Worm (computers): Difference between revisions
Both revisions by imported>Howard C. Berkowitz (no edit summary).
Revision as of 20:52, 22 February 2009
In computer and network security, a worm is a form of malware that, once it activates inside a victim's computer, can replicate and propagate itself without further user activity. Worms often take up valuable memory and network bandwidth, which can cause a computer to stop responding, and can also allow attackers to gain unauthorized remote control of one or more computers.
While the idea of a parasitic worm goes far back in biology, the term appears to have first been used as a concept in computing in John Brunner's 1975 science fiction novel, Shockwave Rider. Actual worm software, under tightly controlled conditions, was developed in 1981-1982.[1]
Morris worm: first wild infection
The first widespread Internet worm attack took place in 1988.[2] It had several attack vectors, the most notable exploiting the most common BSD UNIX electronic mail server, sendmail, in a manner that caused an executable program carried in a mail message to begin executing immediately. Another vector was a password-guessing attack on the logins to common services. Yet another method exploited UNIX utility programs then in common use, but since largely abandoned because of their vulnerabilities.
After entry, some of the malware's functions simply performed network reconnaissance, to determine such things as account names that could be exploited by other parts of the worm. Once it had a name and password on another computer, it used one of several methods to attempt to log in to that computer and copy itself there, where it would begin executing and propagating.
For most practical purposes, the Internet, still primarily a research environment, was shut down for several days, until corrective software patches were developed and distributed through secure channels. The miscreant who wrote it was later apprehended, convicted and imprisoned; there is some evidence that he had not intended it to be as destructive as it was, but had incorrectly programmed some features that were intended to limit its infectivity.
Slammer worm
One of the most destructive worms was Slammer, a 2003 worm that exploited vulnerabilities in certain features of Microsoft Structured Query Language (SQL) software.[3] It propagated rapidly, executing self-propagating code and taking over the infected computer's resources, such that the computer did little but try to replicate the worm. That was sufficient, however, to make the computer useless. One feature of this malware was that the basic code randomly generated Internet Protocol version 4 addresses to which it would try to propagate itself, without checking whether the address was that of a plausible target. This simplicity, though inefficient, allowed a small piece of code, 376 bytes in length, to be extremely infectious.
It was readily identifiable by its fixed length and by the random source addresses it used. It also exploited a general vulnerability: a basic rule of network security is that User Datagram Protocol packets should be accepted only from trusted sources, or, as in the case of Domain Name System queries, only if they are read-only and rate-limited.
Worms defend themselves
Once the signature of a worm was identified, the worm writers fought back. Methods they use include malware polymorphism to bypass length tests. In the case of Slammer, the specific port could still be filtered.
Since worms live in computers, the first line of defense is to have up-to-date host intrusion detection systems (HIDS) that are not limited to virus detection but cover the full range of malware. Keeping such software updated often means checking the HIDS vendor database daily, or even hourly.
Spoofing and counter-spoofing
On the network side, a strong general countermeasure has been ingress filtering, usually in routers, which can reject packets with random source addresses.[4] A major miscreant countermeasure to ingress filtering, however, is the use of the botnet, so that the attack traffic comes from a legitimate address.
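The following is an added example, not code from the article or from RFC 3704, showing the simple strict form of per-interface ingress filtering the paragraph refers to: a packet is accepted on an edge interface only if its source address lies inside a prefix assigned to the network behind that interface. The interface name, prefixes and packets are constructed sample data; the last accepted packet illustrates the botnet caveat, since a compromised host inside the customer prefix passes the check.

```python
"""Per-interface ingress filtering, added as an example for this article
(not the article's own code). It applies the simple strict check described
in RFC 3704 / BCP 84: a packet arriving on an edge interface is accepted
only if its source address lies inside a prefix assigned to the network
behind that interface. Prefixes and packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed: prefixes legitimately sourced from behind interface "eth1".
INTERFACE_PREFIXES = {
    "eth1": [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("198.51.100.0/25"),
    ],
}


def ingress_permits(interface: str, pkt: Packet) -> bool:
    """True if the packet's source is valid for the interface it arrived on.
    Packets on an interface with no configured prefixes are always dropped."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # malformed source address: drop
    return any(src in net for net in INTERFACE_PREFIXES.get(interface, []))


def filter_ingress(interface: str, packets):
    """Split packets into (accepted, dropped) lists for the given interface."""
    accepted, dropped = [], []
    for p in packets:
        (accepted if ingress_permits(interface, p) else dropped).append(p)
    return accepted, dropped


# Constructed sample traffic seen on eth1.
SAMPLE_PACKETS = [
    Packet("192.0.2.45", "203.0.113.9"),      # customer host: passes even if it is a bot
    Packet("203.0.113.77", "192.0.2.1"),      # random/forged source, as Slammer used: dropped
    Packet("198.51.100.7", "203.0.113.9"),    # inside 198.51.100.0/25: passes
    Packet("198.51.100.200", "203.0.113.9"),  # outside the /25: dropped
]

if __name__ == "__main__":
    ok, bad = filter_ingress("eth1", SAMPLE_PACKETS)
    print("accepted:", [p.src for p in ok])
    print("dropped: ", [p.src for p in bad])
```

The check only validates the source address against the arrival interface; it says nothing about what the packet carries, which is why a bot with a legitimate address (the first sample packet) is accepted and later detection has to fall back on the worm's signature.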
When the addresses are legitimate, worm defense external to a computer returns to recognizing the signature of the worm. It may be difficult to recognize a polymorphic attacker and, indeed, its polymorphed spawn. Nevertheless, an active worm's reproduction may well produce a traffic signature that can be recognized.
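As an added example (not code from the article), the block below models the two stages of signature-based defense described in this section and the one before it: a content signature on the fixed 376-byte datagram length and a specific port, which a polymorphic variant that pads its payload evades while a filter on the port itself still holds, and a behavioural signature on one source spraying small datagrams at many distinct destinations, which ignores payload bytes and so survives polymorphism. All traffic records are constructed, and the port value in MONITOR_PORT is an assumption for the example, not stated on the page.

```python
"""Content-based versus behaviour-based worm signatures.

Added example, not code from the original article. It models the two
stages the text describes: a content signature on the fixed datagram length
and a specific UDP port, which a polymorphic variant that pads its payload
evades while the port filter still holds; and a behavioural signature on
one source spraying small datagrams at many distinct destinations, which
survives polymorphism. The traffic records are constructed, and the value
of MONITOR_PORT is an assumption for this example (the page does not name
the port).
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    dport: int
    length: int    # UDP payload length in bytes


SLAMMER_PAYLOAD_LEN = 376   # stated in the article
MONITOR_PORT = 1434         # assumed for this example, not stated in the article


def content_signature(d: Datagram) -> bool:
    """Exact signature of the original worm: target port and fixed length."""
    return d.dport == MONITOR_PORT and d.length == SLAMMER_PAYLOAD_LEN


def port_filter(d: Datagram) -> bool:
    """Coarser rule that still holds against padded variants: block the port."""
    return d.dport == MONITOR_PORT


def fanout_scanners(datagrams, window=1.0, min_targets=20, max_len=512):
    """Sources that, within any `window` seconds, sent datagrams of at most
    `max_len` bytes to at least `min_targets` distinct destinations. Payload
    bytes are never inspected, so polymorphism does not affect the result."""
    per_src = defaultdict(list)
    for d in sorted(datagrams, key=lambda d: d.ts):
        if d.length <= max_len:
            per_src[d.src].append(d)
    flagged = set()
    for src, ds in per_src.items():
        lo = 0
        for hi in range(len(ds)):
            while ds[hi].ts - ds[lo].ts > window:   # slide the window forward
                lo += 1
            if len({d.dst for d in ds[lo:hi + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged


def make_sample():
    """Constructed traffic: an original-style worm host, a polymorphic one,
    and a benign host talking to a single resolver."""
    rng = random.Random(7)   # fixed seed so the sample is reproducible

    def rand_ip():
        return ".".join(str(rng.randrange(1, 255)) for _ in range(4))

    sample = []
    for i in range(50):      # worm host: fixed-length datagrams, random targets
        sample.append(Datagram(i * 0.02, "198.51.100.10", rand_ip(),
                               MONITOR_PORT, SLAMMER_PAYLOAD_LEN))
    for i in range(50):      # polymorphic variant: same port, padded payload
        sample.append(Datagram(5.0 + i * 0.02, "198.51.100.20", rand_ip(),
                               MONITOR_PORT, SLAMMER_PAYLOAD_LEN + rng.randrange(1, 100)))
    for i in range(50):      # benign host: small queries to one server
        sample.append(Datagram(i * 0.1, "198.51.100.30", "192.0.2.53", 53, 60))
    return sample


def analyse(datagrams):
    """Which sources each detection method flags, sorted for stable output."""
    return {
        "content_hits": sorted({d.src for d in datagrams if content_signature(d)}),
        "port_hits": sorted({d.src for d in datagrams if port_filter(d)}),
        "fanout_hits": sorted(fanout_scanners(datagrams)),
    }


if __name__ == "__main__":
    for method, hits in analyse(make_sample()).items():
        print(f"{method}: {hits}")
```

On the constructed sample the exact length signature flags only the original-style host, the port filter flags both worm hosts, and the fan-out rule flags both worm hosts without touching the benign host, which is the point of the paragraph: the reproduction pattern remains visible even when the payload does not.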
References
1. Shoch, John F. and Jon A. Hupp, "The Worm Programs — Early Experience with a Distributed Computation", Communications of the ACM 25 (3): 172-180
2. Eugene H. Spafford (1988), The Internet Worm Program: An Analysis, Department of Computer Sciences, Purdue University, Purdue Technical Report CSD-TR-823
3. US-CERT, CERT® Advisory CA-2003-04 MS-SQL Server Worm
4. F. Baker & P. Savola (March 2004), Ingress Filtering for Multihomed Networks, RFC 3704, IETF BCP (Best Current Practice) 84