Computer worm

Types of distribution

Email worms

Many worms use email to spread. Either the executable file or a hyperlink to the executable file is sent. The e-mails can be sent either by remote control of pre-installed programs such as Microsoft Outlook or by the worm's own SMTP sub-program. The recipient's email address is often found in preinstalled address books. However, other files on the hard drives (such as in temporary Internet files ) can also be used by the worm or e-mail addresses from special websites (such as online guest books ) can be used for the initial distribution . Well-known representatives of this type are Loveletter , which spread explosively by e-mail in May 2000, or Netsky .

Instant messaging worms

Instant messaging programs such as WhatsApp , ICQ , MSN Messenger or Skype are also susceptible to malware due to their web connection. This type of worm spreads by sending a link to a web page on a messenger that contains the worm. If the user clicks on the link, the worm is installed and executed on their computer, since the instant messenger mostly does not contain its own HTML parser, but uses the Internet Explorer parser. The worm then forwards the link from this computer to all registered contacts.

IRC worms

IRC clients are programs with which any user can exchange text messages with other users virtually in real time in the Internet Relay Chat . Most IRC programs use a special script to log into the IRC server , which is executed when the program is started. This script contains commands that the IRC program executes. These commands are, for example, logging on to a channel , writing messages, but also sending files. An IRC worm that has infected a computer looks for IRC programs that it can use to spread itself. When he has found such a program, he modifies the script, which is loaded automatically. The next time the IRC program is started, the worm is automatically sent to all users in a chat room. If a user accepts the download and opens the downloaded file, the process repeats itself. There are currently IRC worms ( mIRC , pIRCh, vIRC, dIRC and Xircon) for at least five IRC programs .

P2P worms

The first possibility is for the worm to copy itself to the shared folder from which other users can download files. Correct naming is important for these types of worms, as more users download a file with an interesting name than a file with a random name. That is why there are worms that look for their names on special websites in order to be as credible as possible. This type of distribution in file sharing networks is simple, but not particularly effective, as file sharing networks are usually rather large in size and almost every file sharing program now has effective filters to exclude certain suspicious file formats.

With the second possibility of spreading, the worm offers the other users of the P2P network an infected file as a search result (hash set or. Torrent file) via a peer-to-peer protocol for each search query. The user then copies the worm to their computer as a supposedly wanted file and infects it when it is opened. This type of distribution is very effective provided that the worm's file size is approximately the size of the file it is looking for, but difficult to program and therefore rarely distributed.

The third method is an attack by the worm on a security hole in its neighbors in the P2P network. This method can be very efficient in its speed of propagation when no action is required on the part of the user (such as downloading a file and starting it on the computer). The worm then infects these systems in a fully automated manner. As soon as the worm is also able to view a list of its neighbors in the P2P network for each infected client, it can address them specifically. In this way, the worm can prevent detection, since it does not need to establish an excessive number of connections to other systems on the Internet, which is regarded as abnormal behavior and would be conspicuous. A P2P network is based on the fact that each user establishes many connections to other participants, which makes it much more difficult to identify the worm based on the data traffic it causes .

Removable Disk Worms

Removable media are removable media for computers, such as USB sticks . These worms copy themselves onto the data carriers in order to spread from one computer to another. In contrast to the species mentioned so far, this group does not use a network to spread. The program can make use of the automatic start of the data carrier.

In contrast, there are also worms that copy themselves to floppy disks without using any form of automatic start. They are the only worms that do not need an auxiliary program to spread, although they rely on the user to find them himself and start them "manually". However, since floppy disks are no longer widespread, such worms have no chance of spreading widely. In principle, this type of distribution is also possible with current media, such as a writable CD. However, copying the malicious code is more complicated here.

Small USB device worms

In addition to USB memory sticks, other small USB devices can also be used to spread worms. Such attacks do not depend on the autostart capability of a USB storage device, but rather simulate a keyboard with a small processor. From this fake keyboard, the attacking device injects commands into the system that appear to come from the real user. This starts the malware that is located on the built-in USB mass storage device.

All types of small USB devices that can be sent to the victim as a giveaway are suitable for this method of attack.

Cell phone worms

Part of the code from Caribe - the first cell phone worm - spreads via Bluetooth

Cell phone worms first appeared in June 2004. Antivirus manufacturers suspect that more and more viruses and worms will appear in this area, similar to the trend in the computer sector.

Current worms mostly spread via Bluetooth , a wireless connection between cell phones, printers or scanners with a range of around ten to 100 meters. Cell phone worms are currently mainly attacking the Symbian OS operating system and attempting to send themselves to all available Bluetooth receivers using Bluetooth. Since 2005 it has also been possible for these worms to spread through MMS .

Antivirus manufacturers therefore recommend their customers to disable Bluetooth by default.

Further distributions are possible via GPRS / UMTS as well as via WLAN. The first known iOS worm, which only on iPhones with jailbreak succeeded has which spread across the UMTS network (Australia), was the Ikee . Its successor was called iPhone / Privacy.A and is looking for its way over the WLAN.

Example: User-executed email worm

In this example, the worm is received as an email attachment. The recipient should now be prompted to open the attachment and thus trigger further spread of the worm. The methods used in the following are therefore aimed at the user of the IT system and not at the system itself.

camouflage

The worm must camouflage itself in front of the user in order to be successful under the conditions described. This takes place under two complementary constellations:

1. The recipient of the email must have a special interest in opening the attachment.
2. The recipient must not become aware of the dangerousness of the attachment.

The first point aims at a technique known as “social engineering”, the mental influencing of the recipient on a social level. Here it refers to the text of the e-mail, which is intended to make a special impression on the user and thus induce them to do things that they would normally (possibly not) do, such as opening the attachment.

The second point makes use of the "Trojan horse" technique, which is used to output the email attachment itself not as a worm, but as a "harmless, useful file".

Camouflage related to the text of the email

Psychological influence on the recipient

The recipient's interest in the attachment is aroused if the content of the associated e-mail is intended to be particularly shocking, for example by threatening legal remedies up to and including criminal prosecution. Other accompanying texts try to arouse curiosity or desire by promising large amounts of money or offering supposedly private image files with or without pornographic content.

In any case, the recipient is referred to the attachment of the email, which should contain detailed information. The interest aroused in the file attachment naturally also dampens any security concerns.

Camouflage related to the email attachment

Duplicate filename extension

However, the user could recognize the true file type if the displayed file symbol ( icon ) corresponds to the standard symbol of an application. However, whether this standard icon or the icon embedded in the application is displayed depends on the email program used. It is better to change the setting of the program so that extensions of known file types are no longer hidden so that the entire file name is displayed.

In principle, you should not open unsolicited files from external sources. E-mail attachments that you want to open should not simply be opened using the “open” option, but rather using the “open with” option. This offers the option of selecting a program that is to play the relevant file. An application for playing music files cannot play such a disguised executable file and responds with an error message, while the option "open" would have simply executed the file and thereby started the worm.

Allegedly harmless file types with unrelated content

Here, too, you can use the “open with” option to select a program from most e-mail programs with which the file will be opened. In order to prevent the worm from executing, it makes sense to select a program instead of the installed editing software (Office) that can display and print the file, but without supporting the possibility of executing macro code. The software manufacturer Microsoft offers free Windows applications such as Word viewers, Excel viewers and PowerPoint viewers for this purpose.

Non-executable file types that become executable through an exploit

A command execution exploit takes advantage of programming errors in a program to get its code to execute. However, the code can only be started if the infected file is actually opened with the program for which the exploit is intended.

Depending on the program whose vulnerability the exploit is based on, the executable code can be hidden in any file type, including files that are normally not executable. For example, there are options for storing executable code in a graphic file.

Since programs can use prefabricated mechanisms (shared libraries) from the manufacturer of the operating system, for example to display certain file types, errors in these mechanisms are also relevant for third-party applications. This applies in particular to security gaps that are known to exist in Internet Explorer. A security update of Internet Explorer closes the security gap for these programs at the same time.

Long filenames

The use of an unsuspicious but extremely long file name (such as “ private_bilder_meiner_familie_aus_dem_sommercamp_nordsee_2003.exe”) is intended to hide the file name extension. As soon as the file name is displayed in a relatively small window, the last part of the file name and thus the extension remain hidden (displayed as “ private_bilder_meiner_familie_aus_dem_sommercamp_nor…”).

This tactic can be expanded, for example by initially using a short, innocuous name with an incorrect file name extension as the file name, to which a large number of spaces are inserted before the real extension (such as “ lustiger_Elch.jpg            <noch zahlreiche weitere Leerzeichen…>         Checked by Antivirus.exe”). Two methods of obfuscation are used in combination: On the one hand, there is a high probability that the actual file extension will not be displayed to the user due to the length of the name and that the spaces used will not indicate the significantly longer file name. If the file name is displayed in full (depending on the e-mail program), the user can also interpret the text “Checked by Antivirus.exe” , which is far removed from the apparently complete file name, as a hint without it being directly related to the file type of the attachment.

Use of less common types of executable files

Since applications of the type .exeare relatively known as executable files, less common file types ( file formats ) are sometimes used , such as .com, .bat, .cmd, .vbs, .scr, .scf, .wfs, .jse, .shs, .shb, .lnkor .pif. The file extension .comis also suitable for simulating a link to a website (for example " www.example.com").

Compression and encryption

By using compression formats such as the ZIP format, the file type of the worm embedded in it is obscured until it is unpacked, which fundamentally makes it difficult to apply automatic protection measures. Errors in the implementation of compression methods can even prevent the file from being scanned for malware. In addition, the file can be transmitted in encrypted form, which rules out an automated examination of such a file at a time before the user opens it.

Danger

According to a study by Sophos , a manufacturer of anti-virus software, in 2005 there was a 50 percent chance that a PC with Windows XP without a software update would be infected with malicious software on the Internet within 12 minutes. This is possible because certain worms exploited weaknesses and errors in network services that are not yet closed on a PC without appropriate updates . In particular by enabled by default in later versions of Windows desktop firewall and the increased use of SoHo - routers , both of which restrict remote access to network services, this risk has decreased.

Economic damage

The financial damage that computer worms can cause is greater than that of computer viruses . The reason for this is the considerable consumption of network resources solely due to the way a worm spreads, which can lead to failure of network participants due to overload. For example, if a company's server goes down, it can lead to a loss of work.

At the beginning of May 2004 a display board at Vienna-Schwechat airport suffered a short-term total failure due to the “Sasser” worm. SQL Slammer put such a strain on the Internet infrastructure in places that the connections in many places completely collapsed.

Cell phone worms that spread via MMS can cause further economic damage in the future . If such a worm sends dozens of chargeable MMS messages, a high financial loss can be expected.

Further financial damage can result from so-called distributed denial-of-service attacks. As can be seen from the example of W32.Blaster , even large companies such as SCO or Microsoft can be put into trouble.

Bounty on worm writers

In November 2003 Microsoft founded what is known as an anti-virus reward program to support the hunt for those responsible for the spread of worms and viruses around the world. When it was founded, the initiative received start-up capital of US $ 5 million, a portion of which has already been offered as a reward for the capture and conviction of current worm spreaders. Microsoft wants to support the responsible investigative authorities in the search for the perpetrators. Microsoft works with Interpol , the FBI , the Secret Service and the "Internet Fraud Complaint Center" because "malicious worms and viruses are criminal attacks on anyone who uses the Internet" .

The authors of the worms W32.Blaster , Sasser , Netsky and Sobig appeared on this “Wanted” list .

This program had its first success in May 2004 when the worm writer was arrested and convicted by Sasser and Netsky. The then 18-year-old student from Waffensen in the Rotenburg / Wümme district was reported by former friends because of the offered reward.

Protective measures

The following sections summarize parts of the article that relate to protection against worms. In addition, common software solutions from this area are dealt with.

Protection from social engineering

There is no technical protection against the psychological influence of the user ( social engineering ), for example through the text of an e-mail. The user can, however, be informed about the risks and methods of malware (see the example on “ E-mail worm executed by the user ” ). Education increases the inhibition threshold and makes it more difficult for a worm to persuade the user to open a contaminated file, such as an e-mail attachment or the like.

Handling e-mail attachments and other files from external sources

It is advisable not to open any unsolicited files from email attachments or other sources. Not even if they come from a sender who is known to the recipient. Even known senders are no guarantee of authenticity, as on the one hand the entry for the sender can be falsified and on the other hand even known senders can also become victims of worms. If in doubt, you should ask the sender.

Files that you want to open can be examined beforehand to determine whether they contain generally known malware (see the section on virus scanners below).

For files that belong to a certain application (such .mp3as music files or .jpggraphics files), you should not simply open them using the "Open" option, but rather using the "Open with" option under selection of the associated program (see the section entitled “ Duplicate file name extensions ” ).

Office documents in particular (including .doc, docx, .xls, .pptand .rtffiles) from external sources should not be opened with the installed office program if you just want to view them. Because the office program harbors the unnecessary risk for this purpose that a macro code stored in the document is executed. It is better to use an application that can display and print such a file without being able to execute macro code. The section “ Allegedly harmless file types with unrelated content ” goes into more detail with reference to a free alternative.

If you want to ensure that no malicious code is executed while the email is being read (see " Automatic execution " ), you can configure your email program so that it does not display HTML code, but only text.

Protection through software

Virus scanner

An online scanner finds the Santy worm, which is distributed due to a vulnerability in phpBB forums.

A virus scanner detects well-known viruses, worms and Trojan horses and tries to block and eliminate them.

Which speaks for the use of a virus scanner

If malware is detected by the virus scanner before the contaminated file is first executed on your own computer system, the protective mechanism is fully effective. Before a newly added file on the computer is executed / read into application software that comes from an external source (e.g. from removable media, from a website or from an e-mail), it is therefore advisable to have it checked by an updated To undergo antivirus software.

In order to rule out other ways of infection, the same also applies to files that are on a shared network drive, if an interim infection of such a file by one of the other systems cannot be ruled out (mixed forms between worm and virus).

In order to ward off computer worms that are not file-based, but rather spread through security holes, it is absolutely necessary to use anti-virus software components that recognize the behavior and are embedded in the operating system.

Limits

A virus scanner uses the “signature comparison” search method to only detect malware that it is aware of; He cannot recognize malware that is not (yet) known to him. In this way, he can only determine that a file, a data carrier or even the computer system is free of known malware. The programmer of a computer worm tries to keep the worm as hidden as possible or to change a known variant so much that it is no longer recognized; the virus scanner manufacturer tries to keep the signature database as up-to-date as possible - a "race".

Due to this principle of "chasing after" the antivirus software, it also contains components that monitor ongoing processes in the computer system for suspicious activities in order to detect malware even if it is not known to the virus scanner. Here, too, there is a race with the malware - not in terms of awareness of the malware itself, but in terms of the methods and procedures used by the malware.

Once malware has been run, it can be possible to deactivate the antivirus software or to manipulate the system in such a way that the malware can no longer be detected by the virus scanner (see rootkit ). Concerning. With file-based malware, the entire computer system can be better examined via a separate boot medium for possible malware infestation, such as that used on bootable live CDs ( e.g. Desinfec't , formerly Knoppicillin ). This prevents the scanner's own software environment from being burdened accordingly.

A malware that has already been executed (i.e. installed on the system) can only be reliably removed from the system to a limited extent by antivirus software. This is because the malware is usually recognized using a signature, which sometimes does not provide any precise information about the variant of the malware and its malicious routine. Some malware can also download components, mostly over the Internet. They then do not know what other malware they may have downloaded and what changes it has made to the system. These changes are then retained after the pest has been removed. In the best case scenario, however, the AV software can completely remove the malware and correct the changes made to the system. Under " Alternative solutions " a reliable way is shown how the pest can be completely removed.

What speaks against the use of a virus scanner

A virus scanner is a complex piece of software that is sometimes embedded very deeply in the computer system in order to be able to control certain processes. The more complex a software is, the more likely it is to contain errors that can affect the performance, stability and security of the computer system.

In order to ward off computer worms that are not file-based but spread via security holes, behavior-detecting components of the antivirus software that are embedded in your own system are essential.

Virus scanners do not offer absolutely reliable protection against malware, but are sometimes heavily advertised accordingly. Users could become careless and then act inadvertently.

See also: Verifiability of the source text

Alternative solutions to remove malware from the system

The streamlining of the system through the recording of the last "clean" image of the hard disk ( Image ) is a reliable way to get a malware quite safe from the computer system to remove. So you install the operating system, set up your software, adapt the system so that all personal files are stored on a different drive (they must not be on the same drive on which the operating system was installed). Then you create a copy of the drive (more precisely the system partition ) on which the operating system was installed and save it in an image file. If the system is later infected with malware, the saved software version can be restored using the image file, which usually removes the malware and all changes made in the meantime from your system.

Problems:

• In order to close security gaps, the operating system and applications should be refreshed with the latest updates. These should not be obtained via a network, as the system is then connected to it with gaps that still exist. The procedure is much more complex than using the usual online update methods.
• Some application software must be registered with the manufacturer during installation - for this, too, the computer usually has to be connected to the Internet. Otherwise the software cannot be installed before the image file is created and is then not included in this.
• If the update status in the image file is to be kept up-to-date, it must be recreated regularly, which can mean a considerable amount of work.
• Keeping personal files poses a risk as the malware can also be stored in them. A “safe removal” cannot be guaranteed in this way. Antivirus software with an updated signature database should search there before continuing to work with personal documents.
• All changes and settings that have been made on the system partition since the image was created will be lost.

See also: Write-protect the system partition

Personal firewall (also desktop firewall)

Only a network service or a started application with the corresponding functionality creates the possibility of accessing computer resources (such as files and printers) via the network. In addition, a security gap in a network service can provide the basis for carrying out actions on the computer beyond the normal access functions.

Firewall software installed locally on the computer is referred to as a personal firewall or desktop firewall . Their job is to prevent malicious and unwanted access to network services on the computer from outside. Depending on the product, it can also try to prevent applications from communicating with the outside world without the user's consent.

In 2002 , the Slapper worm, the currently most widespread malware for the Linux operating system, was written.

In 2003 , the SQL Slammer worm spread rapidly by exploiting a security hole in Microsoft SQL Server . Until then, private users were spared these types of worms. That changed in August 2003 when the W32.Blaster worm exploited a security hole in the Microsoft Windows operating system.

In 2004 , the Sasser worm also exploited a security hole in the Windows operating system and thus attacks private users' computers. The Mydoom worm is sighted for the first time. The rapid spread of the worm leads to an average of 10 percent slowdown in Internet traffic for a few hours and an average increased loading time of the websites of 50 percent. SymbOS.Caribe is the first mobile phone worm to spread using Bluetooth network technology on smartphones with the Symbian OS operating system . It was developed by a member of Virus Writing Group 29A and its source code is being published. Therefore, several variants of the worm are discovered in the following months . Mass infections from Bluetooth worms occur again and again, especially at large events.

1. ^ Definition of computer worm from computerlexikon.com
2. ↑ What is a worm? ( Memento of November 24, 2010 in the Internet Archive ) from symantec.com, excerpt: “Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file [...] "
3. ↑ ^{a b c} Definition of a computer worm from the IT lexicon of Wissen.de
4. ↑ ^{a b c} USB stick worms with autorun : Sophos warns of a new family of worms that specialize in portable drives ( memento of March 3, 2012 in the Internet Archive ) from info-point-security.com; Downadup is a USB worm from f-secure.com, January 27, 2009; W32.USBWorm from spywareguide.com, May 2007
5. ↑ ^{a b c} Floppy worm without autorun : W32 / Trab.worm from McAfee, March 28, 2003; W32 / Winfig.worm from McAfee, October 4, 2001
6. ↑ Floppy worm with autorun over the active Windows desktop : Worm Propagation Via Floppies, Revisited by avertlabs.com, McAfee Labs Blog, Rodney Andres , December 12, 2007
7. ↑ Computer viruses ( Memento from December 7, 2011 in the Internet Archive ) (PDF; 72 kB) by Baowen Yu , tu-muenchen.de, November 13, 2002
8. ↑ Description of how an e-mail worm works ( memento from June 19, 2010 in the Internet Archive ) from viruslist.com
9. ↑ Trojan horses  ( page can no longer be accessed , search in web archives )  Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice. , a brief description from the BSI@1@ 2Template: Toter Link / www.bsi-fuer-buerger.de  
10. ↑ Definition of computer worms ( memento from December 7, 2011 in the Internet Archive ) in the IT lexicon of masterscripts.de
11. ↑ ^{a b} Excerpt from “Applied IT Security” (PDF; 111 kB) from page 73, by Prof. Dr. Felix Freiling , lecture in the autumn semester 2006, University of Mannheim
12. ↑ F-Secure: When is AUTORUN.INF really an AUTORUN.INF?
13. ↑ Attack of the computer mouse c't news report from June 29, 2011
14. ↑ Word viewer from microsoft.com, display of office documents without executing macro code
15. ↑ Excel - Viewer , from microsoft.com, display of office documents without executing macro code
16. ↑ PowerPoint - Viewer , from microsoft.com, display of office documents without executing macro code
17. ^ First exploit for errors in the published Windows source code from zdnet.de, Jason Curtis , February 17, 2004
18. ↑ Security researchers warn of malware hidden in ZIP files , by zdnet.de, Elinor Mills and Stefan Beiersmann , April 15, 2010
19. ↑ Top ten viruses in the first half of 2005 from sophos.de, July 1, 2005
20. ↑ heise.de:NAS-Potpourri network storage housing to equip yourself for home and office
21. ↑ Sasser-Wurm: Small cause, big effect , wcm.at, Martin Leyrer , May 4, 2004
22. ↑ Ben Schwan: Microsoft should pay for Internet attack . ( Memento from March 11, 2012 in the Internet Archive ) In: netzeitung.de , February 4, 2003
23. ↑ Microsoft lets attack by Lovsan / W32.Blaster run nowhere , heise security on heise.de, by Jürgen Schmidt , August 16, 2003
24. ↑ Stern: The worm from the Wümme
25. ↑ The false security of virus scanners ( Memento from March 25, 2010 in the Internet Archive )
26. ↑ ^{a b c} Melanie Ulrich: Software with errors and their consequences .  ( Page no longer available , search in web archives )  Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice. (PDF) US magazine Wired , January 14, 2007@1@ 2Template: Toter Link / www.senioren-in-lohmar.de  
27. ↑ Mcafee anti-virus software paralyzes computers; Computer crashes worldwide . handelsblatt.com, German Press Agency (dpa), April 23, 2010
28. ↑ Security holes in the virus scanner ClamAV ( Memento from May 4, 2007 in the Internet Archive ) from buerger-cert.de, April 26, 2007
29. ^ Deconstructing Common Security Myths , by Microsoft TechNet Magazine , Jesper Johansson and Steve Riley , May / June 2006
30. ^ ZoneAlarm im Kreuzfeuer , Heise online , Jürgen Schmidt , January 24, 2006; The spy who came from within. Why personal firewalls fail as a detective , c't - Issue 17 ( Memento of October 16, 2007 in the Internet Archive ), pages 108–110, Jürgen Schmidt , August 7, 2006; Protection against viruses under Windows Answers to the most frequently asked questions ( Memento from October 16, 2007 in the Internet Archive ) , c't issue 18, Daniel Bachfeld , page 196
31. ↑ Personal Firewalls, Part 2 ( Memento from February 12, 2010 in the Internet Archive ) by copton.net, Alexander Bernauer
32. ↑ Disable bagle worms Windows Firewall , winfuture.de, message from October 31, 2004
33. ↑ Personal Firewalls, Part 1 ( Memento from April 15, 2011 in the Internet Archive ) by copton.net, Alexander Bernauer
34. ↑ Witty worm penetrates ISS security products through a hole , by heise.de, Daniel Bachfeld , March 22, 2004
35. ↑ ^{a b} Deactivate network services on a Windows system: win32sec from dingens.org (graphical), svc2kxp.cmd from ntsvcfg.de (batch)
36. ↑ Boot CD for Windows 95/98 / Me ( Memento of the original from December 5, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. (PDF) from computerwissen.de, Manfred Kratzl , from The Windows Consultant , January / February 2003 edition @1@ 2Template: Webachiv / IABot / www.computerwissen.de
37. ↑ Windows XP with write protection , commagazin.de, Andreas Dumont , issue: com !, issue 4/2009, pages 22 to 31
38. ↑ PC write protection against malware with the help of the EWF driver, windowspage.com, August 6, 2007
39. ^ Susan Young, Dave Aitel: The Hacker's Handbook: The Strategy behind Breaking into and Defending Networks . Ed .: Auerbach Publications. 2005, ISBN 0-8493-0888-7 . 
40. ↑ Fabian A. Scherschel: DDoS record botnet Mirai could be fought - albeit illegally. Heise online , November 2, 2016, accessed on November 3, 2016 . 
41. ↑ Holger Bleich: DDoS attack paralyzes Twitter, Netflix, Paypal, Spotify and other services. Heise online , October 21, 2016, accessed on November 3, 2016 . 
42. ↑ Firewall calls home , Personal Firewall Zone Alarm sends encrypted data to the home server, magazine com! , Edition 4/2006, page 12
43. ↑ The open source IRC server UnrealIRCd contained a backdoor from November 2009 to June 2010 , which allows strangers to execute commands with the rights of the UnrealRCd user on the server - report by heise Security , author Reiko Kaps , June 12, 2010
44. ↑ On May 13th, 2008 the Debian project announced that the OpenSSL package of the distributions since September 17th, 2006 (version 0.9.8c-1 to 0.9.8g-9) contained a security hole.
45. ↑ Malware anniversary: ​​20 years of Internet worms , pressetext.at, Thomas Pichler , October 1, 2008
46. ↑ RFC 1135 The Helminthiasis of the Internet
47. ↑ Is Your Cat Infected with a Computer Virus?
48. ↑ US military: USB sticks are banned due to worm attacks, gulli.com, November 21, 2008; Under worm attack, US Army bans USB drives , zdnet.com, Ryan Naraine , November 20, 2008
49. ↑ Windows LNK gap: the situation is getting worse . In: heise online , July 20, 2010
50. ^ Gregg Keizer: Is Stuxnet the 'best' malware ever? ( Memento from December 5, 2012 in the web archive archive.today ) September 16, 2010
51. ↑ Trojan "stuxnet": The digital first strike has taken place . In: FAZ , September 22, 2010

This version was added to the list of excellent articles on October 19, 2005 .