Computer Worms: Past, Present, and Future Craig Fosnock CISSP, MCSE, CNE East Carolina University

Total Page:16

File Type:pdf, Size:1020Kb

Computer Worms: Past, Present, and Future Craig Fosnock CISSP, MCSE, CNE East Carolina University Computer Worms: Past, Present, and Future Craig Fosnock CISSP, MCSE, CNE East Carolina University Abstract: Internet computer worms have gone Computer Program: from a hypothetical theorem to very real and Is an example of computer software that very dangerous threat to computer networks. prescribes the actions ("computations") that They are even capable of affecting the are to be carried out by a computer. Most biggest network of our time, the Internet. programs consist of a loadable set of Starting from humble and beneficial instructions which determines how the beginnings computer worms are now the computer will react to user input when that plague of the Internet and can cause billions program is running, i.e., when the of dollars worth of damages in just a few instructions are 'loaded'. The term program hours, if not minutes. In this paper I will or computer program is used discuss the history of computer worms, their interchangeably with software and software past, present, and their possible future, but application. ("Computer Program," 2005) before we start this discussion about computer worms lets first define some Computer Virus: computer terminology. It is important that Is a self-replicating program that spreads by we have these definitions up front not only inserting copies of itself into other because we will need them to help explain executable code or documents. A computer the rest of this paper, it is also important to virus behaves in a way similar to a discuss this now because the term computer biological virus, which spreads by inserting virus is often used interchangeably to refer itself into living cells. Extending the to computer worms. This may cause analogy, the insertion of the virus into a confusion with some readers as this paper is program is termed infection, and the focusing on computer worms, not computer infected file (or executable code that is not viruses. I have chosen not to address viruses part of a file) is called a host. ("Computer because, although viruses take advantage of Virus," 2005) network services such as the Internet to spread, viruses are currently somewhat less Computer Worm: common than worms, and viruses do not Is a self-replicating computer program, seem to have emulated the scale of similar to a computer virus but unlike a disruptive behavior, and monetary damage virus which attaches itself to, and becomes that current computer worms are capable of part of, another executable program, a worm inflecting on today’s computer networks. is self-contained and does not need to be part of another program to propagate itself. In other words a typical computer virus is similar to a parasite and it requires a host. In this case the host is another executable program. A worm does not need a host, it can spread on its own. ("Computer Worm," 2005) I. The Past and played on the Internet or on your local computer. The "organisms" now called A. Background “warriors”that are used in the Core Wars is considered the forebear of the modern The roots of the modern computer computer virus including computer worms. virus go back to John Von Neumann. Von Neumann’s name because of his publication B. The First worms of the concept, was given to the von Neumann architecture. This architecture is The first computer worm was used in most non-parallel-processing created at the legendary Xerox PARC ( Palo computers. Almost every commercially Alto Research Center). For those of you available home computer, microcomputer who do not know this research center not and supercomputer is a von Neumann only created the first computer worm it gave machine. In 1949 von Neumann created the us the first personal computer, the first field of cellular automata only using pencil graphical user interface and the first laser and graph paper, when he presented a paper printer. The worm was created by John on the "Theory and Organization of Shoch. Shoch was a PARC engineer Complicated Automata." In this paper he working on his Stanford doctorate when he postulated that a computer program could created the worm. The program took its reproduce. The paper included a model of name from the "tapeworm," a program that what is now known as a computer virus. appeared in a popular science-fiction novel of the time by John Brunner called "The In the 1950s Bell Labs employees Shockwave Rider." This science-fiction gave life to von Neumann's theory in a game novel ironically helped to promote the they called "Core Wars." This game was concept of a replicating program more than created by H. Douglas McIlroy, Victor other more serious writings on the subject. Vysottsky, and Robert Morris, Sr. The object of the game was to unleash software Unlike the worm in the book "organisms" they called "self-altering Shockwave Rider which was used to destroy automata" that attacked, erased, and tried to a sinister computer network, the PARC propagate in a computer generated world. worm's intended purpose was save Shoch Each organism was a small program hours of tedious work. Shoch's doctoral consisting of well-defined instructions with research was an analysis of the traffic each of the instructions occupying a single patterns of PARC's Ethernet (another PARC cell in a memory array. In modern times this first) that linked 200 of its "Altos," personal computer-generated world is actually a computers. His idea was to arrange for linear looping array of memory cells called about 100 of the machines to spew bits into the "Core,” but in the 50's the word core the Ethernet simultaneously, then measure referred to magnetic core memory. The the ensuing electronic gridlock. ("Benefits," game was started when two programs were n.d) Rather than loading the same program loaded into random positions in the core. individually into every machine, he devised After a certain number of cycles, if neither the worm to do the loading automatically by program has quit executing, a tie was seeking out idle Altos computers and declared. If one program terminated, the transmitting the test program by wire to other was declared the winner. The primary those that signaled they were available. The objective behind the game was to write an test proved successful and soon he turned organism that could terminate all the his thoughts from communicating directly opponent processes. Re-energized and with each machine to instructing them to popularized by A.K. Dewdney through his talk among themselves. Shoch eventually series of articles in Scientific American, was able to invest his worm with the ability Core Wars and its variants can still be found to seek out idle Altos, boot up a host machine through the network and replicate as we should all know by now that this ruse by sending copies of itself from machine to is still an effective means of computer worm machine, remaining in communication with distribution. When the user executing the its dispersed offspring. script it would cause a Christmas tree to appear on the terminal and then it mailed One night, however, something itself to everyone on the user's NAMES file unexpectedly went wrong. Shoch and two including any distribution lists. When it colleagues had set a small worm loose in the finished sending itself to all addressees, it PARC Ethernet to test a control function, erased itself from the original victim's and went home. At some point the program computer. When new recipients received became corrupted so badly it crashed its and activated their copies of Christma Exec, host computer. Sensing it had lost a the scenario would repeat, flooding the segment, the control worm sent out a tendril network with Christma Exec messages. The to another idle Alto. That host crashed, and flood of traffic created left parts of the IBM the next, and the next. For hours, the worm network unusable on December 10 and 11 spread through the building until scores of until it was finally brought under control. machines were disabled. The next day the (Henry, 2003) down machines did not cause any alarm as Altos frequently crashed for no reason. Even with the introduction of two Soon, however, it became obvious that this fully functional worms, most people still was no random occurrence. Summoned to treated computer worms as an obscure the lab Shoch and his colleagues could not theoretical problem. That perception of stop the worm and eventually they had no worms took a dramatic turn in late-1988, choice but to eradicate the worm with a when a college student, and son of the failsafe software mechanism that Shoch had above mentioned and co-creator of the pre loaded as insurance against some “Core Wars” Robert Morris, Sr. unleashed unpredictable disaster. ("Benefits," n.d) the infamous "Internet Worm," otherwise known as the Morris worm or the “Great The next worm started out as a joke worm,” on the new and unsuspecting or innocent prank, but is among the first and Internet. most notable worms to qualify as a network exploit. The worm was launched from The Morris worm was a “Multi Germany on December 9, 1987. This date is Mode” worm that attacked DEC VAX well before the Internet was officially born. servers running Sun and BSD operating The worm originated on the German EARN systems. It exploited weak passwords along network, propagated through connected with known vulnerabilities in the send mail Bitnet sites and eventually worked its way application and Unix utilities fingerd and through Bitnet connections to wreak havoc rsh/rexec. Although not, written to cause on the IBM Internal File Transfer Network damage a bug in Robert’s software allowed (otherwise known as VNET) in the United the worm to reinfect individual servers States.
Recommended publications
  • Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress
    Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic,
    [Show full text]
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • A Taxonomy of Computer Worms ∗
    A Taxonomy of Computer Worms ∗ † ‡ § ¶ Nicholas Vern Stuart Robert Weaver Paxson Staniford Cunningham UC Berkeley ICSI Silicon Defense MIT Lincoln Laboratory ABSTRACT 1. INTRODUCTION To understand the threat posed by computer worms, it is A computer worm is a program that self-propagates across necessary to understand the classes of worms, the attackers a network exploiting security or policy flaws in widely-used who may employ them, and the potential payloads. This pa- services. They are not a new phenomenon, having first per describes a preliminary taxonomy based on worm target gained widespread notice in 1988 [16]. discovery and selection strategies, worm carrier mechanisms, We distinguish between worms and viruses in that the worm activation, possible payloads, and plausible attackers latter infect otherwise non-mobile files and therefore require who would employ a worm. some sort of user action to abet their propagation. As such, viruses tend to propagate more slowly. They also have more Categories and Subject Descriptors mature defenses due to the presence of a large anti-virus industry that actively seeks to identify and control their D.4.6 [Operating Systems]: Security and Protection—In- spread. vasive Software We note, however, that the line between worms and viruses is not all that sharp. In particular, the contagion worms General Terms discussed in Staniford et al [47] might be considered viruses Security by the definition we use here, though not of the traditional form, in that they do not need the user to activate them, but Keywords instead they hide their spread in otherwise unconnected user activity. Thus, for ease of exposition, and for scoping our computer worms, mobile malicious code, taxonomy, attack- analysis, we will loosen our definition somewhat and term ers, motivation malicious code such as contagion, for which user action is not central to activation, as a type of worm.
    [Show full text]
  • Undergraduate Report
    UNDERGRADUATE REPORT Attack Evolution: Identifying Attack Evolution Characteristics to Predict Future Attacks by MaryTheresa Monahan-Pendergast Advisor: UG 2006-6 IINSTITUTE FOR SYSTEMSR RESEARCH ISR develops, applies and teaches advanced methodologies of design and analysis to solve complex, hierarchical, heterogeneous and dynamic problems of engineering technology and systems for industry and government. ISR is a permanent institute of the University of Maryland, within the Glenn L. Martin Institute of Technol- ogy/A. James Clark School of Engineering. It is a National Science Foundation Engineering Research Center. Web site http://www.isr.umd.edu Attack Evolution 1 Attack Evolution: Identifying Attack Evolution Characteristics To Predict Future Attacks MaryTheresa Monahan-Pendergast Dr. Michel Cukier Dr. Linda C. Schmidt Dr. Paige Smith Institute of Systems Research University of Maryland Attack Evolution 2 ABSTRACT Several approaches can be considered to predict the evolution of computer security attacks, such as statistical approaches and “Red Teams.” This research proposes a third and completely novel approach for predicting the evolution of an attack threat. Our goal is to move from the destructive nature and malicious intent associated with an attack to the root of what an attack creation is: having successfully solved a complex problem. By approaching attacks from the perspective of the creator, we will chart the way in which attacks are developed over time and attempt to extract evolutionary patterns. These patterns will eventually
    [Show full text]
  • Jeffrey Heim, Marcel Hernandez, Maria Nunez,& Matthias Katerna Morris Worm on November 2, 1988, Robert Tappan Morris Releas
    Jeffrey Heim, Marcel Hernandez, Maria Nunez,& Matthias Katerna Morris Worm On November 2, 1988, Robert Tappan Morris released a worm into the internet. The experimental worm was the first of its kind. It replicated itself and programmed itself, so it ended up spreading much faster than Morris expected. It self-programmed and self-replicated at an exponential rate in a manner that had never been seen before. Morris knew this worm was not necessarily ethical, for he released it out of MIT instead of his own Cornell University. In due course, many computers across the United States had crashed because of Morris. Once he discovered how much damage the worm had been causing, he reached out to a friend at Harvard looking for a solution to stop it. They attempted in sending an anonymous message to the network with directions that could kill the worm, but the message came through too late since they system was clogged. Many significant computers at colleges, businesses and the military became infected. The cost to fix each computer ranged from $200 to over $53,000. The worm exploited vulnerabilities in computer systems and in the UNIX email software. Within 24 hours of releasing the worm, thousands of people were aware something was unusual. Eventually, it would infect ten percent of all computers using the internet. The Morris Worm was the largest malware case ever to reach this percentage. However, the percentage was so high due to the fact that the number of computers was much less than today. The computers it impacted included significant systems, such as Stanford’s, Berkley’s and NASA’s.
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
    Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone Thomas Dübendorfer, Arno Wagner, Theus Hossmann, Bernhard Plattner ETH Zurich, Switzerland [email protected] DIMVA 2005, Wien, Austria Agenda 1) Introduction 2) Flow-Level Backbone Traffic 3) Network Worm Blaster.A 4) E-Mail Worm Sobig.F 5) Conclusions and Outlook © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -2- 1) Introduction Authors Prof. Dr. Bernhard Plattner Professor, ETH Zurich (since 1988) Head of the Communication Systems Group at the Computer Engineering and Networks Laboratory TIK Prorector of education at ETH Zurich (since 2005) Thomas Dübendorfer Dipl. Informatik-Ing., ETH Zurich, Switzerland (2001) ISC2 CISSP (Certified Information System Security Professional) (2003) PhD student at TIK, ETH Zurich (since 2001) Network security research in the context of the DDoSVax project at ETH Further authors: Arno Wagner, Theus Hossmann © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -3- 1) Introduction Worm Analysis Why analyse Internet worms? • basis for research and development of: • worm detection methods • effective countermeasures • understand network impact of worms Wasn‘t this already done by anti-virus software vendors? • Anti-virus software works with host-centric signatures Research method used 1. Execute worm code in an Internet-like testbed and observe infections 2. Measure packet-level traffic and determine network-centric worm signatures on flow-level 3. Extensive analysis of flow-level traffic of the actual worm outbreaks captured in a Swiss backbone © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -4- 1) Introduction Related Work Internet backbone worm analyses: • Many theoretical worm spreading models and simulations exist (e.g.
    [Show full text]
  • Strategies of Computer Worms
    304543_ch09.qxd 1/7/05 9:05 AM Page 313 CHAPTER 9 Strategies of Computer Worms “Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect.” —Concise Oxford English Dictionary, Revised Tenth Edition 313 304543_ch09.qxd 1/7/05 9:05 AM Page 314 Chapter 9—Strategies of Computer Worms 9.1 Introduction This chapter discusses the generic (or at least “typical”) structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a “worm.” We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses1. Let me explain. The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take con- trol of remote systems without any help from the users, usually exploiting a vul- nerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats. Table
    [Show full text]
  • Wannacry Ransomware
    KNOW THE UNKNOWN® Success Story: WannaCry Ransomware WHITE PAPER Challenge Stopping a Worm & Saving Millions Worms like WannaCry and Petya operate as essentially Even the most recent of these attacks like WannaCry and zero-day attacks: they can lie dormant on our networks Petya still echo the basic principles of past-worms, and as and then rapidly spread between devices upon waking up. such, they are both preventable and stoppable. During The consequences of being hit by one is dramatic: precious the Code Red, Nimda, and ILOVEYOU attacks of the early- data is either ransom-locked or wiped and thus often 2000s, businesses that had invested in a NIKSUN-like irrecoverable. This means millions in lost data, restoration solution were able to run a rapid report to get a list of fees, public relations, and stock-holder confidence. all infected devices and cut them off from their network. Instead of thousands of machines being affected, they When FedEx was hit by Petya, for example, their subsidiary were able to resolve the incident with minor losses of TNT Express experienced “widespread service delays” and hundreds or less. This process takes a mere few minutes were unable to “fully restore all of the affected systems and thus could have saved Reckitt Benckiser from their and recover all of the critical business data that was hour-long attack. encrypted by the virus.”1 Shares in the company dropped 3.4% in the wake of the attack.2 Total, 100% visibility is simply the only way to stop these worms from becoming too damaging.
    [Show full text]
  • Storm: When Researchers Collide 7 Based on the Kademlia DHT Algorithm [5]
    When It comes to Internet threats, B R a n d o n E n R i g h t, g E o ff V o E l k er , few topics get researchers and the media as Stefan SaVagE, ChRiS kaniCh, and kiRill LevchEnko excited as the propagation speed and vital- ity of modern malware. One such example is the SQL Slammer worm, which was the first so-called Warhol Worm, a term used to Storm: when describe worms that get their “15 minutes of fame” by spreading at an exponential researchers collide rate—infecting every vulnerable machine Brandon Enright is a network security analyst at in under 15 minutes [1]. It is ironic, then, that the University of California, San Diego. He is pri- the latest malware to capture the attention marily interested in malware and exploit research. of researchers is not one of the shortest- [email protected] lived but one of the longest, largest, and most successful bots ever: Storm. Geoff Voelker is an associate professor of computer science at the University of California, San Diego. He works in computer systems and networking. Storm got its name from a particular self-propa- [email protected] gation spam email subject line used in early 2007: “230 dead as storm batters Europe.” Storm, also known as the Storm worm, is not actually a worm. It is hybrid malware: part worm, part bot (a pro- Stefan Savage is an associate professor of computer gram designed to perform automated tasks), part science at the University of California, San Diego.
    [Show full text]
  • Common Threats to Cyber Security Part 1 of 2
    Common Threats to Cyber Security Part 1 of 2 Table of Contents Malware .......................................................................................................................................... 2 Viruses ............................................................................................................................................. 3 Worms ............................................................................................................................................. 4 Downloaders ................................................................................................................................... 6 Attack Scripts .................................................................................................................................. 8 Botnet ........................................................................................................................................... 10 IRCBotnet Example ....................................................................................................................... 12 Trojans (Backdoor) ........................................................................................................................ 14 Denial of Service ........................................................................................................................... 18 Rootkits ......................................................................................................................................... 20 Notices .........................................................................................................................................
    [Show full text]
  • Detection, Propagation Modeling and Designing of Advanced Internet Worms
    DETECTION, PROPAGATION MODELING AND DESIGNING OF ADVANCED INTERNET WORMS By PARBATI KUMAR MANNA A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY UNIVERSITY OF FLORIDA 2008 1 °c 2008 Parbati Kumar Manna 2 To my family, friends, and teachers 3 ACKNOWLEDGMENTS I want to take this opportunity to thank all the people who helped me during my doctoral sojourn. I understand that it is rather late to acknowledge their contributions, but as the saying goes, better late than never! First, I want to thank my committee, starting with my advisor and Chair, Dr. Sanjay Ranka. He expressed his intention to work with me during my very first week of class at University of Florida, and has been a true guide to me in every aspect since then. He offered me complete freedom in pursuing my research in any area that I felt passionate about, and provided ample research direction from time to time. I am truly thankful and honored to work as his student for the past six years. It has also been a pleasure to work with Dr. Shigang Chen, who served as my co-chair. A stalwart in the network research community, he has been instrumental in providing his domain expertise to my research area in a very big way. Without his help, I can barely imagine myself to be where I am now. I would also like to thank Dr. Alin Dobra, Dr. Christopher Germaine, Dr. Sartaj Sahni and Dr. Malay Ghosh who helped me in various academic as well as non-academic matters throughout my stay at Gainesville.
    [Show full text]