A computer worm is, by definition, a self-replicating program that infects computers. Worms can be malicious or put to benign use. They use a computer network to move from computer to computer, and they can be made to send themselves through email and other channels that the user may not notice. Unlike viruses, worms do not need to attach themselves to files to get onto a computer.
Worms can attack and infect computers using the latest exploits for that system. This arrangement is called a wormnet: the original worm learns of a new exploit, whether by automated means such as AI and Exploit-DB or by the original creator writing a new exploit into the worm and sending it out. Each copy then carries the source of the worm it was copied from, so it can go on to infect more computers. This method of high-level attack can keep a single worm going for many months.
The difference between worms and viruses is that viruses exist to cause harm on purpose; they can modify or corrupt the system. Worms, however, cause harm to the network, whether by simply consuming bandwidth or by hooking computers into botnets.
Payloads are extra pieces of code that make the worm do more than just copy itself; they can cause harm to the victim, as ExploreZip did. This worm was sent to victims by email. When opened, it would copy itself and modify WIN.INI so that it was started again on reboot. It would then look for Outlook and send itself to everyone in the mail contacts. Other payloads encrypt a user's files and then display a pop-up asking the user to pay money to unlock their content, or else it will be deleted. This is called ransomware, and a few worms have carried it.
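The WIN.INI trick described above (a `run=` or `load=` entry under `[windows]` that launches a program at startup) can be checked for with a few lines of code. The following is an added example, not code from the original post: it parses a constructed WIN.INI sample and reports populated auto-start entries. The file path in the sample is a placeholder, not a real ExploreZip artefact.

```python
"""Flag 'load=' / 'run=' auto-start entries in the [windows] section of WIN.INI."""
import re

# Constructed sample WIN.INI (hypothetical path, not a real malware artefact).
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\example_worm.exe
NullPort=None

[fonts]
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([^=;]+?)\s*=\s*(.*?)\s*$")


def autostart_entries(text):
    """Return {key: value} for non-empty load=/run= keys in [windows].

    A hand-rolled parser is used instead of configparser because legacy
    WIN.INI files may contain duplicate keys and values configparser rejects.
    """
    section = None
    found = {}
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "windows":
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("load", "run") and value:
            found[key] = value
    return found


def check_win_ini(text):
    """Return one warning string per populated auto-start entry."""
    return [f"WIN.INI [windows] {k}={v}" for k, v in autostart_entries(text).items()]


if __name__ == "__main__":
    for warning in check_win_ini(SAMPLE_WIN_INI):
        print(warning)
```

On a real system the same check would be run over `%WINDIR%\WIN.INI`; an empty result is the expected state on a clean machine.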
Some payload-free worms, like the Morris worm and MyDoom, didn't cause any actual damage to the host but still caused network trouble.
Other payloads are backdoors, keyloggers and RATs (Remote Administration Tools). A backdoor lets a system be accessed again without the need to break in a second time, since the system has already been compromised; backdoors are usually shells left open for the attacker to use. Keyloggers are scripts that capture which keys are pressed. They can send reports to the attacker live as the user types, or the reports can be uploaded to an FTP server when the victim or the attacker is offline. That FTP server needs a username and password, and the problem is that if this code isn't obfuscated and the worm is found and its source opened, the attacker may get caught.
A RAT is a program that connects the victim to the attacker. Some advanced RATs let the attacker use the camera, the microphone and the on-screen keyboard, and most include a keylogger and several other tools. The best-known RAT is DarkComet, which can be tied to a worm to make it very dangerous.
Not all worms are bad, though. There are worms that infect computers in order to patch them. I would make a Windows Update joke here but that's too obvious. These worms use user-made patches for computers. Some, like the Nachi family of worms, tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system, by exploiting those same vulnerabilities. These worms continued to infect and clean, and so on, until they hit a dead end and deleted themselves. However, these worms worked without the user's consent and rebooted the computer when the update was complete.
Worms can now spread through many other means, such as social sites like Facebook, by means of clickjacking and likejacking. These trick the victim into doing something without their knowledge, such as editing account information or visiting a site via an iframe, which can infect them.
Protecting against worms can be easy unless the bad guys have the upper hand. Zero-day exploits are exploits for which there is no patch yet. These can be very dangerous, and it can take some time for them to surface so that the vendor can start fixing them. Keep your system updated and keep an eye on what needs urgent updates, such as Java. Flash, as well as Java, needs to be monitored and kept up to date to protect your system from attack.
My personal favourite worm is the Blaster worm, which was written back in 2003 by a team of Chinese hackers and used to infect American computers. This worm infects the victim and then says it will shut down the computer in 60 seconds. If the user cannot react quickly enough to kill the process, the computer will shut down and reboot over and over. Before shutting down, this worm would do one of a few things to infect other computers. It would look for Outlook and use it to send itself to others. It would try to hijack an email session cookie for Hotmail or Yahoo. It would try to infect, via port scanning, the computers it was in contact with and attack them, whether over a wifi or a wired connection.
Well-known worms like the Conficker worm, in my opinion, got way too much press for what they did. There are several versions of the worm, and what was not told to the public was that users who were not infected with Conficker.A-D were not going to get infected with Conficker.E. This lack of information caused global panic and let companies like Symantec run rampant claiming that it was from Russia, it was from the UK, and accusing people of writing it. They never found the person; they just proved that they are full of crap and know nothing about security, as they can't even do their jobs right.
The Conficker worm did very little: it blocked users from running some programs that would give it away. It killed processes, and an error in the code of Conficker.B let the worm kill itself and try to restart itself at the same time, causing infected computers to run hot after an hour or so of this. This error was fixed in Conficker.C. It also stopped the victim from looking up certain words, phrases, sites or IP ranges. The worm also lifted the limit on how much data could be sent over the network. The Conficker family is classed as severe, which is quite strange, as it does no real long-term damage and has a simple fix. This is very strange, as no other worm is classed as severe without doing real damage to the computer. This is proof that the media can seriously make things worse when they talk about things they don't know about.
The media and worms go about as well together as gas and fire do. When they come together, things just blow up and get out of hand. Lacking understanding, they are there to report a new unholy worm that will eat your memory and email your porn to your grandmother, when it will actually do what Conficker does: very little. People report on these new worms before experts can even dissect the matter. It's all rush in, get some small detail, blow it all to hell and scare half the internet offline. On top of that, relying on companies like Symantec, AVG and Kaspersky is a problem: they have bad track records of keeping things quiet and monitoring badly, as they are more focused on profit than on simply trying to catch and stop worms and viruses.
This sort of behaviour has allowed the bad guys to get the upper hand, with new ways of encrypting their methods of attack and moving faster than any company can keep up.
This is a worm race over who can get which worm out fastest, using whatever exploit they can, and an endless fight over which language is dominant in worm creation, C++ or Perl.
So, all in all, the worm is a fascinating piece of work, a masterpiece of coding that uses the most up-to-date attacks and is second to none in the world of infections.