
Worms: A slippery sabotager

A computer worm is a type of malware that spreads by self-replication and is designed to move laterally from an infected system to uninfected hosts. Worms often exploit parts of an operating system that run automatically and/or are invisible to the user, and they are usually only noticed when a system begins to slow down because the unmanaged replication is consuming a large share of system resources.

Worms can spread in many ways, usually by exploiting vulnerabilities in unpatched systems to move throughout a network, or more simply via infected storage media such as floppy disks, USB drives and/or external HDDs.

Worms are not only good at spreading from host to host; they are also extremely flexible in the damage they can cause and the way they propagate. Many worms carry additional payloads such as a virus or ransomware that can cause further damage to a user’s system, and other types of worms, such as “bot worms”, are able to turn infected hosts into “zombies” or “bots”, which are often used in coordinated attacks, commonly known as DDoS attacks, to take down entire servers and/or networks. Worms have also been known to spread via instant messaging and/or email systems, exploiting their access to a user’s contact list to spread uncontrollably.

A major example of a worm was the WannaCry ransomware. This worm exploited a vulnerability in the first version of the Server Message Block (SMB) resource-sharing protocol implemented in Windows to replicate laterally to new hosts. The worm worked by first infecting an initial host and then beginning a network-wide search for potential new victims, selecting them based on their responses to the SMB requests the worm sent. This can propagate further when users bring BYOD devices, as this can potentially expose the worm to other networks, where it repeats the same process, resulting in mass replication.

Another example of a worm was Stuxnet, one of the most notorious worms to date. Stuxnet propagated initially via USB drives before spreading throughout a network, and it targeted the supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs) commonly used in industrial environments such as power and sewage plants. While the worm itself did little to no harm to computers not related to uranium enrichment, it could cause physical damage by making centrifuges spin too quickly and for too long, all the while telling the controller computer that everything was working fine. This worm was especially impactful because malware was no longer confined to the digital realm but could have real-world consequences, and it even once almost caused a war when it infected an Iranian nuclear facility.

Other fascinating examples of worms include:

Badtrans – this was a malicious worm that targeted Windows systems and spread via email. It exploited a vulnerability in an older version of Internet Explorer that allowed the worm to be installed and executed as soon as an email was read, which made it extremely easy for users to become infected. The worm would begin by installing a keylogger to capture everything typed by the affected user, then replicate itself and send copies to the other email addresses found on the host’s machine.

Morris – one of the first worms distributed via the internet, and the cause of the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act, the Morris worm was written by graduate student Robert Tappan Morris and was initially created to highlight security flaws. The worm spread by exploiting vulnerabilities in Unix sendmail, finger, remote shell and exec, along with weak passwords, and while it was not meant to be malicious, it left systems completely unusable due to an unintended consequence of its code: it infected a host multiple times, to the point of consuming all system resources.

SQL Slammer – a 2003 worm that caused a dramatic slowdown of general internet traffic through its denial of service on some internet hosts, claiming over 75,000 victims within 10 minutes. The worm exploited a buffer overflow bug in Microsoft’s SQL Server and Desktop Engine database products and was a proof of concept demonstrated by David Litchfield; it simply generated random IP addresses and sent itself to them. If a host coincidentally ran an unpatched copy of Microsoft SQL Server, it would become infected and then begin its own propagation to other victims.
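Both WannaCry’s network-wide SMB search and Slammer’s random-address spraying share one observable trait on the wire: a single host opens connections to an unusual number of distinct destinations on one service port within a short window. The script below is an added example (not code from the InPhySec post) that flags that pattern in connection logs. The log format, the hosts, the timestamps and the thresholds are all constructed for illustration; the detector itself is port-agnostic, so the same logic covers tcp/445 (SMB), udp/1434 (SQL Server resolution) or any other service a worm might target.

```python
"""Flag worm-style scanning: one source reaching many distinct destinations
on the same service port inside a sliding time window.

Added example for the InPhySec worms post; not the post's own code.
Assumptions: records arrive in timestamp order and use the constructed
format "<ISO timestamp> <src_ip> <dst_ip> <proto>/<dport>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records. 10.0.0.5 behaves like a scanning worm on tcp/445,
# 10.0.0.7 is a normal file-share user, and 10.0.0.9 touches three SQL hosts
# spread over six minutes (slow enough to stay under the default threshold).
SAMPLE_FLOWS = """\
2020-05-01T10:00:00 10.0.0.7 10.0.0.50 tcp/445
2020-05-01T10:00:02 10.0.0.5 10.0.0.20 tcp/445
2020-05-01T10:00:03 10.0.0.5 10.0.0.21 tcp/445
2020-05-01T10:00:03 10.0.0.5 10.0.0.22 tcp/445
2020-05-01T10:00:04 10.0.0.5 10.0.0.23 tcp/445
2020-05-01T10:00:04 10.0.0.7 10.0.0.50 tcp/445
2020-05-01T10:00:05 10.0.0.5 10.0.0.24 tcp/445
2020-05-01T10:00:05 10.0.0.5 10.0.0.25 tcp/445
2020-05-01T10:00:06 10.0.0.5 10.0.0.26 tcp/445
2020-05-01T10:00:06 10.0.0.9 10.0.0.60 udp/1434
2020-05-01T10:00:07 10.0.0.5 10.0.0.27 tcp/445
2020-05-01T10:00:07 10.0.0.5 10.0.0.20 tcp/445
2020-05-01T10:00:08 10.0.0.5 10.0.0.28 tcp/445
2020-05-01T10:00:09 10.0.0.5 10.0.0.29 tcp/445
2020-05-01T10:00:10 10.0.0.5 10.0.0.30 tcp/445
2020-05-01T10:03:00 10.0.0.9 10.0.0.61 udp/1434
2020-05-01T10:06:00 10.0.0.9 10.0.0.62 udp/1434
2020-05-01T10:06:05 10.0.0.7 10.0.0.51 tcp/443
"""


def parse_flow(line):
    """Split one constructed flow record into (timestamp, src, dst, service)."""
    ts, src, dst, service = line.split()
    return datetime.fromisoformat(ts), src, dst, service


def find_scanners(log_text, window_seconds=60, min_targets=10):
    """Return one alert per (src, service) pair whose count of distinct
    destinations inside the sliding window reaches min_targets.

    Repeated connections to the same destination (a user re-opening a share)
    do not raise the count; only new destinations do, which is what separates
    a worm sweeping a subnet from ordinary heavy use of one server.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (src, service) -> deque of (ts, dst), oldest first
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, service = parse_flow(line)
        key = (src, service)
        q = recent[key]
        q.append((ts, dst))
        # Drop records that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= min_targets and key not in alerted:
            alerted.add(key)  # alert once per source/service, not on every record
            alerts.append({
                "src": src,
                "service": service,
                "distinct_targets": len(distinct),
                "window_start": q[0][0].isoformat(),
                "alert_time": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_scanners(SAMPLE_FLOWS):
        print(f"{alert['alert_time']} {alert['src']} reached "
              f"{alert['distinct_targets']} hosts on {alert['service']} "
              f"since {alert['window_start']}")
```

With the defaults, only 10.0.0.5 is reported, at the moment it reaches its tenth distinct SMB peer. Widening the window to ten minutes and lowering the threshold to three also surfaces the slow sweep from 10.0.0.9, which illustrates the usual trade-off: tight windows catch fast worms like Slammer, while longer windows are needed for anything that paces its scanning.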

Written by Jason Chen, Security Operations Analyst


©2020 by InPhySec.