Introduction to Bill Goat System

Posted by mady | Posted in | Posted on 1:07 AM

Recent years have brought a continued increase in both the importance
of security in networked systems and the difficulty of securing them.
The Internet has continued to expand, its connections have become
nearly pervasive, and its protocols and services have grown more
complex. Beyond the basic need for integrity, confidentiality and
privacy, security has become essential toward providing reliability,
safety, and freedom from liability. One of the greatest threats to
security has come from automatic self-propagating attacks. These
attacks include both viruses and worms. While the presence of these
attacks is by no means new, the damage that they are able to inflict
and the speed with which they are able to propagate has become
paramount. Further increases in connectivity and complexity only
threaten to increase their virulence.
A computer worm is a self-replicating computer program,
similar to a computer virus. A virus attaches itself to, and becomes
part of, another executable program; a worm, however, is self-contained
and does not need to be part of another program to propagate itself.
Worms are often designed to exploit the file transmission capabilities
found on many computers. The main difference between a computer virus
and a worm is that a virus cannot propagate by itself whereas a worm
can. A worm uses a network to send copies of itself to other systems and
does so without any user intervention. In general, worms harm the network
and consume bandwidth, whereas viruses infect or corrupt files on a
targeted computer. Viruses generally do not affect network
performance, as their malicious activities are mostly confined to
the target computer itself.
In addition to replication, a worm may be designed to do any
number of things, such as delete files on a host system or send
documents via e-mail. More recent worms may be multi-headed and carry
other executables as a payload. However, even in the absence of such a
payload, a worm can wreak havoc just with the network traffic
generated by its reproduction. Mydoom, for example, caused a
noticeable worldwide Internet slowdown at the peak of its spread. A
common payload is for a worm to install a backdoor in the infected
computer, as was done by Sobig and Mydoom. These zombie computers are
used by spam senders for sending junk email or to cloak their
website's address. Spammers are thought to pay for the creation of
such worms, and worm writers have been caught selling lists of IP
addresses of infected machines. Others try to blackmail companies with
threatened DoS attacks. The backdoors can also be exploited by other
worms, such as Doomjuice, which spreads using the backdoor opened by
Mydoom.


1.1 Typical worm spreading logic:
Most worms use random IP address generation to spread to
different computers. The worm sends its code as an HTTP request to the
target computer and then, depending on the specific worm, exploits a
known vulnerability there. For example, the CodeRed worm sends an HTTP
request that exploits a buffer-overflow vulnerability, which allows the
worm to run on that computer. The malicious code is not saved as a
file but is inserted into memory and run directly from there. There is
no single intrusion strategy shared by the different worms. One
typical strategy, used by the W32-Blaster worm, is given below.
The worm generates an IP address and attempts to infect the computer that
has that address. The IP address is generated according to the
following algorithm:
• 40% of the time, the generated IP address is of the form
A.B.C.0, where A and B are equal to the first two parts of the
infected computer's IP address. Once the IP address is calculated, the
worm attempts to find and exploit a computer with the IP address
A.B.C.0. The worm then increments the last part of the IP address by
1, attempting to find and exploit other computers at the new IP
address, until it reaches 254.
• With a probability of 60%, the generated IP address is completely random.
• To avoid looping back and infecting the source computer, the worm does
not make HTTP requests to IP addresses of the form 127.*.*.*.
• Some fixed characteristics of the TCP and IP headers are:

1. IP identification = 256
2. Time to Live = 128
3. Source IP address = a.b.x.y, where a.b are taken from the host IP and x.y
are random. In some cases, a.b is random as well.
4. Destination IP address = DNS resolution of "windowsupdate.com"
5. TCP source port is between 1000 and 1999
6. TCP destination port = 80
7. TCP sequence number always has the two low bytes set to 0; the 2
high bytes are random.
8. TCP window size = 16384
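The two traits above lend themselves to simple defender-side checks: a per-packet match on the fixed header values, and a flow-level check for a source walking consecutive addresses inside one /24. The following is an added example, not code from the original post or from the Bill Goat system; field names, the min_run threshold and all sample values are constructed, and the DNS-based destination check is left out so it runs offline.

```python
# Added example (not from the original post): defender-side heuristics for the
# Blaster traits described above. Field names and samples are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

def matches_fixed_headers(pkt):
    """True when a parsed TCP/IP header carries the fixed values listed above
    (IP ID 256, TTL 128, sport 1000-1999, dport 80, low 16 bits of the
    sequence number zero, window 16384). The DNS-based destination check
    is omitted so the function runs offline."""
    return (pkt["ip_id"] == 256
            and pkt["ttl"] == 128
            and 1000 <= pkt["sport"] <= 1999
            and pkt["dport"] == 80
            and (pkt["seq"] & 0xFFFF) == 0
            and pkt["window"] == 16384)

def sequential_sweeps(flows, min_run=8):
    """Return (src, /24, run_length) for each source that contacted a run of
    consecutive hosts inside one /24, the A.B.C.0, A.B.C.1, ... sweep pattern.
    min_run is an assumed threshold; the worm itself counts up to 254."""
    seen = defaultdict(set)
    for src, dst in flows:
        net = str(ip_network(dst + "/24", strict=False))
        seen[(src, net)].add(int(ip_address(dst)) & 0xFF)
    hits = []
    for (src, net), octets in seen.items():
        run = best = 0
        for last in range(256):
            run = run + 1 if last in octets else 0
            best = max(best, run)
        if best >= min_run:
            hits.append((src, net, best))
    return hits

# Constructed samples: one packet with the fixed header values, one ordinary
# packet, and flow records of one source walking 192.0.2.0 .. 192.0.2.19.
SAMPLE_PACKETS = [
    {"ip_id": 256, "ttl": 128, "sport": 1337, "dport": 80,
     "seq": 0x1A2B0000, "window": 16384},
    {"ip_id": 4321, "ttl": 64, "sport": 50000, "dport": 80,
     "seq": 0x1A2B3C4D, "window": 65535},
]
SAMPLE_FLOWS = ([("10.0.5.9", f"192.0.2.{i}") for i in range(20)]
                + [("10.0.5.9", "198.51.100.7"), ("10.0.7.3", "192.0.2.44")])

if __name__ == "__main__":
    print([matches_fixed_headers(p) for p in SAMPLE_PACKETS])  # [True, False]
    print(sequential_sweeps(SAMPLE_FLOWS))  # [('10.0.5.9', '192.0.2.0/24', 20)]
```

The header match alone is a weak indicator in isolation, since TTL 128 and window 16384 are ordinary Windows defaults; the sweep check is what separates a worm scan from a single busy host.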
