2. Worms
Worms: A worm is a program that uses computer
networks and security holes to replicate itself.
Scans the network for another machine that has a
specific security hole and copies itself
Use up computer processing time and network bandwidth
during replication.
Carry payloads that do considerable damage.
3. Virus v/s Worm
Virus
• Attaches itself to OS or the
programs
• Need user action to abet their
propagation.
• Damages caused is mostly
local to the machine
• Spread quite slowly
Worm
• Do not Attaches itself to OS
• Self propagates across a network
exploiting security in widely used
services.
• It harms the network and consumes
n/w
bandwidth.
• Spread much more rapidly Ex. SQL
Slammer worm 75,000 victims
within ten minutes.
6. I. Target Discovery
Scanning:
Scanning entails probing a set of addresses to identify
vulnerable hosts. (Sequential form or Random form)
Pre- Generated Target Lists
Externally Generated Target Lists
An target list maintained on a server (Metaserver)
Internal Target Lists
Network-based applications always contain information
about other hosts
Passive
Not positively search for victim hosts, it waiting for potential
victims contact and produces no abnormal traffic
More stealthy
7. II. Propagation Carriers
Two basic types
Positively spread itself machine by machine(Self-
Carried)
Be carried along with normal communication.
Second Channel
Need second communication channel
Embedded
Either appending to or replacing normal messages and very
difficult to detect
8. III. Activation
Human Activation(slowest worm activation method)
Try to convince people by using social engineering
techniques
Indicating urgency, “Attached is an important message for you”
Using people’s vanity, “Open this message to see who loves
you”
Human Activity-Based Activation
Resetting the machine
Logging in
Opening a remotely infected file
Scheduled Process Activation
Auto-updater programs
Self Activation(fastest worm activation)
Attach themselves to running services
9. IV. Payloads
A "payload" is code in the worm designed to do more
than spread the worm.
None/nonfunctional (Morris worms)
Internet Remote Control (Code Red II)
Spam-Relays (Sobig.f)
Internet DOS (Code Red, Yaha)
Data Collection(target on sensitive data and identity theft)
Data Damage(erase data)
Physical-world Damage
Reflashing the BIOSs
Destroying the motherboards
10. Work of Payloads
Delete files
Encrypt files
Send documents via e-mail
Install a “backdoor” in the infected computer to allow the
creation of a “zombie” computer under control of the worm
author. Networks of such machines are often referred to as
botnets.
11. Prevalence Table – November
2011
Malware Type %
Autorun Worm 8.08%
Heuristic/generic Worm 5.13%
Conficker/Downadup Worm 2.85%
VB Worm 2.12%
Dorkbot Worm 1.46%
According to VIRUS BULLETIN (www.virusbtn.com)JANUARY 2012
13. Morris worms
Launched on November 2, 1988 from MIT, by Robert Morris.
Designed to spread on UNIX System.
6000 computers out of 60000 computers at that time (i.e 10%).
The U.S. GAO(Government Accountability Office) put the cost of
the damage at $10M–100M.
He was convicted in the US under the 1986 Computer Fraud and
Abuse Act.
14. Code Red
Made huge headlines in 2001.
It slowed down Internet traffic when it began to replicate itself.
Worm scanned the Internet for unpatched Windows NT or Windows
2000 servers.
The Code Red worm had instructions to do three things:
Replicate itself for the first 20 days of each month
Replace Web pages featuring the message "Hacked by
Chinese"
Launch a concerted attack on the White House Web site.
----The U.S. government changed the IP address of
www.whitehouse.gov (198.137.240.91).
15. Nimda
The worm was released on September 18, 2001
the Internet’s most widespread virus/worm within 22 minutes.
Nimda affected both user workstations (clients) running Windows
95, 98, Me, NT, 2000 or XP and servers running Windows NT and
2000.
Nimda spread by five different infection vectors:
via email
via open network shares
via browsing of compromised web sites
via back doors left behind by the "Code Red II" and "sadmind/IIS" worms.
16. SQL Slammer worm
Starting on January 25, 2003. It spread rapidly, infecting most of its
75,000 victims within ten minutes.
Although titled "SQL slammer worm", the program did not use the
SQL language
It exploited a buffer overflow bug in Microsoft's SQL Server
Slammer's tiny (376 byte) program.
17. Sobig.f Worm
In late 2003, the Sobig.f worm exploited open proxy servers to turn
infected machines into a spam engine.
The Sobig worm appears as an electronic mail with one of the
following subjects: Re: Approved, Re: Details, Re: My details, Re:
Thank you!, Re: That movie etc.
It will contain the text: "See the attached file for details” and have
attachments such as application.pif, details.pif, movie0045.pif etc.
At its peak Sobig.f reportedly accounted for 1 in every 17
messages.
It produced more than one million copies of itself with in the first 24
hours.
It was written using the Microsoft Visual C++ compiler.
18. Prevention
How can I prevent virus’, trojans, worms and malware fromgetting
onto my system?
Careful web browsing
E-mail safety
Keep protection tools up to date
Review software being installed
and monitor your child’s computer usage
19. Current research Focus
Modelling: To model Worm propagation
Scanning Techniques
Sequential Scanning
Hit List Based Scanning
Permutation Scanning
Preferential Subnet Scanning
Propagation Mechanisms
Prevention Techniques
20. Refrences
1. VIRUS BULLETIN (www.virusbtn.com)JANUARY 2012
2. A Taxonomy of ComputerWorms WO RM’0 3, O cto be r 27 , 20 0 3,
Washing to n, DC, USA.
3. www.vxheavens.com
4. www. wikipe dia. co m
5. www. ho wstuffwo rks. co m
6. NetworkSecurity Essentials -William Stallings
