School of Computer Sciences Universiti Sains Malaysia Penang
TABLE OF CONTENTS
1. INTRODUCTION
2. THE COMPONENTS OF WORMS
3. TYPES OF WORMS AND CASE STUDIES ON SEVERAL WELL KNOWN WORMS
4. REAL CASE/ISSUES RELATED TO STUXNET
5. WAYS TO PREVENT WORMS
6. CONCLUSION
7. REFERENCES
INTRODUCTION
WHAT IS A WORM
A computer worm is a standalone malware computer program that is self-replicating and usually uses a computer network to send copies of itself to other nodes. Worms are hard to detect because they are typically invisible files. They often go unnoticed until the user's computer begins to slow down or starts having other problems. Unlike viruses, worms can replicate themselves and travel between systems without any action from the user.
2. Infection propagator
A very important technique for a worm to transfer itself to a new node in order to get control of the remote machine.
3. Remote control and update interface
The remote control of a worm uses a communication module which allows the worm's creator to control the worm network by sending control messages to the worm copies. Such remote control can allow the attacker to use the worm as a DDoS (distributed denial of service) tool, turning the zombie network against several unknown targets.
4. Life-cycle manager
Some worm creators prefer to run a version of a computer worm for a preset period of time.
5. Payload
A common component of a worm. An increasingly popular payload is a DDoS attack against a particular website.
6. Self-tracking
Many worm/virus creators are interested in seeing how many machines the virus can infect and also in tracking the path of the worm/virus infections.
Email worms
Computer worms often spread through email messages. They infect our computer system through attachments or an HTML link that navigates the reader to an infected website. If either is opened, the computer worm is downloaded and infects the computer. Some well-known email worms, including ILOVEYOU, Sobig, Mydoom and Klez, are given as examples below:
Examples
ILOVEYOU
Figure 1: ILOVEYOU
The ILOVEYOU worm, a computer worm written in VBScript, is one of the most famous and most damaging worms ever. It started in the Philippines on May 4, 2000 and spread across the world in one day (travelling from Hong Kong to Europe to the US), infecting 10 percent of all the computers connected to the internet and causing about $5.5 billion in damage. The Pentagon, the CIA and the British Parliament had to shut down their email systems to get rid of this worm, as did most large corporations. The worm arrived in mailboxes with the simple subject ILOVEYOU and an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. The worm overwrites important files, music, multimedia and more with a copy of itself. It also sends itself to everyone on the user's contact list. This particular worm only affects computers running MS operating systems.
Sobig
Figure 2: Sobig
The Sobig worm infected millions of internet-connected MS computers in August 2003. It was written using the Microsoft Visual C++ compiler, and subsequently compressed using a data compression program called tElock. The most destructive and widespread of the variants of the Sobig worm is called Sobig.F. The Sobig.F worm deactivated itself on September 10, 2003. On November 5 of the same year, Microsoft announced that they would pay $250,000 for information leading to the arrest of the creator of the Sobig worm.
Mydoom
Figure 3: Mydoom
Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a worm that affects MS operating systems. It was first sighted on January 26, 2004 and became the fastest spreading email worm ever. This worm is transmitted via email, appearing as a transmission error, with subject lines including "Error", "mail delivery system", "test" or "mail transaction failed" in different languages including English and French. The mail contains an attachment that, if executed, resends the worm to all the contacts found in local files such as the user's address book.
Klez
Figure 4: Klez
Klez infects MS operating systems, exploiting a vulnerability in Internet Explorer's Trident layout engine, which is used by both MS Outlook and Outlook Express to render HTML mail. The worm spreads through an email that includes a text portion and one or more attachments. If the user downloads and opens the attachment, the system becomes infected.
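The email worms above share two observable traits a mail gateway can check: an attachment with an executable or double extension (LOVE-LETTER-FOR-YOU.TXT.vbs) and a bounce-style subject line (Mydoom's "Error", "mail delivery system", "test", "mail transaction failed"). The following added example, which is not part of the original report, parses a constructed message and flags both traits; the extension list and the sample addresses are assumptions of the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions Windows runs as code when opened (ILOVEYOU arrived as
# a .vbs file); the list itself is an assumption of this example.
SCRIPT_EXTENSIONS = {".vbs", ".exe", ".scr", ".pif", ".bat", ".cmd", ".js"}

# The bounce-style subject lines the page lists for Mydoom's lure.
LURE_SUBJECTS = {"error", "mail delivery system", "test", "mail transaction failed"}

def risky_attachment_reasons(filename):
    """Return the reasons an attachment name looks like an email worm carrier."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) > 1 and "." + parts[-1] in SCRIPT_EXTENSIONS:
        reasons.append("executable extension ." + parts[-1])
    # LOVE-LETTER-FOR-YOU.TXT.vbs: the harmless-looking inner extension is what
    # the user sees when Windows hides known extensions.
    if len(parts) > 2:
        reasons.append("double extension " + ".".join(parts[-2:]))
    return reasons

def scan_message(raw):
    """Parse one RFC 822 message and return a list of findings (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        findings.append("subject matches bounce-style lure: " + subject)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        for reason in risky_attachment_reasons(fname):
            findings.append(fname + ": " + reason)
    return findings

def build_sample(subject, filename):
    """Constructed sample message with one attachment (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached file")
    msg.add_attachment(b"constructed placeholder bytes, not a script",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_string()
```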
Exploit-based worm
This type of worm exploits the system through the system's vulnerabilities. It can affect system performance, for example slowing down the computer by replicating many copies of itself, or disrupting normal operation, such as shutting the system down without the user's consent. Examples of exploit-based worms, including Blaster, Code Red, Stuxnet, Sasser and Nimda, are given below:
Examples
Blaster
Figure 5: Blaster
The Blaster worm was a computer worm that spread on computers running MS operating systems. The worm was first noticed and started spreading on August 11, 2003. This worm was programmed to start a SYN flood on August 15, 2003 against port 80 of windowsupdate.com, thereby creating a distributed denial of service attack against the site.
Code Red
Figure 6: Code Red
The Code Red worm was a computer worm observed on the internet on July 13, 2001. It attacked computers running the Microsoft IIS web server. The number of infected hosts reached 359,000 by July 19, 2001. It defaced the affected websites and displayed the line shown in the figure above.
Stuxnet
Figure 7: Stuxnet
Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit. More details about Stuxnet are discussed in the real cases section.
Sasser
Figure 8: Sasser
Sasser affects computers that run MS operating systems (Windows XP and Windows 2000). This worm spread by exploiting the system through a vulnerable network port. Sasser was first noticed and started spreading on April 30, 2004. The effects of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours, and the US airline Delta Air Lines having to cancel several flights because its computer systems had been swamped by the worm.
Nimda
Nimda is a file-infecting computer worm. It spread quickly, eclipsing the economic damage caused by past outbreaks such as Code Red. Multiple propagation vectors allowed Nimda to become the Internet's most widespread virus/worm within 22 minutes. Nimda affects MS operating systems. The worm's name spelled backwards is admin.
Helpful worms
A helpful worm is a variant of a computer worm which delivers its payload by doing "helpful" actions instead of malicious actions. Even though they do not do anything malicious, most helpful worms do not log events, and they automatically reboot the computer as part of the installation process without the user's consent. They can also put strain on the network as they spread and download updates.
Examples
Welchia
Welchia is a computer worm that exploits a vulnerability in the Microsoft Remote Procedure Call (RPC) service, similar to the Blaster worm. However, unlike Blaster, it tries to download and install security patches from Microsoft, so it is classified as a helpful worm. This worm infected systems by exploiting vulnerabilities in Microsoft Windows system code (TFTPD.EXE and TCP on ports 666-765, and a buffer overflow of the RPC service on port 135). Its method of infection is to create a remote shell and instruct the system to download the worm via TFTPD.EXE. TFTPD is only present on certain operating systems, and without it the connection fails at this stage. Specifically, the Welchia worm targeted machines running Windows XP. Once in the system, the worm would patch the vulnerability it used to gain access (thereby actually securing the system against other attempts to exploit the same method of intrusion) and run its payload, a series of Microsoft patches.
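Blaster and Welchia both spread by hitting the RPC service on TCP port 135 across many hosts, and Welchia then has the newly exploited machine fetch the worm body over TFTP. The following added example, not taken from the report, shows the network-side detection a defender would build for that pattern: it reads constructed firewall log lines, flags any source that contacts a threshold number of distinct hosts on tcp/135 within a short window, and then correlates udp/69 transfers back to that source. The log format, addresses, threshold and window are all assumptions of the example.

```python
from collections import defaultdict

RPC_PORT, TFTP_PORT = 135, 69
DISTINCT_TARGETS = 5   # distinct hosts on tcp/135 within WINDOW seconds (assumed threshold)
WINDOW = 60

# Constructed firewall log lines for this example (not from the page):
# "<epoch seconds> <src ip> <dst ip> <proto> <dst port>"
SAMPLE_LOG = """\
1060560000 192.0.2.10 198.51.100.1 TCP 135
1060560001 192.0.2.10 198.51.100.2 TCP 135
1060560001 192.0.2.10 198.51.100.3 TCP 135
1060560002 192.0.2.10 198.51.100.4 TCP 135
1060560003 192.0.2.10 198.51.100.5 TCP 135
1060560004 198.51.100.5 192.0.2.10 UDP 69
1060560010 192.0.2.20 198.51.100.7 TCP 443
1060560011 192.0.2.20 198.51.100.7 TCP 135
"""

def parse_log(text):
    """Turn log lines into (ts, src, dst, proto, dport) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        records.append((int(ts), src, dst, proto.upper(), int(dport)))
    return sorted(records)

def find_scanners(records, threshold=DISTINCT_TARGETS, window=WINDOW):
    """Sources that touch >= threshold distinct hosts on tcp/135 within the window.
    Returns {src: timestamp at which the threshold was first crossed}."""
    hits = defaultdict(list)
    flagged = {}
    for ts, src, dst, proto, dport in records:
        if proto != "TCP" or dport != RPC_PORT or src in flagged:
            continue
        hits[src].append((ts, dst))
        recent = {d for t, d in hits[src] if ts - t <= window}
        if len(recent) >= threshold:
            flagged[src] = ts
    return flagged

def find_tftp_fetches(records, scanners):
    """(victim, scanner, ts) for udp/69 transfers from a flagged scanner: the step
    where a freshly exploited machine pulls the worm body over TFTP."""
    return [(src, dst, ts) for ts, src, dst, proto, dport in records
            if proto == "UDP" and dport == TFTP_PORT and dst in scanners]
```

A host appearing in find_tftp_fetches as the victim is the one to isolate and patch first; the scanner itself is already infected.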
The programmable logic controller, or PLC, is one of the most critical pieces of technology you've never heard of. PLCs contain circuitry and software essential for modern life and control the machines that run traffic lights, assembly lines, and oil and gas pipelines, not to mention water treatment facilities, electric companies and nuclear power plants.[5]
Researchers found that Stuxnet wasn't just looking for a Siemens controller that ran a factory floor; it was looking for a specific factory floor, with a specific type and configuration of equipment, including Iranian components that weren't used anywhere else in the world. Researchers suggest that its ultimate motive might have been to attack Iran's nuclear program rather than simply to steal Siemens industrial secrets.
Never click on a link or attachment in an email unless you know it is from a trusted source. If you think the email looks suspicious, it probably is. Beware of emails with holiday themes or relating to money or any of your accounts.
Be careful about using Microsoft Outlook
Outlook is more susceptible to virus and spyware infections than other email programs, unless you have efficient anti-virus programs running. Try the Outlook anti-spam add-ons freely available on Microsoft's website.
Install an anti-virus program
Make sure you keep your virus definitions updated and run a full system scan weekly.
Handle random pop-ups with caution when you are browsing the internet. Disable random pop-ups if possible. Make sure you delete your temporary internet files daily to prevent any virus or worm from being stored inside the temporary files on your computer.
Set up Windows Update to automatically download patches and upgrades. This will allow your computer to automatically download and install updates to both Windows and Internet Explorer. These updates fix security problems and block many spyware programs, viruses and worms.
Make sure your firewall is turned on. It will help to block unwanted internet traffic which can cause problems.
Back up your data
Have a good routine of backing up your important data to prevent any unwanted data loss due to worm infections of your system.
CONCLUSION
From an overall point of view, worms are created to cause problems (except for helpful worms, which are a minority). Worms can be transmitted through email, instant messaging, USB pendrives, infected websites, vulnerable ports and so on. By exploiting users' computer systems, worms can degrade computer performance, cause data loss, create havoc in time-critical systems (such as a flight company), launch denial of service attacks against certain websites, and cause millions of dollars of damage. Worms can also be written to affect a particular region or country. Stuxnet is one of the best examples of a worm that can do huge damage to people and society. Therefore, by studying the characteristics of worms and their damaging functions, users can be more aware of the presence of these malwares. Antivirus products such as Kaspersky and new techniques for detecting worms (self-learning systems based on existing and non-existing worms) have been invented and are available to combat these malwares.
REFERENCES
[1] http://www.computervirusproblems.com/types-of-worms.html Date accessed: 7/3/2012
[2] http://www.spamlaws.com/types-of-recent-worms.html Date accessed: 7/3/2012
[3] http://www.ehow.com/about_6596434_personal-computer-viruses-worms.html Date accessed: 7/3/2012
[4] http://wptidbits.com/resources/12-most-devastating-pc-viruses-and-worms-of-alltime/ Date accessed: 7/3/2012
[5] http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_attack_irans_nuclear_program.html Date accessed: 7/3/2012
[6] http://en.wikipedia.org/wiki/Computer_worm Date accessed: 7/3/2012
Figure 1: http://cdn.wptidbits.com/wp-content/uploads/2010/03/iloveyou.gif
Figure 2: http://cdn.wptidbits.com/wp-content/uploads/2010/03/sobige.gif
Figure 3: http://cdn.wptidbits.com/wp-content/uploads/2010/03/mydoom-m.gif
Figure 4: http://cdn.wptidbits.com/wp-content/uploads/2010/03/virus_klez_pcc.jpg
Figure 5: http://cdn.wptidbits.com/wp-content/uploads/2010/03/blastersov0.jpg
Figure 6: http://cdn.wptidbits.com/wp-content/uploads/2010/03/codered-546x271.gif
Figure 7: http://assets4.bigthink.com/system/idea_thumbnails/39255/original/stuxnet.jpg?1310467514
Figure 8: http://cdn.wptidbits.com/wp-content/uploads/2010/03/sasser.png