
Worms, Viruses, and Trojan Horses

A virus is malicious code that attaches itself to another program and executes an unwanted function on a user workstation when that program runs. A virus propagates by infecting other programs on the same computer. The damage can be serious, such as erasing files or wiping an entire disk, or it can be a simple annoyance, such as popping up a window that says:

"Ha ha you are infected!"

A true virus cannot spread to a new computer without human assistance, such as a user carrying an infected file on a floppy disc, opening an e-mail attachment, or sharing files.

A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, and from there it infects other hosts. Like a virus, a worm is a self-propagating program. Unlike a virus, a worm spreads automatically over the network from one computer to the next without any user action. Worms are not clever or evil in themselves; they simply take advantage of network-reachable services, such as the automatic file sending and receiving features found on many computers.

Trojan horse is a general term for a program that appears desirable but actually contains something harmful. For example, a downloaded game could erase files. The harmful content may itself be a virus or a worm.

A single piece of malicious code can act on all three levels at once, and the Love Bug (ILOVEYOU, May 2000) is the classic example. It was a Trojan horse because it arrived as an e-mail attachment that pretended to be a love letter while actually carrying a harmful script.

It was a virus because it overwrote image and script files on the attacked disk with copies of itself, turning them into new Trojans. Finally, it was a worm because it propagated itself over the Internet by mailing those Trojan horses to every address in the victim's e-mail address book.

Virus and Trojan horse attacks can be contained through the effective use of antivirus software on user workstations and, where possible, at the network level (for example on mail gateways). Antivirus software detects most known viruses and many Trojan horse applications and stops them from spreading through the network, but it can only recognise what its signatures describe. As new viruses and Trojan horses are released, enterprises must therefore keep antivirus signatures and application versions up to date; following the latest developments in these kinds of attacks also leads to a more effective posture against them.

The anatomy of a worm attack is as follows:

The enabling vulnerability: The worm exploits a vulnerability (or a weak configuration) to install itself on the target system.

Propagation mechanism: After gaining access to a device, the worm replicates itself and selects new targets, typically by scanning for other hosts that expose the same vulnerable service.

Payload: Once the device is infected, the attacker has code execution on the host, usually with the privileges of the exploited service or user. Where that is not already an administrative account, the attacker may use a local exploit to escalate to administrator. The payload is whatever the worm then does with that access, which ranges from nothing beyond further spreading to installing a backdoor or destroying data.

Typically, worms are self-contained programs that attack a system and try to exploit vulnerabilities in the target. Upon successful exploitation, the worm copies itself from the attacking host to the newly exploited system, which then begins the cycle again.

A virus normally requires a carrier to move its code from one system to another. The vector can be a word-processing document (a macro virus), an e-mail message, or an executable program.

The key element that distinguishes a computer worm from a computer virus is that human interaction is required to spread a virus, whereas a worm spreads on its own.

Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.

The following are the recommended steps for worm attack mitigation:

Containment: Limit the spread of the worm into and within your network. Compartmentalize the parts of your network that have not been infected, for example with access control lists at segment boundaries that block the port the worm uses.

Inoculation: Start patching all systems and, if possible, scan for vulnerable systems so that unpatched hosts are found before the worm finds them.

Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.

Treatment: Clean and patch each infected system. Some worms may require a complete reinstallation of the core system from known-good media to clean it.
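The quarantine step depends on finding the infected machines quickly, and one practical signal is the fan-out a worm produces while it looks for new targets: a single source touching many distinct destinations on the same service port in a short time, which ordinary client traffic (a few servers contacted repeatedly) does not do. The following Python is added here as an illustration and is not part of the original material. It runs that check over a few constructed firewall log lines; the key=value log format, the 10.0.0.0/8 addresses, the 60-second sliding window and the threshold of 20 destinations are all assumptions chosen for the example.

```python
"""Flag hosts whose connection pattern looks like worm propagation.

A worm hunting for victims contacts many distinct hosts on the same port in
a short time. Counting distinct destinations per (source, port) inside a
sliding time window separates that fan-out from ordinary client traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real traffic). Assumed format:
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>
# 10.0.5.23 sweeps TCP/445 across 10.0.7.100-129; 10.0.5.40 is a normal client
# talking to one file server; 10.0.7.110, hit by the sweep, starts its own
# sweep of 10.0.8.0/24 a minute later.
SAMPLE_LOG = "\n".join(
    [f"2004-05-01T10:00:{i:02d} src=10.0.5.23 dst=10.0.7.{100 + i} dport=445 proto=tcp action=allow"
     for i in range(30)]
    + [f"2004-05-01T10:00:{i:02d} src=10.0.5.40 dst=10.0.7.5 dport=445 proto=tcp action=allow"
       for i in range(30)]
    + [f"2004-05-01T10:01:{i:02d} src=10.0.7.110 dst=10.0.8.{1 + i} dport=445 proto=tcp action=allow"
       for i in range(25)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples sorted by time.

    Denied connections are kept on purpose: a worm probing a blocked port is
    still a worm. Lines that do not match the assumed format are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    events.sort(key=lambda e: e[0])
    return events


def detect_fanout(events, window_seconds=60, threshold=20):
    """Return {(src, dport): time_first_flagged} for every source that reached
    at least `threshold` distinct destinations on one port within any
    `window_seconds` span. The window slides over each key's events in order."""
    per_key = defaultdict(list)
    for ts, src, dst, dport in events:
        per_key[(src, dport)].append((ts, dst))

    flagged = {}
    for key, hits in per_key.items():
        window = deque()               # (ts, dst) pairs inside the current window
        in_window = defaultdict(int)   # dst -> hits still inside the window
        for ts, dst in hits:
            window.append((ts, dst))
            in_window[dst] += 1
            # Expire hits older than the window relative to the newest event.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            if len(in_window) >= threshold:
                flagged[key] = ts      # first moment the fan-out crossed the line
                break
    return flagged


def quarantine_list(events, window_seconds=60, threshold=20):
    """Hosts to pull off the network as (time_flagged, src, dport), earliest first.

    The earliest entry is the best candidate for where the worm entered the
    monitored segment, which is the starting point for traceback.
    """
    flagged = detect_fanout(events, window_seconds, threshold)
    first = {}
    for (src, dport), ts in flagged.items():
        if src not in first or ts < first[src][0]:
            first[src] = (ts, dport)
    return sorted((ts, src, dport) for src, (ts, dport) in first.items())


if __name__ == "__main__":
    for ts, src, dport in quarantine_list(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  quarantine {src}  (fan-out on port {dport})")
```

On the sample data the sweeping host is flagged at the twentieth distinct destination and the secondary victim a minute later, while the ordinary client is never listed. Lowering the threshold or lengthening the window trades false positives for earlier detection; network management stations, backup servers and vulnerability scanners legitimately fan out in exactly this way, so exempt those hosts before acting on the list.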

Typical incident response methodologies can be subdivided into six major categories. The following categories are based on the network service provider security (NSP-SEC) incident response methodology:

Preparation: Acquire the resources to respond.

Identification: Identify the worm.

Classification: Classify the type of worm.

Traceback: Trace the worm back to its origin.

Reaction: Isolate and repair the affected systems.

Post mortem: Document and analyze the process used for the future.

- CITC - NTS Support Centre
