Computer worm: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license.
Revision as of 04:01, 27 June 2006 by Snori (talk | contribs): rvv a not very well thought out addition...

Revision as of 15:00, 28 June 2006 by Ww (talk | contribs): ref, phrasing, ...
Line 1: Line 1:
A '''computer worm''' is a self-replicating ], similar to a ]. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file ] capabilities found on many computers. The main difference between a ] and a worm is that a virus cannot propagate by itself whereas worms can. A worm uses a network to send copies of itself to other systems and it does so without any intervention. In general, worms harm the network and consume bandwidth, whereas viruses infect or corrupt files on a targeted computer. Viruses generally do not affect network performance, as their malicious activities are mostly confined within the target computer itself. A '''computer worm''' is a self-replicating ], similar to a ]. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file ] capabilities found on many computers. The main difference between a ] and a worm is that a virus cannot propagate by itself whereas worms can. A worm uses a network to send copies of itself to other systems and it does so without any intervention. In general, worms harm the network and consume bandwidth, whereas viruses infect or corrupt files on a targeted computer. Viruses generally do not affect network performance, as their malicious activities are mostly confined within the target computer itself.


The name 'worm' was taken from '']'', a ] novel published in 1975 by ]. Researchers writing an early paper on experiments in distributed computing noted the similarities between their software and the program described by Brunner and adopted the name. The name 'worm' was taken from '']'', a ] novel published in 1975 by ]. Researchers (JF Shoch and JA Hupp chose the name in a paper published while they were working at ] ]; ''The Worm Programs'', Comm ACM, 25(3):172-180, 1982)) noted the similarities between their software and the fictional program described by Brunner. So they proposed the name, which has since been widely adopted.
<!-- Who were they and what was the paper? --> <!-- Who were they and what was the paper? -- see note just above-->


The first implementation of a worm was by two researchers at ] in 1978. The authors, John Shoch and Jon Hupp, originally designed the worm to find idle processors on the network and assign them tasks, sharing the processing and so improving the whole network efficiency. The first implementation of a worm was by two researchers at ] in 1978. The authors, John Shoch and Jon Hupp, originally designed the worm to find idle processors on the network and assign them tasks, sharing the processing load, and so improving the 'CPU cycle uss efficiency' across an entire network. They were self limited so they would spread no father than intendec.


Although technically a ], the Christmas Tree Worm was the first worm on a worldwide network, spreading across both IBM's own international network and ] in December 1987 - and bringing both to their knees. Though it was technically a ], the Christmas Tree Worm was likely the first worm on a worldwide network, spreading across both IBM's own international network and ] in December 1987 - and bringing both networks to their knees.


The first worm on the Internet, and the first to attract wide attention, the ], was written by ], who at the time was a graduate student at ]. It was released on ], ], and quickly infected a great number of computers on the ] at the time, and causing massive disruption. It propagated through a number of bugs in ] ] and its derivatives. Morris himself was convicted under the US Computer Crime and Abuse Act and received three years probation, 400 hours community service and a fine in excess of $10,000. An early worm on the Internet, and the first to attract wide attention, was the ]. It was also termed 'The Internet Worm' by Peter Denning in an article in American Scientist (March-April, 1988) in which he distinguished between a virus and a worm, thereby becoming an early computer zoologist. His definition was more restricted than that of some other computer zoologists of the time (McAfee adn Haynes, Computer i ruses, Wroms, Data Diddlers, ..., St Martin's Press, 1989). The Morris worm was written by ], at the time was a computer science graduate student at ], and released on ], ] using a friend's account on a Harvard University computer. It quickly infected large numbers of computers attached to the ], and caused massive disruption. That it didn't spread even farther and cause more trouble is largely due to some errors in its implementation. It propagated via several bugs in ] ] and related systems, and its component programs (including several versions of ']'). Morris was indentified, confessed, and was later convicted under the US Computer Crime and Abuse Act. He received three years probation, 400 hours community service and a fine in excess of $10,000.


In addition to replication, a worm may be designed to do any number of things, In addition to replication, a worm may be designed to do any number of things, such as delete files on a host system, encrypt files in
a ] attack, or send documents via ]. Some more recent worms have been multi-headed and carry other executables as a ]. However, even in the absence of such a payload, a worm can be damaging, if only from the network traffic generated by its reproduction. ], for example, caused a noticeable worldwide Internet slowdown at the peak of its spread.
such as delete files on a host system, encrypt files in
a ] attack, or send documents via ]. More recent worms may be multi-headed and carry other executables as a ]. However, even in the absence of such a payload, a worm can wreak havoc just with the network traffic generated by its reproduction. ], for example, caused a noticeable worldwide Internet slowdown at the peak of its spread.


A common payload is for a worm to install a ] in the infected computer, as was done by ] and ]. These ] are used by ] senders for sending junk email or to cloak their website's address. Spammers are thought to fund the creation of such worms A common payload for worms is a ] in the infected computer; ] and ] are examples which created zombies. These ] are used by ] senders for sending junk email or to cloak their website's address. Spammers are thought to be a source of funding for the creation of such worms
, and worm writers have been caught selling lists of ]es of infected machines. Others try to blackmail companies with threatened ] attacks. The backdoors can also be exploited by other worms, such as ], which spreads using the backdoor opened by ]. , and worm writers have been caught selling lists of ]es of infected machines. Others try to blackmail companies with threatened ] attacks.


Backdoors, however installed, can be exploited by other malware, including worms. Examples include ], which spreads using the backdoor opened by ], and at least one <!-- which? how soon released after the news went public --> instance of malware taking advantage of the ] backdoor installed by the ] ] software they put on millions of music CDs ending in late 2005.
Whether worms can be useful is a common theoretical question in ] and ]. The ] family of worms, for example, tried to download then install patches from Microsoft's website to fix various vulnerabilities in the host system &mdash; the same vulnerabilities that they exploited. This eventually made the systems affected more secure, but generated considerable network traffic (often more than the worms they were protecting against), rebooted the machine in the course of patching it, and, maybe most importantly, did its work without the explicit consent of the computer's owner or user. As such, most security experts deprecate worms, whatever their payload.

Whether worms can be useful is a common conundrum amongst theorists in ] and ], beginning with the very first research into them at Xerox PARC. The ] family of worms, for example, tried to download then install patches from Microsoft's website to fix various vulnerabilities in the host system &mdash; the ''same'' vulnerabilities that they exploited. This eventually made the systems affected more secure, but generated considerable network traffic (sometimes more than would have worms they were protecting against), rebooted the machine in the course of patching it, and, maybe most importantly, did its work without the explicit consent of the computer's owner or user. As such, most security experts regard worms as malware, whatever their payload and their writer's intentions.


== Mitigation techniques == == Mitigation techniques ==
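Review bot: In the naming paragraph, the added parenthetical "(JF Shoch and JA Hupp chose the name ... 1982))" closes twice and sits between "Researchers" and its verb "noted", so the sentence no longer parses. Suggest naming the authors in the running text and moving the citation (The Worm Programs, Comm ACM, 25(3):172-180, 1982) to the end of the sentence or a footnote, then deleting the HTML comment outright instead of appending "see note just above" to it.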
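Review bot: The rewritten Xerox PARC paragraph introduces three typos: "'CPU cycle uss efficiency'", "no father than" and "intendec". The closing sentence also switches to "They were self limited" after the paragraph has spoken of "the worm" in the singular, and the quoted efficiency phrase carries no source. Suggest "The worms were self-limited so they would spread no farther than intended" and either citing or unquoting the efficiency phrase.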
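Review bot: In the Morris worm paragraph, the Denning article is dated "March-April, 1988" while the same paragraph gives the worm's release as November 2, 1988, so an article naming the worm cannot predate it as written; one of the two dates needs checking against the source. The same hunk adds the typos "McAfee adn Haynes", "Computer i ruses, Wroms" and "indentified", drops the relative pronoun in "written by ], at the time was a computer science graduate student", and the phrase "thereby becoming an early computer zoologist" reads as editorial comment, not sourced fact.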
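Review bot: The new backdoor paragraph asserts "at least one instance of malware" abusing the rootkit backdoor while an inline HTML comment asks which one, so the claim ships unsourced; it should name and cite the instance or be held back until it can. In the same sentence "they put on millions of music CDs ending in late 2005" has no clear antecedent for "they" and leaves it ambiguous what ended in late 2005. In the following paragraph, "(sometimes more than would have worms they were protecting against)" has its word order scrambled.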

Revision as of 15:00, 28 June 2006

A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers. The main difference between a computer virus and a worm is that a virus cannot propagate by itself whereas a worm can. A worm uses a network to send copies of itself to other systems, and it does so without any intervention. In general, worms harm the network and consume bandwidth, whereas viruses infect or corrupt files on a targeted computer. Viruses generally do not affect network performance, as their malicious activities are mostly confined within the target computer itself.

The name 'worm' was taken from The Shockwave Rider, a science fiction novel published in 1975 by John Brunner. Researchers JF Shoch and JA Hupp, in a paper published while they were working at Xerox PARC (The Worm Programs, Comm ACM, 25(3):172-180, 1982), noted the similarities between their software and the fictional program described by Brunner. They proposed the name, which has since been widely adopted.

The first implementation of a worm was by two researchers at Xerox PARC in 1978. The authors, John Shoch and Jon Hupp, originally designed the worm to find idle processors on the network and assign them tasks, sharing the processing load and so improving the 'CPU cycle use efficiency' across an entire network. The worms were self-limited so that they would spread no farther than intended.

Though it was technically a trojan, the Christmas Tree Worm was likely the first worm on a worldwide network, spreading across both IBM's own international network and BITNET in December 1987 - and bringing both networks to their knees.

An early worm on the Internet, and the first to attract wide attention, was the Morris worm. It was also termed 'The Internet Worm' by Peter Denning in an article in American Scientist (March-April, 1988) in which he distinguished between a virus and a worm, thereby becoming an early computer zoologist. His definition was more restricted than that of some other computer zoologists of the time (McAfee and Haynes, Computer Viruses, Worms, Data Diddlers, ..., St Martin's Press, 1989). The Morris worm was written by Robert Tappan Morris, who at the time was a computer science graduate student at Cornell University, and was released on November 2, 1988 using a friend's account on a Harvard University computer. It quickly infected large numbers of computers attached to the Internet, and caused massive disruption. That it didn't spread even farther and cause more trouble is largely due to some errors in its implementation. It propagated via several bugs in BSD Unix and related systems, and its component programs (including several versions of 'sendmail'). Morris was identified, confessed, and was later convicted under the US Computer Crime and Abuse Act. He received three years' probation, 400 hours of community service and a fine in excess of $10,000.

In addition to replication, a worm may be designed to do any number of things, such as delete files on a host system, encrypt files in a cryptoviral extortion attack, or send documents via e-mail. Some more recent worms have been multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can be damaging, if only from the network traffic generated by its reproduction. Mydoom, for example, caused a noticeable worldwide Internet slowdown at the peak of its spread.

A common payload for worms is a backdoor in the infected computer; Sobig and Mydoom are examples of worms that created zombies. These zombie computers are used by spam senders for sending junk email or to cloak their website's address. Spammers are thought to be a source of funding for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks.

Backdoors, however installed, can be exploited by other malware, including worms. Examples include Doomjuice, which spreads using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit backdoor installed by the DRM software that Sony/BMG put on millions of music CDs, ending in late 2005.

Whether worms can be useful is a common conundrum amongst theorists in computer science and artificial intelligence, beginning with the very first research into them at Xerox PARC. The Nachi family of worms, for example, tried to download and then install patches from Microsoft's website to fix various vulnerabilities in the host system, the same vulnerabilities that they exploited. This eventually made the affected systems more secure, but generated considerable network traffic (sometimes more than the worms they were protecting against would have), rebooted the machine in the course of patching it, and, maybe most importantly, did its work without the explicit consent of the computer's owner or user. As such, most security experts regard worms as malware, whatever their payload and their writer's intentions.

Mitigation techniques
