Primer: Network Worm

  • What is it? A small, self-replicating application—most often created by a vandal rather than a corporate spy—that infects a host computer and then copies itself to every other computer attached to the host. Most network worms can saturate a network in hours or days because they grow exponentially—every infected computer represents not one but an array of other possible victims, so that 10 infections become 100, which become 1,000, which become 10,000, and so on.

  • Isn’t this just a regular worm? Yes, but there is more than one meaning for “regular.” E-mail worms and viruses are designed to spread by using the e-mail system itself as a carrier. A network worm is more insidious. It might arrive via e-mail, but could also slip in attached to files in a portable hard drive, a flash-memory stick, a PDA or, increasingly, a cell phone.

  • Why the distinction? Because it’s possible to screen out most, if not all, e-mail worms and viruses using virus scanners at the firewall or on the e-mail servers. But network worms can come in via pathways that become more numerous with every advance in mobile computing, wireless networks and smart phones. Many companies aren’t sufficiently aggressive about virus screening inside the firewall. So network worms not only have more ways to get into a corporate network, but once they’re in, they’re more likely to be free to operate uninterrupted.

  • How does a network worm attack? Most simply copy themselves to every computer with which the host computer can share data. Most Windows networks allow machines within defined subgroups to exchange data freely, making it easier for a worm to propagate itself. Some worms can also lodge in the startup folder of a networked computer, launch when that computer is restarted and reinfect a network that may have already been cleaned out. A worm that lodges in a server can infect every user who logs on to that server.
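    As an added example that is not part of the primer, here is one way a defender can spot the behaviour just described in file-share logs: a single source writing to many distinct peers within a short window, especially into startup folders. The log format, sample lines, window and threshold are all constructed assumptions, not any product's detection rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<iso-timestamp> <src> -> <dst> <path>"
# 10.0.0.5 behaves like a propagating worm; 10.0.0.20 is ordinary file-share use.
SAMPLE_LOG = """\
2004-07-01T09:00:01 10.0.0.5 -> 10.0.0.7 C$/Documents and Settings/All Users/Start Menu/Programs/Startup/svc.exe
2004-07-01T09:00:04 10.0.0.5 -> 10.0.0.8 C$/Documents and Settings/All Users/Start Menu/Programs/Startup/svc.exe
2004-07-01T09:00:09 10.0.0.5 -> 10.0.0.9 C$/Documents and Settings/All Users/Start Menu/Programs/Startup/svc.exe
2004-07-01T09:00:15 10.0.0.5 -> 10.0.0.10 C$/Documents and Settings/All Users/Start Menu/Programs/Startup/svc.exe
2004-07-01T09:00:20 10.0.0.20 -> 10.0.0.7 Shared/reports/q2.xls
2004-07-01T09:05:00 10.0.0.20 -> 10.0.0.7 Shared/reports/q2.xls
2004-07-01T09:30:00 10.0.0.5 -> 10.0.0.11 Shared/reports/q2.xls
"""

STARTUP_MARKER = "/Startup/"  # assumed path fragment that marks a startup-folder write


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, path)."""
    ts, src, _arrow, dst, path = line.split(" ", 4)  # path may contain spaces
    return datetime.fromisoformat(ts), src, dst, path


def fanout_report(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {src: (peak_distinct_peers, startup_writes)} for every source whose
    distinct-destination count inside any sliding `window` reaches `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, path = parse_line(line)
            events[src].append((ts, dst, path))
    report = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each slice below starts at its earliest event
        peak = 0
        for i, (t0, _, _) in enumerate(evs):
            peers = {d for t, d, _ in evs[i:] if t - t0 <= window}
            peak = max(peak, len(peers))
        startup_writes = sum(1 for _, _, p in evs if STARTUP_MARKER in p)
        if peak >= threshold:
            report[src] = (peak, startup_writes)
    return report


if __name__ == "__main__":
    for src, (peers, startup) in fanout_report(SAMPLE_LOG).items():
        print(f"{src}: {peers} distinct peers in 60s, {startup} startup-folder writes")
```

    Tune the window and threshold against a baseline of normal share traffic; a backup server or software-deployment host will legitimately fan out and needs an allow-list.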

  • How can it affect cell phones? Russian cybersecurity firm Kaspersky Labs recently identified a network worm called Cabir that can infect a cell phone connected to the Symbian network by posing as a security utility. The worm can change the phone’s operating system so it is launched every time the phone is turned on, then propagate itself to other phones via Bluetooth wireless connections. No infections have been reported so far.

  • How do you fix infected computers? Manually, by shutting down the network and going to each infected computer to delete the offending files, then erasing the System Restore data to make sure it won’t reinfect a cleaned machine. Or buy a sophisticated virus-scanning application that will sit on each computer and server and clean it of anything that resembles worm or virus code.

  • What’s the solution? Pretty obvious: Buy a good enterprise virus-scanning utility that will monitor activity inside your network as well as data coming in through the firewall. Once they’ve cleaned out an existing infection, virus scanners continue to watch the network for other threats. Make sure you set all machines to download the most recent worm and virus filters automatically.