Monday, November 28, 2005

Newsworthy Worms

Worms are certainly an online threat. Although you probably hear the word “virus” more often than you hear the word “worm,” in today’s world, worms are among the most infectious bits of program code to damage computer systems.
The reason worms are so dangerous lies in their ability to spread so quickly to so many users, as well as their ability to compromise servers for the purpose of performing DoS attacks.
Let’s take a look at several well-known worms to see what factors made each of them such a nuisance.
Code Red. In July 2001, Code Red debuted as a particularly dangerous, active worm. It propagated very quickly and only took nine hours to infect more than 250,000 systems. One of the goals of Code Red was to launch a DoS attack on the server administering a White House web site. Although government officials avoided the DoS attack by moving the site’s server to a different IP address, the amount of traffic Code Red caused other servers to endure, including those of ISPs, either shut them down or slowed them to an agonizing crawl.
Code Red worked by taking advantage of vulnerabilities in Microsoft Windows NT 4.0, Windows 2000, the beta version of Windows XP, and IIS (Internet Information Server) 4.0 and 5.0. Microsoft soon released patches to block Code Red and other worms from performing such exploitations.
Goner. This worm arrives in the payload of a Trojan horse attachment. The message indicates that the attachment is a screen saver, and the file has a .SCR extension, the extension Windows uses for screen savers (which are ordinary executable programs), so it appears to be a harmless screen saver.
But when a recipient launches the SCR file, the Trojan horse opens and unleashes the Goner worm. An on-screen error message appears to distract the user while the worm does its dirty work in the background. And Goner’s dirty work is quite dirty: It puts a stop to the activities of anti-virus software, making the system vulnerable to many types of attacks, and then it sends copies of itself to other systems.
Hybris. Also known as Snow White, this passive worm arrives as an email attachment and contains no malicious code beyond the means to propagate. After a user launches the Hybris attachment, it alters the WSOCK32.dll file. The user will notice no immediate effect and may not even realize malware has infected his computer. But each time the user sends an email message to someone afterward, Hybris will send a message of its own to that same recipient. The message appears to come from the user, and its subject line is “Snowhite and the seven Dwarfs – The REAL Story!” Hybris attaches a copy of itself to this Snow White message.
Hybris doesn’t compromise a system’s security or damage files; instead, it does its damage by doubling the number of email messages each infected user sends. So if a network is hit with the Hybris worm, it may become slow or shut down under the weight of the additional traffic.
Nimda. The Nimda worm has many methods of propagation. It forwards copies of itself as an attachment to an email message, transmits through shared network folders, scans for vulnerable IP addresses, enters through backdoors (vulnerabilities that let hackers or code enter a system and control it remotely), and infects web sites, altering their HTML (Hypertext Markup Language) code to include a copy of the worm. A user could therefore unknowingly download the worm simply by visiting an infected web site.
When the Nimda worm propagates, it alters the code of web documents (such as HTML files) or executable files. Also, it changes its name to one of many file names when it replicates, making it harder to detect its presence. Unlike Code Red, Nimda can affect workstations and servers, as well as systems running Windows 95, Windows 98, Windows Me, WinNT, and Win2000.
The email side of the worm has several components. First, Nimda collects the email addresses to which it will send itself by scanning a user’s cached HTML files and email messages. After attempting to send itself to all these recipients, Nimda waits 10 days before collecting email addresses and attempting to propagate through email once again.
Nimda also alters system directories and web files and turns on the File Sharing feature of the infected system’s OS (operating system). On systems running WinNT or Win2000, Nimda goes a step further: it creates a Guest account and adds it to the Administrators group, giving this account permission to write to files and breach the system’s security further.
Finally, because of the speed at which Nimda can propagate, the increased traffic it causes can flood a system and cause a DoS-related failure.
SirCam. When SirCam’s creator unleashed this worm, it not only sent itself through the network, causing delays in service, it also compromised the privacy of many users.
SirCam arrives in one of two ways: by replicating through shared networks or by adding code to an email attachment. If SirCam propagates through a shared network, it’s simply a worm, able to propagate without any interaction on the part of the user. If, however, SirCam propagates through email, it hides in the payload of a Trojan horse.
A SirCam-infected email message usually comes from someone the recipient knows and includes an attachment with two file extensions, such as .XLS.EXE or .DOC.BAT. Windows runs the file according to its final extension, while the first extension makes it look like a spreadsheet or document. This is technically a combination of a Trojan horse and a worm because the user must launch the Trojan horse to unleash the worm. (But this is only true for the email version of SirCam; the version that spreads through shared networks requires no interaction to propagate.)
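The two attachment tricks described above, Goner’s executable .SCR “screen saver” and SirCam’s document-name-plus-executable-extension pairs such as .XLS.EXE, are exactly what a mail gateway or desktop filter should flag. The following Python script is an added example and is not code from the original post or from any product; the extension lists and the sample attachment names are constructed for illustration, and a real deployment would extend the executable list to every type the local Windows build will run.

```python
# Added example: flag attachment names that use the disguises described above,
# i.e. a directly executable type (e.g. .SCR, Goner-style) or a benign document
# extension followed by an executable one (e.g. .XLS.EXE, SirCam-style).
# Extension lists and sample names are constructed for this example.
import os
from dataclasses import dataclass

# File types Windows runs directly when double-clicked (constructed subset).
EXECUTABLE_EXTS = {".exe", ".bat", ".scr", ".com", ".pif", ".cmd", ".vbs", ".js"}
# Benign-looking document types that worms borrow for the first extension.
DOCUMENT_EXTS = {".doc", ".xls", ".txt", ".pdf", ".jpg", ".gif", ".zip", ".rtf"}


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def split_extensions(filename: str) -> list[str]:
    """Return every trailing extension, lowercased, in order.

    'letter.DOC.BAT' -> ['.doc', '.bat']; 'readme' -> [].
    """
    exts = []
    name = os.path.basename(filename)
    while True:
        name, ext = os.path.splitext(name)
        if not ext or not name:  # no more extensions, or a dotfile like '.profile'
            break
        exts.insert(0, ext.lower())
    return exts


def classify(filename: str) -> Verdict:
    """Decide whether an attachment name matches a known worm disguise."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(filename, False, "no extension")
    last = exts[-1]
    if last not in EXECUTABLE_EXTS:
        # Windows acts on the final extension, so a non-executable last
        # extension (e.g. archive.tar.gz) is not one of these disguises.
        return Verdict(filename, False, f"non-executable type {last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return Verdict(filename, True,
                       f"document extension {exts[-2]} hiding executable {last} (SirCam-style)")
    if last == ".scr":
        return Verdict(filename, True, "screen-saver file is an executable (Goner-style)")
    return Verdict(filename, True, f"directly executable attachment {last}")


def scan_attachments(names):
    """Classify a batch of attachment names, e.g. from a mail-gateway log."""
    return [classify(n) for n in names]


# Constructed sample attachment names, modelled on the descriptions above.
SAMPLE_ATTACHMENTS = [
    "grades_spring.XLS.EXE",   # SirCam-style double extension
    "letter_to_mom.DOC.BAT",   # SirCam-style double extension
    "cute_puppies.SCR",        # Goner-style screen saver
    "budget.xls",              # ordinary spreadsheet
    "readme",                  # no extension at all
    "archive.tar.gz",          # two extensions, neither executable
]

if __name__ == "__main__":
    for v in scan_attachments(SAMPLE_ATTACHMENTS):
        action = "BLOCK" if v.suspicious else "allow"
        print(f"{action:5} {v.filename:24} {v.reason}")
```

The check deliberately keys on the final extension because that is what Windows honours when the file is opened; the first extension is only there to mislead the reader, and with Explorer’s default “hide extensions for known file types” setting it is often the only one the user sees.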
If a user opens the attachment, two things happen. First, a document “stolen” from the last infected system (that of the email message’s sender) opens. Second, the action unleashes the worm, which then changes the Registry and copies itself into a temporary folder and the Recycled folder.
Next, SirCam searches for email addresses in a user’s address book and cached files. It then randomly selects a personal file from the user’s hard drive, attaches its code to the file, and sends copies of this file to the addresses it located on the infected system.
SirCam is dangerous for a couple of key reasons. First, because SirCam sends itself to people in a user’s address book, it looks as if the message comes from a trusted friend or colleague. Second, because SirCam sends copies of random files to other recipients, there is a risk for a huge violation of privacy.
For instance, SirCam might infect a professor’s computer and send copies of a document containing student names and grades. The worm also might infect a home user’s system and send copies of a personal Microsoft Word document, such as a private letter, to everyone in the user’s address book.