Viral Worms

Introduction

Computer systems are affected by many security issues, which have been on the rise over the last two decades. Some of these result from human actions, such as hackers who write malicious programs that harm computer systems. This harmful code includes viruses, Trojans, and worms. This document focuses on worms: how an example of a worm can attack and take over a system, the effects worms have, and how to avoid attacks by worms. Worms are programs that use host files to move from one computer to another; mostly, they exist within other files. The file or document that carries the worm is what moves from one computer to another, and it should be treated as the worm.

WannaCry Ransomware Worm

In recent times there has been an outbreak of a worm that takes over an entire computer system, so that users are denied access to their computers. This was the result of work by a group of hackers who started the campaign. The worm responsible has been called by many names, such as WannaCry, Wcry or Wanna. The attack targeted organizations, after which the hackers demanded a ransom before the systems could be returned to normal. The hackers leaked a weapon-grade exploit from the United States’ National Security Agency (NSA), which resulted in attacks on organizations worldwide (Goodin, 2017).

A few hundred thousand computers were affected by this worm in more than 150 countries. Like other worms, WannaCry moves from computer to computer once it gets into an organization. The hackers designed the worm so that it relied mainly on a vulnerability in Windows computers, which was later corrected by a Windows patch. Some countries were more infected than others, with China and Russia leading the queue and Russia recording the highest rate of infection from the attack (Goodin, 2017).

Exploitation

The main channel through which WannaCry spread was Windows machines, mainly via the Server Message Block (SMB) protocol on ports 139 and 445 (Ernst & Young Global Limited, 2017). These are the ports used for communication between file systems and Windows computers over a network. Once the worm is fully installed, it searches the network for less secure systems and installs itself on them; this continues until every computer on the network is infected. After installation, WannaCry encrypts all the files on the system (the victim’s machine), after which a message demanding a ransom payment is displayed on the computer screen. The figures are $600 or $300, to be paid to the hackers through bitcoin. The worm then checks the IP address of the computer it is running on and proceeds to scan the addresses in the same subnet to find more machines to attack, namely machines that are not well secured (Ernst & Young Global Limited, 2017). When WannaCry locates a vulnerable computer and connects to it, it transfers itself to that system, installation takes place, and the cycle repeats. This continues until all the machines on the network are infected, unless the computers are shut down.
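The scan-and-spread cycle described above leaves a recognisable footprint in network logs: a single internal host attempting connections to many distinct neighbours on ports 139 and 445 within a short time, which ordinary file-sharing clients (that talk repeatedly to one or two servers) do not do. The following Python script is an added example written for this document, not code from the original essay or from any cited source. It flags such SMB fan-out in a constructed connection log; the log format, the IP addresses, the 60-second window and the threshold of 10 distinct peers are all assumptions chosen for illustration and would be tuned to a real environment.

```python
"""Flag SMB fan-out (one source reaching many distinct peers on 139/445).

Added example, not from the original document. The log format below is a
constructed one: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the text names as WannaCry's spreading channel.
SMB_PORTS = {139, 445}

# Constructed sample log: 10.0.5.23 sweeps its subnet on 445/139 in seconds,
# 10.0.5.40 talks repeatedly to one file server (benign), 10.0.5.41 is noise.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.5.23 10.0.5.1 445 SYN
2017-05-12T10:00:01 10.0.5.23 10.0.5.2 445 SYN
2017-05-12T10:00:02 10.0.5.23 10.0.5.3 445 SYN
2017-05-12T10:00:02 10.0.5.23 10.0.5.4 445 SYN
2017-05-12T10:00:03 10.0.5.23 10.0.5.5 139 SYN
2017-05-12T10:00:03 10.0.5.23 10.0.5.6 445 SYN
2017-05-12T10:00:04 10.0.5.23 10.0.5.7 445 SYN
2017-05-12T10:00:04 10.0.5.23 10.0.5.8 445 SYN
2017-05-12T10:00:05 10.0.5.23 10.0.5.9 445 SYN
2017-05-12T10:00:05 10.0.5.23 10.0.5.10 445 SYN
2017-05-12T10:00:06 10.0.5.23 10.0.5.11 445 SYN
2017-05-12T10:00:10 10.0.5.40 10.0.5.200 445 SYN
2017-05-12T10:00:11 10.0.5.40 10.0.5.200 445 SYN
2017-05-12T10:00:12 10.0.5.41 10.0.5.201 443 SYN
2017-05-12T10:05:00 10.0.5.41 10.0.5.202 445 SYN
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_smb_fanout(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: peak_distinct_smb_peers} for every source that reached
    at least `threshold` distinct destinations on SMB ports inside any
    sliding window of length `window`.

    Counting distinct destinations (not raw connection attempts) is what
    separates a subnet sweep from a client hammering one file server.
    """
    events = defaultdict(list)  # src -> [(ts, dst), ...] on SMB ports only
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, port, _ = parse_line(raw)
        if port in SMB_PORTS:
            events[src].append((ts, dst))

    alerts = {}
    for src, ev in events.items():
        ev.sort()  # chronological order
        start = 0
        in_window = defaultdict(int)  # dst -> number of attempts in window
        for ts, dst in ev:
            in_window[dst] += 1
            # Slide the window start forward past events older than `window`.
            while ts - ev[start][0] > window:
                old_dst = ev[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"possible SMB worm spread from {src}: {peers} distinct peers in window")
```

Run against the constructed log, only 10.0.5.23 is reported (11 distinct peers within one window); the repeated connections from 10.0.5.40 to a single server and the isolated 445 attempt from 10.0.5.41 fall below the threshold. In practice the same logic would read firewall, flow or endpoint connection records, and the window and threshold would be set from a baseline of normal SMB traffic on the subnet.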

Impact of WannaCry

The worm affected organizations in more than 150 countries, as mentioned before. Examples are the National Health Service in the United Kingdom, Telefonica (a telecommunications company in Spain) and the Interior Ministry of Russia. The health service in the United Kingdom was hugely affected, which resulted in the cancellation of treatments, appointments, and surgeries for the health service’s staff and patients. China was also heavily affected, with the number of affected organizations surpassing 40,000. According to the statistics, Russia was the country that suffered the biggest blow from the attack (Ernst & Young Global Limited, 2017).

How the worm works and why it was successful

There was an earlier report that the worm originally started spreading from malicious emails, though the attack spreads mainly through a publicly accessible vulnerability in Server Message Block (SMB), propagating across computer systems over a network. Before the encryption starts, the malware (WannaCry) checks whether a uniform resource locator (URL) hard-coded into the worm responds when the worm communicates with it (The Computer Emergency Response Team of Mauritius (CERT-MU), 2017). If no response is received, encryption of the files on the infected computer begins, after which access to the computer is lost completely. Once file encryption begins, everything is encrypted, including any new files created.

On completion of file encryption, a message demanding payment (a ransom) is displayed on the computer’s screen, together with instructions on how to pay the ransom and recover the lost files. Consequences for not complying are also displayed (Ernst & Young Global Limited, 2017). The ransom demanded is $600 or $300, to be paid in bitcoin to an unknown account. The worm uses a resource from the United States NSA known as “EternalBlue”, released by a group of hackers calling themselves “Shadow Brokers” on the 14th of April 2017.

How the spread of the malware was stalled

After the worm hit major organizations, research was launched to determine ways to stop or stall the spread of WannaCry. A researcher working on the malware discovered a loophole: WannaCry was trying to communicate with an unregistered domain. This allowed the malware to continue infecting systems, because it could not get a response from the domain it was trying to reach (The Computer Emergency Response Team of Mauritius (CERT-MU), 2017). The researcher had the domain registered, and this stopped the worm from infecting new systems, because once a connection to the domain was established, the malware behaved as if it were running in an antivirus mode. Systems that were already infected could not be salvaged by this action and had to pay the ransom or lose their files. The domain acted as a “kill switch”. Organizations that used a proxy to access the internet still suffered losses because, behind a proxy, the malware remained operational.

Mitigating the risk

Institutions, organizations, and companies can help reduce the risk of their systems being exposed by observing the following: ensuring that their systems are up to date with all vulnerabilities closed, always keeping a backup of their files and programs, using monitoring at endpoints, operating systems that are considered sensitive offline, and making sure that staff are trained in security awareness (The Computer Emergency Response Team of Mauritius (CERT-MU), 2017).

Conclusion

This document has presented a discussion of computer security, in this case worms. A specific worm was discussed: how it is transferred from computer to computer, how it affects computer systems, ways to stop it, and how to reduce the risk of being affected by it. Just like viruses and Trojans, worms are harmful to computer systems, some with far-reaching effects such as the WannaCry ransomware. It is the responsibility of all organizations, institutions, and companies to make sure that their daily practices work towards an environment free from such malware.