Skip to content

Understanding Common Worm Pattern In Cybersecurity

Types of Malware

End devices are especially prone to malware attacks. Therefore, the focus of this topic is on threats to end devices. Malware is short for malicious software or malicious code. It is code or software that is specifically designed to damage, disrupt, steal, or generally inflict some other “bad” or illegitimate action on data, hosts, or networks.
It is important to know about malware because threat actors and online criminals frequently try to trick users into installing malware to help exploit security gaps. In addition, malware morphs so rapidly that malware-related security incidents are extremely common because antimalware software cannot be updated quickly enough to stop the new threats.
A text box opens that reads “A virus is a malicious software which executes a specific unwanted, and often harmful, function on a computer”. As the animation continues to play the attacker at the PC on the left sends a worm attack on the network that travels over the network routers to the PC on the right.

A text box opens that reads “A worm executes arbitrary code and installs copies of itself in the memory of the infected computer. The main purpose of a worm is to automatically replicate itself and spread across the network from system to system”.


As the animation continues to play the attacker at the PC on the left sends a Trojan Horse attack on the network that travels over the network routers to the PC on the right. A text box opens that reads “A Trojan horse is a non-self-replicating type of malware.


It often contains malicious code that is designed to look like something else, such as a legitimate application or file. When an infected application or file is downloaded and opened, the Trojan horse can attack the end device from within”.



A virus is a type of malware that spreads by inserting a copy of itself into another program. After the program is run, viruses then spread from one computer to another, infecting the computers. Most viruses require human help to spread. For example, when someone connects an infected USB drive to their PC, the virus will enter the PC.
The virus may then infect a new USB drive, and spread to new PCs. Viruses can lay dormant for an extended period and then activate at a specific time and date.
A simple virus may install itself at the first line of code in an executable file. When activated, the virus might check the disk for other executables so that it can infect all the files it has not yet infected.
Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Viruses can also be programmed to mutate to avoid detection.
Most viruses are now spread by USB memory drives, CDs, DVDs, network shares, and email. Email viruses are a common type of virus.

Trojan Horses

The term Trojan horse originated from Greek mythology. Greek warriors offered the people of Troy (the Trojans) a giant hollow horse as a gift. The Trojans brought the giant horse into their walled city, unaware that it contained many Greek warriors.
At night, after most Trojans were asleep, the warriors burst out of the horse, opened the city gates, and allowed a sizeable force to enter and take over the city.
Trojan horse malware is software that appears to be legitimate, but it contains malicious code which exploits the privileges of the user that runs it. Often, Trojans are found attached to online games.
Users are commonly tricked into loading and executing the Trojan horse on their systems. While playing the game, the user will not notice a problem. In the background, the Trojan horse has been installed on the user’s system. The malicious code from the Trojan horse continues operating even after the game has been closed.
The Trojan horse concept is flexible. It can cause immediate damage, provide remote access to the system, or access through a back door. It can also perform actions as instructed remotely, such as “send me the password file once per week.” This tendency of malware to send data back to the cybercriminal highlights the need to monitor outbound traffic for attack indicators.
Custom-written Trojan horses, such as those with a specific target, are difficult to detect.

Trojan Horse Classification

Trojan horses are usually classified according to the damage that they cause, or the manner in which they breach a system, as shown in the figure.


Computer worms are similar to viruses because they replicate and can cause the same type of damage. Specifically, worms replicate themselves by independently exploiting vulnerabilities in networks. Worms can slow down networks as they spread from system to system.
Whereas a virus requires a host program to run, worms can run by themselves. Other than the initial infection, they no longer require user participation. After a host is infected, the worm is able to spread very quickly over the network.
Worms are responsible for some of the most devastating attacks on the internet. In 2001, the Code Red worm had initially infected 658 servers. Within 19 hours, the worm had infected over 300,000 servers.
The figure depicts the initial Code Red worm infection across the globe.
The initial infection of the SQL Slammer worm is known as the worm that ate the internet. SQL Slammer was a denial of service (DoS) attack that exploited a buffer overflow bug in Microsoft’s SQL Server. At its peak, the number of infected servers doubled in size every 8.5 seconds.
This is why it was able to infect 250,000+ hosts within 30 minutes. When it was released on the weekend of January 25, 2003, it disrupted the internet, financial institutions, ATM cash machines, and more.
Ironically, a patch for this vulnerability had been released 6 months earlier. The infected servers did not have the updated patch applied. This was a wake-up call for many organizations to implement a security policy requiring that updates and patches be applied in a timely fashion.

Other Malware

These are some examples of the varieties of modern malware:
Type of Malware Description
Spyware Used to gather information about a user and send the information to another entity without the user’s consent. Spyware can be a system monitor, Trojan horse, Adware, tracking cookies, and key loggers.
Adware Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.
Scareware Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.
Phishing Attempts to convince people to divulge sensitive information. Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.
Rootkits Installed on a compromised system. After it is installed, it continues to hide its intrusion and provide privileged access to the threat actor.
This list will continue to grow as the internet evolves. New malware will always be developed. A major goal of cybersecurity operations is to learn about new malware and how to promptly mitigate it.

Common Malware Behaviors

Cybercriminals continually modify malware code to change how it spreads and infects computers. However, most produce similar symptoms that can be detected through network and device log monitoring.
Computers infected with malware often exhibit one or more of the following symptoms:
  • The appearance of strange files, programs, or desktop icons
  • Antivirus and firewall programs are turning off or reconfiguring settings
  • A computer screen is freezing or the system is crashing
  • Emails are spontaneously being sent without your knowledge to your contact list
  • Files have been modified or deleted
  • Increased CPU and/or memory usage
  • Problems connecting to networks
  • Slow computer or web browser speeds
  • Unknown processes or services running
  • Unknown TCP or UDP ports open
  • Connections are made to hosts on the Internet without user action
  • Strange computer behaviour

Note: Malware behaviour is not limited to the above list.


Action Point

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.


Leave a Reply

Your email address will not be published. Required fields are marked *