Worms

What Is a Computer Worm?

A computer worm is a type of malware designed to deliver a malicious payload to a target machine. Unlike viruses, which require an infected host file to spread, a computer worm is a standalone program that needs no help or human intervention to travel, using only networks such as the Internet or a local intranet. Worms can be harmful in many ways, as the payloads they drop on a computer can carry various malicious features. Payloads are typically designed to corrupt important files or steal data. Furthermore, some worms create a backdoor in host computers and make them accessible to hostile parties, which also allows cyber criminals to turn the network the compromised computers are connected to into a botnet. Botnets can later be used for performing DDoS attacks and spreading other kinds of malware. Yet even without a malicious payload on board, a worm is considered a threat: its ability to replicate itself indefinitely can make computers and web servers crash from resource exhaustion. Therefore, a worm should be removed from the infected system immediately. Over the past several years, worms have typically taken third place among malware infections, following Trojans and traditional viruses, which shows that they continue to be a significant threat to cyber security.

Image – Computer Worms Explanation – Source: Slideplayer.com

The latest example of a massive cyber attack using a computer worm happened just a couple of months ago. Called “Olympic Destroyer”, the new worm appeared in February 2018 with the purpose of disrupting the opening ceremony of the Olympic Games in Pyeongchang. The malware is believed to have had a political goal as well: its authors evidently attempted to prevent the expected warming of relations between South and North Korea by falsely attributing the attack to a notorious, nation-state-backed North Korean hacking group known as Lazarus. Olympic Destroyer succeeded in shutting down the WiFi connection during the opening ceremony, and it also prevented the event’s broadcast by knocking out the television screens that were supposed to display the ceremony.

According to researchers, Olympic Destroyer was created to infect computers across the entire Pyeongchang network, as it also impacted the official website of the Games, where it blocked the printing of tickets and the display of event results. Several South Korean ski resorts were affected by the attack as well, as the operation of some ski lifts and ski gates was disrupted. Once researchers exposed the malware creators’ attempt to put Lazarus’ fingerprints on the code, numerous speculations about the true origin of the attack emerged, particularly involving well-known cyber-espionage groups from Russia, China, and Iran. For now, however, the truth remains unknown.

Image: Top 10 Computer Worms – Source: Microsoft.com

Worm Distribution Methods and Stealth Techniques

Most infections, including computer worms, exploit vulnerabilities in software or hardware to penetrate targeted machines. Systems running Windows are attacked most often, because the popularity and wide use of that OS guarantee that attackers will compromise a significantly large number of devices. However, flaws that PC users do not patch in a timely fashion by installing the latest available updates also contribute to the vast spread of malware infections. Common distribution methods of a computer worm are:

  1. Email. Computer worms are often hidden in spam emails, coming in the form of a malware-laced file attachment. One click opens the gateway for a computer worm to silently install itself onto the target system, without the PC user realizing that an infection has entered the computer. Malicious programs like worms work in the background and drain system resources because of the rate and speed at which they multiply. That degrades the performance of the system and eventually leads to its crashing.
  2. File share. Malware is often cloaked inside legitimate freeware or shareware, hidden behind the face of adware that comes courtesy of some ambiguous end user license agreement (EULA) that many PC users refuse to take the time to read fully. Any software or tool that spies on your habits and reports this and other data to a third party or a remote server should be considered potentially dangerous. Additionally, any software that is difficult to uninstall using standard Windows functionality should be removed immediately, as it could be disguising malicious activity happening in the background without the user’s knowledge.
  3. Trojan dropper. A Trojan dropper is another type of infection that is often housed on compromised websites. It only requires a visit for the malicious program to ‘jump down’ onto the user’s PC and install its payload. Computer worms can also be contained inside such pieces of malware.
  4. Social media. Unfortunately, social networks allow malware to permeate the online environment quickly and easily. The bait may be an impostor or a spoofed member’s account used to lure their friends into a trap. Whether in a chat room or a newsfeed, a humorous or sensationalized title tease can lead to the infamous ‘Adobe Flash update’ type of scam, for example. This scam tricks users into downloading fake video player updates or codecs to watch some phantom video that is nothing but a computer worm or some other malware infection. The widely used marketing tool known as the ‘Like’ button also helps malware spread like wildfire. Not realizing that a malicious script is hiding behind a ‘Like’ icon, PC users click on such buttons (a method known as ‘click-jacking’) and thus unknowingly post the malware to their profile for their friends to click on too, keeping the vicious cycle going.

The Destructive Path of a Computer Worm

After gaining unauthorized access to the target machine, a computer worm wastes no time and quickly does the following:

  1. Unpack the malicious files or programs (possibly viruses or Trojans) it smuggled inside.
  2. Use an algorithm to find and delete all files associated with security programs or tools.
  3. Add values to AutoRun keys in the Registry of the infected system, including a registry service that hides the malware’s executable and runs it at every Windows start.
  4. Create temp files and assume the trusted file extensions of legitimate Registry, system, or .dll files to hide its malicious activity from scanning tools or prying eyes.
  5. Use an algorithm to locate all drives (internal or external) and nodes so it can infect them. Nodes include DCE (modem, hub, bridge, or switch) or DTE (digital phone handset, printer, router, workstation, or server) elements.
  6. Create a new directory and drop malicious files.
  7. Install a keylogger to log key data, e.g. of a financial nature, and send the logged information to a remote server.
  8. Open a port and connect to an IRC (Internet Relay Chat) server to report findings or receive new instructions.
  9. Download a Trojan backdoor and give an attacker covert remote access so that they can turn the compromised system into a zombie, distribute a DNS attack, or launch a mass email spam campaign.
  10. Take over your email account so it can send a copy of its venomous file to every address in your contact list. This can be extremely dangerous for poorly managed networks, especially those allowing firewall penetrations.
  11. Install system hooks and hide processes.
  12. Restrict Windows functionality and intercept program messages, especially ones warning of a malware intrusion.
  13. Introduce and support the presence of a rogue security program using fake alerts, warnings, scans and reports to scare the victim into buying fraudulent and useless software.
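Steps 3 and 4 above (an AutoRun entry that starts the worm with Windows, and a file that borrows a trusted extension to hide) are the kind of persistence a defender can check for from an export of the Run keys. The following is an added example written for this page, not code from the original article or from any product: it takes constructed AutoRun-style entries (value name, launched path, first bytes of the file on disk) and flags three heuristics, a launch path under a `\Temp\` directory, a double extension such as `.dll.exe`, and a data-file extension whose content starts with the PE `MZ` header. The entry list, paths and file headers are invented for the demonstration, and the extension lists are the example's own assumptions about what users trust and what runs when double-clicked.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the page's code): audit of AutoRun-style entries for the
 * persistence tricks described in steps 3 and 4. Input is constructed inline;
 * real input would come from an export of the Run keys plus the first bytes of
 * each launched file. Results are a bitmask of the FLAG_* values below. */
#define FLAG_TEMP_DIR       1u  /* launched from a \Temp\ directory */
#define FLAG_DOUBLE_EXT     2u  /* e.g. report.dll.exe: trusted extension used as bait */
#define FLAG_MAGIC_MISMATCH 4u  /* data-file extension but a PE "MZ" header on disk */

struct autorun_entry {
    const char *value_name;     /* name of the Run key value */
    const char *command;        /* path it launches */
    const unsigned char *head;  /* first bytes of that file (constructed here) */
    size_t head_len;
};

static int ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* case-insensitive substring search (strcasestr is not portable) */
static int ci_contains(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

static int in_list(const char *ext, const char *const *list) {
    for (; *list; list++)
        if (ci_equal(ext, *list)) return 1;
    return 0;
}

/* assumed lists: what runs on double-click, where an MZ header is legitimate,
 * and which trusted extensions worms borrow as the decoy inner extension */
static const char *const EXEC_EXT[] = { "exe", "scr", "com", "bat", "cmd", "vbs", "js", NULL };
static const char *const PE_EXT[]   = { "exe", "dll", "sys", "scr", "com", NULL };
static const char *const BAIT_EXT[] = { "dll", "sys", "txt", "pdf", "doc", "jpg", NULL };

/* Returns a bitmask of FLAG_* values; 0 means nothing suspicious was seen. */
unsigned audit_entry(const struct autorun_entry *e) {
    unsigned flags = 0;
    char name[260], base[260];
    const char *slash = strrchr(e->command, '\\');
    const char *dot;

    if (ci_contains(e->command, "\\temp\\")) flags |= FLAG_TEMP_DIR;

    snprintf(name, sizeof name, "%s", slash ? slash + 1 : e->command); /* file name only */
    dot = strrchr(name, '.');
    if (dot == NULL) return flags;

    if (in_list(dot + 1, EXEC_EXT)) {
        /* strip the final extension and see whether a bait extension precedes it */
        size_t blen = (size_t)(dot - name);
        const char *inner;
        memcpy(base, name, blen);
        base[blen] = '\0';
        inner = strrchr(base, '.');
        if (inner && in_list(inner + 1, BAIT_EXT)) flags |= FLAG_DOUBLE_EXT;
    }
    if (!in_list(dot + 1, PE_EXT) && e->head_len >= 2 && e->head[0] == 'M' && e->head[1] == 'Z')
        flags |= FLAG_MAGIC_MISMATCH;   /* extension says data file, content says executable */
    return flags;
}

/* Constructed sample export: a benign entry, a worm-style drop in Temp with a
 * double extension, a PE hiding behind a .txt name, and a genuine text file. */
static const unsigned char PE_HEAD[]  = { 'M', 'Z', 0x90, 0x00 };
static const unsigned char TXT_HEAD[] = { 'T', 'o', 'd', 'o' };
static const struct autorun_entry SAMPLE[] = {
    { "Updater",   "C:\\Program Files\\Example\\updater.exe",                   PE_HEAD,  sizeof PE_HEAD },
    { "WinUpdate", "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.dll.exe",   PE_HEAD,  sizeof PE_HEAD },
    { "Notes",     "C:\\ProgramData\\notes.txt",                                PE_HEAD,  sizeof PE_HEAD },
    { "Readme",    "C:\\Users\\alice\\readme.txt",                              TXT_HEAD, sizeof TXT_HEAD },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Number of sample entries that raise at least one flag. */
size_t flagged_sample_entries(void) {
    size_t i, hits = 0;
    for (i = 0; i < SAMPLE_COUNT; i++)
        if (audit_entry(&SAMPLE[i]) != 0) hits++;
    return hits;
}

int main(void) {
    size_t i;
    for (i = 0; i < SAMPLE_COUNT; i++) {
        unsigned f = audit_entry(&SAMPLE[i]);
        printf("%-10s %-58s flags=%u%s%s%s\n", SAMPLE[i].value_name, SAMPLE[i].command, f,
               (f & FLAG_TEMP_DIR) ? " temp-dir" : "",
               (f & FLAG_DOUBLE_EXT) ? " double-ext" : "",
               (f & FLAG_MAGIC_MISMATCH) ? " magic-mismatch" : "");
    }
    printf("%zu of %zu entries flagged\n", flagged_sample_entries(), (size_t)SAMPLE_COUNT);
    return 0;
}
```

Each flag is a heuristic, not proof: plenty of legitimate installers do start helpers from Temp, so a hit is a prompt to inspect the file (publisher signature, hash, creation time) rather than to delete it on sight. The magic-number check is the most robust of the three, since a renamed executable cannot hide its header from a tool that reads the bytes rather than trusting the name.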

First Appearances of Computer Worms

The first reported cases of computer worms date back to the early 1970s. Creeper is considered the first worm; it appeared in 1971, created by Robert H. Thomas at BBN Technologies. Creeper did not require physical media to spread around the earliest version of ARPANET, the precursor of the modern Internet as we know it today. The program was quite sophisticated for its time and, as its creator claims, had no malicious intent. Running on the TENEX operating system, the Creeper application was intended to provide a convenient way of transferring programs to other computers with the purpose of finding the most efficient machine for a particular task. Yet the self-replicating code of Creeper caused trouble more serious than just displaying the mocking message “I am the Creeper: Catch me if you can.” The worm clogged compromised systems by replicating itself repeatedly, degrading the performance of the infected computers and even crashing them completely.

The Morris worm was the next famous computer worm to come around. It was the first worm to get significant media attention at the end of the past century, as it resulted in the first felony conviction in the US under the Computer Fraud and Abuse Act. It was also the first worm known to have carried malicious content, although it had not been created with the intention of causing any trouble. Supposedly, its author, a 23-year-old college student, wrote the program to gauge the size of the Internet at that time; however, a critical error in the spreading mechanism turned the code into a virulent weapon for denial of service attacks.

Image: Evolution of Cyber Threats – Source: slidesharecdn.com

The Morris worm exploited weak passwords as well as vulnerabilities in the UNIX sendmail command. In particular, the worm exploited a buffer overflow vulnerability in the BSD variant of UNIX, a class of flaw that still pops up in contemporary software. Exploits based on this type of bug work as follows: the developer sets up a container for information, called a buffer, in which data is stored. The problem occurs when the stored data is larger than the space available in the buffer; the data then overflows the buffer, causing unpredictable behavior of the operating system, which may include granting unauthorized access to the affected machine. Once the Morris worm penetrated a host computer, it started executing its instructions, which consisted of installing itself on that computer and then trying to infect as many other computers as possible. Thus the malware scanned the network for new hosts to propagate to, and it copied its code even onto systems on which the worm was already running, taking the spread of the malware completely out of control and resulting in numerous copies of the program running simultaneously on one and the same machine. Each new instance of the worm on a host launched additional processes that reproduced the worm code, with each of these processes slowing down the system and eventually making it crash completely.
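To make the buffer overflow mechanism in the paragraph above concrete, here is an added example written for this page; it is not Morris worm code and does not reproduce any real exploit. It models a single stack frame as a flat byte array in which a 16-byte input buffer sits directly below a saved return address (a constructed placeholder value), copies a message into the buffer once without a length check and once with one, and reports whether the saved return address survived. Keeping both fields inside one array lets the overrun be shown without the example itself writing out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Morris worm code: toy model of one stack frame. A 16-byte
 * buffer is followed immediately by the 4-byte saved return address, both inside
 * one flat array so the overrun can be demonstrated in bounds. GOOD_RETURN is a
 * constructed placeholder, not a real address. */
#define BUF_SIZE   16u
#define FRAME_SIZE (BUF_SIZE + 4u)

static const uint32_t GOOD_RETURN = 0x08048abcu;

struct frame {
    unsigned char bytes[FRAME_SIZE];
};

void frame_init(struct frame *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + BUF_SIZE, &GOOD_RETURN, sizeof GOOD_RETURN);
}

uint32_t saved_return(const struct frame *f) {
    uint32_t r;
    memcpy(&r, f->bytes + BUF_SIZE, sizeof r);
    return r;
}

/* Vulnerable pattern: the message is copied into the fixed buffer with no
 * comparison against BUF_SIZE, the bug class the text describes. The cap at
 * FRAME_SIZE only keeps this model inside its own array; real code has no such
 * cap and keeps writing over whatever lies above the buffer. */
size_t unchecked_copy(struct frame *f, const unsigned char *msg, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, msg, len);
    return len;
}

/* Hardened pattern: reject anything that would not fit, so no byte can reach
 * the saved return address. Returns -1 on rejection, bytes written otherwise. */
int checked_copy(struct frame *f, const unsigned char *msg, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(f->bytes, msg, len);
    return (int)len;
}

/* Run one message through a fresh frame; 1 if the saved return address is
 * intact afterwards, 0 if it was clobbered. */
int intact_after_unchecked(const unsigned char *msg, size_t len) {
    struct frame f;
    frame_init(&f);
    unchecked_copy(&f, msg, len);
    return saved_return(&f) == GOOD_RETURN;
}

int intact_after_checked(const unsigned char *msg, size_t len) {
    struct frame f;
    frame_init(&f);
    checked_copy(&f, msg, len);
    return saved_return(&f) == GOOD_RETURN;
}

/* Return value of checked_copy on a fresh frame, for callers that want the code. */
int checked_copy_result(const unsigned char *msg, size_t len) {
    struct frame f;
    frame_init(&f);
    return checked_copy(&f, msg, len);
}

int main(void) {
    /* constructed inputs: a 6-byte message that fits and a 20-byte one that does not */
    static const unsigned char fits[] = "hello";
    static const unsigned char overlong[] = "AAAAAAAAAAAAAAAAAAA";
    struct frame f;

    printf("unchecked, %zu bytes: return address intact = %d\n",
           sizeof fits, intact_after_unchecked(fits, sizeof fits));
    printf("unchecked, %zu bytes: return address intact = %d\n",
           sizeof overlong, intact_after_unchecked(overlong, sizeof overlong));
    frame_init(&f);
    unchecked_copy(&f, overlong, sizeof overlong);
    printf("  saved return address after overrun: 0x%08x\n", saved_return(&f));
    printf("checked,   %zu bytes: result = %d, intact = %d\n",
           sizeof overlong, checked_copy_result(overlong, sizeof overlong),
           intact_after_checked(overlong, sizeof overlong));
    return 0;
}
```

With the 20-byte input, the unchecked copy leaves the saved return address reading `0x00414141` (three `A` bytes and the terminating NUL), which is why an overrun of this kind hands control of the next instruction to whoever chose the input; the checked copy refuses the message and the address is untouched.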

The Morris worm became the precursor of some of the most destructive modern malware threats, some of which still exploit buffer overflows and other well-known vulnerabilities. Unfortunately, not all software developers pay enough attention to security when building new programs or revising old software, which makes it advisable for users to install a reliable anti-malware program.

The Most Destructive Worms of All Times

Many highly destructive computer worms have spread across the Internet since Creeper and the Morris worm, yet only a few of them have caused billion-dollar damage. Some of the first mass-destruction worms employed social engineering techniques to infect target machines. At the beginning of the 21st century, ILOVEYOU was let loose on the Internet and quickly became the most damaging malware of all time. It was a Visual Basic script that spread through email messages with a subject line saying “I love you.” The user only needed to open the attached text file to get their entire system files overwritten and, basically, destroyed. What made the malware spread like wildfire was its ability to send a copy of itself to all contacts stored in the victim’s Microsoft Outlook account.

A few years later, MyDoom appeared, and it topped the record dollar cost of all previous malware attacks as it hit major technology companies like Google and Microsoft with Distributed Denial of Service (DDoS) attacks. The total cost caused by MyDoom has been estimated at $38 billion. It was distributed through a “Sending Failed” message from the mail server which contained an attachment laced with the malicious code. The user was supposed to click on the attachment in order to re-send the mail; however, opening the infected file resulted in the installation of the worm. MyDoom then sent a copy of itself to all contacts in the user’s address book, as well as to peer-to-peer shared devices.

Image of Most Costly Malware Outbreaks – Source: digitaltrends.com

Other examples of successful worms from the beginning of the century include Code Red, Nimda, Jerusalem, Storm Worm, and MSBlast (the Blaster worm). Code Red attacked computers running Microsoft IIS web server in the summer of 2001. Named after the drink the researchers were having at the time of the discovery, the worm spread by exploiting the good old buffer overflow type of vulnerability, while its payload defaced the infected website to display the message “HELLO! Welcome to hxxp://www(dot)worm(dot)com! Hacked by Chinese!” Code Red demonstrated a brand new propagation technique: the malware did not rely on sending copies of itself to the victim’s mailing contacts; instead, it scanned the network to find connected IP addresses and used these as vectors of distribution.

Nimda was another worm that appeared in September of the same year; its name comes from the backward spelling of the word “admin”. It was both a computer worm and a file infector. Its release coincided with the 9/11 World Trade Center attacks, leading many to speculate about a possible connection between the two events, a claim later found to be unfounded. Nimda eclipsed its neighbor Code Red and similar outbreaks due to the multiple propagation vectors it used, which helped it spread quickly and made it the Internet’s most widely spread infection within 22 minutes. Nimda attacked IIS web servers and network computers running Windows 2000, Pro, NT, 98, and 95.

The Blaster worm (also known as MSBlast, Lovesan, or Lovsan) attacked systems running Windows XP and 2000, also exploiting a buffer overflow vulnerability. It did not require the user to open any attachment, but simply spammed itself to random IP addresses until it managed to enter the large network of a company or a university. It was designed to start a SYN flood attack against port 80 of windowsupdate.com and create DDoS attacks against the site, with the attack triggered by a particular rule related to the attacked system’s date and month.

More Recent Cases of Worm Infections

Probably the most prominent example of a more recent worm infection is the Stuxnet worm. Stuxnet was created in 2006, when US military and intelligence forces started working together with Israel on a top-secret cyberwar program named “Olympic Games”. The program had the purpose of delaying, or stopping completely, Iran’s nuclear weapon production, and the idea was to create the most sophisticated computer worm the world had seen by then. By the beginning of 2010, the worm had managed to crash 20% of Iran’s functioning centrifuges for uranium enrichment, setting the country’s nuclear program back by 2 years. It did not take long, however, before the infection leaked out and copies of the worm began spreading all over the Internet, infecting 130,000 computers worldwide. It was also in 2010 that the worm was discovered by researchers, after it started affecting machines outside of the initial target range.

The worm spread on Windows operating systems and targeted industrial control systems (ICS) made by Siemens; Stuxnet is considered the first malware of its type capable of spying on and destroying such systems. It was also the first malware able to modify Programmable Logic Controllers (PLCs) at infrastructure facilities like power plants, gas lines, water treatment facilities and so on. In order to reach these highly secured systems, Stuxnet incorporated sophisticated propagation techniques which allowed it to infect target files without using the Internet or any other network. Stuxnet was able to spread across Windows computers by copying itself from a Windows computer to a USB stick. However, PLCs are not based on Windows, so the worm needed to find another way to infect the target machines: it scanned Windows systems to find those that manage the PLCs and dropped its payload on them. In order to alter the PLC settings, the malware then sought out and infected the so-called STEP 7 project files, which are the files Siemens uses to program the PLCs. Once the malware had identified the specific PLC model, it gained complete control over all data flowing in and out of the infected PLC.

In the following two years, Stuxnet continued to exist and even became the framework for the development of other pieces of malware. Parts of the Stuxnet source code have been discovered in the Flame cyber-espionage program, while the Duqu worm, which was also created to disrupt nuclear weapons production, shows striking similarities as well. Unlike Stuxnet, though, Duqu does not replicate itself and does not have a payload. Instead, it uses Trojans to gather sensitive information, and it can set up remote access as well.

Symptoms of a Worm Infection and Removal

Not all pieces of malware want to alert their victims that they have arrived, so without a scan alert or the keen eye of a computer security expert, you may not be aware that you are being hacked. In the absence of an alert from a scan, below are some subtle signs of a worm intrusion of some sort:

  • Slowed system performance
  • Web page redirecting to unwanted, or malicious websites
  • Web searches repeatedly hanging up
  • Addition or removal of icons on your desktop or in your tray
  • Applications not loading or running properly
  • System rebooting on its own, or forcing hard boots
  • Drivers failing, or some devices not working
  • Flooding with pop-up advertisements when surfing the Web
  • Flooding with pop-up alerts from some antivirus program you did not install, i.e. the behavior of a rogue security program
  • Blue screen of death (BSOD)

If you suspect that a malicious program or tool has somehow managed to penetrate your system, there are several steps that you can take. First of all, it is very important to make sure that your computer’s operating system is up to date and that you have downloaded and installed the latest versions of all your applications. Whenever a new cyber threat is discovered, software developers try to fix the vulnerabilities which allowed the particular malware to operate and to push updates with patches to end users as soon as possible. If you have an antivirus program installed on your computer, you should also check whether it has the latest malware definitions, since that is the only way it can protect you efficiently. Then run a scan with your antivirus program to find out whether there are any suspicious elements on your computer. In case the scan detects a computer worm, you can safely use the program’s functions to remove the detected malware and clean infected files. You may need to disconnect your computer from the Internet, as well as from any other networks, in order to prevent the worm from spreading to other devices connected to those networks. In this case, you will need an uninfected computer to download and install any necessary programs and updates, and then transfer them to the compromised computer using an external storage device.

The Code Red worm was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft’s IIS web server. The payload of the worm included defacing the affected website to display “HELLO! Welcome to hxxp://www.worm.com! Hacked By Chinese!” This message became a meme to indicate an online defeat.

The Blaster worm (also known as Lovsan, Lovesan or MSBlast) was observed during August 2003 and spread on computers running Windows XP and Windows 2000. The worm exploited a buffer overflow, which allowed the infection to spread without users opening attachments, simply by spamming itself to large numbers of random IP addresses. The worm was programmed to start a SYN flood against port 80 of windowsupdate.com, thereby creating a distributed denial of service (DDoS) attack against the site. The damage to Microsoft was minimal, as the site targeted was windowsupdate.com instead of windowsupdate.microsoft.com, to which it redirected. Microsoft temporarily shut down the targeted site to minimize potential effects from the worm.

Nimda (“admin” spelled backwards) is both a computer worm and a file infector. Its release coincided with the 9/11 World Trade Center attacks, leading many to speculate that it was connected, a claim later found unfounded. Nimda eclipsed its neighbor Code Red and similar outbreaks due to the multiple propagation vectors it used, which helped it spread quickly and made it the Internet’s most widely spread infection within 22 minutes. Nimda attacked IIS web servers and network computers running Windows 2000, Pro, NT, 98, and 95.

ILoveYou, also known as the Love Bug worm, relied on people clicking on its infectious email attachment, which automatically sent a copy of the worm to everyone in the victim’s email contact list, to the tune of 10 million computers.


Most Trending Worms in the Last 2 Weeks

#  | Threat Name                         | Severity Level | Alias(es)                                                            | Detections
1  | Win32/Taterf                        |                |                                                                      |
2  | Worm:VBS/Tibni.A                    | 50 % (Medium)  |                                                                      | 441
3  | Worm.MSIL.Necast                    | 50 % (Medium)  |                                                                      | 64
4  | IM.Worm.VB.as                       | 90 % (High)    | Mal/VB-A, Suspicious file, W32/Generic.d                             |
5  | Win32.Brontok.AP@mm                 | 10 % (Normal)  |                                                                      | 161
6  | W32.Disttrack                       | 20 % (Normal)  |                                                                      |
7  | Win32/Bundpil.BO                    | 90 % (High)    |                                                                      |
8  | Worm.VBS.Dinihou.B                  | 50 % (Medium)  |                                                                      | 63
9  | Worm.Cubspewt.A                     | 50 % (Medium)  | IRC/BackDoor.SdBot4.LHN, Trojan.Win32.Generic!BT, Win32/Cubspewt.D   |
10 | Conficker.C                         | 50 % (Medium)  | W32/Conficker.FZ!worm.im, Trojan.Win32.Genome, Worm/Win32.Conficker  | 570
11 | Worm:Win32/Pushbot.gen              |                |                                                                      |
12 | P2P-Worm.Win32.Palevo.bpio          | 50 % (Medium)  | Trj/CI.A, Generic22.XNB, W32/VBKrypt.CSFE!tr                         | 3
13 | P2P-Worm.Win32.Palevo.cuep          | 80 % (High)    |                                                                      | 104
14 | W32.Wergimog.B                      | 20 % (Normal)  |                                                                      | 27
15 | Worm.Phorpiex.P                     | 50 % (Medium)  | Generic30.AQUI, W32/PornoAsset.BHXI!tr, TR/Malagent.A.4000           | 18
16 | P2P-Worm.Win32.Palevo.bhnc          |                |                                                                      |
17 | Worm.Brontok.E@mm                   | 50 % (Medium)  | Trj/Sinowal.WWG, PSW.Generic10.BMYI, Trojan.MulDrop4.23683           | 21
18 | 'U.Z.A. Operating System' Wallpaper |                |                                                                      |
19 | W32.Spybot.AVEO                     |                |                                                                      |
20 | Nimda Worm                          |                |                                                                      |
21 | WORM_OTORUN.ASH                     | 50 % (Medium)  |                                                                      | 4
22 | Worm.VBS.Dinihou                    |                |                                                                      |
23 | Worm:Win32/Hamweq.A                 | 50 % (Medium)  | Trj/Thed.B, Worm/Generic.KOQ, Trojan.Win32.Agent                     | 16
24 | Email-Worm.Win32.Merond.a           |                |                                                                      |
25 | P2P-Worm.Win32.Palevo.lfs           | 50 % (Medium)  | Trj/Rimecud.a, W32/Kryptik.ANQ!tr, Win32/Palevo3.worm.Gen            | 21,411
26 | W32/AHKHeap-A                       |                |                                                                      |
27 | Worm.MSIL.Agent                     | 50 % (Medium)  | Worm/Generic2.AOSA, W32/SPNR.03CF11!tr, Worm.SuspectCRC              | 703
28 | P2P-Worm.SpyBot                     | 90 % (High)    |                                                                      |
29 | Worm:VBS/Jenxcus.K                  |                |                                                                      |
30 | VBS.Sasan                           | 50 % (Medium)  | JS/Heur, Virus.JS.Heur, Trojan.Script.Suspic.gen                     | 6

Last updated: 2024-04-26

Worms List

Threat Name                         | Severity Level | Detections
'U.Z.A. Operating System' Wallpaper |                |
ACAD/Medre.A                        | 50 % (Medium)  | 0
ALS.Kenilfe!inf                     |                |
Artemis!DD51CDCC10D0                |                |
Autoit.Obfus                        | 100 % (High)   | 3
AutoIt/Renocide                     | 50 % (Medium)  | 0
AutoRun.AEC                         | 90 % (High)    | 0
Av.exe                              |                |
Backdoor.Agobot.lo                  | 80 % (High)    | 0
Backdoor.Agobot.s                   | 80 % (High)    | 0
Backdoor.Agobot.wk                  | 80 % (High)    | 0
Backdoor.Agobot.y                   | 80 % (High)    | 1
Backdoor.Poebot.AL                  | 80 % (High)    | 16
Backdoor.Rinbot.A                   | 80 % (High)    | 0
Backdoor.SpyBoter                   |                |
BD.Raptra                           |                |
Bizex                               |                |
Blackout                            |                |
Bloodhound                          | 90 % (High)    | 2
Bloodhound.W32.1                    | 90 % (High)    | 77
Bofra.A                             | 90 % (High)    | 0
BOO/Whistler.A                      | 50 % (Medium)  | 9
Brambul                             |                |
BrowserModifier.SearchV             | 20 % (Normal)  | 0
Cetus Malware                       |                |