A computer worm is a type of malicious software that self-replicates, infecting other computers while remaining active on infected systems.
Worms can often go unnoticed until their uncontrolled replication process consumes system resources, halting or slowing the infected computer. Along with computing resources, networks can become congested by traffic associated with worm propagation.
What is the difference between a virus and a worm?
The term virus is often used as a generic, catch-all reference to any type of malware, but technically this is incorrect.
A virus, like its biological counterpart, does not reproduce or spread on its own. It is a mutating program that injects malicious code into existing applications and relies on their functionality or on user action to spread.
In contrast, worms are self-replicating and require no human intervention to spread once started.
How do computer worms spread?
An early example is the Morris worm. The Morris worm was one of the first internet worms and was written to highlight security flaws rather than cause damage.
It spread by exploiting known vulnerabilities, like those that would now be listed on CVE, in Unix sendmail, finger and rsh/rexec, as well as weak passwords. At its height, the Morris worm was running on nearly 10 percent of all internet-enabled computers at the time.
However, the malicious code could infect a machine multiple times, and each additional process would slow it down, eventually to the point of being unusable.
This mistake turned a potentially harmless intellectual exercise into a denial-of-service attack and caused its creator Robert Morris to be the first person convicted under the United States' 1986 Computer Fraud and Abuse Act.
WannaCry targeted versions of Microsoft Windows operating systems that used Server Message Block (SMBv1), an outdated resource sharing protocol.
Once the target system was infected, the worm would install a program that encrypted the user's files and demanded a ransom. It would then look for new victims by sending SMBv1 requests; any host that responded would be infected by the self-replicating malware.
Another common method is email worms. Email worms create and send outbound emails to every address in a user's contacts. The messages contain a malicious email attachment that infects the new system when the recipient opens it. This type of malware can be used in conjunction with social engineering, like phishing or spear phishing, to greatly increase the probability of successful infection.
Before widespread use of computer networks, worms spread through infected external hard drives, CDs, floppy diskettes and USBs.
Stuxnet, one of the most notorious computer worms, spread through infected USBs. Stuxnet targets supervisory control and data acquisition (SCADA) systems which are commonly used by power utilities, water supply services, sewerage plants and other industrial environments. It is believed Stuxnet was a targeted cyber attack designed to sabotage Iran's nuclear weapon production.
What damage can computer worms cause?
It depends on the type of computer worm and the desires of its creator. Some worms are used to spread other types of malware for cybercrime like corporate espionage and others are used to highlight particular security vulnerabilities but do no real damage (minus network congestion).
Many of the first computer worms were proofs of concept designed to do nothing more than infect computers and reproduce themselves in the background. Often the only way to identify an infection was when a worm made too many copies of itself and caused the system to slow.
It is common to use the worm to gain initial access to a system and then use privilege escalation to extend that access.
What are the different types of computer worms?
There are several types of computer worms:
- Worm virus hybrids: A piece of malware that spreads like a worm and modifies itself like computer viruses or contains another malicious payload like a trojan, spyware or rootkit.
- Bot worms: Designed to infect computers and turn them into zombies or bots, which can be used in coordinated distributed denial-of-service attacks (DDoS attacks) through botnets. Conficker, a 2008 worm, infected millions of computers and created vast botnets.
- Instant messaging worms: Spread through instant messaging services by installing a malicious software program that gains access to contact lists on victim computers. The first large IM worm outbreak was reported in the Netherlands and spread through MSN Messenger through a malformed WMF file called xmas-2006 FUNNY.jpg.
- Email worms: Spread through malicious email attachments that appear to be legitimate mail. The ILOVEYOU worm targeted victims who opened an infected email attachment and then sent itself to all the victim's contacts in Microsoft Outlook. Though it technically requires some level of user interaction, the virus reportedly infected as many as 45 million people by May 4, 2000 forcing many enterprises to shut down their email services.
- Ethical worm: Designed to propagate across networks and install patches for known security vulnerabilities like those listed on Common Vulnerabilities and Exposures.
- File-sharing worms: Take advantage of the fact that file-sharers don't know exactly what they are downloading. The worm copies itself into a shared folder, users unwittingly download it, and the new copy repeats the process. "Phatbot", which spread to millions of computers in 2004, was able to steal sensitive data like credit card details, as well as personally identifiable information (PII) and protected health information (PHI).
How to prevent computer worm infections
Common prevention mechanisms include:
- Use a network intrusion detection system.
- Keep operating systems and other software up to date to reduce the cybersecurity risk of newly discovered vulnerabilities.
- Use firewalls to reduce access to systems by malicious software.
- Install antivirus software to prevent malicious software from running.
- Encrypt sensitive data stored on computers, web servers and smartphones.
- Use DMARC to prevent email spoofing.
- Invest in cybersecurity awareness training and OPSEC to prevent social engineering attacks like phishing and spear phishing.
- Employ defense in depth.
- Develop an information security policy.
- Prevent domain hijacking with DNSSEC.
- Educate staff about the importance of SSL certificates and the dangers of public Wi-Fi based man-in-the-middle attacks.
- Invest in a tool that can help combat typosquatting.
- Back up files to reduce the risk of ransomware worms.
In the end, preventing computer worms is about information risk management and education. Many worms continue to spread because of old, unpatched computers that should have been updated years ago. Don't rely on digital forensics and IP attribution to clean up after successful cyber attacks; computer security should be focused on prevention.
With increased outsourcing and vendors with poor security standards come increased worm infections, data leaks and data breaches. Even if your internal security is good, you can be infected with a computer worm via a secondary infection on an internal network that a third-party vendor has access to. This is known as third-party risk and fourth-party risk (the risk introduced by your vendors' vendors).
As much as possible, look for vendors with SOC 2 assurance and develop a third-party risk management framework and cybersecurity risk assessment process. If you're not sure where to start, see our vendor risk assessment template and learn to plan your vendor security questionnaire.
How to detect computer worms
Detecting a computer worm can be difficult, but there are some common symptoms:
- Degradation of computer performance
- Unexpected freezing or crashes
- Unusual system behavior
- Programs executing or terminating without user interaction
- Sudden appearance or disappearance of files
- Warning messages from your operating system or antivirus software
- Email messages sent without user action
The April-June 2008 issue of IEEE Transactions on Dependable and Secure Computing described a new way to detect and combat internet worms. The authors suggest using software to monitor the number of scans a machine on a network sends out. When a machine starts to send out too many scans, it may be infected, and administrators should be notified so they can take it offline and check it for malware.
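The scan-count heuristic described above, as an added example that is neither the paper's code nor UpGuard's: it runs over constructed outbound connection-attempt records, counts the distinct destination hosts each source contacts per fixed window, and flags sources above a threshold, also reporting the share of refused attempts, since a worm sweeping unused addresses fails far more often than a normal client. The log format, window size and threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real traffic. One record per line:
# "<ISO timestamp> <src ip> <dst ip>:<port> <result>"
# 10.0.0.5 behaves like a normal client; 10.0.0.7 sweeps 10.0.2.0/24 on
# port 445 in a few seconds, the pattern an SMB worm produces.
BENIGN = [
    "2024-05-01T10:00:00 10.0.0.5 10.0.1.20:443 ok",
    "2024-05-01T10:00:02 10.0.0.5 10.0.1.21:443 ok",
    "2024-05-01T10:00:05 10.0.0.5 10.0.1.20:443 ok",
    "2024-05-01T10:00:09 10.0.0.5 10.0.1.30:25 ok",
]
SWEEP = [f"2024-05-01T10:00:{i % 10:02d} 10.0.0.7 10.0.2.{i}:445 refused"
         for i in range(1, 41)]
SAMPLE_LOG = "\n".join(BENIGN + SWEEP)

EPOCH = datetime(1970, 1, 1)  # reference point for aligning windows


def parse(line):
    ts, src, dst, result = line.split()
    return datetime.fromisoformat(ts), src, dst.split(":")[0], result


def detect_scanners(log_text, window_seconds=10, max_new_hosts=20):
    """Flag sources that contact more than max_new_hosts distinct hosts
    within one window. Returns {src: (window_start, distinct_hosts,
    failure_ratio)} keeping the worst window per source."""
    window = timedelta(seconds=window_seconds)
    buckets = defaultdict(lambda: {"hosts": set(), "attempts": 0, "failed": 0})
    for line in log_text.splitlines():
        ts, src, dst_host, result = parse(line)
        # fixed windows aligned to EPOCH so one burst lands in one bucket
        start = EPOCH + ((ts - EPOCH) // window) * window
        bucket = buckets[(src, start)]
        bucket["hosts"].add(dst_host)
        bucket["attempts"] += 1
        if result != "ok":
            bucket["failed"] += 1
    alerts = {}
    for (src, start), bucket in buckets.items():
        distinct = len(bucket["hosts"])
        if distinct > max_new_hosts and (src not in alerts or distinct > alerts[src][1]):
            ratio = bucket["failed"] / bucket["attempts"]
            alerts[src] = (start.isoformat(), distinct, ratio)
    return alerts


if __name__ == "__main__":
    for src, (start, hosts, ratio) in detect_scanners(SAMPLE_LOG).items():
        print(f"{src}: {hosts} hosts in window {start}, {ratio:.0%} refused")
```

The threshold should be tuned per network segment: a vulnerability scanner or a mail relay will legitimately exceed it and needs an allowlist rather than a lower bar.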
How to remove computer worms
If you can identify the particular worm that has infected the system, there may be specific instructions or tools designed to remove the infection.
During the removal process, disconnect from the Internet, remove any storage devices and scan them separately for the host file. Once the system has been disconnected, you can follow the instructions, run the tool or reformat the computer.
How UpGuard can improve your organization's cybersecurity
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.