Network Worms
Today everyone has heard of computer worms.
Worms can be classified according to the propagation method they
use, i.e. how they deliver copies of themselves to new victim machines.
Worms can also be classified by installation method, launch method and
finally according to characteristics standard to all malware:
polymorphism, stealth etc.
Many of the worms which managed to cause significant outbreaks use
more than one propagation method as well as more than one infection
technique. The methods are listed separately below.
Email worms
Email worms spread via infected email messages. The worm may be in
the form of an attachment or the email may contain a link to an
infected website. However, in both cases email is the vehicle.
In the first case the worm will be activated when the user clicks on
the attachment. In the second case the worm will be activated when the
user clicks on the link leading to the infected site.
Email worms normally use one of the following methods to spread:
- Direct connection to SMTP servers using an SMTP API library coded into the worm
- MS Outlook services
- Windows MAPI functions
Email worms harvest email addresses from victim machines in order to
spread further. Worms use one or more of the following techniques:
- Scanning the local MS Outlook address book
- Scanning the WAB address database
- Scanning files with appropriate extensions for email address-like text strings
- Sending copies of itself to all mail in the user’s mailbox (worms may even ‘answer’ unopened items in the inbox)
While these techniques are the most common, some worms even
construct new recipient addresses by combining lists of possible names
with common domain names.
Instant Messaging (ICQ and MSN) Worms
These worms have a single propagation method. They spread using
instant messaging applications by sending links to infected websites to
everyone on the local contact list. The only difference between these
worms and email worms which send links is the media chosen to send the
links.
Internet Worms
Virus writers use other techniques to distribute computer worms, including:
- Copying the worm to networked resources
- Exploiting operating system vulnerabilities to penetrate computers and/or networks
- Penetrating public networks
- Piggy-backing: using other malware to act as a carrier for the worm.
In the first case, the worms locate remote machines and copy
themselves into folders which are open for reading and writing.
These network worms scan all available network resources using local
operating system services and/or scan the Internet for vulnerable
machines. They will then attempt to connect to these machines and gain
full access to them.
In the second case, the worms scan the Internet for machines that
have not been patched, i.e. have operating systems with critical
vulnerabilities still open to exploitation. The worm sends data packets
or requests which install either the entire body of the worm or a
section of the worm’s source code containing downloader functionality.
If this code is successfully installed the main worm body is then
downloaded. In either case, once the worm is installed it will execute
its code and the cycle continues.
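As an added example (not part of the original page), the detection side of the two behaviours described above: a Python check over a constructed connection log that flags workstations speaking SMTP directly to many destinations (a worm with its own SMTP engine bypassing the mail relay) and hosts sweeping many addresses on one port (scanning for unpatched machines). The log format, the relay address and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Connection-log format assumed for this example (constructed, not a real product's):
# "<epoch> <src_ip> <dst_ip> <dst_port>"
LOG_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

MAIL_RELAY = "10.0.0.25"  # assumption: the only host that should speak SMTP outbound

def parse(lines):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)

def find_mass_mailers(lines, min_dst=5):
    """Hosts other than the mail relay that open SMTP (port 25) connections to
    min_dst or more distinct destinations: typical of an email worm carrying
    its own SMTP engine rather than using the user's mail client."""
    dsts = defaultdict(set)
    for _, src, dst, port in parse(lines):
        if port == 25 and src != MAIL_RELAY:
            dsts[src].add(dst)
    return sorted(src for src, d in dsts.items() if len(d) >= min_dst)

def find_scanners(lines, window=60, min_dst=10):
    """Hosts that contact min_dst or more distinct hosts on one port within
    `window` seconds: the signature of a worm probing for unpatched machines."""
    events = defaultdict(list)  # (src, port) -> [(ts, dst)]
    for ts, src, dst, port in parse(lines):
        events[(src, port)].append((ts, dst))
    hits = set()
    for (src, port), ev in events.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):
            seen = {d for t, d in ev[i:] if t - t0 <= window}
            if len(seen) >= min_dst:
                hits.add((src, port))
                break
    return sorted(hits)

# Constructed sample log: relay mail, a mass-mailing workstation, a fast SMB sweep,
# a slow sweep that stays below the rate threshold, and one malformed line.
SAMPLE_LOG = (
    [f"{1000 + i} 10.0.0.25 203.0.113.{i} 25" for i in range(6)]
    + [f"{1000 + i} 10.0.0.7 198.51.100.{i} 25" for i in range(6)]
    + [f"{2000 + i} 10.0.0.9 192.0.2.{i} 445" for i in range(12)]
    + [f"{3000 + i * 100} 10.0.0.11 192.0.2.{i} 445" for i in range(12)]
    + ["malformed entry"]
)
```

Raising `window` in `find_scanners` also catches the slow sweep, at the cost of more false positives from busy legitimate hosts.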
Worms that use Web and FTP servers fall into a separate category.
Infection is a two-stage process. These worms first penetrate service
files on the file server, such as static web pages. Then the worms wait
for clients to access the infected files and attack individual
machines. These victim machines are then used as launch pads for
further attacks.
Some virus writers use worms or Trojans to spread new worms. These
writers first identify Trojans or worms that have successfully
installed backdoors on victim machines. In most cases this
functionality allows the master to send commands to the victim machine:
such zombies which have backdoors installed can be commanded to
download and execute files – in this case copies of the new worm.
Many worms use two or more propagation methods in combination, in order to more efficiently penetrate potential victim machines.
IRC Worms
These worms target chat channels, although to date IRC worms have
been detected. IRC worms also use the propagation methods listed above:
sending links to infected websites or infected files to contacts
harvested from the infected user. Sending infected files is less
effective as the recipient needs to confirm receipt, save the file and
open it before the worm is able to penetrate the victim machine.
File-sharing Networks or P2P Worms
P2P worms copy themselves into a shared folder, usually located on
the local machine. Once the worm has successfully placed a copy of
itself under a harmless name in a shared folder, the P2P network takes
over: the network informs other users about the new resource and
provides the infrastructure to download and execute the infected file.
More complex P2P worms imitate the network protocol of specific
file-sharing networks: they respond affirmatively to all requests and
offer infected files containing the worm body to all comers.