The Functioning of Computer Worms
Compared to viruses, worms are a more advanced form of malware and in many cases have
different goals. One of the main characteristics of worms is their inherent ability to
replicate and spread across networks extremely quickly, as the previous Slammer example
demonstrated. Most worms share certain features that help define how they work and what
they can do:
■ Do not require a host application to perform their activities
■ Do not necessarily require any user interaction, direct or otherwise, to function
■ Replicate extremely rapidly across networks and hosts
■ Consume bandwidth and resources
Consuming bandwidth and resources may or may not indicate a worm.
Any such slowdown needs to be investigated further to determine if it is
caused by a worm.
Worms can also perform some other functions:
■ Transmit information from a victim system back to another location specified by the
designer.
■ Carry a payload, such as a virus, and drop off this payload on multiple systems rapidly.
A Closer Look at Slammer
At the peak of its activity, Slammer was doubling the number of infected systems every
8.5 seconds. This heretofore unheard-of replication rate was 250 times faster than that of
the previous record holder, Code Red.
Slammer was able to spread so quickly thanks to a number of factors related to how it
was constructed and the environment into which it was deployed. Many systems were
left unpatched, despite the availability of a fix, resulting in a fertile environment for
exploitation. Many routers on the Internet buckled and crashed under the intense traffic
that resulted from the worm. As routers failed, traffic was rerouted and routing tables
were updated on other routers, which resulted in additional failures. Finally, the
entire worm (376 bytes) could be contained within a single User Datagram Protocol (UDP)
packet, allowing it to quickly replicate and be sent to other victims.
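The traits described above (rapid replication, and a worm that fits in one UDP datagram) give a defender something concrete to check when investigating a slowdown. The following is an added example, not part of the original text: it flags any source that sends the same-sized single-datagram UDP flow to many distinct hosts within a short window. The flow-record layout, the thresholds, port 9999 and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, udp_payload_len, packets)
# Addresses come from documentation ranges; port 9999 is an arbitrary placeholder.
def make_sample_flows():
    flows = []
    # Host .10: one 376-byte datagram to each of 40 different addresses in about 2 seconds
    for i in range(40):
        flows.append((100.0 + i * 0.05, "192.0.2.10", f"198.51.100.{i + 1}", 9999, 376, 1))
    # Host .20: ordinary DNS client, two resolvers, varying query sizes
    for i in range(40):
        flows.append((100.0 + i * 0.05, "192.0.2.20", f"203.0.113.{1 + i % 2}", 53, 40 + i, 1))
    # Host .30: many packets to one server (bulk transfer, not fan-out)
    flows.append((100.5, "192.0.2.30", "203.0.113.9", 9999, 376, 500))
    return sorted(flows)

def find_udp_fanout(flows, window_s=5.0, min_dests=25):
    """Return {(src, dport, size): max distinct destinations in any window}
    for sources sending identical single-datagram flows to many hosts."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, size, packets in flows:
        if packets == 1:                      # whole message fits in one datagram
            by_key[(src, dport, size)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        counts = defaultdict(int)             # dst -> occurrences inside the window
        best = 0
        for ts, dst in events:
            counts[dst] += 1
            while ts - events[start][0] > window_s:   # slide the window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_dests:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    for (src, dport, size), n in find_udp_fanout(make_sample_flows()).items():
        print(f"{src}: {n} distinct hosts, udp/{dport}, {size}-byte payload")
```

Grouping by payload size and port keeps a busy DNS client or a bulk transfer from tripping the threshold; only the host repeating one identical datagram across many destinations is reported.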