Print this article

What is an internet worm?

An earthworm

A computer program that copies itself to other computers across the internet is called a worm. Worms are often used to infect large numbers of broadband-connected computers with remote-control software. There are ways, however, of protecting your computer from such an attack.

Mike Barwise | 9th September 2010

An internet worm is a program that spreads across the internet by replicating itself on computers via their network connections.

In the 1980s, researchers were seeking ways of managing the growing internet remotely, using programs that could distribute themselves automatically across it.

In the US, on 2 November 1988, a Cornell University student called Robert Morris released an experimental self-replicating program onto the internet to find out how many computers were currently connected to it. The program spread rapidly, installing itself on an estimated 10% of the computers then connected.

Morris had no malicious intent, but a bug in his program caused many of the computers the worm landed on to crash. He was prosecuted and expelled from Cornell, but worms had come of age and have since evolved into an effective way of attacking systems connected to the internet.

What do worms do?

Most internet worms are now malicious. As well as using the computers they land on to spread themselves further, they're designed to take control of them, either to steal confidential user information or to convert them into remote-controlled 'zombies' or 'bots'.

Networks of these - 'bot nets' - are then rented out by organised crime for sending spam email or attacking business and government computer systems. It's estimated that at any one time there are several million ‘zombie’ computers on the internet.

Worms often infect computers by exploiting bugs in legitimate software. Typically, a high-profile, trusted web page may be tampered with so it transmits (often invisibly) a carefully corrupted document file to the user when the page is viewed.

The corrupted file causes the viewer program to crash, opening a door for the injection of a malicious program. To help hide the infection, the malicious program is usually a 'downloader' - a very small program that later connects to a remote computer over the internet to download a more substantial piece of malicious software.

How to prevent worm infections

A good anti-virus program can protect you to some extent, but it's not enough on its own as it's hard to keep it up to date. Many modern worms change hourly and it can take a day or more to create and distribute an anti-virus update.

You also need a firewall to help block the worm's communications, and you should always browse the web with restricted rights - as a 'user', never as an 'administrator'.

But the most effective way to prevent worm infection is to turn off JavaScript for normal web browsing. JavaScript is a powerful tool that makes websites interactive, and it's increasingly relied on by web designers. But it's also the most common entry point that worms use to infect your computer.

So there's a trade-off. Turning off JavaScript for normal web browsing will limit your access to many websites, but it's the best form of protection against worm infection. To put this in perspective, between 5,000-10,000 websites (large and small) are tampered with every day and visiting any of these might infect you with a worm - but around a third of mainstream websites now require JavaScript. The choice is yours.

Mike Barwise

Mike Barwise

Mike Barwise is a veteran information security consultant. He has participated in the definition of standards, legislation and policy on computer and internet security, and has lectured on policy development and consultancy practice.