Computer worm

from Wikipedia, the free encyclopedia
The hex dump of the Blaster worm displays a message the worm programmer for Microsoft - CEO Bill Gates .

A computer worm (worm for short in the computer context ) is a malicious program ( computer program or script ) with the property of reproducing itself after it has been executed once. In contrast to the computer virus , the worm spreads without infecting foreign files or boot sectors with its code.

Worms spread via networks or via removable media such as USB sticks . For this they usually (but not necessarily) need a utility program such as a network service or application software as an interface to the respective network; For removable media, you usually need a service that enables the worm to start automatically after the loaded medium is connected (such as autorun , and sometimes the active Windows desktop ).

Such a utility could, for example, be an e-mail program that the worm uses to distribute itself to all e-mail addresses entered there. Depending on the type of helper program, the worm code can sometimes even execute itself on the target systems, which is why there is no longer any need for interaction with the user in order to spread from there. Therefore, this method is both more effective and efficient when compared to the method of spreading a virus. However, the worm cannot, or at least not automatically, reproduce itself on systems that do not give the worm access to the required auxiliary program.

The worm belongs to the family of unwanted or harmful programs, the so-called malware , which requires protective measures against worms . In addition to the secret distribution, which ties up resources without being asked, a possible harmful function of the worm can make changes to the system that the user cannot control. There is a risk of compromising numerous networked computers .

Difference between worm, virus and trojan

What a virus and worm have in common is their ability to spread on computers. A virus does this by entering itself into the boot area of a data medium (boot sector virus) or by embedding itself in other files (file virus). Through the interaction of the user who connects an infected removable medium to another system (and reboots it in this state ) or opens an infected file, the virus code is also executed there, whereby other systems are infected with the virus. The virus is spread with the help of the user.

A worm spreads in a different way without infecting files or boot areas on the disk. It usually uses an existing infrastructure to automatically copy itself to other systems. To stay with the example of the introduction, the worm could send itself to all e-mail addresses managed by an e-mail program. On the target systems, interaction with the user who opens the e-mail attachment and thus executes the worm it contains is sometimes required. Once executed, the worm then in turn sends itself to all e-mail addresses administered by the new system and thus reaches other systems.

A Trojan horse, or Trojan for short, is a computer program or script that disguises itself as a useful application, but performs a different function in the background without the knowledge of the user. The simplest example of this is a malicious file, such as ich_zerstoere_Daten.exe, which is given a file name that suggests another function, such as lustiger_Bildschirmschoner.exe. It does not matter whether the "funny screen saver" actually displays a screen saver while it is destroying the data, or whether it is simply destroying the data. The use of the misleading file name is sufficient to classify the program as a Trojan horse.

In the example of the worm shown above, which wants the user to open it as an e-mail attachment, the worm likes to use the concealment techniques of the Trojan horse. Instead of using an attachment with the name “I am a worm”, it prefers to present itself as an “important document” (e.g. an “invoice”, although it is irrelevant whether this is genuine) so that the user can use it also opens the worm. It then forms a mixture of worms and Trojan horses.

Likewise, no one prevents the worm developer from using a second route, the virus route, to spread his program. The worm can also infect files on the system on which it is running with its code. Such a program then forms a mixture of worms and viruses.


Worms spread via networks or via removable media such as B. USB sticks.

Because the worm itself comes in the form of an executable program or script, it relies on being run on the target system. Either this is done by the user who opens the worm “manually”, or it is executed automatically on the target system when the worm code is received. The latter is also possible due to an error in the design of the utility program, a technical programming error (such as a buffer overflow ) or another security gap. Since security gaps known to the manufacturer will sooner or later be closed if the support is functioning, the spread of the worm through the convenience, ignorance and incorrect behavior of the user is of great importance by not updating the software of his system or starting the worm himself.

To start the worm “manually” see the example for the e-mail worm executed by the user .

Automatic execution

Morris worm source code disk in the Computer History Museum .

Robert T. Morris wrote a program in 1988 that uses, among other things, a remote shell to copy itself to other systems and to execute it there, with the aim of copying itself from there to other systems and executing it there. When his program got out of hand, the world was confronted with the first internet worm. His program tried to evade detection and analysis on the infected systems, but did not contain any explicit malicious routine. Its constantly working distribution routine paralyzed numerous systems. Modern worms sometimes still use such or similar automation mechanisms of a program, such as those provided by the remote shell , in order to copy their code to a remote system and execute it there.

The Morris worm also showed a way of exploiting programming errors to create such a mechanism in programs that normally do not provide for such automation ( command execution exploit due to an error in the network service finger via a buffer overflow in the function gets () ). As a further example, the Blaster worm uses an exploit in the RPC / DCOM interface of Windows 2000 and XP to search for and infect computers over networks on which the vulnerability exploited by the worm exists.

Alternatively, worms can also use security loopholes in the design of an application, for example if the application provides functions that increase the convenience of the application, but break the usual security restrictions. This includes a program code that can be integrated as an "object" in a website or an HTML email, and the like. With the latter, the worm code is started as soon as the e-mail is read, without having to open an attachment. Specifically, the use of ActiveX objects and the implementation of JScript and VBScript can enable a certain degree of user friendliness, but entails the risks mentioned. Ultimately, this led to certain functions that the developer actually wanted to be blocked again; the user must now explicitly activate it in his application if he still wants to use it. In contrast, there is the method of classifying certain sources as trustworthy with the help of digital certificates and allowing them access to otherwise blocked mechanisms. With all of these methods, from the software implementation of the blockade to the set of rules, errors occur every now and then, which are used in the spread of worms.

Specifically, there are, for example, a number of worms that exploit an error in an older version of the Microsoft Outlook Express e-mail program in the following form: Outlook Express usually sends attachments to HTML e-mails inline , i.e. directly in the message himself, shown. Alternatively, the source text of the e-mail can also contain a reference under which the relevant file is stored online and is then displayed in an inline frame . Within an HTML source text, file formats that do not correspond to the Internet standard and therefore cannot normally be integrated directly into an HTML page can be defined as "objects". For this purpose, the system is informed of the type of "object" and how the system should deal with it. The HTML parser mshtml.dll should now ask whether this type of "object" is known and may be executed. This query is the weak point of the system, since a certain incorrect query leads to a system error and then to the execution of the “object”, although the opposite would be expected. Just looking at the e-mail text started the malware without any further action on the part of the user. This error was corrected by updating the software. A similar security hole existed in the Eudora e-mail program .

Types of distribution

Email worms

Many worms use email to spread. Either the executable file or a hyperlink to the executable file is sent. The e-mails can be sent either by remote control of pre-installed programs such as Microsoft Outlook or by the worm's own SMTP sub-program. The recipient's email address is often found in preinstalled address books. However, other files on the hard drives (such as in temporary Internet files ) can also be used by the worm or e-mail addresses from special websites (such as online guest books ) can be used for the initial distribution . Well-known representatives of this type are Loveletter , which spread explosively by e-mail in May 2000, or Netsky .

Instant messaging worms

Instant messaging programs such as WhatsApp , ICQ , MSN Messenger or Skype are also susceptible to malware due to their web connection. This type of worm spreads by sending a link to a web page on a messenger that contains the worm. If the user clicks on the link, the worm is installed and executed on their computer, since the instant messenger mostly does not contain its own HTML parser, but uses the Internet Explorer parser. The worm then forwards the link from this computer to all registered contacts.

IRC worms

IRC clients are programs with which any user can exchange text messages with other users virtually in real time in the Internet Relay Chat . Most IRC programs use a special script to log into the IRC server , which is executed when the program is started. This script contains commands that the IRC program executes. These commands are, for example, logging on to a channel , writing messages, but also sending files. An IRC worm that has infected a computer looks for IRC programs that it can use to spread itself. When he has found such a program, he modifies the script, which is loaded automatically. The next time the IRC program is started, the worm is automatically sent to all users in a chat room. If a user accepts the download and opens the downloaded file, the process repeats itself. There are currently IRC worms ( mIRC , pIRCh, vIRC, dIRC and Xircon) for at least five IRC programs .

P2P worms

Peer-to-Peer is a form of network that connects computers in the network without a server . H. creates a direct connection between the individual users. Most file sharing sites on the Internet, such as Kazaa , Morpheus or BitTorrent systems, use peer-to-peer technology. There are basically three ways a worm can spread in a swap exchange:

The first possibility is for the worm to copy itself to the shared folder from which other users can download files. Correct naming is important for these types of worms, as more users download a file with an interesting name than a file with a random name. That is why there are worms that look for their names on special websites in order to be as credible as possible. This type of distribution in file sharing networks is simple, but not particularly effective, as file sharing networks are usually rather large in size and almost every file sharing program now has effective filters to exclude certain suspicious file formats.

With the second possibility of spreading, the worm offers the other users of the P2P network an infected file as a search result (hash set or. Torrent file) via a peer-to-peer protocol for each search query. The user then copies the worm to their computer as a supposedly wanted file and infects it when it is opened. This type of distribution is very effective provided that the worm's file size is approximately the size of the file it is looking for, but difficult to program and therefore rarely distributed.

The third method is an attack by the worm on a security hole in its neighbors in the P2P network. This method can be very efficient in its speed of propagation when no action is required on the part of the user (such as downloading a file and starting it on the computer). The worm then infects these systems in a fully automated manner. As soon as the worm is also able to view a list of its neighbors in the P2P network for each infected client, it can address them specifically. In this way, the worm can prevent detection, since it does not need to establish an excessive number of connections to other systems on the Internet, which is regarded as abnormal behavior and would be conspicuous. A P2P network is based on the fact that each user establishes many connections to other participants, which makes it much more difficult to identify the worm based on the data traffic it causes .

Removable Disk Worms

Removable media are removable media for computers, such as USB sticks . These worms copy themselves onto the data carriers in order to spread from one computer to another. In contrast to the species mentioned so far, this group does not use a network to spread. The program can make use of the automatic start of the data carrier.

In contrast, there are also worms that copy themselves to floppy disks without using any form of automatic start. They are the only worms that do not need an auxiliary program to spread, although they rely on the user to find them himself and start them "manually". However, since floppy disks are no longer widespread, such worms have no chance of spreading widely. In principle, this type of distribution is also possible with current media, such as a writable CD. However, copying the malicious code is more complicated here.

Small USB device worms

In addition to USB memory sticks, other small USB devices can also be used to spread worms. Such attacks do not depend on the autostart capability of a USB storage device, but rather simulate a keyboard with a small processor. From this fake keyboard, the attacking device injects commands into the system that appear to come from the real user. This starts the malware that is located on the built-in USB mass storage device.

All types of small USB devices that can be sent to the victim as a giveaway are suitable for this method of attack.

Cell phone worms

Part of the code from Caribe - the first cell phone worm - spreads via Bluetooth

Cell phone worms first appeared in June 2004. Antivirus manufacturers suspect that more and more viruses and worms will appear in this area, similar to the trend in the computer sector.

Current worms mostly spread via Bluetooth , a wireless connection between cell phones, printers or scanners with a range of around ten to 100 meters. Cell phone worms are currently mainly attacking the Symbian OS operating system and attempting to send themselves to all available Bluetooth receivers using Bluetooth. Since 2005 it has also been possible for these worms to spread through MMS .

Antivirus manufacturers therefore recommend their customers to disable Bluetooth by default.

Further distributions are possible via GPRS / UMTS as well as via WLAN. The first known iOS worm, which only on iPhones with jailbreak succeeded has which spread across the UMTS network (Australia), was the Ikee . Its successor was called iPhone / Privacy.A and is looking for its way over the WLAN.

Example: User-executed email worm

In this example, the worm is received as an email attachment. The recipient should now be prompted to open the attachment and thus trigger further spread of the worm. The methods used in the following are therefore aimed at the user of the IT system and not at the system itself.


The worm must camouflage itself in front of the user in order to be successful under the conditions described. This takes place under two complementary constellations:

  1. The recipient of the email must have a special interest in opening the attachment.
  2. The recipient must not become aware of the dangerousness of the attachment.

The first point aims at a technique known as “social engineering”, the mental influencing of the recipient on a social level. Here it refers to the text of the e-mail, which is intended to make a special impression on the user and thus induce them to do things that they would normally (possibly not) do, such as opening the attachment.

The second point makes use of the "Trojan horse" technique, which is used to output the email attachment itself not as a worm, but as a "harmless, useful file".

Camouflage related to the text of the email

Psychological influence on the recipient

The recipient's interest in the attachment is aroused if the content of the associated e-mail is intended to be particularly shocking, for example by threatening legal remedies up to and including criminal prosecution. Other accompanying texts try to arouse curiosity or desire by promising large amounts of money or offering supposedly private image files with or without pornographic content.

In any case, the recipient is referred to the attachment of the email, which should contain detailed information. The interest aroused in the file attachment naturally also dampens any security concerns.

Camouflage related to the email attachment

Duplicate filename extension

Some (especially older) e-mail programs for the Windows operating system adhere to the standard settings of the operating system and hide the file extension of known executable files. As a result, a worm can be masked as a file of any kind, so that a damaging file “ Musik.mp3.exe” is only Musik.mp3displayed to the user as “ ” and thus cannot be distinguished from a harmless MP3 music playback file at first glance .

However, the user could recognize the true file type if the displayed file symbol ( icon ) corresponds to the standard symbol of an application. However, whether this standard icon or the icon embedded in the application is displayed depends on the email program used. It is better to change the setting of the program so that extensions of known file types are no longer hidden so that the entire file name is displayed.

In principle, you should not open unsolicited files from external sources. E-mail attachments that you want to open should not simply be opened using the “open” option, but rather using the “open with” option. This offers the option of selecting a program that is to play the relevant file. An application for playing music files cannot play such a disguised executable file and responds with an error message, while the option "open" would have simply executed the file and thereby started the worm.

Allegedly harmless file types with unrelated content

Another possibility to hide executable code under a "harmless" file extension is offered by programs that analyze the file type independently of its extension and treat it according to its actual type. As an example, it is theoretically not possible to store executable macro code in an RTF file , since this file format does not support macros. However, a file called " ", which is renamed to " ", is recognized by Office as a DOC file based on the file content , whereupon the macro code stored in it is executed despite the file extension . gefährlich.docharmlos.rtf.rtf

Here, too, you can use the “open with” option to select a program from most e-mail programs with which the file will be opened. In order to prevent the worm from executing, it makes sense to select a program instead of the installed editing software (Office) that can display and print the file, but without supporting the possibility of executing macro code. The software manufacturer Microsoft offers free Windows applications such as Word viewers, Excel viewers and PowerPoint viewers for this purpose.

Non-executable file types that become executable through an exploit

A command execution exploit takes advantage of programming errors in a program to get its code to execute. However, the code can only be started if the infected file is actually opened with the program for which the exploit is intended.

Depending on the program whose vulnerability the exploit is based on, the executable code can be hidden in any file type, including files that are normally not executable. For example, there are options for storing executable code in a graphic file.

Since programs can use prefabricated mechanisms (shared libraries) from the manufacturer of the operating system, for example to display certain file types, errors in these mechanisms are also relevant for third-party applications. This applies in particular to security gaps that are known to exist in Internet Explorer. A security update of Internet Explorer closes the security gap for these programs at the same time.

Long filenames

The use of an unsuspicious but extremely long file name (such as “ private_bilder_meiner_familie_aus_dem_sommercamp_nordsee_2003.exe”) is intended to hide the file name extension. As soon as the file name is displayed in a relatively small window, the last part of the file name and thus the extension remain hidden (displayed as “ private_bilder_meiner_familie_aus_dem_sommercamp_nor…”).

This tactic can be expanded, for example by initially using a short, innocuous name with an incorrect file name extension as the file name, to which a large number of spaces are inserted before the real extension (such as “ lustiger_Elch.jpg            <noch zahlreiche weitere Leerzeichen…>         Checked by Antivirus.exe”). Two methods of obfuscation are used in combination: On the one hand, there is a high probability that the actual file extension will not be displayed to the user due to the length of the name and that the spaces used will not indicate the significantly longer file name. If the file name is displayed in full (depending on the e-mail program), the user can also interpret the text “Checked by Antivirus.exe” , which is far removed from the apparently complete file name, as a hint without it being directly related to the file type of the attachment.

Use of less common types of executable files

Since applications of the type .exeare relatively known as executable files, less common file types ( file formats ) are sometimes used , such as .com, .bat, .cmd, .vbs, .scr, .scf, .wfs, .jse, .shs, .shb, .lnkor .pif. The file extension .comis also suitable for simulating a link to a website (for example "").

Compression and encryption

By using compression formats such as the ZIP format, the file type of the worm embedded in it is obscured until it is unpacked, which fundamentally makes it difficult to apply automatic protection measures. Errors in the implementation of compression methods can even prevent the file from being scanned for malware. In addition, the file can be transmitted in encrypted form, which rules out an automated examination of such a file at a time before the user opens it.


According to a study by Sophos , a manufacturer of anti-virus software, in 2005 there was a 50 percent chance that a PC with Windows XP without a software update would be infected with malicious software on the Internet within 12 minutes. This is possible because certain worms exploited weaknesses and errors in network services that are not yet closed on a PC without appropriate updates . In particular by enabled by default in later versions of Windows desktop firewall and the increased use of SoHo - routers , both of which restrict remote access to network services, this risk has decreased.

Economic damage

The financial damage that computer worms can cause is greater than that of computer viruses . The reason for this is the considerable consumption of network resources solely due to the way a worm spreads, which can lead to failure of network participants due to overload. For example, if a company's server goes down, it can lead to a loss of work.

At the beginning of May 2004 a display board at Vienna-Schwechat airport suffered a short-term total failure due to the “Sasser” worm. SQL Slammer put such a strain on the Internet infrastructure in places that the connections in many places completely collapsed.

Cell phone worms that spread via MMS can cause further economic damage in the future . If such a worm sends dozens of chargeable MMS messages, a high financial loss can be expected.

Further financial damage can result from so-called distributed denial-of-service attacks. As can be seen from the example of W32.Blaster , even large companies such as SCO or Microsoft can be put into trouble.

Bounty on worm writers

In November 2003 Microsoft founded what is known as an anti-virus reward program to support the hunt for those responsible for the spread of worms and viruses around the world. When it was founded, the initiative received start-up capital of US $ 5 million, a portion of which has already been offered as a reward for the capture and conviction of current worm spreaders. Microsoft wants to support the responsible investigative authorities in the search for the perpetrators. Microsoft works with Interpol , the FBI , the Secret Service and the "Internet Fraud Complaint Center" because "malicious worms and viruses are criminal attacks on anyone who uses the Internet" .

The authors of the worms W32.Blaster , Sasser , Netsky and Sobig appeared on this “Wanted” list .

This program had its first success in May 2004 when the worm writer was arrested and convicted by Sasser and Netsky. The then 18-year-old student from Waffensen in the Rotenburg / Wümme district was reported by former friends because of the offered reward.

Protective measures

The following sections summarize parts of the article that relate to protection against worms. In addition, common software solutions from this area are dealt with.

Protection from social engineering

There is no technical protection against the psychological influence of the user ( social engineering ), for example through the text of an e-mail. The user can, however, be informed about the risks and methods of malware (see the example on E-mail worm executed by the user ). Education increases the inhibition threshold and makes it more difficult for a worm to persuade the user to open a contaminated file, such as an e-mail attachment or the like.

Handling e-mail attachments and other files from external sources

It is advisable not to open any unsolicited files from email attachments or other sources. Not even if they come from a sender who is known to the recipient. Even known senders are no guarantee of authenticity, as on the one hand the entry for the sender can be falsified and on the other hand even known senders can also become victims of worms. If in doubt, you should ask the sender.

Files that you want to open can be examined beforehand to determine whether they contain generally known malware (see the section on virus scanners below).

For files that belong to a certain application (such .mp3as music files or .jpggraphics files), you should not simply open them using the "Open" option, but rather using the "Open with" option under selection of the associated program (see the section entitled Duplicate file name extensions ).

Office documents in particular (including .doc, docx, .xls, .pptand .rtffiles) from external sources should not be opened with the installed office program if you just want to view them. Because the office program harbors the unnecessary risk for this purpose that a macro code stored in the document is executed. It is better to use an application that can display and print such a file without being able to execute macro code. The section Allegedly harmless file types with unrelated content goes into more detail with reference to a free alternative.

If you want to ensure that no malicious code is executed while the email is being read (see " Automatic execution " ), you can configure your email program so that it does not display HTML code, but only text.

Protection through software

Virus scanner

An online scanner finds the Santy worm, which is distributed due to a vulnerability in phpBB forums.

A virus scanner detects well-known viruses, worms and Trojan horses and tries to block and eliminate them.

Which speaks for the use of a virus scanner

If malware is detected by the virus scanner before the contaminated file is first executed on your own computer system, the protective mechanism is fully effective. Before a newly added file on the computer is executed / read into application software that comes from an external source (e.g. from removable media, from a website or from an e-mail), it is therefore advisable to have it checked by an updated To undergo antivirus software.

In order to rule out other ways of infection, the same also applies to files that are on a shared network drive, if an interim infection of such a file by one of the other systems cannot be ruled out (mixed forms between worm and virus).

In order to ward off computer worms that are not file-based, but rather spread through security holes, it is absolutely necessary to use anti-virus software components that recognize the behavior and are embedded in the operating system.


A virus scanner uses the “signature comparison” search method to only detect malware that it is aware of; He cannot recognize malware that is not (yet) known to him. In this way, he can only determine that a file, a data carrier or even the computer system is free of known malware. The programmer of a computer worm tries to keep the worm as hidden as possible or to change a known variant so much that it is no longer recognized; the virus scanner manufacturer tries to keep the signature database as up-to-date as possible - a "race".

Due to this principle of "chasing after" the antivirus software, it also contains components that monitor ongoing processes in the computer system for suspicious activities in order to detect malware even if it is not known to the virus scanner. Here, too, there is a race with the malware - not in terms of awareness of the malware itself, but in terms of the methods and procedures used by the malware.

Once malware has been run, it can be possible to deactivate the antivirus software or to manipulate the system in such a way that the malware can no longer be detected by the virus scanner (see rootkit ). Concerning. With file-based malware, the entire computer system can be better examined via a separate boot medium for possible malware infestation, such as that used on bootable live CDs ( e.g. Desinfec't , formerly Knoppicillin ). This prevents the scanner's own software environment from being burdened accordingly.

A malware that has already been executed (i.e. installed on the system) can only be reliably removed from the system to a limited extent by antivirus software. This is because the malware is usually recognized using a signature, which sometimes does not provide any precise information about the variant of the malware and its malicious routine. Some malware can also download components, mostly over the Internet. They then do not know what other malware they may have downloaded and what changes it has made to the system. These changes are then retained after the pest has been removed. In the best case scenario, however, the AV software can completely remove the malware and correct the changes made to the system. Under " Alternative solutions " a reliable way is shown how the pest can be completely removed.

What speaks against the use of a virus scanner

A virus scanner is a complex piece of software that is sometimes embedded very deeply in the computer system in order to be able to control certain processes. The more complex a software is, the more likely it is to contain errors that can affect the performance, stability and security of the computer system.

In order to ward off computer worms that are not file-based but spread via security holes, behavior-detecting components of the antivirus software that are embedded in your own system are essential.

Virus scanners do not offer absolutely reliable protection against malware, but are sometimes heavily advertised accordingly. Users could become careless and then act inadvertently.

See also: Verifiability of the source text

Alternative solutions to remove malware from the system

The streamlining of the system through the recording of the last "clean" image of the hard disk ( Image ) is a reliable way to get a malware quite safe from the computer system to remove. So you install the operating system, set up your software, adapt the system so that all personal files are stored on a different drive (they must not be on the same drive on which the operating system was installed). Then you create a copy of the drive (more precisely the system partition ) on which the operating system was installed and save it in an image file. If the system is later infected with malware, the saved software version can be restored using the image file, which usually removes the malware and all changes made in the meantime from your system.


  • In order to close security gaps, the operating system and applications should be refreshed with the latest updates. These should not be obtained via a network, as the system is then connected to it with gaps that still exist. The procedure is much more complex than using the usual online update methods.
  • Some application software must be registered with the manufacturer during installation - for this, too, the computer usually has to be connected to the Internet. Otherwise the software cannot be installed before the image file is created and is then not included in this.
  • If the update status in the image file is to be kept up-to-date, it must be recreated regularly, which can mean a considerable amount of work.
  • Keeping personal files poses a risk as the malware can also be stored in them. A “safe removal” cannot be guaranteed in this way. Antivirus software with an updated signature database should search there before continuing to work with personal documents.
  • All changes and settings that have been made on the system partition since the image was created will be lost.

See also: Write-protect the system partition

Personal firewall (also desktop firewall)

Only a network service or a started application with the corresponding functionality creates the possibility of accessing computer resources (such as files and printers) via the network. In addition, a security gap in a network service can provide the basis for carrying out actions on the computer beyond the normal access functions.

Firewall software installed locally on the computer is referred to as a personal firewall or desktop firewall . Their job is to prevent malicious and unwanted access to network services on the computer from outside. Depending on the product, it can also try to prevent applications from communicating with the outside world without the user's consent.

Which speaks for the use of a personal firewall

Worms that exploit a security flaw in a network service to spread can only infect the computer if the corresponding network service is available to the worm. Here a personal firewall can restrict remote access to the network service and thus make infection more difficult or even prevent it.

Such filtering is only required if a required network service is being operated on the computer and access to it is to be restricted to a few computers. Sometimes only the local system ( localhost , the so-called loopback interface should be able to use the service without the software being able to be configured accordingly. In all other cases, deactivation of the network services is preferable to blocking by a personal firewall.

In addition, the rules of the personal firewall can, in the best case scenario, prevent a secretly reactivated or installed service from being accessible from the network unhindered if, despite all caution, malware is activated on the system, for example via an e-mail attachment. Such a success of the firewall software is, however, highly dependent on the skill of the malware in question (specialist articles from Microsoft's TechNet Magazine and the c't warn that the personal firewall can only prevent unwanted network access if the malware does not make a great effort there to hide their activities). If you use the (possible) message from the firewall software to immediately remove reactivated services along with malware , the use of the personal firewall can have been worthwhile.


Personal firewalls or other network monitoring programs do not protect against the installation of malware that is based on the user opening a contaminated file. Under certain circumstances, however, you can draw attention to unauthorized network communication and thereby to the worm. As an additional measure, some personal firewall products also offer monitoring of the system's autostart entries, which may provide the user with an indication that the worm has been installed, although the firewall software can also be deactivated and outwitted by numerous malware.

What speaks against the use of a personal firewall

There are situations that can lead to a crash or even to the permanent deactivation of the firewall software, whereby unrestricted access to the previously filtered network services is possible without the user noticing.

Another problem with the concept is that the firewall software is positioned between the normal network implementation of the operating system and the outside world, which means that although the original network implementation is no longer directly vulnerable, the much more complex firewall software can be attacked. Experience shows that the more complex the software, the more errors and points of attack it contains. Since its components run (at least in part) with extended rights and as a rule even kernel components are installed, programming and design errors have a particularly devastating effect on the performance, security and stability of the system. In this way, attack and espionage opportunities can be created that would not exist without the installed firewall software. Personal firewalls, for example, can contain security loopholes that only provide a worm with approaches for remote access.

While an external firewall only has an effect on the network data throughput when communicating with the external network (Internet), a personal firewall has a negative impact on the entire network performance and also slows down the general working speed of the PC on which it was installed.

Alternative solutions to prevent the worm from remotely accessing network services

Deactivating all network services that are not required offers the best protection against unwanted remote access.

To prevent remaining network services from being accessed from the Internet, they should not be tied to the network adapter that is connected to the Internet. This task is not entirely trivial for a layperson, which is why the use of an intermediary device, such as a DSL router , makes sense. This device automatically ensures that no network service from the internal (private) network can be accessed directly from the Internet.

In this case, instead of your own computer, the DSL router is connected to the Internet, and your own PCs are networked with this device. The device forms the only interface between the external network (Internet) and your own (private) internal network. The private PCs now transmit their Internet inquiries to the DSL router, which accesses the Internet on behalf of the PCs. The target system therefore only sees the DSL router as the sender, which in turn forwards the response packets from the target system to the corresponding PC in the internal network.

Possible attacks from the Internet are now directed at the DSL router, which is predestined for this, and do not hit the internal PC directly. Someone from the Internet who searches for a network service (such as file and printer sharing) on ​​the network address of the DSL router will not find it, because the service runs on the PC and not on the DSL router. The DSL router cannot be attacked at this level, and the network services of the internal PCs cannot be accessed from the Internet.

Even malware that may secretly install a network service on the PC cannot change this state. The network service can only be accessed from the private network, but not from the Internet (after all, the malware cannot install a service on the DSL router, only on the PC).

However, this mechanism also has its limits: In order for a DSL router to work without permanent manual configuration, it must be able to create dynamic rules. These rules automatically allow all communication connections that were requested by the internal network (i.e. by the private PCs). So if the malware just installs a network service that waits for an external connection, the protection mechanism works quite well. However, if it establishes a connection to the Internet itself, the DSL router will allow the connection because it was requested from the internal network. A device configured in this way can only effectively prevent external connection requests. A personal firewall offers more options here, but is also easier to bypass and involves the risks mentioned above . A personal firewall is therefore not an equal substitute for such devices, but under certain conditions it can serve as a corresponding supplement.

Restricting access to the computer system

Restriction via sandbox and user rights

Even for operating systems that do not have their own rights management, there is the option of restricting the system access of an application via a sandbox . A program that is started from this sandbox can no longer write to important system directories, for example, at least as long as the program does not manage to break out of the sandbox.

Operating systems such as Mac OS , Linux , Windows (from NT , XP - but not the home version - and the following) inherently offer an environment that manages access rights to sensitive areas depending on the user ID and the associated groups. So if a user works under an ID that does not have the right to make changes in important system areas, this has a similar effect to the use of a sandbox: malware that is opened via an e-mail attachment, for example then restricted in its freedom of action, which can prevent a worm from spreading.

However, if users work with administrator rights , they override many of the operating system's security barriers. An accidentally or automatically started worm program (the same applies to viruses) can freely take control of many system functions. It makes more sense to use two differently configured user accounts, one for routine work with severely restricted user rights (especially with restricted software installation rights), the other account with administrator rights for installation and configuration work alone.


It applies to all operating systems that working with restricted user rights restricts the spread of computer worms, but cannot always prevent it. The reason for this is that every user should be able to send e-mails, for example, and malware has the same rights under the user's ID and can therefore do this.

Write protect the system partition

Early operating systems could also be started from a write-protected floppy disk, but subsequent versions soon had to be installed on a writable medium, the hard disk. Among other things , Windows 95 was one of these systems, because after the operating system was started it constantly tried to write to a registry , which would not be possible with a write-protected medium.

Nevertheless, there were also concepts for such systems to prevent changes to the system drive. However, there is only a detour. The detour called for the computer system to boot from a write-protected medium such as a CD-ROM drive. The software on the CD-ROM now creates a RAM disk , copies all files necessary for operation into it and starts the operating system from there. The ramdisk only exists in the main memory, but behaves like a normal drive. The applications can write into it. It is also possible for malware to be installed there. If the computer is restarted, however, this ramdisk disappears and with it all adjustments made in the meantime. The new ramdisk receives all the original files and settings from the CD-ROM. The system is automatically reset to the previous state every time the computer is started. A piece of malware, such as a worm, is unable to permanently embed itself in this system.

So-called “live systems”, which can be booted from a write-protected medium, work similarly to the concept described above for numerous other operating systems.


Naturally, possible files belonging to the user must be stored on a different drive than on the system drive so that they are not also reset. If malware also writes itself in these files (for example as macro code in Office documents), the system is reset every time it is restarted, but it infects itself anew every time the user opens a contaminated file.

Furthermore, this concept has the side effect that you have to recreate the boot medium for every little adjustment to the system. On the other hand, virtual operating environments also offer options for resetting the (virtualized) operating system with every restart, but they can also be prompted to adopt certain system adjustments. There are also alternative concepts beyond the live system for Windows XP, for example, in order to reset the operating system to a defined status with every restart. The operating system environment can be adapted here using an EWF filter driver. For example, if you find out that a software update is available while working on your PC, you restart the system, undoing all previously uncontrolled adjustments to the system. After the restart you deactivate the write protection via a menu, install the updates, restart the system again, give the system a few minutes to complete the process, and then switch the write protection back on. The PC is then ready for normal work again. All changes to this system are made in a controlled manner.


In 2005, safety researchers Susan Young and Dave Aitel introduced nematodes, another method for combating worms. A nematode uses the same vulnerabilities as the worm to be controlled to get onto infected systems. The worm is then deactivated or deleted.

The name is derived from the fact that nematodes can fight slugs and other pests.

In 2016, a nematode was proposed to combat the Mirai botnet , which paralyzed a large part of the internet infrastructure. In many countries such as the USA, the United Kingdom and Germany, the use of nematodes constitutes an intrusion into other computer systems and is prohibited by law.

Security vulnerabilities in applications

Applications are more prone to failure the more complex they are. Complex programs are even assumed to contain errors. Certain errors can be used to execute any commands in the form of external program code beyond the normal function of the application. For example, cleverly structured data in an .mp3 file could suddenly cause a faulty MP3 player to do things it normally wouldn't. This can also include worm or virus code, the deletion of important data or other malicious functions. However, the foreign code can only be started if the loaded file is actually opened with the program for which the file is intended. With another MP3 player, this “extension” of the .mp3 file would have no effect ( see also “ Non-executable file types that can be executed via an exploit ).

Many worms take advantage of vulnerabilities in outdated software versions of certain programs to spread. To provide effective protection against such security gaps, the user is required to pay a lot of attention: The software in your own system, from the operating system to the e-mail program, should be kept up to date. It is also important to find out whether the configuration used for the applications and the operating system is critical to security and how these gaps can be closed. Windows, for example, starts a large number of mostly unnecessary network services in the standard setting when the system is started . Several worms have already exploited vulnerabilities in these services. If unnecessary network services are deactivated, these infection routes are eliminated ( see also " Alternative solutions to prevent the worm from remotely accessing network services " ).

Verifiability of the source code

In the case of software products, free access to their source code is an aspect of computer security. Among other things, it is important to minimize the risk that a product may contain functionalities that the user should not be aware of. For example, there are some closed-source products from the field of personal firewalls that secretly send data to the manufacturer themselves, i.e. do exactly what some users are actually trying to prevent with the product.

Open-source software can be checked by the public to this effect and, in addition, examined for weaknesses using legally unobjectionable means, which can then be closed more quickly.

Open source software can be examined by anyone with the appropriate expertise for secret functionalities and weaknesses, but that does not mean that the mere availability of the source code is a guarantee that it has been adequately checked by the computer users. Long-term security gaps in open source software indicate this fact. In addition, even a cleverly built back door is sometimes difficult to recognize, even with well-founded specialist knowledge. The time required for an analysis is often considerable with complex programs. In contrast, at least a check of the source text is possible here.

It is often difficult for the user to determine whether the executable program obtained from an external source was actually created with the published source code. Here, too, it applies that at least one check is possible with the appropriate expertise.



In 1971 the experimental network worm Reaper got out of control and spreads in ARPANET . It is considered the first known worm, as well as the first malware in-the-wild . To stop Reaper, a second worm follows, which removes it from the infected systems and then deletes itself later.

1975 the concept of Internet, computer viruses and network worms in is science fiction -Buch The Shockwave Rider (dt. The Shockwave Rider ) by John Brunner described. The term "worm" for a self-replicating program established itself in the computer scene thanks to the well-known book.

In 1987 the VNET is completely paralyzed by the XMAS EXEC for a short time.

In 1988 , on November 2nd, to be precise, Robert Morris programmed and released the first computer worm for the Internet. The so-called Morris worm spreads using some Unix services, such as B. sendmail , finger or rexec and the r protocols. Although the worm has no direct damage routine, it still paralyzes around 6,000 computers due to its aggressive spread - at that time that corresponds to around 10% of the global network.

The development of computer worms almost stopped until the mid-1990s. The reason for this is that the Internet is not yet as extensive as it is today. Until then, computer viruses can spread faster.

Mid 90s to 2000

During this period of time, computer worms become more important among malware.

In 1997 the first email worm, known as ShareFun, spreads . It was written in the macro language WordBasic for Microsoft Word 6/7. In the same year, the first worm that can spread via IRC is discovered . He uses the script.inifile of the program mIRC for this . Homer , a worm that was the first to use the FTP transfer protocol for its propagation , appears. From this point it became clear that network protocols can also be exploited by worms.

In 1999 , the Melissa macro virus, often mistaken for an e-mail worm, spreads worldwide via Outlook . Melissa received a lot of media attention. Complex worms appear like Toadie (which infects both DOS and Windows files and spreads via IRC and email) and W32.Babylonia (which is the first malware to update itself).

In 2000 , one worm came into the public eye in particular: with its massive appearance, the I-love-you -email worm inspires many imitators.

2001 until today

In 2001 the first worms appeared with their own SMTP engine. From this point on, worms are no longer dependent on Microsoft Outlook (Express). In addition, the first worms are discovered that can spread via ICQ or peer-to-peer networks. The Code Red worm is becoming widespread by exploiting a security hole in Microsoft's Internet Information Services . By exploiting weak points in network services, the first fileless worms can now also appear. They spread through security holes and only stay in RAM , so they do not nestle on the hard drive.

In 2002 , the Slapper worm, the currently most widespread malware for the Linux operating system, was written.

In 2003 , the SQL Slammer worm spread rapidly by exploiting a security hole in Microsoft SQL Server . Until then, private users were spared these types of worms. That changed in August 2003 when the W32.Blaster worm exploited a security hole in the Microsoft Windows operating system.

In 2004 , the Sasser worm also exploited a security hole in the Windows operating system and thus attacks private users' computers. The Mydoom worm is sighted for the first time. The rapid spread of the worm leads to an average of 10 percent slowdown in Internet traffic for a few hours and an average increased loading time of the websites of 50 percent. SymbOS.Caribe is the first mobile phone worm to spread using Bluetooth network technology on smartphones with the Symbian OS operating system . It was developed by a member of Virus Writing Group 29A and its source code is being published. Therefore, several variants of the worm are discovered in the following months . Mass infections from Bluetooth worms occur again and again, especially at large events.

In 2005 , SymbOS.Commwarrior appears, the first worm that can send itself as an MMS. The spread of cell phone worms is now reported by several antivirus program manufacturers.

In 2006 , more precisely on February 13th, the first worm for Apple's macOS operating system was published via a forum on a US rumor site. So far, the Apple community is not sure whether this worm is actually a worm (type of distribution) or a virus (infection of executable program code and hiding in it). The naming of the worm is also not clear. The company Sophos calls it OSX / Leap-A, Andrew Welch (wrote the first technical description of the "damage routines") calls it OSX / Oomp-A (after the check routine that is supposed to protect the worm from reinfection). In March, a Dutch research group led by university professor Andrew Tanenbaum published the first computer worm for RFID radio chips. The 127-byte program can propagate independently through an SQL injection in the Oracle database program.

In 2008 the United States Strategic Command issued a directive prohibiting the use of personal USB sticks and other portable storage media in its own computer network in order to protect it from computer worm attacks. The reason for this is the spread of the Agent.btz worm .

In 2010 , the Stuxnet worm (also known as LNK worm) was discovered, which uses four zero-day exploits for Windows to take control of WinCC , SCADA software from Siemens . In addition, this worm stands out due to its unusually high complexity, which is also reflected in the file size and makes a state origin probable.

See also


  • John Biggs: Black Hat - Misfits, Criminals, and Scammers in the Internet Age. Apress, Berkeley Cal 2004, ISBN 1-59059-379-0 (English)
  • Ralf Burger: The great computer virus book. Data Becker, Düsseldorf 1989, ISBN 3-89011-200-5
  • Peter Szor: The Art Of Computer Virus Research And Defense. Addison-Wesley, Upper Saddle River NJ 2005, ISBN 0-321-30454-3 (English)

Web links

  • RFC 4949 : Internet Security Glossary, Version 2 (including definition of Worm; English)
  • VX Heavens - library with specialist literature on malware, code collection, etc. (English)
  • Journal in Computer Virology - scientific magazine on computer viruses and worms

Individual evidence

  1. ^ Definition of computer worm from
  2. What is a worm? ( Memento of November 24, 2010 in the Internet Archive ) from, excerpt: “Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which requires the spreading of an infected host file [...] "
  3. a b c Definition of a computer worm from the IT lexicon of
  4. a b c USB stick worms with autorun : Sophos warns of a new family of worms that specialize in portable drives ( memento of March 3, 2012 in the Internet Archive ) from; Downadup is a USB worm from, January 27, 2009; W32.USBWorm from, May 2007
  5. a b c Floppy worm without autorun : W32 / Trab.worm from McAfee, March 28, 2003; W32 / Winfig.worm from McAfee, October 4, 2001
  6. Floppy worm with autorun over the active Windows desktop : Worm Propagation Via Floppies, Revisited by, McAfee Labs Blog, Rodney Andres , December 12, 2007
  7. Computer viruses ( Memento from December 7, 2011 in the Internet Archive ) (PDF; 72 kB) by Baowen Yu ,, November 13, 2002
  8. Description of how an e-mail worm works ( memento from June 19, 2010 in the Internet Archive ) from
  9. Trojan horses  ( page can no longer be accessed , search in web archivesInfo: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice. , a brief description from the BSI@1@ 2Template: Toter Link /  
  10. Definition of computer worms ( memento from December 7, 2011 in the Internet Archive ) in the IT lexicon of
  11. a b Excerpt from “Applied IT Security” (PDF; 111 kB) from page 73, by Prof. Dr. Felix Freiling , lecture in the autumn semester 2006, University of Mannheim
  12. F-Secure: When is AUTORUN.INF really an AUTORUN.INF?
  13. Attack of the computer mouse c't news report from June 29, 2011
  14. Word viewer from, display of office documents without executing macro code
  15. Excel - Viewer , from, display of office documents without executing macro code
  16. PowerPoint - Viewer , from, display of office documents without executing macro code
  17. ^ First exploit for errors in the published Windows source code from, Jason Curtis , February 17, 2004
  18. Security researchers warn of malware hidden in ZIP files , by, Elinor Mills and Stefan Beiersmann , April 15, 2010
  19. Top ten viruses in the first half of 2005 from, July 1, 2005
  20. network storage housing to equip yourself for home and office
  21. Sasser-Wurm: Small cause, big effect ,, Martin Leyrer , May 4, 2004
  22. Ben Schwan: Microsoft should pay for Internet attack . ( Memento from March 11, 2012 in the Internet Archive ) In: , February 4, 2003
  23. Microsoft lets attack by Lovsan / W32.Blaster run nowhere , heise security on, by Jürgen Schmidt , August 16, 2003
  24. Stern: The worm from the Wümme
  25. ↑ The false security of virus scanners ( Memento from March 25, 2010 in the Internet Archive )
  26. a b c Melanie Ulrich: Software with errors and their consequences .  ( Page no longer available , search in web archivesInfo: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice. (PDF) US magazine Wired , January 14, 2007@1@ 2Template: Toter Link /  
  27. Mcafee anti-virus software paralyzes computers; Computer crashes worldwide ., German Press Agency (dpa), April 23, 2010
  28. Security holes in the virus scanner ClamAV ( Memento from May 4, 2007 in the Internet Archive ) from, April 26, 2007
  29. ^ Deconstructing Common Security Myths , by Microsoft TechNet Magazine , Jesper Johansson and Steve Riley , May / June 2006
  30. ^ ZoneAlarm im Kreuzfeuer , Heise online , Jürgen Schmidt , January 24, 2006; The spy who came from within. Why personal firewalls fail as a detective , c't - Issue 17 ( Memento of October 16, 2007 in the Internet Archive ), pages 108–110, Jürgen Schmidt , August 7, 2006; Protection against viruses under Windows Answers to the most frequently asked questions ( Memento from October 16, 2007 in the Internet Archive ) , c't issue 18, Daniel Bachfeld , page 196
  31. Personal Firewalls, Part 2 ( Memento from February 12, 2010 in the Internet Archive ) by, Alexander Bernauer
  32. Disable bagle worms Windows Firewall ,, message from October 31, 2004
  33. Personal Firewalls, Part 1 ( Memento from April 15, 2011 in the Internet Archive ) by, Alexander Bernauer
  34. Witty worm penetrates ISS security products through a hole , by, Daniel Bachfeld , March 22, 2004
  35. a b Deactivate network services on a Windows system: win32sec from (graphical), svc2kxp.cmd from (batch)
  36. Boot CD for Windows 95/98 / Me ( Memento of the original from December 5, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. (PDF) from, Manfred Kratzl , from The Windows Consultant , January / February 2003 edition @1@ 2Template: Webachiv / IABot /
  37. Windows XP with write protection ,, Andreas Dumont , issue: com !, issue 4/2009, pages 22 to 31
  38. PC write protection against malware with the help of the EWF driver,, August 6, 2007
  39. ^ Susan Young, Dave Aitel: The Hacker's Handbook: The Strategy behind Breaking into and Defending Networks . Ed .: Auerbach Publications. 2005, ISBN 0-8493-0888-7 .
  40. Fabian A. Scherschel: DDoS record botnet Mirai could be fought - albeit illegally. Heise online , November 2, 2016, accessed on November 3, 2016 .
  41. Holger Bleich: DDoS attack paralyzes Twitter, Netflix, Paypal, Spotify and other services. Heise online , October 21, 2016, accessed on November 3, 2016 .
  42. Firewall calls home , Personal Firewall Zone Alarm sends encrypted data to the home server, magazine com! , Edition 4/2006, page 12
  43. The open source IRC server UnrealIRCd contained a backdoor from November 2009 to June 2010 , which allows strangers to execute commands with the rights of the UnrealRCd user on the server - report by heise Security , author Reiko Kaps , June 12, 2010
  44. On May 13th, 2008 the Debian project announced that the OpenSSL package of the distributions since September 17th, 2006 (version 0.9.8c-1 to 0.9.8g-9) contained a security hole.
  45. Malware anniversary: ​​20 years of Internet worms ,, Thomas Pichler , October 1, 2008
  46. RFC 1135 The Helminthiasis of the Internet
  47. Is Your Cat Infected with a Computer Virus?
  48. US military: USB sticks are banned due to worm attacks,, November 21, 2008; Under worm attack, US Army bans USB drives ,, Ryan Naraine , November 20, 2008
  49. Windows LNK gap: the situation is getting worse . In: heise online , July 20, 2010
  50. ^ Gregg Keizer: Is Stuxnet the 'best' malware ever? ( Memento from December 5, 2012 in the web archive ) September 16, 2010
  51. Trojan "stuxnet": The digital first strike has taken place . In: FAZ , September 22, 2010
This version was added to the list of excellent articles on October 19, 2005 .