In this month’s Real-life threat protection for merchants, we look at Worms. This type of malware relies on self-replication instead of human interaction (explained below), making it a uniquely dangerous enemy for computer users.
In this case, our merchant, a small florist with two business computers in operation, unfortunately came into contact with a Worm. Fortunately, our Endpoint protection took control and prevented the spread of the Worm before it had a chance to infect the merchant’s computers.
Our SOC (Service Operations Centre) team was alerted to this piece of malware because dealing with it was one of the many automatic security actions our endpoint software took. The Worm we look at today, Win32.Worm.VB, appeared in the top 5 infections last month.
Note: An automatic security action is when our security tools directly deal with the malicious file by detecting, blocking, or quarantining the file. SOC team interventions are when our SOC team manually quarantines the file as it has gotten past the first check from our security tools.
This month, the merchant we look at is subscribed to our Proactive Data Security (PDS) service, and therefore receives real-time threat protection from our SOC team. When a threat is detected, our SOC team will reach out and advise on the situation. On this call, our agent speaks with the small business owner who has unfortunately come into contact with a specific worm called Win32.Worm.VB, which uses computer resources to make copies of itself, then distributes the copies to other connected computers or devices.
Note: A worm, according to Kaspersky, installs itself on a victim’s computer and then looks for a way to spread to other computers.
What is a worm?
Worms are a specific type of malware that does not require any human interaction or execution to begin an attack. The outcome of an attack can be the same as with a normal computer virus, but the worm’s ability to self-replicate is what sets it apart.
Our agent called the merchant and let them know we had automatically prevented a Worm from infecting their devices. After explaining the dangers of this malware, the merchant said:
“That sounds pretty dangerous, thanks for sorting this out and letting us know!”
How will a worm get on a computer?
The usual course of infection does not apply to Worms. The process of becoming infected with a normal computer virus looks something like this:
However, with a Worm you can remove the middle step, ‘Execute the file’, as Worms do not need human interaction. Why is this?
Worms are really their own host and do not rely on latching onto executable files. They are specially written to contain their own strings of malicious code. This way, once downloaded or placed onto a device, they will begin their attack.
What will worms do?
Once on the targeted device, the worm will begin to exploit software vulnerabilities. These vulnerabilities are left open when you do not keep up to date with your computer’s updates.
By exploiting these vulnerabilities, the Worm will be able to spread to other computers on the network. This is the key feature of Worms.
Once exploited, the Worm will now be present on multiple different devices and capable of carrying out multiple attacks:
Resource depletion – Worms will begin to replicate themselves over and over, eating up the resources on a device and rendering it unusable. For everyday personal users, this can be seen as an annoyance that may lead them to buy a brand-new computer. However, for business computers this can really affect day to day operations. Programmes used for taking orders and stock checking could stop working due to the resources being taken up by the worm, causing serious financial losses for the business.
File modification/deletion – The end goal for most viruses is disruption. Worms will often spread from computer to computer and modify or delete files so that certain programmes will cease to function. In some cases, like 2017’s WannaCry attack, a ransom will be demanded for the return of functionality.
Infect with other malware – Often worms can be used to ‘drop off’ other pieces of malware such as Spyware (used to monitor users’ behaviour) and Ransomware (encrypts files and demands a ransom for their decryption).
The main danger of becoming infected with a Worm is that they can spread from one device to another through software vulnerabilities.
Note: To avoid having a Worm easily make its way from device to device by exploiting software vulnerabilities, it is extremely important to turn on automatic security updates for your device. This will limit the number of vulnerabilities a worm can exploit.
Now, we can look at the specific Worm our merchant has come into contact with.
In our merchant’s case, they were infected with a Worm called Win32.Worm.VB. Worms will often originate and spread using different methods including:
Email – A variety of phishing email which will contain a link or a file. Once this is clicked, the worm will have spread to the device.
Website – Some Worms will target and infect websites with bad security. When a user visits this website, they too risk becoming infected.
Instant Messaging – Similar to email, this worm will target the user’s list of IM targets and spread through messages sent to these contacts.
One of the most popular ways for a worm to spread is through P2P (peer to peer) file sharing, which is how this Worm will spread.
Note: P2P describes a network of computers which are connected without needing resources/privileges from a server. P2P file sharing is the ability to access and send files from one of these connected computers to the other.
How will this happen?
This is one of the easiest ways for a worm to spread as it doesn’t rely on the social engineering method, like email or instant messaging. Instead, this Worm will target weaknesses in the file sharing protocol (a shared folder which can be accessed by each computer in the P2P network).
Note: Social engineering is a tactic often used by cyber criminals to trick or deceive a victim into sharing confidential information or downloading harmful files.
Once the Worm places itself in this folder, it will easily spread to other computers that are on this P2P network.
What will Win32.Worm.VB do?
This worm will try to overload a device and shut down applications. For a small business like this, losing the use of two business computers could be detrimental.
This Worm can also disable applications entirely by changing or deleting essential files completely. These applications can be essential for small businesses to continue operating.
As the merchant is a Proactive Data Security customer with access to premium grade anti-virus, there was no cause for concern that this would materialise. Win32.Worm.VB was quarantined the moment it attempted to enter the merchant’s computer.
Note: To quarantine a file is to place it into a secure location on the device where it has no interaction with any other file or location on the host device. Our software provides its own quarantine location.
What’s the cost?
With premium grade anti-virus installed, severe costs may have been avoided:
Halting day to day business – In today’s age a lot of business is done over a computer. Everything from sending emails to managing accounts is done digitally. If you strip these functions away from a business, it will unfortunately be left in limbo. This is what a Worm will do if it’s not caught in time.
Monetary loss – This is something that can always occur if a piece of malware isn’t stopped. If a business’s operations are halted, then income from sales and services will be lost. If the situation gets too bad, computers may need to be replaced or some businesses will hire external IT (Information Technology) support to help resolve the issues.
Open to more cyber attacks – Depending on the Worm, you may be leaving yourself open to more varieties of cyber-attacks. Worms are known to drop off different viruses. Ransomware and Spyware are other knock-on effects of being infected with a Worm. These types of attacks can lead to serious implications like identity theft and information being stolen with a ransom demand for its return.
A key aspect of our calls with merchants is to ‘future proof’ them by educating them on the dangers of having these types of files and malware present on a computer.
Our agent explains what we came across and the quarantine process, assuring the merchant that anything placed in quarantine does not have the ability to harm the device in any way.
We explained that Worms are different to computer viruses as they require less human interaction to spread. The following information was provided to the merchant so that an incident like this could be prevented in the future:
Look out for odd looking emails or instant messages. Not only are these routes a Worm can spread through, they are also where Worms can originate from. We advise looking out for obvious spelling mistakes, feigned urgency and links which don’t match the subject/sender.
Be wary of websites visited. Websites with poor security can be targeted by Worms, which will then latch onto computers that visit these websites. Try only visiting reputable websites.
Worms will usually target devices with poor security, as it makes them easier targets. Always ensure automatic updates are turned on for your device. This makes it harder for the Worm to exploit weaknesses in your OS.
Action Taken by SOC
The merchant informed us they may have clicked a link on an email they later realised wasn’t legitimate.
The link downloaded the Worm Win32.Worm.VB, a piece of malware that will spread through a computer network without the need for human interaction.
This specific worm spreads through weaknesses it finds in file sharing programmes.
The anti-virus protection noticed this file may be potentially dangerous, immediately quarantined the file and sent an alert to the SOC team.
The SOC team investigated the application and deemed it high risk.
The merchant received a phone call explaining what had happened and that the file has been placed into quarantine on the computer.
The merchant agreed to remove this file completely from their device.
The SOC agent then ‘future proofed’ the merchant, advising how to potentially avoid putting their computer at risk going forward.
The merchant’s device is now malware free.
This piece of malware is just a small percentage of the unique pieces of malware our security tools and SOC team have successfully identified this month. On top of this, more and more merchants have decided to opt into the excellent real-time virus protection service we offer.
If you missed our last piece on the SOC team, we discussed a call we had with a merchant whose antivirus had prevented a password stealer from operating on their device. You can read this here.