Internet Worms: Walking on Unstable Ground

By | December 4, 2011

Source: SANS Institute

Each day, worms are becoming a more common occurrence on the Internet. As the incidents increase, we must be thinking proactively in order to lessen the negative effects these worms have on the Internet community. It is important to remember that the livelihood of many businesses is based on an Internet presence.
The monetary losses incurred by businesses relating to these worms are hard to measure. Some estimate losses for each occurrence to be around $1 billion. 1 The true value of damages may never be known. Many companies prefer not to publicly report losses since they do not want to diminish customer confidence in their services.
So far, we have been lucky. There has not been a worm that caused widespread permanent damage to computers. Everything we have seen so far has been related to some sort of denial of service. In order to prepare for the future, we need to be thinking ahead to beat worm writers before they release the next worm onto the Internet. The worms we have seen so far have been fairly sloppy. Most propagate slowly, giving system administrators a chance to catch up on their security practices prior to any major damage taking place.

Brief History of Worms
One definition of an Internet Worm is: “A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer’s resources and possibly shutting the system down.” 2 The main difference between a worm and a virus is that the worm purposely replicates until the host runs out of space for it to go any further, while the typical virus infects one host and moves on to the next. This characteristic of worms is what causes them to be particularly damaging as they spread across the Internet and on to private networks.
Worms can be traced back to 1982 at the Xerox Palo Alto Research Center for network experiments. 3 Observations showed that it was difficult to control how many instances of the worm would exist at any one time. This same fact is what allows worms to spread so quickly in the wild. The first malicious worm was launched in 1988 by Robert T. Morris from MIT. Morris realized his worm was spreading faster than he anticipated and tried to post removal instructions. These instructions were not viewed widely due to many administrators removing themselves from the Internet. It is thought this worm caused $98 million worth of damage across the Internet. Morris was sentenced to three years of probation, four hundred hours of community service, $10,050 in fines plus the cost of his supervision.” 4

Starting in the late 1990’s, we began to see an increase in both the frequency and damages caused by worms. On the Microsoft platform, these include Melissa in 1999, Code Red and Nimda in 2001, Slammer and Blaster in 2003. On various Linux platforms, the most famous include Ramen in 2001 and Simile in 2002. We have even seen a few occurrences of worms that can propagate across multiple platforms. Examples include Explorezip and W32.Winux.

We have seen these worms attack via numerous vectors. Some of the most common vectors include open services, modems, peer to peer applications, email, web browser, instant messenger, newsgroups, solid media, and macros. Almost every application written for use on a computer has had some sort of vulnerability discovered. The problem occurs when these services are facing the Internet. This allows them to be exploited any time these vulnerable services are found. Most of these worms are based on newly found vulnerabilities called “zero-day exploits”. 5 This means that the exploit is brand-new and has not been disclosed. Software companies have not had time to create software patches for zero-day exploits.
Another vector available for worms is email. Email worms typically attempt to exploit vulnerabilities in a specific email client such as Microsoft Outlook. These worms will typically attempt to send an infected file or script to all the contacts in the address book. They also often use social engineering by appearing to reply to a legitimate email in the Inbox. This tricks users into opening the email since it appears to be from someone known to the user.
One of the original ways to get a worm or computer virus was through floppy disks. The boot record of a disk could be infected and as the disk was read on a computer, that machine would also get infected. Today, we see the increased use of other solid media such as cdroms and flash media similar to the types used in digital cameras and USB keys. This physical transmission of data is bound to be exploited in the future. Attacks on services are a very common vector by which worms propagate. This is typically because common services run on known ports so that clients can connect without needing proprietary information about the service. It would be very difficult to access a company website if it was set to something other than the standard port 80. This feature common to services running on every platform causes them to become easy targets for worms. We have seen attacks on Internet Information Services (Microsoft’s IIS on port 80), Remote procedure call (RPC on port 135), Microsoft’s SQL Server (database server on port 1434), and File transport protocol (FTP on port 21). Any time an exploit is found, it is quite easy to use the well known port number to search for and attack vulnerable servers. Newsgroups and peer to peer applications are an easy way to share files. This also makes these technologies likely to become an infection vector for worms. The Morris worm mentioned above was first distributed from a newsgroup.Today, peer to peer applications are being used by millions of users and should be thought of as being un trusted. For this reason, it is a good idea to be sure common peer to peer application ports are blocked at the firewall.
We have yet to see worms attack via vectors such as PDAs, cell phones, and wireless technologies such as 802.11 and Bluetooth. Devices such as PDAs and cell phones are just starting to become complex enough to make easy targets. As the code they run becomes more complicated, it will be only a matter of time before vulnerabilities are found and exploited.
Wireless technologies are becoming an increasingly common way for attacks to get into a network. The 802.11b wireless protocol standard has already been proven to be inherently insecure. 6 The implementation of encryption algorithms used for the devices is flawed and can be broken in a matter of minutes. If exploited, this could be just another way for a worm to propagate across computer networks. Bluetooth is not very widespread at this time, but if it gains acceptance as 802.11b did, exploits will surely be found in the protocol. Imagine a worm that could spread from a computer, to a keyboard, to a wrist watch, to a telephone, and then to another computer. As devices become more “user friendly”, we must take the time to thoroughly evaluate the security behind them.

Read the entire document here.

Leave a Reply