Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Active

This is the most dangerous type of worm, as it doesn't require any sort of user interaction at all. It also requires the highest level of skill to write. Active worms spread by scanning the internet for one or more types of vulnerabilities. Once a vulnerable target is found, an exploit attempt is made that, if successful, results in the uploading of the worm to the attacked host, where propagation continues in the same form. These worms are usually spotted first by an increasing number of hosts scanning the internet, most often scanning for a single port. They also usually exploit weaknesses that have been well-known to the public for hours, days, weeks or months. Examples of this type of worm include the Wank worm, Code Red, Sadmind, SQL Slammer, Blaster, Sasser and others. As the use of firewalls and NAT routers increases, and as anti-exploit techniques like the one employed by Windows XP SP2 become more common, these worms will find fewer hosts to infect. As of this writing, it has been a while since the last big active worm hit the net.
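The detection cue above (a growing number of distinct hosts all probing one port) can be turned into a simple monitor over flow logs. This is an added example, not code from the Uninformed article; the log format, the hourly window and the thresholds are assumptions, and the records are constructed, modelled on the UDP/1434 pattern of the SQL Slammer outbreak mentioned in the text.

```python
"""Flag the active-worm signature described in the text: a sudden rise in the
number of distinct source hosts probing a single destination port.
Added example; log format and thresholds are assumptions, not from the article."""
from collections import defaultdict

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto".
# Hour 0 is normal traffic; hour 1 adds six new hosts all hitting UDP/1434.
FLOW_LOG = """\
1000 10.0.0.5 192.0.2.10 80 tcp
1000 10.0.0.6 192.0.2.11 443 tcp
1001 10.0.0.7 192.0.2.12 25 tcp
3600 198.51.100.1 192.0.2.20 1434 udp
3601 198.51.100.2 192.0.2.21 1434 udp
3601 198.51.100.3 192.0.2.22 1434 udp
3602 198.51.100.4 192.0.2.23 1434 udp
3602 198.51.100.5 192.0.2.24 1434 udp
3603 198.51.100.6 192.0.2.25 1434 udp
3603 10.0.0.5 192.0.2.10 80 tcp
"""

def parse_flows(text):
    """Yield (window, src_ip, dst_port) per record, bucketed into hourly windows."""
    for line in text.splitlines():
        ts, src, _dst, port, _proto = line.split()
        yield int(ts) // 3600, src, int(port)

def distinct_scanners_per_port(flows):
    """Map (window, dst_port) -> set of distinct source hosts seen on that port."""
    table = defaultdict(set)
    for window, src, port in flows:
        table[(window, port)].add(src)
    return table

def flag_scan_surges(table, min_sources=5, growth=3):
    """Return (window, port, count) for every port whose distinct-source count in a
    window reaches min_sources and is more than `growth` times the previous window's.
    A single port lighting up from many new hosts at once is the spreading pattern
    the text describes; one host sweeping many ports would not trigger this rule."""
    alerts = []
    for (window, port), srcs in sorted(table.items()):
        prev = len(table.get((window - 1, port), ()))
        if len(srcs) >= min_sources and len(srcs) > growth * max(prev, 1):
            alerts.append((window, port, len(srcs)))
    return alerts

if __name__ == "__main__":
    for window, port, n in flag_scan_surges(distinct_scanners_per_port(parse_flows(FLOW_LOG))):
        print(f"hour {window}: {n} distinct hosts probing port {port}")
```

On the constructed log this reports the six new hosts on port 1434 in hour 1 and stays quiet about the steady port 80 and 443 traffic.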

Other active infection vectors include code spreading via unset or weak passwords on CIFS shares, IRC and instant messaging networks, Usenet, and virtually every other data exchange protocol.