26 February, 2008

Technical Details series - 2: Network Worms

Another technical document on the class of malware known as “network worms”

Too good…

This is one of the most dangerous threats in small-office and corporate LANs…


Education is the most powerful weapon which you can use to change the World.

--- Nelson Mandela


From:
Sent: Monday, February 25, 2008 10:10 AM

Network Worms

Today everyone has heard of computer worms.

Worms can be classified according to the propagation method they use, i.e. how they deliver copies of themselves to new victim machines. Worms can also be classified by installation method, launch method and finally according to characteristics common to all malware: polymorphism, stealth etc.

Many of the worms which managed to cause significant outbreaks use more than one propagation method as well as more than one infection technique. The methods are listed separately below.

Email worms

Email worms spread via infected email messages. The worm may be in the form of an attachment or the email may contain a link to an infected website. However, in both cases email is the vehicle.

In the first case the worm will be activated when the user clicks on the attachment. In the second case the worm will be activated when the user clicks on the link leading to the infected site.

Email worms normally use one of the following methods to spread:

  • Direct connection to SMTP servers using an SMTP API library coded into the worm
  • MS Outlook services
  • Windows MAPI functions

Email worms harvest email addresses from victim machines in order to spread further. Worms use one or more of the following techniques:

  • Scanning the local MS Outlook address book
  • Scanning the WAB address database
  • Scanning files with appropriate extensions for email address-like text strings
  • Replying with a copy of itself to all mail in the user's mailbox (worms may even 'answer' unopened items in the inbox)

While these techniques are the most common, some worms even construct new recipient addresses based on lists of possible names combined with common domain names.

Instant Messaging (ICQ and MSN) Worms

These worms have a single propagation method. They spread using instant messaging applications by sending links to infected websites to everyone on the local contact list. The only difference between these worms and email worms which send links is the media chosen to send the links.

Internet Worms

Virus writers use other techniques to distribute computer worms, including:

  • Copying the worm to networked resources
  • Exploiting operating system vulnerabilities to penetrate computers and/or networks
  • Penetrating public networks
  • Piggy-backing: using other malware to act as a carrier for the worm.

In the first case, the worms locate remote machines and copy themselves into folders which are open for read and write access. These network worms scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines. They will then attempt to connect to these machines and gain full access to them.

In the second case, the worms scan the Internet for machines that have not been patched, i.e. have operating systems with critical vulnerabilities still open to exploitation. The worm sends data packets or requests which install either the entire body of the worm or a section of the worm's source code containing downloader functionality. If this code is successfully installed the main worm body is then downloaded. In either case, once the worm is installed it will execute its code and the cycle continues.
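The two behaviours described above (a worm talking SMTP directly to many mail servers, and a worm probing many machines for open shares or unpatched services) both show up in network flow records as one internal host fanning out to an unusual number of distinct destinations on a single port. The following detector is an added example, not part of the original article: it reads a constructed flow log in an assumed "timestamp src dst dst_port" format, applies a sliding time window per (source host, port) pair, and raises an alert when the count of distinct destinations crosses a threshold. The watched ports, the window and the threshold are assumptions to be tuned per environment.

```python
"""Fan-out detector for worm-like propagation over network flow logs.

Added example (not from the original article). Flags internal hosts that open
connections to many distinct destinations on one port within a short window:
port 25 fan-out suggests a mass-mailing worm speaking SMTP directly, port 445
fan-out suggests share-copying or vulnerability scanning. Log format, ports,
window and threshold are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log: "timestamp src_ip dst_ip dst_port".
# 10.0.0.5 contacts six mail servers in a few seconds, 10.0.0.7 probes eight
# neighbours on SMB, 10.0.0.9 is a normal client using its own mail relay.
SAMPLE_FLOWS = """\
2008-02-25T10:00:01 10.0.0.5 203.0.113.10 25
2008-02-25T10:00:02 10.0.0.5 203.0.113.11 25
2008-02-25T10:00:03 10.0.0.5 203.0.113.12 25
2008-02-25T10:00:04 10.0.0.5 203.0.113.13 25
2008-02-25T10:00:05 10.0.0.5 203.0.113.14 25
2008-02-25T10:00:06 10.0.0.5 203.0.113.15 25
2008-02-25T10:00:10 10.0.0.7 10.0.0.21 445
2008-02-25T10:00:11 10.0.0.7 10.0.0.22 445
2008-02-25T10:00:12 10.0.0.7 10.0.0.23 445
2008-02-25T10:00:13 10.0.0.7 10.0.0.24 445
2008-02-25T10:00:14 10.0.0.7 10.0.0.25 445
2008-02-25T10:00:15 10.0.0.7 10.0.0.26 445
2008-02-25T10:00:16 10.0.0.7 10.0.0.27 445
2008-02-25T10:00:17 10.0.0.7 10.0.0.28 445
2008-02-25T10:00:20 10.0.0.9 10.0.0.2 25
2008-02-25T10:00:25 10.0.0.9 10.0.0.2 25
2008-02-25T10:00:30 10.0.0.9 198.51.100.7 443
"""

# Ports whose fan-out is worth alerting on, with the behaviour each suggests.
WATCHED_PORTS = {
    25: "direct SMTP fan-out (mass-mailing worm)",
    445: "SMB fan-out (share copying / exploit scanning)",
}


def parse_flows(text):
    """Parse the assumed log format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_fanout(flows, threshold=5, window=timedelta(minutes=1)):
    """Return {(src, port): peak distinct-destination count} for every
    (source, watched port) pair that reached `threshold` distinct destinations
    inside any `window`-long span of the log."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in WATCHED_PORTS:
            by_key[(src, port)].append((ts, dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {dst for _, dst in events[left:right + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


def describe(alerts):
    """Human-readable alert lines, one per flagged (host, port) pair."""
    return [f"{src} -> {n} distinct hosts on port {port}: {WATCHED_PORTS[port]}"
            for (src, port), n in sorted(alerts.items())]


if __name__ == "__main__":
    for line in describe(find_fanout(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

The normal client 10.0.0.9 talks only to its own relay on port 25, so it never crosses the threshold; raising the threshold to 7 keeps only the SMB scanner. On a real network the same logic runs over NetFlow or firewall logs, and the baseline for "too many distinct destinations" should come from observed traffic rather than the constants used here.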

Worms that use Web and FTP servers fall into a separate category. Infection is a two-stage process. These worms first penetrate service files on the file server, such as static web pages. Then the worms wait for clients to access the infected files and attack individual machines. These victim machines are then used as launch pads for further attacks.
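The first stage of the web/FTP-server attack described above is a change to files the server hands out to clients, which is exactly what a file-integrity baseline over the document root catches. The script below is an added example and not part of the original article: it hashes every file under a constructed document root, then reports files that were modified or added since the baseline was taken. Paths, file contents and the SHA-256 choice are assumptions for the demo.

```python
"""Integrity baseline for a web document root, to catch the first stage of a
web/FTP-server worm: modification of the static files served to clients.

Added example, not from the original article. Records a SHA-256 digest of
every file under the root and reports changed, added and removed files on a
later pass. The document root and its contents are constructed for the demo.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def compare_baseline(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def _write(root, rel, data):
    """Write a constructed file into the demo document root."""
    with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
        f.write(data)


def demo():
    """Build a constructed web root, take a baseline, then simulate the kind
    of change a server-side worm makes and return what the comparison finds."""
    root = tempfile.mkdtemp(prefix="webroot_")
    _write(root, "index.html", "<html><body>Welcome</body></html>\n")
    _write(root, "about.html", "<html><body>About us</body></html>\n")
    baseline = hash_tree(root)

    # Constructed change: a static page is altered and a new file appears.
    _write(root, "index.html", "<html><body>Welcome</body></html>\n<!-- altered -->\n")
    _write(root, "update.exe", "constructed placeholder, not a real binary\n")

    return compare_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("removed: ", removed)
```

In practice the baseline should be stored off the web server (an attacker who can rewrite the pages can rewrite a baseline kept beside them) and the comparison scheduled so that a change is noticed before many clients have fetched the altered page.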

Some virus writers use worms or Trojans to spread new worms. These writers first identify Trojans or worms that have successfully installed backdoors on victim machines. In most cases this functionality allows the master to send commands to the victim machine: such zombies which have backdoors installed can be commanded to download and execute files - in this case copies of the new worm.

Many worms use two or more propagation methods in combination, in order to more efficiently penetrate potential victim machines.

IRC Worms

These worms target chat channels, although to date IRC worms have been detected. IRC worms also use the propagation methods listed above - sending links to infected websites or infected files to contacts harvested from the infected user. Sending infected files is less effective as the recipient needs to confirm receipt, save the file and open it before the worm is able to penetrate the victim machine.

File-sharing Networks or P2P Worms

P2P worms copy themselves into a shared folder, usually located on the local machine. Once the worm has successfully placed a copy of itself under a harmless name in a shared folder, the P2P network takes over: the network informs other users about the new resource and provides the infrastructure to download and execute the infected file.

More complex P2P worms imitate the network protocol of specific file-sharing networks: they respond affirmatively to all requests and offer infected files containing the worm body to all comers.
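Because a P2P worm relies on sitting in a shared folder under a harmless-looking name, a defender can audit that folder for files whose name and content disagree. The check below is an added example, not part of the original article: it walks a constructed share and flags files that carry a media or document extension but begin with the "MZ" marker of a Windows executable, files with a data extension buried in front of an executable one (e.g. "readme.txt.exe"), and plain executables that have no business in a media share. The extension lists and the sample files are assumptions for the demo.

```python
"""Audit a shared folder for executables hiding under harmless-looking names.

Added example, not part of the original article. P2P worms drop a copy of
themselves under an innocuous name into a shared folder; this check compares
each file's claimed extension with its actual content (Windows PE files start
with the two bytes 'MZ') and flags the mismatches. The extension lists and
the share contents are constructed for the demo.
"""
import os
import tempfile

PE_MAGIC = b"MZ"
# Extensions a user would expect to hold non-executable data in a share.
DATA_EXTENSIONS = {".mp3", ".jpg", ".txt", ".pdf", ".avi"}
# Extensions Windows will run directly.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}


def classify_file(path):
    """Return 'disguised-exe', 'double-extension', 'executable' or 'ok'."""
    name = os.path.basename(path).lower()
    root, ext = os.path.splitext(name)
    with open(path, "rb") as f:
        head = f.read(2)
    if ext in EXEC_EXTENSIONS:
        # e.g. "readme.txt.exe": a data extension placed before the real one
        inner_ext = os.path.splitext(root)[1]
        if inner_ext in DATA_EXTENSIONS:
            return "double-extension"
        return "executable"
    if head == PE_MAGIC and ext in DATA_EXTENSIONS:
        return "disguised-exe"
    return "ok"


def audit_share(folder):
    """Map each suspicious file name under `folder` to its verdict."""
    findings = {}
    for dirpath, _, filenames in os.walk(folder):
        for fn in filenames:
            verdict = classify_file(os.path.join(dirpath, fn))
            if verdict != "ok":
                findings[fn] = verdict
    return findings


def build_demo_share():
    """Create a constructed share: one clean file and three suspicious ones."""
    folder = tempfile.mkdtemp(prefix="share_")
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",   # clean
        "top_hit.mp3": PE_MAGIC + b"\x90\x00 constructed, not audio",  # PE under .mp3
        "readme.txt.exe": PE_MAGIC + b"\x90\x00",                    # double extension
        "setup.exe": PE_MAGIC + b"\x90\x00",                         # bare executable
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return folder


if __name__ == "__main__":
    for name, verdict in sorted(audit_share(build_demo_share()).items()):
        print(f"{name}: {verdict}")
```

The magic-byte check is the one that matters most: renaming a binary to "song.mp3" fools a directory listing but not a read of its first two bytes. Running this audit on a schedule against every share exported from the machine, and treating a new "executable" or "disguised-exe" finding as an incident, covers the foothold the text describes.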

BE SURE, Be Protected
