Worms
A worm is a program that can replicate itself and send
copies from computer to computer across network connections. Upon arrival, the
worm may be activated to replicate and propagate again. In addition to
propagation, the worm usually performs some unwanted function. A worm actively
seeks out more machines to infect and each machine that is infected serves as
an automated launching pad for attacks on other machines.
The concept of a computer worm was introduced in John
Brunner’s 1975 SF novel The Shockwave Rider. The first known worm
implementation was done in Xerox Palo Alto Labs in the early 1980s. It was
nonmalicious, searching for idle systems to use to run a computationally
intensive task.
Network worm programs use network connections to spread from
system to system. Once active within a system, a network worm can behave as a
computer virus or bacteria, or it could implant Trojan horse programs or
perform any number of disruptive or destructive actions.
To replicate itself, a network worm uses some sort of network
vehicle. Examples include the following:
· Electronic mail facility: A worm mails a copy of itself to other systems, so that its code is run when the e-mail or an attachment is received or viewed.
· Remote execution capability: A worm executes a copy of itself on another system, either using an explicit remote execution facility or by exploiting a program flaw in a network service to subvert its operations.
· Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other, where it then executes.
The new copy of the worm program is then run on the remote
system where, in addition to any functions that it performs at that system, it
continues to spread in the same fashion.
A network worm exhibits the same
characteristics as a computer virus: a dormant phase, a propagation phase, a
triggering phase, and an execution phase. The propagation phase generally
performs the following functions:
1. Search for other systems to infect by examining host tables or similar repositories of remote system addresses.
2. Establish a connection with a remote system.
3. Copy itself to the remote system and cause the copy to be run.
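The propagation phase above leaves a visible footprint: one source opening connections to many distinct hosts on the same service port in a short time. The following detection heuristic is an added example, not code from the original page; it runs over a constructed flow log whose "ts src dst dport" format is an assumption, and flags sources whose fan-out within a sliding window reaches a threshold.

```python
from collections import defaultdict

# Constructed sample flow log, format "ts src dst dport" (an assumption, not a
# real capture): 10.0.0.5 sweeps port 25 across seven hosts in seven seconds,
# while 10.0.0.9 talks to two web servers over several minutes.
SAMPLE_LOG = """\
0 10.0.0.5 10.0.1.1 25
1 10.0.0.5 10.0.1.2 25
2 10.0.0.5 10.0.1.3 25
3 10.0.0.5 10.0.1.4 25
4 10.0.0.5 10.0.1.5 25
5 10.0.0.5 10.0.1.6 25
6 10.0.0.5 10.0.1.7 25
0 10.0.0.9 10.0.2.1 80
120 10.0.0.9 10.0.2.2 80
300 10.0.0.9 10.0.2.1 80
"""

def parse_log(text):
    """Parse the constructed log into (ts, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            events.append((int(ts), src, dst, int(dport)))
    return events

def find_fanout_sources(events, window=60, threshold=5):
    """Return {(src, dport): peak_distinct_dsts} for every source that reached
    `threshold` distinct destinations on one port within `window` seconds.
    This is the fan-out a worm shows while searching for hosts to infect."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dport)].append((ts, dst))
    flagged = {}
    for key, evs in by_key.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[key] = peak
    return flagged
```

The threshold and window are tuning knobs: mail relays and monitoring hosts legitimately fan out, so in practice they need an allowlist or a per-role baseline.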
Example: The Internet Worm of 1988 targeted Berkeley and Sun UNIX systems connected to the Internet; within hours, it had rendered several thousand computers unusable. It used a virus-like attack to inject instructions into a running program and run them. To recover, administrators had to disconnect each system from the Internet and reboot it. To prevent re-infection, several critical programs had to be patched, recompiled, and reinstalled. The only way to determine whether the program had other malicious side effects was to disassemble it. Fortunately, the only purpose of this program turned out to be self-propagation.
Example: The Father Christmas worm was interesting because it was a form of macro worm. It was distributed in 1987 and was designed for IBM networks. It was an electronic letter instructing the recipient to save it and run it as a program that drew a Christmas tree and printed “Merry Christmas!”. It also read the address book and the list of previously received email and sent copies of itself to each address. The worm quickly overwhelmed the IBM networks and forced the networks and systems to be shut down. This worm had the characteristics of a macro worm: it was written in a high-level job control language, which the IBM systems interpreted.
Worms with good intent
The Nachi family of worms, for example, tried to download and install
patches from Microsoft's website to fix vulnerabilities in the host system — by
exploiting those same
vulnerabilities. In practice, although this may have made these systems
more secure, it generated considerable network traffic, rebooted the machine in
the course of patching it, and did its work without the consent of the
computer's owner or user.
In 1982, at the Xerox PARC research institute, a worm was created to find idle machines. It was used to distribute workloads and was not a malicious worm. So worms can be helpful.