A quick guide to computer worms - what they are, how they spread and the potential effects of having a worm infection.
What Is A Worm?
Though many people use the term ‘worm’ interchangeably with ‘virus’ or ‘trojan’ to mean ‘a malicious program’, the three terms technically describe three distinctly different types of programs.
This is probably clearest when you consider the effects of their actions. Viruses and trojans subvert or exploit the normal operations of a computer system to perform malicious actions on the system itself. In contrast, worms exploit the normal operation of a network to spread copies of themselves to the various points, or nodes, of the network.
Theoretically, worms can be transmitted over any kind of network. The first worms began as computer programs that spread from one computer to another over a wired network. As digital communications became more complex, worms were created that could:
- Spread between mobile phones (via SMS or MMS messages over the telecommunications networks, or via Bluetooth wireless networks);
- Spread from removable media to computers (CDs, USB sticks, etc);
- Spread between accounts on a social networking site such as Facebook or Twitter.
Provided there’s a pathway to transmit data from one node (be it a computer, a phone or an online account) on a network to another, it appears a sufficiently clever programmer could probably create a program to travel between the two.
As a quick sample of some of the worm varieties:
Internet-Worm
Internet-worms can transmit themselves from a remote location on the Internet directly onto a computer. These worms are designed to exploit a vulnerability in a computer system that allows them to gain entry. To find their victims, these worms scan the Internet for vulnerable machines. Once found, the worm can then simply download itself onto the computer, and then continue finding and infecting other victims.
Net-Worm
In contrast to an Internet-worm, a Net-worm copies itself to other computers connected to the first, infected machine by a local area network (LAN). One common tactic used by Net-worms is to put copies of themselves onto any accessible network share - a medium such as a hard drive or server that can be accessed by other users on the same network. Quite often, home networks, businesses and even major corporations will have a few open shares, which make it significantly easier for the worm to infect other users on the network.
Social Networking Worm
This type of worm is unique to major social networking sites, where the individual user accounts are the 'nodes' on the 'network' of connected accounts. These worms are typically fake or malicious messages posted on the public profile of the individual accounts. These worms are almost always designed to take advantage of a vulnerability on a specific social networking site; often, the user account is also compromised by the exploited vulnerability.
IM-Worm
Similar to an e-mail worm, an IM-Worm uses instant messaging applications installed on the infected machine to send a message to everyone listed on the contact list. The message will usually contain a link to a site that will infect users who visit it. More rarely, the message may also include an infectious attachment. Almost all IM clients – AOL, AIM, MSN and so on – have been affected by IM-worms.
E-mail Worm
As you might expect, an e-mail worm spreads by using an e-mail message as the delivery vehicle. Sometimes, the worm’s main executable file may be included as an infected attachment to the e-mail, or it may be embedded as an object or script in the e-mail message.
Once the e-mail worm has installed itself on the computer, it will typically use the infected system’s local e-mail client to send out copies of the worm to other victims. Often, the people that the worm sends its copies to are those whose e-mail addresses are saved on the infected computer, in a data file or in the local e-mail client.
There are many other types of worms in the wild, of course, but these are some of the most prevalent ones seen.
How A Worm Spreads
Whether the network is made up of computers, phones or social networking accounts, a worm’s spread across the network tends to follow the same pattern.
Step 1: Infecting a node
In order to infect a node on the network – for example, a computer on a home network - the worm can either a) trick a human user into performing an action that allows the worm to run on the system, or b) exploit a vulnerability in the computer that allows it to run without needing any human action.
Worms that need human intervention usually use some sort of social engineering trickery to lure the user into performing the desired action – e.g., using enticing file names to get an infected file opened or downloaded. In this case, the worm’s spread depends on users being taken in by the worm’s ‘bait’.
On the other hand, worms that exploit vulnerabilities to spread must scan the network for machines that have the required vulnerability; once a suitable target is found, the worm can silently infect it without any fuss. Oftentimes, human users may not even notice the worm’s presence.
Step 2a: Replicating itself
Once the worm is on the machine, it can replicate itself. Some worms produce copies of themselves independently, without needing any resources from the infected system. Others do use the system’s resources to create copies – e.g., multiple e-mails or SMS/MMS messages. This may involve misuse of the machine’s normal operations or an exploit of a vulnerability in the computer’s (or phone’s) operating system.
Step 2b: Executing a payload
Like viruses, worms may also carry a payload, or a programmed set of actions that affect the infected computer (or phone). This payload can vary from changing the wallpaper to erasing files, but is almost always unwanted, and usually outright malicious.
Step 3: Transmitting Worm Copies to another node
Once the worm has produced copies of itself, these copies are distributed to new victims on the network. Again, the worm may either misuse the machine’s normal operations or exploit a vulnerability in order to transmit the copies.
Some worms can also use multiple networks to transmit copies of themselves to a greater number of victims. For example, an e-mail worm might send copies out as infected e-mail attachments and at the same time put copies of itself in local network shares, where other network users might access them and so infect themselves.
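The three steps above leave a recognisable trace in network flow records: a host is contacted on some port, and shortly afterwards starts contacting many other hosts on that same port. The following detection logic is an added example, not part of the original guide; the flow-record layout, addresses, port and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (time in seconds, source, destination, dest port).
FLOWS = (
    # Ordinary clients reaching one file server (fan-in, not a sweep).
    [(t, f"10.0.0.{c}", "10.0.0.9", 445) for t, c in [(0, 5), (20, 6), (40, 7)]]
    # 10.0.0.10 sweeps .11-.15 on one port.
    + [(100 + i, "10.0.0.10", f"10.0.0.{11 + i}", 445) for i in range(5)]
    # 10.0.0.13, contacted at t=102, begins its own sweep shortly afterwards.
    + [(130 + i, "10.0.0.13", f"10.0.0.{20 + i}", 445) for i in range(5)]
)

def scanners(flows, min_targets=4, window=60):
    """Map (source, port) -> start time of the first burst in which the source
    reached min_targets distinct destinations on that port within `window` s."""
    recent = defaultdict(list)  # (source, port) -> [(time, destination), ...]
    flagged = {}
    for t, src, dst, port in sorted(flows):
        key = (src, port)
        # Drop contacts that have aged out of the sliding window.
        recent[key] = [(ts, d) for ts, d in recent[key] if t - ts <= window]
        recent[key].append((t, dst))
        if key not in flagged and len({d for _, d in recent[key]}) >= min_targets:
            flagged[key] = recent[key][0][0]
    return flagged

def propagation_edges(flows, min_targets=4, window=60):
    """Return (parent, child, port) where a sweeping parent contacted the child
    and the child then began sweeping the same port: the worm-like chain that
    separates self-propagation from a single scanning host."""
    flagged = scanners(flows, min_targets, window)
    edges = set()
    for t, src, dst, port in flows:
        parent_start = flagged.get((src, port))
        child_start = flagged.get((dst, port))
        if parent_start is not None and child_start is not None:
            if parent_start <= t < child_start:
                edges.add((src, dst, port))
    return sorted(edges)

if __name__ == "__main__":
    print("sweeping hosts:", scanners(FLOWS))
    print("propagation edges:", propagation_edges(FLOWS))
```

A single flagged host may be an inventory or vulnerability scanner; a parent-to-child edge is the stronger signal and gives responders the order in which to isolate machines.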
The Cost of Worms
Unless a worm has a destructive payload, a worm infection usually won’t significantly affect normal operations of the machine itself. That doesn’t mean the infection is benign, however; just that the impact is felt in another area.
A worm distributing multiple copies of itself over a network can generate enough traffic to have a noticeable effect on network stability. Multiple nodes on a network distributing copies may cause an even sharper deterioration in stability. In extreme cases, the network may be overloaded to the point where services supported by the network – e-mails, websites, servers, etc – are effectively inaccessible until the worm is silenced.
There are real-world financial costs to a worm disrupting network stability, given how dependent modern businesses are on stable, working company networks and internet connections. For a home user who may have to pay for the added data usage on a computer or phone, the cost is even more painfully immediate.
An additional financial cost is also incurred when the network has to be purged of its worm infections, as that often involves laborious time and service efforts from system administrators or the users themselves.
The Evolution of Worms
In years past, the most common types of worms were e-mailers, which spread on e-mail networks as malicious programs attached to deceptive e-mail messages. These did require the user to manually perform an action such as opening an infected e-mail attachment.
In recent years, however, the most common worms are sophisticated creations that avoid the need for human action by exploiting vulnerabilities in the nodes on a network, or in the network itself, to spread. In these cases, the user may not even be aware that a worm is present.
As with viruses, the worms of today are becoming more sophisticated and complex. Some worms are beginning to appear which have features more characteristic of viruses than of worms. Also, instead of the more clear-cut transmission models of yesteryear (worm e-mails a copy of itself to machine A, the copy on machine A e-mails a copy of itself to machine B, ad nauseam), we are seeing:
- worms being delivered in trojan payloads,
- worms being downloaded by backdoor programs,
- worms being delivered via botnet commands.
It seems malware authors are becoming increasingly creative in how they deploy the worms and today, a worm may be part of a multifaceted attack rather than just a standalone epidemic.
In addition, as digital communications continue to progress and grow, especially in the developing regions of the world, it's likely that new types of networks will emerge and with them, new types of worms. As such, worms don't appear to be dying out anytime soon.