What Are Internet Worms? Part 1

You may still remember the television ad from a few years ago that asked, "Son, do you have worms?". Staying with the theme of worms, this article discusses the different forms of worms found on the Internet. Internet worms are autonomous intrusion agents that are able to replicate themselves and spread by exploiting security flaws in commonly used services. Worms are not a new phenomenon: the first one was found spreading in 1988. Worms have become a threat capable of shutting down the Internet, although most cases have involved systems based on Windows. Some recent types of worms use electronic mail (e-mail) as their distribution medium.

Activation Method and Distribution Mechanism
The difference between a worm and a virus lies in whether they require user intervention to replicate themselves and to spread and infect computer systems. A virus spreads slowly compared with a worm. On the other hand, a virus is better at evading the anti-virus programs that seek to identify and contain its spread on a computer system. In practice, however, a virus can spread in the manner of a worm.

To simplify the discussion, we limit the treatment of worms and viruses to two aspects: the activation method, that is, the process by which a worm comes to execute on a computer system, and the distribution mechanism, which allows a worm to travel from one host to another.

Activation Method
Understanding how a worm becomes active on a host is closely related to the worm's ability to spread itself. A number of worms are arranged to become active almost immediately, while others can wait days, weeks or even months before they are activated and then spread.

Activation with user intervention
This activation process is slow, because it generally requires the user to execute the worm, whether the user realizes it or not. As awareness of the danger of worms and viruses grows, users become more careful not to execute unknown programs or open e-mail attachments from people they do not know, which certainly slows worm activation. Worm authors do not give up under these conditions: they apply social engineering techniques, such as those used by the Melissa virus, which appeared to send important information from a person the victim already knew, or by the ILOVEYOU virus, which was sent as a personal message. Although Melissa is a macro virus for Microsoft Word that requires user intervention, its spread across the Internet made it the most frightening threat of its time.

Scheduled activation
A faster activation method is to make use of scheduled system processes. Many programs in desktop and server environments run according to a provided schedule. This method still requires human intervention, but this time it is the attacker who provides it. An example is a system's auto-update program, which performs the update process from the vendor's server. Because the update treats a remote host as its master, an attacker can exploit this to spread the worm to the first or remote host, on the network gateway or on the Internet, by altering or infecting the files needed by the update process with the worm's code.

Self-activation
Self-activation is the fastest method for a worm to replicate itself, spread, and infect victim hosts, and it is the method most popular with worm authors. A worm using this method generally exploits a security flaw in a commonly used service; for example, the CodeRed worm exploited the IIS web server. The worm inserts itself into the service daemon it has taken over, or executes commands with the same privileges as the daemon. Execution takes place as soon as the worm finds a vulnerable service and exploits it.

The distribution mechanism
A worm infects a victim host and inserts program code, carried as part of the worm, into it. That code can be machine code, or a routine that runs other programs already present on the victim host. To spread, the worm must find new victims and infect them with copies of itself. The distribution process can take place as one-to-one distribution (from one host to another host) or as mass distribution (from one host to many hosts).

Mass distribution is considered the fastest distribution method, on the assumption that time is the limiting factor.

Several mechanisms are used by a spreading worm to find candidate victims: scanning; searching for victims based on a target list, either prepared in advance by the worm author or found on the victim system; querying a metaserver; and passive monitoring.

Scanning
The scanning method involves probing a number of addresses on the Internet and then identifying the vulnerable hosts. Two simple forms of scanning are sequential (trying to identify each address in a block from beginning to end) and random.

The spread of worms by scanning, whether sequential or random, can be said to be comparatively slow; however, when combined with automatic activation, worms can spread much more rapidly. A worm using the scanning method usually exploits security holes that have already been identified, so it will infect only a relatively limited number of hosts.

Other scanning methods that are considered quite effective are bandwidth-limited routines (as used by CodeRed, which restricts targets according to the connection latency between the already infected system and the new candidate victims), routines that restrict targets to local addresses (such as within a LAN or WAN), and permutation of the search space.

Scanning worms are not specific to one application, so an attacker can add a new exploit to a known worm. For example, the Slapper worm's exploit and payload were reused to create a new worm, Scalper.

In general, scanning speed is limited by a combination of factors such as the number of vulnerable machines, the design of the scanner, and the ability of network monitoring systems to identify the presence of the worm from the quite significant increase in traffic it causes.

Target Lists
A worm can carry a target list determined in advance by the worm author. A predetermined target list lets the worm spread more quickly at first, but of course the distribution is very limited, because the targets are a fixed set of Internet addresses.

A worm can also find the victim list it needs on the host it has taken over; such lists are generally used by worms that spread based on network topology. For example, from the IP address of the compromised system the worm can expand into the subnet on a WAN or LAN.

Target lists are also available from metaservers (servers that list a number of servers offering the same service). For example, the Gamespy metaserver keeps a list of servers providing online game services. A worm that utilizes a metaserver first queries it to learn of new targets. This method can also accelerate the spread of a worm that attacks web servers, since the worm can use Google or other search engines as a metaserver to find targets.

Passive Monitoring
A passive worm does not seek out victims; instead it waits for candidate victims to present themselves and then infects them. Although this method is slower, a passive worm does not produce anomalous traffic patterns, so its presence is difficult to detect. For example, the "anti-worm" CRClean does not require user activation: it waits for attacks from the CodeRed worm and its variants, then responds with a counter-attack. If the counter-attack succeeds, CRClean removes CodeRed and infects the attacking machine with itself. CRClean thus spreads without any scanning process.

Attack Motivation
Although it is very important to know the technology used by Internet worms, understanding the threat posed by a worm also requires understanding the motivation of the intruder (in this case the worm author) and, if possible, identifying who the intruder actually is.
There are many motivations for creating a worm, but the following are the ones that commonly underlie worm attacks.

Pride and Power
The intruder (here, the worm's creator) is motivated by gaining power and showing off the damage done to other hosts. Such intruders are generally not well organized and choose targets at random. If they find a weak system that is vulnerable to attack, they will keep attacking it.

Commercial Benefits
As the world economy increasingly depends on computers to run day-to-day business operations, an electronic attack directed at a domain can seriously disrupt transactions in progress. A worm attack can be carried out for profit, to manipulate finances or to sabotage competitors.

Extortion
Because a worm can be built to carry out a sustained DoS (Denial of Service) attack, a company can be extorted, with the attack being called off once the payment demanded by the attacker is made. This motivation is more typical of organized individuals or groups.

Protest
Someone with enough knowledge to write a worm can mount an attack if he feels wronged by a certain party, making his protest by spreading the worm on the Internet. Protests can also have a negative impact on the institution that becomes the target, as happened recently to SCO and Microsoft, which had DoS attacks directed at them. Political protest can also become the payload of a worm attack. For example, the Mail Yaha worm was created as a tool of political protest: it claimed to be pro-India and launched DoS attacks on Pakistani government websites.

Terrorism
Objectively, worms can be used by terrorist groups. Because many of the computer systems connected to the Internet are located in developed countries, a worm attack can serve as an act of terrorism. An attacker could include a payload on behalf of terror groups such as Al-Qaeda, or anti-globalization groups, to attack others.

Payload
In line with the variety of motivations, the payload carried by a worm can vary. The following are payloads often found in worms.

No payload or non-functional payload
A worm with a bug in the code related to its distribution method usually fails to spread, but a worm with a bug in its payload can still spread and cause serious effects, such as increased network traffic, or can serve to identify active vulnerable hosts.

Backdoor
The CodeRed II worm creates a backdoor on the victim host that allows anyone to execute programs on the victim through a browser. This in turn triggered a rise in anti-CodeRed worms that try to exploit that backdoor.

Remote DoS
A common worm payload is the ability to carry out DoS (Denial of Service) attacks. The worm carries a tool that can attack a designated target, either on command or under the control of someone who can direct it to take part in a DDoS (Distributed Denial of Service) attack.

Update
A number of worms, such as W32/Sonic, have the ability to update their payload. W32/Sonic makes a number of queries to a website to obtain new program code for itself. This capability can be used by a DDoS tool to update the programs on the zombies. If control over the update process continues, an exploit module can be added so that the worm spreads more quickly and claims more victims.

Espionage and Data Collection
A worm can be used as a tool for espionage and data collection, searching for specific keywords, such as credit card numbers or other important information, in the documents stored on the hosts that have become its victims.

Many viruses and worms destroy data, such as Chernobyl and Klez, which carry data-deletion commands. Because a worm can spread quickly, it can begin manipulating or deleting data from the very beginning of the infection process.

Although most BIOSes have the ability to prevent reflashing, some worms are capable of running destructive routines against certain types of BIOS.

Coercion
With a coercive payload, a worm does no damage unless it is disturbed. Such a worm gives the user a choice: allow the worm to stay on the system and it will do no destruction, or remove the worm and suffer the damage it then inflicts on the system.

Detecting Internet Worms

Firewalls have been developed as tools for detecting anomalous traffic coming from the Internet, and their log files can warn of a worm attack that targets a particular port. A firewall can block the access so that the administrator can perform analysis and recovery if needed.

A problem commonly found with automatic response is accurately detecting and analyzing a worm that is currently operating and infecting a network. This section discusses both new and existing strategies for detecting the presence of a worm.

A detector can be a standalone computer or other device, located in the DMZ (De-Militarized Zone) or on a backbone, with the ability to detect locally or centrally. Every sensor used in a large-scale network must be sensitive enough to reduce false positives and false negatives. A detector can be called capable if it successfully detects several types of worm anomalies; anomalous incidents can be discovered from the traffic patterns generated as a consequence of the spread of worms using the techniques described above.
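The scanning section above notes that a scanning worm gives itself away through a significant rise in traffic, and the detector section says such anomalies show up in the traffic pattern. The following is an added example, not code from the original article or from any detector it mentions: a small fan-out detector that reads a constructed connection log, flags any source that contacts many distinct destinations on one port within a short window with mostly failed connections, and labels the target pattern as sequential or random (the two simple scanning forms discussed above). The log format, the thresholds, and all addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed connection log (not a real capture), one attempt per line:
#   <seconds> <src_ip> <dst_ip> <dst_port> <status>
# status is "ok" when the handshake completed, "fail" for no reply or a reset.
# 10.0.0.5 sweeps 10.0.1.1-10.0.1.8 on port 80 (sequential scan),
# 10.0.0.9 hits scattered addresses on port 445 (random scan),
# 10.0.0.20 is ordinary client traffic and must not be flagged.
SAMPLE_LOG = """\
0 10.0.0.5 10.0.1.1 80 fail
1 10.0.0.5 10.0.1.2 80 fail
2 10.0.0.5 10.0.1.3 80 ok
3 10.0.0.5 10.0.1.4 80 fail
4 10.0.0.5 10.0.1.5 80 fail
5 10.0.0.5 10.0.1.6 80 fail
6 10.0.0.5 10.0.1.7 80 fail
7 10.0.0.5 10.0.1.8 80 fail
0 10.0.0.9 203.0.113.17 445 fail
2 10.0.0.9 198.51.100.4 445 fail
3 10.0.0.9 192.0.2.77 445 fail
5 10.0.0.9 203.0.113.200 445 fail
6 10.0.0.9 198.51.100.130 445 ok
8 10.0.0.9 192.0.2.9 445 fail
9 10.0.0.9 203.0.113.3 445 fail
11 10.0.0.9 198.51.100.250 445 fail
0 10.0.0.20 10.0.2.10 443 ok
30 10.0.0.20 10.0.2.10 443 ok
45 10.0.0.20 10.0.2.11 443 ok
"""


def parse_log(text):
    """Turn the text log into (ts, src, dst, port, status) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, status = line.split()
        flows.append((int(ts), src, dst, int(port), status))
    return flows


def classify_targets(dsts):
    """'sequential' if the destinations form one contiguous ascending
    run of addresses (a block sweep), otherwise 'random'."""
    ints = sorted(int(ipaddress.ip_address(d)) for d in dsts)
    gaps = [b - a for a, b in zip(ints, ints[1:])]
    return "sequential" if gaps and all(g == 1 for g in gaps) else "random"


def detect_scanners(flows, window=60, min_targets=8, max_success=0.25):
    """Sliding window per (src, dst_port). Alert when at least `min_targets`
    distinct destinations are contacted within `window` seconds and the
    share of successful connects is at most `max_success`: a scanning worm
    probes many addresses, most of which do not answer on that port."""
    by_key = defaultdict(list)
    for ts, src, dst, port, status in flows:
        by_key[(src, port)].append((ts, dst, status))

    alerts = {}
    for (src, port), events in by_key.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # shrink the window from the left until it spans <= `window` seconds
            while events[right][0] - events[left][0] > window:
                left += 1
            win = events[left:right + 1]
            dsts = {d for _, d, _ in win}
            if len(dsts) < min_targets:
                continue
            ok = sum(1 for _, _, s in win if s == "ok")
            if ok / len(win) <= max_success:
                alerts[(src, port)] = {
                    "targets": len(dsts),
                    "pattern": classify_targets(dsts),
                    "success_rate": round(ok / len(win), 2),
                }
                break  # one alert per source/port is enough
    return alerts


if __name__ == "__main__":
    for (src, port), info in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src} -> port {port}: {info['targets']} targets, "
              f"{info['pattern']} pattern, success rate {info['success_rate']}")
```

The success-rate condition is what separates a scanner from a busy but legitimate client: a real client talks to a few servers that answer, while a scanning worm burns most of its attempts on addresses that have no listener on the probed port. The sequential/random label is only a hint for the analyst; a bandwidth-limited or local-only scanner, as described above for CodeRed, still trips the fan-out threshold, just more slowly.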

Read more in Part 2.