A quick & dirty guide to malware (part 3: worms)


Worm:SymbOS/Commwarrior asking permission for installation

This is the last posting in a three-part series covering common threats a user may encounter.

This series serves as a rough and ready guide, highlighting key features and trends relevant to most users.

In my previous posts, I covered Trojans and Viruses, two ‘big-name’ threats most users are familiar with. Last but not least, we’ll take a look at Worms – a malware type that’s becoming especially prominent as more businesses and users become connected, both to the Internet and to other businesses around the world.

All things worm-y

Worms are, thankfully, one of the more straightforward malware types. According to this description, this time kindly provided by Wikipedia, a computer worm is:

“…a self-replicating computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention.”

The description highlights a peculiar characteristic of worms – they are surprisingly independent creations, usually designed to handle their own functions without much, or even any, human interaction. Slightly more technically, worms have two abilities that set them apart from trojans and viruses: they can self-replicate and self-distribute.

No humans necessary…almost

Unlike trojans that use social engineering to convince a user to run them, or viruses that piggyback on other programs, worms need neither a host nor the user to make copies of themselves. Once it’s arrived on a computer, a worm can happily churn out multiple copies of itself without any help.

To be fair, many worms still need a human user to allow them access to the machine (e.g., click on an infectious e-mail attachment or accept a Bluetooth transmission) before they can start replicating. Nowadays though, we’re seeing sophisticated worms avoiding human contact entirely by exploiting vulnerabilities in the computer or an installed program, allowing them to arrive, replicate and leave without the user ever realizing they were there.

Copies for everyone, don’t be shy!

Worms also actively find new victims themselves, by sending their copies to any vulnerable machine accessible over a network. Theoretically, worms can spread over any kind of network; as long as one computer has a data connection to another, a sufficiently clever hacker could probably find a way to sneak a program from one machine to the next.

Most antivirus vendors logically and straightforwardly categorize worms based on the type of network they primarily use to spread (email-worm, SMS-worm, bluetooth-worm, etc.). Of course, some worms are also designed to spread over multiple networks, just to make life more interesting and network administrators more annoyed.

Networks are a worm’s best friends

Most of the recent media-reported worm outbreaks have taken place over the Internet, which users often forget is really just a gigantic network of computers. They can also spread on specialized ‘sub-networks’ layered on the Internet backbone – e-mail networks, Internet Messaging, Peer-to-Peer and Internet Relay Chat networks, and so on.

The Mikeey Twitter worm

Then there are social networking sites, which you could think of as hubs hosting multiple, overlapping networks of contacts. Particularly popular sites like Twitter and Facebook have suffered site-specific outbreaks in the last few years, though the vigilance of the site admins and alert, community-minded users has helped mitigate the threats.

Off the Internet, there are telecommunications networks, which suffer SMS, MMS and Bluetooth based worms. Even isolated intranets or standalone terminals are vulnerable if a user accidentally transfers a worm into the restricted space, though it does require a worm that can infect the ‘bridging medium’, which is almost always removable media. (*cough* thumb drives *cough*).

The Point Is…

If you’ve been following this series, you’ll already know that knowing what type of malware is present gives a good indicator of what kind of damage you need to watch out for. Whereas trojans lead to loss of user data and computer control and viruses deal damage to software integrity, with worms users have to worry about disruption of network stability.

Unlike viruses, a worm replicating on your computer isn’t particularly troublesome, as the copies themselves don’t do damage; it’s when it tries to send out its copies to new victims that the trouble starts. A worm distributing copies of itself over a network can potentially generate overwhelming amounts of traffic, effectively preventing other users from using the connection until the worm stops broadcasting. Given how dependent most businesses today are on stable internal office networks and a working Internet connection, any disruption to either is a serious matter.
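To make the traffic point concrete from the defender’s side, here is an added example (not code from the original post): a small Python heuristic that flags a host contacting an unusually large number of distinct machines on one port within a short window, which is what a worm hunting for new victims looks like in connection logs. The log format, the thresholds and the sample lines are assumptions constructed for this example.

```python
"""Flag worm-like fan-out in connection logs (added example, not the post's code).

A worm looking for new victims contacts many distinct hosts on the same
service port in a short time. This heuristic reports any (source, port) pair
that reaches more than FANOUT_LIMIT distinct destinations inside WINDOW
seconds. Log format, thresholds and sample lines are constructed assumptions.
"""
from collections import defaultdict, deque

WINDOW = 60        # seconds of history kept per (source, port)
FANOUT_LIMIT = 20  # distinct destinations tolerated inside the window

# Constructed sample lines: "<epoch> <src_ip> <dst_ip> <dst_port>"
# (lines are assumed to be time-ordered for each source)
SAMPLE_LOG = (
    [f"{1000 + i} 10.0.0.5 10.0.1.{i} 445" for i in range(30)]        # sweeps a subnet
    + [f"{1000 + i} 10.0.0.7 10.0.2.1 443" for i in range(30)]        # many hits, one server
    + [f"{2000 + i * 10} 10.0.0.9 10.0.3.{i} 445" for i in range(25)]  # slow, spread out
)


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_fanout_sources(lines, window=WINDOW, limit=FANOUT_LIMIT):
    """Return {(src, port): timestamp_first_flagged} for suspicious sources."""
    history = defaultdict(deque)   # (src, port) -> deque of (ts, dst) in window
    flagged = {}
    for line in lines:
        ts, src, dst, port = parse_line(line)
        key = (src, port)
        events = history[key]
        events.append((ts, dst))
        # Drop events that fell out of the sliding window.
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct = {d for _, d in events}
        if len(distinct) > limit and key not in flagged:
            flagged[key] = ts
    return flagged


if __name__ == "__main__":
    for (src, port), ts in find_fanout_sources(SAMPLE_LOG).items():
        print(f"{src} fanned out on port {port} at t={ts}")
```

The repeat-connection host and the slow scanner stay below the limit, so only the fast subnet sweep is reported; real deployments would tune the window and limit per service.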

Worm infections can have significant financial costs for businesses, in terms of lost productivity and disrupted business transactions. Financial costs aren’t limited to computer users either; infections on mobile devices can also generate unexpected bills, since the worms generally spread by sending out (usually chargeable) SMS or MMS messages.

Worm infections: a good way to annoy other users

The range of fallout from a worm infection is also different. Trojans and viruses tend to limit their destructive attentions to the infected machine; they may affect your programs and data, but other computers on the network aren’t likely to be affected. Worms on the other hand are egalitarian by nature; they love to share the misery, indiscriminately infecting any machines they can reach.

That also makes removal a miserable business, since administrators generally have to shut down the entire network and clean each computer before restarting services, to ensure one overlooked computer doesn’t enthusiastically share its infection with the entire network again.

Uninfected users can also be seriously inconvenienced, as local networks, e-mail services or social networking sites are temporarily shut down to clear out an infection. In major outbreaks, even the Internet infrastructure of entire countries can be slowed by too many infected computers connecting and trying to find new victims. That’s from personal experience, as I’ve had to listen to a voice recording from my ISP telling me they’re very sorry, but Internet connectivity for the whole of Malaysia is currently being affected by the Conficker worm outbreak.

Other effects
Worm:iPhoneOS/iKee's dastardly payload

In addition to the effects of its replicating behavior, a worm brings extra headaches to the party if it includes a malicious payload. Like trojans and viruses, a worm’s payload can involve compromising the user’s information, taking control of the computer or damaging files. A small sample of payloads we’ve seen delivered by worms are: disabling programs (Email-Worm:W32/Nyxem), infecting files with a virus (Worm:W32/Klez) and installing a backdoor program (Email-Worm:W32/Bagle). Or just setting Rick Astley as your wallpaper (Worm:iPhoneOS/iKee).

And finally, an often overlooked but still significant side effect of a worm infection is the ensuing social awkwardness if it gets out that your computer or phone was the one sending out all those infectious e-mails or SMS messages. No one likes being pointed to as the computing equivalent of Typhoid Mary.

Worms in the future

Unlike viruses, worms – as a malware type – are still going strong, rivaling trojans as the most common type of malware users encounter today, though the specific type of worm involved seems to have undergone a sea change.

Previous major outbreaks (Bagle, Mydoom and Sobig, among others) involved email-worms, which affected businesses globally as their e-mail systems were overwhelmed and effectively ‘DOS’ed by the worms. Nowadays, probably because of the extra security around e-mail applications, email-worm outbreaks seem to have died down. More recent worm activity has been Internet-based, as net-worms targeting specific vulnerabilities (such as Conficker) infect Internet-connected computers by the millions.

On mobile networks, Bluetooth-transmitted worms have been vying neck and neck with trojans for the title of most common mobile malware nuisance. So far, most worms on mobile networks have been designed to infect devices running Symbian operating systems, for the practical reason that Symbian has, at least until very recently, held the lion’s share of the smartphone OS market (reported here as 44.6% as of 10 Nov 2010). That may change though as other mobile operating systems rapidly gain greater market share. 2011 looks to be an interesting year for mobile malware; we’ll just have to wait and see…

If you’re still interested

So while we wait to see if worms make more news, here are some links to other, more in-depth resources on them:

Also partially available on Google Books:

  • Elements of Computer Security By David Salomon
  • Network Intrusion Detection and Prevention: Concepts and Techniques by Ali A. Ghorbani
