Technology Survey

Internet Worms

by Brian Farrelly, Stephen Kerin and Eoghan Hurley

Definition of Internet Worms

The most basic definition of an internet worm is mischievous code that attempts to propagate over networks. The term "worm" itself has its origins in a science fiction story called The Shockwave Rider written by John Brunner in 1975[1]. It should be noted that worms aren't inherently bad by nature; the early worms were developed as tools to aid computers. However, it soon became apparent that they could easily harness a destructive force.

Internet worms are automated intrusion agents; they will attack a vulnerable host, infect it, and then use it as a base to attack further vulnerable targets. Worms differ from viruses in their approach; viruses generally expose human weaknesses, tricking the user into initiating the virus. Worms however, more subtly attack the technical weaknesses of a host. They also differ in design, a virus attaches onto existing programs while a worm will run independently.

As discussed later in this article, there have been several worms that have given the practice of creating internet worms popularity, most famously Robert Morris' 1988 worm. This was not the first worm, nor the last, but it was the worm that managed to dominate the front pages for over a week and thus secure its place in the wall of fame of internet worms. This worm gave the concept notoriety that surely inspired others to follow in his footsteps.

Efforts have been made to model the behaviour of worms as they propagate. Cliff Zau's paper "Monitoring and Early Warning for Internet Worms" uses the following discrete model.

formula It is the number of host infected in real time.
beta is the pair wise rate of infection.
alpha is the infection rate.

graph of number of hosts infected versus time

The graph[3] of number of hosts infected versus time clearly shows a slow build up stage before an incredibly quick propagation phase before finally completing with a slow finishing stage. This should highlight the devastating effect that worms have; they can in general be blocked and killed off once we know of their existence.

When a worm designer is aware of a particular platform weakness, they will exploit it, usually through stealth and speed the worm will successfully propagate. Eventually a vaccine is created and the platform flaw is patched. Should the worm designer have malicious intentions the damage done could be horrific, in terms of money and data loss.

So why are worm based intrusions persistent? Two main reasons are ease and penetration; they will continue to work in the developer's absence and can aggressively attack many networks at speed.

What are worms comprised of? There are six main components to a worm.

Reconnaissance mechanisms allow the worm to survey the world around it and determine information to allow it to identify targets. The attack capabilities are how the worm gains entry; most common exploits are buffer overflows or cgi-bin errors. An important point is that worms are predominantly aimed at a particular platform due to the fact that making it cross platform would result in significantly larger programs. A system of nodes is useless unless they can be controlled. The command interface allows the system, using a master slave relationship to allow an intruder access to manually command the system. Communication capabilities are vital to allow sharing of reconnaissance information over distributed nodes. The worm will also keep records of its members and their locations. Worms like and good piece of software are adaptable, they maintain a set of functions that allow the worm to adapt to new targets.

Worms frequently attack hosts by buffer overflow. This is where a user-provided input is stored in memory of fixed size. Languages such as C have no memory management or protection systems so if the input is excessively long it will over write other data. This input may be created in such a way as to insert arbitrary code into the running process inheriting existing privileges.

History of Internet Worms

This is a brief overview of some of the major events in the history of Internet worms.

As already stated in our definition the first incarnations of internet worms weren't the malevolent threat they are today. These early worms (developed in 1982 at Xerox's Palo Alto Research Center by John Shock and Jon Hepps) were in fact, designed to perform useful tasks within a network.[1]

Despite the evident usefulness of these programs it was also clear that, in the wrong hands they could quite easily be turned to malevolent uses. (E.g. all the computers at Xerox's research centre crashed when one of the overnight worms malfunctioned). Due to these problems the profile of worm research diminished for a number of years, until later in the 1980's when the malevolent impact of worms began to rear its ugly head.

The first true Internet worm (and probably the most famous) was released on 2nd November 1988 by Robert T. Morris. It attacked Sun and DEC UNIX systems attached to Robert T. Morristhe Internet and within 24 hours had invaded 4,000-6,000 machines.[5][6]

Morris originally intended the program to be a benign proof of concept; however it had a massive effect due to a bug in the code. When it reinfected a machine, there was a fixed chance that the new infection wouldn't quit, causing the number of running worms on a machine to build up, thereby causing a heavy load on many systems. Even on a modern machine, such bugs would have a similar effect of overwhelming the system. This caused the worm to be quickly noticed and caused significant disruption. Most subsequent worms have mechanisms to prevent this from happening.[4]

Morris' worm received massive media attention and brought the dangers posed by worms to the world's attention. Techniques Morris used in his worm laid a base for future worms to build and improve upon.

The Melissa Worm was first recognised on 26th March 1999, it was the first major mail worm - a form of worm which was to become hugely prevalent. Melissa was written by David L. Smith and named after a lap dancer he met in Florida. David L. Smith

Melissa contained a Word macro virus (Macro viruses are computer viruses that use an application's own macro programming language to distribute themselves) [7], but unlike previous viruses of this type it could spread in a semi-active manner. It attacked Microsoft's Outlook and Word programs (Any time an infected user attached a Word document to an email, this email sent to the first 50 addresses in the recipients' address book if they use Outlook as the mail client). [8][4]

Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm and Smith received a 20 month prison sentence for his trouble. A large number of mail worms followed Melissa and continue to be a significant threat.

In 2001 active worms made a return to prominence. The first of these worms to be noticed was called Code Red. Code Red was a relatively simple worm which affected computers running Microsoft's Internet Information Server (IIS) web server. It infected over 350,000 servers in just over 12 hours. Once it infected a system Code Red waited for 20-27 days to launch denial of service attacks on several fixed IP addresses. (Including the IP address of the White House). [4][9][10]

Other examples of this new breed of active worm include Code Red 2 and Nimda. On 25th January 2003 the SQL Slammer worm caused on of the largest and fastest spreading Denial of Service attacks ever. In less than 10 minutes the Slammer spread worldwide, the worm took down 5 of the 13 DNS root servers along with tens of thousands of other servers, and impacted a multitude of systems ranging from ATM systems to air traffic control to emergency systems. [11]

How to Combat Internet Worms?

Current security measures against internet worms predominantly take the approach of observing the effects of worms and trying to ensure they don't happen again. In essence, they are in a constant state of catch-up, systems need constant updating to be aware of new threats. This may be a great money-spinner for security software vendors who charge subscriptions for updates, but is this an acceptable situation for internet users, business and personal alike? The fact remains that there are no proven alternatives at the moment. However, there seems to be a growing feeling that a new approach must be taken, that prevention is better than cure. A recently released product claims to be both 100 percent accurate and does not need updates [12]. This product works by monitoring system calls and tries to block anything unusual. This product is based "on the principle that malicious code always violates basic software conventions" [13]. A very bold assumption, you'll agree. Recent history has shown us that the very nature of both internet worms and the people that develop them is that they will adapt to any situation. With the window of time between the discovery of a vulnerability and the development of a worm to exploit it getting smaller all the time [14], we must face up to the possibility that they will prove impossible to eradicate.

The sheer amount of companies that develop technologies and products that are web-based or that can be spread across a network has provided an enormous amount of loopholes to allow worm programs to be developed. A recent worm targeted Windows XP systems that ran the open-source database program MySQL [15], by exploiting a backdoor within the database code. In situations like this the line is blurred as to who exactly is responsible for the security breach. The movement towards intrusion prevention has thus taken on even greater impetus. The idea of segmenting a network around security in order that any potential threats can be isolated is one that is currently being explored [14]. The current movement towards XML as the main language of the Web and its underlying technologies has provided a brand new set of problems for internet security [16]. The SQL compatibility techniques have made it imperative that security be not confined to the network layer alone, but rather spread across all the application layers.

Many industry experts accept the fact that the development of a worm that could cause greater devastation than anything experienced before is almost inevitable. Theoretically, the so-called Warhol worms could infect all vulnerable servers in 30 seconds, rather than 15 minutes [17]. The recent Slammer worm showed the very real possibilities of such at threat. It is estimated, that in a worst case attack, the US could suffer $50 billion in direct damages [18]. Pessimists think that enemy nations or terrorist groups could have the facilities to sniff out an as yet unknown Windows vulnerability and exploit it with dire consequences. The existence and discovery of a potentially huge vulnerability in the Windows operating system is not impossible. Being the dominant OS on worldwide computer systems has made Windows the number one target for worm developers who want their worms to cause the most damage. The 10 most effective worms of 2004 targeted Windows machines [19]. While this trend is not going to change for a while, despite rumours that Microsoft are preparing to enter the market of providing security software directly, Windows machines are far from the only system at risk. Indeed, there was an alarming growth in 2004 in worms that targeted mobile phones and PDA's [20]. IBM has identified this threat as a possible major attack in 2005 [21]. Thus, it can be seen how woefully inadequate current security measures are when dealing with internet worms. Not only are they constantly playing catch-up with worm developers, they are failing to deal with the fact that as soon as new technologies are developed and deployed they become viable targets.


(Please Note: All resources were verified in February 2005)
No. Article Author URL
1. The Morris Internet Worm Thomas Darby and Charles Schmidt www.snowplow.org
2. The Future of Internet Worms Jose Nazario, Crimelabs research www.crimelabs.net
3. Monitoring and Early Warning for Internet Worms Cliff Changchun Zou www-unix.ecs.umass.edu
4. A Brief History of The Worm Nicholas Weaver www.securityfocus.com
5. Assessment of Malicious Code & Human Threats Lawrence E. Bassham www.csrc.nist.gov
6. The Internet Worm Williams College www.cs.williams.edu
7. About Word Macro Viruses Microsoft www.support.microsoft.com
8. Melissa worm Wikipedia www.answers.com
9. Code Red worm Wikipedia www.answers.com
10. Our Ability to Protect the Net Rob Lemos www.news.com.
11. Internet Timeline Zakon Group LLC www.zakon.org
12. Determina Inc Determina Inc www.determina.com
13. Hands-free host protection Doug Dineley www.infoworld.com
14. The future of network security Bob Geiger www.searchnetworking.com
15. MySQL MySQL www.mysql.com
16. Securing the High-Speed Internet Simon S.Y. Shim www.computer.org
17. Exposing the Future of Internet Security Ziff Davis Media Inc www.findarticles.com
18. Worst-Case Worm Gregg Keizer www.internetweek.com
19. Netsky worm was worst virus of year Reuters www.msnbc.msn.com
20. 'Ring' worm: virus hits phones Stefan C. Friedman www.nypost.com
21. IBM Security Report Predicts Attacks ISSJ News Desk www.sys-con.com