Worms and How They Function

A worm is a different type of malware altogether. Viruses require user intervention for their infection to take place, such as the opening of a file or the booting of a computer. In the case of worms, however, no user action is required. A worm is a self-replicating piece of software that combines the convenience of computer networks with the power of malware. Worms also differ from viruses in that viruses require a host program to stay resident. A worm does not require this and is actually self-contained. Worms also can cause substantially more harm than a virus, which is typically limited to corrupting data and applications.

The earliest recognized worm is now known as the Morris worm. This worm exhibited some of the traits associated with today’s worms, particularly the ability to rapidly replicate. At the time the Morris worm was unleashed, the Internet was small compared with its size today, but the effect was no less devastating. The worm replicated so rapidly and aggressively that networks were clogged with traffic and brought down. Estimates at the time placed the damage from the outbreak at $10 million (not adjusted for inflation).

One worm that caused widespread damage was the SQL Slammer, or Slammer, worm. The Slammer worm was responsible for widespread slowdowns and denials of service on the Internet. It was designed to exploit a known buffer overflow in Microsoft’s SQL Server and SQL Server Desktop Engine products. Even though Microsoft had released a software patch six months before the actual infection, many had neglected to install the patch, and therefore the vulnerability still existed on many systems. As a result, in the early morning hours of January 25, 2003, the worm became active and in less than 10 minutes had infected 75,000 machines.

How Worms Work

Worms are relatively simple in design and function but are very dangerous because of the speed and effectiveness with which they spread. Most worms share certain characteristics that help define how they work and what they can do. The characteristics are as follows:

  • They do not need a host program to function.

  • They do not require user intervention.

  • They replicate rapidly.

  • They consume bandwidth and resources.

Worms can also perform some other functions, including the following:

  • Transmitting information from a victim system

  • Carrying a payload, such as a virus

Examining these characteristics in a bit more detail will help you understand how a worm works and the challenges worms pose to a security professional. Worms differ from viruses in two key ways:

  • A worm can be considered a special type of malware that can replicate and consume memory but cannot attach to other programs.

  • A worm spreads through infected networks automatically, whereas a virus does not.

One of the main characteristics of worms is that, unlike viruses, they do not need a host program to function. Worms are designed to function by leveraging vulnerabilities on a target system that are generally unknown or unpatched. Once a worm locates one of these vulnerabilities, it infects the system and then uses the system to spread and infect other systems. A worm performs all these functions by using the system’s own processes to do its job, but it does not require any host program to run before starting the initial process.

Another characteristic that differentiates worms from other malware is their ability to run without user intervention. Viruses, for example, require a host program to be executed for the infection to begin; worms simply need the vulnerability to exist for the process to take place. In the case of worms, just having a system turned on and connected to the Internet is enough to make it a target. Combine this with the vulnerabilities, and the danger is obvious.

Since the first worm appeared, worms have possessed a feature that makes them a dangerous force to deal with: their ability to replicate very rapidly. One of the features of the Morris worm that even its creator did not expect was that it replicated so rapidly that it choked networks and quite effectively shut them down. This feature has been a characteristic of worms ever since. Worms can replicate so quickly that even their creators are sometimes caught off guard. This replication is made possible by a number of factors, including poorly maintained systems, networked systems, and the number of systems linked via the Internet.

Probably the most visible or dramatic feature of worms is their consumption of resources, which shows up as a side effect. Mix into this equation of speed and replication the number of computers on the Internet, and you have a situation that leads to bandwidth resources being consumed on a huge scale. Worms such as Slammer caused massive slowdowns on the Internet because of the scans they sent out looking for vulnerable systems and the way they moved their payloads around. Additionally, the worm consumed resources on infected systems as it replicated off the system, using system resources to do so.

In recent years some new characteristics have been added to the behaviors of worms, one of which is the ability to carry a payload. Although traditionally worms have not directly damaged systems, worms that carry payloads can do all sorts of mischief. One of the more creative uses of worms has been to perform “cryptoviral extortion.” The worm drops off a payload that looks for specific file types (such as DOC or DOCX files) and encrypts them. Once this has taken place, the worm leaves a message for the user offering to reveal the encryption key after the user pays a certain amount of money. This type of malware has become so popular and pervasive that it now has its own name: ransomware.

Stopping Worms

At the core of the worm problem are operating systems that have overlooked or unpatched vulnerabilities. Operating system vendors and maintainers have made concerted efforts to release patches regularly to address issues in their operating systems, including vulnerabilities that worms could use to spread. The problem becomes one of knowing that patches are available for a system and applying them. This problem becomes even bigger when you realize that worms aren’t restricted just to corporate systems; they can also hit home users, who are more likely to miss patches. In some cases, patches are not yet released for a vulnerability. This leads to what is called a zero-day exploit, in which a hole can be exploited immediately.
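
To put numbers on why patch coverage matters for the rapid replication described earlier, the following added example (not from the book) runs a simple random-scanning epidemic model. The scan rate, the IPv4-sized address space, and treating the 75,000 Slammer figure as the exposed population are assumptions made for illustration.

```python
def seconds_to_saturation(exposed_hosts, patched_fraction, scans_per_second,
                          address_space=2**32, step=1.0, max_seconds=86_400):
    """Discrete SI model of a random-scanning worm.

    Returns the seconds until 90% of the still-vulnerable hosts are infected,
    or None if that never happens within max_seconds.
    All parameters are illustrative assumptions, not measured values.
    """
    vulnerable = exposed_hosts * (1.0 - patched_fraction)
    if vulnerable < 1:
        return None            # everything is patched: nothing to infect
    infected = 1.0             # a single initially infected host
    t = 0.0
    while t < max_seconds:
        if infected >= 0.9 * vulnerable:
            return t
        # A probe succeeds only if the random address it hits belongs to
        # a vulnerable host that is not already infected.
        hit_probability = (vulnerable - infected) / address_space
        infected += infected * scans_per_second * step * hit_probability
        infected = min(infected, vulnerable)
        t += step
    return None


def compare_patch_levels(exposed_hosts=75_000, scans_per_second=4_000):
    """Return {patched_fraction: minutes to saturation (or None)}."""
    result = {}
    for fraction in (0.0, 0.5, 0.9, 1.0):
        secs = seconds_to_saturation(exposed_hosts, fraction, scans_per_second)
        result[fraction] = None if secs is None else round(secs / 60, 1)
    return result


if __name__ == "__main__":
    for fraction, minutes in compare_patch_levels().items():
        print(f"patched {fraction:.0%}: saturation after {minutes} min")
```

Under these assumptions the unpatched population saturates within minutes, while each increase in patch coverage both shrinks the pool of victims and stretches the time available to respond.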

The Power of Education

Just like with viruses, education is key to stopping worms. Worms are frequently spread via email or other messaging applications with attention-getting subjects like ILOVEYOU, for example. These subjects prey on a user’s curiosity—the user opens the message and unknowingly runs the worm in the background. Add in attacks such as phishing, which further pique a user’s curiosity, and you have a problem that only education can address.

Antivirus and Firewalls

One of the primary lines of defense against worms is reputable anti-malware applications. Having an antivirus/anti-malware application on a system helps prevent a worm infection—but only if it is kept up to date. Modern and up-to-date antivirus/anti-malware applications can easily stop most worms when they appear.

Another way to stop worms is the firewall. The firewall is a valuable tool because it can block the scans to and from a system that worms use to spread the infection and deliver it from an infected system to other systems. Nearly all current operating systems include this feature as part of the core system.
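
The scans mentioned above also give defenders something to detect: a worm-infected host contacts many distinct addresses on one port in a short time. The sketch below is an added example, not from the book; the flow-record format, addresses, port, window, and threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: "epoch_seconds src dst proto dst_port".
# 10.0.0.23 fans out like a scanning worm; the other hosts are ordinary clients.
SAMPLE_FLOWS = "\n".join(
    [f"{1000 + i} 10.0.0.23 192.0.2.{i + 1} udp 1434" for i in range(40)]
    + [
        "1003 10.0.0.5 198.51.100.10 tcp 443",
        "1004 10.0.0.5 198.51.100.11 tcp 443",
        "1010 10.0.0.7 198.51.100.10 tcp 443",
        "truncated record that must be skipped",
        "1500 10.0.0.5 198.51.100.12 tcp 443",
    ]
)


def parse_flows(text):
    """Yield (ts, src, dst, proto, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], parts[3], int(parts[4])
        except ValueError:
            continue


def find_scanners(text, window=60, threshold=30):
    """Return {src: (proto, port, peak)} for sources whose peak count of distinct
    destinations on one proto/port within `window` seconds reaches `threshold`."""
    by_key = defaultdict(list)
    for ts, src, dst, proto, port in parse_flows(text):
        by_key[(src, proto, port)].append((ts, dst))
    alerts = {}
    for (src, proto, port), events in by_key.items():
        events.sort()
        start, peak, live = 0, 0, defaultdict(int)
        for ts, dst in events:
            live[dst] += 1
            while events[start][0] <= ts - window:  # expire old events
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= threshold and peak > alerts.get(src, ("", 0, 0))[2]:
            alerts[src] = (proto, port, peak)
    return alerts
```

Calling `find_scanners(SAMPLE_FLOWS)` flags only 10.0.0.23; a host flagged this way is a candidate for isolation at the firewall while it is investigated.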
