Skip the navigation

Anatomy of a worm

By Jose Nazario, Arbor Networks
September 15, 2004 12:00 PM ET

Computerworld - The economic impact of Internet worm attacks is staggering, with analysts reporting that the Bagle, Netsky and Mydoom worms combined caused several billion dollars in damage from lost productivity, business disruption, bandwidth consumption and manpower costs. While there were many worms in the past 18 months, there were only a few devastating ones, giving companies a somewhat false sense of comfort.
Now imagine a world where worm attacks frequently occur because hackers and rogue developers have access to "worm kits" or development tools that provide the basic building blocks for rapid worm development.
Historically, worms were basic clones of one another that didn't change after their original development. Simple mechanisms were used to propagate them, such as mass-mailing worms using a single subject line.
Today's worms are more sophisticated. They have the ability to mutate after development based on knowledge of how to thwart new security processes. For instance, an early worm, Code Red, attacked only Internet Information Server servers. The Nimda worm, which came later, expanded to include at least three additional attack methodologies: mail-based attacks, file-sharing-based attacks, and attacks against the Internet Explorer Web browser.
Worms become easier to create
The potential for this worm-a-day nightmare comes from several factors: the dozens of vulnerabilities that are ready to be exploited, the availability of worm source code, recycled exploits and the ease of editing existing worms.
Before a worm can be developed, a network vulnerability has to be identified. Recent research from Arbor Networks on the transition from vulnerability disclosure to worm release shows that there are dozens of vulnerabilities ready to be used as the propagation vector in Internet worms. However, only a handful are developed into worms every year, resulting in a large number of untapped vulnerabilities that attackers could use to spread their worms in the future.
All these vulnerabilities might not be a big deal if worms weren't getting so much easier to build. With available source code, worm authors can expand on these tools or recycle methods seen in successful worms. These code bases provide an excellent starting point for an aspiring worm author and drastically reduce development time.
Examples of techniques and resources hackers are using to expedite worm development include the following:

  • Agobot source code is available on the Internet. Mydoom had its source code distributed by a follow-up worm, and the Bagle and Netsky worms shared source code.

  • Opening a command shell on a network port and other widespread vulnerabilities can be used to download the executable file during propagation.

  • Re-releasing worms is becoming more common as hackers capture a spreading worm and modify it using a hex editor, usually to distribute a new payload.

  • By being able to recycle routines, techniques and code from previous worms, a worm author has less to develop and test and can reuse methods that have already proved successful.

All