Chapter 41 Β· Concepts

Viruses and Worms β€” Concept Maps

Virus types, fileless attack chains, the virus vs. worm distinction, and worm containment controls.

Virus vs. Worm β€” The Critical Distinction

Virus
  • Requires user interaction to activate (run a program, open a document, click a link, boot from infected media)
  • Attaches to a host file or program to replicate
  • Spreads through file systems, shared drives, email attachments, removable media
  • Speed of spread depends on how often users share or open files
  • Stopped by: antivirus signatures, not opening suspicious files, disabling macros
User must take action to trigger
Worm
  • No user interaction required β€” self-propagates entirely autonomously
  • Does not need a host file β€” spreads independently via the network
  • Exploits network-facing vulnerabilities to install itself on remote systems
  • Speed of spread is limited only by network bandwidth and number of vulnerable hosts
  • Stopped by: firewalls, IDS/IPS, network segmentation, patching
No user action needed β€” spreads automatically

The Four Virus Types

Virus TypeWhere It HidesWhen It RunsHow It SpreadsClassic Example
Program Virus Attached to an executable file (.exe, .com, application binary) When the infected program is launched by the user Injects code into other executables on local drives and network shares Jerusalem virus, CIH/Chernobyl
Boot Sector Virus Boot sector of a storage device (hard drive, USB drive) At power-on, before the OS loads β€” OS security tools are not yet running Copies itself to boot sector of any connected storage device Stoned, Michelangelo
Script Virus Script embedded in web page, email, or OS script file (JS, VBScript, PowerShell) When the browser or OS executes the script Via compromised web pages, email messages, shared script files ILOVEYOU (VBScript), Anna Kournikova
Macro Virus Macro embedded in document file (Word .doc/.docm, Excel .xls/.xlsm) When the document is opened and macros execute Via shared documents, email attachments, shared templates (e.g., Normal.dot) Melissa, Concept

Fileless Virus β€” Step-by-Step Infection Chain

No malicious file is ever written to disk until Step 6. Traditional antivirus scanning disk files sees nothing at Steps 1–5.

πŸ–±οΈ
Step 1: Initial Trigger
User clicks a malicious link in email or on a web page β€” loads a compromised or attacker-controlled site
↓
πŸ•³οΈ
Step 2: Exploit Fires in Browser
Page exploits an unpatched vulnerability in the browser, plugin (Flash, Java), or OS β€” all execution occurs in memory; nothing written to disk
↓
⚑
Step 3: PowerShell Launched In-Memory
Exploit code calls legitimate Windows PowerShell β€” passes a malicious script as a command-line argument; script runs in RAM, not from disk
↓
πŸ“₯
Step 4: Additional Scripts Downloaded
PowerShell downloads further scripts from attacker's server and runs them in memory β€” keyloggers, data exfiltration routines, credential harvesters
↓
πŸ“€
Step 5: Malicious Activity Executes
In-memory scripts perform actions: steal credentials, exfiltrate files, install additional payloads, open backdoors β€” all in RAM
↓
πŸ”‘
Step 6: Registry Autostart Added (Minimal Disk Artifact)
A single Windows registry key is written to re-trigger the PowerShell chain at next startup β€” the only disk-resident artifact; looks like a legitimate system command

Why Fileless Malware Evades Antivirus

Signature-Based Antivirus (What It Does)
  • Scans files on disk (executables, scripts, documents)
  • Compares file contents against known malware signatures
  • Quarantines files that match known patterns
  • Monitors new files written to storage

Against fileless malware: Nothing to scan. No files are written to disk. Antivirus reports clean. The entire infection is invisible to disk-based scanning.

Ineffective against fileless attacks
Behavioral Detection / EDR (What It Does)
  • Monitors process behavior in memory (not just files on disk)
  • Flags anomalous actions: PowerShell making outbound network calls, unusual parent-child process relationships, scripts running without a corresponding file
  • Detects suspicious registry modifications (autostart entries)
  • Generates alerts based on behavior patterns regardless of file presence

Against fileless malware: Detects the in-memory execution chain, unusual PowerShell activity, and registry modifications even with no suspicious disk files present.

Effective against fileless attacks

Worm Propagation Model

PhaseWhat the Worm DoesSpeed / Scale
1. Initial Infection Worm reaches the first host via an exploit, email, removable media, or existing backdoor Single system
2. Vulnerability Scan Worm scans local network for other systems listening on the target port or running the target service Scans hundreds of IPs per second
3. Exploitation Worm sends exploit code to each discovered vulnerable system; installs itself autonomously No user action on any target needed
4. Replication Each newly infected host begins its own scan β€” exponential growth on a flat network Doubles with each scan cycle; network-speed propagation
5. Payload Delivery Worm delivers its payload to each infected system (ransomware, backdoor, botnet enrollment, data exfiltration) Simultaneous across all infected hosts

Controls That Stop Worm Spread

ControlHow It Stops WormsLimitation
Patching Closes the vulnerabilities worms exploit β€” a fully patched system is not a viable target Requires timely application; zero-day worms exploit unpatched vulnerabilities before patches exist
Perimeter Firewall Blocks inbound traffic on ports worms use to probe and infect; prevents internet-based worms from reaching internal systems Does not stop worm spread once it is already inside the network
Host-Based Firewall Blocks the specific traffic a worm uses even between internal hosts Must be configured and enabled on every endpoint; may interfere with legitimate services
IDS/IPS Detects the characteristic scan patterns and exploit traffic of worm propagation; IPS blocks it in real time Requires worm signatures or behavioral rules; new worm variants may evade detection initially
Network Segmentation Limits blast radius β€” a worm in one segment cannot auto-reach other segments without crossing a controlled boundary Does not stop spread within a segment; only contains it between segments

WannaCry Attack Chain

πŸ’»
Patient Zero
First system infected β€” running unpatched Windows with SMB exposed; worm reaches it via internet or internal network
↓
πŸ”
EternalBlue Scan
Worm scans for systems with SMB port 445 open and unpatched against MS17-010; no user interaction required on targets
↓
πŸšͺ
Backdoor Installation
EternalBlue exploit fires; DoublePulsar backdoor is installed on each newly infected system
↓
πŸ’£
Ransomware Payload Delivered
Ransomware pulled down via the backdoor; encrypts all user data files; ransom demand displayed β€” OS left functional
↓
🌍
Worm Continues Propagating
Each infected machine begins EternalBlue scanning from its own vantage point β€” 200,000 systems in 150 countries within days

The patch that would have stopped everything: MS17-010 β€” released by Microsoft on March 14, 2017. WannaCry launched May 12, 2017. Every organization that applied the patch in that 58-day window was fully immune. Every organization that did not was both a victim and an unwilling vector.