Network Worms

Today everyone has heard of computer worms.

Worms can be classified according to the propagation method they use, i.e. how they deliver copies of themselves to new victim machines. Worms can also be classified by installation method, launch method and, finally, according to characteristics common to all malware: polymorphism, stealth etc.

Many of the worms which managed to cause significant outbreaks use more than one propagation method as well as more than one infection technique. The methods are listed separately below.

Email worms

Email worms spread via infected email messages. The worm may be in the form of an attachment or the email may contain a link to an infected website. However, in both cases email is the vehicle.

In the first case the worm is activated when the user opens the attachment. In the second case the worm is activated when the user clicks on the link leading to the infected site.

Email worms normally use one of the following methods to spread:

Email worms harvest email addresses from victim machines in order to spread further. Worms use one or more of the following techniques:

While these techniques are the most common, some worms even construct new addresses by combining lists of likely user names with common domain names.

Instant Messaging (ICQ and MSN) Worms

These worms have a single propagation method. They spread using instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these worms and email worms which send links is the medium chosen to deliver the links.

Internet Worms

Virus writers use other techniques to distribute computer worms, including:

In the first case, the worms locate remote machines and copy themselves into folders which are open for reading and writing. These network worms scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines. They then attempt to connect to these machines and gain full access to them.

In the second case, the worms scan the Internet for machines that have not been patched, i.e. whose operating systems still have critical vulnerabilities open to exploitation. The worm sends data packets or requests which install either the entire body of the worm or a small stub with downloader functionality. If this stub runs successfully, the main worm body is then downloaded. In either case, once the worm is installed it executes its code and the cycle continues.
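Both propagation methods above leave the same footprint on the network: one host opening connections to many distinct addresses on a single port (445/tcp for writable shares, 135/tcp or another service port for an unpatched vulnerability) within a short time, with most attempts refused. The following detector is an added example and is not part of the original article; the log line format ("<epoch> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"), the sample log and the thresholds (20 distinct targets in 60 seconds) are assumptions chosen for illustration.

```python
"""Worm-scan detector over connection logs (added example; the log format,
thresholds and sample data are assumptions, not taken from the article)."""
import re
from collections import defaultdict, deque

# Assumed log line format: "<epoch> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse_line(line):
    """Return (ts, src, dst, port, action), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return int(ts), src, dst, int(port), action


def detect_scanners(lines, window=60, min_targets=20):
    """Flag every (src, port) that contacted at least `min_targets` distinct
    destinations on one port within any `window`-second span.

    Returns {(src, port): (peak_distinct_targets, deny_ratio_at_peak)}.
    A worm hunting for writable shares or an unpatched service behaves this
    way; a workstation talking to a few servers does not.
    """
    events = defaultdict(list)  # (src, port) -> [(ts, dst, action), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crashing on them
        ts, src, dst, port, action = rec
        events[(src, port)].append((ts, dst, action))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        in_window = deque()      # events inside the sliding window
        hits = defaultdict(int)  # dst -> number of attempts inside the window
        for ts, dst, action in evs:
            in_window.append((ts, dst, action))
            hits[dst] += 1
            # evict everything older than `window` seconds
            while in_window[0][0] < ts - window:
                _, old_dst, _ = in_window.popleft()
                hits[old_dst] -= 1
                if hits[old_dst] == 0:
                    del hits[old_dst]
            if len(hits) >= min_targets:
                denies = sum(1 for _, _, a in in_window if a == "DENY")
                ratio = round(denies / len(in_window), 2)
                if key not in alerts or len(hits) > alerts[key][0]:
                    alerts[key] = (len(hits), ratio)
    return alerts


def build_sample_log():
    """Constructed sample: one normal workstation and one infected host."""
    base = 1_700_000_000
    lines = []
    # 10.0.0.9 behaves normally: a DNS lookup and three file-server sessions.
    lines.append(f"{base + 5} 10.0.0.9 10.0.0.1 53 ALLOW")
    for i, dst in enumerate(("10.0.1.10", "10.0.1.11", "10.0.1.12")):
        lines.append(f"{base + i * 300} 10.0.0.9 {dst} 445 ALLOW")
    # 10.0.0.5 sweeps 10.0.1.1-10.0.1.40 on 445/tcp, one host per second;
    # only two targets accept the connection, the rest are denied.
    for i in range(1, 41):
        action = "ALLOW" if i in (7, 23) else "DENY"
        lines.append(f"{base + i} 10.0.0.5 10.0.1.{i} 445 {action}")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for (src, port), (targets, ratio) in detect_scanners(build_sample_log()).items():
        print(f"possible worm scan: {src} -> {targets} hosts on {port}/tcp, "
              f"{ratio:.0%} of attempts denied")
```

The deny ratio is what separates a worm sweep from a legitimate inventory or backup job, which also touches many hosts but is normally allowed through; tune `min_targets` and `window` to the size of the network being watched, since a slow-scanning worm drops below a threshold set for a fast one.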

Worms that use Web and FTP servers fall into a separate category. Infection is a two-stage process. These worms first penetrate files served by the server, such as static web pages. Then the worms wait for clients to access the infected files and attack the individual client machines. These victim machines are then used as launch pads for further attacks.

Some virus writers use existing worms or Trojans to spread new worms. They first identify Trojans or worms that have successfully installed backdoors on victim machines. In most cases this functionality allows the master to send commands to the victim machine: such zombies can be commanded to download and execute files, in this case copies of the new worm.

Many worms use two or more propagation methods in combination, in order to more efficiently penetrate potential victim machines.

IRC Worms

These worms target chat channels, although to date only a few IRC worms have been detected. IRC worms use the propagation methods listed above: sending links to infected websites or infected files to contacts harvested from the infected user. Sending infected files is less effective, as the recipient needs to accept the file transfer, save the file and open it before the worm is able to penetrate the victim machine.

File-sharing Networks or P2P Worms

P2P worms copy themselves into a shared folder, usually located on the local machine. Once the worm has placed a copy of itself under a harmless-looking name in a shared folder, the P2P network does the rest: it advertises the new file to other users and provides the infrastructure to download it. The worm is launched when a user who downloaded the file opens it.

More complex P2P worms imitate the network protocol of a specific file-sharing network: they respond affirmatively to all search requests and offer infected files containing the worm body to all comers.

Installation Methods

Malware writers usually use one of three methods to ensure that the worm's code is launched on the victim machine:

Virus coders have been using social engineering techniques for a long time. LoveLetter (the "I love you" worm) and the AnnaKournikova worm are probably among the first worms to cause outbreaks using this technique; in the latter case users were persuaded to open the attachment by thinking they would find pictures of the popular tennis star.

The goal is to make the email, link name or file name attractive to users, so that they click on the infected object and thereby launch the worm's code. Swen (September 2003), which posed as a Microsoft security update, was the first worm in recent history to use social engineering successfully, while Mydoom.a (January 2004) used social engineering in conjunction with other techniques to cause the most serious malware outbreak of 2004.
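The "harmless name" used by P2P worms in a shared folder and the "attractive file name" used by social-engineering email worms are the same trick seen from two delivery channels: executable content dressed up as a picture, a song or a document. The check below, an added example that is not part of the original article, catches the three common forms of that disguise (executable bytes behind a media extension, a double extension such as .jpg.vbs, and whitespace padding that pushes the real extension out of view) from a file name and its first bytes, so it can be run over a shared folder or over incoming attachments alike. The extension lists and the sample files are assumptions constructed for illustration; the MZ and ELF signatures are the real PE and ELF file headers.

```python
"""Disguised-executable check for files in a P2P share or mail attachments
(added example; extension lists and sample files are assumptions)."""
import os
import re

# Extensions Windows will execute directly or run through a script host (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions a user expects to be harmless media or documents (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".mp3", ".avi", ".mpg",
              ".txt", ".doc", ".pdf", ".zip"}
# File signatures that identify executable content regardless of the name.
MAGIC = ((b"MZ", "PE executable"), (b"\x7fELF", "ELF executable"))


def content_type(head: bytes):
    """Identify executable content from the first bytes of a file, else None."""
    for signature, label in MAGIC:
        if head.startswith(signature):
            return label
    return None


def assess(name: str, head: bytes):
    """Return the reasons a file looks like an executable wearing a harmless name.

    An empty list means name and content are consistent (an honest .exe is fine).
    """
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    kind = content_type(head)

    # 1. Executable bytes behind a media/document extension ("song.mp3" that is a PE).
    if kind and ext in DECOY_EXTS:
        reasons.append(f"{kind} content with {ext} extension")

    # 2. Double extension: the visible decoy extension sits right before the
    #    real one ("AnnaKournikova.jpg.vbs").
    _, inner = os.path.splitext(stem.rstrip())
    if ext in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        reasons.append(f"double extension {inner}{ext}")

    # 3. Whitespace padding pushes the real extension out of the visible part
    #    of the file name in a narrow listing.
    if ext in EXECUTABLE_EXTS and re.search(r"\s{5,}", stem):
        reasons.append("whitespace-padded name hides the real extension")

    return reasons


def scan_share(files):
    """files: iterable of (name, first_bytes). Returns {name: reasons} for suspects only."""
    findings = {}
    for name, head in files:
        reasons = assess(name, head)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample "share": names and first bytes only, no real files needed.
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),          # genuine JPEG
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),                # openly an executable
    ("britney_new_single.mp3", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE disguised as music
    ("AnnaKournikova.jpg.vbs", b"Set fso = CreateObject("),      # double extension
    ("report.doc" + " " * 40 + ".exe", b"MZ\x90\x00"),           # padded name
]

if __name__ == "__main__":
    for name, reasons in scan_share(SAMPLE_FILES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

Checking the first bytes rather than trusting the extension is what makes the first test robust: a worm can name its copy anything, but a PE file still starts with MZ. The name-based tests cover script worms, whose body is plain text and has no signature to match.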

Critical vulnerabilities in operating systems and applications which are publicized on hacker sites or by security analysts are also favorite targets for worm writers. Unfortunately, many users, both corporate and individual, do not monitor vulnerabilities or do not bother to patch even when vendors provide patches. This method has already been used by the Blaster (MSBlast) worm and the Sasser worm; both exploited vulnerabilities in Windows XP and Windows 2000 for which Microsoft had already released patches (MS03-026 for Blaster, MS04-011 for Sasser).
