October 2024

Worms and how they propagate

It's Monday again, and as the events of the weekend fade into the background you grab a cup of your morning caffeine fix and fire up your workstation. The boot process finishes, and you see a security alert: A system has been infected with malware.

As you start to investigate, another alert hits, and another. What started as a single incident of malware on a system has spread through the network and hit a large number of systems. Your network has fallen victim to a worm — a type of malware that propagates across networks and can wreak havoc on local networks and across the internet.

A short history of worms

Worms exploit the connected nature of networks that makes the internet possible, sometimes to disastrous effect. They also came about not long after what eventually became the internet was established, maturing along with it.

In 1971, the first known malware was written, called Creeper. It was a worm that moved through ARPANET simply outputting the message "I'M THE CREEPER : CATCH ME IF YOU CAN." While it didn't have a significant impact, it did result in the first antimalware software, which was written specifically to catch it.

The Morris Worm, written in 1988, had far more impact and even resulted in a felony conviction for its author. Propagating through a sendmail bug, a buffer overflow in the finger utility and weak passwords on shell accounts, the Morris Worm managed to rapidly infect over 2,000 computers (not an insignificant number given how few computers there were at the time). Further, because it did not check whether an instance of itself was already running on a computer, it reinfected many computers and rendered them unusable through an unintentional denial of service.

How worms propagate

A worm is a type of malware that copies itself to other devices using network protocols; the term describes a propagation method rather than a payload. A worm might propagate via email by sending itself to every contact it finds on the infected system, or it might exploit a flaw in a networking protocol, as WannaCry did.

By propagating automatically, a worm can maximize the number of systems infected with less work on the part of the attacker. While the first worms simply aimed to infect systems, the age of malware as an experiment is long over, and today's worms have a purpose as well. This might be to create a backdoor on the system that the attacker can use later, to steal information, to act as a bot polling a command-and-control server for commands, or to download an additional payload once a system has been infected.

Given the rapid propagation of most worms, they tend to be higher profile as security professionals aim to stop the spread and protect systems from becoming infected. Worms can occasionally fly under the radar for some time, however, as was the case with Mirai.

Mirai: A modern example

Mirai was a botnet that mainly targeted routers, as well as some internet-of-things (IoT) devices such as smart home systems. It scanned and targeted devices with a particular processor running a reduced version of Linux, which is very common on routers and IoT technologies, and then gained access using default credentials, which unfortunately are often not changed by the user on setup or in some cases are hard-coded by developers. Once access was gained, the device was infected with Mirai to become part of the botnet and continue the search for new devices while awaiting commands from the command-and-control infrastructure.

Mirai broke its stealth when its operators decided to launch a distributed denial of service (DDoS) attack using the botnet against Dyn, a DNS provider. Proving the "person wearing a hoodie in a dark room" hacker trope wrong, Mirai was actually written by college students who were aiming to increase interest in their DDoS protection business by DDoSing their intended customers, namely Minecraft server providers.

After discovering that Dyn was providing DNS services for these "customers," the authors decided it would be more effective to target Dyn rather than individual providers. However, they did not account for Dyn providing DNS services to a significant percentage of the rest of the internet, and they managed to cripple access to many major sites on the internet in the process, effectively going down in infamy for what was originally intended to be shady business marketing practices.
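The propagation behaviour described above, whether WannaCry-style exploitation of a network service or Mirai's sweep for devices with default credentials, leaves the same shape in network logs: one source contacting many distinct destinations on the same service port in a short time. The following detector is an added example and not code from the original article or from Barracuda; the connection-log format, the addresses, the thresholds and the allowlisted monitoring host are all constructed assumptions for the sake of the example.

```python
"""Flag worm-like fan-out in connection logs (constructed example).

A propagating worm contacts many *distinct* destinations on the same
service port in a short time. This script parses a simple, constructed
key=value connection-log format and reports (source, port) pairs whose
distinct-destination count inside a sliding time window reaches a
threshold. Format, addresses and thresholds are assumptions, not the
output of any real product.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_fanout(lines, threshold=5, window=timedelta(minutes=1), allowlist=frozenset()):
    """Return {(src, dport): peak_distinct_dsts} for every pair that reached
    `threshold` distinct destinations within any span of length `window`.

    Sources in `allowlist` (a monitoring server or vulnerability scanner that
    legitimately talks to everything) are skipped to suppress known false
    positives; they should be reviewed on their own, not ignored.
    """
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] in allowlist:
            continue
        events[(ev["src"], ev["dport"])].append((ev["ts"], ev["dst"]))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        in_window = Counter()  # dst -> occurrences currently inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Advance the left edge until the window is no wider than `window`.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


# Constructed sample log: ordinary traffic, two sweeps, a noisy monitor and a slow trickle.
SAMPLE_LOG = [
    "2024-10-07T08:00:01 src=10.0.0.5 dst=10.0.0.100 dport=443 action=allow",
    "2024-10-07T08:00:05 src=10.0.0.5 dst=10.0.0.101 dport=443 action=allow",
    "2024-10-07T08:00:09 src=10.0.0.5 dst=10.0.0.102 dport=445 action=allow",
    # Eight neighbours probed on one service port within 30 seconds.
    *[f"2024-10-07T08:01:{i:02d} src=10.0.0.23 dst=10.0.0.{40 + i} dport=445 action={'allow' if i % 2 else 'deny'}"
      for i in range(8)],
    # Telnet probing across an IoT segment: six devices inside one minute.
    *[f"2024-10-07T08:02:{10 * i:02d} src=192.168.1.40 dst=192.168.1.{10 + i} dport=23 action=allow"
      for i in range(6)],
    # Monitoring server polling SNMP on ten hosts: fan-out that is expected.
    *[f"2024-10-07T08:03:{i:02d} src=10.0.0.250 dst=10.0.0.{60 + i} dport=161 action=allow"
      for i in range(10)],
    # Eight distinct SSH destinations spread one minute apart: never five in a window.
    *[f"2024-10-07T08:{10 + i:02d}:00 src=10.0.0.77 dst=10.0.0.{80 + i} dport=22 action=allow"
      for i in range(8)],
]


def run_sample():
    """Run the detector over the constructed log with the monitoring host allowlisted."""
    return detect_fanout(SAMPLE_LOG, threshold=5, allowlist={"10.0.0.250"})


if __name__ == "__main__":
    for (src, dport), peak in sorted(run_sample().items()):
        print(f"fan-out: {src} reached {peak} distinct hosts on port {dport} within one minute")
```

Two design points matter in practice. The sliding window is what separates a sweep from slow, legitimate background traffic: the SSH host in the sample touches eight machines but never more than two inside any one-minute span, so it stays quiet. The allowlist exists because monitoring and scanning infrastructure produces exactly this pattern; run `detect_fanout(SAMPLE_LOG)` without it and the SNMP poller is flagged alongside the two sweeps, which is a useful check that the detector fires on the shape of the traffic and not on the port number.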

Stuxnet: A worm designed for stealth

While infecting devices that typically had no malware protections in place allowed Mirai to stay out of news headlines for a while, Stuxnet included a worm component that was aimed at stealth. Stuxnet is believed to have been developed jointly by U.S. and Israeli intelligence agencies. It used stealth as well as four separate zero-day exploits to spread because its objective was singular and very specific — to infect SCADA systems that were part of Iran's nuclear program and destroy the centrifuges being used to enrich uranium into weapons-grade material.

While Stuxnet spread to many devices and SCADA systems, it was carefully crafted to only damage the specific systems being used by the nuclear program. It was successful and made its own news headlines as a result; however, Stuxnet also had unintended fallout as parts of the code and the exploits were used by cybercriminals for years afterwards.

Like Mirai, Stuxnet shows that worms can occasionally remain relatively stealthy until damage is done, and the objective and impact are far more newsworthy than the actual spread. This makes worms that do manage a degree of stealth quite dangerous, as they have the time to spread to more machines, and ultimately the number of systems a worm can infect is its most dangerous attribute.

By Jonathan Tanner

This article originally appeared on Journey Notes, the Barracuda blog.
