11.1 Internet Worms Flashcards
Virus
“Infection” of an existing program that results in modification of behavior
Typically require user action to spread, for example, opening an attachment in an email or running an executable file that a friend gave you on a USB key
Require user activity
spreads manually
Worm
Code that propagates/replicates across the network
Is spread by exploiting flaws in existing programs or open services
Propagate automatically
spreads automatically
Parasitic (Type of Virus)
infects executable files
Memory-resident (Type of Virus)
infect running programs
Boot-sector (Type of Virus)
spreads when system is booted
Polymorphic (Type of Virus)
encrypt part of virus program using a randomly generated key
What is the main difference between a worm and a virus?
Worms can spread automatically
Worm Lifecycle
1. Discover/“scan” for vulnerable hosts
2. Infect vulnerable machines via remote exploit
What are the 3 steps in a worm’s “life cycle”?
- Scanning for vulnerable hosts
- Infect vulnerable host
- Remaining undetectable
Increasing Initial Compromise Rate
1. Hit List: List of vulnerable hosts
2. Permutation scanning: shared permutation of IP address lists. Start from own IP and work down
What allowed Slammer to spread quickly?
UDP/connectionless transport
Could fit in a single packet