Avinash Kak, in his lecture notes “Malware: Viruses and Worms”, aims to help beginning students learn some of the basic concepts about malware. To accomplish this, Kak first describes computer viruses as self-propagating, malicious code that needs a host document (such as an executable file) to attach itself to. He then describes the various parts of a computer that can serve as hosts for viruses, as well as how a virus propagates and remains undetected. One important point is made in this section: “The virus code will only execute with the permissions that are assigned to you”. This matters because when a person buys a computer they usually leave it with a single account that has administrator privileges, so if a virus is downloaded it will run as an administrator and have full access to the system. This problem, as mentioned in the lecture notes, is more common on Windows operating systems. Next, to solidify the material he has covered, the author gives an example virus written in Perl. This example virus illustrates the basics of a virus: each time it runs it infects files ending in ‘.foo’ and skips files that are already infected. The example virus is harmless in its current state but, as mentioned in the notes, a few modifications could make it fairly dangerous.
The next section of these notes covers some basic material on computer worms. Kak first states the main difference between a virus and a worm: “a worm does not need a host document”. A worm, instead, is self-contained and can send copies of itself over a network. An important thing to note is that while a harmless virus really won’t do anything (hence the name harmless), a harmless worm (such as one that just copies itself) can still “harm a network and consume bandwidth”. Kak then explains that worms are able to send copies of themselves over a network by using “remote shell facilities (for example ssh), by cracking passwords (by, for example, using what is called the dictionary attack), and by using buffer overflow vulnerabilities in networking software”. As with viruses, it is important to note that the damage a worm can cause is limited by the privileges of the account it is executing under.
The next four sections of the lecture notes contain short (introductory) descriptions of four worms: the Morris Worm, the Slammer Worm, the Conficker Worm, and Stuxnet. In each case Kak describes the worm and how it propagates, and links to various much more in-depth analyses of it. Conficker and Stuxnet are two of the more recent worms to have affected computers and are important to understand. Conficker is important because it uses encryption, hashing, and digital signatures to keep the worm from being disassembled and examined (and is therefore harder to protect against). Another important aspect of Conficker is that it uses peer-to-peer capabilities to update itself (by obtaining new payloads, instructions, etc.). Stuxnet is important to understand because, unlike other worms, it was not designed to attack personal computers but was instead “designed specifically to attack a particular piece of industrial software known as SCADA”. It is suspected that the purpose of Stuxnet was to “harm processes related to the production of nuclear materials in certain countries”. If this is true, it would make Stuxnet the first known weapon made entirely out of code, and thus even more important to understand.
Finally, Kak ends with a short discussion of “How afraid should we be of viruses and worms”. His short answer is “very afraid”, because malware can cause serious problems such as stealing information or shutting down an entire network. The long answer, however, really depends on a person’s habits on the computer. Kak uses himself as an example, showing that by keeping safe habits and visiting only trusted sites one can avoid a lot of malware. This does not mean that such habits will completely prevent malware from getting onto your computer, but they will help. Kak then closes with a short discussion of why anti-virus software, while helpful against known malware, is no guarantee: any (smart) programmer writing new malware would test it against the current anti-virus software to make sure it is undetectable before releasing it for the first time.
Kak’s notes on malware provide a good introduction for anyone interested in the topic, and they include four great examples of computer worms. If this summary got you interested, I strongly suggest clicking the link above and reading the notes (especially the descriptions of the four worms).
