Worm

Introduction
A worm is a type of malware that is designed to replicate itself and spread across networks to infect multiple computers. The payload of the worm may vary significantly, from deleting files, installing backdoors and stealing information to using up network bandwidth and installing additional malware.

Worms have become a popular method of rapidly spreading malware across networks to infect multiple computers as quickly as possible. The WannaCry ransomware used a worm to automatically spread across networks and infect vulnerable systems. Some worms, like the Conficker worm, are designed to simply spread quickly and cause as much damage as possible.

Many people label a worm as a virus, but the two are very different pieces of malware. A virus needs a user to transfer an infected file to another computer in order to spread, whereas a worm can use a network to spread by itself. This means a worm can spread a lot faster than a virus can. Worms also do not tend to infect files like a virus does, but rather use up computer resources by replicating themselves.

The First Worm (1988)
The first computer worm on record was the Morris Worm in 1988. The purpose of the worm was to gauge the size of the internet; however, a programming error resulted in the worm triggering a type of denial of service (DoS) attack that brought down an estimated 10% of the internet worldwide. This was also the first worm that was able to spread without user interaction, and it laid the foundation for propagation techniques still used today in computer worms.

The First Macro Worm (1996)
The first Microsoft Office Word document to contain a worm appeared in 1996. Although this worm was technically a virus, the attacker was able to exploit the growing popularity of document sharing, and the use of macros allowed the virus to spread relatively quickly. A macro is a series of commands that can be executed from within a Microsoft Office document. Attackers use this feature to run malicious code on the victim's computer.

First Worm to Spread with an Email Address Book (1999)
The famous Melissa virus was a simple piece of malware that was spread by a worm. When the infected file was opened, the worm would go through the victim's Microsoft Outlook address book and send itself to the first fifty contacts. When one of those contacts ran the infected file, the process repeated. This allowed the malware to spread at a very quick rate.

First Espionage Worm (2001)
One of the first worms to demonstrate a worm's potential for espionage, the Sircam worm was noted for sending private documents to people in the victim's Outlook address book who should not have had access to those files. Although this was not the intention of the malware, it happened often by chance. Its method of spreading was to select documents at random on the victim's computer and send them to people in the address book as infected files. This later inspired developers to work on worms that would specifically target sensitive files and information.

Mass Popularity in 2003 and 2004
In 2003 and 2004, computer worms were one of the most common threats faced by computers, and many of them were capable of inflicting significant damage on computer systems and organizations. Some of the most notorious worms to date were launched around this time. From 2005, worms were no longer as prevalent as they used to be, and other malware types were becoming more appealing to hackers.

Back with a Bang (2008)
In 2008, the worst malware outbreak at the time took place with the Conficker worm. This was one of the most damaging worms and spread to nearly 15 million computers worldwide, ranging from large organizations to simple home computers. This worm was capable of locking user accounts, disabling Windows updates and security services, creating congestion on networks and making security and antivirus websites impossible to access.

Most Advanced Worm (2010)
In 2010, a controversial worm believed to be a state-funded project was developed. The Stuxnet worm was believed to be designed to attack Iranian nuclear facilities. Almost a decade later, researchers are still trying to fully understand how it works. This worm has often been regarded as the most advanced piece of malware to date.

Post-2010
Today many modern worms are developed to conduct criminal activity such as stealing information, granting the attacker access to the infected computer and installing other malware on the infected system. Older worms were designed to either cause an inconvenience to the victim or to run more destructive methods like deleting files, running DoS attacks, and crippling networks.

How Worms Work
Worms generally have to be able to exploit some vulnerability within a system in order to infect it and spread properly. Once these vulnerabilities are exploited, the worm can propagate and infect multiple computers across networks.

Initial Infection
In order for a worm to start spreading, the attacker has to infect a computer where it can be triggered. A common way a worm infects the first computer is by being sent as an email attachment. When the victim opens the attachment, the malicious file executes and the worm can start propagating. These emails will often have attachments marked as invoices or some form of important document to try and trick the victim into opening the attachment.

The use of Microsoft Office document macros is another, early method of propagation for worms. Sharing Word, Excel and PowerPoint files makes up a vital portion of an organization's daily operations. This gives attackers a good opportunity to infect one of these file types with a malicious macro containing the worm. By default the macro feature is disabled, so the emails containing these files will instruct the user to enable macros in order to view the contents of the file. Once macros are enabled, the malicious code is executed and the worm infects the system.
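Mail gateways and incident responders can triage macro-bearing attachments before a user is ever asked to "enable content". The following is an added example, not code from the original page: it inspects Office Open XML packages (.docm, .xlsm, .pptm and their macro-free counterparts), which are zip archives, for a `vbaProject.bin` part, and flags the mismatch case where a file whose extension claims no macros still carries VBA. Legacy OLE2 .doc/.xls files are out of scope and are reported as not parsed.

```python
import io
import os
import zipfile

# In Office Open XML packages the VBA project is stored as a binary part named
# vbaProject.bin (e.g. word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin).
VBA_PART_SUFFIX = "vbaProject.bin"
# Extensions that are expected to carry macros; anything else with VBA is suspicious.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def has_vba_macro(data: bytes) -> bool:
    """Return True if the OOXML package in `data` contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(VBA_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip-based package: legacy OLE2 documents or a non-Office file.
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as no-macro, macro-enabled, or macro-hidden.

    macro-hidden means VBA was found inside a file whose extension (.docx etc.)
    implies no macros, which is a strong signal of tampering or disguise."""
    ext = os.path.splitext(filename.lower())[1]
    if not has_vba_macro(data):
        return "no-macro"
    return "macro-enabled" if ext in MACRO_EXTENSIONS else "macro-hidden"


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed sample package (not a real document) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("invoice.docm", True), ("invoice.docx", True), ("memo.docx", False)):
        print(name, "->", triage_attachment(name, build_sample_document(macro)))
```

In a mail pipeline the "macro-hidden" and "macro-enabled" results would route the message to quarantine or sandbox detonation rather than to the user's inbox.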

With the growing popularity of illegally downloading content, some worms are also embedded within torrent files. Once the downloaded file is executed, the worm's payload is also executed and begins to infect. Many of these torrented files end up on external devices when people copy them between systems. This gives worms an additional method of spreading, because they can make use of Microsoft Windows' autorun feature. This feature determines what actions take place when an external device is connected to the computer, and it allows a worm on an external device to run, install itself on the computer and execute its payload there to continue propagating.

Propagation
The worm will then begin scanning for open ports on the infected computer and on the network the computer is connected to. This helps it determine which computers are connected and which of them are vulnerable. The worm then replicates itself and sends a copy of itself to the next vulnerable computer on the network. The newly infected computers repeat this process, and any other networks linked or connected to the infected computer are at risk of being infected as well. This is how worms are able to travel worldwide at such a rapid rate.
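The scanning phase described above is also the worm's most visible behaviour on the network: one host suddenly contacts many peers on the same port in a short time. The following is an added example, not code from the original page, of the fan-out detection a SOC would run over firewall or NetFlow records; the log format and the thresholds (10 distinct targets on one port within 60 seconds) are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

# Constructed sample (not real traffic): 10.0.0.5 sweeps port 445 across a subnet
# in 12 seconds, while 10.0.0.9 makes ordinary repeated HTTPS connections.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 445 DENY" for i in range(12)]
    + [f"2024-05-01T10:00:{i:02d} 10.0.0.9 10.0.0.20 443 ALLOW" for i in range(3)]
    + ["malformed line that the parser must skip"]
)


def parse_events(text):
    """Parse log text into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, src, dst, port, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def find_scanners(events, window_seconds=60, min_targets=10):
    """Return {src: (port, n_targets)} for sources that reach at least
    min_targets distinct hosts on one port inside any window_seconds window.
    DENY entries count too: a worm probing closed hosts is still a scan."""
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in sorted(events):
        by_key[(src, port)].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for (src, port), seq in by_key.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:  # slide the window forward
                start += 1
            targets = {dst for _, dst in seq[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = (port, len(targets))
                break  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for src, (port, n) in find_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT worm-like scan: {src} reached {n} hosts on port {port}")
```

The same fan-out signal is what a host-based firewall's outbound rules can block directly, and what a network firewall's logs expose when a segment starts probing its neighbours.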

Payload
The payload of the worm may vary significantly. Some of the actions in the payload can include:
 * Install additional malware
 * Create backdoors and access for remote attackers
 * Trigger DoS attacks
 * Delete files
 * Steal information
 * Collect system and network information
 * Exploit vulnerabilities
 * Communicate with malicious remote servers
 * Help create botnets

How to Protect Against Worms
There are a number of ways one can protect oneself and one's networks from worms. Like any other malware, a single form of defense is often not enough, so it is advisable to use multiple layers of defense for better protection.

Patches and Updates
Worms rely significantly on vulnerabilities in networks and systems, so it is vital to ensure your system has the latest patches and stays up to date as new patches come out. These patches fix vulnerabilities so that they cannot be exploited, and by fixing these flaws, worms have fewer options (or none at all) to successfully infect a system. Many people tend to overlook patches and ignore them, yet patching is one of the most fundamental and most critical security measures. The most destructive worm-based malware succeeded because users had not patched their systems.

Antivirus and Firewalls
Always have a reputable antivirus suite installed on your system. Antiviruses can help detect worms based on malware signatures created through research and samples submitted to the vendors. If a worm is detected, the antivirus should prevent it from running and remove it. Always remember to keep your antivirus up to date; when an antivirus is not updated regularly, it will not be able to detect the latest threats and will eventually become ineffective. Always research an antivirus brand before purchasing, as there are a large number of fake or rogue security products that do not actually work and simply con the user into paying for them.

A firewall can be used to help prevent worms from reaching your system or network from the internet. This is achieved by filtering out malicious traffic via rule sets. It is nonetheless highly recommended to use an antivirus and firewall together: the antivirus is the last line of defense and often the safety net that catches malware the firewall missed. A host-based firewall can also help prevent a worm from searching the network for other devices to infect, and network-based firewalls can prevent the worm from using up internet connections and stop it from spreading over the internet.

Run Regular Scans
It's always good to run malware scans on a regular basis. This feature comes standard in any antivirus suite and can be configured to run when you want it to. A full scan is usually best, as it scans all locations on the system and helps detect any traces of a worm that may be residing there. Not all antiviruses detect the same things, so it is also common for users to use additional tools to conduct scans just to be thorough. Some worms only run when a certain condition is met, and data-stealing worms often run in the background and are not resource intensive like other worms, so it's harder to spot unusual computer behaviour.

Always Question Suspicious Emails
Worms are often sent as attachments to potential victims in spam email campaigns. Fake emails are becoming more proficient at mimicking the email designs of legitimate organizations, which makes it harder to determine whether they are real. If you have even the slightest suspicion about an email, contact the organization it claims to be from to confirm it. Until you have confirmed the legitimacy of the email, never open the attachment or click on web links.

Limit User Privileges
This measure applies mainly to large organizations. Most users' privileges should be restricted to what they need to perform their daily tasks, and those privileges should only be elevated when necessary. By doing this, the user can be prevented from installing software on their work system, which in turn prevents worms from being installed by accident. It is often corporate networks that make it possible for worms to spread across the world, as many organizations today are interconnected on a global level.

Disable the Windows Autorun Feature
This feature, also referred to as AutoPlay, is used to determine what action should be taken when an external device is connected to a computer. It is a common practice to disable this feature because worms have been found to abuse it by using it to automatically run and install themselves on the computer and also infect any other devices connected to the computer afterwards. Disabling this feature can reduce the risk of worms entering a network significantly.

Use Strong Passwords
Some worms have tools embedded in them to try and break passwords. This is used to gain access to machines with high privileges in order to conduct further malicious acts. A strong password should always contain upper and lower case letters, numbers and special characters. The required length differs from one organization to another: the common recommended minimum is 8 characters, while some best practices recommend a minimum length of 14 characters. Passwords made of plain dictionary words can easily be broken by dictionary attacks, and short passwords can easily be broken with a brute-force attack or reverse engineered.

Create Regular Backups
This is not a first line of defense, but in the event an advanced worm manages to avoid detection and remains in a file or folder location, a backup allows the user to permanently remove the infected files and replace them with clean copies.

Spam Filters
A spam filter can be implemented to block email addresses known for spam activity. This feature comes built in with some popular commercial email clients and can help prevent a malicious email from reaching a user. This is particularly useful in an organization, as not all employees will be well informed about malicious threats and could end up opening the malicious attachment of an email.

Famous Worms
Many worms have made news headlines over the years, mainly noted for their rapid spreading and destructive nature. Apart from the worms discussed above, here is a list of other famous worms.

Michelangelo (1991)
The Michelangelo worm infected thousands of MS-DOS systems and would overwrite the hard disk and in some cases change the master boot record. Although only around 10 000 systems were affected, it caused mass panic worldwide.

SoBig (2003)
The SoBig worm was sent as a benign-looking email and, when executed, would gather contacts from the victim's address book and send copies of itself out to infect more systems. It relied on public websites to carry out further stages of the payload. With millions of computers infected, the total cost of damages was estimated to be around $37.1 billion.

ILOVEYOU (2000)
The ILOVEYOU worm was sent via email to recipients with a .vbs file attachment claiming to be a love letter. Once executed, the worm would access the victim's Outlook address book and send itself out to the contacts, while a large number of the victim's files were overwritten. The total cost of damages was estimated to be as much as $8.7 billion.

Nimda (2001)
The Nimda ("admin" backwards) worm was one of the fastest-spreading worms ever and spread by finding victims' email addresses in .html files in their web cache folder. It would find their contacts and send itself out to them as well in order to spread. As a result, users' drives were shared without consent and guest accounts were created with administrative privileges. The total cost of damages was around $530 million.

Code Red (2001)
The Code Red worm exploited a buffer overflow vulnerability in Microsoft Internet Information Services servers. It used this vulnerability to replicate itself and would display a message to the victim stating that they had been hacked by the Chinese. Nearly a month after infection, the infected systems would form a botnet and launch a distributed denial of service (DDoS) attack on a large number of IP addresses, one of which belonged to the White House's website. The total estimated damages caused by the worm were $2 billion.

Blaster (2003)
The Blaster worm exploited a vulnerability that Microsoft had announced a month prior to the outbreak. The worm installed a trivial file transfer protocol (TFTP) server on infected systems and downloaded malicious code onto the computers. A total of 25 million computers were believed to be infected, and after 6 months Microsoft released a removal tool to completely remove traces of the worm. This is a classic example of what happens when users do not install a simple patch that could have protected them.

Storm (2007)
The Storm worm was a spam email worm that, to this day, remains one of the most difficult worms to resolve. Infected computers became part of a massive botnet, and the attacker was able to collect information about infected systems, launch DDoS attacks and send more emails to potential victims (over 1.2 billion emails were sent in total). The worm uses a fast-flux DNS technique to update the botnet, and due to its decentralized nature, the infected computers have been very difficult to isolate and clean. To this day, it's estimated that around 10 million computers are still part of the botnet.

MyDoom (2004)
The MyDoom worm was designed to launch a DoS attack on the 1st of February 2004 and stop distributing itself on February 12th. It would also create a backdoor which other attackers and malware could use to attack the infected system. Like many other worms, it made use of email address books to spread itself to new victims. A second version of the worm targeted search engines by flooding engines like Google with millions of search requests at a time, which slowed down the service and triggered a crash in some cases.