IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.11, November 2011 99

An Analytical Survey of Recent Worm Attacks

Vishrut Sharma

Member of ACM, IEEE

ABSTRACT In this paper, I’ve discussed the past and present of worms In this paper, I will present a broad overview of recent worm and related malicious code with special focus on worms attacks starting from the year 2000 through 2011. Some of the like Code Red, Nimda, Slammer, and Conficker. most ‘notorious’ worms were discovered during this period The following section presents the definition and including code red, slammer, and conficker. categories of a computer worm. Though this paper does not contain any original research, it is meant to provide malware researchers with well-documented information of some worms that caused havoc during the said period. After sifting through thousands of entries on virus 2. Definition and Type of Worms information repositories, I present, in this paper, only those that I considered novel in their approach, primarily from a technical In general, worm is a type of malware that can self- perspective. propagate and/or self-replicate over a network of As a summary to the paper, I have presented a broad overview of computers. Self-propagation means it can propagate trends that I extracted from this raw data and also focussed on through a network without human intervention. Self- the ever increasing destructive potential of worms. propagation is what makes a worm differ from a virus. A KEYWORDS virus, on the other hand, usually infects non-mobile files Worms, virus, recent attacks, self-propagating, malwares i.e. those files that when carried from one computer to another computer through a media, may propagate the virus attack thus making virus propagation very slow as 1. Introduction compared to worm. In recent years, many different categories of worms, based The outbreak of Morris worm in 1988 marked a new era on their programming and payloads, have been found. of self-replicating malware. In May, 2000, the Broadly, worms can be categorised as follows:- ILOVEYOU worm also known as VBS/Loveletter appeared and soon infected millions of computers • Email Worms worldwide. The worm came through e-mail with the • Instant Messaging Worms simple subject of "ILOVEYOU" and an attachment • Internet Worms "LOVE-LETTER-FOR-YOU.". The file extension was • IRC Worms hidden by default, leading unsuspecting users to think it • File-sharing Network Worms was a normal text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows • PDF Worms Address Book and with the user's sender address. It also made a number of malicious changes to the user's system. The following sections explain each of these types in This marked the beginning of an era of fast, self- detail. However, this is not a strict classification scheme. propagating, and self-replicating worms. Some worms, like Nimda, fall in two or more categories. In March 2001, cnet declared that 2001 would be “The Year of the Worm” [2]. They predicted that fast-moving, 2.1 Email Worms self-replicating code would become the weapon of choice Such worms spread via infected email messages. Any for those wanting to inflict widespread damage on the form of attachment or link in an email may contain a link Internet. As it turns out, 2001 saw a renaissance in worm to an infected website. In the first case activation starts creation. This culminated in the release of Nimda, an when the user clicks on the attachment while in the second incredibly sophisticated worm that made headlines case the activation starts when clicking the link in the worldwide [1]. email. The goal of this study was to enhance knowledge about Known methods to spread are: recent trends in worm development and attempt to predict - MS Outlook services future worm developments. In this paper, I present my - Direct connection to SMTP servers using their own findings about recent worms, their technical specifications, SMTP API etc. - Windows MAPI functions

Manuscript received November 5, 2011 Manuscript revised November 20, 2011

100 IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.11, November 2011

Table 1: some infamous worms, date of their detection, category, and method of infection. [6], [7], [8] software prior to 2.0.11, Worm Date of which are vulnerable to Category Method of Infection Name Detection the PHPBB Viewtopic.PHP PHP Running the email Script Injection attachment received Vulnerability. VBS/Lo either accidentally or May 4, Email/IR Opens a back door and veletter intentionally will install 2000 C exploits the Microsoft @MM it to the local system, W32/IR Windows Plug and Play and also to all available Cbot.w August Internet/I Buffer Overflow drives. orm!M 16, 2005 RC Vulnerability (described W32/C Exploited Microsoft IIS S05- July 12, in Microsoft Security odeRed. Internet 5.0 IDQ path overflow 039 2001 Bulletin MS05-039) on f.worm vulnerability TCP port 445. Through email and W32/Ni A mass-mailing worm September Email/Inte exploiting various mda.ge that attempts to spread 18, 2001 rnet vulnerabilities present in n@MM through network shares Microsoft IIS Servers Win32. Email/File and lower security January Exploits vulnerability in Nyxem. -Sharing settings. On the third MSOutlook and Outlook 17, 2006 W32/Kl e Network day of every month it November Express & tries ez.gen Email attempts to rewrite files 9, 2001 executing itself when @MM with certain extensions you open or preview the with custom text. message. W32.R W32/S Exploited buffer ontokbr April 22, QLSla January Email A mass-mailing worm. Internet overflow vulnerability in o.AN@ 2006 mmer.w 25, 2003 Microsoft SQL Server. mm orm Spreads primarily Propagates via email through social W32/So Email/File (contains its own SMTP August networking sites as links big.f@ -sharing engine) and attempts to 19, 2003 to videos. When a user MM Network spread via accessible W32/K visits the website that is August 3, network shares. oobface Internet hosting the video, they W32/Ba January Spreads as email 2008 Email .worm are prompted to gle.gen 18, 2004 attachment. download a video codec A mass-mailing worm or other necessary W32.M that arrives as an January update, which is actually yDoom Email attachment with the file 26, 2004 a copy of the worm. @mm extension .bat, .cmd, .ex Exploits the MS08-067 e, .pif, .scr, or .zip. W32/C Microsoft Windows January A mass-mailing worm onficker Internet Server Service 13, 2009 that uses its own SMTP .worm vulnerability in order to W32/N engine to send itself to March 8, propagate. etsky.j Email the email addresses it 2004 Targets systems running @MM finds when scanning WinCC SCADA hard drives and mapped software. It spreads drives. utilizing CVE-2010- Attempts to exploit the W32.St July 13, 2568 which allows Internet vulnerability described uxnet 2010 arbitrary code execution in Microsoft Security W32/Sa via a crafted .lnk file. April 30, Bulletin MS04-011. It sser.wo Internet This has been noted to 2004 spreads by scanning the rm.a spread via removable randomly selected IP USB drives. addresses for vulnerable Attempts to spread using W32.M August systems. Internet the Remote Desktop Attempts to spread to orto 28, 2011 Perl/Sa Protocol. December Web servers running nty.wor Internet W32.D October Not 21, 2004 versions of the phpBB Not known m uqu 18, 2011 known 2.x bulletin board

IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.11, November 2011 101

Attackers have been using email to propagate malicious (CIFS) protocol to gather information and compromise code from as early as 1987, the year when Christmas the target host. CIFS is an extension to Server Message Tree Trojan horse appeared. Malwares that use email to Block (SMB) protocol. Since this protocol was designed propagate are generally referred to as mailers. to allow small workgroups to share files in a trusted Unfortunately, these mailers are used even today. In fact, environment more emphasis was given to resource- in past few years these mailers have gained more sharing than security and this loophole is reflected in the popularity since email is the most efficient way for worm attacks. propagation of malicious codes in order to compromise a Some worms that made use of this are sizeable amount of hosts on the Internet. W32/Autorun.worm.g, W32/Mydoom.f@MM, Some worms that used this method for propagation in the W32/Pandem.worm,W32/Sobig.e@MM, etc. last 10 years are VBS/Loveletter@MM, W32/Pandem.worm, W32/Nimda.gen@MM, 2.6 PDF Worms W32/Mydoom.f@MM, etc. In 2001, a new exploit came into existence that used 2.2 Instant Messaging Worms Adobe Acrobat PDF format as a platform. However, it only worked under the full 'developer' version of Acrobat. Such worms spread via instant messaging applications The common Acrobat Reader program was not affected like by sending links to infected websites to everyone on by this worm. The worm operated as a VB script the local contact list. The only difference between these embedded within a PDF file [4]. Since 2001, the number and email worm is the way chosen to send the links. of such exploits has increased but fortunately no worm Some worms that used this method for propagation are has appeared yet. It seems that this category of worms is W32/YahLover.worm, W32/Sdbot.worm!im, etc. yet to unleash. As we can see in the above examples of worms, some 2.3 Internet Worms worms appear in different categories such as VBS/Loveletter@MM is both an IRC worm and an These worms scan all available network resources using Email worm. This happens because of the payload that local operating system services and/or scan the Internet was used by the worm author. Similarly, for vulnerable machines. Attempt will be made to W32/Pandem.worm appears in 3 different categories viz. connect to these machines and gain full access to them. Email worm, Internet worm and File-sharing Network Another way is that the worms scan the Internet for worm. Such worms have different propagation method machines still open for exploitation i.e. machines which and hence fall in different categories. are not patched. Data packets or requests will be sent which install the worm or a worm downloader. If succeeded the worm will execute and compromises the 3. Worm Characteristics system. This is one of the most efficient ways of propagation of A worm may be characterised based on its propagation worms just after email. Some worms that made use of method and payload. General consensus is that a worm is this method are W32/SQLSlammer.worm, a form of malware that can self-propagate through a W32/Pandem.worm, W32/Conficker.worm, network without any human intervention. But, some W32/Nimda.gen@MM, W32/CodeRed.f.worm, etc. worms were discovered lately that needed some user action in order to propagate, thus modifying this 2.4 IRC Worms definition to “A worm is a form of malware that can propagate through a network with or without any human Same as the Instant Messaging worms but it infects and intervention”. Various characteristics of a worm are uses IRC (Internet Relay Chat) in order to propagate. known and agreed upon by researchers worldwide, some Some worms under this category are IRC/Stages.worm, of them are given below. W32/Pandem.worm, VBS/Loveletter@MM, etc. • Malicious Code: We all know that worms are malicious in nature. Some people say that there have 2.5 File-sharing Network Worms been “good worms” too that breaks into systems in These worms copy themselves into a shared folder, most order to repair them. The first computer worm likely located on the local machine. Now the worm is created at XEROX PARC was actually a self- ready to download via the P2P network thus making it propagating maintenance program [5], although, the spread. connotation of worm now is one of an uninvited Most worms today exploit windows file-sharing and for this they make use of the Common Internet File System

102 IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.11, November 2011

program that executes malicious code to perform an compared to propagation through email. File-Sharing unauthorized, harmful or undesirable act. Network worms or P2P worms have been there from the • Self-propagation: Worms can actively propagate year 2000 and has become one of the most favoured propagation methods since then, the latest worm utilising over a network and this makes them unique. The this method of propagation being Duqu that appeared in earlier malwares often relied on humans to carry September 2011. In September 2011, a new threat storage media such as pen-drive or floppy disk from emerged when Kaspersky Labs detected malicious QR one system to another, a worm, on the other hand, codes [10]. Soon this could be another propagation attacks another computer directly over some network vector for worms. interface. File-infecting viruses that infect local files 4.2 Qualitative Trends that happen to be remotely mounted from another machine are generally not considered worms Based on my study of hundreds of worms, I observed because they are not actively aware of the network some qualitative trends. These trends are my personal [1]. observations and may differ from person to person. • User Action: Traditionally, virus has required user a. Technological Commoditization intervention to spread from one machine to another Advances in technology soon become more of a commodity for every other worm that appears after the (e.g., copying via pen-drive). Whereas, worm is said first significant worm. The best example could be that of to be a malware that self-propagates i.e. it requires email propagation of worms. The first malicious code no human intervention. with email propagation capability appeared in the year 1987, then it would have been considered a complex However, some people say there are two categories of code since it allowed self-propagation based on email worm: one that requires user intervention to propagate which no one had ever thought of. Now, email (e.g., opening an email message or attachment) and one propagation has become a routine. Anyone can now that does not require user intervention [2]. The degree of design an email worm by either making a new worm on user intervention varies: some worms that do not require top of an existing one or using toolkits. File-Sharing the user to actively execute or open malicious code files network worms were first seen in the year 2000 but now require the user to take other seemingly unrelated actions, it has become one of the most favoured propagation such as rebooting or running a mail program. techniques. Maybe in the coming few years, worms may start propagating using some other technique such as QR codes. 4. Trends in Worm Programming b. Propagation Vector and Convergence Although Internet and Email have been the two most While studying about worms I found some qualitative efficient ways of propagating a worm, last few years and quantitative trends in the programming of worms. have seen a growth in different propagation methods These trends are given in sections below. such as that using Instant Messaging applications or IRC, etc. These days worms are designed with multiple 4.1 Quantitative Trends capabilities such as that of a Trojan Horse or a Backdoor hence making them less distinguishable. Worms such as To be able to determine approximate quantitative trends, Duqu enabled attackers with different services such as I made use of Trend Micro’s Threat Encyclopaedia [9] to that of a backdoor. So, it seems that the malware study about worms that can be classified according to the technology is now converging from different types of types I mentioned. I searched for some keywords such as malwares to one having different capabilities. ‘@mm’ (mass-mailer) or ‘@m’ (mailer) for worms that c. Propagation Speed propagate through email, ‘net’ for Internet worm, ‘IRC’ The speed of propagation has increased since the Morris for IRC worm, ‘IM’ for IM worm, apart from studying worm. While Code Red infected around 2000 hosts per all the other worms. Since no access to the database files minute during its peak infection rate the Witty worm that was available I made use of ordinary web search for this. came in 2004 infected approximately 12000 hosts in a Some trends that I inferred show that the most common minute. The Conficker worm that made its presence in propagation method is still through email apart from late 2008 is still in the wild and has infected over 7 propagation through Internet. IM worm made its million computers worldwide making it the largest presence not until 2005 when WORM_BROPIA came infection till date. This worm may have finally reached into existence alongwith its several variants. Though, the the ultimate propagation speed, even much greater than first IRC worm was released in 1997 this method of that of SQL/Slammer worm. Unfortunately enough, it propagation doesn’t seem to be that popular when

IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.11, November 2011 103 seems anti-virus softwares have lagged behind malwares Communications of the ACM, Vol. 25 No. 3 (March when it comes to speed. 1982), 172-180. d. Platforms The worm authors seem to be much interested in writing [6] ThreatExpert. http://www.threatexpert.com worms that run on Windows system based on the fact [7] McAfee Threat Library. http://www.mcafee.com/threat- that Windows OS is a widely used operating system intelligence/malware/latest.aspx whether for personal computers or servers. Lately, there have been worms that infected Windows servers [8] Symantec Security Response. exploiting vulnerabilities such as those in IIS, etc. On the http://www.symantec.com/security_response/ other hand, operating systems such as Macintosh, or different distributions of Linux such as Ubuntu are less [9] Trend Micro Threat Encyclopaedia. http://about- vulnerable to worm attacks since they are used less as threats.trendmicro.com/ compared to Windows. [10] Kaspersky Lab. http://usa.kaspersky.com/about-us/press- center/press-blog/malicious-qr-codes-attack-methods- techniques-infographic Summary

Worms have been an interesting piece of program to the researchers worldwide. Since the first worm in 1988 I completed the degree of Bachelor of there have been huge technological advancements in Technology in Computer Science and worm writing. The propagation methods, speed of Engineering in the year 2010 and then propagation, payloads, etc. have all increased. There’s no pursued PG Diploma in Information Systems & Cyber Security and doubt in saying that the next worm attack will be much completed it in February, 2011. I’ve more damaging and technologically advanced. When the two research publications. My first cloud technology came into existence some people paper with title “A Comparative predicted that this may be the most secure technology Analysis of Exact String-Matching ever but worm authors proved them wrong. The Algorithms for Virus Signature Conficker worm was the first worm that penetrated the Detection”, co-authored by Mr. Amit Kumar and Dr. Shishir cloud. This tells us about the ultimate intelligence that Kumar, got published in the proceedings of First International worm authors possess. In order to counter-attack these Conference on Emerging Trends in Soft Computing and ICT malwares there is a growing need to develop more (SCICT - 2011). Second paper with title “A Theoretical Implementation of Blended Program Analysis for Virus enhanced and efficient anti-virus softwares. Until this Signature Extraction” got published recently in the proceedings day, a worm can propagate much faster than the average of 45th IEEE Carnahan Conference on Security Technology detection rate of the best anti-virus and this is a major (ICCST - 2011). My area of interest includes hacking, malware hindrance. The malware authors have now shifted to analysis and research, reverse engineering, and programming in other technologies too such as mobile. Although, there Microsoft technologies (VB, VB.Net, C#.Net) can’t be a system which has no vulnerability but a software can be made that can launch a counter-attack in case a vulnerability is being exploited.

References [1] Darrel M. Kienzle, Matthew C. Elder. “Recent Worms: A Survey and Trends”. WORM '03 Proceedings of the 2003 ACM workshop on Rapid malcode.

[2] Lemos, R. “Year of the Worm: Fast-spreading code is weapon of choice for Net vandals”. CNET News.com, http://news.com.com/2009-1001-254061.html, March 2001.

[3] http://virusall.com/computer%20worms/worms.php

[4] F-Secure. F-Secure Computer Virus Information Centre. http://www.f-secure.com/v-descs/pdf.shtml

[5] J. Shoch and J. Hupp. “The Worm Programs: Early Experience with a Distributed Computation”.