Computer worms and viruses are typically grouped together as infectious agents that replicate themselves and spread from system to system. However, they have different properties and capabilities. In some cases these differences are subtle, and in others they are quite dramatic. Network worms must be differentiated from computer viruses if we are to understand how they operate, spread, and can be defended against. Failure to do so can lead to an ineffective detection and defense strategy. Like a virus, computer worms alter the behavior of the computers they infect. Computer worms typically install themselves onto the infected system and begin execution, utilizing the host system’s resources, including its network connection and storage capabilities. Although many of the features of each are similar, worms differ from computer viruses in several key areas:
◗ Both worms and viruses spread from a computer to other computers. However, viruses typically spread by attaching themselves to files (either data files or executable applications). Their spread requires the transmission of the infected file from one system to another. Worms, in contrast, are capable of autonomous migration from system to system via the network without the assistance of external software.
◗ A worm is an active and volatile automated delivery system that controls the medium(typically a network)used to reach a specific target system.Viruses, in contrast, are a static medium that does not control the distribution medium. ◗ Worm nodes can sometimes communicate with other nodes or a central site. Viruses, in contrast, do not communicate with external systems.
When we speak of computer worms we are referring to both the instance of a worm on a single system, often called a node on the worm network, and the collection of infected computers that operate as a larger entity. When the distinction is important, the term node or worm network will be used.
In the colorful argot of computers, a “worm” is a program that travels from one computer to another but does not attach itself to the operating system of the computer it “infects.” It differs from a “virus,” which is also a migrating program, but one that attaches itself to the operating system of any computer it enters and can infect any other computer that uses files from the infected computer.
This definition, as we will see later, limits itself to agents that do not alter the operating system. Many worms hide their presence by installing software, or root kits, to deliberately hide their presence, some use kernel modules to accomplish this. Such an instance of a worm would not be covered by the above definition. For the purposes of this book, we will define a computer worm as an independently replicating and autonomous infection agent, capable of seeking out new host systems and infecting them via the network. A worm node is the host on a network that operates the worm executable, and a worm network is the connected mesh of these infected hosts.
◗ Both worms and viruses spread from a computer to other computers. However, viruses typically spread by attaching themselves to files (either data files or executable applications). Their spread requires the transmission of the infected file from one system to another. Worms, in contrast, are capable of autonomous migration from system to system via the network without the assistance of external software.
◗ A worm is an active and volatile automated delivery system that controls the medium(typically a network)used to reach a specific target system.Viruses, in contrast, are a static medium that does not control the distribution medium. ◗ Worm nodes can sometimes communicate with other nodes or a central site. Viruses, in contrast, do not communicate with external systems.
When we speak of computer worms we are referring to both the instance of a worm on a single system, often called a node on the worm network, and the collection of infected computers that operate as a larger entity. When the distinction is important, the term node or worm network will be used.
A formal definition
From the 1991 appeal by R. T. Morris regarding the operation of the 1988 worm that bears his name [1], the court defined a computer worm as follows:In the colorful argot of computers, a “worm” is a program that travels from one computer to another but does not attach itself to the operating system of the computer it “infects.” It differs from a “virus,” which is also a migrating program, but one that attaches itself to the operating system of any computer it enters and can infect any other computer that uses files from the infected computer.
This definition, as we will see later, limits itself to agents that do not alter the operating system. Many worms hide their presence by installing software, or root kits, to deliberately hide their presence, some use kernel modules to accomplish this. Such an instance of a worm would not be covered by the above definition. For the purposes of this book, we will define a computer worm as an independently replicating and autonomous infection agent, capable of seeking out new host systems and infecting them via the network. A worm node is the host on a network that operates the worm executable, and a worm network is the connected mesh of these infected hosts.