Internet Worms

Since the Morris worm in 1988, the security threat posed by worms has steadily increased, especially in the last several years. In 2001, Code Red and Nimda infected hundreds of thousands of computers, causing millions of dollars in losses. After a relatively quiet period, SQL Slammer appeared on January 25th, 2003, and quickly spread throughout the Internet. Because of its very fast scan rate, Slammer infected more than 90% of vulnerable computers on the Internet within 10 minutes. In addition, the sheer volume of scan packets sent out by Slammer caused a global-scale denial of service against the Internet itself, saturating links and overloading routers that had nothing to do with SQL Server.

Worm propagation methods

Worms attack via numerous methods. Some of the most common vectors are open network services, modems, peer-to-peer applications, email, web browsers, instant messengers, newsgroups, removable media, and macros. Almost every application written for use on a computer has had some sort of vulnerability discovered. The problem occurs when a vulnerable service faces the Internet: it can be exploited any time an attacker finds it. Some worms are based on newly found vulnerabilities, so-called "zero-day exploits". This means the exploit targets a vulnerability for which the vendor has no patch, either because it was never disclosed to the vendor or because it was disclosed so recently that no fix exists yet. Zero-days are not the common case, however. The most damaging worms of this period exploited vulnerabilities for which a patch had been available for weeks or months (the MS SQL Server bug used by Slammer had been patched six months before the worm appeared), so the real gap was unpatched systems rather than unknown bugs.

Another method available to worms is email. Email worms sometimes exploit vulnerabilities in a specific email client such as Thunderbird or MS Outlook, but more often they simply rely on the recipient opening an infected attachment or script. Once running, the worm typically mails a copy of itself to every contact in the address book. They also use social engineering, for example by appearing to reply to a legitimate message already in the Inbox, so the user opens the email because it seems to come from someone they know.

One of the original ways to get a worm or computer virus was through floppy disks. The boot record of a disk could be infected, and when the disk was read on a computer, that machine was infected in turn. Today we see increasing use of other removable media such as CD-ROMs and flash media of the kind used in digital cameras and USB keys. Any autorun or autoplay feature that executes code when media is inserted makes this physical transmission path just as exploitable as the old boot sector was.

Attacks on network services are a very common propagation method. Common services run on well-known ports so that clients can connect without needing any prior information about the server; it would be very hard to reach a company website if it listened on something other than the standard port 80. This convention, shared by services on every platform, makes them easy targets for worms. Code Red attacked MS IIS on TCP port 80, Blaster attacked the Windows RPC service on TCP port 135, and Slammer attacked the MS SQL Server resolution service on UDP port 1434. Once an exploit exists, the worm needs no reconnaissance beyond picking an address and sending to the well-known port; whether that address even belongs to a live host is irrelevant to the scan loop.
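The two claims above, that Slammer's scan rate let it infect most vulnerable hosts within minutes and that a fixed well-known port makes blind random scanning effective, can be quantified with the random constant spread model used in the worm-measurement literature. The following is an added example, not code from the original page; the host counts and scan rates for Slammer and Code Red are approximate figures from published measurements and are assumptions for illustration.

```python
# Added example (not from the original page): the random constant spread
# model for a worm that picks targets uniformly at random from the 32-bit
# IPv4 space and probes one well-known port.  Parameters for Slammer and
# Code Red are approximate published estimates, used here as assumptions.
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner can choose from


def contact_rate(vulnerable_hosts, scans_per_second):
    """K: new infections per second caused by one infected host early on.

    Each scan hits a vulnerable host with probability N / 2^32, so a host
    sending s scans per second converts s * N / 2^32 new victims per second.
    """
    return scans_per_second * vulnerable_hosts / ADDRESS_SPACE


def infected_at(t, vulnerable_hosts, scans_per_second, initial_infected=1):
    """I(t): logistic solution of dI/dt = K * I * (1 - I/N)."""
    n = vulnerable_hosts
    k = contact_rate(n, scans_per_second)
    return n / (1 + (n / initial_infected - 1) * math.exp(-k * t))


def seconds_to_fraction(fraction, vulnerable_hosts, scans_per_second,
                        initial_infected=1):
    """Invert I(t) = fraction * N: seconds until that share of N is infected."""
    n = vulnerable_hosts
    k = contact_rate(n, scans_per_second)
    return math.log((n / initial_infected - 1) * fraction / (1 - fraction)) / k


def doubling_time(vulnerable_hosts, scans_per_second):
    """Early-phase doubling time ln(2)/K, before saturation slows growth."""
    return math.log(2) / contact_rate(vulnerable_hosts, scans_per_second)


# Assumed parameters (approximate, from published measurement papers):
#   Slammer  : ~75,000 vulnerable hosts, ~4,000 scans/s per infected host
#              (one 376-byte UDP packet per probe, no handshake, so the rate
#              is limited only by the victim's bandwidth)
#   Code Red : ~360,000 vulnerable hosts, ~10 scans/s (a TCP connect per probe)
WORMS = {
    "Slammer": dict(vulnerable_hosts=75_000, scans_per_second=4_000),
    "Code Red": dict(vulnerable_hosts=360_000, scans_per_second=10),
}

if __name__ == "__main__":
    for name, p in WORMS.items():
        print(f"{name:9s} doubling {doubling_time(**p):7.1f}s, "
              f"90% infected after {seconds_to_fraction(0.9, **p) / 60:8.1f} min")
```

Under these assumptions Slammer doubles roughly every 10 seconds and reaches 90% of the vulnerable population in a few minutes, while Code Red, with the same model but a TCP handshake per probe and a much lower scan rate, needs hours. The model shows why the port convention matters: the scanner never has to discover anything, so its speed depends only on how many packets per second it can emit.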

Mitigations

The best way to mitigate the threat of worm infection is defense in depth. Through border protection, network segmentation, host security, application security, anti-virus software, and user training, a company can make its network as secure as practical; no single layer will stop every worm, so each layer should assume the one before it has failed. Many resources on the Internet and in training classes teach defense in depth. One of the biggest challenges in building a secure architecture is convincing the business that security is not about taking away access and slowing things down, but about protecting the business from risk. Risk assessment can be used to include the business in the process of providing security. By involving the business early and often, it becomes possible to influence decisions during requirements gathering rather than after the fact, so that business decisions are made with security concerns in view.

The first step is to keep worms from entering the network. Border protection is the classic strategy of keeping bad things out: if a worm cannot reach your network, it cannot infect it. It is important to think about every possible entry point. The most obvious are Internet connections, and a large company will most likely have more than one. Firewalls and intrusion detection devices help mitigate risk at the border. Modems are another common entry point; remote administration of servers and other devices is common, especially where third-party support is used, and a dial-in modem bypasses the Internet firewall entirely. As laptops become more popular, they become yet another way in. If a user takes a laptop home and plugs it into a home broadband network to connect back to the corporate network (hopefully through a virtual private network, or VPN), the laptop is exposed directly to the Internet without the corporate firewall, and once infected it carries the worm inside the perimeter when it reconnects. This can be mitigated with a firewall appliance or personal firewall software such as ipfw, ipf, iptables, or ZoneAlarm, configured to deny all unsolicited inbound connections.

Network segmentation includes the use of security zones such as DMZs and physically separated networks. A DMZ (demilitarized zone) is a network segment placed between the Internet and the trusted internal network. Legitimate traffic from the Internet to web servers in the DMZ passes through a firewall before reaching the servers. A second firewall between the web servers and any back-end processing servers protects the trusted network from the DMZ, so a compromised web server cannot reach the internal network freely. Traffic across each firewall is restricted to specific known ports, and everything else is blocked. Traffic at each firewall can be analyzed with intrusion detection systems (IDS), and any attack attempts investigated. Another important concept in the use of firewalls is egress filtering, which prevents unauthorized traffic from leaving your network. Egress filtering blocks specific ports, protocols, or hosts from sending data out through the firewall's outside interface. It prevents unknown programs such as worms from sending traffic out of the network, which helps limit their spread across the Internet, and a burst of blocked outbound connections from one host is often the first sign that the host is infected.
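The two-firewall DMZ policy described above, with default deny in both directions and egress filtering, is small enough to model as a rule table and run against sample traffic. The following is an added example, not code from the original page or from any firewall product: the zone names, rule tuple format, RFC 1918 and documentation address ranges, and the sample flows are all constructed for illustration. It also covers the earlier point about a personal firewall denying unsolicited inbound connections, since the same default-deny evaluation applies to a single host. The last function shows the IDS-style check the text alludes to: a host whose blocked outbound flows fan out to many distinct destinations is behaving like a scanning worm.

```python
# Added example (not part of the original page): a model of the two-firewall
# DMZ design with default deny and egress filtering, evaluated against
# constructed flows.  Zone names, rule format and addresses are assumptions;
# a real deployment expresses the same policy in the firewall's own rule
# language (iptables, pf, or a vendor appliance).
from collections import defaultdict
import ipaddress

# Assumed addressing: RFC 1918 ranges for the DMZ and the internal LAN;
# every other address counts as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.10.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Each rule: (src_zone, dst_zone, proto, dst_port or None for any port).
# Anything not matched is dropped, so default deny covers ingress and egress.
ALLOW_RULES = [
    ("internet", "dmz", "tcp", 80),        # outer firewall: public web only
    ("dmz", "internal", "tcp", 1433),      # inner firewall: web tier to SQL only
    ("internal", "internet", "tcp", 80),   # egress: browsing from the LAN
    ("internal", "internet", "tcp", 443),
    ("internal", "dmz", "tcp", 22),        # admin SSH from inside to the DMZ
]


def evaluate(flow):
    """Return 'allow' or 'deny' for one flow; first matching rule wins."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        return "allow"  # same segment: no firewall in the path
    for s, d, proto, port in ALLOW_RULES:
        if (s, d, proto) == (src_zone, dst_zone, flow["proto"]) \
                and port in (None, flow["dport"]):
            return "allow"
    return "deny"


def scanning_hosts(flows, min_denied_targets=3):
    """Sources whose denied flows reach many distinct destinations.

    A worm probing random addresses on one port produces exactly this
    pattern in firewall logs; a misconfigured client usually hits one host.
    """
    targets = defaultdict(set)
    for f in flows:
        if evaluate(f) == "deny":
            targets[f["src"]].add(f["dst"])
    return sorted(src for src, t in targets.items() if len(t) >= min_denied_targets)


def flow(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# Constructed sample traffic (not captured data).  203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_FLOWS = [
    flow("203.0.113.5", "192.168.10.10", "tcp", 80),    # client to web server
    flow("203.0.113.5", "192.168.10.10", "tcp", 1433),  # Internet to a DMZ SQL port
    flow("203.0.113.5", "10.1.1.20", "tcp", 80),        # Internet straight to the LAN
    flow("192.168.10.10", "10.1.1.20", "tcp", 1433),    # web tier to SQL server
    flow("192.168.10.10", "10.1.1.20", "tcp", 135),     # web tier to RPC on the LAN
    # A Slammer-style infection of the web server: UDP 1434 to random hosts.
    flow("192.168.10.10", "198.51.100.1", "udp", 1434),
    flow("192.168.10.10", "198.51.100.77", "udp", 1434),
    flow("192.168.10.10", "203.0.113.200", "udp", 1434),
    flow("192.168.10.10", "10.3.7.9", "udp", 1434),
    flow("10.1.1.50", "203.0.113.5", "tcp", 443),       # user browsing out
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{evaluate(f):5s} {f['src']:>15} -> {f['dst']:>15} "
              f"{f['proto']}/{f['dport']}")
    print("possible scanners:", scanning_hosts(SAMPLE_FLOWS))
```

The compromised web server's scan packets are dropped at both firewalls: the outer one because nothing permits DMZ-to-Internet UDP, the inner one because only TCP 1433 is allowed toward the LAN. The denied-flow fan-out then singles out 192.168.10.10 while the Internet client that tried two ports is not flagged, which is the distinction an analyst investigating IDS alerts needs.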