Electronic worms (“worms”) are software programs, processes and/or computational entities that are designed to spread via self-propagation techniques throughout one or more computer networks. Such worms infect one or more computers in the network(s) and then probe for new targets to infect. When a vulnerable new target (e.g., computer) is located, the worm “infects” the new target by transferring a copy of itself into the new target. The copy of the worm at the newly-infected target then begins to probe for its own targets to infect. The targets may comprise, for example, any type of wireless or wired computing device.
Many worms are designed to search the computers that they infect for financial or other information (e.g., credit card numbers, bank account information, passwords, social security numbers, etc.). The worm may then transmit this information to, for example, the person who unleashed the worm to facilitate one or more fraudulent enterprises. Other worms are purely destructive in nature such as, for example, worms that are designed to propagate and then perform destructive actions to the machines that the worm has infected and/or to simultaneously send out large volumes of messages to overload a communications network. Numerous other types of worms also exist.
In propagating itself throughout a network of computers, an electronic worm may send any of several different types of communications. For instance, a worm may first send out communications that are often referred to as “initial probes,” which may be used to detect the presence of a target computer. These initial probes may, for example, try to connect to a port on the computer (i.e., find a port on which the computer is listening for network traffic). Once such a potential target is detected, more detailed probing of the target may be performed to determine whether the target is vulnerable to infection. For example, there may be known vulnerabilities in certain types of operating systems or other software that leave a target computer susceptible to infection. The detailed probing may be used by the worm to detect whether or not the target computer runs such an operating system and/or software program. Often, the worm may probe for multiple vulnerabilities, such as a first vulnerability that may allow an initial infection and a second vulnerability that will facilitate a complete transfer of the worm to the target computer. Once a vulnerable target computer is identified, the worm may then attempt an initial intrusion of the target. This is often accomplished by sending a small piece of the worm to the target by taking advantage of the known vulnerability. This small piece of the worm then attempts to take sufficient control of the target computer that the target computer will accept one or more subsequent communications from the worm which transfer the entire worm to the target computer, completing the infection. In addition, during any stage of the infection process, signaling may occur between the computer seeking to infect a target computer and the target computer regarding the progress of the infection. Additionally, an electronic worm may also send communications to and/or receive communications from its creator.
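The two probe stages described above leave distinct traces in connection telemetry: an “initial probe” sweep touches one port on many hosts and is mostly refused, while “detailed probing” touches many ports on the one host that answered. The following added example (not part of the original text) flags both patterns over a constructed set of connection-attempt records; the record layout, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed connection-attempt records: (src, dst, dst_port, accepted).
# Made-up sample data for illustration, not captured traffic.
FLOWS = [
    # one source sweeping port 445 across many hosts, mostly refused: initial probes
    ("10.0.0.5", "10.0.1.1", 445, False),
    ("10.0.0.5", "10.0.1.2", 445, False),
    ("10.0.0.5", "10.0.1.3", 445, True),
    ("10.0.0.5", "10.0.1.4", 445, False),
    ("10.0.0.5", "10.0.1.5", 445, False),
    ("10.0.0.5", "10.0.1.6", 445, False),
    # the same source then probing several ports on the one host that answered
    ("10.0.0.5", "10.0.1.3", 139, True),
    ("10.0.0.5", "10.0.1.3", 135, True),
    ("10.0.0.5", "10.0.1.3", 3389, False),
    # an ordinary client talking to its usual servers (should not be flagged)
    ("10.0.0.9", "10.0.2.1", 443, True),
    ("10.0.0.9", "10.0.2.2", 443, True),
    ("10.0.0.9", "10.0.2.1", 443, True),
]


def profile_sources(flows, sweep_hosts=5, sweep_refused=0.5, probe_ports=3):
    """Return {src: [findings]} for sources matching the two probe stages:
    a horizontal sweep (one port, many hosts, mostly refused) and a vertical
    probe (many distinct ports on a single host). Thresholds are assumed."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))    # src -> port -> {dst}
    attempts_per_port = defaultdict(lambda: defaultdict(int)) # src -> port -> count
    refused_per_port = defaultdict(lambda: defaultdict(int))  # src -> port -> refused
    ports_per_host = defaultdict(lambda: defaultdict(set))    # src -> dst -> {port}
    for src, dst, port, accepted in flows:
        hosts_per_port[src][port].add(dst)
        attempts_per_port[src][port] += 1
        if not accepted:
            refused_per_port[src][port] += 1
        ports_per_host[src][dst].add(port)

    findings = defaultdict(list)
    for src in hosts_per_port:
        for port, hosts in hosts_per_port[src].items():
            refused_ratio = refused_per_port[src][port] / attempts_per_port[src][port]
            if len(hosts) >= sweep_hosts and refused_ratio >= sweep_refused:
                findings[src].append(("sweep", port, len(hosts)))
        for dst, ports in ports_per_host[src].items():
            if len(ports) >= probe_ports:
                findings[src].append(("probe", dst, len(ports)))
    return dict(findings)
```

Run against the sample above, only 10.0.0.5 is reported, with one sweep finding for port 445 and one probe finding for 10.0.1.3; the ordinary client is not flagged.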
Each infected target may become a new source of the worm contagion. As a result, worms may spread in an exponentially increasing fashion as more and more copies of the worm spread to additional computing devices and search for new targets to infect. Moreover, when actions are taken to slow or stop the spread of a worm, some worms may be designed to detect such countermeasures and respond by taking actions that may be harmful to the data and/or equipment associated with one or more of the infected computing devices. By way of example, immediately upon detecting that countermeasures are being applied to prevent it from spreading, the worm may alter or delete many or all of the data and/or files on the infected computing device. Alternatively, upon detection the worm may start altering and/or deleting the data and files at a slow rate, since, over time, this may allow the worm to inflict more damage across the entire network (the rapid deletion of data and files is more likely to alert network security administrators, who will act to stop the spread of the worm). Still other worms may cause mechanical actions to be performed on one or more infected computing devices such as, for example, continuous disk drive head manipulation, which can wear out or damage hardware resident on the target computing device. Worms may also act to delete data and/or damage equipment prior to detecting countermeasures. However, because such actions increase the likelihood that the worm will be detected and subsequently subjected to countermeasures, many worms do not act to alter or destroy data and/or attack hardware prior to detection.
Given their multi-sourced, self-propagating characteristics, certain worms can be difficult to safely contain using conventional approaches. The task of containing worms may become more difficult as more and more worms incorporate capabilities to retaliate by, for example, deleting data and/or damaging hardware in response to detection of efforts to block spread of the worm.