The Making of Malware

By Ashton Mills
14:08 Oct 13, 2006
Tags: worm | virus | trojan | adware | malware
We dissect what makes up a worm. They're arguably more evil than viruses or trojans.

It’s a fitting title for computer viruses to be named after their real-world counterparts. For the most part, viruses on computers have similar intentions and infiltrate by similarly obtuse means. By definition viruses infect programs and partitions, but aren’t designed to spread across networks. That privilege belongs to worms.

The primary goal of a worm is to proliferate, and although it is capable of carrying malicious payloads and behaving very much like a virus, this isn’t necessarily the case – legend has it that the first worm ever written was by a team at Xerox PARC in 1978, and was made to find idle processors on a network and dole out tasks to them, all in the name of aiding efficiency. And the Welchia worm, in 2003, went around downloading the latest security updates from Microsoft onto the machines it infected, in the process plugging the same hole it had exploited to enter the system.

Today, worms are largely malicious in nature and use a variety of mechanisms to infiltrate computers and spread across networks, especially the Internet. To make matters worse they often act as trojans, spyware, and mass-mailers for spam, making the damage they can do as diverse as the worms themselves.

A worm’s playground
The networked world we live in today is a veritable playground for worms, and has made them the number one most wanted on the malware hit list. And with good reason – there are hundreds of new worms every year, and the particularly nasty ones can cause billions of dollars of damage due to lost productivity for businesses. These are the outbreaks that usually make the news.

The worm’s primary goal is to spread, and it will do this in a variety of means, but not all of them technical. As Kevin Mitnick is famous for demonstrating, the weakest link in a system’s security is the fleshbag sitting between keyboard and chair.

While worms often spread by taking advantage of legitimate system services or holes in software, they almost always get a foothold first thanks to social engineering – frequently people clicking on programs or opening attachments they really shouldn’t. The first recorded malicious worm that spread on the Internet was ‘Melissa’ in 1999, and came embedded in a Word document that had to be opened to run as a macro virus.

In fact worms are, essentially, programs just like any other on your system – only with a different agenda than rendering you a webpage. As programs they have as much free rein on a system as any other application – which is to say a lot, as Windows defaults users to Administrator privileges.

All worms, however, can be broken down into two parts: propagation and payload.

Propagation
Unlike viruses, which are traditionally executables and work by injecting their code into other executables, worms can be an executable, a script, a macro or any other interpreted or compiled language that allows the author to exploit flaws in a system.

The first public abuse of buffer overruns, which are all the rage these days, was the Morris worm in 1988 that took advantage of a buffer overrun vulnerability in BSD. It’s also the first known worm to spread via the Internet.

Regardless of the code used to construct them, worms are designed to spread through multiple means that include but are not limited to:
• Email
• Instant messengers
• P2P software
• Open network shares
• Exploitation of system services
• Websites (JavaScript and browser vulnerabilities)
• Back doors (sometimes left by previous worms)

How these services are exploited is as varied as the worms themselves:
• The well-known Sasser worm in 2004 exploited a buffer overflow in the LSASS (Local Security Authority Subsystem Service), hence the name, and spread through TCP ports 445 and 139 (commonly associated with Windows file sharing).
• The ILOVEYOU worm of 2000, also known as the ‘Love Bug’, enjoyed success thanks to email and socially engineered subject lines.
• In 2003 the Slammer worm became famous for injecting code into running services, while the Spida worm was able to log in to Microsoft SQL servers.
• Then there’s the Jitux worm which, while written in Visual Basic, was smart enough to spread via MSN Messenger. And Axam hooked onto P2P software, copying itself to the shared directories of Kazaa, Morpheus, BearShare, eDonkey and LimeWire, in addition to mass-mailing through Outlook.

And in the case of Nimda (‘admin’ backwards), almost all of the above mechanisms were employed, spreading via email, websites through JavaScript, shared drives, IIS servers and backdoors left by other worms.

In the case of spreading via email, worms usually include their own Simple Mail Transfer Protocol (SMTP) code to directly email copies of themselves to addresses in the host system’s address book. They are smart enough to ignore addresses to ‘root’ or ‘admin’, and to transmit from a variety of common names like ‘adam’ or ‘julie’. Some even send emails in more than one language.

When it comes to ports, worms look for and try to penetrate open ports belonging to services they know they can exploit (often services or applications with known and unpatched vulnerabilities). Often it is the sudden, high volume of network traffic a worm generates while scanning that first alerts system administrators to its presence.
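The scanning burst described above is exactly what a network defender can look for. The following added example (not code from the original article) runs a simple fan-out detector over constructed firewall log lines: it flags any source that contacts many distinct hosts on a worm-associated port (445/139 for Windows file sharing as with Sasser, 25 for worms carrying their own SMTP engine) inside a short time window. The log format, port set, window and threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article associates with worm propagation (assumed set for this example):
# 445/139 = Windows file sharing (Sasser), 25 = SMTP (self-mailing worms).
WORM_PORTS = {25, 139, 445}

def parse_line(line):
    """Parse one constructed firewall line: '<ISO time> <src> -> <dst>:<dport> <verdict>'."""
    ts, src, _, dst_port, verdict = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), verdict

def find_fanout(lines, window=timedelta(seconds=60), threshold=20):
    """Return {(src, port): peak_distinct_dsts} for every source that reached at
    least `threshold` distinct hosts on one worm-associated port within `window`.
    A normal client talks to a handful of servers; a scanning worm sweeps a subnet."""
    events = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        if port in WORM_PORTS:
            events[(src, port)].append((ts, dst))
    flagged = {}
    for key, hits in events.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until all hits fit inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in hits[start:end + 1]}))
        if peak >= threshold:
            flagged[key] = peak
    return flagged

# Constructed sample: 10.0.0.7 sweeps 25 hosts of 10.0.1.0/24 on port 445 in 25 s,
# while 10.0.0.3 makes ordinary file-server connections.
SAMPLE = [f"2006-10-13T14:08:{i:02d} 10.0.0.7 -> 10.0.1.{i + 1}:445 deny" for i in range(25)]
SAMPLE += [
    "2006-10-13T14:08:05 10.0.0.3 -> 10.0.0.50:445 allow",
    "2006-10-13T14:08:30 10.0.0.3 -> 10.0.0.50:445 allow",
    "2006-10-13T14:09:10 10.0.0.3 -> 10.0.0.51:139 allow",
]

if __name__ == "__main__":
    for (src, port), count in find_fanout(SAMPLE).items():
        print(f"possible worm scan: {src} reached {count} hosts on port {port}")
```

Tune the threshold to your network: a file server or mail relay legitimately fans out, so whitelist known servers or raise the threshold for them rather than alerting on every burst.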

This article appeared in the November, 2006 issue of Atomic.
