Worms Flashcards
What is a worm in cybersecurity?
A self-replicating malware that spreads autonomously across networked devices, often exploiting vulnerabilities.
Name three characteristics of worms.
- Self-replication.
- Network-based spread.
- Exploitation of vulnerabilities.
What was the BRAIN virus, and how did it spread?
The first IBM PC virus, spread by copying itself into the boot sector of floppy disks and marking the sector as faulty.
What made the Morris Worm notable?
A bug caused it to propagate far more aggressively than intended; it spread using buffer overflow attacks and caused an estimated $10-100 million in damage.
How did CodeRed propagate and what were its payloads?
It exploited a buffer overflow in Microsoft IIS web servers, defaced the websites it infected, and later launched DDoS attacks.
Why was SQL Slammer so effective?
It exploited a connectionless UDP service, fit entirely in a single packet, and infected 75,000 hosts in 10 minutes.
What was unique about STUXNET?
It targeted industrial control systems, disrupting Iran’s nuclear centrifuges with sophisticated zero-day exploits.
What are the key steps in worm propagation?
- Identify a vulnerable target (e.g., via IP scanning).
- Exploit the vulnerability.
- Transfer and execute the worm code on the target.
How did CodeRed V1 propagate?
By randomly scanning the entire 32-bit IP address space; because every copy used the same pseudorandom number seed, all infected hosts scanned the same sequence of addresses.
Name two advanced worm propagation techniques.
- Localized scanning: Preferentially targeting nearby IP addresses.
- Hit-list scanning: Starting with a predefined list of likely-successful targets.
How is worm spread modeled?
Using the “Susceptible-Infectible” (SI) model with parameters:
- N: Population size.
- S(t): Susceptible hosts at time t.
- I(t): Infected hosts at time t.
- β: Contact rate.
What influences the contact rate β?
- Scanning speed.
- Target population size.
- Prevalence of vulnerabilities.
How can worm activity be measured?
By monitoring indiscriminate network scanning behavior.
What are rootkits and how do they work?
Malicious code that hides from detection by intercepting system calls or patching the kernel.
How can rootkits be detected?
Using tools such as rootkit revealers, which compare the disk contents read directly (bypassing the operating system) with what the system calls report; any discrepancy points to hidden files or processes.
What was the impact of STUXNET?
It damaged 1,000 of Iran’s 5,000 nuclear centrifuges and is considered the first prominent example of cyber warfare.
What techniques did STUXNET use?
- Exploited four zero-day vulnerabilities.
- Installed signed device drivers to avoid detection.
- Overwrote the code on programmable logic controllers (PLCs).
How are worms used in DDoS attacks?
They propagate widely to create botnets that overwhelm targets with traffic.
How have worms influenced economic pursuits?
Zero-day exploits are now commodities sold in markets, influencing cybercrime and cyber warfare.
Why are worms described as “The Wild West”?
Because of the constant technological arms race between detection and evasion.