What is a worm?

Is a worm a virus?

No. A worm is not a virus, although like a virus, it can severely disrupt IT operations and cause data loss. A worm is actually much more serious than a virus because once it infects a vulnerable machine, it can “self-replicate” and spread automatically across multiple devices.

How do worms infect computers?

Software vulnerabilities provide a path for worms to infect machines. Spam email or instant message (IM) attachments are also a delivery method. The messages use social engineering to get users to think the malicious files are safe to open. Removable drives, like USB drives, can also deliver worms.

How do worms spread?

Worms self-replicate automatically. They spread by using automatic file sending and receiving features that have been enabled, intentionally or not, on network computers. Once a worm has infected a computer, it installs itself in the device’s memory and can then transfer itself to other machines.

Steps of a worm attack

The 3 stages of a worm attack

Step 1: Enabling vulnerability

The initial phase of a worm attack occurs when the worm is first installed on a vulnerable machine. The worm may have been transmitted through a software vulnerability. Or, it may have arrived through a malicious email or IM attachment or a compromised removable drive.

Step 2: Automatic replication

Once a worm is installed on a vulnerable device or system, it begins to self-replicate automatically. Through propagation, the worm makes its way to other new targets in the network—consuming bandwidth and hard-drive space and undermining device and system performance as it spreads.

Step 3: Payload delivery

In the last stage of a worm attack, the malicious actor behind the campaign tries to increase their level of access to the targeted system. Over time, they could gain access rights equivalent to those of a system administrator. From there, the adversary can cause significant damage, including data theft, and potentially gain access to multiple systems.

Repeating the process

Once a worm has propogated throughout a device or system, it continues to spread automatically, using vulnerabilities in other systems attached to the system initially targeted. This is how malicious actors gain access to multiple systems. Some cyber criminals will even go on to use these systems in a botnet—a network of infected computers that can send spam, steal data, and more.

Steps to worm mitigation

4 steps to respond to a worm attack

Step 1: Containment

The first step in mitigating a worm attack is to move swiftly to contain the spread of the worm and determine which machines are infected, and whether these devices are patched or unpatched. Infected machines must be isolated from machines that are not yet infected.

Step 2: Inoculation

Once it is clear which parts of the network the worm has infected, and those parts have been contained, other vulnerable systems must be scanned and patched. Patching the vulnerabilities the worm is using to spread will help contain the attack.

Step 3: Quarantine

In this third step of worm mitigation, infected machines are isolated and then disconnected and removed from the network. If removal is not possible, then the infected machines need to be blocked from connecting to and accessing the network.

Step 4: Treat

This last step in the worm mitigation process involves remediating from the attack as well as addressing any other necessary patching of machines and systems. Depending on the severity of the attack, infected systems may need to be reinstalled entirely to ensure a thorough cleanup from the event.

Reaction time is critical, so have a plan

Containing worm attacks requires coordination among everyone responsible for network management. Without a coordinated response, mitigating worm attacks can be even more challenging—if not impossible. Even very small small IT teams should have a clear, systematic plan in place for mitigating worm attacks.

Types of response methodologies

Helpful practices: 6 response methodologies

Preparation

Businesses of all sizes should be prepared to respond to a worm attack. According to Cisco network consulting engineers, preparation includes taking inventory of all primary business and IT resources as well as determining who will authorize business decisions throughout an incident.

Preparation for a worm attack also includes establishing open lines of communication and compiling a list of key contacts. It is also important to maintain updated contact details for relevant ISPs (Internet service providers).

Another strategy for worm attack preparation is to collect links to Internet sites that provide current, reliable details of security threats and Internet worm activity. Some examples of these sites are www.dshield.org and www.securityfocus.com, which manages the Bugtraq electronic mailing list.

Identification and Classification

Identification is about confirming that the incident is, in fact, a worm attack. And classification involves categorizing the worm—for example, is the worm an Internet worm or an email worm?

Traceback

This refers to a type of reverse engineering process for tracing the source of the worm.

Reaction

Reacting to a worm attack involves isolating and repairing targeted systems.

Post-mortem

After a worm attack, the entire process used to respond to and recover from the event should be documented and analyzed.

This exercise is about more than preparing to respond effectively to future attacks. It’s also about determining what can be done to avoid another attack. For example, if the worm penetrated a network, what vulnerability did it use to obtain access and has that vulnerability been fully addressed?

The worm attack post-mortem is a step that is frequently forgotten or overlooked. But it is critical to both preventing exposure to and defending effectively against future worm attacks, making it well worth the time and effort.