Worms: best known for fishing, feeding birds, and the need for taking your pets to the vet.
For your business, though, there’s one that’s far more crippling: the computer worm.
Computer worm attacks are a very real, very dangerous threat to businesses everywhere.
In fact, four Microsoft patches this month address potentially “wormable” vulnerabilities in the Network File System, Remote Procedure Call (RPC), and Windows Server Message Block (SMB) protocols.
This raises a simple question: what is a worm attack, how does it work, and how do you stop one?
What Are Worm Attacks?
To put it simply, worms are a sub-category of viruses.
Though viruses typically require a person to trigger an executable file that contains the virus, worms don’t require human interaction.
Attackers actually program worm malware to make copies of themselves, spread those copies, and remain active on an infected system.
Worm attacks perform these tasks quickly and automatically because the worm program itself launches more worms.
The good news is that antivirus and endpoint detection and response (EDR) solutions recognize and address older worm attacks.
However, new worm attacks take advantage of operating system, network, and other software vulnerabilities to spread before the anti-malware solution catches up.
The first worms simply replicated themselves until systems and networks crashed.
Newer worms, however, are often combined with stealthier or more malicious payloads such as file stealers, remote access trojans (RATs), backdoors, ransomware, and wipers.
How Do They Work?
Security companies classify worms based upon their methods of spreading.
Examples include email-worms, net-worms (networks), and P2P-worms (peer-to-peer systems).
The most dangerous part of worms is their ability to continuously make copies of themselves, sending those copies to other devices through networks, emails, etc.
Sure, in a small network, this is a pain. It might take a while, but infected machines can be manually disconnected, sanitized, and returned to the network after cleaning.
But in a huge enterprise network, this method is simply too expensive in operational costs and man-hours.
Additionally, a cleaned computer in a big, infected network cannot simply be reattached to the network unless all infected machines are disconnected.
Just when you think you’ve dealt with it all, an infected computer somewhere else on your network sends a copy of the worm back to the recently cleaned computer.
And thus, the cycle repeats.
NotPetya, WannaCry, and Other Examples of Computer Worm Attacks
Worm attacks are OS- or vulnerability-dependent.
However, just because a worm doesn’t affect your system directly doesn’t mean it’s not infected.
For example, the Stuxnet malware propagated as a worm but didn’t affect most systems, lying dormant on most of them.
However, when Stuxnet found a PC operating the Siemens Step7 industrial control system software, it modified the code to introduce unexpected commands to destroy the industrial equipment run by the controllers.
Two other infamous examples are the NotPetya and WannaCry attacks, which spread quickly through networks worldwide and encrypted data as ransomware or fake ransomware.
Though worm attacks aren’t making the headlines currently, several active attacks have been detected:
- The DirtyMoe malware combines botnet and worm capabilities to deliver cryptojacking and distributed denial-of-service (DDoS) attacks. This malware targets vulnerabilities in ThinkPHP, Oracle WebLogic Server, Java deserialization, and Windows.
- Russian attacks on Ukrainian systems include HermeticWiper, which shipped with a wormable HermeticWizard module, though the worm’s capabilities were not disclosed.
- The SMB-related vulnerability in the Windows Remote Procedure Call (RPC) protocol patched this month could permit worms; a scan found several thousand vulnerable systems in Australia alone.
And, keep in mind that attacks don’t need to be modern.
For example, the WannaCry virus struck hard in 2017 but faded fast, since most companies patched their systems or implemented protective controls.
However, in 2018, Taiwan Semiconductor Manufacturing Company became infected out of nowhere.
All it took was an unwitting employee who attached a PC infected by the WannaCry virus to the Operational Technology (OT) portion of their network to perform system updates.
Though the PC was unaffected by WannaCry, the attack soon ravaged unpatched Windows 7 devices controlling OT, costing the company $170 million in downtime.
How to Stop Worm Attacks
As with any malware, the same basic cybersecurity steps can help block worm attacks.
- patching and updating (to block propagation, direct attack)
- strong firewalls (to block external attack)
- email security solution (to block external attack)
- updated endpoint protection (to block direct attack)
A modern managed EDR solution might not automatically stop a zero-day worm, but unlike antivirus (which is completely passive), EDR will send alerts.
From there, a cybersecurity monitoring team can analyze the alert, push out a block on the worm’s processes, and stop the attack throughout your organization.
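That alert-then-contain loop depends on monitoring noticing propagation early. As an added example (not from the original post or from Blue Bastion’s tooling), the Python below flags worm-like fan-out in constructed firewall connection logs: one source contacting many distinct internal hosts on SMB (445) or RPC (135) inside a short window. The log format, addresses, and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real product's); one connection per line.
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
WORM_PORTS = {445, 135}   # SMB and the RPC endpoint mapper, the propagation paths named above
FANOUT_THRESHOLD = 5      # distinct internal targets per source within WINDOW (assumed)
WINDOW = timedelta(seconds=60)

def parse(lines):
    """Yield (timestamp, src, dst, dport) for lines that match the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def find_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Map each source that reached >= threshold distinct hosts on SMB/RPC ports
    inside one sliding window to the largest distinct-target count seen."""
    hits = defaultdict(list)
    for ts, src, dst, dport in sorted(parse(lines)):
        if dport in WORM_PORTS:
            hits[src].append((ts, dst))
    alerts = {}
    for src, events in hits.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

# Constructed sample: 10.0.1.5 sweeps six peers on 445 in 15 s (worm-like);
# 10.0.1.9 re-contacts one file server (benign); 10.0.1.7 uses 443 (ignored).
SAMPLE_LOG = [
    "2022-04-12T10:00:00 src=10.0.1.9 dst=10.0.2.50 dport=445",
    "2022-04-12T10:00:02 src=10.0.1.7 dst=10.0.2.8 dport=443",
] + [
    f"2022-04-12T10:00:{3 * i:02d} src=10.0.1.5 dst=10.0.2.{10 + i} dport=445" for i in range(6)
] + [
    f"2022-04-12T10:00:{20 + i:02d} src=10.0.1.9 dst=10.0.2.50 dport=445" for i in range(6)
]

if __name__ == "__main__":
    for src, count in find_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {count} distinct hosts on SMB/RPC ports within {WINDOW.seconds}s")
```

A host that legitimately talks to many peers on 445 (a backup server, a vulnerability scanner) needs an allowlist or a higher threshold, so tune both against a baseline before paging anyone.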
Bringing It Together
While some cyberattacks, such as ransomware, rely on making themselves known, worm attacks are often sneakier.
Sometimes hiding in the very systems you’re using, they rely on invisibility. That is, until they need to make themselves known, spreading from system to system.
But, with the right procedures, you don’t need to let yourself fall prey to worm attacks.
To secure your organization against worms or any other fast-moving attacks, contact Blue Bastion at 412-349-6680, or fill out the form below for a no-obligation consultation.
Our experts will provide an overview of the options for vulnerability scanning, managed EDR solutions, and cybersecurity monitoring that fits your needs.