The following report intends to depict, graphically where possible, all components of a typical worm attack, and to explain in detail the workings of a real-world worm attack.
Computer worms have become an epidemic of the internet and have the potential to cause massive monetary damage in hours, if not minutes. Worms have come a long way, from a hypothetical construct to a real and serious danger to computer networks (Fosnock, 2005).
The Conficker worm of 2008 caused infections on a vast scale within a few days and could spread to a very large number of computers in very little time. It has been very difficult to contain and control because it combines several different techniques, and the fact that it is still active on the internet today raises serious concerns about this type of attack (Burton, 2010).
Occasionally, a worm's only purpose is to replicate itself over and over so as to deplete system resources, for example hard disk space or bandwidth, by overloading a network or a group of networks. Worms are also used for data theft, installing backdoors and allowing unauthorised access to a computer and its data (2001 CERT Advisories, 2001). Advanced worms are known to use encryption, data wipers and ransomware to damage their intended targets (Keshavarzi & Ghaffary, 2020).
Lifecycle of a typical worm
A worm program first searches the network for reachable systems running software it can interoperate with, which will receive and run a copy of the worm (Amoroso, 2011). A worm can arrive on a host as a malicious email attachment, but it can also execute without any user interaction by exploiting a network-facing vulnerability. Once running, it may carry a payload, for example corrupting files or disabling anti-virus software (Syed, 2009).
Propagation & Distribution Phase: How does it spread?
A worm can spread by itself from one machine to another, or be carried over a communication channel such as email, instant messaging or file sharing (Moore et al., 2002). After successfully copying itself to a new host, the worm repeats the same actions it performed on the original host (Syed, 2009).
Activation Phase: What is it intended to do?
Several different types of worm are in use today, each with its own method of infecting hosts (Weaver et al., 2003).
The Conficker Worm (2008)
The Conficker worm, which targets only Windows machines, was first detected on 21 November 2008 by the Microsoft Malware Protection Center. It exploited a vulnerability in the Windows Server service, MS08-067, for which Microsoft had issued a patch 29 days before the attack started (Giles, 2009).
Conficker also uses autorun-worm techniques, spreading via removable storage such as USB thumb drives. Once it has infected a computer, it tries to reach network shares and to guess the passwords of local accounts from a built-in list of common passwords. If it obtains an administrator account, it uses the Windows Task Scheduler service to schedule its own execution on every non-infected computer it can reach. Because those computers receive the task from an administrator account, the worm runs without any further confirmation from the user (Hypponen, 2009).
The worm exists in multiple versions, each exhibiting different attack methods (Lawton, 2009). Its probing for new victims follows three strategies:
- Global spreading – probing computers at random IP addresses over the Internet
- Local spreading – probing computers on the Local Area Network (LAN) that share the same IP address prefix
- Neighbourhood spreading – probing computers in ten neighbouring LANs using the consecutive IP address prefixes that follow the local one
Versions B and B++ added a secondary attack vector that relies on social engineering: an autorun file placed on external storage devices such as USB drives (see Figure 2.1). They also spread through network shares, flooding the network with NetBIOS traffic. Version C of the Conficker worm replaced this spreading functionality with a peer-to-peer (P2P) distribution system used to receive updates (Fitzgibbon & Wood, 2009).
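The three probing strategies listed above are what a network defender sees as SMB fan-out from an infected host. The following added example (not code from the report or from any Conficker analysis it cites) models each strategy as a target generator and then runs a simple detector over constructed flow records: it flags any source that contacts many distinct addresses on TCP/445 and labels the pattern as local, neighbourhood or global by how far the targets sit from the source's own /24. The "ten neighbouring LANs" are assumed to be the ten /24s immediately following the local one; the thresholds and sample addresses are illustrative.

```python
import ipaddress
import random
from collections import defaultdict

# TCP/445 carries the SMB traffic over which the MS08-067 Server service flaw was reached.
SMB_PORT = 445


def global_targets(rng, count):
    """Global spreading: uniformly random IPv4 addresses anywhere on the Internet."""
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(count)]


def local_targets(infected_ip, rng, count):
    """Local spreading: hosts sharing the infected host's /24 prefix."""
    net = ipaddress.ip_network(f"{infected_ip}/24", strict=False)
    return [str(net[rng.randrange(1, 255)]) for _ in range(count)]


def neighbourhood_targets(infected_ip, rng, count, lans=10):
    """Neighbourhood spreading: hosts in the `lans` consecutive /24s after the local one (assumed model)."""
    base = int(ipaddress.ip_network(f"{infected_ip}/24", strict=False).network_address)
    targets = []
    for _ in range(count):
        offset = rng.randrange(1, lans + 1) * 256 + rng.randrange(1, 255)
        targets.append(str(ipaddress.IPv4Address(base + offset)))
    return targets


def classify_pattern(src, targets, lans=10):
    """Label a source's scan targets as local, neighbourhood or global relative to its own /24."""
    src_net = int(ipaddress.ip_network(f"{src}/24", strict=False).network_address)
    # Offset of each target's /24 from the source's /24 (0 = same LAN, 1..lans = neighbours).
    offsets = {(int(ipaddress.IPv4Address(t)) - src_net) // 256 for t in targets}
    if offsets == {0}:
        return "local"
    if all(0 <= o <= lans for o in offsets):
        return "neighbourhood"
    return "global"


def scan_sources(flows, threshold=20):
    """Flag sources whose SMB fan-out (distinct destinations on TCP/445) reaches the threshold.

    flows: iterable of (src_ip, dst_ip, dst_port). A normal client talks to a handful of
    file servers; a worm probing for MS08-067 contacts dozens of addresses within minutes.
    """
    fan_out = defaultdict(set)
    for src, dst, dport in flows:
        if dport == SMB_PORT:
            fan_out[src].add(dst)
    return {
        src: {"targets": len(dsts), "pattern": classify_pattern(src, dsts)}
        for src, dsts in fan_out.items()
        if len(dsts) >= threshold
    }


def build_sample_flows():
    """Constructed sample flow records (not a real capture): one benign client, two infected hosts."""
    rng = random.Random(7)
    flows = [("10.0.1.20", "10.0.1.5", SMB_PORT), ("10.0.1.20", "10.0.1.6", SMB_PORT)]
    flows += [("10.0.5.7", d, SMB_PORT) for d in local_targets("10.0.5.7", rng, 40)]
    flows += [("10.0.9.3", d, SMB_PORT) for d in global_targets(rng, 40)]
    flows += [("10.0.9.3", "192.0.2.10", 443)]  # unrelated HTTPS traffic is ignored
    return flows


if __name__ == "__main__":
    for src, info in scan_sources(build_sample_flows()).items():
        print(f"{src}: {info['targets']} SMB targets, {info['pattern']} spreading")
```

On a real network the flow records would come from NetFlow or firewall logs and the threshold would be tuned per site, but the shape is the same: the distinguishing signal of a scanning worm is the number of distinct destinations on one port, not the volume of bytes.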
Conficker is known as one of the fastest-spreading and largest malware infections of all time and is reported to have infected some 15 million devices across 190 countries. Although it initially caused alarm because of its extreme virulence and its reach into large targets such as national defence networks, healthcare systems and medical devices, it did not destroy or steal data; it simply infected systems and tried to spread to as many computers as possible (Giles, 2009).
The worm infected machines at significant organisations such as the UK's Ministry of Defence and Germany's Bundeswehr (Wilde, 2009). It cost Manchester City Council $2.4 million in clean-up costs, and the French Navy had to ground its fighter aircraft because they were unable to access their flight plans (Willsher, 2009).
The worldwide monetary impact of the Conficker attack has been estimated at approximately 9.1 billion USD. The attack gained widespread media coverage and transformed how similar threats were perceived across the education, health, corporate and government sectors (Ranger, 2015).
Post Attack actions
The US Department of Homeland Security funded the Conficker Working Group, formed relatively early in the outbreak with industry leaders such as Microsoft, Cisco and ICANN, whose work severely limited the usefulness of the worm and the botnet it created (Sattler, 2019). Microsoft also announced a $250,000 reward for information leading to the arrest and conviction of the worm's author (Ranger, 2015). The MS08-067 fix was carried forward into all subsequent releases of Windows.
The working group worked with domain registrars in countries around the world to block the rendezvous domains the worm tried to contact. Conficker generated a fresh list of pseudo-random domain names each day (250 per day in variants A and B, 50,000 per day in variant C) and looked them up to fetch updates; because the generator is deterministic, the working group could compute those names in advance and pre-register or block them before the worm used them. Doing this greatly reduced the worm's usefulness for criminal activities (Hypponen, 2009).
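The domain-blocking strategy works because every infected host derives the same day's rendezvous names from the same algorithm and the same date, so a defender who has reversed the generator can enumerate them ahead of time. The following added example (not code from the report and not Conficker's real generator, whose hashing scheme, seed and TLD list are deliberately not reproduced here) uses a hypothetical SHA-256-based, date-seeded generator to show the defender's side: pre-computing a week of names to block or register, and then matching DNS query logs against that list to identify infected clients.

```python
import hashlib
from datetime import date, timedelta

# Illustrative TLD set and start date (the outbreak's actual values are not reproduced here).
TLDS = ("com", "net", "org")
START = date(2009, 3, 1)


def rendezvous_domains(day, count=5, seed=b"example-worm"):
    """Hypothetical date-seeded domain generator standing in for Conficker's DGA.

    Every infected host computes the same names for a given day, so a defender who has
    reversed the generator can compute them too, before the worm ever resolves them.
    """
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return names


def blocklist(start, days):
    """All names a working group would need to block or pre-register for `days` days from `start`."""
    names = set()
    for offset in range(days):
        names.update(rendezvous_domains(start + timedelta(days=offset)))
    return names


def check_queries(queries, blocked):
    """Return the (client, qname) pairs from a DNS query log that hit a generated rendezvous domain.

    A lookup of such a name identifies an infected client even when the name resolves to a
    sinkhole or to nothing at all.
    """
    return [(client, qname) for client, qname in queries
            if qname.lower().rstrip(".") in blocked]


def demo():
    """Constructed DNS query log (not real data): one infected host, one clean host."""
    blocked = blocklist(START, 7)
    worm_name = rendezvous_domains(START + timedelta(days=2))[0]
    log = [("10.0.5.7", worm_name + "."), ("10.0.1.20", "www.example.com.")]
    return check_queries(log, blocked)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} queried rendezvous domain {qname}")
```

At 250 names per day, pre-registering every domain was feasible; the jump to 50,000 per day in variant C was precisely an attempt to make this defence too expensive, which is why the working group's cooperation with registrars across many TLDs mattered.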
The diagram below shows the security aims that were breached, together with examples of the real-world consequences of the Conficker worm.
Timeline of the attack
Worms can consume large amounts of bandwidth and network resources. They spread aggressively and can be very hard to control. Conficker and other worms of a similar nature have a very high potential for harm, ranging from simple fraud and theft to a coordinated information-warfare attack by an individual or a state actor that could disrupt the internet itself and cause huge financial losses worldwide.
At one point Conficker had spread to over 9 million computers, had penetrated government organisations, banks and other services, and could download and upload information remotely. Had the worm been instructed to do something nefarious, such as leaking data on the dark web or releasing military secrets, it could effectively have brought entire sectors down in countries across the globe (Burton, 2010).
Conficker detections are still recorded to this day, and the information security community continues to monitor its activity.