WUSTL CSE 571S - Understanding Worms, Their Behaviour and Containing Them

Understanding Worms, Their Behaviour and Containing Them

Farhan Syed, [email protected] (A project report written under the guidance of Prof. Raj Jain)
http://www.cse.wustl.edu/~jain/cse571-09/ftp/worms/index.html

Abstract

Worms have emerged as one of the most potent threats to network security in recent years. In this paper, we present a detailed introduction to worms. The paper is intended for network security researchers who need a brief, yet comprehensive and technical, introduction when they start their research on worms. It covers a detailed introduction to worms and briefly discusses some of the most potent and dangerous worms known today.

Table of Contents

1. Introduction
2. Definition
2.1. Where and how does it start?
2.2. What does it affect?
2.3. How does it spread?
2.4. What is it intended to do?
3. Brief History of Worms
4. Understanding Popular Worms
4.1. Creeper Worm
4.2. Morris Worm
4.3. Melissa Worm
4.4. ExploreZip
4.5. ILOVEYOU
4.6. Code Red
4.7. Nimda
4.8. Mydoom
4.9. Sasser
5. Aspects of Designing a Worm
5.1. Finding Vulnerabilities in a System
5.2. Speed of Propagation
5.3. Stealth
5.4. Propagation Vectors
6. Detecting Worms
6.1. Detection by Monitoring "Mistrusted Processes"
6.2. Detection by Monitoring "Trusted Processes"
6.3. Detection by Byte Pattern Monitoring
6.4. Detection by Monitoring IP Address Scanning
6.5. Detection by Deploying Guardian Nodes
7. Containing and Destroying Worms
7.1. Quarantine and Monitor
7.2. Setting Minimal Permissions for Specific Processes
7.3. Installing the Latest Updates from the Antivirus Software and Operating System Vendors
8. Summary
9. References
10. List of Acronyms

1. Introduction

The paper discusses worms, one of the most potent threats to network security. Worms have the unique ability to mimic the approach taken by biological viruses: they can infect a host and then choose a medium to propagate to a neighboring host. Generally, the intent of a worm is assumed to be malicious. There are some worms which do not have malicious intent; they are referred to as anti-worms. The paper is divided into six sections. The first section defines the worm using various criteria. Section two tabulates all the well-known worms so far. The next section discusses some of the most potent worms. In section four, we discuss the aspects of worm design. The next section is dedicated to discussing the methods to detect worms. The last section talks about containment and elimination of worms. Throughout the paper we refer to the computer as the host or PC and to the person or victim as the user.

2. Definition

Worms are one of the most ill-defined concepts in network security. There is still no universal consensus on the definition of a worm. Usually worms and viruses display similar characteristics, and their intention is also similar. To define worms, we will use the following points and then define a worm based on them.

2.1. Where and how does it start?

Worms can start on a host (computer) in various fashions. It may be an attachment to a mail; when the attachment is opened, the code written in the worm executes. This is called "invocation by human intervention". It may also start without any human intervention, for example on rebooting the system.

2.2. What does it affect?

It affects the host. In contrast to computer viruses, it can affect anything on the host. It may corrupt the files on the host. It may affect communication of the host with other systems. It may disable the anti-virus software on the host, which enables it to cause more damage. Computer viruses, on the other hand, are very specific to files. Worms have a broader scope of attack than viruses.

2.3. How does it spread?

Worms are self-replicating code. This is the most distinctive feature of a worm. Once they infect a host, they try to find a nearby host which they can access, and copy themselves to that host. There they perform the same actions that they performed on the original host.

2.4. What is it intended to do?

The intention of the worm depends on what its authors designed it for. Usually, worms are intended to cause DoS attacks (mischief) or to collect personal information from the host. It may scan the host and send all the confidential information on the host to the authors. It may create a back door on the host, allowing the author to remotely control the host. It may simply delete all the files on the host.

Based on the points mentioned above, we can define a worm as:

"A worm is a computer program, which can self-replicate and propagate over the network, with or without human intervention, and has malicious intent."

3. Brief History of Worms

Now that we have defined worms, we will take a brief look at the worms that we have encountered until today. A very brief description of each worm is provided in Table 1. The next section will discuss some of these worms in detail.

Table 1: History of Worms (Source: [Wiki09][Darrell03][Eisenberg89][Chen04][Symantec99][Arbaugh00][Cliff02][Chen03][Cynthia04])

| Worm (Author) | Release/Discovery Date | Characteristics | Damage |
|---|---|---|---|
| Creeper (Bob Thomas) | Early 1970's | Infected DEC PDP-10 computers running the TENEX OS. It replicated copies of itself to remote systems via ARPANET and displayed the message "I'm the creeper, catch me if you can!" | No damage. Was an experimental program. |
| Morris (Robert Tappan Morris) | 2-Nov-88 | Infected DEC VAX and SUN machines connected to the internet, running the BSD UNIX OS. It targeted a buffer overflow flaw of the operating systems. | Over 10 million USD |
| Happy99 (Spanska) | Mid Jan 1999 | Infected Windows OS. When executed, modified Winsock and attached itself to all the mails sent by the user. | No physical damage |
| Melissa (David L. Smith) | Mid March 1999 | Was a MACRO in a Word file that had passwords to 80 pornographic websites. When the MACRO was executed, it picked up the first 50 entries in the address book of the host and mailed a copy of itself. It clogged the mail servers. | Estimated over 400 million USD |
| ExploreZip (Author not known) | 6-Jun-99 | Propagated as a zipped attachment in Microsoft Outlook and registered itself in the Windows NT Registry. Re-executed itself upon system reboot and mailed itself to all the people in Outlook's address book. Also deleted Microsoft documents and C and C++ source files. | Not known. |