate patches for known vulnerabilities and implement them as efficiently as possible as a means of stopping the spread of future worms.

This relates directly to the importance of the rapid deployment of security patches to hosts and the sound design of a network. Worms can appear rapidly (as the Slapper worm did), quickly changing the job of a security administrator or architect from prevention to damage control.


Worm Components

The component elements of a worm.


The Worm Warhead

The methods worms use to first gain access to the victim machine:

- Buffer Overflow Exploits.

- File-sharing Attacks.

- E-mail.

- Other Common Misconfigurations.

Propagation Engine

A method the worm uses to transfer the rest of its body to the target.

Worm Propagation Methods Using File Transfer Mechanisms

| File Transfer Program | Description |
|---|---|
| FTP | The File Transfer Protocol is used to move files across networks, with clear-text user ID and password authentication or anonymous access. |
| TFTP | The Trivial File Transfer Protocol, a little sibling of the more complex FTP protocol, supports unauthenticated access to push or pull files across the network. |
| HTTP | The HyperText Transfer Protocol is commonly used to access Web pages, but can also be used to transfer files. |
| SMB | Microsoft's Server Message Block protocol is used for Windows file sharing, and is also supported on UNIX servers running Samba. |


Target Selection Algorithm

Once the worm is running on the victim machine, the target selection algorithm starts looking for new victims to attack.

- E-Mail Addresses.

- Host Lists.

- Trusted Systems.

- Network Neighborhood.

- DNS Queries.

- Randomly Selecting a Target Network Address.

IP Address Assignment Based on Class

| Class | IP Address Range | Number of Networks in This Class | Usable Host Addresses per Network |
|---|---|---|---|
| Class A | First octet ranges from 1 to 126, other octets are zero to 255: [1–126].x.y.z | 126 | 16,777,214 |
| Class B | First octet ranges from 128 to 191, other octets are zero to 255: [128–191].x.y.z | 16,384 | 65,534 |
| Class C | First octet ranges from 192 to 223, other octets are zero to 255: [192–223].x.y.z | 2,097,152 | 254 |


Scanning Engine

The scanning engine is used to test a potential target for the worm's exploit.

Payload

A worm's payload is a chunk of code designed to implement some specific action on behalf of the attacker on a target system.

- Opening up a Backdoor.

- Planting a Distributed Denial of Service Flood Agent.

- Performing a Complex Mathematical Operation.


Nimda Case Study


Impediments to Worm Spread


Diversity of Target Environment

Methods a worm uses to adapt to an unsuitable environment.


Crashing Victims Limits Spread

Overexuberant Spread Could Congest Networks

Stepping on Itself

Getting Stepped on By Someone Else


The Coming Superworms - Already here!

Multiplatform Worms
1. W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including the DCOM RPC vulnerability using TCP port 135 on Windows XP machines and the WebDAV vulnerability using TCP port 80 on machines running Microsoft IIS 5.0. As coded in this worm, this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.

2. MSIL.Yakizake is a cross-platform worm that will infect not only Vista, Linux and Solaris but also Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003 and Windows 2000. Essentially, though, the worm is designed to run in the .NET or Mono framework, and since it comes complete with mass-mailing capabilities, it also requires the Thunderbird desktop email client to be installed.

Multiexploit Worms

Zero-Day Exploit Worms

A "zero-day" exploit is any vulnerability that's exploited immediately after its discovery. This is a rapid attack that takes place before the security community or the vendor knows about the vulnerability or has been able to repair it. Such exploits are a Holy Grail for hackers because they take advantage of the vendor's lack of awareness and the lack of a patch, enabling the hacker to wreak maximum havoc.

See article: Worm spreads via zero day Microsoft DNS vulnerability

Fast-Spreading Worms


The Warhol/Flash technique lets worms spread much more quickly.

The SQL Slammer/Sapphire worm was the first observed example of a Warhol worm. Its spreading mechanism used a pseudo-random number generator to determine which IP addresses to attack next. Also, the worm infected new hosts over the UDP protocol, and the entire worm (only 376 bytes) was sent as a single packet. According to an analysis of the SQL Slammer outbreak, its growth followed an exponential curve with a doubling time of 8.5 seconds in the early phases of the attack, which was slowed only by the collapse of many networks because of the congestion caused by SQL Slammer's traffic. 90% (of 75,000) of all vulnerable machines were infected within 10 minutes, showing that the original estimate for infection speed was roughly correct. Watch this before-and-after animation showing the number of infected Sapphire hosts in a half-hour period between 05:29 UTC and 06:00 UTC.
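The doubling-time figure above follows from a simple random-scanning model, which this added Python example (not from the original notes or the cited analysis) fits to the page's own numbers: it derives the per-host probe rate implied by an 8.5-second doubling time across 75,000 vulnerable hosts in a 2^32 address space, then solves and simulates the resulting logistic curve to find when 90% are infected. The model ignores network congestion, so it gives the idealized upper bound on speed, which is why it comes in well under the observed 10 minutes.

```python
"""Random-scanning worm spread model, fitted to the SQL Slammer numbers above."""
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random target selector can choose from
VULNERABLE = 75_000       # vulnerable population quoted in the text
DOUBLING_TIME = 8.5       # seconds, early-phase doubling time quoted in the text

def early_growth_rate(doubling_time):
    """Exponential rate k (1/s) matching an early-phase doubling time Td: I(t) ~ 2**(t/Td)."""
    return math.log(2) / doubling_time

def implied_scan_rate(k, vulnerable, address_space=ADDRESS_SPACE):
    """Probes per second each infected host must send to produce the rate k.
    A random probe hits a vulnerable host with probability vulnerable/address_space,
    so k = scan_rate * vulnerable / address_space."""
    return k * address_space / vulnerable

def infected_at(t, k, n, i0=1):
    """Closed-form logistic solution of dI/dt = k * I * (1 - I/n) with I(0) = i0."""
    return n / (1 + (n / i0 - 1) * math.exp(-k * t))

def time_to_fraction(frac, k, n, i0=1):
    """Seconds until a fraction frac of the vulnerable population is infected."""
    return math.log((n / i0 - 1) * frac / (1 - frac)) / k

def simulate(scan_rate, n, dt=0.1, t_max=600.0, i0=1, address_space=ADDRESS_SPACE):
    """Step the same model numerically; returns a list of (t, infected) samples.
    Unlike the closed form this is easy to extend with a congestion term, which is
    what slowed the real outbreak once scan traffic saturated links."""
    hit_prob = n / address_space
    infected, samples = float(i0), [(0.0, float(i0))]
    for step in range(1, int(t_max / dt) + 1):
        new = scan_rate * infected * hit_prob * (1 - infected / n) * dt
        infected = min(n, infected + new)
        samples.append((step * dt, infected))
    return samples

def simulated_time_to_fraction(samples, frac, n):
    """First sample time at which the simulated count reaches frac * n."""
    return next(t for t, i in samples if i >= frac * n)

if __name__ == "__main__":
    k = early_growth_rate(DOUBLING_TIME)
    rate = implied_scan_rate(k, VULNERABLE)
    run = simulate(rate, VULNERABLE)
    print(f"implied scan rate: {rate:.0f} probes/s per infected host")
    print(f"90% infected, closed form: {time_to_fraction(0.9, k, VULNERABLE):.0f} s")
    print(f"90% infected, simulation:  {simulated_time_to_fraction(run, 0.9, VULNERABLE):.0f} s")
```

With the page's numbers the implied rate is roughly 4,700 probes per second per infected host, and 90% of the population is reached in under three minutes of idealized spread; the gap to the observed 10 minutes is the congestion the model leaves out.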

Polymorphic Worms

Metamorphic Worms

Polymorphic and metamorphic components added to the worm mix.


Truly Nasty Worms


Bigger Isn't Always Better: The Un-Superworm


Why UDP is a more efficient spreading mechanism for worms.


Worm Defenses


Ethical Worms

Antivirus: A Good Idea, But Only with Other Defenses

Deploy Vendor Patches and Harden Publicly Accessible Systems

Block Arbitrary Outbound Connections

Establish Incident Response Capabilities

Don't Play with Worms, Even Ethical Ones, Unless…

A new way to protect computer networks against worms