Computer Worms, Detection, and Defense

Abstract

Since the first widespread Internet worm incident in 1988, computer worms have become a major Internet threat and a subject of increasing academic research. This worm, known as the Morris Worm, was written by Cornell University student Robert Morris. Morris’s worm infected Sun Microsystems Sun 3 and VAX hosts running versions of 4 BSD UNIX by exploiting flaws in several standard services. Although there is no strong consensus as to the definition of a worm (Kienzle & Elder, 2003), the general notion of a worm can be understood by way of contrast with viruses. A virus is a program that can ‘infect’ another program through modification to include a copy of itself (Cohen, 1984). Worms, in contrast, are often characterized as not requiring another program for execution or another agent for activation?that is, a worm can execute and propagate itself autonomously (Spafford, 1988). This characterization of worms as malcode that does not require human intervention for propagation is, however, not universally accepted. For example, Kienzle and Elder (2003) define worms as malicious code that propagates over a network, either with or without human intervention. Such a definition includes e-mail-based mass-mailer viruses, a category that would be largely excluded if the need for human intervention is excluded from the definition of a worm.