A worm is a self-propagating code execution attack that causes damage on each host that it infects. In less technical terms, a worm is a virus that causes damage, then finds another host to propagate to. This process repeats until it is stopped in its tracks by some effective mitigation, or until it cannot find any additional hosts to transfer to. Here are the key steps that attackers use to implement this type of attack.
The attacker searches for and/or develops a novel exploit against a broadly-installed software component / product such as the Windows operating system. The chosen exploit typically allows arbitrary code execution.
The attacker searches for and/or develops a novel exploit that allows the arbitrary code execution attack to proliferate/replicate to other hosts. This step is usually intricately tied with Step 1, since both steps are essential to designing a worm that executes arbitrary code and proliferates to other hosts.
After the hacker has created a code execution exploit and a replication exploit, the exploit is packaged in a manner that can be easily deployed to an initial host.
The exploit discovers additional reachable hosts, and infects them using its replication exploit. Each infected host executes the exploit, damaging each host, and propagates to damage additional hosts.
Some well-known "wormable" attacks include:
Many other worms have occurred throughout the years, but these three each have unique historic elements. Need help thinking through a strategy to defend against this type of attack? We're here to help.
Interested in more articles in our Threat Primer series? Continue here:
Any additional suggestions for article topics for our Threat Primer series? Drop us a note in the comments section below!