Worms

Question 1

What is a worm in cybersecurity?

Answer 1

A self-replicating malware that spreads autonomously across networked devices, often exploiting vulnerabilities.

Question 2

Name three characteristics of worms.

Answer 2

1. Self-replication.
2. Network-based spread.
3. Exploitation of vulnerabilities.

Question 3

What was the BRAIN virus, and how did it spread?

Answer 3

The first IBM PC virus, spread by copying itself into the boot sector of floppy disks and marking the sector as faulty.

Question 4

What made the Morris Worm notable?

Answer 4

It propagated aggressively due to a bug, using buffer overflow attacks and caused damages of $10-100 million.

Question 5

How did CodeRed propagate and what were its payloads?

Answer 5

Exploited MS-IIS server overflow, defaced websites, and later launched DDoS attacks.

Question 6

Why was SQL Slammer so effective?

Answer 6

It exploited a connectionless UDP service, fit entirely in a single packet, and infected 75,000 hosts in 10 minutes.

Question 7

What was unique about STUXNET?

Answer 7

It targeted industrial control systems, disrupting Iran’s nuclear centrifuges with sophisticated zero-day exploits.

Question 8

What are the key steps in worm propagation?

Answer 8

1. Identify a vulnerable target (e.g., via IP scanning).
2. Exploit the vulnerability.
3. Transfer and execute the worm code on the target.

Question 9

How did CodeRed V1 propagate?

Answer 9

By randomly scanning the entire 32-bit IP address space with the same pseudorandom number seed.

Question 10

Name two advanced worm propagation techniques.

Answer 10

1. Localized scanning: Preferentially targeting nearby IP addresses.
2. Hit-list scanning: Starting with a predefined list of likely-successful targets.

Question 11

How is worm spread modeled?

Answer 11

Using the “Susceptible-Infectible” (SI) model with parameters:
N: Population size.
S(t): Susceptible hosts at time t.
I(t): Infected hosts at time t.
β: Contact rate.

Question 12

What influences the contact rate β?

Answer 12

Scanning speed.
Target population size.
Prevalence of vulnerabilities.

Question 13

How can worm activity be measured?

Answer 13

By monitoring indiscriminate network scanning behavior.

Question 14

What are rootkits and how do they work?

Answer 14

Malicious code that hides from detection by intercepting system calls or patching the kernel.

Question 15

How can rootkits be detected?

Answer 15

Using tools like rootkit revealers that compare disk state offline versus through system calls.

Question 16

What was the impact of STUXNET?

Answer 16

It damaged 1,000 of Iran’s 5,000 nuclear centrifuges and is considered the first prominent example of cyber warfare.

Question 17

What techniques did STUXNET use?

Answer 17

Exploited four zero-day vulnerabilities.
Installed signed device drivers to avoid detection.
Overwrote programmable logic boards.

Question 18

How are worms used in DDoS attacks?

Answer 18

They propagate widely to create botnets that overwhelm targets with traffic.

Question 19

How have worms influenced economic pursuits?

Answer 19

Zero-day exploits are now commodities sold in markets, influencing cybercrime and cyber warfare.

Question 20

Why are worms described as “The Wild West”?

Answer 20

The constant technological arms race between detection and evasion.