
CHAPTER 9
Strategies of Computer Worms

“Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect.”
—Concise Oxford English Dictionary, Revised Tenth Edition

304543_ch09.qxd 1/7/05 9:05 AM Page 313

9.1 Introduction

This chapter discusses the generic (or at least “typical”) structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a “worm.” We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses[1]. Let me explain.

The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take control of remote systems without any help from the users, usually exploiting a vulnerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats.

Table 9.1 Well-Known Computer Worms and Their Infection Methods

Name / Discovered                       | Type                                      | Infection                                                  | Execution Method
----------------------------------------|-------------------------------------------|------------------------------------------------------------|-----------------------------------------------------
WM/ShareFun, February 1997              | Microsoft Mail dependent mailer           | Word 6 and 7 documents                                     | By user
Win/RedTeam, January 1998               | Injects outgoing mail to Eudora mailboxes | Infects Windows NE files                                   | By user
W32/Ska@m (Happy99 worm), January 1999  | 32-bit Windows mailer worm                | Infects WSOCK32.DLL (by inserting a little hook function)  | By user
W97M/Melissa@mm, March 1999             | Word 97 mass-mailer worm                  | Infects other Word 97 documents                            | By user
VBS/LoveLetter@mm[2], May 2000          | Visual Basic Script mass-mailer worm      | Overwrites other VBS files with itself                     | By user
W32/Nimda@mm, September 2001            | 32-bit Windows mass-mailer worm           | Infects 32-bit PE files                                    | Exploits vulnerabilities to execute itself on target

Table 9.1 suggests that infection of file objects is a fairly common technique among early, successful computer worms. According to one of the worm definitions, a worm must be self-contained and spread whole, not depending on attaching itself to a host file. However, this definition does not mean that worms cannot act as file infector viruses in addition to network-based propagators. Of course, many other worms, such as Morris[3], Slapper[4], CodeRed, Ramen, Cheese[5], Sadmind[6], and Blaster, do not have file infection strategies but simply infect new nodes over the network. Thus defense methods against worms must focus on the protection of the network and the network-connected node.

9.2 The Generic Structure of Computer Worms

Each computer worm has a few essential components, such as the target locator and the infection propagator modules, and a couple of other nonessential modules, such as the remote control, update interface, life-cycle manager, and payload routines.

9.2.1 Target Locator

To spread rapidly on the network, the worm needs to be able to find new targets. Most worms search your system to discover e-mail addresses and simply send copies of themselves to such addresses. This is convenient for attackers because corporations typically need to allow e-mail messages across the corporate firewalls, thereby allowing an easy penetration point for the worm.

Many worms deploy techniques to scan the network for nodes on the IP level and even “fingerprint” the remote system to check whether such a system might be vulnerable.

9.2.2 Infection Propagator

A very important component of the worm is the strategy the worm uses to transfer itself to a new node and get control on the remote system. Most worms assume that you have a certain kind of system, such as a Windows machine, and send you a worm compatible with such systems. For example, the author of the worm can use any script language, document format, and binary or in-memory injected code (or a combination of these) to attack your system. Typically, the attacker tricks the recipient into executing the worm based on social engineering techniques. However, more and more worms deploy several exploit modules to execute the worm automatically on the vulnerable remote system without the user’s help. Exploitation of vulnerabilities is the subject of Chapter 10, “Exploits, Vulnerabilities, and Buffer Overflow Attacks.”

Note
Some mini-worms such as W32/Witty and W32/Slammer appear to combine the target locator (network scan) and infection propagator in a single function call. However, they still support distinct features: the generation of random IP addresses and the propagation of the worm body to new targets.

9.2.3 Remote Control and Update Interface

Another important component of a worm is remote control using a communication module. Without such a module, the worm’s author cannot control the worm network by sending control messages to the worm copies. Such remote control can allow the attacker to use the worm as a DDoS (distributed denial of service) tool[7] on the zombie network against several unknown targets.

An update or plug-in interface is an important feature of advanced worms to update the worm’s code on an already-compromised system. A common problem for the attacker is that after a system is compromised with a particular exploit, it often cannot be exploited again with the same one. Such a problem helps the attacker to avoid multiple infections of the same node, which could result in a crash. However, the intruder can find many other ways to avoid multiple infections.

The attacker is interested in changing the behavior of the worm and even sending new infection strategies to as many compromised nodes as possible. The quick introduction of new infection vectors is especially dangerous. For example, the intruder can use a single exploit during the first 24 hours of the outbreak and then introduce a set of others via the worm’s update interface.

9.2.4 Life-Cycle Manager

Some worm writers prefer to run a version of a computer worm for a preset period of time. For instance, the W32/Welchia.A worm
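The IP-level scanning that Section 9.2.1 describes for the target locator is visible on the network, which is where Section 9.1 says defenses must concentrate. The detector below is an added example, not code from the book: it runs over constructed flow records (every host address, port and timestamp is made up) and flags a source that contacts more than a threshold of distinct destinations on one port within a sliding time window, which is the footprint a random-address scanner such as the Witty or Slammer mini-worms leaves, while leaving a normal client and a slow crawler alone.

```python
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port


def scan_alerts(flows, window=10.0, max_distinct=20):
    """Flag (src, dport) pairs whose number of distinct destinations inside
    any `window`-second span exceeds `max_distinct`.  Returns a dict mapping
    the flagged pair to the peak distinct-destination count in one window."""
    by_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_key[(f.src, f.dport)].append((f.ts, f.dst))
    alerts = {}
    for key, events in by_key.items():
        live = Counter()   # dst -> flows still inside the sliding window
        left = 0
        for ts, dst in events:
            live[dst] += 1
            while events[left][0] < ts - window:   # expire flows older than the window
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) > max_distinct and len(live) > alerts.get(key, 0):
                alerts[key] = len(live)
    return alerts


def sample_flows():
    """Constructed traffic for the demo; not a real capture."""
    rng = random.Random(7)
    flows = []
    # Scanner: 200 random destinations on a single port within 4 seconds.
    for i in range(200):
        dst = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        flows.append(Flow(i * 0.02, "10.0.0.5", dst, 1434))
    # Ordinary client: the same 5 web servers revisited over 5 minutes.
    for i in range(60):
        flows.append(Flow(i * 5.0, "10.0.0.8", f"198.51.100.{30 + i % 5}", 80))
    # Slow crawler: 100 distinct hosts, but only one per minute.
    for i in range(100):
        flows.append(Flow(i * 60.0, "10.0.0.9", f"203.0.113.{i + 1}", 80))
    return flows
```

Tuning `window` and `max_distinct` against the site's own baseline keeps the crawler case below the threshold; a second detector keyed on the destination port alone would also catch a worm that spreads its scan across many source hosts.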
U-M EECS 588 - Strategies of Computer Worms