Translated 2020/06/29 12:31:08

Network worm

A worm (network worm) is a type of malware that spreads over network channels, is capable of autonomously overcoming the protection systems of automated and computer systems, creates and further distributes copies of itself (which do not always match the original), and carries out other harmful actions.


The main feature that distinguishes worms from one another is the method by which the worm spreads. Other distinguishing features are the method used to launch the worm's copy on the infected computer, the method of injection into the system, and also polymorphism, stealth and other characteristics that are equally inherent in other types of malware (viruses and Trojan programs).

Types of worms

Depending on how they penetrate the operating system, worms are divided into:

  • Mail worms (Mail-Worm) are worms that spread in the form of e-mail messages. The worm sends either a copy of itself as an attachment to the e-mail, or a link to a file located on some network resource (for example, a URL pointing to an infected file hosted on a compromised or hacker-controlled website). In the first case the worm's code is activated when the infected attachment is opened (launched); in the second, when the link to the infected file is opened. In both cases the effect is the same: the worm's code is activated.
  • IM worms (IM-Worm) are worms that use instant messengers. The known computer worms of this type use a single distribution method: sending the contacts they discover (from the contact list) messages containing a URL pointing to a file located on some web server. This technique almost completely repeats the similar mailing method used by mail worms.
  • P2P worms (P2P-Worm) are worms that spread by means of peer-to-peer file-sharing networks. The mechanism of most such worms is quite simple: to inject itself into a P2P network, the worm only needs to copy itself into the file-sharing directory, which is usually located on the local machine. The P2P network does all the rest of the work of spreading the virus: when files are searched for on the network, it announces this file to remote users and provides all the services needed to download the file from the infected computer. There are more complex P2P worms that imitate the network protocol of a specific file-sharing system and respond positively to search queries, offering a copy of the worm for download.
  • Worms in IRC channels (IRC-Worm). This type of worm, like mail worms, has two methods of distribution over IRC channels, repeating the methods described above. The first consists of sending a URL link to a copy of the worm. The second is sending the infected file to some network user. In the latter case the attacked user must confirm acceptance of the file, then save it to disk and open (launch) it.
  • Net worms (Net-Worm) are the remaining network worms, among which it makes sense to further distinguish net worms and LAN worms:
    • Net worms are worms that use Internet protocols for distribution. This type of worm spreads mainly by exploiting incorrect processing by some applications of basic packets of the TCP/IP protocol stack.
    • LAN worms are worms that spread using local network protocols.
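As an added illustration (not part of the original article), the following Python snippet shows one defender-side check that follows from the Net-Worm definition above: a worm spreading through a TCP/IP service contacts many distinct hosts on the same port in a short time, so a per-source fan-out count over flow records is a simple propagation indicator. The flow lines, host addresses, window and threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records for the example: "timestamp src dst proto dst_port".
# 10.0.0.5 behaves like a net worm probing one service on many hosts;
# 10.0.0.9 is an ordinary client talking to two servers repeatedly.
SAMPLE_FLOWS = """\
2020-06-29T12:00:00 10.0.0.5 10.0.1.1 tcp 445
2020-06-29T12:00:01 10.0.0.5 10.0.1.2 tcp 445
2020-06-29T12:00:01 10.0.0.5 10.0.1.3 tcp 445
2020-06-29T12:00:02 10.0.0.5 10.0.1.4 tcp 445
2020-06-29T12:00:03 10.0.0.5 10.0.1.5 tcp 445
2020-06-29T12:00:03 10.0.0.5 10.0.1.6 tcp 445
2020-06-29T12:00:00 10.0.0.9 10.0.2.10 tcp 443
2020-06-29T12:00:02 10.0.0.9 10.0.2.11 tcp 443
2020-06-29T12:00:04 10.0.0.9 10.0.2.10 tcp 443
"""

def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(port)))
    return flows

def detect_fanout(flows, window=timedelta(seconds=10), threshold=5):
    """Return {(src, proto, port): peak distinct destinations} for sources that
    reach `threshold` distinct hosts on one service inside any sliding window.
    Distinct hosts, not packet count, is the signal: a busy client that keeps
    re-contacting the same server stays below the threshold."""
    by_service = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        by_service[(src, proto, port)].append((ts, dst))
    alerts = {}
    for key, events in by_service.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    print(detect_fanout(parse_flows(SAMPLE_FLOWS)))
```

The window/threshold pair is tuned per environment; the scan-set recomputation is quadratic in the worst case and is meant for log batches, not line-rate capture.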

Solving ICS/SCADA security problems

ICS makes up a large segment of the multi-tier OT architecture, covering many different types of devices, systems, controls and networks that manage production processes. The most widespread of these are SCADA systems and distributed control systems (DCS) [1].

For many years most organizations have been implementing information security measures, whereas OT security is still relatively new territory. With the growing penetration of Industrial Internet of Things (IIoT) technologies and the resulting IT/OT convergence, production facilities lost the "air gap" that used to protect their OT systems from hackers and malware. As a result, attackers increasingly target OT systems to steal confidential information, disrupt operations or commit acts of cyberterrorism against critical infrastructure. This happens partly because existing malware works effectively against the outdated systems deployed in OT networks, which were probably never patched or updated given the lack of additional resources for such work.

A number of challenges have played a role in the evolution of the cyber attacks that have affected OT systems over many years. Among them:

  • Insufficient inventory of OT devices. Organizations cannot protect assets, whether by applying patches or by conducting security audits, if they do not have full visibility of the environment.
  • Insufficient remote access to the network. Most of the technologies underlying ICS are based on restricted physical access and on obscure components and communication protocols.
  • Outdated hardware and software. Many ICS and SCADA systems use outdated hardware or outdated operating systems that are incompatible with, or too fragile to support, modern protection technologies. Such equipment is common in environments where systems cannot be taken offline for patching or updating.
  • Poor network segmentation. OT environments typically operate on a full-trust model, which transfers poorly to the new converged IT/OT environments. The standard security practice of dividing networks into functional segments, limiting which data and applications can move from one segment to another, is in general not used very often in ICS.
  • Limited access control and permissions management. As previously isolated or closed systems become interconnected, the controls and processes that governed access often become tangled.

Fortunately, the risks that lead to security threats for ICS/SCADA are becoming more widely recognized and, as a result, a higher priority for many large organizations. Government bodies, including the Control Systems Cyber Emergency Response Team (ICS-CERT) in the USA and the Centre for Protection of National Infrastructure (CPNI) in Great Britain, now publish recommendations and advice on the use of best practices for ICS security.

The most significant attacks on OT environments and ICS, 1988-2019

Assessing the most significant cyber attacks on industrial control systems (ICS) over the last decade, we can see how far the technological capabilities of criminals have advanced. However, perhaps an even more worrying point is their readiness to harm not only digital infrastructure but also physical infrastructure, with negative effects on individual employees and entire companies. Stuxnet was perhaps one of the first in a series of destructive attacks on ICS that showed organizations worldwide the scale of impact that cyber attacks can have on physical infrastructure.

The emergence of new threat and attack mechanisms has radically changed how industrial control systems (ICS) and SCADA operate. Below we list some of the most notable cyber attacks on ICS over the last decade and describe their influence on modern strategies for securing critical infrastructure.

  • BlueKeep (2019). In May 2019 a vulnerability named BlueKeep, affecting up to one million devices, was discovered in Windows operating systems. The vulnerability existed in the Remote Desktop Protocol (RDP), and within a month of its discovery security experts began to detect attempts to exploit it.

  • EternalBlue (2017). EternalBlue is the name of a vulnerability in the Microsoft Server Message Block (SMB) protocol. It became notorious in 2017 when it was used to carry out the global WannaCry ransomware attacks. Computers in more than 150 countries suffered from these attacks, which caused total damage of 4 billion US dollars. The vulnerability was also used in the NotPetya ransomware attacks. Notably, a patch closing this vulnerability was already available before WannaCry struck.

  • TRITON (2017). The TRITON malware, discovered in 2017, targeted industrial safety systems. Specifically, it targeted safety instrumented systems (SIS), modifying the firmware held in memory to add malicious functionality. This allowed attackers to read or modify memory contents and execute native code, in addition to reprogramming safe shutdown, blocking, or altering the industrial process's ability to fail safely. TRITON is the first known malware developed specifically to attack the industrial safety systems that protect human lives [2].

  • Havex (2013) is a fairly well-known remote access trojan (RAT) first discovered in 2013 [4]. Havex, attributed to the GRIZZLY STEPPE threat group, targets ICS systems and contacts a C2 server that can deploy modular payloads. Its ICS-specific payload collected information from open platform communication (OPC) servers, including the CLSID, server name, program ID, OPC version, vendor information, running state, number of groups and server bandwidth, and was also able to enumerate OPC tags. By interacting with C2 infrastructure, the Havex malware posed a considerable threat because of the ability to send it instructions granting the malware extended and unknown capabilities.

  • Duqu (2011). Hungarian cyber security researchers discovered malware identified as Duqu (2011), whose structure and design strongly resembled Stuxnet. Duqu was designed to steal information by disguising its data transmission as normal HTTP traffic and transferring fake JPG files. A key lesson from the discovery of Duqu was an understanding of how important reconnaissance is to criminals: information-stealing malicious code is often the first cyberthreat in a planned series of further attacks [5].

  • Stuxnet (2010) worm. In June 2010 the Stuxnet cyber attack managed to destroy centrifuges at an Iranian nuclear power station. Although Stuxnet is believed to have entered the plant's systems via a removable device, for propagation it used four zero-day vulnerabilities as well as the same vulnerabilities used by Conficker.

  • Conficker (2008) worm. Conficker is a worm first discovered in November 2008. It exploited several vulnerabilities, including one in a network service found in various versions of Windows, such as Windows XP, Windows Vista and Windows 2000. As it spread, Conficker used the infected computers to build a botnet. By some estimates, it infected between 9 and 15 million computers. Despite its rather wide circulation, Conficker did not cause extensive damage.

  • Zotob (2005). This worm, which infected systems running various Microsoft operating systems including Windows 2000, exploited several vulnerabilities, including the MS05-039 vulnerability in the Plug & Play service. As a result, infected machines rebooted constantly, and each time the computer restarted a new copy of Zotob was created. Although it did not affect a large number of computers, it nevertheless managed to have a serious impact on its victims: according to experts, affected companies spent on average 97,000 US dollars to clean the malware from their systems, which took about 80 hours.

  • SQL Slammer (2003). SQL Slammer is another worm, which in 2003 infected about 75,000 machines in just ten minutes. It caused service outages at some Internet service providers, which sharply slowed Internet traffic. To spread so quickly, SQL Slammer exploited a buffer overflow vulnerability in Microsoft SQL Server. Notably, Microsoft had released a patch fixing this bug half a year before the incident.

  • Morris (1988) worm. For one of the first examples of a computer virus that exploited known vulnerabilities we have to go back to 1988, two years before the invention of the World Wide Web. The Morris worm was one of the first computer worms to spread via the Internet. It exploited known vulnerabilities in Unix Sendmail and rsh/rexec, as well as weak passwords. Although its creator did not intend to cause any damage and rather aimed to highlight weak points in security, his creation nevertheless resulted in damage estimated at 100,000 to 10,000,000 US dollars.

ICS security market

See Also