An Analytical Survey of Recent Worm Attacks

An Analytical Survey of Recent Worm Attacks

IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.11, November 2011 99 An Analytical Survey of Recent Worm Attacks Vishrut Sharma Member of ACM, IEEE ABSTRACT In this paper, I’ve discussed the past and present of worms In this paper, I will present a broad overview of recent worm and related malicious code with special focus on worms attacks starting from the year 2000 through 2011. Some of the like Code Red, Nimda, Slammer, and Conficker. most ‘notorious’ worms were discovered during this period The following section presents the definition and including code red, slammer, and conficker. categories of a computer worm. Though this paper does not contain any original research, it is meant to provide malware researchers with well-documented information of some worms that caused havoc during the said period. After sifting through thousands of entries on virus 2. Definition and Type of Worms information repositories, I present, in this paper, only those that I considered novel in their approach, primarily from a technical In general, worm is a type of malware that can self- perspective. propagate and/or self-replicate over a network of As a summary to the paper, I have presented a broad overview of computers. Self-propagation means it can propagate trends that I extracted from this raw data and also focussed on through a network without human intervention. Self- the ever increasing destructive potential of worms. propagation is what makes a worm differ from a virus. A KEYWORDS virus, on the other hand, usually infects non-mobile files Worms, virus, recent attacks, self-propagating, malwares i.e. those files that when carried from one computer to another computer through a media, may propagate the virus attack thus making virus propagation very slow as 1. Introduction compared to worm. In recent years, many different categories of worms, based The outbreak of Morris worm in 1988 marked a new era on their programming and payloads, have been found. of self-replicating malware. In May, 2000, the Broadly, worms can be categorised as follows:- ILOVEYOU worm also known as VBS/Loveletter appeared and soon infected millions of computers • Email Worms worldwide. The worm came through e-mail with the • Instant Messaging Worms simple subject of "ILOVEYOU" and an attachment • Internet Worms "LOVE-LETTER-FOR-YOU.". The file extension was • IRC Worms hidden by default, leading unsuspecting users to think it • File-sharing Network Worms was a normal text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows • PDF Worms Address Book and with the user's sender address. It also made a number of malicious changes to the user's system. The following sections explain each of these types in This marked the beginning of an era of fast, self- detail. However, this is not a strict classification scheme. propagating, and self-replicating worms. Some worms, like Nimda, fall in two or more categories. In March 2001, cnet declared that 2001 would be “The Year of the Worm” [2]. They predicted that fast-moving, 2.1 Email Worms self-replicating code would become the weapon of choice Such worms spread via infected email messages. Any for those wanting to inflict widespread damage on the form of attachment or link in an email may contain a link Internet. As it turns out, 2001 saw a renaissance in worm to an infected website. In the first case activation starts creation. This culminated in the release of Nimda, an when the user clicks on the attachment while in the second incredibly sophisticated worm that made headlines case the activation starts when clicking the link in the worldwide [1]. email. The goal of this study was to enhance knowledge about Known methods to spread are: recent trends in worm development and attempt to predict - MS Outlook services future worm developments. In this paper, I present my - Direct connection to SMTP servers using their own findings about recent worms, their technical specifications, SMTP API etc. - Windows MAPI functions Manuscript received November 5, 2011 Manuscript revised November 20, 2011 100 IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.11, November 2011 Table 1: some infamous worms, date of their detection, category, and method of infection. [6], [7], [8] software prior to 2.0.11, Worm Date of which are vulnerable to Category Method of Infection Name Detection the PHPBB Viewtopic.PHP PHP Running the email Script Injection attachment received Vulnerability. VBS/Lo either accidentally or May 4, Email/IR Opens a back door and veletter intentionally will install 2000 C exploits the Microsoft @MM it to the local system, W32/IR Windows Plug and Play and also to all available Cbot.w August Internet/I Buffer Overflow drives. orm!M 16, 2005 RC Vulnerability (described W32/C Exploited Microsoft IIS S05- July 12, in Microsoft Security odeRed. Internet 5.0 IDQ path overflow 039 2001 Bulletin MS05-039) on f.worm vulnerability TCP port 445. Through email and W32/Ni A mass-mailing worm September Email/Inte exploiting various mda.ge that attempts to spread 18, 2001 rnet vulnerabilities present in n@MM through network shares Microsoft IIS Servers Win32. Email/File and lower security January Exploits vulnerability in Nyxem. -Sharing settings. On the third MSOutlook and Outlook 17, 2006 W32/Kl e Network day of every month it November Express & tries ez.gen Email attempts to rewrite files 9, 2001 executing itself when @MM with certain extensions you open or preview the with custom text. message. W32.R W32/S Exploited buffer ontokbr April 22, QLSla January Email A mass-mailing worm. Internet overflow vulnerability in o.AN@ 2006 mmer.w 25, 2003 Microsoft SQL Server. mm orm Spreads primarily Propagates via email through social W32/So Email/File (contains its own SMTP August networking sites as links big.f@ -sharing engine) and attempts to 19, 2003 to videos. When a user MM Network spread via accessible W32/K visits the website that is August 3, network shares. oobface Internet hosting the video, they W32/Ba January Spreads as email 2008 Email .worm are prompted to gle.gen 18, 2004 attachment. download a video codec A mass-mailing worm or other necessary W32.M that arrives as an January update, which is actually yDoom Email attachment with the file 26, 2004 a copy of the worm. @mm extension .bat, .cmd, .ex Exploits the MS08-067 e, .pif, .scr, or .zip. W32/C Microsoft Windows January A mass-mailing worm onficker Internet Server Service 13, 2009 that uses its own SMTP .worm vulnerability in order to W32/N engine to send itself to March 8, propagate. etsky.j Email the email addresses it 2004 Targets systems running @MM finds when scanning WinCC SCADA hard drives and mapped software. It spreads drives. utilizing CVE-2010- Attempts to exploit the W32.St July 13, 2568 which allows Internet vulnerability described uxnet 2010 arbitrary code execution in Microsoft Security W32/Sa via a crafted .lnk file. April 30, Bulletin MS04-011. It sser.wo Internet This has been noted to 2004 spreads by scanning the rm.a spread via removable randomly selected IP USB drives. addresses for vulnerable Attempts to spread using W32.M August systems. Internet the Remote Desktop Attempts to spread to orto 28, 2011 Perl/Sa Protocol. December Web servers running nty.wor Internet W32.D October Not 21, 2004 versions of the phpBB Not known m uqu 18, 2011 known 2.x bulletin board IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.11, November 2011 101 Attackers have been using email to propagate malicious (CIFS) protocol to gather information and compromise code from as early as 1987, the year when Christmas the target host. CIFS is an extension to Server Message Tree Trojan horse appeared. Malwares that use email to Block (SMB) protocol. Since this protocol was designed propagate are generally referred to as mailers. to allow small workgroups to share files in a trusted Unfortunately, these mailers are used even today. In fact, environment more emphasis was given to resource- in past few years these mailers have gained more sharing than security and this loophole is reflected in the popularity since email is the most efficient way for worm attacks. propagation of malicious codes in order to compromise a Some worms that made use of this are sizeable amount of hosts on the Internet. W32/Autorun.worm.g, W32/Mydoom.f@MM, Some worms that used this method for propagation in the W32/Pandem.worm,W32/Sobig.e@MM, etc. last 10 years are VBS/Loveletter@MM, W32/Pandem.worm, W32/Nimda.gen@MM, 2.6 PDF Worms W32/Mydoom.f@MM, etc. In 2001, a new exploit came into existence that used 2.2 Instant Messaging Worms Adobe Acrobat PDF format as a platform. However, it only worked under the full 'developer' version of Acrobat. Such worms spread via instant messaging applications The common Acrobat Reader program was not affected like by sending links to infected websites to everyone on by this worm. The worm operated as a VB script the local contact list. The only difference between these embedded within a PDF file [4]. Since 2001, the number and email worm is the way chosen to send the links. of such exploits has increased but fortunately no worm Some worms that used this method for propagation are has appeared yet. It seems that this category of worms is W32/YahLover.worm, W32/Sdbot.worm!im, etc. yet to unleash. As we can see in the above examples of worms, some 2.3 Internet Worms worms appear in different categories such as VBS/Loveletter@MM is both an IRC worm and an These worms scan all available network resources using Email worm.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    5 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us