How Does a Worm Propagate?
Worms are programs that take advantage of weaknesses in applications to propagate. Because their propagation is exponential, a worm has usually already spread to different parts of the world by the time it is detected. Its major characteristics are that it is self-propagating, which distinguishes it from a virus, that it is self-replicating, and that it usually propagates across network connections (Stallings, 2011).
Because of their considerably short life span, worm writers focus on ensuring fast propagation and maximizing connection speeds on a network. Among the documented worms whose propagation behavior led to the generalization of worm behavior are the Code Red worms and Slammer. Worms can propagate by attaching themselves to mail passed from one mail host to another. They are triggered when the mail is opened. This method has the slowest rate of propagation but the widest coverage, because the contact lists of email users include addresses on different mail servers, which gives the worm access to different networks. (Chen, 2006)
Worms relying on a propagation method called root-to-branches use TCP and UDP networks and have a faster rate of propagation. With this method they infect the first host and then follow through to every network connected to it. However, propagation is affected by the extent of congestion on the network. In particular, propagation using UDP is as much as three times faster, since the worm is carried as a payload in connectionless UDP packets. Moreover, network congestion has no bearing, so multiple copies are sent to ensure delivery to the next host. (Sans Institute, 2010)
Worms generally propagate by searching for host addresses, attempting to establish a connection with a host and, finally, copying themselves to the host if the connection attempt was successful. The diverse forms worms take add to the difficulty of detection, as a worm can take the form of an application or a process, or can even rename itself. (Stallings, 2011)
Several defensive mechanisms have been implemented to prevent worms from propagating and affecting a system. One is the application of IP address defensive traps, where the worm faces the predicament of either discontinuing self-replication to avoid detection or taking the risk of running into the defensive traps. Traffic pattern attack, on the other hand, compares normal traffic with unusual traffic patterns to look for a possible worm attack. (Das, 2010)
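The two defensive mechanisms described above can be combined in one detection pass over network flow records. The following is an added example, not taken from the cited sources: the trap range, window length, baselines, alert factor and sample flows are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for illustration only.
TRAP_NETS = [ip_network("10.0.9.0/24")]    # unused space no host should contact
WINDOW_S = 10                              # seconds per counting window
BASELINE = {"10.0.1.5": 3, "10.0.1.7": 2}  # normal distinct destinations/window
DEFAULT_BASELINE = 3                       # used for sources with no history
FACTOR = 5                                 # alert above FACTOR x baseline


def sample_flows():
    """Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port)."""
    # A client talking to the same three servers over and over.
    flows = [(t, "10.0.1.5", f"10.0.2.{1 + t % 3}", 443) for t in range(20)]
    # A host contacting a new address with almost every connection.
    flows += [(t // 4, "10.0.1.7", f"10.0.3.{t}", 8080) for t in range(1, 41)]
    # A single connection into the trap range.
    flows.append((12, "10.0.1.9", "10.0.9.44", 8080))
    return flows


def detect(flows):
    """Return {src_ip: sorted list of reasons} for suspicious sources."""
    reasons = defaultdict(set)
    fanout = defaultdict(set)  # (src, window index) -> distinct destinations
    for ts, src, dst, _port in flows:
        # IP address trap: any contact with unused space is suspicious.
        if any(ip_address(dst) in net for net in TRAP_NETS):
            reasons[src].add("trap")
        fanout[(src, ts // WINDOW_S)].add(dst)
    # Traffic pattern: compare each window's fan-out with the normal level.
    for (src, _win), dsts in fanout.items():
        if len(dsts) > FACTOR * BASELINE.get(src, DEFAULT_BASELINE):
            reasons[src].add("fanout")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for src, why in sorted(detect(sample_flows()).items()):
        print(src, why)
```

A source that slows its scanning to stay under the fan-out threshold is still caught the moment it touches the trap range, which is the predicament the paragraph above describes.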
References:
Chen, Zecheng (2006). Worm Propagation Models. Retrieved from http://www.mathaware.org/mam/06/Chen.pdf
Das, Sajal (2010). Handbook on securing Cyber-Physical Critical Infrastructure. Retrieved from http://books.google.com.ph/books?id=MftTeQivgA0C&pg=PA90&lpg=PA90&dq=worm+propagation+and+countermeasures&source=bl&ots=bsWIEQ5TZc&sig=QCBPqHjZGoVb6maez0iLEzPLwN4&hl=fil&sa=X&ei=UwxHUYXwCq-fmQXQiYHwCg&ved=0CHcQ6AEwCA#v=onepage&q=worm%20propagation%20and%20countermeasures&f=false
Faghani, Mohammad (2010). Effects of Security Solutions on Worm Propagation. Retrieved from http://www.faghani.info/effects-of-security-solutions-on-worm-propagation.pdf
Stallings, William (2011). Cryptography and Network Security: Principles and Practice. Retrieved from http://www.google.com.ph/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&ved=0CDUQFjAB&url=http%3A%2F%2Fwww.cs.iit.edu%2F~cs549%2Flectures%2FCNS-1.pdf&ei=_548UYWABbCaiAf9r4CoCA&usg=AFQjCNFctUEp0nDK0QnU2SU29dVMnngJQw&bvm=bv.43287494,d.aGc
Sans Institute (2010). Worm Propagation and Countermeasures. Retrieved from http://www.sans.org/reading_room/whitepapers/malicious/worm-propagation-countermeasures_1410
Yu, Wei (2010). Self-Disciplinary Worms and Countermeasures: Modeling and Analysis. Retrieved from http://epmesc.umac.mo/rectors_office/docs/weizhao_cv/pub_refereed_journals/2010_ref_journals/TDSC-2008-01-0018-R1.pdf