Thursday, November 24, 2005

Damage Assessment

Just how much damage do worms cause? The answer is that it varies, depending upon the design of the worm and the environment in which it is unleashed. Basically, the amount of harm a worm does relies on three factors: how likely the worm is to be activated, how likely it is to spread to other systems, and how destructive its payload is.
Let’s look closer at each of these factors. First, what influences how likely a worm is to become activated? In the case of a passive worm, its level of activation relies upon the quality of its social engineering, as we discussed in the previous section. In the case of an active worm, its level of activation depends upon the number of systems it encounters that have the vulnerability the worm needs to exploit.
The next factor is how likely the worm is to spread to other systems. This depends on chance and on the way the worm’s code works. If a worm propagates by finding email addresses in recipients’ address books, how quickly it spreads depends upon how many addresses the users of infected systems keep in their address books. If a worm propagates by trying to send itself to various IP addresses, how far it spreads depends on how many of the addresses it reaches belong to systems with the necessary vulnerability.
Finally, the amount of damage a worm does depends upon its payload. Worms contain at least one payload that lets the worm replicate. Frequently, however, worms carry a second payload: the code that directly causes damage.
Some worms cause damage simply through propagation. These worms send many copies of themselves through a system in a relatively short period of time, which can slow infected servers down or even shut them down. The effect is essentially that of a DoS (denial of service) attack.
Other worms not only cause damage through propagation, but also through the additional code they include. For instance, a worm might contain a payload that vandalizes web sites, forwards private files to other recipients, or damages files on recipients’ computers.
What is important to remember, however, is that a worm’s payload is only part of the equation. Even a worm with a highly destructive payload will not cause widespread damage unless it is also widely activated and quickly propagated. A payload that could bring down huge servers causes no damage at all if the worm never finds systems with the necessary vulnerabilities and cannot propagate efficiently to other systems.
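To put the three-factor argument into numbers, here is a small mean-field model I have added (it is not part of the original post). It treats expected damage as the number of hosts the worm reaches multiplied by the harm its payload does per host; the susceptible fraction, the contact rate, the host count and the payload severity are all constructed parameters, and the same formula covers an active worm (vulnerable systems, scan rate) and a passive one (recipients who run the attachment, address-book size).

```python
# Added example (not from the original post): a mean-field model of the
# three damage factors. "susceptible_fraction" stands for the share of hosts
# that let the worm activate (vulnerable systems for an active worm, or
# recipients who run the attachment for a passive one); "contacts_per_tick"
# is the scan rate or address-book size that drives propagation.
def simulate_spread(n_hosts, susceptible_fraction, contacts_per_tick, ticks,
                    initial_infected=1):
    """Return the expected number of infected hosts after `ticks` rounds."""
    infected = float(initial_infected)
    # Susceptible hosts not yet infected; the seed hosts are assumed susceptible.
    susceptible_left = max(0.0, susceptible_fraction * n_hosts - infected)
    for _ in range(ticks):
        # Each infected host contacts `contacts_per_tick` uniformly random
        # addresses. A given host avoids every contact with probability
        # (1 - 1/N)^(contacts * infected); the complement is its chance of
        # being reached at least once this tick.
        p_reached = 1.0 - (1.0 - 1.0 / n_hosts) ** (contacts_per_tick * infected)
        newly_infected = susceptible_left * p_reached
        susceptible_left -= newly_infected
        infected += newly_infected
    return infected


def expected_damage(n_hosts, susceptible_fraction, contacts_per_tick, ticks,
                    payload_severity):
    """Damage = reach of the worm x harm per infected host.

    `payload_severity` is an arbitrary per-host cost (0 for a worm that only
    replicates, 1.0 for one that destroys data on every host it infects).
    """
    infected = simulate_spread(n_hosts, susceptible_fraction,
                               contacts_per_tick, ticks)
    return infected * payload_severity


if __name__ == "__main__":
    # Constructed scenario: 10,000 hosts, a maximally destructive payload, and
    # a shrinking share of susceptible hosts (more patching or better user
    # awareness). The payload is identical in every row; only activation and
    # propagation change, yet the expected damage collapses with them.
    for frac in (1.0, 0.5, 0.1, 0.01, 0.0):
        dmg = expected_damage(10_000, frac, 10, 20, payload_severity=1.0)
        print(f"susceptible fraction {frac:4.2f}: expected damage {dmg:8.1f}")
```

The last row (no susceptible hosts) leaves only the seed host affected, which is the post's point: the same payload does no wider damage once activation and propagation are removed.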