Hubbry Logo
Computer wormComputer wormMain
Open search
Computer worm
Community hub
Computer worm
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Computer worm
Computer worm
Computer worm
View on Wikipedia
from Wikipedia
Hex dump of the Blaster worm, showing a message left for Microsoft CEO Bill Gates by the worm's creator
Spread of Conficker worm

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers.[1] It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behavior will continue.[2] Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time.[3] Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Many worms are designed only to spread, and do not attempt to change the systems they pass through. However, as the Morris worm and Mydoom showed, even these "payload-free" worms can cause major disruption by increasing network traffic and other unintended effects.

History

[edit]

The first ever computer worm is generally accepted to be a self-replicating version of Creeper created by Ray Tomlinson and Bob Thomas at BBN in 1971 to replicate itself across the ARPANET.[4][5] Tomlinson also devised the first antivirus software, named Reaper, to delete the Creeper program.

The term "worm" was first used in this sense in John Brunner's 1975 novel, The Shockwave Rider. In the novel, Nichlas Haflinger designs and sets off a data-gathering worm in an act of revenge against the powerful people who run a national electronic information web that induces mass conformity. "You have the biggest-ever worm loose in the net, and it automatically sabotages any attempt to monitor it. There's never been a worm with that tough a head or that long a tail!"[6] "Then the answer dawned on him, and he almost laughed. Fluckner had resorted to one of the oldest tricks in the store and turned loose in the continental net a self-perpetuating tapeworm, probably headed by a denunciation group "borrowed" from a major corporation, which would shunt itself from one nexus to another every time his credit-code was punched into a keyboard. It could take days to kill a worm like that, and sometimes weeks."[6]

Xerox PARC was studying the use of "worm" programs for distributed computing in 1979.[7]

On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate student, unleashed what became known as the Morris worm, disrupting many computers then on the Internet, guessed at the time to be one tenth of all those connected.[8] During the Morris appeal process, the U.S. Court of Appeals estimated the cost of removing the worm from each installation at between $200 and $53,000; this work prompted the formation of the CERT Coordination Center[9] and Phage mailing list.[10] Morris himself became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act.[11]

Conficker, a computer worm discovered in 2008 that primarily targeted Microsoft Windows operating systems, is a worm that employs three different spreading strategies: local probing, neighborhood probing, and global probing.[12] This worm was considered a hybrid epidemic and affected millions of computers. The term "hybrid epidemic" is used because of the three separate methods it employed to spread, which was discovered through code analysis.[13]

Features

[edit]

Independence

Computer viruses generally require a host program.[14] The virus writes its own code into the host program. When the program runs, the written virus program is executed first, causing infection and damage. A worm does not need a host program, as it is an independent program or code chunk. Therefore, it is not restricted by the host program, but can run independently and actively carry out attacks.[15][16]

Exploit attacks

Because a worm is not limited by the host program, worms can take advantage of various operating system vulnerabilities to carry out active attacks. For example, the "Nimda" virus exploits vulnerabilities to attack.

Complexity

Some worms are combined with web page scripts, and are hidden in HTML pages using VBScript, ActiveX and other technologies. When a user accesses a webpage containing a virus, the virus automatically resides in memory and waits to be triggered. There are also some worms that are combined with backdoor programs or Trojan horses, such as "Code Red".[17]

Contagiousness

Worms are more infectious than traditional viruses. They not only infect local computers, but also all servers and clients on the network based on the local computer. Worms can easily spread through shared folders, e-mails,[18] malicious web pages, and servers with a large number of vulnerabilities in the network.[19]

Harm

[edit]

Any code designed to do more than spread the worm is typically referred to as the "payload". Typical malicious payloads might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a ransomware attack (e.g., the WannaCry worm), or exfiltrate data such as confidential documents or passwords.[20]

Some worms may install a backdoor. This allows the computer to be remotely controlled by the worm author as a "zombie". Networks of such machines are often referred to as botnets and are very commonly used for a range of malicious purposes, including sending spam or performing DoS attacks.[21][22][23]

Some special worms attack industrial systems in a targeted manner. Stuxnet was primarily transmitted through LANs and infected thumb-drives, as its targets were never connected to untrusted networks, like the internet. This virus can destroy the core production control computer software used by chemical, power generation and power transmission companies in various countries around the world - in Stuxnet's case, Iran, Indonesia and India were hardest hit - it was used to "issue orders" to other equipment in the factory, and to hide those commands from being detected. Stuxnet used multiple vulnerabilities and four different zero-day exploits (e.g.: [1]) in Windows systems and Siemens SIMATICWinCC systems to attack the embedded programmable logic controllers of industrial machines. Although these systems operate independently from the network, if the operator inserts a virus-infected drive into the system's USB interface, the virus will be able to gain control of the system without any other operational requirements or prompts.[24][25][26]

Countermeasures

[edit]

Worms spread by exploiting vulnerabilities in operating systems. Vendors with security problems supply regular security updates[27] (see "Patch Tuesday"), and if these are installed to a machine, then the majority of worms are unable to spread to it. If a vulnerability is disclosed before the security patch released by the vendor, a zero-day attack is possible.

Users need to be wary of opening unexpected emails,[28][29] and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end-user into running malicious code.

Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended.

Users can minimize the threat posed by worms by keeping their computers' operating system and other software up to date, avoiding opening unrecognized or unexpected emails and running firewall and antivirus software.[30]

Mitigation techniques include:

Infections can sometimes be detected by their behavior - typically scanning the Internet randomly, looking for vulnerable hosts to infect.[31][32] In addition, machine learning techniques can be used to detect new worms, by analyzing the behavior of the suspected computer.[33]

Helpful worms

[edit]

A helpful worm or anti-worm is a worm designed to do something that its author feels is helpful, though not necessarily with the permission of the executing computer's owner. Beginning with the first research into worms at Xerox PARC, there have been attempts to create useful worms. Those worms allowed John Shoch and Jon Hupp to test the Ethernet principles on their network of Xerox Alto computers.[34] Similarly, the Nachi family of worms tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system by exploiting those same vulnerabilities.[35] In practice, although this may have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and did its work without the consent of the computer's owner or user. Another example of this approach is Roku OS patching a bug allowing for Roku OS to be rooted via an update to their screensaver channels, which the screensaver would attempt to connect to the telnet and patch the device.[36] Regardless of their payload or their writers' intentions, security experts regard all worms as malware.

One study proposed the first computer worm that operates on the second layer of the OSI model (Data link Layer), utilizing topology information such as Content-addressable memory (CAM) tables and Spanning Tree information stored in switches to propagate and probe for vulnerable nodes until the enterprise network is covered.[37]

Anti-worms have been used to combat the effects of the Code Red,[38] Blaster, and Santy worms. Welchia is an example of a helpful worm.[39] Utilizing the same deficiencies exploited by the Blaster worm, Welchia infected computers and automatically began downloading Microsoft security updates for Windows without the users' consent. Welchia automatically reboots the computers it infects after installing the updates. One of these updates was the patch that fixed the exploit.[39]

Other examples of helpful worms are "Den_Zuko", "Cheeze", "CodeGreen", and "Millenium".[39]

Art worms support artists in the performance of massive scale ephemeral artworks. It turns the infected computers into nodes that contribute to the artwork.[40]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Computer worm

View on Grokipedia
from Grokipedia
A computer worm is a self-replicating malware program that spreads across computer networks by exploiting vulnerabilities in operating systems or applications, without requiring attachment to a host file or user intervention to propagate. Unlike computer viruses, which depend on infecting executable files and human actions to spread, worms operate autonomously, often consuming system resources and enabling further attacks such as denial-of-service or data exfiltration. The first major instance, the Morris worm of 1988, exploited flaws in Unix systems to infect approximately 6,000 machines—about one-tenth of the early internet—demonstrating the potential for widespread disruption through unchecked replication. Notable later examples include the Conficker worm, which from 2008 onward targeted unpatched Windows systems via a critical RPC vulnerability, infecting millions of computers worldwide and establishing persistent botnets despite international mitigation efforts. Worms have evolved to incorporate advanced evasion techniques, underscoring ongoing challenges in network security where empirical evidence from incidents reveals systemic failures in timely patching and vulnerability management as primary causal factors in outbreaks.

Definition and Fundamentals

Core Definition

A computer worm is a standalone program that self-replicates to propagate across computer networks without requiring attachment to a host file or user intervention. Unlike viruses, which depend on infecting files or documents, worms operate independently, exploiting vulnerabilities in operating systems, network services, or protocols to scan for and infect susceptible systems. This autonomy enables rapid dissemination, as the worm generates copies of itself and transmits them to new targets, often consuming bandwidth and computational resources in the process. Key characteristics include self-contained code that executes directly upon infection, network-oriented propagation methods such as email attachments, peer-to-peer sharing, or direct vulnerability exploitation (e.g., buffer overflows in services like SMB), and potential payloads that may delete files, install backdoors, or launch denial-of-service attacks. Worms do not alter host files for replication but may modify system configurations to facilitate further spread, such as opening backdoor ports or disabling security features. Their design prioritizes evasion and persistence, often incorporating polymorphic techniques to mutate code and avoid detection by signature-based antivirus tools. Empirical evidence from incidents demonstrates worms' capacity for widespread disruption; for instance, they leverage unpatched software flaws to achieve , with replication rates determined by and vulnerability prevalence rather than . This distinguishes them causally as network-centric threats, where velocity correlates directly with exploitable surface area in interconnected systems. A computer worm differs from other primarily in its standalone nature and autonomous propagation: it is a self-contained program that replicates and spreads across networks without attaching to a host file or requiring user intervention, exploiting vulnerabilities to infect remote systems directly. In contrast, a requires integration with a legitimate host program or file, such as an or , and spreads only when the infected host is executed by a user, often via attachments or shared media. This host dependency limits viruses to slower, user-mediated dissemination, whereas worms achieve rapid, exponential spread independent of , as seen in their exploitation of network services like servers or RPC vulnerabilities. Trojans, by , do not self-replicate; they disguise themselves as benign software to trick users into installation, relying entirely on social engineering for initial infection and lacking any inherent propagation mechanism beyond the payload's potential to download additional components. Unlike worms, which prioritize replication to maximize reach, trojans focus on for on a single system, such as granting backdoor access, without autonomously seeking new hosts. Other related malware exhibit further distinctions: rootkits emphasize concealment by modifying operating system components to hide activities, but they neither replicate nor propagate independently, often serving as enablers for worms or trojans rather than standalone spreaders. , while capable of self-propagation if worm-like traits are incorporated (e.g., WannaCry's 2017 exploitation of ), is classified by its extortion payload—encrypting files for monetary demands—rather than replication as a core trait, with many variants spreading via rather than network autonomy. Bots, which assemble infected machines into command-and-control networks, frequently result from worm infections but derive their identity from coordinated post-infection , not the initial self-replicating spread.
Malware TypeHost DependencyReplication MechanismPrimary Propagation MethodExample Impact Focus
WormNone (standalone)Self-contained duplicates full instancesNetwork exploits (e.g., buffer overflows, weak auth) without user actionResource exhaustion, backdoor installation via mass infection
VirusRequires attachment to host file/programModifies host to insert viral User-executed hosts (e.g., opening infected files)Corruption of files/systems upon host activation
TrojanNone, but mimics legit softwareNo inherent replicationUser download/execution via deceptionStealthy access, data theft without spread
RootkitOften embeds in kernel/OSMinimal or none; focuses on hidingManual installation or bundled with other Evasion of detection, enabling persistence
These distinctions underscore worms' unique : their independence enables geometric growth rates, overwhelming networks faster than host-bound or non-replicating , as evidenced by historical outbreaks where worms infected millions of systems in hours. However, hybrid threats blurring lines—such as viruses with worm-like network components—have emerged, though pure worms remain defined by full per standards like NIST.

Historical Development

Origins in Early Computing

The theoretical foundations for self-replicating programs, akin to computer worms, trace back to mathematician 's work on self-reproducing automata. In a series of lectures delivered between 1948 and 1953 at the University of Illinois, von Neumann explored mathematical models of cellular automata capable of universal construction and replication, drawing analogies to biological reproduction. These ideas, compiled and published posthumously in 1966 as Theory of Self-Reproducing Automata, provided the conceptual basis for programs that could autonomously copy and propagate themselves, though no practical digital implementations followed immediately due to hardware limitations of the era. The first experimental realization of such a program emerged in 1971 with Creeper, developed by engineer Bob Thomas at Bolt, Beranek and Newman (BBN) Technologies. Written for the TENEX operating system on ARPANET—the U.S. Department of Defense's precursor to the modern internet—Creeper was an innocuous test to demonstrate a program's ability to traverse networked computers. Initially, it moved from machine to machine, displaying the message "I'm the creeper, catch me if you can!" on infected terminals, without altering files or causing harm. A subsequent enhancement by BBN colleague Ray Tomlinson enabled Creeper to copy itself rather than merely relocate, marking the first instance of true self-replication across a network of about 20-30 DEC PDP-10 systems. In response, Tomlinson created , a companion program deployed the same year to seek out and delete Creeper instances. Like Creeper, replicated across to ensure comprehensive removal, functioning as an early form of automated countermeasure without user intervention on each host. These experiments highlighted the feasibility of autonomous in distributed systems but remained confined to controlled research environments, with no malicious intent or widespread disruption reported. No prior practical worms are documented in pre-1971 , as isolated mainframes lacked the networked for replication.

Proliferation in the Internet Era (1980s-2000s)

The proliferation of computer worms accelerated in the 1980s and 1990s as the evolved into the broader , enabling rapid self-replication across interconnected networks. Early instances exploited nascent vulnerabilities in Unix-based systems, marking a shift from isolated experiments to widespread disruptions. The , released on November 2, 1988, by Cornell graduate student , became the first to achieve significant scale, infecting approximately 6,000 machines—about 10% of the 's estimated hosts at the time—primarily through buffer overflow exploits in services like fingerd and . This event caused widespread slowdowns and crashes due to resource exhaustion, rather than direct payload damage, and prompted the creation of the first (CERT) at . During the 1990s, worm activity remained sporadic amid growing but still limited adoption, with most threats manifesting as hybrid or viruses rather than pure autonomous worms. The decade saw increased awareness post-Morris, yet vulnerabilities persisted, setting the stage for exponential growth in the early 2000s as became ubiquitous and Windows systems dominated consumer computing. The worm, unleashed on May 4, 2000, exemplified this escalation by spreading via mass-mailed Visual Basic Script attachments disguised as love letters, infecting over 45 million computers in 24 hours and affecting roughly 10% of -connected devices globally. It overwrote critical files, stole passwords, and caused an estimated $10 billion in cleanup and lost productivity costs, primarily targeting /98/NT systems. Network-targeted worms further intensified proliferation by exploiting server-side flaws without user interaction. Code Red, detected on July 15, 2001, leveraged a in IIS web servers, infecting over 359,000 hosts in under 14 hours through random scanning for vulnerable systems. Its defaced websites with "Hacked by Chinese!" messages and launched denial-of-service attacks against targets like the IP, generating $2.6 billion in global damages before self-terminating on August 20, 2001. Similarly, the Blaster worm, activated on August 11, 2003, propagated via the DCOM RPC vulnerability in unpatched /XP systems, infecting at least 100,000 machines and peaking at millions of attempts per day by August 16. Blaster's triggered system reboots and DDoS floods against a update server, incurring millions in remediation costs and underscoring the risks of delayed patching in an increasingly broadband-enabled era. These incidents highlighted causal factors in worm proliferation: unpatched software vulnerabilities, uniform operating system adoption, and scalable propagation vectors like and port scanning, which allowed exponential spread modeled by epidemiological dynamics. By the mid-2000s, such worms had infected tens of millions of devices, disrupted , and catalyzed institutional responses, including mandatory vulnerability disclosures and coordinated takedowns, though availability often enabled variants. Empirical data from these events revealed rates doubling every few hours in susceptible populations, with total damages exceeding tens of billions cumulatively, driven by indirect effects like over direct destruction.

Contemporary Worms and Variants (2010s-2025)

, discovered in June 2010, represented a in worm sophistication, targeting systems in Iran's uranium enrichment facility by exploiting four zero-day vulnerabilities in Windows and Step7 software to manipulate programmable logic controllers, causing physical damage to approximately 1,000 centrifuges while concealing alterations through techniques. Attributed to a joint U.S.-Israeli operation, it spread primarily via USB drives and network shares, infecting over 200,000 computers globally but activating payloads only on specific air-gapped targets, demonstrating worms' potential for precision cyber-physical disruption over indiscriminate damage. Follow-up variants like , identified in September 2011, extended Stuxnet's modular architecture for , stealing certificates and from industrial targets in and using similar kernel exploits to maintain persistence. , uncovered in May 2012, introduced advanced modularity with over 20MB of code, including propagation and screenshot capture, primarily affecting systems in the for intelligence gathering, with capabilities to or mimic legitimate updates. , deployed in August 2012 against , functioned as a destructive wiper worm, overwriting master boot records and on 35,000 workstations via shared networks, rendering 75% of the company's systems inoperable and highlighting worms' role in asymmetric industrial . In the late 2010s, worms integrated with for rapid propagation, as seen in WannaCry's May 2017 outbreak, which leveraged the exploit in unpatched Windows SMBv1 to self-replicate across 150 countries, encrypting data on over 200,000 systems and demanding ransoms totaling around $140,000 before a halted spread. NotPetya, launched in June 2017, masqueraded as but primarily wiped data through and credential dumping for lateral movement, disrupting Ukrainian infrastructure and global firms like , with estimated damages exceeding $10 billion due to its aggressive network traversal mimicking worm autonomy. The 2020s saw worms targeting software supply chains, exemplified by the Shai-Hulud worm detected in September 2025, which self-replicated across repositories by hijacking developer accounts, injecting malicious files into workflows to exfiltrate secrets and propagate via automated commits, compromising hundreds of packages in a ecosystem-specific . Emerging concepts like AI worms, which hypothetically leverage for adaptive evasion and propagation without traditional exploits, reflect ongoing evolution toward intelligent, less detectable variants, though real-world instances remain limited to proof-of-concepts as of 2025. Overall, contemporary worms have trended from broad internet-scale outbreaks to targeted, state-linked or profit-driven operations exploiting zero-days and unpatched legacy systems, with reduced emphasis on pure mass replication due to enhanced endpoint detection.

Technical Mechanisms

Self-Replication and Autonomy

A computer worm's begins with the execution of its core code on an infected host, which triggers routines to generate identical copies of the worm's binary or script . These copies are created by leveraging calls for file duplication or memory allocation, ensuring the replica includes all necessary components for independent operation, such as propagation logic and evasion techniques. Upon successful transfer to a new host via network protocols like TCP or UDP, the replica exploits the target's environment to self-install, often by writing to temporary directories or modifying startup processes, thereby initiating its own replication cycle without external dependencies. Autonomy in worms manifests as their capacity to operate as self-contained programs that make propagation decisions algorithmically, independent of user intervention or attachment to legitimate files. This contrasts with viruses, which require human-executed hosts to activate; worms instead exploit inherent network connectivity and vulnerabilities autonomously, using embedded scanning algorithms to identify targets and execute transfers. For instance, the worm's code may incorporate generators for selection or predefined hit-lists for efficiency, allowing it to persist and replicate across diverse systems without manual propagation. Such independence enables exponential spread, as each instance acts as both victim and vector, amplifying rates through recursive execution.

Propagation and Exploitation Methods

Computer worms propagate primarily through autonomous scanning of spaces to identify and infect vulnerable hosts, exploiting software flaws to deliver payloads without user intervention. Common scanning strategies include random scanning, where target IP addresses are selected uniformly at random from the available space, leading to in infections until vulnerable hosts are depleted; hit-list scanning, utilizing a pre-compiled directory of targets for rapid initial spread; and permutation scanning, which systematically traverses the in a pseudo-random order to avoid redundancy. Exploitation typically involves remote code execution vulnerabilities, such as , where malformed input overflows allocated memory to overwrite execution control structures and inject malicious code. For instance, the Code Red worm, released on July 15, 2001, exploited a in IIS index server by sending a long string of repeated 'N' characters to trigger the vulnerability, enabling execution for . Similarly, the of November 2, 1988, targeted Unix systems via in the fingerd daemon, a debug mode in , and weak in rsh/rexec services assuming trusted host relationships. These techniques allow worms to gain sufficient privileges to copy themselves, often masking propagation through methods like "hook-and-haul" to obscure entry points. Beyond pure network scanning, worms employ hybrid vectors including dictionary attacks on weakly protected network shares, as seen in (first detected November 2008), which brute-forced SMB shares alongside exploiting the MS08-067 RPC vulnerability; removable media autorun exploits for local network hopping; and social vectors like attachments or that trigger upon execution. efficiency depends on factors like scan rate limits to evade detection, topological awareness from infected hosts' routing tables, and fallback to multiple exploits for resilience against patches. Such methods enable worms to achieve infection rates of millions of hosts rapidly, as with infecting up to 15 million systems by early 2009.

Payload Execution and Effects

Once a computer worm successfully to a target system—typically via exploitation of software vulnerabilities such as buffer overflows or weak —the executes autonomously, often as an integrated module within the worm's codebase or as a separately downloaded component triggered post-infection. This execution leverages the gained privileges, such as system-level access obtained through the initial exploit, to perform actions beyond mere replication; for instance, injected during may decode and run the main , which then modifies system files, registries, or processes without requiring further user interaction. Payload effects range from resource denial to data manipulation and remote control establishment, calibrated by the worm's design objectives, which may prioritize disruption, , or . Resource exhaustion occurs when payloads spawn excessive processes or network traffic, as exemplified by the on November 2, 1988, which, due to a replication bug, infected approximately 6,000 Unix systems (about 10% of the at the time), forking processes that consumed up to 99% of CPU cycles and rendered machines unresponsive for days. In contrast, distributed denial-of-service (DDoS) payloads coordinate infected hosts into botnets for targeted flooding; the Blaster worm (discovered August 11, 2003) exploited Windows DCOM RPC vulnerabilities to infect over 500,000 systems, executing a that queued UDP SYN packets at 50 per second to windowsupdate.com starting August 16, 2003, while displaying an anti-Microsoft message on infected screens. Backdoor and persistence mechanisms enable ongoing control, often by disabling defenses and phoning home to command-and-control (C2) servers; (first detected November 21, 2008) infected millions of Windows machines via MS08-067 exploits, executing a that disabled , Windows Defender, and antivirus services, then used to fetch additional for botnet operations like spam or further attacks. Data theft or alteration payloads exfiltrate sensitive information or corrupt files, though some worms like Code Red (July 13, 2001) focused on symbolic disruption by temporarily defacing IIS web servers with "Hacked By Chinese!" messages before restoring content after roughly 10 hours and attempting DDoS on . Advanced payloads achieve physical impacts through targeted manipulations; Stuxnet (discovered June 2010) exploited multiple zero-days in Windows and PLC to infiltrate Iran's uranium enrichment facility, where its subtly altered speeds—accelerating to 1,410 Hz then decelerating to 2 Hz or halting—causing over 1,000 IR-1 centrifuges to fail prematurely between late 2009 and early 2010, while falsifying sensor data to evade detection via techniques. Such effects underscore payloads' potential for cascading failures, where initial execution amplifies into systemic overload or targeted destruction, often evading immediate notice through stealth features like anti-forensic measures.

Impacts and Consequences

Direct Harms and Empirical Damages

Computer worms inflict direct harms primarily through resource exhaustion, unauthorized data access, encryption or deletion of files, and disruption of critical systems, leading to measurable operational and recovery costs. These effects stem from the worm's , which consumes bandwidth and processing power, often causing denial-of-service conditions without requiring user interaction. Empirical data from notable incidents quantify these damages in billions of dollars globally, encompassing cleanup expenses, lost , and hardware strain. The Code Red worm, propagating in July 2001, exemplifies rapid direct impact by exploiting vulnerabilities in IIS servers, infecting over 250,000 systems within nine hours and generating defacement payloads alongside massive traffic floods. This resulted in widespread server crashes and network overloads, with economic losses exceeding $2.4 billion, including $1.1 billion in remediation and $1.5 billion in productivity halts across affected enterprises. The worm in January 2003 further demonstrated bandwidth saturation harms, spreading to hundreds of thousands of instances in under 10 minutes via UDP packets, triggering outages at banks, airlines, and ISPs without a destructive beyond the propagation itself; damages totaled over $750 million in direct cleanup and downtime costs. More recent worms combining propagation with payloads have amplified data-centric harms. , emerging in November 2008, infected approximately 11 million Windows machines by exploiting unpatched RPC flaws and weak passwords, enabling backdoor access that facilitated further deployment and system instability; potential direct losses reached $9.1 billion, including specific incidents like a local authority's £1.4 million recovery expenditure. NotPetya, deploying in June 2017 via worm-like exploits initially targeting Ukrainian systems but spreading globally, encrypted master boot records and files, rendering machines inoperable and causing over $10 billion in verified damages to firms like Merck ($1.7 billion in lost inventory and production) through irrecoverable and operational halts. Similarly, WannaCry's May 2017 outbreak encrypted data on over 200,000 systems in 150 countries, directly crippling healthcare providers like the 's NHS—where 19,000 appointments were canceled—and incurring global remediation and downtime costs estimated at $4 billion. These cases highlight causal links between worm autonomy and harms: self-replication overwhelms infrastructure, while payloads enforce data unavailability, with costs empirically tied to scale and sector rather than indirect factors. Early worms like Morris in 1988 caused less quantified financial damage—around $100 million in cleanup for 6,000 infected machines—primarily via resource denial without encryption, underscoring evolution toward more destructive mechanisms. Recovery universally demands manual intervention, patching, and sometimes full system wipes, amplifying direct empirical burdens on unpatched environments.

Broader Systemic and Geopolitical Effects

The deployment of sophisticated computer worms by state actors has reshaped geopolitical rivalries, enabling covert sabotage of adversaries' capabilities without traditional military engagement. , first identified in June 2010 and attributed to a collaborative effort by U.S. and Israeli intelligence agencies, infiltrated Iran's nuclear facility, causing approximately 1,000 enrichment centrifuges to fail through manipulated programmable logic controllers, thereby delaying Tehran's nuclear program by up to two years. This operation, which exploited four zero-day vulnerabilities in Windows and software, marked a precedent for cyber weapons achieving physical destruction, but its escape into the wild infected non-target systems globally, heightening tensions over attribution and retaliation norms in . Subsequent worms have amplified strategies, blending cyber disruption with conventional conflicts. In June 2017, NotPetya—believed to originate from Russia's Sandworm group amid the crisis—initially masqueraded as but propagated via Ukrainian tax software updates, exploiting the vulnerability to encrypt data worldwide. The attack paralyzed 's power grid, airports, and banks while inflicting collateral damages exceeding $10 billion across global firms like and Merck, disrupting international shipping and pharmaceutical production for weeks. Such spillover effects strained diplomatic relations, with the U.S. and EU imposing sanctions on implicated Russian entities, underscoring worms' role in proxy escalations that challenge sovereignty and economic interdependence. WannaCry, unleashed in May 2017 and linked to North Korea's , leveraged the same exploit to encrypt files on over 200,000 systems across 150 countries, demanding ransoms that yielded minimal returns but exposed regime funding motives. It halted operations at Britain's —cancelling 19,000 appointments and costing £92 million—and , while prompting a White House attribution to that intensified U.S. sanctions and cyber diplomacy efforts. These incidents collectively eroded trust in shared digital ecosystems, fueling debates on offensive cyber restraint, as evidenced by stalled UN Group of Governmental Experts talks on applying to state-sponsored intrusions. On a systemic level, worms exploit interconnected infrastructures to trigger cascading failures, amplifying localized exploits into economy-wide shocks that reveal inherent fragilities in unpatched, legacy-dependent networks. NotPetya and WannaCry, by leveraging NSA-derived tools leaked via in 2016, demonstrated how proliferation of nation-state exploits undermines global stability, with aggregate losses from such events estimated in tens of billions and prompting regulatory mandates like the EU's NIS Directive updates. These outbreaks have spurred systemic responses, including heightened private-sector investments—reaching $150 billion globally in 2023—and national strategies emphasizing supply-chain security, as worms' autonomy bypasses perimeter defenses to propagate via routine updates and protocols. Persistent threats like , infecting up to 15 million machines since 2008, further illustrate long-tail risks to botnet recruitment for DDoS or , eroding resilience in financial and utility sectors without direct geopolitical intent.

Countermeasures and Mitigation

Detection and Analysis Techniques

Detection of computer worms relies on a combination of signature-based, anomaly-based, and behavioral methods tailored to their self-propagating nature. Signature-based detection scans network traffic, system logs, or files for predefined patterns associated with known worms, such as specific byte sequences in payloads or propagation code. This approach achieves low false-positive rates but requires prior knowledge of the worm and struggles against variants that mutate signatures. Anomaly-based intrusion detection systems identify deviations from baseline network or host , such as sudden spikes in outbound scanning traffic indicative of worm . Behavioral techniques focus on the inherent patterns of worms, distinguishing them from benign traffic. Behavioral footprinting profiles a worm's sessions—sequences of scan, exploit, and replication actions—by extracting features like timing intervals, packet structures, and response dependencies from captured traffic traces. This method has been evaluated on real worms including Code Red and variants, enabling detection without relying on content signatures. Systems like vEye apply algorithms to match observed patterns against worm behavioral templates, capturing self-propagation even in obfuscated samples. (EDR) tools monitor for abnormal host activities, such as rapid file creation or unauthorized network connections, which signal autonomous replication. Machine learning enhances detection by modeling worm scanning behaviors; for instance, ensemble classifiers combine features from network packets to identify self-propagating scans with high accuracy in simulated environments. The SWORD detector targets core worm traits like target generation and exploitation attempts, using sequential testing to confirm without evasion by polymorphism. Analysis of captured worm samples involves static and dynamic to dissect replication mechanisms and payloads. Static analysis examines binaries without execution, headers, strings, and calls to reveal logic, such as exploits or network protocols used. Tools like disassemblers convert to assembly for identifying self-replication routines, as applied to worms like , which required x86 expertise to uncover zero-day exploits. Dynamic analysis executes samples in isolated sandboxes to observe runtime behavior, including attempts and payload activation, while logging system calls and network interactions. Forensic techniques trace worm artifacts, such as modified registry entries or droppers, to reconstruct infection chains and assess damage potential. These methods, often combined, enable attribution and signature generation for broader defenses, though evasion via packing or anti-analysis code necessitates iterative refinement.

Preventive Measures and Best Practices

Applying security patches promptly addresses known vulnerabilities exploited by worms, such as the in the SMB protocol targeted by the 2008 worm, which affected millions of Windows systems before patches were widely deployed. Antivirus and anti-malware software with real-time scanning and automatic updates detect self-replicating code and infections before propagation, as recommended for desktop and server environments. Firewalls, both host-based and network-level, block unauthorized inbound connections and filter traffic on vulnerable ports, mitigating worms that scan for open services like those used by the 1988 Morris worm.
  • Software updates and patch management: Automate updates for operating systems, applications, and firmware to close exploits; for instance, unpatched systems remain primary vectors for worms years after vulnerability disclosure.
  • Endpoint protection platforms: Deploy tools with behavioral analysis to identify anomalous replication patterns beyond signature-based detection.
  • Network segmentation: Isolate critical systems using VLANs or micro-segmentation to limit lateral movement, containing outbreaks like those observed in enterprise networks.
  • Email and web filtering: Scan attachments and links for malicious payloads, blocking domains known for worm distribution; disable AutoRun features to prevent execution from removable media.
  • Access controls: Enforce least privilege principles, strong authentication including multi-factor where feasible, and monitor for privilege escalation attempts.
  • User training: Educate on recognizing phishing vectors, avoiding unverified downloads, and reporting anomalies, as human error facilitates initial infections in over 90% of malware incidents per industry analyses.
  • Regular backups and testing: Maintain offline backups of critical data, tested for restorability, to enable recovery without paying ransoms or yielding to destructive payloads.
Application whitelisting restricts execution to approved software, preventing unauthorized worm binaries from running even if introduced. For organizations, integrating these into a layered defense , including intrusion detection systems, aligns with NIST guidelines for prevention.

Incident Response Protocols

Incident response protocols for computer worms emphasize rapid action to curb self-propagation, following frameworks like the NIST lifecycle of , eradication, recovery, and post-incident activities. Worms demand high-priority handling due to their potential for exponential spread across networks in minutes to hours, necessitating immediate isolation to limit damage. Containment begins with short-term measures to halt dissemination, such as disconnecting infected hosts from networks, segregating them into isolated VLANs, or blocking specific IP addresses, ports, and protocols exploited by the worm via firewalls or intrusion prevention systems (IPS). Long-term containment involves disabling vulnerable services, applying interim patches, and monitoring anomalous traffic patterns with network behavior analysis tools to detect ongoing propagation attempts. These steps preserve evidence for analysis while balancing service availability and potential triggers that could exacerbate harm, such as data overwrites upon disconnection. Eradication requires comprehensive scanning and removal of worm instances using updated antivirus signatures or specialized tools, often combined with system rebuilds for deeply embedded variants like rootkits. causes, including unpatched vulnerabilities, must be addressed through software updates and configuration hardening to prevent reinfection, with phased remediation prioritizing critical assets. Recovery entails restoring operations from verified clean backups or images, verifying system integrity, and gradually lifting while enhancing monitoring for residual threats. Organizations validate normal functionality before full reconnection, minimizing downtime from worm-induced disruptions. Post-incident activities include documenting the event chronology, assessing damages, and conducting lessons-learned reviews to refine detection tools, patching cadences, and coordination with external entities like US-CERT for threat intelligence sharing. This phase identifies systemic weaknesses, such as outdated , to bolster future resilience against similar autonomous threats.

Experimental and Constructive Applications

Historical Examples of Beneficial Worms

The program, developed in 1972 by at BBN Technologies, was the first known example of a worm designed to eradicate another self-replicating program. It targeted the experimental Creeper worm, created by Bob Thomas in 1971 to demonstrate network propagation on the , by seeking out and deleting Creeper instances without causing additional harm. Although Reaper successfully contained Creeper's spread across the limited ARPANET nodes, it highlighted early risks of uncontrolled replication, as both programs consumed computational resources during propagation. In response to the Code Red worm, which exploited a in IIS web servers starting July 15, 2001, and infected an estimated 359,000 hosts within 14 hours, a German released CodeGreen in September 2001. CodeGreen used the same IIS vulnerability to access infected systems, apply Microsoft's security patch, and delete Code Red remnants, aiming to automate remediation across vulnerable networks. However, its propagation generated significant network traffic, leading to disruptions and criticism for potentially exacerbating denial-of-service effects similar to Code Red's. The Welchia (or Nachi) worm emerged in August 2003 to counter the Blaster worm, which exploited a DCOM RPC vulnerability in and XP, infecting over 1 million systems and causing widespread reboots. Welchia scanned for the same vulnerability, downloaded and installed Microsoft's patch from windowsupdate.com, removed Blaster if present, and then self-deleted, infecting primarily unpatched machines to enforce remediation. Despite its intent, Welchia caused through ICMP pings and file operations, affecting systems like the U.S. State Department's infrastructure and prompting antivirus vendors to treat it as . These cases illustrate the concept of "anti-worms," but shows they often traded one form of disruption for another, underscoring challenges in benevolent self-propagation without centralized control.

Ethical Debates and Research Implications

The release of experimental computer worms has sparked debates over researcher accountability, particularly when unintended consequences cause widespread disruption without user consent. The 1988 , developed by as a demonstration of vulnerabilities, exploited weaknesses in Unix systems like fingerd and , leading to uncontrolled replication that slowed or crashed approximately 6,000 machines, or about 10% of the at the time. This incident prompted ethical scrutiny of proportionality in vulnerability testing, as Morris's intent was gauging system security rather than harm, yet it resulted in the first conviction under the U.S. , with a sentence of three years' probation, 400 hours of community service, and a $10,050 fine. Critics argued that such experiments bypass and risk cascading failures, while proponents viewed it as a necessary wake-up call, influencing the creation of the (CERT) to coordinate defenses. Benevolent worms, designed to propagate patches or anti-censorship tools, intensify ethical tensions by blurring lines between remediation and intrusion. Following the 2003 Blaster worm, which exploited a Windows DCOM RPC vulnerability to infect over 1 million systems, the worm emerged to automatically install patches on vulnerable machines but also gathered system without authorization, raising concerns over unauthorized modifications and potential for . Conceptual proposals for "good" worms, such as those disseminating or evading in restrictive regimes like , face opposition for violating user autonomy and legal norms against self-replicating code, even if payloads are benign, as they exploit the same propagation mechanisms as malicious variants. Ethical analyses emphasize that such tools, while theoretically advancing public goods like equity, often fail causal tests of net benefit due to unpredictable spread and the precedent they set for vigilante interventions, potentially eroding trust in . Research on computer worms has empirically advanced cybersecurity through propagation modeling and forensic techniques, yet imposes dual-use risks that necessitate stringent ethical protocols. Studies of worms like , which combined dictionary attacks, networks, and to infect millions starting November 2008, have informed epidemic models treating networks as susceptible-infected-recovered () systems, enabling predictive simulations for containment. These insights have shaped preventive architectures, such as anomaly-based detection and patch management, but underscore the need for contained experimentation to avoid real-world spillover, as evidenced by post-Morris reforms prioritizing ethical review in vulnerability disclosure. Implications include heightened calls for community standards in security research, including pre-release peer audits and legal safeguards against misuse, balancing innovation against the causal reality that worm code can be repurposed for attacks with minimal modification.

References

  1. https://csrc.nist.gov/glossary/term/worm
  2. https://www.cisa.gov/news-events/news/virus-basics
  3. https://cs.stanford.edu/people/eroberts/cs181/projects/2003-04/security/worms_def.html
  4. https://www.fbi.gov/history/famous-cases/morris-worm
  5. https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir4545.pdf
  6. https://www.cisa.gov/news-events/alerts/2009/03/29/conficker-worm-targets-microsoft-windows-systems
  7. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=win32%252Fconficker
  8. https://www.fbiic.gov/public/2011/jan/conficker_working_group_lessons_learned_17_June_2010_final.pdf
  9. https://www.nist.gov/document/test-assertions-vvsg...
  10. https://www.us-cert.gov/publications/virus-basics
  11. https://www.crowdstrike.com/en-us/cybersecurity-101/malware/computer-worm/
  12. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf
  13. https://www.huntress.com/cybersecurity-101/topic/what-is-computer-worm-cybersecurity-guide
  14. https://www.fortinet.com/resources/cyberglossary/worm-virus
  15. https://www.us-cert.gov/ncas/tips/st05-006
  16. https://www.fortinet.com/resources/cyberglossary/malware-vs-virus-vs-worm
  17. https://sec.cloudapps.cisco.com/security/center/resources/virus_differences
  18. https://www.kaspersky.com/resource-center/threats/types-of-malware
  19. https://www.sentinelone.com/cybersecurity-101/cybersecurity/types-of-malware/
  20. https://www.crowdstrike.com/en-us/cybersecurity-101/malware/types-of-malware/
  21. https://www.titanfile.com/blog/types-of-computer-malware/
  22. https://us.norton.com/blog/malware/what-is-a-computer-worm
  23. https://www.varonis.com/blog/what-is-a-computer-virus-and-computer-worm
  24. https://www.infosecinstitute.com/resources/malware-analysis/history-malware-part-one-1949-1988/
  25. https://usa.kaspersky.com/resource-center/threats/a-brief-history-of-computer-viruses-and-what-the-future-holds
  26. https://www.historyofinformation.com/detail.php?entryid=2860
  27. https://isc.sans.edu/diary/27208
  28. https://smartermsp.com/the-creeper-and-the-reaper-make-cybersecurity-history/
  29. https://corewar.co.uk/creeper.htm
  30. https://pandorafms.com/blog/creeper-and-reaper/
  31. https://alumni.cornell.edu/cornellians/morris-worm/
  32. https://www.orangecyberdefense.com/global/blog/ethical-hacking/legendary-hacks-1-the-morris-worm
  33. https://www.history.com/articles/i-love-you-computer-worm
  34. https://www.kaspersky.com/blog/cybersecurity-history-iloveyou/45001/
  35. https://cyber.tap.purdue.edu/blog/articles/the-iloveyou-worm-a-global-crisis/
  36. https://www.caida.org/archive/code-red/coderedv2_analysis/
  37. https://news.sophos.com/en-us/2021/07/15/the-code-red-worm-20-years-on-what-have-we-learned/
  38. https://faculty.cc.gatech.edu/~mbailey/publications/IEEE_Security_Privacy_Blaster_Final.pdf
  39. https://www.cybereason.com/blog/what-is-the-blaster-worm
  40. https://georgewbush-whitehouse.archives.gov/news/releases/2003/08/20030814.html
  41. https://www.cs.ucf.edu/~czou/research/codered.pdf
  42. https://www.secpoint.com/top-10-worms.html
  43. https://www.security.org/antivirus/worst-viruses/
  44. https://www.csoonline.com/article/562691/stuxnet-explained-the-first-known-cyberweapon.html
  45. https://www.adminbyrequest.com/en/blogs/10-high-tech-malware-attacks-that-changed-cybersecurity-forever
  46. https://www.csoonline.com/article/572911/11-infamous-malware-attacks-the-first-and-the-worst.html
  47. https://www.kaspersky.com/blog/five-most-notorious-cyberattacks/24506/
  48. https://unit42.paloaltonetworks.com/npm-supply-chain-attack/
  49. https://www.paloaltonetworks.com/cyberpedia/ai-worm
  50. https://www.esecurityplanet.com/threats/computer-viruses-and-malware-history/
  51. https://www.techtarget.com/searchsecurity/definition/worm
  52. https://www.sciencedirect.com/topics/computer-science/computer-worms
  53. http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/paxson-worm-taxonomy03.pdf
  54. https://www.cisco.com/site/us/en/learn/topics/security/what-is-a-worm.html
  55. https://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1020&context=computer_eng_pub
  56. https://people.cs.vt.edu/~kafura/cs6204/Readings/Context-Problems/WormTaxonomy.pdf
  57. https://www.infosectrain.com/blog/computer-worms-understanding-fundamental-concept/
  58. https://www.ndss-symposium.org/wp-content/uploads/2017/09/An-Effective-Architecture-and-Algorithm-for-Detecting-Worms-with-Various-Scan-Jiang-Wu.pdf
  59. https://www.giac.org/paper/gsec/1000/code-red-dew/101919
  60. https://www.cs.umd.edu/class/fall2023/cmsc614/papers/morris-worm.pdf
  61. https://www.usenix.org/legacy/event/leet09/tech/full_papers/porras/porras_html/index2.html
  62. https://support.microsoft.com/en-us/topic/virus-alert-about-the-win32-conficker-worm-73e7df59-ec59-d474-bbe8-1f06b7caef60
  63. https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2035.pdf
  64. https://www.giac.org/paper/gcih/470/blaster-worm-exploiting-windows-dcom-rpc-vulnerability/104383
  65. https://www.summithq.com/the-11-worst-computer-viruses-that-impact-businesses/
  66. https://www.information-age.com/microsoft-prepares-for-ms-blaster-attack-22823/
  67. https://www.giac.org/paper/gcih/489/blasting-windows-analysis-w32-blaster-worm/105435
  68. https://www.kaspersky.com/blog/history-lessons-code-red/45082/
  69. https://www.caida.org/archive/code-red/
  70. https://isis-online.org/uploads/isis-reports/documents/stuxnet_FEP_22Dec2010.pdf
  71. https://www.sciencedirect.com/topics/computer-science/stuxnet
  72. https://www.gao.gov/products/gao-01-1073t
  73. https://www.chron.com/business/technology/article/Code-Red-worm-damage-costs-at-2-6-billion-2019043.php
  74. https://avasant.com/report/slammer-worm-worst-virus-in-over-a-year/
  75. https://web-assets.esetstatic.com/wls/2012/11/EsetWP-ConfickerByNumbers.pdf
  76. https://www.welivesecurity.com/2016/11/21/odd-8-year-legacy-conficker-worm/
  77. https://cyberranges.com/how-did-notpetya-cost-businesses-over-10-billion-in-damages/
  78. https://www.ibm.com/think/insights/merck-settlement-affect-insurance-industry
  79. https://www.seqrite.com/blog/what-can-be-the-estimate-losses-caused-by-the-recent-it-outage-caused-by-faulty-crowdstrike-update/
  80. https://www.dsolutionsgroup.com/top-10-most-dangerous-malware-of-all-time/
  81. https://cisre.egr.uh.edu/wp-content/uploads/2023/09/slammer.pdf
  82. https://www.captechu.edu/blog/cyber-security-impact-30th-anniversary-of-morris-worm
  83. https://theconversation.com/five-notorious-cyberattacks-that-targeted-governments-230690
  84. https://www.fortinet.com/resources/cyberglossary/most-notorious-attacks-in-the-history-of-cyber-warfare
  85. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
  86. https://assets.lloyds.com/media/0926f9be-0f3d-49cc-9960-52accc888aad/Lloyds_Shifting_%2520Powers_Physical_%2520Cyber_Risk_Final_2906.pdf
  87. https://carnegieendowment.org/research/2020/02/cyberspace-and-geopolitics-assessing-global-cybersecurity-norm-processes-at-a-crossroads?lang=en
  88. https://www.klgates.com/The-Collapse-of-UN-Talks-on-the-Application-of-International-Law-in-Cyberspace-Why-It-Matters-to-US-Businesses-05-24-2018
  89. https://carnegieendowment.org/research/2022/03/systemic-cyber-risk-a-primer?lang=en
  90. https://onlinelibrary.wiley.com/doi/10.1111/risa.13715
  91. https://www.iiisci.org/journal/pdv/sci/pdfs/QI505RM.pdf
  92. https://inria.hal.science/hal-01481505/
  93. https://dl.acm.org/doi/10.1145/1179542.1179547
  94. https://www.cs.purdue.edu/homes/dxu/pubs/WORM06.pdf
  95. https://link.springer.com/article/10.1007/s10115-008-0137-3
  96. https://su-plus.strathmore.edu/server/api/core/bitstreams/c8c4f7dc-c569-4e0c-8612-259c514a1575/content
  97. https://ieeexplore.ieee.org/document/9846892/
  98. https://www.securebrain.co.jp/eng/blog/malware-analysis/
  99. https://spectrum.ieee.org/the-real-story-of-stuxnet
  100. https://www.cisa.gov/resources-tools/services/malware-analysis
  101. https://westoahu.hawaii.edu/cyber/forensics-weekly-executive-summmaries/worm-malware-forensic-analysis/
  102. https://ieeexplore.ieee.org/document/10031698/
  103. https://www.mcafee.com/learn/what-is-worm/
  104. https://www.cisa.gov/news-events/news/recovering-viruses-worms-and-trojan-horses
  105. https://csrc.nist.rip/publications/nistir/threats/subsubsection3_3_2_2.html
  106. https://www.cisco.com/site/us/en/learn/topics/security/how-to-prevent-malware-attacks.html
  107. https://www.cisa.gov/news-events/news/protecting-against-malicious-code
  108. https://www.cisa.gov/news-events/news/handling-destructive-malware
  109. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
  110. https://www.itprotoday.com/it-management/code-red-turns-codegreen
  111. https://www.theregister.com/2001/09/05/code_red_busting_code_gets/
  112. https://www.giac.org/paper/gcih/517/welchia-worm/105720
  113. https://www.f-secure.com/v-descs/welchi.shtml
  114. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Nachi
  115. https://www.cnn.com/2003/TECH/internet/09/24/state.dept.virus/index.html
  116. https://smartermsp.com/tech-time-warp-was-the-welchia-worm-well-intended/
  117. https://www.cs.cornell.edu/courses/cs1110/2009sp/assignments/a1/p706-eisenberg.pdf
  118. https://www.schneier.com/essays/archives/2008/05/the_ethics_of_vulner.html
  119. https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218
  120. https://www.csoonline.com/article/513351/data-protection-a-good-worm-is-hard-to-find.html
  121. https://dl.acm.org/doi/10.1145/1361255.1361256
  122. https://www.researchgate.net/publication/228193818_%27Good%27_Worms_and_Human_Rights
  123. https://pmc.ncbi.nlm.nih.gov/articles/PMC4433115/
  124. https://faculty.cc.gatech.edu/~mbailey/publications/dittrich-2009-CCS-Abstract.pdf
Add your contribution
Related Hubs
User Avatar
No comments yet.