by Michael Shuff, PA & 7Safe marketing lead
What are they?
Worms are stand-alone malicious programs that can self-replicate from system to system without the need for a human to execute a file or send the infection elsewhere. They spread via the network or internet connection infecting any inadequately-protected computers and servers on the network. Worms being developed today typically use more than one method in order to spread copies via networks, taking advantage of security weaknesses such as unpatched systems or open services.
Why are they a threat?
Worms can cause significant disruption to computer systems, degrading performance and putting data integrity and information security at risk. Some typical symptoms of a worm attack include:
- Slow computer performance;
- Programs opening and running automatically;
- Irregular web browser performance;
- Redirection of your browser to malicious websites;
- Adverts appearing on websites that you don’t expect to see;
- Unusual computer behaviour (messages, images, sounds, etc);
- Unusual network activities/flows and network connections;
- Firewall warnings;
- Missing/modified files;
- Appearance of strange/unintended desktop files or icons;
- Operating system errors and system error messages;
- Emails sent to contacts without the user’s knowledge. [Source: AppSec Knowledge Base]
However, beware complacency: a modern, well-behaved worm will be stealthy and attempt to stay hidden, not drawing attention to itself.
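The “unusual network flows” symptom above is the one a defender can check for mechanically: a worm that spreads by probing a vulnerable service makes a single host open connections to many distinct peers on the same port within seconds. The following is an added example (not from the article or from 7Safe) that applies that fan-out heuristic to constructed flow-log lines; the log format, hosts and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records ("timestamp src dst dport"), not real data.
# 10.0.1.7 sweeps its subnet on 445 within seconds (worm-like fan-out);
# 10.0.1.8 touches several hosts on 22 but minutes apart (an admin, not a worm).
FLOWS = """
2024-03-01T09:00:01 10.0.1.7 10.0.1.10 445
2024-03-01T09:00:01 10.0.1.7 10.0.1.11 445
2024-03-01T09:00:02 10.0.1.7 10.0.1.12 445
2024-03-01T09:00:02 10.0.1.7 10.0.1.13 445
2024-03-01T09:00:03 10.0.1.7 10.0.1.14 445
2024-03-01T09:00:03 10.0.1.7 10.0.1.15 445
2024-03-01T09:00:04 10.0.1.20 10.0.1.5 443
2024-03-01T09:00:10 10.0.1.21 10.0.1.5 445
2024-03-01T09:00:00 10.0.1.8 10.0.1.30 22
2024-03-01T09:02:00 10.0.1.8 10.0.1.31 22
2024-03-01T09:04:00 10.0.1.8 10.0.1.32 22
2024-03-01T09:06:00 10.0.1.8 10.0.1.33 22
2024-03-01T09:08:00 10.0.1.8 10.0.1.34 22
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport)."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return rows

def detect_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Return {(src, dport): peak distinct peers} for sources that contact at
    least `threshold` distinct destinations on one port inside `window`."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_key[(src, dport)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(peers))
    return alerts

if __name__ == "__main__":
    for (src, port), n in detect_fanout(parse_flows(FLOWS)).items():
        print(f"ALERT: {src} reached {n} distinct hosts on port {port} within 60s")
```

Only the host sweeping port 445 is reported; the slow SSH host stays below the threshold because its connections never fall inside one 60-second window.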
How common is it?
Computer worms are among the most common types of malware threat.
Is there a financial impact?
Yes. Worms can be sophisticated modern malware used to steal commercially-sensitive information and State secrets. For example, the Flame worm discovered in May 2012 can record audio, screenshots, keyboard activity and network traffic. Flame can also record Skype conversations and can even turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control servers scattered around the world.
Worms also have the ability to cause widespread disruption to industrial processes such as uranium production. In June 2010, Stuxnet, an “unprecedentedly masterful and malicious piece of code” in the form of a 500-kilobyte computer worm, infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. First, it targeted Microsoft Windows machines and networks, repeatedly replicating itself. Then it sought out Siemens Step7 software, which is also Windows-based and is used to program the industrial control systems that operate equipment such as centrifuges. Finally, it compromised the programmable logic controllers. In total, it is estimated that around 1,000 centrifuges were damaged beyond use. [Source: https://www.cyber.nj.gov/threat-profiles/ics-malware-variants/stuxnet]
Although this is (very probably!) a recent example of a State-sponsored attack with a political and/or military objective(s), sophisticated worm malware could equally be used against industrial processes to cause widespread disruption costing multiple millions of pounds. WannaCry, a Trojan with worming capability, did just that, resulting in estimated global financial losses of up to $4 billion and infecting 300,000 machines (Trend Micro’s security and threats report). Reputation damage over years, the cost of reparation to other affected parties (e.g. customers), regulatory fines (for example, under the EU GDPR and the NIS Directive), and loss of confidence on the part of business partners could make the cost of worms much higher than initial estimates might suggest.
Can you defend against it?
Yes. Users can minimize worm threats by … patching operating systems and other software to reduce the risk from newly discovered vulnerabilities; segmenting networks in order to limit the propagation of worms; avoiding opening unrecognized or unexpected emails (worms can still spread this way!); using firewalls to reduce the access malware has to systems; and regularly running reputable antivirus (AV) software to detect known worm signatures. And, important for other reasons too: always back up essential data and test the restore procedures.
What should you do if it happens to you?
Isolate affected systems immediately but keep them switched on. Run AV software with updated malware definitions to scan your entire system and quarantine/remove any threats that this finds. Request help from a qualified incident response specialist like PA & 7Safe to forensically examine your system in order to (a) establish that the worm has been contained, (b) confirm that any virus payload the worm delivered into your system is no longer a threat, and (c) investigate how the worm penetrated your defences (so that security weaknesses can be fixed and, if possible, the malicious actor involved can be identified).
You should carry out a damage assessment that includes a forensic examination of what data may have been acquired/damaged/created by the worm. This process should extend to assessing what impact the worm has had on the business, and also on other parties that are likely to be affected. For example, the passwords exfiltrated by the worm may not have been used to access your system, but could they be the same passwords used by individuals to access other services via the internet?
Who can best deal with it?
7Safe’s cyber experts can detect, isolate and remove worms from your computers and networks and conduct forensic investigations to establish how malicious code gained access and who put it there.
What 7Safe’s expert says:
“Worms can be devastating, both to your computer systems and networks, and to those of other organisations that they spread to. Stuxnet is an infamous example. This worm has served as an inspiration to malicious actors the world over. WannaCry, Petya and NotPetya are ransomware variants that also spread like worms, causing enormous levels of service disruption and associated financial costs. They are not technically ‘worms’, although they have the ability to self-replicate.”
# # #
It’s not a matter of if, but when. In 2017, 74% of British businesses said that cyber security is a high priority for their senior management, with 49% of those having experienced an attack or breach within that year. Despite this, only 11% have a formal cyber security incident management process or response capability in place.
We provide Cyber Security Incident Response (CSIR) services to organisations who would like to prepare for, or are suffering from, a cyber-attack or breach. We offer four tiers of retained service to deliver peace of mind, and in the event that an incident is currently taking place we can be deployed on demand. Our Cyber Threat Hunting (TH) services are integrated with our retained CSIR service tiers.