What is a computer worm? How this self-spreading malware wreaks havoc
- 06 August, 2019 20:00
A worm is a form of malware (malicious software) that operates as a self-contained application and can transfer and copy itself from computer to computer.
It's this ability to operate autonomously, without the need for a host file or to hijack code on the host computer, that distinguishes worms from other forms of malware.
As TechTarget puts it, "worms often use parts of an operating system that are automatic and invisible to the user," which can make them both very difficult to detect and particularly dangerous. They generally target pre-existing vulnerabilities in the operating system of the computers they attempt to infect. Many of the most widespread and destructive forms of malware have been worms.
Is a worm a virus?
Worm vs. virus — You'll often see word virus used in a generic sense to refer to any kind of malware, but that's strictly speaking not correct. A computer virus, like its biological counterpart, cannot reproduce or spread on its own accord; instead, it injects its malicious code into existing applications and uses their functionality in order to carry out its mission.
The name worm is meant to indicate that a computer worm is a step up on the ladder of life from a virus. Like a real-life worm, it may be a particularly small and gross life form in its ecosystem, but it contains within itself all the functionality it needs make copies of itself and move around the environment.
Worm vs. Trojan — A worm is also different from a Trojan, a third form of malware, which needs to trick users into launching an application in order to operate; once a worm has installed itself on your computer, it doesn't need your help to do what it plans to do.
These distinctions are important if you want to stay strictly correct, and we'll aim to use all three names correctly here and elsewhere on CSO. But be aware that many people use virus in an overly broad sense, and so you might see worms referred to as viruses, or even as "worm viruses." Remember: if it can reproduce and copy itself on its own, it's a worm.
How do worms work?
Computer worms make use of some of the deepest and most dangerous vulnerabilities in a victim's computer. Whereas a Trojan uses social engineering techniques trick you into activating it, and a virus exploits holes in application code to piggyback a ride, a worm finds seams in the computer's operating system that allow it to install and make copies of itself. In order to propagate itself further, it will then follow known holes in networking and file transfer protocols.
As How To Geek explains, this can be a double-edged sword for cybercriminals who want to use worms to do their dirty work. Because worms exploit vulnerabilities in a computer's operating system, a successful infection can offer unparalleled access to the compromised machine's inner workings. But because those vulnerabilities are so serious, they are often patched by operating system vendors fairly quickly, which means that a worm written to take advantage of them might have a relatively short lifespan of usefulness. Still, the sheer number of enterprises and individuals who fail to keep their OSes up to date usually provides a fertile ground for worms to do their work.
How do computer worms spread?
The NotPetya worm, which rampaged across computer systems around the world in 2017, offers a good case study of how worms spread. NotPetya got its first foothold in the world via a backdoor planted in M.E.Doc, a ubiquitous Ukrainian accounting software package; it's widely believed NotPetya was installed via this backdoor by state-sponsored hackers working for Russia as an attack on Ukraine.
But once NotPetya was installed on the computers of M.E.Doc users, it began, like all worms, to reproduce and seek out new victims on its own accord. Once installed on a computer, it took stock of all the other computers its victim had interacted with in the past and figured out how to connect. It spread from computer to computer within networks by taking advantage of EternalBlue and EternalRomance, two exploits developed by the NSA and later stolen by unknown hackers. EternalBlue and EternalRomance broke Microsoft networking security protocols, and while Microsoft had updated its OSes to patch the hole long before 2017, many systems had not been updated. To spread beyond the walls of individual corporate networks, NotPetya used Mimikatz, an exploit that extracts username/password pairs from parts of Windows' memory where they're supposed to be safely hidden.
What damage can a computer worm cause?
A worm may not do any damage at all: in the early days of computing, worms were sometimes designed as larks or proofs of concept to exploit security holes, and did nothing more to infected computers than reproduce themselves in the background. Often the only way to know anything had gone amiss came when the worm made too many copies of itself on a single system and slowed down its operations.
But as OS security improved and writing a worm that could crack it got harder and took more and more resources, worms became a means to an end. Today, worms almost inevitably include payloads — code that carries out some larger mission beyond the reproduction and propagation of the worm itself. For instance, the Mydoom worm, which spread across the internet in 2004, opened up a backdoor that its creators could use to seize control of the infected system. This is a common use for worms: they serve as the thin edge of the wedge that attackers use to gain total access to their victims' machines.
There are many types of computer worms that do all sorts of different kinds of damage to their victims. Some turn computers into "zombies" or "bots" that launch DDoS attacks; others scour their hosts for banking logins or other sensitive financial information; some encrypt the victim’s hard drive and demand a ransom in bitcoin from the user before it will restore their data to a usable state. (NotPetya presents itself as being a ransomware attack of this type, but while it encrypts files and demands payment, it actually has no capacity to decrypt data: it's essentially destroying your data while masquerading as a hostage taker.) In truth, though, these types of payloads aren't unique to worms and can be transmitted by any kind of malware. Petya, a predecessor to NotPetya, is a Trojan, not a worm.
Another way to categorize different types of worm is via their infection vector. These categories include email worms, IM and IRC worms, file-sharing worms, and internet worms that look for ways to spread by any means necessary.
How to remove a computer worm
Once a worm has installed itself on your computer, the process of removing it is similar to that of removing any other kind of malware — but that isn't easy. CSO has information on how to remove or otherwise recover from rootkits, ransomware, and cryptojacking. We also have a guide to auditing your Windows registry to figure out how to move forward.
If you're looking for tools for cleansing your system, Tech Radar has a good roundup of free offerings, which contains some familiar names from the antivirus world along with newcomers like Malwarebytes.
What was the first computer worm?
The first computer worm with a real-world impact was the Morris Worm, which is widely regarded as the first significant malware of any type. Unleashed in November of 1988, the worm was created by and named after Robert Morris — a graduate student at Cornell University at the time, but he launched it from servers at MIT, perhaps to cover his tracks or imply that he was associated with its prestigious computer science department.
Morris claims the worm was meant as an intellectual exercise, and as a way to highlight the Unix security flaws that it exploited; unfortunately, as written, the worm made multiple copies of itself on each machine that it infected, and all of that executing worm code ground many of them to a halt, which Morris says was not his intention. At the height of the infection wave, the Morris Worm was running on nearly 10 percent of all internet-enabled computers at the time. Morris ended up as the first person convicted under the 1986 Computer Fraud and Abuse Act, though he did community service and paid a fine rather than go to prison; somewhat ironically, he eventually became a tenured professor at MIT.
A short list of famous computer worms
Some of the most famous and high-profile malware attacks have been worms. We've already discussed Mydoom and NotPetya; others include:
- SQL Slammer, a tiny 376-byte worm that brought down most of the world's SQL servers;
- Blaster, a Windows worm that launched DDoS attacks against Microsoft's own servers and infected as many as two billion computers in 2003;
- Conficker, a 2008 worm that infected millions of computers and created vast botnets; and
- Stuxnet, a worm developed by US and Israeli intelligence in 2010 that targeted Iran's nuclear program and set it back years.
One thing some of the most famous worm attacks have in common is their almost shocking virulence and ability to spread. In fact, like the Morris Worm, many of the worms on this list far outpaced their creators' intentions or ability to control the situation. SQL Slammer was intended as a proof of concept by its creator. The Conficker worms creators never used the vast botnets they had created because the attack drew so much attention. Stuxnet was smuggled into Iran's Natanz research facility on a USB stick; because the lab was air gapped (not connected to the internet), the worm was never expected to see the light of day. NotPetya was probably created by Russia to wreak havoc in Ukraine, but spread throughout the world — including back to Russia. The truth is that many worms continue to reproduce on old and unpatched computers long after their creators had any use for them. All the more reason to keep your patches up to date.