A worm is a type of malware or malicious software that can replicate rapidly and spread across devices within a network. As it spreads, a worm consumes bandwidth, overloading infected systems and making them unreliable or unavailable. Worms can also change and delete files or introduce other malware.
A worm is not a virus, although like a virus, it can severely disrupt IT operations and cause data loss. A worm is actually much more serious than a virus because once it infects a vulnerable machine, it can “self-replicate” and spread automatically across multiple devices without any user action.
Software vulnerabilities provide a path for worms to infect machines. Spam email or instant message (IM) attachments are also a delivery method. The messages use social engineering to get users to think the malicious files are safe to open. Removable drives, like USB drives, can also deliver worms.
Worms self-replicate automatically. They spread by using automatic file sending and receiving features that have been enabled, intentionally or not, on network computers. Once a worm has infected a computer, it installs itself in the device’s memory and can then transfer itself to other machines.
The 3 stages of a worm attack
The initial phase of a worm attack occurs when the worm is first installed on a vulnerable machine. The worm may have been transmitted through a software vulnerability. Or, it may have arrived through a malicious email or IM attachment or a compromised removable drive.
Once a worm is installed on a vulnerable device or system, it begins to self-replicate automatically. Through propagation, the worm makes its way to other new targets in the network—consuming bandwidth and hard-drive space and undermining device and system performance as it spreads.
In the last stage of a worm attack, the malicious actor behind the campaign tries to increase their level of access to the targeted system. Over time, they could gain access rights equivalent to those of a system administrator. From there, the adversary can cause significant damage, including data theft, and potentially gain access to multiple systems.
Once a worm has propagated throughout a device or system, it continues to spread automatically, using vulnerabilities in other systems attached to the system initially targeted. This is how malicious actors gain access to multiple systems. Some cyber criminals will even go on to use these systems in a botnet—a network of infected computers that can send spam, steal data, and more.
4 steps to respond to a worm attack
The first step in mitigating a worm attack is to move swiftly to contain the spread of the worm and determine which machines are infected, and whether these devices are patched or unpatched. Infected machines must be isolated from machines that are not yet infected.
Once it is clear which parts of the network the worm has infected, and those parts have been contained, other vulnerable systems must be scanned and patched. Patching the vulnerabilities the worm is using to spread will help contain the attack.
In this third step of worm mitigation, infected machines are isolated and then disconnected and removed from the network. If removal is not possible, then the infected machines need to be blocked from connecting to and accessing the network.
This last step in the worm mitigation process involves remediating the attack as well as addressing any other necessary patching of machines and systems. Depending on the severity of the attack, infected systems may need to be reinstalled entirely to ensure a thorough cleanup from the event.
Containing worm attacks requires coordination among everyone responsible for network management. Without a coordinated response, mitigating worm attacks can be even more challenging—if not impossible. Even very small IT teams should have a clear, systematic plan in place for mitigating worm attacks.
Businesses of all sizes should be prepared to respond to a worm attack. According to Cisco network consulting engineers, preparation includes taking inventory of all primary business and IT resources as well as determining who will authorize business decisions throughout an incident.
Preparation for a worm attack also includes establishing open lines of communication and compiling a list of key contacts. It is also important to maintain updated contact details for relevant ISPs (Internet service providers).
Another strategy for worm attack preparation is to collect links to Internet sites that provide current, reliable details of security threats and Internet worm activity. Some examples of these sites are www.dshield.org and www.securityfocus.com, which manages the Bugtraq electronic mailing list.
Identification is about confirming that the incident is, in fact, a worm attack. And classification involves categorizing the worm—for example, is the worm an Internet worm or an email worm?
Tracing the source of the worm is a type of reverse engineering process.
Reacting to a worm attack involves isolating and repairing targeted systems.
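The identification and reaction phases above, together with the containment and patching steps listed earlier, as an added example that is not part of the original article: a small Python triage routine that flags hosts showing worm-like fan-out in constructed flow records and maps each host in a constructed inventory to an isolate, patch, or monitor action. The fan-out threshold, host names, and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_ip, dst_port). Host 10.0.0.5
# fans out to 40 distinct peers on one port, the propagation pattern of a
# scanning worm; host 10.0.0.7 only talks to two internal servers.
FLOWS = [("10.0.0.5", "10.0.0.%d" % i, 445) for i in range(20, 60)] + [
    ("10.0.0.7", "10.0.0.1", 443),
    ("10.0.0.7", "10.0.0.2", 443),
    ("10.0.0.7", "10.0.0.1", 80),
]

# Constructed asset inventory: hostname -> (ip, patched against the worm's hole)
INVENTORY = {
    "ws-05": ("10.0.0.5", False),
    "ws-07": ("10.0.0.7", True),
    "ws-09": ("10.0.0.9", False),
    "srv-01": ("10.0.0.1", True),
}

# Hypothetical threshold: distinct destinations reached on one port before a
# source is flagged. Tune it per network; a file server can legitimately fan out.
FANOUT_THRESHOLD = 25


def suspected_infected(flows, threshold=FANOUT_THRESHOLD):
    """Identification: return the set of source IPs whose distinct-destination
    fan-out on a single port reaches the threshold."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[(src, port)].add(dst)
    return {src for (src, port), dsts in peers.items() if len(dsts) >= threshold}


def triage(flows, inventory, threshold=FANOUT_THRESHOLD):
    """Reaction: map every inventoried host to the action the response steps
    call for: isolate infected hosts first, then patch the unpatched ones."""
    infected = suspected_infected(flows, threshold)
    plan = {}
    for host, (ip, patched) in inventory.items():
        if ip in infected:
            plan[host] = "isolate"   # contain: block from the network before anything else
        elif not patched:
            plan[host] = "patch"     # still clean but exposed to the same vulnerability
        else:
            plan[host] = "monitor"   # clean and patched; keep watching the flows
    return plan
```

Run it against real flow exports by replacing FLOWS with (src, dst, port) tuples from your collector; hosts that appear in neither the flows nor the inventory are simply not planned for, so keep the inventory complete.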
After a worm attack, the entire process used to respond to and recover from the event should be documented and analyzed.
This exercise is about more than preparing to respond effectively to future attacks. It’s also about determining what can be done to avoid another attack. For example, if the worm penetrated a network, what vulnerability did it use to obtain access and has that vulnerability been fully addressed?
The worm attack post-mortem is a step that is frequently forgotten or overlooked. But it is critical to both preventing exposure to and defending effectively against future worm attacks, making it well worth the time and effort.