ViruS ComPuTeR

Benevolent Worms

Various software developers are looking for ways to better distribute useful pieces of information to their users. This information would mainly consist of software updates and patches for known vulnerabilities. Instead of being downloaded from a central server, these updates would be distributed similar to malicious codes and function just like a computer worm.

Computer worms spread themselves by self-replication. Unlike a virus, a worm does not require action on part of the victim to be executed. After one computer is infected, they probe a network in search of a new host, which is basically their primary function. Worms tend to more harmless than viruses, although some have inflicted a considerable amount of damage.

Why Benevolent Worms are Enticing

The widespread use of benevolent worms is a tempting idea for many reasons. One can view it as a way of fighting off the malicious coders with their own weapons. It could also possibly solve all of those vulnerabilities made visible by the internet, automatically securing the end-user's system. This could prove to be very useful as today's patching-system isn't effective as it should be. The fact is that several people, especially home users, simply do not make use of them. In all honesty, efficient all-around patching involves a lot of time and labor, something many of us wouldn't find much enjoyment in.

How Benevolent Worms Can Enhance Your Security...or Not

A good worm could be something that turns a security problem into a challenging experience. It would certainly make an interesting project for developers looking to get all the kinks out of the code and properly distribute it. Users would no longer have to worry about the technical details involved with installing updates and patches. However, these same benefits are just what could make the benevolent worm a bad move.

Although it would probably help considerably, patching a user's machine without consent isn't a good practice. The worm has been dealt a bad rep for much more than its payload. The propagation techniques of a viral strain aren't necessarily harmful, yet distributing a beneficial payload may not be the best route. When considering how it functions, it's hard to image the worm as tool that could be used without stirring up some controversy.

In order to be truly beneficial, a benevolent worm would have meet the following criteria:

-The end-user can choose to have it installed

-Installation is specifically adapted to the machine its running on

-The installation can be cancelled

-Tt's easy to locate on the system

-The program can be easily removed

The main task would be altering the worm's behavior, as they are designed to run without user intervention or consent. After settling in, it begins to propagate and spread until being fully eradicated. These characteristics are not very compatible and do not leave much room for error. If a worm were able to give users more of an option with installation flexibility and easy uninstallation functions, propagating would be much harder, essentially making it uneffective.

While there are several hopeful in one day using the worm for good, many more critics stand firm in their disapproval and view it as a bad way to distribute software.

Two of the Latest Types of Computer Worms

With malicious programs like spyware and Trojan horses on the steady incline, others tend to fall out of discussion while remaining prominent and quite dangerous. Just like viruses, computer worms are still around, raising just as much havoc as before.
Recent Types of Worms
Panda Security announced the discovery of two new infections in January of 2008: Valentin E and Nuwar OL. These worms employ social engineering techniques using the topic of Valentine's Day to trick users into opening an infectious email attachment. While these attempts seem to be made year after year around the same time, it also indicates that malicious coders are still getting users to fall into their trap.
Nuwar OL Worm
Nuwar OL is delivered to a user's inbox with subjects like "You Are In My Dreams," "I Love You So Much," "Inside My Heart Is You," etc. The contents of the message contains a website link, which downloads the malicious code when accessed. To disguises its activity, the worm redirects you to simple web page with the theme of a romantic greeting card. Once the computer is infected, the infection spreads by sending messages to names in the user's contact folder. The most severe impact of the Nuwar OL is slowing down the performance of a single computer or a network. Once detected, it is generally easy to remove.
Valentin E Worm
Similar to the Nuware Worm, Valentin E is distributed via email. It contains subjects like "True Love," "Searching for True Love," and "Love Of My Life." The worm also includes an attached file titled "FRIENDS4U." When the targeted user opens the attachment, a copy of the worm is downloaded onto their computer. Its malicious code is installed onto the machine as a file with an SCR extension. If the user runs the file, Valentin E. displays a new desktop background to distract them, all while it propagates itself on the host machine. It then distributes email messages with copies of itself attached to further spread the infection to other computers.
Both Nuware and Valentin E are basically employing the same techniques used in may forms of malware, particularly worms and viruses. They send emails with attractive subjects, colorful Valentine's Day e-Cards, romantic desktop themes and more. This is all done to bait the user into running the attachment and unknowingly launching malware onto their systems.
Preventing Worm Infections
In order prevent the infection of worms, viruses and other malicious programs, we strongly suggest the following the tips below:
- Avoid opening emails originating from unknown senders. Beware of emails containing holiday themes, relating to money or any of your accounts.
- Never click on links in an email message, even if they appear to come from a reliable source. Your best bet would be to copy and paste them into your address bar.
- Never open email attachments from unknown senders.
- Be careful of the sites you visit online as many of them are designed to deliver malware
- Install a firewall application to prevent intruders from loading malicious content on your computer.
- Defend you computer with security software with the ability to detect known and evolving strains of malware.

The Nimda Worm

Nimda is another one of many worms to infect the vulnerable Windows operating system. Its method of propagation is rather unique, as it can be distributed via email or a malware infected website. Nimda also seeks out vulnerable web servers to upload malicious code, giving it the ability to infect an entire network. What makes it more complex is the fact that it is the first worm to behave like a virus by infecting other files. The normal behavior of a worm is to only replicate itself and propagate throughout a hard drive or to other machines via email. Nimda is able to spread quickly inserting it's code into EXE. (executable) files on local drives.

How Nimda Works

Nimda's tendency to seek out exploitable servers is something that could possibly create network traffic jam on the internet, similar to the infamous SQL Slammer worm. In some cases, the results of this worm causes a server to completely fail, a condition more commonly known as DoS (denial-of-service) attack. Every computer infected by Nimda increases network traffic all while seeking other systems to infect.

Similar to most worms, Nimda's most common method of distribution is email, usually targeting the Outlook and Outlook Express applications. It arrives in a user's inbox with a file attachment named "README.EXE" which holds the infection, though it can also be contracted just by viewing the preview pane. In older versions of Microsoft Internet Explorer, this worm has the ability to spread the infection simply by reading the message. Although these vulnerabilities were resolved by Microsoft some time ago, several users have still not applied the necessary patches, enabling Nimda to keep spreading.

The Nimda worm mainly targets the Outlook programs, but other email clients have been infected as well. The major difference is that users have to open the attachments for the malicious code to be executed. Sadly, it is a fact that some recipients cannot resist the urge to open these tempting files, thus powering the epidemic of malware. Once infected with Nimda, it will dig into the email addresses in your contact list and recruit others to participate in a DoS attack.

Misconceptions about Nimda

Misconception #1: "Nimda does not infect PC users running Windows 95, 98 or ME." This is not true. The worm can infect any 32-bit system, including Windows 95, 98, ME, 2000 and NT.

Misconception #2: "Nimda is not distributed through mail clients such Eudora and Netscape Mail." This is not true either. An infected email can still be sent to those mail servers. If the attachment is opened, the worm will be executed.

Misconception #3: "Anti-virus software will catch all strains of Nimda." This is partly true, yet many vendors were unable to detect it when first released. It is likely that variants of this worm will be continuously developed, meaning your anti-virus program should be updated on a daily basis.

Prevention

Anti-virus software is always essential when it comes to fighting off worms. More importantly, you should keep your system updated with the latest patches by downloading them from the Microsoft website. Remaining weary of emails is important, as well as cautiously surfing the web. While malware like the Nimda worm are often complex, a few preventive measures will help you elude the best of them.

The History of Worms


Malware with self-replicating capability has been an issue in the world of computing for several years, dating back to the first self-replicating code created by Ken Thompson in 1984. Over the past few years, both worms and viruses have become major problems, mainly due to widespread use of the internet. This wide open platform enables these infections to spread rapidly with no geographic restrictions. Worms in particular are becoming more sophisticated as malicious coders have learned from their mistakes and successes as well.
In this article, we will take brief glance at the history of computer worms and how they have impacted the current state of computing.
Early Infections
Self-replicating applications date back to the early days of the Unix operating system. Ken Thompson's code was essentially a compiler modification that manipulated login procedures and the compiler itself. The conventional virus became a common plague in the era of the Apple II system. This infection moved rather slowly, yet provided the means of distributing some of the most known viruses, such as Chernobyl and Michelangelo.
The first Internet infection that required no human intervention to propagate was the Morris Worm, discovered in 1988 and released by Robert Morris. It spread very quickly, infecting a number of vulnerable computers in a matter of hours. The Morris Worm infected various machines and also used multiple exploits including buffer overflows, debugging routines in mail components, password sniffing, and other streams of execution to improve its ability to attack other computers.
Although released on accident, the benign concept doesn't really apply to the Morris Worm, as it had a significant amount of impact because of the bug in its code. When reinfecting a computer, there remained the possibility that the new infection would be persistent, allowing other worms to run and terribly impact system performance. However, this caused the worm to be noticed instantly, and therefore, quickly contained.
Modern Worms
Active computer worms have returned to prominence in recent times. The first one to cause an eruption was Code Red. This infection proved how quickly a simple self-replicating program could spread via the internet's current infrastructure. Code Red exploited a buffer flow condition in the Microsoft IIS (Internet Information Server). It was able to propagate quickly because of the "always on" nature of IIS and many versions of the Windows operating system. Code Red was also equipped with scanning capabilities that improved its throughput and gave it the ability to elude numerous IP address security features.
Once a system has been compromised by a worm, there is actually little that can be done to mitigate the damage aside from removing it as quickly as possible. Just as everyone should devise a continency plan in case of a fire, one should also create a strategy to elude worm exploits. While there is no perfect solution, there are many steps that can be taken to prevent damage and reduce the spread of infection. Anti-virus software and firewalls are a must these days, two powerful weapons that will keep you one step ahead of a worm outbreak. It is also critical to conduct routine backups of your data as these infections can easily corrupt or completely overwrite existing files. When it comes to the disruption of worms and other malware, it's much better to be safe than sorry.

Lupper Worm 101

Malicious coders are very persistent these days. Windows is no longer alone in being attacked, as they have recently learned to exploit systems such as the Mac OS X and Linux, platforms known for their high-level of security. Many of them have been virus programs that take advantage of vulnerabilities in XML-RPC for PHP, a widely used open-source component found in many web-based applications.

Applications vulnerable to the newer viral strains are b2evolution, Drupal, PHPGroupWare, PostNuke, Tiki Wiki, WordPress and Xoops. While most of these applications have been updated to address the vulnerabilities, un-patched Linux systems remain vulnerable to Linux.Plupii, more commonly termed as the Lupper worm.

How the Worm Functions

The Lupper worm spreads by exploiting Apache web servers using PHP/CGI scripts, a programming language known to be more vulnerable than others. This infection is said to be a variant of the Linux Slapper and BSD Scalper worms due to similar propagation techniques. It attacks a web server by transmitting malicious HTTP (Hypertext Transfer Protocol) requests to open ports. The worm downloads and executes itself when the targeted server is running vulnerable scripts at a particular URL. This is enabled by configurations that permit remote file downloads in PHP/CGI and external shell commands. It's most alarming function involves creating a backdoor on the compromised server. The worm then generates URLs, which initiates a scan to seek out other machines for infection. Additionally, the Lupper worm has the ability to harvest email addresses as well.

Protecting against the Lupper Worm

Lupper was spotted rather quickly and doesn't seem to be spreading at the rate of the Slapper worm. Being that worm exploits on the Linux system are rare in comparison to the Windows environment, security experts suggest that this malicious program is worth keeping an eye on. Representatives from McAfee state that Lupper's intent of infection is to form a global network of compromised machines based on the peer-to-peer communication principle. This creates a robust network capable of distributing DDoS (distributed denial-of-service) attacks and other exploits because of its remote command. The security vendor also fears that the worms ability to extract email addresses may lead to new methods of infection.

The good thing is that most large corporations aren't running applications scripted in PHP/CGI. What may pose a continuous threat are unofficial sites established from within an or outside of an organization and web hosting companies that use a variety of different scripts. Since the Lupper worm seems to use an IP-based method of propagation, it is less likely that it will locate servers using vulnerable scripts, limiting the chance of infection. This worm would be much more difficult to contain if it was distributed via infected hosts found in the results of a search engine, a common trait of Windows-based malware.

Security experts have recommended many ways to deal with this infection; one is to only grant trusted users access to an FTP server. Symantec Corporation reports the Lupper worm as having a medium level of damage and distribution rate. McAfee labeled it as a low-risk threat for both home and corporate users.

The Slapper Worm

Unknown to some, Linux is one of the most reliable operating systems on the market. This platform is built with numerous security features, making the threat of malware insignificant to many users. Even though Linux hasn't been as prone to infection as Windows, the system has had seen its share of worms and viruses.
Staog was the first virus written for Linux, trailed a few years later by Bliss. While they raised a bit of concern in the industry, these two infections were far from devastating and quickly resolved with patches and user intervention. Worm infections, on the other hand, posed a significant threat to personal users and network administrators alike. One of the most notorious of was was the Slapper worm.
The Dangers of the Slapper Worm
The Slapper worm was first discovered in September 2002 on Friday the 13th. It employed a source code propagating method used in the infamous Morris Worm, the first computer infection to be labeled as a "blended threat." This program spread so quickly that it infected thousands of servers throughout the world within a matter of days. The Slapper worm took advantage of vulnerabilities in older versions of Apache web servers using peer-to-peer protocol.
Aside from propagating to other machines, the worm has the ability to act as a backdoor on the host computer. This enables a potential intruder to run system commands and launch multiple attacks against other computers, practically giving them complete control of the system. Once created, the backdoor accepts a large number of commands, which may include flooding remote systems with various network packets, downloading binary from a remote system and executing it, sending emails, and reporting data on the compromised machine.
Patching Linux Security
Over the weekend of September 13th, F-Secure's anti-virus lab found a way to reverse engineer the protocol the Slapper worm used to exploit the Linux system. This allowed F-Secure to access the Slapper network attack by posing as an infected Apache server. The false server gave them the ability to specify the exact amount of infected computers, along with their IP addresses.
F-Secure worked in conjunction with 14 CERT organizations in the process of warning administrators about their infected servers. This approach was received well by many companies, enabling the industry to rebound quickly and contain the worm.
The Slapper worm that once posed a significant threat to the Linux operating has since been neutralized by specialists at F-Secure. In what is said to the first move of this kind by any anti-virus company, F-Secure successfully located the root of the problem and warned the industry in just enough time. The company followed up their efforts by offering a free version of their anti-virus software so that Linux users could remove the infection from their systems.
Linux remains as one of the safest systems on the market. However, the Slapper worm is an example that this reliable system can indeed be infected by malicious software. While not recommended by all, a Linux system can achieve a greater level of security with anti-virus software.

Computer Worms and Viruses: What's the Difference?

We have all been infected with a virus at one time our lives, whether it was a common cold or something more severe such as the flu. In recent times, more of us are being plagued by another type of infection - the computer virus.

Just as a biological virus injects its own genetical makeup into a cell and interferes with the normal functions of the human body, a computer virus is written to interfere with the normal functions of an infected machine. It has the ability to damage various programs, overwrite and delete files, reformat hard drives and perform other harmful operations.

Common Characteristics

In order to be classified a computer virus, a program must meet two qualifications. First, it must be able to execute itself by inserting its malicious code in the execution path of another application. Secondly, it must be able to self replicate by replacing existing files with copies of files containing the viral code. Similar to how a biological virus needs to find a host cell, a computer virus must find an infected host file to propagate itself and further spread the infection.

Viruses have become very common in the world of computing, infecting millions of machines since their inception. However, the virus is not alone, as it has another destructive partner: the computer worm. A worm is very similar to a virus, yet quite distinctive as well. Unlike a virus, the computer worm does not require a host file in order to propagate itself. It is able to enter a computer through system vulnerabilities and uses those flaws to propagate.

The typical computer virus must be activated by way of user intervention. This may include double-clicking on a website link or opening the attachment of an email message. A worm bypasses user intervention by releasing a document containing the infected macro and distributing itself from computer to computer. A computer virus is generally the most harmful of the two, although worms have been known to cripple entire networks due to multiple infections.

Protecting against Viruses and Worms

While viruses and worms have become common, there are a few ways to avoid these nasty infections. You can begin by purchasing a reliable anti-virus program. This type of software features a scanner equipped with the technology required to detect and eradicate viruses, worms and other members of the malware family. Since new virus and worm programs are often written on a daily basis, these security solutions function best when regularly updated by the vendor's database. It is also recommended that you purchase an anti-virus program with real-time scanning capability to monitor your incoming emails. This will enable you to scan an attachment to make sure it's safe before opening.

Another solid option is a firewall. These components often come as features of anti-virus software or as stand-alone applications. A firewall application will keep unauthorized users from accessing your system and secretly installing malicious content. By implementing these two security solutions, you can stay one step ahead of the busy coders scripting viruses and worms.

Linux and Viruses

You are sure to hear much fuss about the threat of viruses these days. Computer viruses come in many different forms, from infections that are programmed to attack programs and files to those designed to the corrupt the critical sectors of your hard drive. What you seldom hear is what platforms these infections target. Microsoft Windows, the most popular operating system, is the number one target for most virus writers.

Linux is perhaps the biggest rival of the Windows operating system. While it isn't as widely used, Linux has established a reputation for being much more reliable and secure. This is true for several reasons, most of which experienced Linux users are already familiar with. For those of you new to the system, this article detail how Linux stacks the deck against a typical computer virus.

How Viruses Attack Linux Systems

In order for a virus to infect binary executables on a Linux system, those files must be written by the user attempting to execute the infection. This situation in itself is very unlikely. In most cases, these programs are controlled by the root user and being run from a non-privileged account. In a Linux environment, a user with the least experience is less likely to control an executable program. Because of this, the users with little knowledge about viruses are less likely to have home directories susceptible to infection.

Most Linux networking programs are specifically designed without the high-level macros which have allowed many Windows-based viruses to spread at such a rapid rate. This is not an inherent feature, but simply a reflection of the major differences between the two system,s as well as differences in the products aimed at those platforms.

Linux Bliss

Although Linux has been known for its high level of security, there have been a few notable outbreaks. One such threat was Bliss, the second virus written for the Linux platform. Like most viruses, Bliss attempted to attach itself to executables, files regular users typically do not have access. It has been speculated that this infection was scripted simply to prove that Linux could be compromised. However, the Bliss virus doesn't have the ability to propagate with efficiency due to the complex structure of the user privilege system. Though it is one of the only Linux viruses to be seen in the wild, Bliss never reached widespread popularity.

Upon being released, many anti-virus companies distributed a number of reports stating that Linux users should implement anti-virus software due to the Bliss outbreak. This practice never caught on, as Bliss never caused any major damage.

Experts believe that the reason we haven't witnessed a true Linux virus outbreak is because an infection cannot reach its full potential in the system's hostile environment. At the same time, there is always the possibility that the virus coders will get it right one day. It does, however, speak highly of the system's well-crafted design, indicating that a virus must be rather sophisticated to thrive on the Linux platform.

The First Linux Virus


From the outside looking in, one would believe that viruses were an equal threat to all computer users. While this is true in a sense, some users are much more vulnerable than others. For years, Linux has been known as the more secure option for an operating system. Although the Windows platform is designed with many useful features, Linux was designed with security in mind, making the system superior in the minds of its users.
Even though Linux isn't a prime target for malicious coders, it has been successfully exploited by a few computer infections. Staog was the first virus ever scripted for the Linux operating system. It was initially detected in the fall of 1996, with the exploited vulnerabilities being discovered shortly thereafter. Considering the system's strong design, experts in the software security industry were stunned.
Staog was able to exploit Linux despite the system's design which calls for users and applications to login before any questionable operations can occur. The virus functioned by exploiting vulnerabilities in the kernel, which enabled it to stay resident in the memory. From there, it infected executable binary files. Because it mainly relied on bugs, software upgrades made the system immune to the virus. This factor, along with its weak method of distributing itself, made Staog fairly easy to manage.
Staog was written by VLAD, a well known group from the hacking community. This Australian-based group is also responsible for scripting Boza, the first virus written for Windows 95. The first Linux virus has not been listed in the wild since the initial outbreak. Despite that brief threat of Staog, viruses typically have limited ability to change or severely impact the system.
The Truth about Linux Viruses
One the biggest vulnerabilities of the Linux system are the users who have the misconception that it cannot be infected by computer viruses. Several people believe that any non-Windows system is secure and doesn't need the aid of additional software to ward off viruses. This is far from the truth and a major reason why more viruses are being written for the system.
Many security experts believe that the growth in Linux malware is the result of its evolution and popularity, particularly as a desktop system. Shane Coursen, a senior technical consultant for Kasperky Lab, believes that more users are turning to Linux because of the interest in learning how to write malware for the system.
Most viruses written for Linux pose a potential, yet minimal threat to the system. If a virus infected binary file is run, the entire system could be infected. The distribution of the infection depends on which particular user with what level of privileges executed the binary. A binary run under the systems root account would have the ability to infect the entire system.
There are many other solutions for protecting Linux other than anti-virus software. For instance, software repositories greatly reduces the chance of viruses and other malware. These repositories are throughly checked before distribution to ensure that they are malware free.
Just like with any system, the best protection against common threats is prevention. This includes carefully surfing the web and handling emails on your Linux computer.