Introduction to Internet Worms

by Jörn Nettingsmeier
submitted as term paper for the winter 2003/04 seminar
"Netzwerksicherheit" (Network Security),
held by Prof. Dr. Wolfram Luther
at Universität Duisburg-Essen, Dept. of Computer Science.

Abstract:

The following paper provides a brief introduction to self-replicating malicious programs, the so-called "worms". It is a primer document aimed at beginning network administrators, interested home users and students of network security.
A basic understanding of TCP/IP, UDP/IP and routing is required.
The references section at the end will point you to more in-depth material for your further studies.

After defining "worm" and related terms, we will look at the main components of a worm from the perspective of a malicious worm writer who seeks to optimize its efficiency, stealth, persistence or damage.
By putting ourselves in this position, and by looking at both in-the-wild and (as of this writing) hypothetical worm designs, we hope to achieve a more precise assessment of current and future risks than a "traditional" victim-centric approach would yield.

Revision History, URL:

The latest version of this document can be found at http://spunk.dnsalias.org/public_stuff/cs_papers/Worms/.

Copyright, Credits:

(c) Copyleft 2004 Jörn Nettingsmeier <nettings@folkwang-hochschule.de>.
This document may be freely copied, modified and re-distributed. I would welcome credit if this paper is useful to you, and ask that you do not distribute modified versions with my name on them without clearly indicating all changes.
I take no responsibility if the information given is inaccurate or plain wrong and eats your hardware or damages your data. Corrections are welcome.

This paper owes most of its existence to the excellent "NetWorm FAQ" and other papers by Stuart Staniford et al., listed in the References section.
Whenever you come across a good idea, assume it has been lifted from one of the fine sources mentioned there. Stupid ideas, as well as any mistakes, are mine.

This document uses correct XHTML 1.0 with CSS 2, and so should everyone. Browsers that can render it correctly are Mozilla 1.2+ or, if you must, IE 5.5+.

Table of contents:

  1. Malevolent Code Basics
    1. Definition of terms
      1. Virus
      2. Worm
      3. Trojan
      4. Hoax
    2. Basic Worm Anatomy
      1. Exploits
      2. Propagation
        1. Targeting
        2. Attacking
      3. Payload
  2. Worm design
    1. Design goals
    2. Scanning algorithms
      1. random scanning
      2. topological scanning
      3. weighted random scanning
      4. hit-list scanning
      5. permutation scanning
    3. Hypothetical worm designs
  3. Case Studies
    1. The Morris Worm
    2. Code Red
    3. Sapphire/Slammer
  4. Threats and Countermeasures
    1. Motivations for worm writers
    2. Threat Assessment
    3. Countermeasures
      1. Keep your systems patched
      2. Understand your system configuration
      3. Educating users
      4. Inbound scan blocking
      5. Real-time blacklisting
      6. Worm containment and outbound scan blocking
    4. Conclusion - network security as a commons
  5. References and suggested reading