What type of attack is worm?

The primary difference between a virus and a worm is that viruses must be triggered by the activation of their host; whereas worms are stand-alone malicious programs that can self-replicate and propagate independently as soon as they have breached the system. Worms do not require activation—or any human intervention—to execute or spread their code.

Viruses are often attached to or concealed in shared or downloaded files, both executable files (programs that run a script) and non-executable files such as a Word document or an image file. When the host file is accepted or loaded by a target system, the virus remains dormant until the infected host file is activated. Only after the host file is activated can the virus run, executing malicious code and replicating to infect other files on your system.

In contrast, worms don't require the activation of their host file. Once a worm has entered your system, usually via a network connection or as a downloaded file, it can then run, self-replicate and propagate without a triggering event. A worm makes multiple copies of itself which then spread across the network or through an internet connection. These copies will infect any inadequately protected computers and servers that connect—via the network or internet—to the originally infected device. Because each subsequent copy of a worm repeats this process of self-replication, execution and propagation, worm-based infections spread rapidly across computer networks and the internet at large.

How Do Computer Viruses and Worms Spread?

Viruses and worms are a subcategory of malicious programs, aka malware. Any program in this subcategory of malware can also have additional Trojan functions.

Viruses

Viruses can be classified according to the method that they use to infect a computer:

  • File viruses
  • Boot sector viruses
  • Macro viruses
  • Script viruses

Worms

Worms often exploit network configuration errors or security loopholes in the operating system (OS) or applications.

Many worms use multiple methods to spread across networks, including the following:

  • Email: Carried inside files sent as email attachments
  • Internet: Via links to infected websites; generally hidden in the website’s HTML, so the infection is triggered when the page loads
  • Downloads & FTP Servers: May initially start in downloaded files or individual FTP files, but if not detected, can spread to the server and thus all outbound FTP transmissions
  • Instant Messages (IM): Transmitted through mobile and desktop messaging apps, generally as external links, including native SMS apps, WhatsApp, Facebook Messenger, or any other type of ICQ or IRC message
  • P2P/Filesharing: Spread via P2P file sharing networks, as well as any other shared drive or files, such as a USB stick or network server
  • Networks: Often hidden in network packets; though they can spread and self-propagate through shared access to any device, drive or file across the network

How to Protect All Your Devices from Viruses and Worms

Viruses, worms and malware most often exploit security vulnerabilities and bugs. For this reason, it is crucial to keep current with all OS and application updates and patches. Unfortunately, keeping current with updates and being vigilant simply are not enough. There are many exploits and vectors that can get viruses and worms into a network or onto a computer or mobile device.

These days, comprehensive cyber security is mandatory for all your devices—desktops, laptops, tablets and smartphones. To be effective, cyber security solutions must provide real-time protection for all your activities, from emails to internet browsing, not just periodic hard drive scans. Furthermore, today’s best security software products are not static one-time installations with periodic updates. A quality cyber security product is provided as a service, known as SaaS (Software-as-a-Service). This means that in addition to monitoring your devices in real-time, the software itself is updated in real-time with the most current information about existing and emerging threats, how to prevent them and how to repair their damage.

Kaspersky

Virus vs Worm: Viruses are dormant until their host file is activated. Worms are malware that self-replicate & propagate independently once in the system.

The 3 stages of a worm attack

Step 1: Enabling vulnerability

The initial phase of a worm attack occurs when the worm is first installed on a vulnerable machine. The worm may have been transmitted through a software vulnerability. Or, it may have arrived through a malicious email or IM attachment or a compromised removable drive.

Step 2: Automatic replication

Once a worm is installed on a vulnerable device or system, it begins to self-replicate automatically. Through propagation, the worm makes its way to other new targets in the network—consuming bandwidth and hard-drive space and undermining device and system performance as it spreads.

Step 3: Payload delivery

In the last stage of a worm attack, the malicious actor behind the campaign tries to increase their level of access to the targeted system. Over time, they could gain access rights equivalent to those of a system administrator. From there, the adversary can cause significant damage, including data theft, and potentially gain access to multiple systems.

Repeating the process

Once a worm has propagated throughout a device or system, it continues to spread automatically, using vulnerabilities in other systems attached to the system initially targeted. This is how malicious actors gain access to multiple systems. Some cyber criminals will even go on to use these systems in a botnet—a network of infected computers that can send spam, steal data, and more.

4 steps to respond to a worm attack

Step 1: Containment

The first step in mitigating a worm attack is to move swiftly to contain the spread of the worm and determine which machines are infected, and whether these devices are patched or unpatched. Infected machines must be isolated from machines that are not yet infected.

Step 2: Inoculation

Once it is clear which parts of the network the worm has infected, and those parts have been contained, other vulnerable systems must be scanned and patched. Patching the vulnerabilities the worm is using to spread will help contain the attack.

Step 3: Quarantine

In this third step of worm mitigation, infected machines are isolated and then disconnected and removed from the network. If removal is not possible, then the infected machines need to be blocked from connecting to and accessing the network.

Step 4: Treat

This last step in the worm mitigation process involves remediating from the attack as well as addressing any other necessary patching of machines and systems. Depending on the severity of the attack, infected systems may need to be reinstalled entirely to ensure a thorough cleanup from the event.
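
The containment and inoculation steps above depend on knowing which hosts are infected and which are still unpatched. As an added example (not from the original page), this sketch flags hosts showing worm-like fan-out in flow records and turns an inventory into a per-host action list; the log format, thresholds, addresses and the "monitor" label are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port"
FLOWS = """\
1000 10.0.0.5 10.0.0.10 445
1001 10.0.0.5 10.0.0.11 445
1002 10.0.0.5 10.0.0.12 445
1003 10.0.0.5 10.0.0.13 445
1004 10.0.0.5 10.0.0.14 445
1005 10.0.0.7 10.0.0.20 443
1200 10.0.0.7 10.0.0.20 443
1010 10.0.0.8 10.0.0.10 445
1400 10.0.0.8 10.0.0.11 445
"""

# Constructed inventory: host -> True if the exploited vulnerability is patched
INVENTORY = {"10.0.0.5": False, "10.0.0.7": True, "10.0.0.8": False}

def suspected_infected(flow_text, window=60, threshold=5):
    """Hosts that reached >= threshold distinct peers on one port within window seconds."""
    events = defaultdict(list)  # (src, port) -> [(timestamp, dst)]
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, dst, port = parts
        events[(src, port)].append((int(ts), dst))
    flagged = set()
    for (src, _port), recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # slide the window forward
            if len({dst for _, dst in recs[start:end + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged

def response_plan(inventory, infected):
    """Map each host to an action: isolate (infected), patch (exposed), monitor."""
    plan = {h: "isolate" for h in infected}  # includes hosts missing from inventory
    for host, patched in inventory.items():
        if host not in infected:
            plan[host] = "monitor" if patched else "patch"
    return plan

if __name__ == "__main__":
    print(response_plan(INVENTORY, suspected_infected(FLOWS)))
```

The fan-out heuristic only nominates candidates for isolation; confirm each flagged host before moving it to the quarantine step.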

Reaction time is critical, so have a plan

Containing worm attacks requires coordination among everyone responsible for network management. Without a coordinated response, mitigating worm attacks can be even more challenging—if not impossible. Even very small IT teams should have a clear, systematic plan in place for mitigating worm attacks.

Businesses of all sizes should be prepared to respond to a worm attack. According to Cisco network consulting engineers, preparation includes taking inventory of all primary business and IT resources as well as determining who will authorize business decisions throughout an incident.

Preparation for a worm attack also includes establishing open lines of communication and compiling a list of key contacts. It is also important to maintain updated contact details for relevant ISPs (Internet service providers).

Another strategy for worm attack preparation is to collect links to Internet sites that provide current, reliable details of security threats and Internet worm activity. Some examples of these sites are www.dshield.org and www.securityfocus.com, which manages the Bugtraq electronic mailing list.

Identification and Classification

Identification is about confirming that the incident is, in fact, a worm attack. And classification involves categorizing the worm—for example, is the worm an Internet worm or an email worm?

Traceback

This refers to a type of reverse engineering process for tracing the source of the worm.

Reaction

Reacting to a worm attack involves isolating and repairing targeted systems.

Post-mortem

After a worm attack, the entire process used to respond to and recover from the event should be documented and analyzed.

This exercise is about more than preparing to respond effectively to future attacks. It’s also about determining what can be done to avoid another attack. For example, if the worm penetrated a network, what vulnerability did it use to obtain access and has that vulnerability been fully addressed?

The worm attack post-mortem is a step that is frequently forgotten or overlooked. But it is critical to both preventing exposure to and defending effectively against future worm attacks, making it well worth the time and effort.