Self-propagating worms are malicious computer programs which, after being released, can spread throughout networks without human control, stealing or erasing hard drive data, interfering with pre-installed programs and slowing, even crashing, home and work computers. Now a new code, or algorithm, created by Penn State researchers targets the "stealthiest" of these worms, containing them before an outbreak can occur. The algorithm, developed by Yoon-Ho Choi, a postdoctoral fellow in information sciences and technology at Penn State, and his colleagues, defends against the spread of local scanning worms that search for hosts in "local" spaces within networks or sub-networks. This strategy allows them access to hosts that are clustered, which means that once they infect one host, the rest can be infected quickly. There are many types of scanning worms, but Choi calls these worms the stealthiest because they are the most efficient and can evade even the best worm defences.
Drives such as USB sticks infected with the virus trick users into installing the worm, according to researchers. The "Autoplay" function in Vista and early versions of Windows 7 automatically searches for programs on removable drives. However, the virus hijacks this process, masquerading as a folder to be opened. When clicked, the worm installs itself. It then attempts to contact one of a number of web servers, from which it could download another program that could take control of the infected computer.
A computer virus attacking Microsoft Windows has infected almost nine million machines and is spreading faster than ever before. Experts say the worm has "skyrocketed" in recent days. It is sweeping through thousands of offices in the UK and has affected computers at the Ministry of Defence. The virus - known variously as Conficker, Kido or Downadup - burrows deep into the operating system and tricks the machine into running the infected program. Once the worm is running on the computer it automatically starts to download more malicious programs from hackers' websites, with devastating effects.
WORMS, the enemy of PC owners and IT departments everywhere, are about to become a force for good. Beneficial worms will spread rapidly through networks and patch machines before a malicious worm can attack.
Since the first computer worm appeared in 1988, researchers have dreamed of deploying good worms to fight the bad ones. These would be programmed to invade a computer by exploiting the same weak points that bad worms use. But instead of delivering malicious software, the worms would close up the weak spot and so render the computer impervious to further attack.
"We're talking about fighting fire with fire" - David Aitel, programmer at the firm Immunity in Miami, Florida, who developed the worm.
These so-called "patching worms" have previously been used by virus-writing gangs to try to stop the spread of worms deployed by their rivals. Legitimate users have been wary of unleashing patching worms because they are difficult to control, raising fears that the originator would be liable if one were to crash computers it was not designed to patch.
"Even if your intentions are good you are altering the behaviour of someone's machine without their consent" - Jose Nazario, security firm Arbor Net.
Aitel claims to have overcome this problem by programming the beneficial worms to visit only computers on a particular network. The worms, which he calls "nematodes", are programmed with a map of the network that tells them the range of IP addresses of all the machines they are allowed to invade. The first thing they do when they contact a potential beneficiary is to check whether the computer is in their range. If so they will invade; if not, they look for a new host.
Alternatively, the "polite" worms can be programmed to ask a central server for permission to invade. To ensure the infected computer always has access to that central server, Aitel suggests using the domain name system (DNS) server, which is responsible for translating domain names into their numerical IP addresses. All computers on the network must have access to the DNS server at all times, as they contact it each time they visit a web page. If equipped with suitable software, it could also tell the worm whether it was allowed to invade a machine with a particular IP address.
To allow programmers with no worm-writing experience to assemble their own worm, Aitel has developed a programming language called Nematode Intermediate Language (NIL), which breaks a worm down into smaller software modules. He presented it last week at the Black Hat Briefings federal conference in Washington DC.
The company hopes to start selling NIL modules within the next four years.