Intelligent Security Solutions

Last Updated: Thursday, August 28, 2008 12:11 PM  


Worms

What is a Worm?

A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers.

The name 'worm' was taken from The Shockwave Rider, a 1970s science fiction novel by John Brunner. Researchers writing an early paper on experiments in distributed computing noted the similarities between their software and the program described by Brunner and adopted the name.

The first implementation of a worm was by two researchers at Xerox PARC in 1978. The authors, John Shoch and Jon Hupp, originally designed the worm to find idle processors on the network and assign them tasks, sharing the processing and so improving the efficiency of the whole network. In addition to replication, a worm may be designed to do any number of things, such as delete files on a host system or send documents via email. More recent worms may be multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can wreak havoc just with the network traffic generated by its reproduction. Mydoom, for example, caused a noticeable worldwide Internet slowdown at the peak of its spread.

A common payload is for a worm to install a backdoor in the infected computer, as was done by Sobig and Mydoom. These zombie computers are used by spam senders for sending junk email or to cloak their website's address. Spammers are thought to pay for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks. The backdoors can also be exploited by other worms, such as Doomjuice, which spreads using the backdoor opened by Mydoom.


Types of Computer Worms:

  • Email Worms

  • Spread via email messages. Typically the worm arrives as an email whose message body or attachment contains the worm code, but it may also link to code on an external website. Poor design aside, most email systems require the user to explicitly open an attachment to activate the worm, but "social engineering" can often be used successfully to encourage this, as the author of the "Anna Kournikova" worm set out to prove. Once activated, the worm sends itself out using either local email systems (e.g. MS Outlook services, Windows MAPI functions) or directly using SMTP. The addresses it sends to are often harvested from the infected computer's email system or files. Since Klez.E in 2002, worms using SMTP typically fake the sender's address, so recipients of email worms should assume that they were not sent by the person listed in the 'From' field of the e-mail message.

  • Instant Messaging Worms

  • These spread via instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these and email worms is the channel chosen to send the links.

  • IRC Worms

  • Chat channels are the main target, and the same infection/spreading method is used as above: sending infected files or links to infected websites. Sending infected files is less effective, as the recipient needs to confirm receipt, save the file and open it before infection will take place.

  • File-sharing Network Worms

  • The worm copies itself into a shared folder, most likely on the local machine, under a harmless-looking name. The file is then available for download via the P2P network, and the infected file continues to spread from each host that downloads and runs it.

  • Internet Worms

  • Those which target low-level TCP/IP ports directly, rather than going via higher-level protocols such as email or IRC. A classic example is "Blaster", which exploited a vulnerability in Microsoft's RPC. An infected machine aggressively scans random computers on both its local network and the public Internet, attempting an exploit against port 135 which, if successful, spreads the worm to that machine.
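The scanning behaviour described above is also what gives an Internet worm away on the network: a single source sending connection attempts to many distinct hosts on one port within seconds. As an added example (not part of the original article), the detector below reads constructed firewall-style SYN log lines, counts distinct destinations per source on TCP/135 inside a sliding time window, and flags sources that exceed a threshold; the log format, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed firewall format, not from the page): 10.0.0.5
# fans out to six hosts on TCP/135; 10.0.0.9 talks to one RPC server normally.
SAMPLE_LOG = """\
2004-05-01T10:00:00 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=135 FLAGS=SYN
2004-05-01T10:00:00 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=135 FLAGS=SYN
2004-05-01T10:00:01 SRC=10.0.0.5 DST=198.51.100.22 PROTO=TCP DPT=135 FLAGS=SYN
2004-05-01T10:00:01 SRC=10.0.0.9 DST=192.168.1.20 PROTO=TCP DPT=135 FLAGS=SYN
2004-05-01T10:00:02 SRC=10.0.0.5 DST=192.168.1.77 PROTO=TCP DPT=135 FLAGS=SYN
2004-05-01T10:00:02 SRC=10.0.0.5 DST=203.0.113.99 PROTO=TCP DPT=135 FLAGS=SYN
2004-05-01T10:00:03 SRC=10.0.0.5 DST=198.51.100.3 PROTO=TCP DPT=135 FLAGS=SYN
2004-05-01T10:00:03 SRC=10.0.0.9 DST=192.168.1.20 PROTO=TCP DPT=135 FLAGS=SYN
2004-05-01T10:00:04 SRC=10.0.0.9 DST=192.168.1.30 PROTO=TCP DPT=80 FLAGS=SYN
kernel: link up eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=SYN"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP SYN record, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))

def find_scanners(log_text, port=135, min_targets=5, window=timedelta(seconds=10)):
    """Map each source that SYNs to >= min_targets distinct hosts on `port` within `window`
    to the largest number of distinct targets seen in any one window."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == port:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window start forward
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

Repeated connections to one RPC server, as from 10.0.0.9, are not flagged because the rule counts distinct destinations, not connection volume.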

Protecting against computer worms:

Worms mainly spread by exploiting vulnerabilities in operating systems, or by tricking users into assisting them. If a vendor acknowledges a vulnerability but has yet to release a security update to patch it, a zero-day exploit is possible, but these are relatively rare. Users need to be wary of opening unexpected email, and certainly should not run attached files or programs, or visit web sites that such email links to. However, as the ILOVEYOU worm showed long ago, and as phishing attacks continue to improve, tricking a percentage of users will always be possible. Anti-virus and anti-spyware software are helpful, but must be kept up to date with new pattern files at least every few days.