It's time to reacquaint ourselves with this threat, and re-examine the ways in which IT managers can protect their applications against it.
Worms are self-replicating programs that infect files without human intervention. These programs are often designed to disrupt the operation of a specific server or client application, or to launch massive distributed denial of service (DDoS) attacks.
Over the past several years, worms disseminated over the Internet have wreaked havoc on corporate operations and revenue-generating applications around the world. These disruptions make headlines on a weekly basis.
Worms typically use several alternative entry points to penetrate networked applications. They either propagate through the organization's Internet gateway or they are carried into the organization by company employees who bring infected laptop computers into the office. Salespeople, who are frequently out of the office, are often the unwitting "zombie" carriers of worms.
Once the worm is inside the network, it is unimpeded and is able to spread quickly, replicating itself at an exponential rate. Corporate resources such as servers, firewalls, switches, routers, and even end stations become unavailable, and business grinds to a halt as the worms ultimately bring down critical applications.
Self-propagating worm -- A self-propagating worm typically uses a random IP address generation technique (e.g. network scanning) in order to locate a vulnerable host to infect. When a vulnerable host is identified, the worm immediately executes its code on this host, thereby infecting the vulnerable application with the worm's malicious code. At this point, both infected hosts initiate similar scanning techniques and infect other hosts. In this way, the worm propagates exponentially.
Other Propagation Methods -- In addition to programs that were designed to propagate themselves, worms are often spread via applications such as e-mail services, instant messaging and peer-to-peer applications. Since these services depend on human intervention, for example opening an e-mail attachment or clicking on a hyperlink, these worms usually spread more slowly.[1]
Another relatively new worm propagation technique, called the "Google worm," uses Google to search sites that include a certain server's application version that is known to be vulnerable to the worm's code. Using the search results, the worm automatically sends itself to these servers. In this way the worm doesn't need to identify if a server is vulnerable or not, but rather lets Google sort it out.
The following graph illustrates a typical worm's propagation phases:
[Figure: Worm Propagation Phases]
A worm's activities and impact can be mapped into three aggregative phases:
- Low-scale phase – In this phase the number of infected hosts is small, resulting in only low-rate, preliminary spreading activity. During this phase the major impact of the worm will be on the individual user (client), who will notice different types of disruptions depending on the worm's characteristics. The worm will consume the host's CPU and memory resources in order to continue spreading, and/or will later use the host as one of the zombies in a controlled DDoS attack.
- Mid-scale – In this phase the number of infected hosts is already large. During this phase the major impact of the worm will be on the servers. Public servers, such as Web, mail, and FTP, even if they are not vulnerable to the worm's code, are exposed to the rapid infection attempts that misuse their application resources.
- After the outbreak – This phase starts at the outbreak point. In this phase the number of infected hosts is huge. From this point forward, the major impact of the worm will be on the network's infrastructure. Corporate network components such as firewalls, switches, and routers become unavailable, and business grinds to a halt.
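The exponential spread described above can be made concrete with a small expected-value model of a random-scanning worm. This is an added example, not code or figures from the article: every infected host probes a fixed number of random addresses per tick, a probe that lands on an uninfected vulnerable host infects it, and the new victim scans from the next tick on. The address-space size, vulnerable population, scan rate and the phase cut-offs (1% and 50% of the vulnerable population) are assumptions chosen for the demo; the article gives no numbers.

```python
"""Expected-value model of a random-scanning worm and its three phases (added example)."""


def simulate_infections(address_space, vulnerable, scan_rate, initial=1, ticks=300):
    """Return the expected number of infected hosts after each tick.
    Each infected host probes `scan_rate` addresses per tick, chosen uniformly
    at random from `address_space`; a probe that reaches an uninfected
    vulnerable host infects it, and the new victim scans from the next tick."""
    infected = float(initial)
    history = [infected]
    for _ in range(ticks):
        probes = scan_rate * infected
        # Probability that one vulnerable, uninfected host receives >= 1 probe this tick.
        p_hit = 1.0 - (1.0 - 1.0 / address_space) ** probes
        infected = min(vulnerable, infected + (vulnerable - infected) * p_hit)
        history.append(infected)
    return history


# Phase boundaries as a fraction of the vulnerable population. The article gives
# no numeric thresholds; these cut-offs are an assumption for the demo.
PHASE_CUTOFFS = (("low-scale", 0.01), ("mid-scale", 0.50), ("after the outbreak", 1.01))


def phase_of(infected, vulnerable):
    share = infected / vulnerable
    for name, upper in PHASE_CUTOFFS:
        if share < upper:
            return name
    return PHASE_CUTOFFS[-1][0]


def phase_timeline(history, vulnerable):
    """Map each phase to the first tick at which the model entered it."""
    first_seen = {}
    for tick, infected in enumerate(history):
        first_seen.setdefault(phase_of(infected, vulnerable), tick)
    return first_seen


def early_growth_factor(history, tick=5):
    """Ratio I(t+1)/I(t) while the worm is small: about 1 + scan_rate * V / N."""
    return history[tick + 1] / history[tick]


def run_demo():
    # Assumed demo parameters: 1M addresses, 10k vulnerable hosts, 10 probes/tick/host.
    address_space, vulnerable, scan_rate = 1_000_000, 10_000, 10
    hist = simulate_infections(address_space, vulnerable, scan_rate)
    return hist, phase_timeline(hist, vulnerable), early_growth_factor(hist)


if __name__ == "__main__":
    hist, timeline, growth = run_demo()
    print(f"growth factor per tick while small: {growth:.3f} (1 + 10*10000/1e6 = 1.100)")
    for name, tick in timeline.items():
        print(f"{name:>20}: first entered at tick {tick}")
    print(f"infected after {len(hist) - 1} ticks: {hist[-1]:.0f} of 10000")
```

The point the model makes for a defender: while the infected count is small the growth factor per tick is constant (here roughly 1.1), so the low-scale phase is the only window in which per-host detection can stop the curve before it bends into the server- and infrastructure-saturating phases.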
Protecting your network and applications from worms is a great challenge, as evidenced by the questions below:
- How do you detect new and unknown worms? Increasingly, worms are spreading faster than security device vendors can "tag" them, so security products cannot always depend on predefined attack signatures as a detection technique. This is why most worms are defined as zero-day attacks.
- How do you block worms from propagating without obstructing legitimate traffic? Because worms are often disguised well enough to appear as normal application traffic, this is no easy task. If you set protection levels too high, legitimate traffic will be blocked, to the consternation of end users and network administrators. If you set the protection too low, worms will continue to spread.
Another worm detection technology is the signature-based engine usually employed by Network Intrusion Prevention Systems. A signature-based detection engine matches the contents of an individual packet, or of a few consecutive packets, against a predefined set of known attack "fingerprints," in a manner similar to that employed by anti-virus products. In this case, the attack signatures need to include the most up-to-date worm fingerprints. For signature-based detection and manual or active patching to perform properly (without excessive false positives and missed detections), these technologies must be continuously updated with the most recent attack signatures and with current operating-system and application vulnerability information.
As mentioned before, worms usually spread faster than security device vendors can "tag" them (i.e., create a signature of the worm); therefore, reactive methods and signature-based technologies provide only a partial solution.
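The phrase "individual or a few consecutive packets" hides a practical detail worth seeing in code: a fingerprint that straddles a packet boundary is invisible to an engine that inspects packets one at a time. The following added example (not code from the article or from any IPS vendor) contrasts a per-packet matcher with a stream-aware one that carries over the last few bytes of the previous packet. The signature byte strings and the packet payloads are constructed placeholders, not fingerprints of any real worm.

```python
"""Signature matching: per-packet vs. across consecutive packets (added example)."""

# Constructed demo fingerprints; placeholders, not fingerprints of any real worm.
SIGNATURES = {
    "demo-sig-A": b"DEMO-WORM-PROBE-A",
    "demo-sig-B": b"DEMO-WORM-PROBE-B",
}


def match_per_packet(packets, signatures=SIGNATURES):
    """Naive engine: each packet is inspected on its own. A fingerprint split
    across a packet boundary is never seen whole and is missed."""
    hits = []
    for idx, payload in enumerate(packets):
        for name, sig in signatures.items():
            if sig in payload:
                hits.append((name, idx))
    return hits


def match_stream(packets, signatures=SIGNATURES):
    """Stream-aware engine: keep the last (longest signature - 1) bytes of the
    previous packet so a fingerprint crossing a boundary is still matched.
    Per-flow state stays bounded by the longest signature, not by the flow."""
    carry_len = max(len(s) for s in signatures.values()) - 1
    carry = b""
    hits = []
    for idx, payload in enumerate(packets):
        window = carry + payload
        for name, sig in signatures.items():
            # Only accept a match that ends inside the current packet; anything
            # that lies wholly inside the carry-over was already reported.
            start = max(0, len(carry) - len(sig) + 1)
            if window.find(sig, start) != -1:
                hits.append((name, idx))
        carry = window[-carry_len:] if carry_len > 0 else b""
    return hits


def constructed_packets():
    """Constructed payloads of one flow, split the way a sender might segment them."""
    sig_a = SIGNATURES["demo-sig-A"]
    sig_b = SIGNATURES["demo-sig-B"]
    return [
        b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n",
        b"X-Data: " + sig_a[:7],          # signature A starts here ...
        sig_a[7:] + b"\r\n",              # ... and finishes in the next packet
        b"Body: " + sig_b + b"\r\n\r\n",  # signature B sits whole inside one packet
    ]


if __name__ == "__main__":
    pkts = constructed_packets()
    print("per-packet engine:", match_per_packet(pkts))   # finds only demo-sig-B
    print("stream engine:    ", match_stream(pkts))       # finds both
```

Each hit is reported as (signature name, index of the packet in which the match completed), which is the information a NIPS needs to log or drop the right segment. The per-packet engine silently misses demo-sig-A, which is exactly the kind of gap an attacker-controlled sender can create by choosing where to segment, so reassembly depth is a configuration item worth checking on any signature-based device.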
To complete the prevention solution for worms, a proactive technology should also be used. Proactive technologies include behavioral analysis techniques that can detect abnormal traffic activities. In the case of self-propagating worms, the proactive technology will statistically learn the normal behavior of users and applications in the network. Typical behavioral parameters can be, for example, the number of e-mail recipients that the user usually includes in an e-mail, the number of connections that each user establishes in a time frame, the type of applications that the user usually uses, hosts that the user usually tries to connect to, etc.
The behavioral analysis techniques are responsible for detecting deviations from the learned normal baselines and accurately characterizing the abnormal traffic, i.e., the worm's spreading pattern. If the characterization is accurate, the corresponding prevention measures can target the worm's spreading behavior precisely, without interfering with legitimate network traffic.
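The two preceding paragraphs describe a baseline-and-deviation detector in prose; the following added example (not code from the article or from Radware) implements one over constructed connection records using two of the behavioral parameters the text names, connections per time frame and distinct destinations per time frame. A per-host baseline (mean and standard deviation per minute) is learned from a quiet period; a minute is flagged when either feature exceeds mean + k*sigma. The host names, addresses, ports, the k=3 threshold and the sigma floor are assumptions for the demo. The example also covers two edge cases the text implies: a host with a perfectly regular baseline (sigma 0) is not flagged by one extra connection, and a host never seen during learning (the infected laptop carried in from outside) is judged against the population-wide profile rather than ignored.

```python
"""Behavioral baseline learning and deviation detection over flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    minute: int   # timestamp bucketed to a one-minute window
    src: str      # internal host that opened the connection
    dst: str      # destination host or address
    dport: int    # destination port


@dataclass(frozen=True)
class Baseline:
    mean_conn: float   # mean new connections per minute
    std_conn: float
    mean_dst: float    # mean distinct destinations per minute
    std_dst: float


def per_minute_features(flows, minutes):
    """{src: [(connections, distinct destinations) for each minute in `minutes`]}.
    Silent minutes count as (0, 0) so the profile reflects the whole window."""
    buckets = defaultdict(lambda: defaultdict(list))
    for f in flows:
        buckets[f.src][f.minute].append(f.dst)
    return {src: [(len(by_min.get(m, [])), len(set(by_min.get(m, [])))) for m in minutes]
            for src, by_min in buckets.items()}


def learn_baseline(flows, minutes):
    baseline = {}
    for src, rows in per_minute_features(flows, minutes).items():
        conns = [c for c, _ in rows]
        dsts = [d for _, d in rows]
        baseline[src] = Baseline(statistics.mean(conns), statistics.pstdev(conns),
                                 statistics.mean(dsts), statistics.pstdev(dsts))
    return baseline


def population_baseline(baseline):
    """Fallback profile for hosts never seen during learning: the average of all learned profiles."""
    return Baseline(statistics.mean(b.mean_conn for b in baseline.values()),
                    statistics.mean(b.std_conn for b in baseline.values()),
                    statistics.mean(b.mean_dst for b in baseline.values()),
                    statistics.mean(b.std_dst for b in baseline.values()))


def detect_deviations(flows, baseline, minutes, k=3.0, min_sigma=1.0):
    """Return (src, minute, reason) for minutes whose connection rate or destination
    fan-out exceeds mean + k*sigma. `min_sigma` floors sigma so a host with a
    perfectly regular baseline is not flagged by a single extra connection."""
    fallback = population_baseline(baseline)
    alerts = []
    for src, rows in per_minute_features(flows, minutes).items():
        b = baseline.get(src, fallback)
        conn_limit = b.mean_conn + k * max(b.std_conn, min_sigma)
        dst_limit = b.mean_dst + k * max(b.std_dst, min_sigma)
        for m, (conns, dsts) in zip(minutes, rows):
            reasons = []
            if conns > conn_limit:
                reasons.append(f"connections {conns} > {conn_limit:.1f}")
            if dsts > dst_limit:
                reasons.append(f"distinct destinations {dsts} > {dst_limit:.1f}")
            if reasons:
                alerts.append((src, m, "; ".join(reasons)))
    return alerts


LEARN_MINUTES = range(0, 60)      # constructed quiet learning window
DETECT_MINUTES = range(100, 101)  # constructed minute under inspection


def constructed_learning_flows():
    """Constructed normal traffic: two workstations talking to a few internal servers."""
    flows = []
    for m in LEARN_MINUTES:
        flows += [Flow(m, "ws1", "mail", 25), Flow(m, "ws1", "web", 80)]
        if m % 3 == 0:
            flows.append(Flow(m, "ws1", "file", 445))
        flows.append(Flow(m, "ws2", "mail", 25))
        if m % 2 == 0:
            flows.append(Flow(m, "ws2", "web", 80))
    return flows


def constructed_detection_flows():
    """Constructed minute: ws1 behaves normally, ws2 fans out to 40 hosts on one
    port, and laptop7 (never profiled) fans out to 25 hosts."""
    flows = [Flow(100, "ws1", "mail", 25), Flow(100, "ws1", "web", 80), Flow(100, "ws1", "file", 445)]
    flows += [Flow(100, "ws2", f"10.0.5.{i}", 445) for i in range(1, 41)]
    flows += [Flow(100, "laptop7", f"10.0.6.{i}", 445) for i in range(1, 26)]
    flows.append(Flow(100, "laptop7", "mail", 25))
    return flows


def run_demo():
    baseline = learn_baseline(constructed_learning_flows(), LEARN_MINUTES)
    alerts = detect_deviations(constructed_detection_flows(), baseline, DETECT_MINUTES)
    return sorted({src for src, _, _ in alerts})


if __name__ == "__main__":
    for alert in detect_deviations(constructed_detection_flows(),
                                   learn_baseline(constructed_learning_flows(), LEARN_MINUTES),
                                   DETECT_MINUTES):
        print(alert)
```

The alert carries the feature that tripped (rate versus fan-out), which is what allows the "accurate characterization" the text asks for: a rate-only spike on a known server is a different response case from a workstation suddenly reaching dozens of new addresses on a single port, and a prevention measure keyed to the latter leaves the former alone.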
One technology alone cannot quash today's worms. In order to have an effective containment of worms, multiple technologies should be involved. These include proactive/behavior-based, reactive and signature-based technologies.
The proactive technology should mitigate the impact the worm has on the applications and network, granting the system administrator more time to update his attack signature databases. This additional time will also allow for reactive procedures that can contain all of the infected hosts through system upgrades and patches.
[1] It should be noted that some security experts define a worm as self-replicating malicious code, and define a virus as malicious code that is disseminated via human interaction.
About the author: Amir Peles is chief technical officer at Radware.
This was first published in June 2006