A computer worm is a malicious program (computer program or script) with the property of replicating itself once it has been executed. In contrast to the computer virus, the worm spreads without infecting foreign files or boot sectors with its code. Worms often spread via mass email, networks or removable media such as USB sticks. To do this, they usually (but not necessarily need an auxiliary program such as a network service or application software as an interface to the respective network; for removable media, they usually need a service that allows the worm to start automatically after the contaminated medium has been connected (such as Autorun, sometimes also the active desktop of Windows).
Such a utility could be, for example, an e-mail program that the worm uses to distribute itself to all e-mail addresses entered there. Depending on the type of utility, the worm code can sometimes even execute itself on the target systems, so that interaction with the user is no longer necessary to spread from there. Therefore, this method is both more effective and more efficient compared to the method of spreading a virus. However, on systems that do not give the worm access to the required utility, the worm cannot reproduce, or at least not automatically.
The worm belongs to the family of unwanted or harmful programs, the so-called malware, which makes protective measures against worms necessary. In addition to the secret distribution, which already ties up resources without being asked, a possible malicious function of the worm can make changes to the system that cannot be controlled by the user. There is a risk that numerous networked computers will be compromised.
---
Characteristics of Computer Worms
Computer worms are designed to autonomously replicate and spread from one host to another without requiring user interaction. They exploit vulnerabilities in network protocols or software to propagate rapidly across interconnected systems. They often carry a malicious payload, such as a backdoor, remote access tool, or destructive code, designed to compromise the security of infected systems. This payload can vary in nature and can be tailored to suit the attacker’s objectives, including data theft, system hijacking, or distributed denial-of-service (DDoS) attacks.
Unlike other types of malware, worms possess network-awareness capabilities, allowing them to scan and identify potential targets within a network. They utilize techniques such as port scanning, network enumeration, and exploit propagation to identify and infect vulnerable systems. Worms may employ stealth techniques to evade detection by security mechanisms, such as antivirus software or intrusion detection systems. They can also establish persistence on infected systems by installing backdoors or modifying system configurations, ensuring continued access and control for the attacker.
Propagation Methods
Computer worms employ various propagation methods to spread across networks and infect vulnerable systems. Worms may spread through email attachments containing malicious executable files or documents. Many worms use email to spread. Either the executable file or a hyperlink to the executable file is sent. The emails can be sent either by remote control of pre-installed programs such as Microsoft Outlook or by the worm’s own SMTP subroutine. The recipient’s email address is often found in pre-installed address books. However, other files on the hard disks (such as temporary Internet files) can also be used by the worm or e-mail addresses from special websites (such as online guestbooks) can be used for initial distribution. Well-known representatives of this kind are Love letter, which exploded by e-mail in May 2000, or Netsky.
Instant messaging programs such as WhatsApp, ICQ, MSN Messenger or Skype are also vulnerable to malware due to their web connection. A worm of this type spreads by sending a link to a website containing the worm to a messenger. If the user clicks on the link, the worm is installed and executed on their computer, as the instant messenger usually does not contain its own HTML parser, but uses the parser of Internet Explorer. Now the worm sends the link from this computer to all registered contacts.
Worms exploit vulnerabilities in network protocols or software to infect systems connected to the same network. They may target unpatched or outdated systems, exploiting known security flaws to gain unauthorized access and propagate further. Worms can spread through removable media, such as USB drives or external hard drives, by infecting files or exploiting autorun features. When an infected device is connected to a new system, the worm may execute automatically, facilitating further spread.
Peer-to-peer is a form of networking that connects computers in the network without a server, i.e. establishes a direct connection between the individual users. Most of the file-sharing platforms available on the Internet, such as Kazaa, Morpheus or BitTorrent systems, use peer-to-peer technology. There are basically three ways in which a worm spreads in a file-sharing platform:
The first possibility is that the worm copies itself to the shared folder, from which other users can download files. For these types of worms, proper naming is important because more users will download a file with an interesting name than a file with a randomly created name. That’s why there are worms that search for their names on the Internet on special sites in order to be as credible as possible. This type of distribution in file-sharing networks is simple, but not particularly effective, as file-sharing platforms usually tend to exchange rather large files and almost every file-sharing program now has effective filters to exclude certain suspicious file formats.
In the second way of spreading, the worm uses a peer-to-peer protocol to offer an infected file (hashset or .torrent file) to other users of the P2P network as a search result for each search query. The user then copies the worm to their computer as a supposedly sought-after file and infects it when it is opened. This type of distribution is very effective if the worm’s file size is close to the size of the file being searched for, but difficult to program and therefore not widely distributed.
The third method is an attack by the worm on a vulnerability of its neighbors in the P2P network. This method can be very efficient in its propagation speed if no action is required on the part of the user (such as downloading a file and launching it on the computer). The worm then infects these systems in a fully automated manner. As soon as the worm is also able to view a list of its neighbors in the P2P network for each infected client, it can target them in a targeted manner. This allows the worm to prevent detection, as it does not need to establish an excessive number of connections to other systems on the Internet, which is considered abnormal behavior and would be noticeable. A P2P network is based on each user establishing many connections with other participants, which makes it much more difficult to detect the worm based on the traffic it causes.
