The following paragraphs try to clean up some of the messy terminology around
malicious programs.
Unfortunately, the language found in most press coverage of computer security
incidents is notoriously imprecise, and even the vendors of security software
have shown a tendency towards a hyped-up rhetoric better suited to induce fear
than clarify.
The distinction of worms and viruses was taken from [Staniford2003].
A virus (plural "viruses") is a malicious program that infects computers by installing itself in a place where it will be regularly executed while the system is running. In order to become effective, viruses require user action, such as clicking on a mail attachment to execute it.
To reproduce, a virus may try to infect (i.e. copy itself into) other programs or documents that allow the inclusion of executable content (such as texts or spreadsheet data containing macros) and wait for them to be transferred to other potential victims and eventually activated, or to mail copies of itself to other users in the hope that they will execute it.
The most typical infection vector for viruses today is the email attachment, which provides easy access to millions of
inexperienced users. The mail body lends itself well to the social engineering
needed to coerce the victims into activating the virus code.
In the days before every household was connected to the internet, viruses
travelled on privately shared floppy disks containing infected software, or on
improperly screened CD-ROM supplements of computer magazines. Some vendors even
distributed viruses with their official installation media by accident.
Since the leading operating system and mail client manufacturer has long preferred ease-of-use and integration over even the most basic security precautions with a stubborn incompetence that is hard not to interpret as outright sabotage, viruses today comprise as much as 40 per cent of the total mail traffic on the internet during heavy outbreaks (MyDoom/Novarg 2004). The damage in bandwidth consumption alone is immeasurable and the network congestion affects even sites with carefully implemented virus protection.
On the upside, these blatant software deficiencies have created a thriving new industry, as third-party anti-virus software is mandatory to connect any Microsoft Windows system to a public network.
A worm is a malicious program similar to a virus, with the notable difference that it does not require any user interaction to spread. Instead, it exploits a programming error in server software or the underlying operating system to infect a machine. This means it requires an appropriate weakness to be present on the target.
Once a target is infected, the worm activates itself and begins to use the network resources of the victim to scan for other potential targets. Since the infection happens automatically, worms spread many orders of magnitude faster than viruses.
Apart from the nuisance and damage from network congestion due to scanning traffic, worms may contain a payload, i.e. perform actions determined by the attacker on the infected hosts. These may include destruction (or worse, subtle alteration) of data, password or data sniffing or the installation of back doors, persistent programs that run stealthily in the background and provide the attacker with remote system access.
Often, the many thousands of infected hosts are used as part of a flood net to launch distributed denial-of-service (DDoS) attacks against third-party sites by simply overloading them with bogus requests. These incidents are very hard to defend against since there is no coherent IP range to block, and the traffic is almost indistinguishable from legitimate usage.
Recently, spammers have been known to use networks of compromised hosts as untraceable (and readily disposable) mail relays.
In this paper, we will use the term worm for the
code itself and in a more general way for the worm design. A single
active piece of worm code on an infected host (and, for simplicity, the infected
host itself) will be referred to as a worm
instance.
To emphasize the likeness of worm outbreaks to the proliferation of contagious
diseases, we will borrow the medical terms epidemic to denote a locally confined spreading pattern
around a clearly defined center, and pandemic for
simultaneous occurrences of new infections in many distinct places with no
obvious origin or locality.
It appears that like so many computer terms, both "virus" and "worm" have their origin in science fiction literature. Refer to [Spafford1988], p.4, for details.
A trojan (short for the "trojan horse" of Greek
mythology) is a program that pretends to do something useful, while actually
performing malicious actions either openly or surreptitiously in the
background.
Apart from its camouflage that encourages people to run it and
possibly pass it on to friends, a trojan has no active mechanism for
replication.
A popular form of trojan is the dialler, a program causing a user's modem to dial a special phone number belonging to the originator, which produces horrendous costs per minute that will be charged to the victim's phone bill. Most diallers masquerade as access programs to pornographic content.
Hoaxes are chain mails that intentionally spread misinformation, often about computer security issues.
One notorious hoax tried to persuade the readers to perform some action described
as a security countermeasure (such as deleting files from their disks which
allegedly belonged to viruses, but were critical system files instead,
effectively talking the victims into maiming their own systems), and to forward
the "important security news" to all their email contacts.
Another classic hoax is the heart-breaking story of some child suffering from a
terminal disease with a few months to live, and would the readers please send a
postcard to the following address with some kind words, this being the last wish
of an innocent being wasting away in the prime of its youth - and, yes, please
also forward this letter to everyone you know.
While they abuse people's goodwill and create fear and misconceptions, hoaxes have no direct adverse effects on machines, as they do not contain any code.
In order to function, a worm needs to perform a number of tasks:
These tasks are completely orthogonal, and we will look at approaches to each of them individually with the assumption that actual worms can consist of any combination of these.
At the core of each worm epidemic lies a programming flaw in some server software that enables a remote attacker to gain privileged access to a system.
The most frequent type of flaw is the buffer
overflow, where a user-provided data string is stored in a fixed-size
memory area without prior length checking. In languages such as C, which for
efficiency reasons perform no bounds checking or memory protection, a string longer
than the allocated length will overwrite whatever follows the allocated area on
the process stack, including the saved return address that determines where
execution continues (thus the term stack smashing attack).
In the usual case, this will cause the program to
either produce bogus output or crash with a segmentation violation if a pointer
address was altered by accident. But if the extraneous data is carefully
crafted, it can be used to inject arbitrary code into the running
process, inheriting its privileges.
The usual approach is to include the
binary equivalent of the C statement execve("/bin/sh", NULL, NULL);
(the UNIX system call to execute a command shell) along with appropriate padding
and a number of jump instructions to increase the likelihood that the execve()
portion will actually be called (cf. [AlephOne1996] for a detailed discussion
of stack smashing techniques).
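The flaw described above, as an added example that is not part of the original paper: a user-supplied string copied into a fixed-size stack buffer with no length check, beside the hardened form that refuses input that does not fit. The buffer size, function names and sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size stack buffer (constructed example value) */

/* Vulnerable pattern: strcpy() copies until it finds a NUL byte, so any
 * input of NAME_LEN bytes or more writes past the end of 'name' and
 * clobbers whatever the compiler placed after it on the stack, including
 * the saved return address. Shown for contrast only; calling it with an
 * over-long string is undefined behaviour. */
int greet_unchecked(const char *user_input)
{
    char name[NAME_LEN];
    strcpy(name, user_input);              /* no bounds check at all */
    printf("hello, %s\n", name);
    return 0;
}

/* Returns 1 if 'user_input' would not fit in a NAME_LEN buffer
 * (the terminating NUL byte needs one slot as well). */
int would_overflow(const char *user_input)
{
    return strlen(user_input) >= NAME_LEN;
}

/* Hardened form: check the length before copying and copy exactly the
 * number of bytes that were checked. Returns 0 on success, -1 if the
 * input was rejected as too long. */
int greet_checked(const char *user_input)
{
    char name[NAME_LEN];
    size_t len = strlen(user_input);

    if (would_overflow(user_input)) {
        fprintf(stderr, "rejected input of %zu bytes (max %d)\n",
                len, NAME_LEN - 1);
        return -1;
    }
    memcpy(name, user_input, len + 1);     /* len bytes plus the NUL */
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    /* constructed sample inputs: one that fits, one that does not */
    greet_checked("alice");
    greet_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");  /* 32 bytes: refused */
    return 0;
}
```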
Once an appropriate exploit is found, all that is left to do for a worm writer is to code an efficient means for the worm to propagate. A number of different approaches are possible:
When targeting, the worm basically has two options.
It can either aim at maximum speed, giving itself
away by huge amounts of highly suspicious network traffic, in the hope that it
will already have completed its mission by the time countermeasures become
effective, or go for stealth, emitting only a few
scans in varying intervals, to remain unnoticed long enough to do its job.
When the worm has found a promising target, it will try to launch the exploit.
It is customary to send a short probe first to find out whether the target has
already been infected by another worm instance. This is especially important
when the exploit code is comparably huge, to minimize superfluous network
traffic.
In cases where the code is small, targeting and attacking can be
combined into one step (as seen with the SQL Slammer worm [Moore2003], whose
exploit consisted of a single UDP packet of some 400 bytes).
Again the tradeoff in conducting the attacks is speed vs. stealth.
After successfully exploiting a flaw, the worm code runs with the security privileges of the compromised process. If the server runs with root (UNIX) or Administrator (Windows) privileges, the attacker effectively owns the machine, but even lesser privileges offer a surprising number of other options besides mere reproduction.
The most common payload is a short piece of code that will deface web sites found on the infected host, usually by
adding lines such as "L33T CRACKERZ 0WN U" or similar poetic utterances.
Such actions are not considered truly malevolent by many, since they merely
show off the fact that a vulnerability was found and abused, and in turn cause
it to be fixed before actual damage is done.
However, the loss of credibility for the website owner can be immense if
this happens on a business transaction site handling credit card data, or on the
front page of a company dealing in cyber security. But then, this embarrassment
has a very good reason :-D.
Since web site defacements provide the worm
author with a public forum for his or her pseudonym and "message", it is
the most frequent type of payload.
Things become a lot nastier when important data is wiped
out or, worse because likely to go undetected, subtly altered by a worm.
This is the network equivalent to indiscriminate vandalism and sabotage in real
life, and is not endorsed nor tolerated among the hacker community, who often
can be found talking rather enthusiastically about worms for the technical
challenges they pose and the cleverness that went into them. Apart from ethical
considerations, random destruction is too easy to code and inelegant, and
will at best win the author a reputation as a brute and not very intelligent
sociopath.
For this reason, vandalizing worms have been rare.
From a worm author's point of view, the most interesting payload is the
back door that remains in effect even after the
worm itself has ceased to operate.
A successfully planted back door will grant the attacker complete control over
the machine via a concealed communications channel that will not easily be
noticed by the legitimate administrator.
Once in place, back doors can be
used for further attacks that seem to originate from the unknowing victim, and
to abuse the storage and bandwidth resources of the victim for distributed
denial-of-service attacks or sharing and distribution of warez, pornography or
other unwanted and possibly illegal data.