Skip to content

Computer Worm

Computer Worms: Lifecycle, Impact, and Defense Strategies

Protect Against Computer Worms
Table of Contents

What is a computer worm?

Computer worms have been around for more than three decades and show no sign of extinction. Throughout their existence, they have been responsible for billions of dollars in damage. Their fast, self-replicating nature is no match for legacy security measures—which are typically prone to vulnerabilities. Recent reports show that 33% of all applications have a serious vulnerability—which is a common point of entry for computer worms. 

A computer worm is a type of self-replicating malware designed to infect networks by exploiting weaknesses found in operating systems. Once a system is infected, the computer worm duplicates with the intention of infecting other computers. Due to its rapid replicating design, worms normally cause damage by consuming bandwidth and overloading web servers.

Computer worms vs. viruses

A computer worm is often referred to as a type of computer virus, but that is not technically correct. There are a few small yet notable differences that separate the computer worm from the virus. The most significant incongruity between computer worms and viruses has to do with how these malicious programs are activated. Viruses require some sort of activation to infect devices, whereas worms do not. Computer worms are malicious cyber intrusions that can both self-replicate and self-propagate once they integrate into a system. Another key difference between a computer virus and a computer worm concerns their host interaction. Viruses require some sort of human interaction, whether it is clicking a malicious link or opening a corrupt attachment. Computer worms, on the other hand, need no trigger event to start causing damage, rapidly replicating and sending duplicates of themselves throughout networks to connected devices.  

Computer worms vs. trojans

A Trojan or Trojan horse is a type of malicious code or program that is initiated on systems after some sort of trigger—like clicking a malicious link or opening an application. A Trojan cannot replicate itself as a computer worm can and does not self-propagate. Areas of attack depend on the programming objective of a Trojan, which is most often to steal information or damage devices. A typical action of Trojans is to create a back-door entry into applications—exposing the infrastructure that could lead to sensitive data exposure. Like other malware, including rootkit and worms, Trojans remain invisible and are able to initiate damage without detection by users or systems.

First computer worm

The first computer worm was designed and launched in 1988. Cornell University student Robert Morris visited the Massachusetts Institute of Technology (MIT) campus to test his experimental computer program. The design targeted a vulnerability Morris noticed in emails, which led him to develop a malicious program that self-replicates and self-propagates to spread and infect other systems. One vulnerability within the programming of the first designed computer worm resulted in a continuous replication, even within already infected computers. The final result crashed one-tenth of the internet and cost millions of dollars to fix.

Most famous computer worms 

From then on, the World Wide Web has encountered a long list of computer worms, some almost crashing the entire internet due to their fast-acting nature. Take Melissa, for example, a bait-and-switch style worm launched in 1999. Presenting itself as a link leading to free access of more than 80 pornographic websites, Melissa made its way into email inboxes, capable of mass mailing itself to lists of contacts without any human action. Just one year later, the ILOVEYOU computer worm infected more than 10 million computers before it was brought to a halt. It spread quickly via email with the subject: ILOVEYOU. Unsuspecting victims would often open the email, clicking on an attachment that activated the computer worm. From there, the same email and attachment would manually forward itself to all contacts within the user’s Windows address book.    

Advanced computer worms of the 2010s

Fast forward 10 years and cybersecurity teams came into acquaintance with the Stuxnet computer worm. Different from previously mentioned attacks, Stuxnet propagated from infected USB devices. Created in a collaborative effort between the U.S. and Israel to set back Iran’s Uranium Enrichment Program, the malicious software targeted automated machinery and industrial control systems (ICS) typically used in the manufacturing of nuclear weapons. In the end, 984 total centrifuges were destroyed and productions were set back almost two years. 

The Flame computer worm from 2012 is considered one of today's most sophisticated attacks. It spreads to systems through local-area networks (LANs), and once integrated into a system, can perform advanced espionage activities such as audio recording and keystroke logging. It can even take screenshots of activity. 

How does a computer worm work?

Computer worms are designed to exploit vulnerabilities. These weaknesses provide an entry point into operating systems when computer worms can begin self-replication and self-propagation. Without the need for any further action, these computer worms look for similar vulnerabilities in other systems, sending itself via email, text message, or even between operating systems.

Potential damages of a computer worm depend on the design

The damages a computer worm can cause depend on its design. Different types of computer worms target different vulnerabilities, created to infect as many computers and gather as much data as possible.

Email worms

Email worms present themselves as legitimate emails with malicious programs attached. Depending on the construction of the worm, it could send itself to all contacts within the victim’s mailing list, spreading when emails are opened and links are followed. For example, a cross-site scripting (XSS) attack sends malicious script on the browser side that causes corrupted HTTP requests. If applications are prone to XSS attacks, they could be at risk for an XSS worm, easily initiated by clicking a malicious link sent via email. If clicked, not only will the targeeds computer suffer but all contacts are exposed to the same attack as it replicates and propagates. XSS attacks have spiked due to increased use of JavaScript for development, due to its openness and scalability. Analysis of serious vulnerabilities by language showed that applications developed with Java has the largest risk overall—totaling 39%.

Bot worms

Bot worms are created to infect computers, converting them into zombie computers. Attackers can take control of these computers and use them to launch distributed denial-of-service (DDoS) attacks that overwhelm systems by flooding them with traffic. With the help of botnets, these DDoS attacks are far more aggressive and cause more damage than a human-executed attack could.  

Instant messaging attacks

Much like the email worm, this application attack is sent to devices from a known contact that has been infected. Instead of an email, targets receive a text message with an attachment or file that, when clicked, spreads to all listed contacts. A sophisticated attacker could exploit a vulnerable application, manipulating its payload to perform undesired executions. For example, SQL injection attack inserts malicious SQL statements that put back-end data at risk by opening up a portal of entry for a computer worm. In the last few months, 81% of applications saw an SQL injection attack, an application vulnerability that an advanced worm could exploit, destroying the application if left undetected.  

Identification of a worm

Because worms work by exploiting weaknesses, they can be difficult to detect—or worse, they can be detected too late. They are most often unnoticed until code injection is complete and has spread and damage has started. Likely reactions of computers once infected by a worm include slow startup, long loading times, or deleted or destroyed files. A computer worm could set off alerts to application security measures, making them a top priority to protect both systems and users. The best defense against a computer worm is prevention—a task that traditional security measures cannot do on their own. 

Penetration testing: pre-deployment

penetration test is a simulated cyberattack launched by security teams to uncover vulnerabilities. In an attempt to exploit these vulnerabilities, application security teams stage attacks to better understand their risks. Deploying a penetration test pre-deployment helps to point out weaknesses and fine-tune perimeter protection. While penetration testing does provide a better look at an application's defense line, it is both time-consuming and prone to false alarms. As penetration tests occur later in the software development life cycle, vulnerability management incurs much higher costs and time. Additionally, penetration tests require application security specialists—both to run the actual tests and then to interpret the findings. Due to the cybersecurity skills shortage, this is problematic for most organizations that struggle to find and retain the right skill sets. Finally, as penetration testing looks only at code, it struggles to detect vulnerabilities in application programming interfaces (APIs) that are on a dramatic rise.

Scanning for vulnerabilities: development and production

Scanning is another legacy line of defense used in application security testing (AST) to expose vulnerabilities. Static application security testing (SAST) analyzes every line of code, pointing out areas that are prone to attacks. This is generally done pre-deployment, leaving application security teams to guess how the application will behave at runtime. This results in a large number of false positives that can delay development cycles and increase inefficiencies. A downside to legacy SAST is its lack of visibility. With the use of open-source frameworks and libraries on the rise, SAST is no match for vulnerabilities within library code—leading to false negatives. Legacy SAST approaches, like penetration testing, also struggles to identify vulnerabilities in APIs.

Dynamic application security testing (DAST) analyzes code, but in its running state. Considering the results, ethical hackers will stage different types of attacks, including XSS and SQL injection, to test the strength of an application’s defenses. A downside of DAST comes from its lack of perceptibility in the internal frameworks of an application. It is highly sensitive when it comes to APIs and is known to produce alerts on probes. These probes only pose a threat if vulnerabilities create a path toward them, resulting in an unnecessary patch. Additionally, reliant on a signature scan engine, DAST tools miss true vulnerabilities (false negatives).

Application vulnerability vs. exploit—the need for continuous application protection

Both legacy SAST and DAST are great for pointing out vulnerabilities, but they are prone to both false negatives and false positives. They only offer a point-in-time look into applications and do not shift application security all of the way left in the software development life cycle (SDLC). Further, they cannot monitor continuously, leaving time for computer worms to enter if vulnerabilities are not patched before deployment. When cybersecurity teams are presented with all the potential vulnerabilities found during legacy vulnerability scanning, they must decide which deserve attention. The presence of so many false positives and false negatives makes their job more challenging, leaving teams to focus on those they believe pose the biggest risk. Plus, already pushed for faster deployment times, these inaccurate detections waste time and extend development cycles. Waiting to fix a vulnerability in production or even late in the stage of development is costly.   

Web application firewalls (WAFs) are inaccurate and cannot scale

Once an application is in production, application security does not get any better. https://www.contrastsecurity.com/knowledge-hub/glossary/web-application-firewall sit on the outside of the application and attempt to keep malicious programs from attacking the application's infrastructure. This decade-old approach uses signature-based engines that are inaccurate and produce large numbers of false positives. This is a problem with the typical application receiving an average of 13,279 attacks per month. In addition, reliant on signature engines, they are particularly vulnerable to unknown threats and zero-day attacks.

WAFs also require constant tuning and management to improve their accuracy. This wastes significant time for security operations (SecOps) teams that must triage and diagnose the piles of alerts generated by WAFs to determine which ones are true.

Security instrumentation is accurate and continuous

Instead of equipping applications with security and protection from the outside, organizations are taking the lead from security instrumentation and embedding sensors within software. Security instrumentation is always-on analysis that shifts left to the very beginning of development and right through production. Often coined interactive application security testing (IAST), security instrumentation empowers developers to analyze code while they ware writing it. It is highly accurate and produces a low rate of false positives and false negatives. Developers can produce applications with more confidence and keeping pace with the demands of modern software development.

Using instrumentation to extend security telemetry into production prevents attacks from exploiting vulnerabilities and provides an application with its own line of defense. Embedding security into an application’s runtime with runtime application self-protection (RASP), defense systems stand alongside vulnerabilities, continuously monitoring for attacks on them in real time and blocking the attack before the vulnerability can be exploited. RASP sensors recognize probes, can distinguish nonexploitable vulnerabilities, and increase visibility into application frameworks and libraries, which eliminates false alarms. Filling in all the gaps left by legacy application security measures, RASP is an aggressive approach that provides advanced solutions to modern-day attacks.

How to remove a computer worm

Worms work by exploiting vulnerabilities left unpatched by of out-of-date security software or systems. The resulting damage of a computer worm depends on the type and the amount of time it is left to replicate. Rapid replication within a system and instantaneous propagation make its removal a top priority when a system is infected. Once a worm is detected, the first thing users should do is disconnect from the internet to prevent spreading. Users also need to remove any storage devices that could have been infected by the malicious program. The next steps depend on the type of worm and the amount of damage caused. In extreme cases, systems must be completely reformatted while other cases could use the help of worm removal tools.

In the case of a computer worm, prevention is the best defense. This is especially true for those that are highly aggressive and programmed to propagate rapidly to other systems with similar exploitable vulnerabilities. Computer worms have evolved and become more aggressive since their first appearance back in 1988. The most well-known attacks resulted in millions (some even billions) of dollars to stop and remediate. Legacy application security that produces false alarms won’t cut it when it comes to aggressive malicious programs, perhaps catching them when it is far too late. Application security that rests within the software and continuously monitors for vulnerabilities in real time is the best method of prevention, providing both accurate and reliable self-defenses from the inside out.   

 

Learn More About Contrast Security