This might be more suitable for some other branch in Saloon, but I am not sure which one! Lately, we all were reading and responding to the latest worm threats in cyberspace, CodeRed and SoBig.F and what not! I wonder how they write these worms? What's a worm's architecture? Some googling gave me details about another breed of super worms, which could be even more dangerous, spreading across the Internet by coordinated infection (Warhol worms). So, does anyone know anything about how they write these worms? Thanks in advance!
Like all animals earthworms have effective strategies for begetting their own kind. With earthworms it is not a matter of boy meets girl, but rather a simpler matter of worm meets worm. All worms carry two sets of sexual organs, but they cannot fertilize their own eggs; mating is still a necessary part of reproduction. Mature earthworms have an enlarged band some distance from the head. This enlarged clitellum plays an important role in reproduction. In mating, two worms approach each other nose to nose. With their bodies touching, they slide past each other until their heads are a bit past the clitellum. Both worms pass sperm through an opening located between the head and the clitellum, into a temporary holding receptacle in the other worm. The two worms separate. The clitellum secretes a liquid that solidifies into a flexible tube. As the tube lengthens, the worm backs out of it. Soon the tube covers the front part of the worm. The worm lays a few eggs inside the tube, deposits some of the stored sperm, and withdraws from the tube, leaving the eggs and sperm inside the tube. The ends of the tube pinch off to form a cocoon, and the whole thing shrinks to a tidy package about the size of a fat grain of rice. The cocoon is left alone sitting on or just under the surface of the soil. The worm continues to produce cocoons until the sperm is used up. Cocoons are durable, can overwinter in cold climates, and can wait out hot dry spells in arid environments. After 3 weeks (ideal conditions) or longer the cocoon opens, and out sallies the next generation.
"JavaRanch, where the deer and the Certified play" - David O'Meara
Hi, I guess there are only two kinds of people who can help here:
1. one who writes those worms
2. one who writes patches for those worms
Anybody like that? I'm sure none is going to admit the 1st role even if they have it. Just babbling in MD... Regards, Maulin
Actually, you might want to contact McAfee or Symantec regarding this question. I mean, they are the ones creating all the worms and viruses. It's how they stay in business and it's how they find a solution to the problems so fast.
Matt Cao
Ranch Hand
Joined: Apr 03, 2003
Posts: 715
Hello, This is what I have suspected for a long time, because if there is no physical war, create a pen war and soon you will have a physical war. I paraphrase from The Art of War by Sun Tzu. These companies apply it to the science. Regards, MCao
Michael Morris
Ranch Hand
Joined: Jan 30, 2002
Posts: 3451
Well Ashok, on the serious side :roll: , if you want to learn about the Internet species of worms, pick you up a copy of Hacking Exposed. While it doesn't specifically address worms in particular, it shows how any form of hacking vermin can compromise your security. Usually the exploit involves buffer overflows, something we Java hackers can't do. The basic attack scheme is to pass a parameter into a method that overflows the allocation provided by the developer. The bytes passed in have to be carefully crafted so that the part that overflows is actually native machine code. The number of bytes is important too so that at the end of the method the exploit will cause the instruction pointer to jump to the beginning of your carefully crafted overflowed bytes. Unfortunately there are still millions of lines of code out there that potentially have these problems. The good news is the ones with the expertise to do all this usually don't, that's why most internet worms don't do a tremendous amount of damage, they are coded by amateurs who acquired the base exploit from a chat board somewhere.
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Ernst F. Schumacher
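Added example, not part of the original thread or any poster's code: the unchecked parameter copy described in the post above, next to a form that takes the destination size and rejects input that does not fit. The names `store_field_unsafe`, `store_field_checked` and `FIELD_SIZE` are assumptions made for this illustration, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 16 /* constructed buffer size, for illustration */

/* Unsafe pattern: strcpy copies up to the NUL in src and never looks at
 * the size of dst, so a src of FIELD_SIZE bytes or more writes past it. */
void store_field_unsafe(char dst[FIELD_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: the caller states the destination size and over-long
 * input is rejected. Returns 0 on success, -1 on rejection. */
int store_field_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Measure src, but never look further than the destination can hold. */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len == dst_size) {  /* no room left for the terminating NUL */
        dst[0] = '\0';      /* leave a defined, empty result */
        return -1;
    }

    memcpy(dst, src, len + 1); /* len bytes plus the NUL, always in bounds */
    return 0;
}

int main(void)
{
    char field[FIELD_SIZE];
    /* Constructed inputs: short, exact fit (15 chars + NUL), one too long. */
    const char *inputs[] = { "alice", "123456789012345", "1234567890123456" };

    for (size_t i = 0; i < 3; i++) {
        int rc = store_field_checked(field, sizeof field, inputs[i]);
        printf("%-18s -> %s\n", inputs[i], rc == 0 ? "stored" : "rejected");
    }
    return 0;
}
```

Rejecting over-long input, rather than silently truncating it, also gives the caller a return value to log when an oversized parameter arrives.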
Richard Hawkes
Ranch Hand
Joined: Jan 28, 2003
Posts: 1340
Originally posted by Cindy Glass: Patches for Worms!! No - I am not going to touch that one.
"Since using worm patches I'm down to just 3 worms a day! Thanks Worm Patch!"
Ashok Mash
Ranch Hand
Joined: Oct 13, 2000
Posts: 1936
Very informative indeed, Cindy! Looks like worms have loads of sex in their life! But I am really curious to know how computer worms do it (not how real worms do "it"). Thanks a lot for all the comments so far, but I just can't accept that no one in the whole Internet publishes worm design or architecture. Everything is on the net these days and there's no way information on such a popular topic is not discussed or published on the net! Come on, we know everyone who is interested in worms is not necessarily a hacker! I am sure coders at anti-virus software firms, network admins, security specialists and a lot more people would want to know how worms are written! Also there are tens of thousands of wannabe-hackers or wannabe-super-villains a.k.a. 'average geeks' looking for info on these, and I am sure if someone sets up a page with some useful info, they would get thousands of page-hits every hour! Meanwhile, I do remember reading about Worm Architecture on the net, back in 2000. I just can't locate it now!
Ashok Krishnan On a serious side, I personally will not lead people to information that may cause serious problems for me, my friends, my family, and/or colleagues and their computer systems. If you want to learn about such things, I would suggest a different site altogether. I thought that with the humorous babble thus far, you might have gotten the hint.
Timothy Chen Allen
Ranch Hand
Joined: Mar 16, 2003
Posts: 161
Originally posted by Gregg Bolinger: Ashok Krishnan If you want to learn about such things, I would suggest a different site altogether. I thought that with the humorous babble thus far, you might have gotten the hint.
Ashok, I have an excellent site that explains what to install on a computer to make it entirely unreliable and useless: http://www.microsoft.com
Ashok Mash
Ranch Hand
Joined: Oct 13, 2000
Posts: 1936
You got me wrong there, Gregg! I wasn't trying to find out how to code a worm and to write one and to enjoy others' misery, but I was thinking of an informative discussion, where people share their knowledge about how worms work and infect. I think knowing this would ultimately help to prevent infection. IMHO, learning a threat in detail is the best way to tackle this, rather than ignoring it and expecting it to go away. However, I agree this thread in Javaranch/MD didn't turn out to be as informative as I thought it would be. So, I guess I'll take it elsewhere! Thanks!!
Thanks a million, both of you! I have read that Steve Gibson's DOS article before. It was up for dissection in slashdot once, and general opinion was, that he kinda dramatizes everything and makes it all look like end-of-the-world espionage or something even more serious! It's very informative though.
Timothy Chen Allen
Ranch Hand
Joined: Mar 16, 2003
Posts: 161
As I walked to work this morning, I had a troubling (and probably controversial) thought: We responded to Ashok's request for information on how worms were written with humor, and in some cases with gentle but firm warnings that implied that he should not pursue this. There were only a few direct responses. There was an unwritten message: we thought Ashok was going to use the answers to his question to write destructive worms and launch them maliciously, and we didn't want to be his accomplices. Here is the troubling question: Did we respond to Ashok's request this way because he was named "Ashok Krishnan", which does not appear to be a Western name? Would we have responded more positively if the asker had been named "John Hammonds" and had been known to us to be a 47 year old systems administrator from Pittsburgh? It seems that our profile (remember when "profiling" became a buzzword for police-brutality?) for destructive crackers has changed. Before they were 13 year old bored white American (or maybe German) kids with modems. Now the profile is that they are easterners, perhaps motivated by either terrorist or corporate interests. Am I totally out of line here, or were we being, well, racist? I know this is inflammatory: it's been inflaming my head all morning. I don't want to cause trouble, but I am interested in people's responses to this. Thanks in advance. -tim
Richard Hawkes
Ranch Hand
Joined: Jan 28, 2003
Posts: 1340
Maybe we could ask Map to set up a poll?
Ashok Mash
Ranch Hand
Joined: Oct 13, 2000
Posts: 1936
Originally posted by Tim Allen: Here is the troubling question: Did we respond to Ashok's request this way because he was named "Ashok Krishnan", which does not appear to be a Western name? Would we have responded more positively if the asker had been named "John Hammonds" and had been known to us to be a 47 year old systems administrator from Pittsburgh?
Ignoring the inflammatory part (as I really don't have enough time to explain my thoughts about that at this moment), I personally think the lack of responses to the actual question only shows the lack of understanding of the issue. Apart from reading and talking about a bunch of basic varieties - bootloader, trojan etc. - most of us developers don't have a clue how a virus or a worm does what it does. Everyone knows how damaging they can be, and how to update anti-virus patches on their machines and to forward chain mails about virus outbreaks, and that makes some people among us believe that they are on top of the issue, and hence invincible. No one, except a few like Michael Morris, who knew their stuff contributed their knowledge in the subject, without being paranoid about me writing a virus and then planning to take over the world - because he/they knew that's not how things work! Oh, and I didn't think Cindy was warning me about it when she posted that link!
R K Singh
Ranch Hand
Joined: Oct 15, 2001
Posts: 5369
How come it is said that Linux can't have a virus? One can always write a program to be loaded in memory at startup for Linux also. Any Linux guru here?
Angela Poynton
Ranch Hand
Joined: Mar 02, 2000
Posts: 3143
Originally posted by Ashok Krishnan:
No one, except a few like Michael Morris, who knew their stuff contributed their knowledge in the subject, without being paranoid about me writing a virus and then planning to take over the world - because he/they knew that's not how things work! Oh, and I didn't think Cindy was warning me about it when she posted that link!
I suspect she probably was because as a Sheriff here she is very aware that there are a LOT of people who read these pages, not just you and those who post. You have to remember that any information posted here is available to anyone who chooses to access it. I think most people realised that YOU weren't the threat, but we don't know who else is reading. [ September 01, 2003: Message edited by: Angela Poynton ]
Pounding at a thick stone wall won't move it, sometimes, you need to step back to see the way around.
Paul Stevens
Ranch Hand
Joined: May 17, 2001
Posts: 2823
Originally posted by Tim Allen: As I walked to work this morning, I had a troubling (and probably controversial) thought: We responded to Ashok's request for information on how worms were written with humor, and in some cases with gentle but firm warnings that implied that he should not pursue this. There were only a few direct responses. There was an unwritten message: we thought Ashok was going to use the answers to his question to write destructive worms and launch them maliciously, and we didn't want to be his accomplices. Here is the troubling question: Did we respond to Ashok's request this way because he was named "Ashok Krishnan", which does not appear to be a Western name? Would we have responded more positively if the asker had been named "John Hammonds" and had been known to us to be a 47 year old systems administrator from Pittsburgh? It seems that our profile (remember when "profiling" became a buzzword for police-brutality?) for destructive crackers has changed. Before they were 13 year old bored white American (or maybe German) kids with modems. Now the profile is that they are easterners, perhaps motivated by either terrorist or corporate interests. Am I totally out of line here, or were we being, well, racist? I know this is inflammatory: it's been inflaming my head all morning. I don't want to cause trouble, but I am interested in people's responses to this. Thanks in advance. -tim
No. The same question has been asked multiple times. It is not the policy of this site to encourage things like this. The same would hold true for questions about cracking software.
sunitha reghu
Ranch Hand
Joined: Dec 12, 2002
Posts: 937
Originally posted by R K Singh: How come it is said that Linux can't have a virus? One can always write a program to be loaded in memory at startup for Linux also. Any Linux guru here?
Who said that??? Linux was also attacked. I forgot the name, some name starting with top ramen noodles, something like that. I think the win32.winux virus attacked Linux (I may be wrong).
sunitha reghu
Ranch Hand
Joined: Dec 12, 2002
Posts: 937
I think Ashok just wants to know how worms work, not how to write them. He didn't ask anyone to give the source code. Am I right?
Marilyn de Queiroz
Sheriff
Joined: Jul 22, 2000
Posts: 9033
Personally, I'm not worried about Ashok Krishnan even if he did ask for the source. I'm worried about the thousands who read threads here at JavaRanch. Perhaps one would be interested in seeing if he would succeed in writing a worm that was as "successful" as MSBlaster or Sobig.F
I don't want to take that chance.
JavaBeginnersFaq "Yesterday is history, tomorrow is a mystery, and today is a gift; that's why they call it the present." Eleanor Roosevelt
Joe Pluta
Ranch Hand
Joined: Jun 23, 2003
Posts: 1376
And now I get to show my true bias... When it comes to worms and viruses, one word: OS/400. ZERO documented worms or viruses in OS/400 (the operating system for the IBM iSeries). Ever. The iSeries has never had a virus or worm of any kind. And that includes its predecessor systems back to the System/3 in the 70's. You CAN install viruses on the disk these days since it shares with other systems, but those viruses will not run natively on the machine and cannot replicate without Windows or some other carrier on the network. Joe
Andrew Monkhouse
author and jackaroo
Marshal Commander
I don't think anyone is being racist. I cannot tell from a person's displayed name what country they are from or what country they now call home. So my not posting is not because of who asked it. My concern is more in two areas:
someone (like Ashok) may decide to build a worm / virus "just to see how it works". Some of the earliest worms were created as research projects (often on computers not connected to the internet) then they escaped into the wild without the author being aware of it.
someone else who happens to find the instructions may decide to build a worm / virus with malicious intent.
In either case, I would not want to support this. I think the big cracker club in Germany (cannot remember the name at present) does give information on how to build such applications, and on cracking in general. But they generally only give the information when they are aware of who is asking, and they ensure that they feed all information to the firewall / anti-virus manufacturers. There are also organisations that offer "white-hat" training: teaching people how to crack into systems so that they can then harden their systems against cracking. Again this information is not freely given out: you have to register and physically attend a seminar to learn this stuff.
How come it is said that Linux can't have a virus?
Any operating system could potentially get a virus or a worm or a trojan or .... But it is much harder to write such software for Linux than for Microsoft operating systems. Buffer overruns are less of a problem with Linux because:
the source code is usually published, so experts get to spot potentials for buffer overruns and fix the problems early in the distribution cycle.
patches become available very quickly, and Linux users are more likely to upgrade their applications than a Microsoft user (and it is usually easier to do so in Linux).
services are not usually run as "root" (or administrator) so even if you did exploit a buffer overrun, you will get very few (if any) privileges on a Linux system.
Likewise viruses are harder to propagate. Many viruses target Microsoft Windows simply because it is easy and because it is the predominant desktop (for now). If one of those Microsoft viruses gets to my Linux box, it will not be able to run. Many viruses target Outlook / Outlook Express, again because of how commonly they are used. People using Eudora or some other email client are usually safe from most viruses that abound today. When you start looking at Linux there is no one standard email client, so it is much harder to target email clients. But certainly a DDOS doesn't care what OS you are running. And a virus, worm, or trojan dedicated to running under Linux could attack Linux. Regards, Andrew
Originally posted by Tim Allen: As I walked to work this morning, I had a troubling (and probably controversial) thought: Here is the troubling question: Did we respond to Ashok's request this way because he was named "Ashok Krishnan", which does not appear to be a Western name? Would we have responded more positively if the asker had been named "John Hammonds" and had been known to us to be a 47 year old systems administrator from Pittsburgh? ... Am I totally out of line here, or were we being, well, racist? ...
I think this is a very courageous mindset. I think we are all a little bit racist (such a broad label!). Oftentimes, it is almost impossible to realize that we are racist (ie, ignorant) and we reject anyone who challenges us. But having an open mindset that allows you to be racist also empowers you to CHOOSE to not be one.
John Smith
Ranch Hand
Joined: Oct 08, 2001
Posts: 2937
Oftentimes, it is almost impossible to realize that we are racist (ie, ignorant) and we reject anyone who challenges us. But having an open mindset that allows you to be racist also empowers you to CHOOSE to not be one. Indeed, -- I am yet to meet a person who is not a racist. I would also venture a thought that patriotism is a form of institutionalized and legitimized racism. But let's save it for another thread. The original topic actually reminds me of the "race" topic in the sense that some people may feel that it's best not to talk about the specifics so that no one gets hurt or offended. The alternative approach is to publicly expose all the known security holes with the intent to put pressure on the software makers to patch them. Here is an example of such an attempt: Unpatched IE security holes It's simply amazing what the hackers can do while you are just browsing through the site with your IE, -- switching security zone, arbitrary command execution, automatic email-borne command execution, unintended disclosure of private information, delivery and installation of an executable, arbitrary local file reading, etc. The site documents many known IE security holes and even lists the source code as demo exploits. And while the fundamentalists may argue that watching the "Natural Born Killers" could push someone to commit murder, so could reading the Koran, could it not? Incidentally, it was in the news recently that FBI arrested the Blaster.B virus suspect. The kid faces a maximum of 10 years in prison and a $250,000 fine if convicted. Apparently, the FBI simply let the virus live on their own experimental machine and watched it connecting to the suspect-owned web site. [ September 02, 2003: Message edited by: Eugene Kononov ]
Cindy Glass
"The Hood"
Sheriff
Joined: Sep 29, 2000
Posts: 8521
Originally posted by Tim Allen:
Am I totally out of line here, or were we being, well, racist?
Personally, I was just thinking about sex.
Ashok Mash
Ranch Hand
Joined: Oct 13, 2000
Posts: 1936
Thanks a lot, Andrew, Eugene and others!