Computer Worm: Causal Connection Relationship
Computer worms are a form of malware that can rapidly infect many
computers on a network by sending copies of themselves from one system to another over
network connections.
Computer worms are among the most common types of malware. They spread
over computer networks by exploiting operating system vulnerabilities. Worms
typically cause harm to their host networks by consuming bandwidth and
overloading web servers. Computer worms can also contain “payloads” that
damage host computers. Payloads are pieces of code written to perform actions on
affected computers beyond simply spreading the worm. Payloads are commonly
designed to steal data or delete files. Some payloads even create backdoors in host
computers that allow them to be controlled by other computers. Malicious parties
can use networks of these infected computers (“botnets”) to spread spam and
perform denial-of-service attacks.
Movement between hosts is a necessary behavior of worms. Before a worm may attempt a
connection to a host there must have been an incoming connection from some other host that
deposited the worm. A victim host cannot infect other hosts before the victim itself is infected.
Self-similarity
Worms gain entry to systems by exploiting known vulnerabilities on the target systems. The
limited number of vulnerabilities and systems known to a particular worm causes the worm to
repeatedly select the same vulnerability for attacks. These attacks will exhibit a similarity to
previous attacks.
One of the design goals for worms is to infect large numbers of hosts. To accomplish this goal,
hosts infected with worms attempt to connect to more hosts than non-infected hosts would
normally attempt to connect to. This increased number of connection attempts will eventually
become apparent.
Continuity
Continuous propagation to infect new hosts is a defining characteristic of worm behavior. Even
with a slow rate of infection, “as more and more hosts of a domain become infected a growing
number of worm connections will cross the gateway of an infected domain” (p. 2). This increase
in connections from multiple hosts should also become apparent.
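The behaviors described above can be checked against connection records. The following is an added example, not code from the original document: it flags hosts that connect out on a port only after being contacted on that port, hosts that contact unusually many distinct destinations, and the number of flagged hosts per interval. The flow records, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records (time_s, src, dst, dst_port); not real traffic.
FLOWS = (
    [(1, "10.0.0.5", "10.0.0.9", 445)]                                  # .9 is contacted on 445
    + [(10 + 5 * i, "10.0.0.9", f"10.0.1.{i}", 445) for i in range(8)]  # then fans out on 445
    + [(20, "10.0.0.7", "10.0.0.2", 53), (25, "10.0.0.7", "10.0.0.3", 443)]  # ordinary client
    + [(40, "10.0.1.3", "10.0.2.1", 445), (41, "10.0.1.3", "10.0.2.2", 445)]  # next generation
)

def worm_indicators(flows, fanout_threshold=5, window=60):
    """Map each sending host to the set of worm-like behaviors it shows."""
    first_inbound = {}            # (host, port) -> time of first inbound connection
    outbound = defaultdict(list)  # host -> [(time, dst, port)]
    for t, src, dst, port in sorted(flows):
        first_inbound.setdefault((dst, port), t)
        outbound[src].append((t, dst, port))
    findings = defaultdict(set)
    for host, conns in outbound.items():
        # Causal connection + self-similarity: the host connects out on a port
        # only after it was itself contacted on that same port.
        if any(first_inbound.get((host, p), t) < t for t, _d, p in conns):
            findings[host].add("causal-self-similar")
        # Increased connection attempts: many distinct destinations per window.
        for t0, _d, _p in conns:
            if len({d for t, d, _ in conns if t0 <= t < t0 + window}) > fanout_threshold:
                findings[host].add("high-fanout")
                break
    return dict(findings)

def flagged_senders_per_interval(flows, flagged, interval=20):
    """Continuity: number of flagged hosts seen sending in each time bucket."""
    buckets = defaultdict(set)
    for t, src, _dst, _port in flows:
        if src in flagged:
            buckets[t // interval].add(src)
    return {b: len(hosts) for b, hosts in sorted(buckets.items())}

if __name__ == "__main__":
    found = worm_indicators(FLOWS)
    print(found)
    print(flagged_senders_per_interval(FLOWS, set(found)))
```

The threshold and window values are placeholders; in practice they are set from a baseline of normal traffic, since servers and scanners legitimately contact many hosts.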
Book worms in the realm of malicious software derive their classification from the tendency of
the worms to bore through the address books belonging to users of infected computers to locate
future targets. These worms spread through infected email messages which may contain an
attachment or a link to an infected website. This class of worm was the earliest developed type of
worm and varied from the original viruses by not requiring an infected file for a transport
mechanism. Two well-known variations of the book worm class were the W97/Melissa worm
and the W32/Magistr worm.
Remote access utilities aid network administrators in managing network servers from long
distances. However, remote access services use special administrative shares and these shares are
the targets of remote system worms. McAfee Labs (2003) discovered the Mumu worm, which
targets the IPC$ and ADMIN$ shares of Windows servers by using the uHFind.exe Trojan to
scan for random class C IP addresses on the local network and retrieve share passwords. The
passwords are then used to infiltrate and control host systems.
Internet Worms
Internet worms scan the Internet to seek out new hosts to infect. Conficker, a widely
publicized worm, used dynamic domain generation as a command and control mechanism to
coordinate the attacks of infected hosts.
Shared folders used by P2P networks are the typical targets of file sharing network worms unlike
Internet worms that may use P2P networks for command and control. The most notorious of this
type of worm was the Storm Worm, also known as Trojan Peacomm, which received its name
from the subject lines or titles used to entice victims.
Install antivirus or endpoint security software on all your desktops and servers, and make sure to
keep them up to date. New malware can spread extremely quickly, so have an infrastructure in
place that can update all the computers in your organization seamlessly, frequently and on short
notice.
To protect against email-borne viruses, spam and spyware, run email filtering software at your
gateway.
And don’t forget to protect laptop computers, desktop computers and mobile devices used by
employees who telecommute.
Block executable file types from being received by email or downloaded from the Internet. It is
unlikely that your organization will ever need to receive these types of files from the outside
world.
Use a firewall to protect computers that are connected to a network. Many worms can enter even
a closed network via USB drives, CDs and mobile devices. Laptops and telecommuters will also
need firewall protection.
We encourage using automatic (patch) updating, especially in the case of Windows computers.
Patches often close loopholes that can make you vulnerable to malware threats.
Make regular backups of important work and data, and check that the backups were successful.
You should also find a safe place to store your backups, preferably off-site in case of fire. If your
computer is infected with malware, you will be able to restore any lost programs and data. Any
sensitive backup information should be encrypted and physically secured.
Prevent unauthorized devices from connecting to your computers. Unauthorized devices such as
USB drives, music players and mobile phones can carry malware that will infect a computer
when plugged in.
Conclusion
Worms exhibit certain behavioral characteristics that make classification of the types of worms
possible. Book worms use a victim’s address book to generate e-mail. Remote system worms
may attack the mechanisms that administrators use for remote administration. Internet worms use
the Internet namespace to aid attacks. File sharing network worms attack network shares.
Although the mechanisms for attack may differ according to the type of worm, each of the worm
types still exhibits characteristic worm behavior, chief of which is self-propagation. Worms
spread between hosts and networks using the resources of the infected host and do not require the
aid of a file to infect for transport as is the case for normal viruses. Some worms exhibit stealth
technology making those worms difficult to detect and clean from infected systems.