24 January 2008

Computer worms are more malicious

Speaking of malware (malicious software), the definition includes virus, worms, Trojans, spyware and deceitful adware and they are all simple ‘badware’. Today we focus on the malware called worms getting more malicious and see how they are on the rise in the world of mobile phones. Some you might have already wondered that if antivirus software can detect virus, then what detects worms.

Worms replicate
Computer Worms are self-reproducing programs that run independently (just like the biological worms) and travel across network connections. They do not need to stick to files or sectors to transfer their image and infect other media or machines. Worms can spread completely independent and so they are more challenging to locate and eradicate completely.
This challenge is tougher in a multi-user networked environment. In exchanging or copying files or images, the worms copy code from a floppy disk, CD-ROM or USB device and they may be execute without the user ’s knowledge or consent.

In these days of using USBs for a variety purposes from storing office files to personal emails and holiday photographs, we have exposed ourselves to worms and continue to spread them through systems where we have used these USB devices.

Name origin
Research scientists John Shock and Jon Hupp titled their paper on malicious software as ‘The Worm programs’ in 1982 but the word was first coined by John Brunner in his fiction novel ‘The Shockwave Rider’ where he described self-replicating software as worms.

First infection
As a matter of fact the scientist’s Shock-Hupp worm was intended to serve a useful purpose: identified idle CPU cycles on the XEROX-PARC network and assigned them to queued tasks, thereby improving overall system efficiency. But the original intent has deviated grossly in modern malicious worms.

The first Internet worm is the Morris worm which was authored by a 23yrs old Cornell University student Robert Tappan Morris in 1988. Around 6,000 major Unix machines were infected by the Morris worm costing damage of $10M–100M according to the US government.

The infamous Internet worm of 1988, copied itself across the internet, infecting every Sun-3 and VAX system with so many copies of itself that the systems were unusable. Eventually several sites disconnected themselves from the internet to avoid re-infection. The author Morris claims that he wrote the worm without malicious intent and designed it merely to propagate in an effort to gauge the size of the Internet as it existed in 1988.
Worms create vulnerability in your systems that can be exploited other malware. Some worms cause data loss just as the Windows ExploreZip worm and the Code Red worm which junked data in files when infecting the entire network.

The I Love You worm was first discovered in May 2000, with the simple subject of "ILOVEYOU" with an attachment ‘LOVE-LETTER-FOR-YOU.TXT.vbs’. Starting in Philippines this worm spread across the whole world in one day, infecting 10% of all computers connected to the Internet and causing about 5.5 billion dollars in damage. The worm overwrote important files, as well as music, multimedia and more, with a copy of itself. It also sent the worm to everyone on a user's email contact list. Since there were no Philippine laws against virus-writing at the time, on August 21, 2000, the prosecutors dropped all charges against the author who was again a university student.

Mail of worms
Email worms do spread via infected email messages but not necessarily need external attachments. Any embedded object or a link in an email may contain a link to an infected website. While receiving such email even a single click on the object or the link activated the worm which starts replicating. It is not always necessary that a file is to be attached to spread the worm infection. Worms are capable of even sending spurious emails and direct traffic to infected sites.

An infected user’s mail box can serve as worm distribution center because the worms can send spurious emails with dummy sender’s email addresses. In the interest of safety do not click or respond to unknown or suspicious emails. In the same way a local contact list of chat friends provided in some free email services may activate additional infections.

Internet infection
The Internet is a good source of information as well as infection of worms. These worms are more sophisticated to take inventory of the client’s network resources and spread the infection. Interesting there is no need of actual file transfer but a mere visit to the site can do the harm.
Another way is that the worms scan the Internet for machines still open for exploitation i.e. not patched. Data packets or requests will be send which install the worm or a worm downloader. If succeeded the worm will execute and there it goes again!

Malicious chats
The excitement at the chat rooms can have a price to pay if the exchanged links or files which lead to worm infected sources. No one can say for certain that a mere link can be harmful, but the fact a friend’s reference to a link makes anyone visit the site as a useful referral. But file exchange can be controlled to some extend as the recipient has to accept to receive the transferred file.

P2P infection
In a Peer-to-Peer environment, where users form a network through software like Kazaa and Limewire for sharing files, the worms sit as innocent code on the shared folder and are ready to replicate during downloads. The entire p2p network can get infected with no single source to identify and clean to begin with.

Mobile malware
The year 2006 was almost declared as the year of the mobile malware and the threat continues to grow in 2007 as well. According to McAfee, mobile malware is in the rising with 83 percent of mobile operators surveyed have been hit by mobile-device infections and that the number of security incidents in 2006 was more than five times as high as in 2005.

Attacks on the mobile phone are more financially rewarding may be because of the billing credit system they have unlike in the computers. Sometimes pranks can worse when mobile worms activate the microphones on an infected smart phone.

McAfee, also found that the time mobile operators spent in 2006 dealing with these threats has increased by 700 percent to 1,000 hours when compared with 2005. Approximately eighty-five percent of survey respondents plan to increase their mobile security budgets to address network intrusion, mobile viruses, denial-of-service attacks, spam and mobile phishing.

Wireless worm
The world’s first mobile wireless worm is Cabir. It replicates over Bluetooth connections, arriving in a phone messaging inbox as a file called ‘caribe.sis’ that contains the worm. When the user clicks the file and chooses to install the .sis file, the worm activates and starts looking for new devices to infect over Bluetooth.

If the worm is activated, it writes ‘Caribe’ on the screen, and will become active each time the phone is turned on. The infection spreads very quickly, usually before a user can disable Bluetooth from the system settings.
The greatest threats to mobile phones are in the seven areas namely text messages, contacts, video, phone transcriptions, call history, documentation and buffer overflows. Text messaging can be very deceptive and make people respond with messages or calls and this open the chances for phishing attacks.

Malware can read your contact, call history and misuse this information. Modern pocket pcs and smart phone have office applications like word, spread sheets, presentation, pdf, etc which are also vulnerable to infection just like in the pc environment. Plenty of protection can be taken by disabling the Bluetooth and wi-fi connections of the mobile phones when they are not in use. Use diligence in responding to suspicious emails or short messages. As additional precaution do not carry un-encrypted files relating to business in your mobile phones.

Words of caution
Worms spread by exploiting vulnerabilities in operating systems. Vendors normally supply regular security updates and if these are installed to a machine then the majority of worms are unable to infect it.

Users need to be wary of opening unexpected email, and should not run attached files or programs or visit web sites that are linked in such emails. Just like the case of I Love You worms, be aware of phishing attacks and do not respond. Just in case you are infected, isolate the media or the system and use verified cleaning tools from the Internet. The motto of this digital era seems to be ‘Be aware and beware’.