Worms: Understanding the Behavior and Operation

How do worms differ from viruses, how do they enter computers, and what are advanced worms capable of? Watch Skylar Simmons explain more.
In this video, we’re going to talk about worms and their ability to self-replicate themselves through a network. And in this first video, we’re going to discuss the capabilities, behaviours, and operations of a worm. So what is a worm? A worm is a class of malware that’s similar to a virus in functionality, but it can spread without the use of user interaction. And what do we mean by that? When we talked about viruses in the last video, we mentioned that in order for a virus to infect a machine, there were several things that would have to happen. The user would first have to download, obtain, install this malicious piece of software.
And this was definitely something you saw back in the old days with large media sharing places like Piratebay, or something like that. Once they would’ve installed the application and they would execute it, the malicious code that was embedded inside would execute, and that would infect the machine. That’s how viruses worked. With worms, part of that is taken away because, in the case of a virus, once that machine was infected, it was just that machine. You couldn’t go anywhere else without another user then going and installing something. In the case of worms, it’s different. Once on a machine, it can begin to propagate itself through a network without user interaction.
So it does require, and this is the next bullet point here, or enters a computer through vulnerability or social engineering, that initial foothold, that initial compromise, does require user interaction, typically– at least somewhere in the chain. We’ll talk about some examples where that may not have been the case. But for the most part, there definitely has to be a vulnerability present, or some sort of social engineering attack. A social engineering attack is those email attachments that we talked about. The email says it saw this thing, or click here for xyz thing to happen. You click there, you execute the malicious payload, and now you’ve been infected.
Once on a system, a worm can leverage network protocols and additional vulnerabilities to propagate itself. And this is really where a worm separates itself from what a virus is. A worm is able to, once they have a foothold on a network, look for other machines that it can communicate with, and then either look for vulnerabilities, take advantage of vulnerabilities that are present, or just use network protocols to move itself around. And by network protocols, we’re talking about SMB, or SSH, or something along those lines, and we’ll see more about this as we start talking about more malware. More advanced forms leverage encryption, wipers, and ransomware to attack their hosts. And what do we mean by that?
It means that when a worm’s talking to another replication of itself, it can be using encryption on the data streams, it can encrypt the host that it’s on to make it so that the users can’t do anything with it, like a ransomware attack. Or it may not even do that. It may be way more destructive than that and actually delete all the data off the disc, just so that it’s unrecoverable and there’s no forensic footprint other than its indicators that anyone can do anything with. So the big takeaway here is that worms can spread without user interaction. That is a significant difference between a worm and a virus.
And then this next video, we’re going to talk about probably one of the most famous worms, if not the most famous worm of all time– that’s Stuxnet. It came out around 2010, or at least it was discovered in 2010, and it has a really interesting history. So we’re going to talk about the next.

In the video, you will learn about worms, how they differ from viruses, how they enter computers, and the capabilities of more advanced worms. The main takeaway is that worms can spread without user interaction.
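Because a worm spreads by reaching out to other machines over protocols such as SMB or SSH, one defensive signal is a single internal host contacting many distinct peers on those ports in a short time. The sketch below is an added example, not part of the course material; the flow-record layout, the 60-second window, the threshold of 5 and all sample records are constructed assumptions.

```python
from collections import defaultdict, deque

# Ports for the two protocols named in the video: SSH (22) and SMB (445).
WATCHED_PORTS = {22: "ssh", 445: "smb"}

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # An administrator reaching six servers over SSH, ten minutes apart.
    [(1000 + 600 * i, "10.0.0.5", f"10.0.1.{i}", 22) for i in range(6)]
    # One host touching eight different peers over SMB within 15 seconds.
    + [(1100 + 2 * i, "10.0.0.9", f"10.0.2.{i}", 445) for i in range(8)]
    # A repeat connection to an already-seen peer must not raise the count.
    + [(1105, "10.0.0.9", "10.0.2.3", 445)]
    # Web traffic on an unwatched port is ignored.
    + [(1200 + i, "10.0.0.7", f"203.0.113.{i}", 443) for i in range(10)]
)


def find_fanout(flows, window_s=60, threshold=5):
    """Return {(src, proto): peak distinct destinations} for every source that
    reached `threshold` distinct peers on one watched protocol inside any
    `window_s`-second sliding window."""
    recent = defaultdict(deque)  # (src, proto) -> (ts, dst) pairs still in window
    peaks = {}
    for ts, src, dst, port in sorted(flows):
        proto = WATCHED_PORTS.get(port)
        if proto is None:
            continue
        key = (src, proto)
        window = recent[key]
        window.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while window and window[0][0] < ts - window_s:
            window.popleft()
        distinct = len({d for _, d in window})
        if distinct >= threshold:
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks


if __name__ == "__main__":
    for (src, proto), count in find_fanout(SAMPLE_FLOWS).items():
        print(f"{src} contacted {count} distinct hosts over {proto} within 60s")
```

Counting distinct destinations rather than connections keeps a busy file server client from being flagged for repeated traffic to the same share.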

Have your say: How would you explain a worm in your own words?

This article is from the free online

Cyber Security Foundations: Common Malware Attacks and Defense Strategies

Created by
FutureLearn - Learning For Life
