Understanding Worms, Their Behaviour and Containing Them

Farhan Syed, farhans@cse.wustl.edu
(A project report written under the guidance of Prof. Raj Jain)
Source: http://www.cse.wustl.edu/~jain/cse571-09/ftp/worms/index.html

Abstract

Worms have emerged as one of the most potent threats to network security in recent years. In this paper we present a detailed introduction to worms. The paper is intended for network security researchers who need a brief yet comprehensive and technical introduction when they start their research on worms. It covers a detailed introduction to worms and briefly discusses some of the most potent and dangerous worms known today.

Table of Contents

1 Introduction
2 Definition
  2.1 Where and how does it start
  2.2 What it affects
  2.3 How does it spread
  2.4 What is it intended to do
3 Brief History of worms
4 Understanding Popular Worms
  4.1 Creeper Worm
  4.2 Morris Worm
  4.3 Melissa Worm
  4.4 ExploreZip
  4.5 ILOVEYOU
  4.6 Code Red
  4.7 Nimda
  4.8 Mydoom
  4.9 Sasser
5 Aspects of designing a worm
  5.1 Finding Vulnerabilities in a system
  5.2 Speed of propagation
  5.3 Stealth
  5.4 Propagation Vectors
6 Detecting Worms
  6.1 Detection by Monitoring mistrusted processes
  6.2 Detection by Monitoring trusted processes
  6.3 Detection by Byte Pattern Monitoring
  6.4 Detection by Monitoring IP address scanning
  6.5 Detection by deploying Guardian Nodes
7 Containing and Destroying Worms
  7.1 Quarantine and Monitor
  7.2 Setting minimal permissions for specific processes
  7.3 Installing the latest update from antivirus software and Operating System vendor
8 Summary
9 References
10 List of Acronyms

1 Introduction

The paper discusses worms, one of the most potent threats to network security. Worms have the unique ability to mimic the approach taken by biological viruses. They can infect a host and then choose a medium to propagate to a neighboring host.
Generally, the intent of the worm is assumed to be malicious. There are some worms which do not have malicious intent; they are referred to as anti-worms.

The paper is divided into six sections. The first section defines the worm using various criteria. Section two tabulates all the well-known worms so far. The next section discusses some of the most potent worms. In section four we discuss the aspects of worm design. The next section is dedicated to the methods used to detect worms. The last section talks about containment and elimination of worms. Throughout the paper we refer to the computer as the host or PC and to the person or victim as the user.

2 Definition

Worms are one of the most ill-defined concepts in network security. There is still no universal consensus on the definition of a worm. Worms and viruses usually display similar characteristics, and their intention is also similar. To define worms, we consider the following points and then build the definition on them.

2.1 Where and how does it start

Worms can start on a host computer in various ways. A worm may be an attachment to a mail; when the attachment is opened, the code written in the worm executes. This is called invocation by human intervention. A worm may also start without any human intervention, for example on rebooting the system.

2.2 What it affects

It affects the host. In contrast to computer viruses, it can affect anything on the host. It may corrupt the files on the host. It may affect communication of the host with other systems. It may disable the anti-virus software on the host, which enables it to cause more damage. Computer viruses, on the other hand, are very specific to files. Worms have a broader scope of attack than viruses.

2.3 How does it spread

Worms are self-replicating code. This is the most distinctive feature of a worm. Once a worm infects a host, it tries to find a nearby host which it can access and copies itself to that host. There it performs the same actions that it performed on the original host.

2.4 What is it intended to do

The intention of the worm depends on what its authors designed it for. Usually worms are intended to cause DoS attacks, cause mischief, or collect personal information from the host. A worm may scan the host and send all the confidential information on the host to the authors. It may create a back door on the host, allowing the author to remotely control the host. It may simply delete all the files on the host.

Based on the points mentioned above, we can define worms as follows: "A worm is a computer program which can self-replicate and propagate over the network, with or without human intervention, and has malicious intent."

3 Brief History of worms

Now that we have defined worms, we take a brief look at the worms encountered until today. A very brief description of each worm is provided in Table 1. The next section discusses some of these worms in detail.

Table 1: History of Worms
Source: [Wiki09], [Darrell03], [Eisenberg89], [Chen04], [Symantec99], [Arbaugh00], [Cliff02], [Chen03], [Cynthia04]

Worm: Creeper
Author: Bob Thomas
Release/Discovered Date: Early 1970s
Characteristics: Infected DEC PDP-10 computers running the TENEX OS. It replicated copies of itself to remote systems via ARPANET and displayed the message "I'm the creeper, catch me if you can".
Damage: No damage. Was an experimental program.

Worm: Morris
Author: Robert Tappan Morris
Release/Discovered Date: 2 Nov 88
Characteristics: Infected DEC VAX and SUN machines connected to the internet running BSD UNIX OS. It targeted the buffer overflow flaw of operating systems.
Damage: Over 10 million USD

Worm: Happy99
Author: Spanska
Release/Discovered Date: Mid Jan 1999
Characteristics: Infected Windows OS. When executed, modified Winsock and attached itself to all the mails sent by the user.
Damage: No physical damage

Worm: Melissa
Author: David L. Smith
Release/Discovered Date: Mid March 1999
Characteristics: Was a macro in a Word file that had passwords to 80 pornographic websites. When the macro was executed, it picked up the first 50 entries in the address book of the host and mailed a copy of itself. It clogged the mail servers.
Damage: Estimated over 400 million USD

Worm: ExploreZip
Author: Author not known
Release/Discovered Date: 6 Jun 99
Characteristics: Propagated as a zipped attachment in Microsoft Outlook and registered itself in the Windows NT Registry. Re-executed itself upon system reboot and mailed itself to all the people in the Outlook address book. Also deleted Microsoft documents and C and C++ source files.
Damage: Not known
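The Melissa and ExploreZip rows in Table 1 describe one infected host mailing the same attachment to many address-book entries in a burst, which is visible at the mail gateway. The following detector is an added example, not code from the paper; the record layout, the attachment identifiers, the 5-minute window and the 50-recipient threshold (chosen to match Melissa's 50 entries) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_mass_mailers(records, window=timedelta(minutes=5), min_recipients=50):
    """Flag (sender, attachment) pairs that reach at least `min_recipients`
    distinct recipients inside a sliding time window.

    records: iterable of (timestamp, sender, recipient, attachment_id).
    Returns {(sender, attachment_id): peak distinct recipients in a window}.
    """
    recent = defaultdict(deque)   # (sender, attachment) -> (ts, recipient) in window
    flagged = {}
    for ts, sender, rcpt, att in sorted(records):
        key = (sender, att)
        q = recent[key]
        q.append((ts, rcpt))
        # Drop deliveries that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct >= min_recipients:
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged

# Constructed sample records (hypothetical addresses and attachment ids).
BASE = datetime(1999, 3, 26, 9, 0, 0)
RECORDS = []
# Worm-like burst: same attachment to 50 recipients, one per second.
RECORDS += [(BASE + timedelta(seconds=i), "alice@example.test",
             f"user{i}@example.test", "att-A") for i in range(50)]
# Normal mail: one attachment sent to three colleagues.
RECORDS += [(BASE + timedelta(minutes=i), "bob@example.test",
             f"peer{i}@example.test", "att-B") for i in range(3)]
# Slow legitimate mailing: 60 recipients, one every 10 minutes.
RECORDS += [(BASE + timedelta(minutes=10 * i), "carol@example.test",
             f"sub{i}@example.test", "att-C") for i in range(60)]

if __name__ == "__main__":
    for (sender, att), n in find_mass_mailers(RECORDS).items():
        print(f"burst: {sender} sent {att} to {n} recipients within the window")
```

Only the burst is flagged; the slow 60-recipient mailing never has more than one delivery inside the window.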


WUSTL CSE 571S - Understanding Worms, Their Behaviour and Containing Them
