Computers are gifts of technology to mankind. With the advancement of technology came advanced software and the internet; the whole world got connected in a wink of an eye and accessibility of distant information and knowledge became a child’s play. But as technology brings hazards with itself when handled with bad intention, software became ‘Malware’ in the hands of some people with no good intention and with the help of the internet they started spreading to all the computers connected in the network (Zhang and Ma 573-586).
They have attacked several times till today and will do that in the future also as epidemics had been spread and will be spread by germs to bring disease in the human body. “Malicious software, or malware, is software that enters a computer system without the owner’s knowledge or consent.……….conceal the malware’s malicious actions, or bring profit from the action that it performs” (Ciampa 41). Malware is of various types, as for example, virus, spam, Trojan horse, worm, etc.
One such malware is a worm. A worm is “a program that is designed to take advantage of a vulnerability in an application or an operating system in order to enter a system” (Ciampa 63). One notorious worm that had infected a huge number of computers running Microsoft IIS Web Server through the internet was the Code Red worm. It was first discovered on July 13, 2001, by eEye Digital Security persons Mark Maiffret and Ryan Permet. By July 19, the worm had infected 359,000 hosts (Zhang and Ma 573-586).
The worm works by sending its code in the place of an HTTP address. It takes advantage of a vulnerability of the computer running Microsoft IIS called the Buffer Overflow through which it gets entry into the host computer. “A buffer overflow occurs when a process attempts to store data in random access memory ….This extra data overflows into the adjacent memory locations and under certain conditions may cause the computer to stop functioning” (Ciampa 85). The worm used the vulnerability by running a long string of the repeated character ‘N’ to get entry to the computer. The code gets inserted in a file instead of being saved as one and operates from the memory.
The malicious code checks for the availability of the file C: Notworm and if found the thread does not run. It goes to an indefinite sleep. But if the file C:Notworm is not there and the date is before the 20th of the month the thread creates new threads and attempts to infect new IP addresses in a random manner. While infecting the thread avoids looping back to the source computer (Zhang and Ma 573-586).
There is one more feature of the worm. It causes websites to appear defaced if the default language of the computer is American English. On these computers, the thread creates further threads and runs a function responding to HTTP requests after staying inert for two hours. The correct website is not returned and instead, the own HTML code of the worm is returned. The defaced website looks as below:
“Hacked By Chinese!” (Lemos 1)
This infection stayed on the computer for 10 hours and then was removed. But there was always the fear of repeat infection by other threads. When the date of the month is between 20th and 28th the threads tried to impart a Denial of Service attack on a particular IP address. The website of Whitehouse was affected and had to be changed. Finally, after the 28th of the month, the threads stopped working and went to an indefinite sleeping state (Zhang and Ma 573-586).
There is another version of the worm which was first found on August 4, 2001, called the Code Red II. It was actually a new worm that did not cause the defacing of the websites. Though the worm had created havoc it is not that it can be taken precaution against. Symantec Security Response has devised guidelines for both home and corporate users to prevent the worm from entering computers. A few of them are:
- Complex password systems decrease the vulnerability of a computer to a great extent.
- File sharing should only be turned on when absolutely necessary. If necessary anonymous access should be prevented by using ACLs and complex passwords.
- Unnecessary auxiliary services installed by many operating systems are vulnerable to threads. They must be removed to lessen the chances of attack.
- vbs,.exe,.bat,.pif,.scr extensions might be indicators of threat. These must be blocked by email servers when present as an attachment.
- For corporate offices, it is necessary for the employees to avoid opening unexpected attachments and running downloaded software before scanning them.
- Patch levels need to be updated.
- If a computer appears infected it should be separated and re-installed only after further analysis (Borders 102-113).
Thus, threats keep on changing their appearance and ways of operation. But by adopting security measures it is possible to lessen the chances of infection and threats to the computers.
References
Borders, Kevin. Malnets: large-scale malicious networks and compromised wireless access points.” Security and Communication Networks 3.2-3 (2010): 102-113.
Ciampa, Mark. Security+ Guide to Network Security Fundamentals. Ed 3. NY: Cengage Learning, 2008.
Lemos,Robert. “Code Red worm claims 12,000 servers.” CNET News. CNET News, 2001. Web.
Zhang, Yunkai and Jianfeng Ma. “Modeling and analysis of a self-learning worm based on good point set scanning.” Wireless Communications and Mobile Computing 9.4 (2009): 573-586.