How Things Work: Computer worms

Computer worms like Conficker take advantage of computer vulnerabilities. With weak password protection, computer worms can easily navigate through the computer to replicate themselves and infect other files. (credit: Courtesy of Wikimedia Commons)

Since its detection in November 2008, the Conficker worm — also known as Downadup, Downup, and Kido — has spread and infected between 9 and 15 million computers, according to reports from CNN and United Press International. This makes it the largest computer worm infection since the SQL Slammer from 2003, which slowed down Internet traffic considerably.

A virus is a piece of harmful code that replicates itself and attaches itself to existing programs when infecting a computer. It usually affects certain files on the target computer. Computer worms, on the other hand, are self-replicating computer programs capable of transmitting copies of themselves over a network to other targets. These worms might also carry with them a payload program, which is capable of more malicious attacks than simple self-replication and transmission. Most malicious attacks are targeted at certain vulnerabilities of programs or operating systems. Creators of worms exploit these vulnerabilities and program their worms to multiply and transmit copies to all reachable computers that have the same vulnerabilities.

The Conficker worm exploited the MS08-067 vulnerability in the Windows Server and XP operating systems. The vulnerability allows computers to transmit information between each other. Microsoft has since issued various patches to fix the problem. However, all unpatched computers are still vulnerable.

The worm has evolved over the 15 months it has been known to exist. Today there are five different variants of this worm, making it more difficult to identify the total number of infected computers or to eradicate the worm entirely. While the first variants relied solely on network transmission of copies of the worm itself, the newer variants are capable of replicating and transferring themselves to other computers via removable flash media. These two means of worm propagation have enabled the Conficker worm to infect a large number of computers in two years. That the Conficker worm can gain control over computers on a network with weak passwords has enabled it to infect computers in supposedly high-security networks as well. The list of infected computers includes some in the United Kingdom Ministry of Defense and the unified armed forces of Germany.

Studies by Felix Leder and Tillmann Werner at the University of Bonn in Germany have shown that once settled in a computer, the worm will try to download updates to its software from any of a number of randomly generated IP addresses. This program might also contain code that causes the infected “zombie” computers to perform some action. What this action might be is not yet known, but theoretically it can have catastrophic effects on national defense and finance, among other things. The newer versions of the worm also appear to patch the underlying operating system vulnerability so it cannot be fixed as easily by updates or software, keeping the computer open to reinfection. Anti-virus company Symantec has shown that the two latest variants of Conficker also use peer-to-peer communication to check for infected computers before communicating with them and downloading updates. All of these techniques ensure the survival of the worm within an infected computer by downloading updates to the worm’s existing software.

Independent studies by SRI International and Symantec have enumerated the self-defense mechanisms that the Conficker worm has in place to protect itself once inside an infected machine. The first variant of this worm had no self-defense mechanisms, and the next few variants only prevented the computer from updating itself and thereby prevented patching of the vulnerabilities. The latest variants disable auto-update, disable safe mode, prevent the operation of anti-malware tools, and also restrict access to anti-malware sites, effectively rendering the computer completely helpless.
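The symptoms listed above can be turned into a simple triage check for a single machine. The sketch below is an added example, not code from SRI International, Symantec, or any removal tool; the snapshot fields, host names, and thresholds are constructed assumptions. It treats blocked anti-malware sites as a symptom only when ordinary sites still resolve, so a machine that is merely offline is not flagged.

```python
# Added example: field names, hostnames and thresholds are constructed
# assumptions, not taken from any vendor tool.

def security_sites_blocked(dns_results):
    """True when every security site fails while every control site resolves.

    dns_results maps hostname -> (category, resolved). A host that cannot
    resolve anything is offline, which must not be read as selective blocking.
    """
    security = [ok for cat, ok in dns_results.values() if cat == "security"]
    control = [ok for cat, ok in dns_results.values() if cat == "control"]
    if not security or not control:
        return False  # no basis for comparison
    return not any(security) and all(control)

def triage(snapshot):
    """Return (findings, verdict) for one host snapshot."""
    findings = []
    if not snapshot["auto_update_enabled"]:
        findings.append("auto-update disabled")
    if not snapshot["safe_mode_boots"]:
        findings.append("safe mode disabled")
    blocked = sorted(t for t, ok in snapshot["tools_started"].items() if not ok)
    if blocked:
        findings.append("anti-malware tools blocked: " + ", ".join(blocked))
    if security_sites_blocked(snapshot["dns"]):
        findings.append("anti-malware sites unreachable")
    # Assumed thresholds: one symptom may be misconfiguration; several
    # together match the behaviour described for the latest variants.
    if len(findings) >= 2:
        return findings, "isolate and scan"
    return findings, "review" if findings else "no symptoms"

# Constructed snapshots for illustration.
SUSPECT = {
    "auto_update_enabled": False,
    "safe_mode_boots": False,
    "tools_started": {"scanner-a": False, "scanner-b": True},
    "dns": {"av-vendor.example": ("security", False),
            "os-updates.example": ("security", False),
            "news.example": ("control", True)},
}
OFFLINE = {
    "auto_update_enabled": True,
    "safe_mode_boots": True,
    "tools_started": {"scanner-a": True},
    "dns": {"av-vendor.example": ("security", False),
            "news.example": ("control", False)},
}

if __name__ == "__main__":
    for name, snap in (("suspect", SUSPECT), ("offline", OFFLINE)):
        print(name, triage(snap))
```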

While it may seem difficult to clean an infected computer, most anti-virus companies offer a free download of the Conficker removal tool which can be run from a flash drive. It is true that the Conficker worm cannot infect a computer that has been cleaned and patched to cover the particular vulnerability that it exploits. Microsoft has issued this patch, and it is available as a free download to all users of genuine Windows operating systems. This leaves all pirated versions of Windows still vulnerable to the worm, and this is a particularly pressing problem in third-world countries where most operating systems are pirated.

While this computer worm uses advanced malware techniques that are well-known and researched, its use of multiple techniques has made the worm particularly hard to eradicate. The creators of the Conficker worm have not yet been identified, and Microsoft has issued a $250,000 reward for any information leading to their arrest and conviction. So far, Ukraine is most likely the origin of the worm, although no hard evidence has been produced. In the meantime, the only possible way to completely eradicate the worm is to disinfect infected computers and then patch them.