Sunday, June 30, 2013

The Malware Trilogy: Worms

The weaknesses of computer viruses lie in their similarity to "real" viruses: they depend on their hosts to spread the infection.  They depend on human intervention—files and programs can't be infected if they aren't run first.  Viruses leave tracks everywhere they go and the rate at which the infection spreads is highly variable, depending on how much the computer is actually used.

At the turn of the millennium, the Internet was beginning to experience widespread use.  The opportunity arose for hackers to make money off of people using their credit cards online, doing their banking online, and so on.  Viruses could help them do the job, but they weren’t exactly the stealthiest or most efficient programs out there.  There was yet another program—the worm—that would prove much more helpful.

(It’s important to note that worms had come into existence long before the late 90s.  This was just the time when they began to become popular.)

How Worms Work

Worms have a couple of things in common with viruses:
  • They self-replicate
  • They have some dependency on the host computer to spread

However, the way they spread makes them far different—and more dangerous: worms do NOT infect files.  That’s right; they leave your files alone.  This actually makes them more of a threat, because not touching files makes them both faster and harder to notice.  Instead of depending on infected files to get around, worms employ two other major avenues of travel:
  • Through computer network connections* (ex. if you work in an office and are connected to an office network)
  • Through email (many worms can automatically send spam emails with themselves as attachments to your contacts)

* For those who aren’t familiar with the term, a “network” is a group of computers that are connected to one another and can share files with each other.

Both of these actions are automated.  For example, as long as you are connected to a network, the worm can travel from your computer to other computers in the network completely on its own.  With viruses, you have to actually be using your computer to spread the bug around.  A worm, however, really doesn't need you at all after it has embedded itself in your system.  A worm could spread right under your nose whenever it wants—while you’re eating lunch, taking a walk, or even reading a nice informative blog on Internet security.

As for email: it gets a bit tricky here.  A lot of people have online email accounts now—like Yahoo! or Gmail.  If you have an online email account and you’re infected by a worm, the worm won’t be able to reach your email because your email account and your hard drive are not connected.  The worm can’t “jump” from the hard drive to the password-protected online email account, thank God!

However, let’s assume you use, say, Outlook Express, which is an email program that resides on your computer.  In this case, your email account and your hard drive are connected.  Many worms are programmed so that, upon infection, a spam email with the worm as the attachment will be sent to all your contacts.
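Both avenues of travel described above, unattended spread across a network and a worm mailing itself to a contact list, leave the same kind of footprint in logs: one host or one account reaching many distinct peers in a short window.  The Python below is an added example written for this post, not code from the original; it runs two such detection heuristics over constructed log samples.  The hosts, addresses, contact names and attachment hashes are placeholders invented for the example, and the thresholds (ten distinct peers within a minute, ten distinct recipients within five minutes) are assumptions a defender would tune to their own network.

```python
"""Added example: two defender-side heuristics for worm-like propagation.
Both run over constructed log samples; nothing here comes from the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed connection log: "timestamp source destination port" per line. ---
# 10.0.0.5 contacts twelve different peers on port 445 within twelve seconds, which
# is the unattended network spread the post describes. The other hosts talk to one
# or two peers each, as ordinary workstations do.
CONNECTION_LOG = "\n".join(
    f"2013-06-30T12:01:{i:02d} 10.0.0.5 10.0.0.{17 + i} 445" for i in range(12)
) + """
2013-06-30T12:01:03 10.0.0.8 10.0.0.1 53
2013-06-30T12:01:04 10.0.0.8 10.0.0.1 53
2013-06-30T12:01:05 10.0.0.9 10.0.0.2 443
2013-06-30T12:01:06 10.0.0.9 10.0.0.3 443
2013-06-30T12:01:07 10.0.0.8 10.0.0.3 443
"""

# --- Constructed mail-gateway log: "timestamp sender recipient attachment_sha256". ---
# The hashes are placeholders, not real indicators. alice's account sends the same
# attachment to fifteen contacts in fifteen seconds (the mass-mailing behaviour the
# post describes) plus one ordinary message; bob sends one attachment to two people
# and one message with no attachment ("-").
WORM_ATTACHMENT = "PLACEHOLDER_SHA256_OF_WORM_ATTACHMENT"
MAIL_LOG = "\n".join(
    f"2013-06-30T12:05:{i:02d} alice@corp.example contact{i}@example.net {WORM_ATTACHMENT}"
    for i in range(15)
) + """
2013-06-30T12:06:00 alice@corp.example boss@corp.example PLACEHOLDER_SHA256_OF_REPORT_PDF
2013-06-30T12:06:10 bob@corp.example carol@corp.example PLACEHOLDER_SHA256_OF_MINUTES_DOC
2013-06-30T12:06:11 bob@corp.example dave@corp.example PLACEHOLDER_SHA256_OF_MINUTES_DOC
2013-06-30T12:06:12 bob@corp.example erin@corp.example -
"""


def parse_log(text, fields):
    """Split whitespace-delimited lines into dicts; the first column is an ISO timestamp."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than crash on them
        row = dict(zip(fields, parts))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def max_distinct_in_window(items, window):
    """items: list of (timestamp, value). Return the largest number of distinct values
    seen inside any sliding window of length `window` (two-pointer sweep)."""
    items = sorted(items)
    counts = defaultdict(int)
    best = start = 0
    for ts, value in items:
        counts[value] += 1
        while items[start][0] < ts - window:  # drop entries that fell out of the window
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def fanout_alerts(text, window=timedelta(seconds=60), threshold=10):
    """Flag a source that reaches >= threshold distinct destinations on one port within
    the window: a worm probing the local network rather than a client using a service."""
    groups = defaultdict(list)
    for row in parse_log(text, ("ts", "src", "dst", "port")):
        groups[(row["src"], int(row["port"]))].append((row["ts"], row["dst"]))
    alerts = []
    for (src, port), items in groups.items():
        distinct = max_distinct_in_window(items, window)
        if distinct >= threshold:
            alerts.append({"source": src, "port": port, "distinct_targets": distinct})
    return alerts


def mass_mail_alerts(text, window=timedelta(minutes=5), threshold=10):
    """Flag a sender that delivers the same attachment to >= threshold distinct recipients
    within the window: the signature of a worm mailing itself to a contact list."""
    groups = defaultdict(list)
    for row in parse_log(text, ("ts", "sender", "rcpt", "sha256")):
        if row["sha256"] == "-":
            continue  # no attachment, so nothing for a mailed worm to ride on
        groups[(row["sender"], row["sha256"])].append((row["ts"], row["rcpt"]))
    alerts = []
    for (sender, digest), items in groups.items():
        distinct = max_distinct_in_window(items, window)
        if distinct >= threshold:
            alerts.append({"sender": sender, "attachment": digest, "recipients": distinct})
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(CONNECTION_LOG) + mass_mail_alerts(MAIL_LOG):
        print(alert)
```

Run as-is, the script prints one alert for 10.0.0.5 on port 445 (twelve distinct targets) and one for alice's account (fifteen distinct recipients of the same attachment); the benign hosts and bob's two-recipient message stay below threshold.  Both heuristics key on the same two facts the post gives, that a worm needs no user action and sends to everyone it can reach, which is why a single sliding-window "distinct peers per source" counter serves both the network and the email case.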
In the last several years, worms have received a lot of media attention simply because their ability to exploit weaknesses in network and email security allows them to travel the globe in a very short period of time.  These are some worms you may have heard about:
  • LoveLetter (a.k.a. the "ILOVEYOU virus")
  • MsBlast/Blaster
  • Conficker (or Downadup, Kido, the "virus" that gave you a couple of days off work a few years ago because it crashed the entire computer system at your office, whatever you want to call it)

Conficker, in particular, is an important one.  It has been accurately described as one of the most “obstinate” malicious programs out there.  It was first discovered in November 2008, reached its peak infection count within a few months, and despite security experts’ efforts is still prevalent in the cyber world.  It is primarily a network worm, and at its peak it had anywhere from 7 to 12 million computers under its control—including computers owned by not only major corporations but the British Parliament and the French Navy.  Even today, about 4 1/2 years after its initial release, infection estimates remain at about 7 million.

Conficker is a major problem, especially since worms of this caliber can theoretically be used as digital international weapons.  I have plans to bring the subject up again in later posts, but honestly, if you are really interested in learning about not only Conficker but the threat posed by hackers and malware in general in the modern world, I strongly recommend you read Worm: The First Digital World War by Mark Bowden.  It’s a fantastic book, and one of the very few pieces of tech literature that is aimed at everyday people and explains rather complex subjects in an easy-to-understand manner.  It was also one of my main inspirations for wanting to become a security specialist myself.
The Basics of the Worm:
  • Self-replicate
  • Do NOT infect files
  • Spread mainly via networks and email
  • Harder to discover infection because there are no infected files
  • Can spread faster and move around on its own
  • Less dependent on human intervention
  • Because it spreads so easily, it’s not good for contained attacks.
  • In email form, it still relies on tricking the user into opening the attachment.

Next time, we’ll talk about the final, most common, and—in some ways—the most dangerous type of malware of all: the Trojan Horse.
