Computer Worms: Past, Present, And Future


  • 7/30/2019 Computer Worms: Past, Present, And Future


    Computer Worms: Past, Present, and Future

    Craig Fosnock
    CISSP, MCSE, CNE
    East Carolina University

    Abstract:

    Internet computer worms have gone from a hypothetical theorem to a very real and very dangerous threat to computer networks. They are even capable of affecting the biggest network of our time, the Internet. Starting from humble and beneficial beginnings, computer worms are now the plague of the Internet and can cause billions of dollars worth of damages in just a few hours, if not minutes. In this paper I will discuss the history of computer worms, their past, present, and their possible future, but before we start this discussion about computer worms let's first define some computer terminology. It is important that we have these definitions up front, not only because we will need them to help explain the rest of this paper, but also because the term computer virus is often used interchangeably to refer to computer worms. This may cause confusion with some readers, as this paper is focusing on computer worms, not computer viruses. I have chosen not to address viruses because, although viruses take advantage of network services such as the Internet to spread, viruses are currently somewhat less common than worms, and viruses do not seem to have emulated the scale of disruptive behavior and monetary damage that current computer worms are capable of inflicting on today's computer networks.

    Computer Program:
    Is an example of computer software that prescribes the actions ("computations") that are to be carried out by a computer. Most programs consist of a loadable set of instructions which determines how the computer will react to user input when that program is running, i.e., when the instructions are 'loaded'. The term program or computer program is used interchangeably with software and software application. ("Computer Program," 2005)

    Computer Virus:
    Is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed infection, and the infected file (or executable code that is not part of a file) is called a host. ("Computer Virus," 2005)

    Computer Worm:
    Is a self-replicating computer program, similar to a computer virus, but unlike a virus, which attaches itself to, and becomes part of, another executable program, a worm is self-contained and does not need to be part of another program to propagate itself. In other words, a typical computer virus is similar to a parasite and it requires a host. In this case the host is another executable program. A worm does not need a host; it can spread on its own. ("Computer Worm," 2005)


    I. The Past

    A. Background

    The roots of the modern computer virus go back to John Von Neumann. Von Neumann's name, because of his publication of the concept, was given to the von Neumann architecture. This architecture is used in most non-parallel-processing computers. Almost every commercially available home computer, microcomputer and supercomputer is a von Neumann machine. In 1949 von Neumann created the field of cellular automata only using pencil and graph paper, when he presented a paper on the "Theory and Organization of Complicated Automata." In this paper he postulated that a computer program could reproduce. The paper included a model of what is now known as a computer virus.

    In the 1950s Bell Labs employees gave life to von Neumann's theory in a game they called "Core Wars." This game was created by H. Douglas McIlroy, Victor Vysottsky, and Robert Morris, Sr. The object of the game was to unleash software "organisms" they called "self-altering automata" that attacked, erased, and tried to propagate in a computer generated world. Each organism was a small program consisting of well-defined instructions, with each of the instructions occupying a single cell in a memory array. In modern times this computer-generated world is actually a linear looping array of memory cells called the "Core," but in the 50's the word core referred to magnetic core memory. The game was started when two programs were loaded into random positions in the core. After a certain number of cycles, if neither program had quit executing, a tie was declared. If one program terminated, the other was declared the winner. The primary objective behind the game was to write an organism that could terminate all the opponent processes. Re-energized and popularized by A.K. Dewdney through his series of articles in Scientific American, Core Wars and its variants can still be found and played on the Internet or on your local computer. The "organisms," now called warriors, that are used in Core Wars are considered the forebears of the modern computer virus, including computer worms.

    B. The First worms

    The first computer worm was created at the legendary Xerox PARC (Palo Alto Research Center). For those of you who do not know, this research center not only created the first computer worm, it gave us the first personal computer, the first graphical user interface and the first laser printer. The worm was created by John Shoch. Shoch was a PARC engineer working on his Stanford doctorate when he created the worm. The program took its name from the "tapeworm," a program that appeared in a popular science-fiction novel of the time by John Brunner called "The Shockwave Rider." This science-fiction novel ironically helped to promote the concept of a replicating program more than other more serious writings on the subject.

    Unlike the worm in the book Shockwave Rider, which was used to destroy a sinister computer network, the PARC worm's intended purpose was to save Shoch hours of tedious work. Shoch's doctoral research was an analysis of the traffic patterns of PARC's Ethernet (another PARC first) that linked 200 of its "Altos" personal computers. His idea was to arrange for about 100 of the machines to spew bits into the Ethernet simultaneously, then measure the ensuing electronic gridlock. ("Benefits," n.d) Rather than loading the same program individually into every machine, he devised the worm to do the loading automatically by seeking out idle Altos computers and transmitting the test program by wire to those that signaled they were available. The test proved successful, and soon he turned his thoughts from communicating directly with each machine to instructing them to talk among themselves. Shoch eventually was able to invest his worm with the ability to seek out idle Altos, boot up a host machine through the network and replicate by sending copies of itself from machine to machine, remaining in communication with its dispersed offspring.

    One night, however, something unexpectedly went wrong. Shoch and two colleagues had set a small worm loose in the PARC Ethernet to test a control function, and went home. At some point the program became corrupted so badly it crashed its host computer. Sensing it had lost a segment, the control worm sent out a tendril to another idle Alto. That host crashed, and the next, and the next. For hours, the worm spread through the building until scores of machines were disabled. The next day the down machines did not cause any alarm, as Altos frequently crashed for no reason. Soon, however, it became obvious that this was no random occurrence. Summoned to the lab, Shoch and his colleagues could not stop the worm, and eventually they had no choice but to eradicate the worm with a failsafe software mechanism that Shoch had pre-loaded as insurance against some unpredictable disaster. ("Benefits," n.d)

    The next worm started out as a joke or innocent prank, but is among the first and most notable worms to qualify as a network exploit. The worm was launched from Germany on December 9, 1987. This date is well before the Internet was officially born. The worm originated on the German EARN network, propagated through connected Bitnet sites and eventually worked its way through Bitnet connections to wreak havoc on the IBM Internal File Transfer Network (otherwise known as VNET) in the United States. (Henry, 2003) The name given to this worm was the Christma Exec, which happened to be the name of the script the user needed to execute to launch the worm.

    As mentioned above, Christma Exec required the user to execute an innocent looking script that was attached to an E-mail message, which appeared to come from an E-mail address that the recipient knew and trusted. This ruse sounds really familiar, and as we should all know by now, this ruse is still an effective means of computer worm distribution. When the user executed the script, it would cause a Christmas tree to appear on the terminal and then it mailed itself to everyone on the user's NAMES file, including any distribution lists. When it finished sending itself to all addressees, it erased itself from the original victim's computer. When new recipients received and activated their copies of Christma Exec, the scenario would repeat, flooding the network with Christma Exec messages. The flood of traffic created left parts of the IBM network unusable on December 10 and 11 until it was finally brought under control. (Henry, 2003)

    Even with the introduction of two fully functional worms, most people still treated computer worms as an obscure theoretical problem. That perception of worms took a dramatic turn in late 1988, when a college student, the son of the above-mentioned co-creator of Core Wars, Robert Morris, Sr., unleashed the infamous "Internet Worm," otherwise known as the Morris worm or the Great worm, on the new and unsuspecting Internet.

    The Morris worm was a Multi Mode worm that attacked DEC VAX servers running Sun and BSD operating systems. It exploited weak passwords along with known vulnerabilities in the sendmail application and the Unix utilities fingerd and rsh/rexec. Although not written to cause damage, a bug in Robert's software allowed the worm to reinfect individual servers multiple times. Hence, each additional instance of the worm on the server caused additional CPU resources to be consumed, slowing the server and effectively causing the world's first Internet denial of service (DoS) attack. (Henry, 2003) At the time of the attack it was estimated that the Morris worm infected approximately 6,000 servers, or 10% of the servers on the Internet, and caused between $10 million and $100 million in damages.


    II. The Present

    The development of computer worms seemed to die down until the development of the Melissa worm eleven (11) years later. Here is a time line and brief synopsis of modern computer worms. You will notice that the time between virus outbreaks, and the estimated amount of damages will be increasing. You will also notice no entries for the year 2002. This is because Klez, which dominated that year, was released in 2001, and none of the worms created that year, although destructive like the BugBear worm, provided any new computer worm developments.

    Year 1999

    Virus name: Melissa
    Description: First found on March 26, 1999, using holes in Microsoft Outlook, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm. Once executed, the original version of Melissa used a macro virus to spread to the first 50 addresses in the user's Outlook address book. However, if Internet access or Outlook were not available, it would copy itself to other Word documents and attempt to E-mail those documents, revealing potentially confidential information. Further, it would modify existing documents by inserting quotes from the Simpsons television show. (Henry, 2003)
    Estimated damage: $1.1 billion.

    Year 2000

    Virus name: I LOVE YOU
    Description: First found on May 3, 2000 in Asia, it spread quickly across the globe. Instead of sending a copy of the worm to the first 50 or 100 addresses in the host's Outlook address book like Melissa, I Love You used every single address in the host's address book. This worm also had a malicious side to it, as the worm overwrote important files with a copy of itself, making it virtually impossible to recover original files. It also marked all mp3 files as hidden, and downloaded a Trojan horse that would steal user names and passwords and send them to the virus's author.
    Estimated damage: $8.75 billion.

    Year 2001

    Virus name: "Anna Kournikova Virus" worm
    Description: First appearing in February 2001, it was produced by a script kiddie, and is well known only for its social engineering attachment that appeared to be a graphic image of Russian tennis star Anna Kournikova. However, when the file was opened, a clandestine code extension enabled the worm to copy itself to the Windows directory and then send the file as an attachment to all addresses listed in your Microsoft Outlook e-mail address book. The "Anna Kournikova Virus" worm, although famous, was just a nuisance as it did little to no damage.
    Estimated damage: $166,827

    Virus name: Code Red
    Description: First found on July 13, 2001, this worm exploited a vulnerability in Microsoft's Internet Information Server (IIS) web servers to deface the host's website, and copy the command.com file and rename it root.exe in the Web server's publicly accessible scripts directory. This would provide complete command line control to anyone who knew the Web server had been compromised. It also waited 20-27 days after it was installed to launch denial of service attacks against the White House's IP address. Code Red spread at a speed that overwhelmed network administrators, as more than 359,000 servers became compromised in just over 14 hours. At its peak, more than 2,000 servers were being compromised every single minute. Estimates are that Code Red compromised more than 750,000 servers. (Henry, 2003)
    Estimated damage: $2.6 billion

    Virus name: Sircam
    Description: First found on July 19, 2001, this mass mailing E-mail worm not only exploited Microsoft's Outlook program, it had the ability of spreading through Windows Network shares. The worm had two deadly payloads, but due to a program error they did not work.
    Estimated damage: $1.03 billion

    Virus name: NIMDA
    Description: First appearing in September 2001, NIMDA, which is admin spelled backwards, was not as malicious in nature as previous worms, but its advanced features and its different means of propagation allowed it to spread faster than any preceding worm. These included from client to client via email, from client to client via open network shares, from web server to client via browsing of compromised web sites, from client to web server via active scanning for and exploitation of various Microsoft IIS vulnerabilities, and from client to web server via scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms. NIMDA was also the first worm that contained its own E-mail program, so it did not depend on the host's E-mail program to propagate.
    Estimated damage: $645 million

    Virus name: Klez
    Description: First appearing on October 26, 2001, Klez and its variants were still considered a problem late in 2003, making Klez one of the most persistent viruses ever. Klez was a hybrid worm that took advantage of a flaw in Outlook that allowed it to be installed simply by viewing the E-mail in the preview panel. As a hybrid threat it could behave like a virus, a worm and at other times even like a Trojan horse. Klez also incorporated a technique we saw in the Christma Exec worm, as it selected one E-mail address from the host's address book to use as the "from" address, then sent the worm to all the other addresses. In this manner, the E-mail often appeared to have been sent from someone the addressee actually knew.
    Estimated damage: $18.9 billion

    Year 2003

    Virus name: SQL Slammer
    Description: Appearing January 25, 2003, and taking advantage of two buffer overflow bugs in Microsoft's SQL Server database product, it spread rapidly, with a doubling time of 8.5 seconds in the early phases of the attack, allowing it to infect most of its victims within 10 minutes. SQL Slammer was the first example of a "Warhol worm." A Warhol worm was first hypothesized in 2002 in a paper by Nicholas Weaver, and it is an extremely rapidly propagating computer worm that spreads as fast as physically possible, infecting all vulnerable machines on the entire Internet in 15 minutes or less. The term is based on Andy Warhol's remark that "In the future, everybody will have 15 minutes of fame." ("Computer Worm," 2005)
    Estimated damage: $1.2 billion.

    Virus name: Sobig
    Description: Originally put together in January 2003 to spread a proxy server trojan, its variant Sobig.F set a record in sheer volume of e-mails. Sobig, like Nimda, used a built-in SMTP engine so it did not depend on the host's E-mail program to propagate. Then, emulating Klez, it selected one E-mail address from the host's address book to use as the "from" address, then sent the worm to all the other addresses. It also attempted to create a copy of itself on network shares, but failed due to bugs in the code.
    Estimated damage: $36.1 billion

    Virus name: Blaster
    Description: Appearing August 11, 2003, Blaster exploited a Microsoft DCOM RPC vulnerability to infect systems running Windows 2000 and Windows XP, and cause instability on systems running Windows NT and Windows Server 2003. Filtering of virus activity by Internet service providers (ISPs) worldwide greatly reduced the spread of Blaster.
    Estimated damage: $1.3 billion


    Year 2004

    Virus name: Mydoom
    Description: Appearing January 26, 2004 and primarily transmitted via E-mail to appear as a transmission error, Mydoom's rapid spread made it the fastest spreading email worm ever. It slowed overall Internet performance by about 10%, and average web page load times by about 50%.
    Estimated damage: $38.5 billion

    Virus name: Witty
    Description: Appearing March 19, 2004, the Witty worm was the fastest developed worm to date, as there were only 36 hours between the release of the advisory and the release of the virus. Witty infected the entire exposed population of twelve thousand machines in 45 minutes, and it was the first widespread worm that destroyed the hosts it infected (by randomly erasing a section of the hard drive) without significantly slowing the worm's expansion.
    Estimated damage: $11 million

    Virus name: Sasser
    Description: Appearing on April 30, 2004 and spreading by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service), it hit the Internet a little more than two weeks after Microsoft warned users of this flaw. Although it caused infected Windows XP and Windows 2000 computers to repeatedly reboot, Sasser did little damage, as it was merely designed to spread and carried no payload.
    Estimated damage: $14.8 billion

    Although all the computer viruses discussed above in the time line are malicious in nature, not all computer worms are meant to be bad. These viruses are often called "beneficial viruses" or "antivirus" viruses because they attack other viruses and disinfect them from the systems that they have compromised. An early example of this is the Den_Zuko boot virus, which was actually a worm that disinfected the Brain virus. The Brain virus was a malicious code created in Pakistan which infected boot sectors of disks so that their contents could not be accessed. Brain was the first PC virus created and it infected MS-DOS. Another more recent example of this behavior is found in the Nachi family of worms, which terminated and deleted the Blaster worm, then tried to download and install patches to fix the Microsoft DCOM RPC vulnerability in the host system. Although considered beneficial in nature, both of these worms caused problems. In the case of Nachi, it generated more network traffic than the Blaster worm it was protecting against. In the case of the Den_Zuko boot virus, it could not infect 1.2M or 3.5" diskettes correctly, and because of this it destroyed data on them. Most importantly, both worms worked without the explicit consent of the computer's owner or user. Because of these problems no true beneficial worm has been created, whatever their payload.

    III. The Future

    It is expected that in the future we will see ever more complex worms labeled Super Worms. These worms will incorporate complex polymorphic and metamorphic behavior routines that will make use of entry-point obscuration. The current trends in traditional areas of worm development do not seem to be leading us immediately in the direction of the Super Worm, but they are getting there slowly. SpyBot.KEG is an example of the new batch of worms attempting to use these behavior methods. It is considered a sophisticated vulnerability assessment worm, and it set new standards for all computer worms. SpyBot.KEG has managed to remain below most people's radar as it causes no damage, and only reports discovered vulnerabilities back to the author via IRC channels. Security experts have also seen the release of multiple variants in a single day of another sophisticated worm called Mytob. This worm has recently included a phishing trick in the form of a fake URL pointing to a Web site that hosts the worm's code.


    Another possible future threat that could develop into the next Super Worm outbreak is called YellowFever. YellowFever is an advanced i-worm with some really interesting features, which shows that the conceptual complexity of current i-worms in the wild is still far from what can be done. A short virus description: the worm installs itself as a system service. On startup, it enumerates all running applications looking for its target (Outlook). The infection procedure is very interesting: the virus has a small built-in debugger that it uses to attach to the host. Next, it impersonates the host and, using its own "SMTP" engine, E-mails itself. "YellowFever" is not polymorphic, but it would be possible to add a poly-engine to it. The virus can bypass many of the user level firewalls, but it has not been coded for spreading. (Labir, 2005) Although complex, these worms have failed to be modified to the point where they can cause any major damage, but that could change at any time.

    Other new worm developments include the Cabir worm. The Cabir worm is the first worm that can infect mobile phones. Cabir appears to be a so-called "proof of concept" worm and requires social engineering to reach its goal, but once a phone is infected, it will activate each time the phone is started, scan for nearby Bluetooth enabled phones, and transmit a copy of itself to any vulnerable phone it reaches.

    The most prevalent and immediately dangerous worms that seem to be developing are those designed to propagate via instant messaging (IM). Although older but less well known worms like the Hello worm used Microsoft's MSN Messenger to spread, the current batch of worms using IM seems to hold the most promise of being the next major outbreak. When we take a closer look at this threat we can see that there are about 60 published IM vulnerabilities, and the types of IM threats are expanding to include SPIM (spam over IM) and phishing attacks. As we have already seen, propagation speed for worms is limited only by their ability to find new hosts. In the case of Code Red, it took about 14 hours to ping every IP address in the world looking for vulnerable systems, and in Slammer's case it took only 20 minutes. A similar threat targeting IM, according to a Symantec simulation, could lead to half a million systems being infected in only 30 seconds. This is because the worm would already have a list of vulnerable machines located on users' buddy lists. Thus any new worm using IM would not have to use time-consuming methods to locate vulnerable systems. Once inside a vulnerable company, an IM worm would cause a lot of damage as it would bypass all existing security defenses.
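The propagation figures quoted in this paper (Slammer's 8.5-second doubling time, Witty's 45 minutes, Code Red's 14 hours) can be placed in the simple logistic epidemic model to show how little reaction time each leaves a defender. This is an added example, not part of the original paper; the choice of model, the single initially infected host, the 99% coverage threshold, the Slammer population sizes and the 5-minute response delay are all assumptions.

```python
import math

# Figures quoted in the paper.
SLAMMER_DOUBLING_S = 8.5          # early-phase doubling time, seconds
WITTY_POPULATION = 12_000         # exposed machines
WITTY_ELAPSED_S = 45 * 60         # time taken to infect them
CODE_RED_POPULATION = 359_000     # servers compromised ...
CODE_RED_ELAPSED_S = 14 * 3600    # ... in just over 14 hours

# Assumptions made for this example (not from the paper).
INITIAL_INFECTED = 1
COVERAGE = 0.99                   # stands in for "the entire population"
ASSUMED_POPULATIONS = (10_000, 100_000, 1_000_000)
RESPONSE_DELAY_S = 5 * 60         # hypothetical time to deploy a filter


def growth_rate(doubling_time_s):
    """Early-phase exponential rate r (per second) for a doubling time."""
    return math.log(2) / doubling_time_s


def infected_at(t_s, population, initial, doubling_time_s):
    """Logistic curve: hosts infected t_s seconds after release."""
    r = growth_rate(doubling_time_s)
    return population / (1 + (population / initial - 1) * math.exp(-r * t_s))


def time_to_fraction(fraction, population, initial, doubling_time_s):
    """Seconds until `fraction` of the vulnerable population is infected."""
    odds = fraction / (1 - fraction)
    return math.log(odds * (population - initial) / initial) / growth_rate(doubling_time_s)


def implied_doubling_time(population, initial, fraction, elapsed_s):
    """Doubling time that reaches `fraction` of the population in elapsed_s."""
    odds = fraction / (1 - fraction)
    return elapsed_s * math.log(2) / math.log(odds * (population - initial) / initial)


def slammer_saturation_times(fraction=0.90):
    """Seconds to `fraction` coverage for each assumed population size."""
    return {n: time_to_fraction(fraction, n, INITIAL_INFECTED, SLAMMER_DOUBLING_S)
            for n in ASSUMED_POPULATIONS}


def fraction_at_response(delay_s, population, doubling_time_s):
    """Share of the population already infected when the defence lands."""
    return infected_at(delay_s, population, INITIAL_INFECTED, doubling_time_s) / population


if __name__ == "__main__":
    for n, t in slammer_saturation_times().items():
        print(f"Slammer-speed worm, {n:>9,} hosts: 90% infected after {t:5.0f} s")

    witty_td = implied_doubling_time(WITTY_POPULATION, INITIAL_INFECTED,
                                     COVERAGE, WITTY_ELAPSED_S)
    code_red_td = implied_doubling_time(CODE_RED_POPULATION, INITIAL_INFECTED,
                                        COVERAGE, CODE_RED_ELAPSED_S)
    print(f"Witty implied doubling time:    {witty_td:6.0f} s")
    print(f"Code Red implied doubling time: {code_red_td:6.0f} s")

    fast = fraction_at_response(RESPONSE_DELAY_S, 100_000, SLAMMER_DOUBLING_S)
    slow = fraction_at_response(RESPONSE_DELAY_S, CODE_RED_POPULATION, code_red_td)
    print(f"Infected after a 5-minute response, Slammer speed:  {fast:.4%}")
    print(f"Infected after a 5-minute response, Code Red speed: {slow:.4%}")
```

Population size enters the model only through a logarithm, so a hundredfold larger vulnerable population adds under a minute at Slammer's doubling time; the doubling time is what decides whether a manual response can land before saturation. The pure logistic curve ignores bandwidth saturation, so real outbreaks level off somewhat later than the model predicts.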

    Could the next major worm outbreak not even involve computers? Will the outbreak be a new development in traditional propagation methods, or will it come from new areas such as IM? Regardless, history has shown us that no matter what method it will use to propagate, it is only a matter of time before we see the next major worm outbreak.

    References

    Benefits of the Computer Virus. (Unknown). Owl Editing. Retrieved July 15, 2005, from http://www.owled.com/essays/virus.html

    Blaster Worm. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Blaster_worm

    Cabir. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Cabir

    Cathleen Moore. (2005). Worms wiggle into IM. ComputerWorld. Retrieved July 15, 2005, from http://www.computerworld.com/securitytopics/security/virus/story/0,10801,101201,00.html?source=x10

    Computer Worm. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Computer_worm


    Computer program. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Computer_program

    Computer virus. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Computer_virus

    Chen, T.M. (2003). Trends in viruses and worms. The Internet Protocol Journal, Vol. 6, No. 3.

    Daniel Tynan. (2003). Dawn of the Superworm. PC World. Retrieved July 15, 2005, from http://www.pcworld.com/news/article/0,aid,110014,tfg,tfg,00.asp

    Edward Skoudis. (2002, July). Malware - The Worm Turns. Information Security Magazine.

    Eduardo Labir. (2004). VX reversing II, Sasser B. The CodeBreakers-Journal, Vol. 1, No. 1.

    George V. Hulme. (2005). First Worm For Mobile Phones Detected. Information Week. Retrieved July 15, 2005, from http://www.informationweek.com/story/showArticle.jhtml?articleID=21800340

    Gregg Keizer. (2005). IM Worms Could Spread In Seconds. Security Pipeline. Retrieved July 15, 2005, from http://www.securitypipeline.com/news/22100839

    Ingrid Marson. (2005). Mytob worm picks up phishing trick. News. Retrieved July 15, 2005, from http://news.com.com/Mytob+worm+picks+up+phishing+trick/2100-7349_3-5739271.html?part=rss&tag=5739271&subj=news

    ILOVEYOU. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/VBS/Loveletter

    Jack M. Germain. (2004). Is the Superworm a Mere Myth?. Tech News World. Retrieved July 15, 2005, from http://www.technewsworld.com/story/32721.html

    Julia Allen. (2002). System and Network Security Practices. Journal of Information Security, Vol 1, No 2.

    Klez. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Klez

    Mary Landesman. (2005). Mytob prevention. About. Retrieved July 15, 2005, from http://antivirus.about.com/od/virusdescriptions/a/mytob.htm

    Melissa worm. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Melissa_worm

    Morris worm. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Morris_worm

    Opic. (2004). Introductory Primer To Polymorphism. The CodeBreakers-Journal, Vol. 1, No. 2.

    Paul Henry. (2003). A Brief Look at the Evolution of Killer Worms. CyberGuard. Retrieved July 15, 2005, from http://www.csoonline.com/whitepapers/050504_cyberguard/EvolutionoftheKillerWorms.pdf

    Peter Szor. (2005). Strategies of Computer Worms. The Informit Network. Retrieved July 15, 2005, from http://www.informit.com/articles/article.asp?p=366891&seqNum=8&rl=1

    Peter Westrin. (2001). Critical Information Infrastructure Protection (CIIP). Information & Security: An International Journal. Volume 7, 67-79.

    Rinku Dewr. (2003). Artificial Life: A Programmer's Perspective. Retrieved July 15, 2005, from http://ai-depot.com/ArtificialLife/Programmer-Perspective.html

    Scarlet Pruitt. (2005). Are Virus Writers Creating a Super Worm?. PC World. Retrieved July 15, 2005, from

    Sasser worm. (2005). Wikipedia, the free encyclopedia. Retrieved July 15, 2005, from http://en.wikipedia.org/wiki/Sasser worm

    Symantec, Symantec Antivirus Software and Information. 2005.
