5. Malware: Viruses and Worms

Malware is malicious software designed to damage systems, steal data, spread, or create future attack opportunities.

5.1 Virus versus Worm

Virus

A virus usually attaches itself to a host file or document and propagates when that host is executed.

Examples of hosts:

  • executable files,
  • boot sectors,
  • macro-enabled documents.

Worm

A worm is self-propagating malware that spreads from host to host over networks without needing a host file in the same sense as a virus.

5.2 Key Properties of Viruses

A virus typically includes:

  • replication logic,
  • infection logic,
  • avoidance of reinfecting the same file,
  • and optionally a payload.

Signatures and markers

Viruses often leave a marker in each file they infect and check for it before infecting, so that an already-infected file is not reinfected and does not grow indefinitely.

Mutating behavior

Some viruses alter themselves during propagation to make detection harder.

Encrypted viruses

More advanced viruses may encrypt most of themselves while keeping a stable decryptor stub.

5.3 Educational Value of Simple Virus Examples

Even very simple virus code teaches important lessons:

  • self-replication is not difficult,
  • file I/O is enough for basic infection,
  • harm often comes from small extensions to simple code,
  • and security depends on permissions, execution policies, and user behavior.

5.4 Worms and Autonomous Spread

Worms differ in that they typically:

  • scan for reachable hosts,
  • identify targets or vulnerabilities,
  • replicate remotely,
  • and may spread very quickly.

Because worms act over networks, they are often associated with large-scale outbreaks.

5.5 Famous Worms

Morris worm

A landmark early internet worm that demonstrated how quickly self-replicating code could disrupt networked systems.

Slammer worm

Known for extreme propagation speed.

Conficker

Illustrates:

  • worm-like propagation,
  • password-related attacks,
  • command and control sophistication,
  • and defensive countermeasures.

Stuxnet

Notable for:

  • targeted industrial sabotage,
  • stealth,
  • multi-stage design,
  • and strategic cyber-physical implications.

WannaCry

Combined:

  • worm propagation,
  • ransomware behavior,
  • and exploitation of vulnerable Windows systems.

It also highlighted the role of:

  • unpatched systems,
  • exploit reuse,
  • and backdoor mechanisms such as DoublePulsar.

5.6 Why Worms Are Dangerous

A worm combines two powerful features:

  • exploitation,
  • and automatic spread.

This means defenders are not only dealing with one compromised machine, but potentially with a rapidly growing set of compromised hosts.

5.7 Defensive Principles

  • patch exposed services,
  • disable unnecessary services,
  • segment networks,
  • limit lateral movement,
  • use endpoint detection,
  • inspect abnormal scanning behavior,
  • and monitor for rapid repeated failures or exploit signatures.
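The scanning behaviour described in 5.4 and the monitoring advice above can be turned into a simple detector. This is an added example, not part of the lecture notes: the log format, addresses and thresholds are constructed assumptions, and the logic flags any source that fans out to many distinct destinations within a short window with mostly failed connections.

```python
# Added example (not from the lecture notes): flag sources whose connection
# attempts fan out to many distinct hosts in a short window, mostly failing,
# which is how a worm scanning for reachable hosts looks in connection logs.
# Log format, thresholds and addresses below are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <src> <dst> <dport> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.0.9 445 ok
2024-05-01T10:00:01 10.0.0.5 10.0.0.10 445 refused
2024-05-01T10:00:02 10.0.0.7 10.0.0.8 443 ok
2024-05-01T10:00:02 10.0.0.5 10.0.0.11 445 refused
2024-05-01T10:00:03 10.0.0.5 10.0.0.12 445 refused
2024-05-01T10:00:04 10.0.0.7 10.0.0.20 443 ok
2024-05-01T10:00:04 10.0.0.5 10.0.0.13 445 refused
2024-05-01T10:00:05 10.0.0.5 10.0.0.14 445 refused
2024-05-01T10:00:06 10.0.0.7 10.0.0.8 443 ok
2024-05-01T10:00:06 10.0.0.5 10.0.0.15 445 ok
2024-05-01T10:00:07 10.0.0.5 10.0.0.16 445 refused
"""

def parse(lines):
    """Yield (timestamp, src, dst, dport, result) tuples from log lines."""
    for line in lines:
        if line.strip():
            ts, src, dst, port, result = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port), result

def detect_scanners(lines, window=timedelta(seconds=10), min_hosts=5, min_fail_ratio=0.6):
    """Return {src: (max distinct destinations, max failures)} for every source
    that, inside one sliding window, reaches >= min_hosts distinct destinations
    with a failure share >= min_fail_ratio. Normal clients stay below both."""
    recent = defaultdict(deque)  # src -> events still inside the window
    flagged = {}
    for ts, src, dst, _port, result in sorted(parse(lines)):
        q = recent[src]
        q.append((ts, dst, result))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        dsts = {d for _, d, _ in q}
        fails = sum(r != "ok" for _, _, r in q)
        if len(dsts) >= min_hosts and fails / len(q) >= min_fail_ratio:
            seen_hosts, seen_fails = flagged.get(src, (0, 0))
            flagged[src] = (max(seen_hosts, len(dsts)), max(seen_fails, fails))
    return flagged

if __name__ == "__main__":
    for src, (hosts, fails) in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {hosts} distinct hosts, {fails} failed attempts in window")
```

On the sample, the host probing eight neighbours on port 445 is flagged while the client that repeatedly talks to two servers is not; in practice the thresholds would be tuned against a baseline of normal traffic.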

Educational material for undergraduate network security students.