In the world of malware, there are two common ways of spreading malware: with a computer virus and with a computer worm. A computer virus is more or less “controllable” by its creator, which means it can be sent to specific targets by, for instance, spear phishing. A worm, however, is completely out of control once it is set loose, infecting any random target that happens to be vulnerable. In other words: lots of collateral damage.
I have split up this post into two parts. The first part is a brief explanation of the most recent worm out there: Cyclops Blink and its creator. The next part shows the basics of how a computer worm works.
Cyclops Blink
A few days ago, a new piece of malware named Cyclops Blink (active since June 2019) was exposed on networks. Cyclops Blink targets network devices, conscripting them into a botnet and exposing them to further infection. Specifically, this refers to WatchGuard devices (although there is a high probability that this technique can also be applied to other systems) whose remote management is enabled, which is not a default setting. How the attackers gain access to the firewall is unknown. What is clear is that they use the legitimate update process to install rogue firmware.
According to the NCSC, the developers have clearly reverse-engineered the firmware update process of the WatchGuard Firebox and found a specific weakness in this process, namely the ability to recalculate the HMAC value used to verify a firmware update image. HMAC stands for Hash-based Message Authentication Code and is a specific type of message authentication code that combines a cryptographic hash function with a secret cryptographic key. This check normally protects your device, but the weakness allows attackers to permanently infect the WatchGuard firewall, since the infection lives in the firmware itself. According to the NCSC, Cyclops Blink is a professionally developed and highly sophisticated type of malware.
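To make the HMAC step concrete, here is an added example (not WatchGuard's code, and not describing its actual image format) of how a firmware verifier uses an HMAC. It assumes a hypothetical layout in which the image body is followed by a 32-byte HMAC-SHA256 tag; the key is a constructed demo value. It shows the tag rejecting a modified image, a wrong key, and a truncated image, and it uses a constant-time comparison:

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes (assumed image layout: body || tag)


def sign_image(body: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the image body (hypothetical layout)."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_image(image: bytes, key: bytes) -> bool:
    """Recompute the tag over the body and compare it in constant time.

    Returns False for images too short to carry a tag, for any modification
    of the body, and for a tag produced under a different key.
    """
    if len(image) <= TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the verifier on constructed inputs and return the outcomes."""
    key = b"constructed-demo-key-not-a-real-secret"  # constructed, for illustration only
    genuine = sign_image(b"FIRMWARE v1.0 " + b"\x00" * 64, key)

    tampered = bytearray(genuine)
    tampered[5] ^= 0x01  # flip one bit in the body

    return {
        "genuine_ok": verify_image(genuine, key),
        "tampered_ok": verify_image(bytes(tampered), key),
        "wrong_key_ok": verify_image(genuine, b"another-key"),
        "truncated_ok": verify_image(genuine[:10], key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the Cyclops Blink case illustrates is that an HMAC only authenticates the image if the verification key stays secret from whoever can build an image: anyone who can recompute the tag (which the NCSC reports the attackers were able to do) can make a rogue image pass this check. That is why firmware signing is generally done with an asymmetric signature, where the device only holds a public key and the private signing key stays offline with the vendor.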
Organizations using WatchGuard firewalls should assume that all passwords on the device have been compromised. This means that you have to 1) disinfect your device and 2) change all your passwords. WatchGuard states that less than 1 percent of its firewalls are believed to have been infected. For now, no data appears to have been stolen through the compromised firewalls. WatchGuard has developed a detection tool and provides more information on this page, explaining what organizations can do to detect and remove the malware from their devices.
Sandworm
Several national security agencies, including the United Kingdom’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), have attributed this malware to the actor Sandworm / Voodoo Bear. The Sandworm actor has been linked to the Russian General Staff Main Intelligence Directorate (GRU) Main Centre of Special Technologies (GTsST). Sandworm is a well-known example in the cybersecurity world of a state-sponsored actor.
Sandworm is also known as Unit 74455, and it is believed that this team of Russian state hackers is responsible for the December 2015 Ukraine power grid cyberattack, the 2017 cyberattacks on Ukraine using the Petya malware, interference in the US 2016 and French 2017 presidential elections, and the cyberattack on the 2018 Winter Olympics opening ceremony. In other words: a pretty impressive track record in my opinion.
What is a computer worm?
A computer worm is a type of malware that is designed to spread quickly across multiple devices while remaining active on each infected device. The main difference between a computer worm and a virus is that a worm can spread copies of itself to uninfected machines completely on its own. The computer worm is completely self-sufficient and can execute and multiply itself without any user interaction. You don’t even have to use your device for a worm to activate, replicate, and spread: once a computer worm enters your device, it can spread immediately.
A virus needs to “borrow” your computer’s programming or code to execute and replicate but worms are self-contained. A computer virus and a computer worm are completely different types of malware.
How do computer worms operate?
When a computer worm gains a foothold on a host device, it can freely spread throughout a network without external support or actions: worms don’t need to fool you into activating them by opening and running malware programs.
Worms use hidden vulnerabilities in an operating system (OS). They are created in such a way that they can burrow themselves into the OS of the target. After that, they can start doing their work without the target knowing.
Years ago, worm malware could only enter a network in a physical way. A worm would be copied onto a floppy disk or another kind of media drive (like a USB flash drive) and activated once a victim inserted it into their device. This is still done, but not as much as in the past.
With the growth of the internet, the most common ways to encounter computer worms are nowadays purely electronic, like e-mail, instant messages, and file-sharing networks.
Types of computer worms
Computer worms can be sorted into different categories. Each category has a specific way to attack its target and to jump to its next system.
Internet worms
This is (in my opinion) the most dangerous worm of all. Internet worms don’t have to interact with their victims. An internet worm targets specific vulnerabilities in a given operating system (OS) or other services, or security flaws like weak passwords.
A network worm scans the internet or a Local Area Network (LAN) for other computers with the same security weakness. After that, it spreads to those machines. Because a lot of internet worms exploit specific software, it is important to always update your operating system, programs, and apps to the latest version as soon as it is available. I know it can sometimes be a hassle to update immediately, but I advise you to update as soon as an update is available.
Email worms
An email worm “borrows” your device’s email client and sends emails to everyone in your contact list. This way, the worm spreads to your contacts, then through their contacts, and so on. This leads to an exponential spread of the worm.
Some of the emails include attachments that execute and install the worm on the device of the receiver. Other email worms enclose links in the email to lead readers to malicious websites that automatically download the worm when the victim visits the website.
The most effective email worms use clever social engineering techniques to trick victims into downloading the attachment or clicking the desired links.
File-sharing worms
Streaming has been a very popular way of sharing files and has become a very important way for consumers to consume different forms of media (music, movies, TV shows, etc.). Next to legitimate (and safer) forms of streaming, a lot of people still choose to source their own files (music, movies, TV shows, etc.) through a peer-to-peer file-sharing network.
This type of file-sharing (peer-to-peer) operates in an illegal and unregulated area. Hiding worms in high-demand files and spreading them peer-to-peer is a very popular way of spreading worms quickly. After an infected file has been downloaded, the worm copies itself onto the device of the victim. After that, it continues its work. My advice: don’t be a cheapskate and just pay for a streaming service instead of illegally downloading your favorite movie or music album.
Instant messaging (IM) worms
IM worms burrow themselves into a messaging platform like Skype, Facebook Messenger, or WhatsApp and then send a message to all the contacts of an infected victim.
They use the same social engineering strategy as an email worm: they try to convince victims to click on a specific link. When a victim clicks the link, they are taken to an infected website. Meanwhile, the worm passes the message on to every one of the victim’s contacts, and so on.
IM worms are very common on mobile phones. A lot of people don’t know that a phone can also be infected with a virus, but it can. Also important to know: you can install a virus scanner on a phone.
Potential damage of device after infection
Computer worms don’t do immediate damage (unlike a computer virus). In most cases, they will only slow down your device. The biggest threat of a worm is the malicious “payload” attached to it. This is code that is designed to make your device vulnerable to other forms of malware. This can lead to a device becoming part of a botnet, losing sensitive information like your passwords or banking information, or suffering from other kinds of online attacks. A computer worm is most of the time part of a multi-stage plan, executed by the same group of hackers.
How to prevent infection by a computer worm?
Like all viruses, acting vigilantly by being sensible and smart prevents you from becoming a victim of a computer worm. Below are tips that can help you with that:
- Don’t click on strange links. Never open unfamiliar or unexpected links, not even from someone you know (remember the worm that feeds on contact lists). No “funny” video or picture is worth the risk of a malware infection. Just ignore the link.
- Don’t open weird email attachments. Opening an unfamiliar or unexpected email attachment is asking for trouble, even from someone you know: again, remember the worm that feeds on contact lists. In case you think the file is legit, get in touch with the friend or family member who supposedly sent the file to check whether they sent it themselves or whether it was sent by a worm.
- Don’t use peer-to-peer (P2P) programs. Downloading movies and music for free might be tempting, but just don’t do it. If it is legal, always use a VPN and “vet” the source.
- Use the most current software. A computer worm relies on outdated software to access your device. Counter this by always updating your operating system and other programs as soon as a new security patch or general update becomes available. Don’t wait: there is a reason why these patches are released, and a lot of the time it’s security-related.
- Use strong and unique passwords. Some worms use default factory login credentials to infect devices. When you protect your phone, computer, tablet, or any other device with a strong password that is hard to guess, these kinds of worms will fail in their attempt to infect your system. I recommend a password manager like KeePass. It is completely free, and in this post I explain how to set up this password manager step by step.
- Don’t click on sketchy ads. There are worms out there that can infect websites and spread to your device when you click a contaminated ad. I advise using ad-blocking software to prevent this. In this post, I show you my top 5 free privacy protection apps that also include ad-blockers.
Final thoughts
Worms are probably the most damaging types of malware out there. Examples like MyDoom (€ 38 billion of damage), SoBig (€ 30 billion of damage), and Klez (€ 19.8 billion of damage) had a lot of impact on the global economy. The financial damage of these three examples is comparable to the financial damage of some big natural disasters in 2020, like Hurricane Laura (€ 20 billion of damage) and Cyclone Amphan (€ 15 billion of damage).
Feel free to contact me if you have any questions or any additional advice/tips about this subject. If you want to stay in the loop when I upload a new post, don’t forget to subscribe to receive a notification by email.