Survey on Computer Worms

Paper presented by Author: B. Rajesh, Co-Author: Isthak Ahmed, at an International Conference in Bangalore on 27th July.
K. Ishthaq Ahamed and B. Rajesh

Associate Professor, Department of Computer Science and Engineering, G. Pulla Reddy Engineering College, Kurnool-5! #, Andhra Pradesh, Email: ishthaq@
Department of Computer Science and Engineering, G. Pulla Reddy Engineering College, Kurnool-5! #, Andhra Pradesh, Email: rajesh 5)@yah

ABSTRACT – Computer worms have drawn significant attention in the research community due to their enormously adverse impact on local networks and on the Internet. To understand the adverse impacts posed by computer worms, it is necessary to understand the classes of worms. This paper describes the definition of a computer worm, the history and timeline of computer worms, the classification of computer worms, the life cycle of a computer worm, and worm code analysis.

1 INTRODUCTION

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (i.e., computers on the network), and it may do so without any user intervention. Viruses, by contrast, need to be attached to system files belonging to the operating system, and they require some sort of user action to abet their propagation. Viruses tend to propagate more slowly. They also face more mature defenses, due to the presence of a large anti-virus industry that actively seeks to identify and control their spread. Unlike a virus, a computer worm does not need to attach itself to an existing program. Computer worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a target computer. Computer worms are hated because they consume bandwidth and may crash the computers they infect. Infected computers may also be used for other attacks such as DDoS, phishing attacks, etc. Computer worms are one form of malware, along with viruses and Trojans.
A person typically installs worms by inadvertently opening an email attachment or message that contains executable scripts. Once installed on a computer, worms spontaneously generate additional email messages containing copies of the worm. They may also open TCP ports to create network security holes for other applications, and they may attempt to flood the LAN with spurious Denial of Service (DoS) data transmissions.

2 DEFINITION OF COMPUTER WORM

Definition 1. Computer worms are malicious software applications designed to spread via computer networks.

Definition 2. A computer worm is an evil-intentioned program that can replicate and run itself.

3. HISTORY OF COMPUTER WORM

The first ever program that could be called a worm, as per the definition, was developed for the assistance of air traffic controllers by Bob Thomas in 1971. This worm program would notify air traffic controllers when the controls of a plane moved from one computer to another. This worm, named "creeper", would travel from one computer screen to another on the network showing the message "I am Creeper! Catch me if you can!" The difference from most worms was that this creeper did not reproduce itself.

The first Internet infection that required no human intervention to propagate was the Morris Worm, discovered in 1988 and released by Robert Morris. It spread very quickly, infecting a number of vulnerable computers in a matter of hours. The Morris Worm infected various machines and also used multiple exploits, including buffer overflows, debugging routines in mail components, password sniffing, and other streams of execution, to improve its ability to attack other computers. Although it was released by accident, the benign concept doesn't really apply to the Morris Worm, as it had a significant amount of impact because of the bug in its code. When reinfecting a computer, there remained the possibility that the new infection would be persistent, allowing other worms to run and terribly impact system performance.
o*eer, t$is caused t$e*orm to /e noticed instantly, and t$erefore, &uiclycontained. /odern Worms. Actie computer *orms $aereturned to prominence in recent times. 0$e first oneto cause an eruption *as Code Red. 0$is infection proed $o* &uicly a simple self-replicating programcould spread ia t$e internet@s current infrastructure.Code Red e2ploited a /uffer flo* condition in t$e?icrosoft ++S 8+nternet +nformation Serer9. +t *as  a/le to propagate &uicly /ecause of t$e al*ays onnature of ++S and many ersions of t$e :indo*soperating system. Code Red *as also e&uipped *it$scanning capa/ilities t$at improed its t$roug$putand gae it t$e a/ility to elude numerous +P addresssecurity features. 1.' Time ine o Computer Worms 2ear3 '45'Worm (ame3 Creeper*es!ription3   0$e Creeper irus, an e2perimentalself-replicating program, is *ritten /y 3o/ 0$omas at337 0ec$nologies. Creeper infected DEC PDP- computers running t$e 0E7EB operating system.Creeper gained access ia t$e ARPA7E0 and copieditself to t$e remote system *$ere t$e message, +@mt$e creeper, catc$ me if you can> *as displayed. 0$eReaper program *as later created to delete Creeper. 2ear3 '456Worm (ame3 Wa$$it*es!ription3 0$e :a//it irus, more a for /om/t$an a irus, is *ritten. 0$e :a//it irus maesmultiple copies of itself on a single computer 8and*as named :a//it for t$e speed at *$ic$ it did so9until it clogs t$e system, reducing system performance, /efore finally reac$ing a t$res$old andcras$ing t$e computer. 2ear3 '457Worm (ame3 Anima *es!ription3 Animal is *ritten /y o$n :aler for t$e 17+AC  !. Animal ased a num/er of &uestions to t$e user in an attempt to guess t$e typeof animal t$at t$e user *as t$ining of, *$ile t$erelated program PERADE *ould create a copy of itself and A7+?A6 in eery directory to *$ic$ t$ecurrent user $ad access. +t spread across t$e multi-user 17+ACs *$en users *it$ oerlapping permissions discoered t$e game, and to ot$er computers *$en tapes *ere s$ared. 
The program was carefully written to avoid damage to existing file or directory structure, and not to copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying. Though non-malicious, Pervading Animal represents the first Trojan in the wild.

Year: 1988
Worm Name: Morris worm
Description: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively in the wild, and one of the first well-known programs exploiting buffer overrun vulnerabilities.

Year: 1999
Worm Name: Melissa
Description: First found in March #, 1999, using holes in Microsoft Outlook, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm. Once executed, the original version of Melissa used a macro virus to spread to the first 5 addresses in the user's Outlook address book. However, if Internet access or Outlook were not available, it would copy itself to other Word documents and attempt to e-mail those documents, revealing potentially confidential information. Further, it would modify existing documents by inserting quotes from the Simpsons television show. (Henry, # )
Estimated damage: H. billion.

Year: 2000
Worm Name: I LOVE YOU
Description: First found on May , 2000 in Asia, it spread quickly across the globe. Instead of sending a copy of the worm to the first 5 or  addresses in the host's Outlook address book like Melissa, I Love You used every single address in the host's address book. This worm also had a malicious side to it, as the worm overwrote important files with a copy of itself, making it virtually impossible to recover the original files. It also marked all mp3 files as hidden, and downloaded a Trojan horse that would steal user names and passwords and send them to the virus's author.
Estimated damage: H!.;5 billion.

Year: 2001
Worm Name: "Anna Kournikova Virus" worm
Description: First appearing in February 2001, it was produced by a "script kiddie," and is well known only for its social engineering attachment that appeared to be a graphic image of Russian tennis star Anna Kournikova. However, when the file was opened, a clandestine code extension enabled the worm to copy itself to the Windows directory and then send the file as an attachment to all addresses listed in your Microsoft Outlook e-mail address book. The Anna Kournikova virus worm, although famous, was just a nuisance, as it did little to no damage.
Estimated damage: H,!#;

Year: 2001
Worm Name: Code Red
Description: First found on July , 2001, this worm exploited a vulnerability in Microsoft's Internet Information Server (IIS) web servers to deface the host's website, and copy the file and rename it root.exe in the Web server's publicly accessible scripts directory. This would provide complete command line control to anyone who knew the Web server had been compromised. It also waited # -#; days after it was installed to launch denial of service attacks against the White House's IP address. Code Red spread at a speed that overwhelmed network administrators, as more than 5), servers became compromised in just over J hours. At its peak, more than #, servers were being compromised every single minute. Estimates are that Code Red compromised more than ;5 , servers. (Henry, # )
Estimated damage: H#. billion

Year: 2001
Worm Name: Sircam
Description: First found on July ), 2001, this mass-mailing e-mail worm not only exploited Microsoft's Outlook program, it also had the ability to spread through Windows Network shares. The worm had two deadly payloads, but due to a program error they did not work.
Estimated damage: H. billion

Year: 2001
Worm Name: NIMDA
Description: First appearing in September 2001, NIMDA, which is "admin" spelled backwards, was not as malicious in nature as previous worms, but its advanced features and its different means of propagation allowed it to spread faster than any preceding worm. These means included: from client to client via email, from client to client via open network shares, from web server to client via browsing of compromised web sites, from client to web server via active scanning for and exploitation of various Microsoft IIS vulnerabilities, and from client to web server via scanning for the back doors left behind by the Code Red II and sadmind/IIS worms. NIMDA was also the first worm that contained its own e-mail program, so it did not depend on the host's e-mail program to propagate.
Estimated damage: HJ5 million

Year: 2001
Worm Name: Klez
Description: First appearing in October #, 2001, Klez and its variants were still considered a problem late in # , making Klez one of the most persistent viruses ever. Klez was a hybrid worm that took advantage of a flaw in Outlook that allowed it to be installed simply by viewing the e-mail in the preview panel. As a hybrid threat it could behave like a virus, a worm, and at other times even like a Trojan horse. Klez also incorporated a technique we saw in the Christmas Exec worm, as it selected one e-mail address from the host's address book to use as the "from" address, then sent the worm to all the other addresses. In this manner, the e-mail often appeared to have been sent from someone the addressee actually knew.
Estimated damage: H!.) billion

Year: 2003
Worm Name: SQL Slammer
Description: Appearing January #5, 2003, and taking advantage of two buffer overflow bugs in Microsoft's SQL Server database product, it spread rapidly, with a doubling time of !.5 seconds in the early phases of the attack, allowing it to infect most of its victims within  minutes.
SQL Slammer was the first example of a Warhol worm. A Warhol worm was first hypothesized in # # in a paper by Nicholas Weaver, and it is an extremely rapidly propagating computer worm that spreads as fast as physically possible, infecting all vulnerable machines on the entire Internet in 5 minutes or less. The term is based on Andy Warhol's remark that "In the future, everybody will have 5 minutes of fame." (Computer Worm, # 5)
Estimated damage: H.# billion.

Year: 2003
Worm Name: Sobig
Description: Originally put together in January 2003 to spread a proxy server Trojan, its variant Sobig.F set a record in sheer volume of e-mails. Sobig, like Nimda, used a built-in SMTP engine so it did not depend on the host's e-mail program to propagate. Then, emulating Klez, it selected one e-mail address from the host's address book to use as the "from" address, then sent the worm to all the other addresses. It also attempted to create a copy of itself on network shares, but failed due to bugs in the code.
Estimated damage: H. billion

Year: 2003
Worm Name: Blaster
Description: Appearing August , 2003, Blaster exploited a Microsoft DCOM RPC vulnerability to infect systems running Windows 2000 and Windows XP, and cause instability on systems running Windows NT and Windows Server 2003. Filtering of virus activity by Internet service providers (ISPs) worldwide greatly reduced the spread of Blaster.
Estimated damage: H. billion

Year: 2004
Worm Name: Mydoom
Description: Appearing January #, 2004 and primarily transmitted via e-mail to appear as a transmission error, Mydoom spread rapidly and became the fastest-spreading email worm ever. It slowed overall Internet performance by about  N, and average web page load times by about 5 N.
Estimated damage: H!.5 billion

Year: 2004
Worm Name: Witty
Description: Appearing March ), 2004, the Witty worm was the fastest-developed worm to date, as there were only  hours between the release of the advisory and the release of the virus.
Witty infected the entire exposed population of twelve thousand machines in J5 minutes, and it was the first widespread worm that destroyed the hosts it infected (by randomly erasing a section of the hard drive) without significantly slowing the worm's expansion.
Estimated damage: H million

Year: 2004
Worm Name: Sasser
Description: Appearing on April , 2004 and spreading by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service), it hit the Internet a little more than two weeks after Microsoft warned users of this flaw. Although it caused infected Windows XP and Windows 2000 computers to repeatedly reboot, Sasser did little damage, as it was merely designed to spread and carried no payload.
Estimated damage: HJ.! billion

Year: 2005
Worm Name: Zotob
Description: Zotob is a computer worm which exploits security vulnerabilities in Microsoft operating systems like Windows 2000, including the MS05-039 plug-and-play vulnerability. This worm has been known to spread on Microsoft-ds, or TCP port 445. The Zotob worm and several variations of it, known as Rbot.cbq, SDBot.bzh and Zotob.d, infected computers at companies such as ABC, CNN, The Associated Press, The New York Times, and Caterpillar Inc.
Estimated damage: H);,

Year: 2006
Worm Name: Nyxem
Description: The Nyxem worm was discovered. It spread by mass-mailing.
Its payload, which activates on the third of every month, starting on February , attempts to disable security-related and file sharing software, and destroy files of certain types, such as Microsoft Office files.

Year: 2007
Worm Name: Storm
Description: The Storm Worm is a backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January ;, 2007. The worm is also known as:
Troj/Dorf and Mal/Dorf (Sophos)
Trojan.DL.Tibs.Gen!PacQ
Trojan.Downloader-J;
Trojan.Peacomm (Symantec)

Year: 2008
Worm Name: Koobface
Description: Koobface is a computer worm that targets users of the social networking websites Facebook, MySpace, hi5, Bebo, Friendster and Twitter. Koobface is designed to infect Microsoft Windows and Mac OS X, but also works on Linux in a limited fashion. Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, and other social media platforms, but not any sensitive financial data. It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as to hijack search queries to display advertisements. It was first detected in December 2008 and a more potent version appeared in March 2009. A study by the Information Warfare Monitor, a joint collaboration from SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, has revealed that the operators of this scheme have generated over H# million in revenue from June 2009 to June # .