Chapter 12  Worms, Bots, and Botnets – GCIH GIAC Certified Incident Handler All-in-One Exam Guide


Worms, Bots, and Botnets

In this chapter you will learn about

•   Worms

•   Bots/botnets

Although there are various malware types, this chapter focuses on worms, bots, and botnets (as per the GCIH exam prerequisites). Bots and botnets were also discussed in Chapter 8, but some additional details will be covered in this chapter.


Common techniques used by attackers to transfer a worm to victims include phishing e-mails, drive-by downloads, and using other malware on a victim’s machine, which can copy a worm to it. Once a worm is present on a machine, its first task will commonly be to identify other machines that it can infect and copy itself to them for propagation. Unpatched systems, inadequate hardening, and vulnerable services can all be used to a worm’s advantage as it tries to infect target machines. When a worm is present on a machine, resources like CPU, memory, and hard disk input/output operations greatly increase. In addition, network resources, like bandwidth and network share space, are also affected.

EXAM TIP   Worms self-propagate within a network and require no host program, in contrast to viruses, which do require a host program.

Worm Examples

It seems that worms constantly become more sophisticated while gaining an ability to infect additional platforms like tablets and mobile phones. Table 12-1 contains a summary of famous worm examples dating back to 2000 and a short description about their operation.

Table 12-1  Worm Examples Dating Back to 2000

There are various types of worms, including

•   Benign

•   Autorun

•   Scanning

•   Zero-day

•   Polymorphic

•   Metamorphic

Let’s see how each of these works.

Benign Worms

You can think of this as the white hat hacker equivalent of a worm. These types of worms can be used to identify vulnerable devices with the goal of removing malicious code and applying security patches and updates so they are not susceptible to further attacks. This can work in a similar way to its malicious counterpart but without having any malicious functionality.

Autorun Worms

Removable devices are the primary goal of autorun worms. That means that when a removable device is inserted on a machine that has autorun enabled, the worm automatically starts copying itself on the machine and to the rest of the network. This is a good reason to disable autorun and also not constantly use an administrator or root account while accessing a system, as that may limit the worm’s capability.

Scanning Worms

Such worms (for example, the Slammer worm) can perform rapid scanning of thousands or even millions of IP addresses to identify hosts that are vulnerable to a specific exploit. A scanning worm usually performs random IP address scanning to identify its targets. If the target ports are used by the victim network, such a worm can significantly degrade the network’s performance.

Zero-Day Worms

Zero-day vulnerabilities are what keep security researches and CISOs awake at night. You can do lots of things to protect from attackers, but how do you protect from an unknown threat? A zero-day worm takes advantage of any zero-day vulnerability that exists on a target system. Basically, exploitation is weaponized in the form of a worm that rapidly propagates and tries to take advantage of as many machines as possible that may be susceptible to it.

Polymorphic Worms

Polymorphic worms are a very interesting category, as they are able to change their code to evade detection. The worm’s functionality is the same, but its code changes each time it propagates so it can evade detection on other machines. That makes static detection much harder because you need to deploy multiple signatures to identify its different variations. This usually becomes a cat-and-mouse game between malware authors and security companies, where the latter try to catch up by obtaining various malware samples, reversing the code, and deploying AV signatures while the malware author keeps adding more variations to his worm so it can roam freely within target networks. Polymorphic worms have a mutation engine that allows them to change the source code and generate various obfuscated outputs.

TIP   Decrypted code in memory is the same across different worm propagations, as the worm still performs the exact same function. However, encrypted code changes between propagations, so it can’t be detected.

Examples of obfuscation techniques include instruction substitution, XOR operations, dead-code addition, function reordering, and instruction alteration. The more sophisticated a polymorphic worm’s engine is, the less similar various samples are. Security researchers will often take a large number of those samples and try to statistically analyze them for similarities in order to deploy signatures that may be able to detect the different worm versions. Remember the examples provided in Chapter 6, when MSFvenom was used to encode a payload? Different AV vendors always have varied levels of success when trying to detect malware. Polymorphism just adds to that complexity.

Metamorphic Worms

Metamorphic worms are malware game changers. They can alter their whole operation, in addition to the underlying code, which makes detection really challenging. The worm’s engine still uses obfuscation, so each time the worm mutates, it produces a brand-new variant (different in both appearance and functionality). This can happen in a variety of instances, for example, specific times the author has set the mutation engine to morph the worm or even every single time it copies or propagates itself to other machines. Since it’s really difficult to achieve detection, security researchers have started taking cutting-edge approaches, like applying Markov model profiling, statistical analysis, and graph theory.

Other Worm Types

Worms can use various methods that allow them to infect target machines:

•   E-mail worms focus on propagating via e-mails and have increased substantially due to the spread of social engineering using phishing e-mails to lure victims to download attachments or browse to URLs, which can allow the worm to propagate.

•   Instant messaging worms base their propagation on instant messaging applications like IRC.

•   File sharing worms use file servers and pirated material (like songs and movies) as their propagation vectors.

As attackers evolve, newer techniques constantly emerge. An example is using the Warhol method. When this is used, speed of vulnerable host identification is paramount so the worm can use those as later targets. The attacker’s goal is to identify a collection of multiple vulnerable targets, which can then be used for simultaneous propagation and infection—something that will substantially increase the attacker’s efficiency.

More sophisticated attackers may try to develop worms that target multiple operating systems or devices, which increases the number of compromised systems. The success of this technique heavily depends on the type of exploit the worm is attempting to leverage. For example, if it’s targeting something that is operating system dependent, then it can’t be effective on other systems. However, if an application is targeted, which may be present in multiple operating systems, then the worm can affect all of them (multiplatform). Recent malware trends show an increase in worms targeting mobile devices and also using various exploits to achieve this, all in an effort to increase the success rate.


Bots and botnets were briefly mentioned in Chapter 8, where their use in DDoS attacks was discussed. As a refresher, bots are compromised machines under the control of an attacker. Some type of malware is commonly copied on vulnerable target systems, or an exploit is used to allow the attacker to control them and make them act as bots. For example, the attacker might place malware on a web server and entice a victim to download it, using a phishing e-mail. Botnets can do all sorts of things, like promote fake ads to victims and entice them to click on advertisements, send spam e-mails, perform brute-force attacks on target accounts, launch DDoS attacks, tamper with target files (add/remove content), scrape content from web pages, perform web form injection, perform URL/DNS spoofing, and many other activities. The attacker can harness the power of his bots to perform anything that would normally take a substantial amount of time to do on a single or handful of machines. For example, if he needs to brute-force account passwords or perform cryptocurrency mining, thousands of machines can be used to speed things up.

Botnet Topologies

The most common botnet topologies are

•   Star (also known as centralized)  A single CnC server is used to communicate and issue commands to all bots. This is very simple and quick to set up and maintain, while it allows for flexible communication between the server and compromised machines.

•   Decentralized  Multiple CnC servers are used to control the bots. This allows for botnet robustness and resiliency, since even if some of the servers go down, the botnet can still work properly.

•   P2P  P2P networks are used in an effort to make the botnet as resilient as possible, since there’s no single point of failure that can interrupt its operation. Each of the compromised machines has a connection to the rest of them, and any of them can function as a bot or CnC server.

Issuing Commands

The most common method of issuing commands to compromised hosts is by using an IRC channel, which allows the command and control server(s) to issue instructions to all the bots. However, most organizations block that type of traffic at the perimeter. As such, attackers try to blend in and use alternative protocols that are allowed on the corporate network, like ICMP, TCP, UDP, SMB, HTTP, and DNS. In fact, encryption is also commonly used in an effort to make detection harder, which is why you need to always pay attention to any encrypted traffic you are not expecting on your network. Since the encrypted payload can’t be inspected for anything malicious, it makes detection really difficult.

Some botnet CnC examples include

•   Adwind using HTTPS

•   Conficker using HTTP, SMB, TCP, and UDP

•   Slapper using UDP

•   Phatbot using IRC

•   Stuxnet using HTTP, TCP, and SMB

•   Zeus using UDP, TCP, and HTTP

TIP   There’s a great paper located at that contains in-depth detail about botnet communication protocols, how commands can be issued using those, and how particular botnets operate.

It’s also worth mentioning that attackers use fast flux to ensure specific components that their botnet requires to operate are always reachable by victims. To do this, they map a specific domain to multiple IP addresses. Once any of the victims tries to browse to the malicious domain, any of those IP addresses can be used, depending on the configuration. In a simple attack (with no fast flux being used), a victim can flag a malicious domain (mapping to a specific IP address) with the intent of performing a takedown (usually by reaching out to the hosting provider or law enforcement). However, when that domain maps across various IP addresses, that won’t be possible because even if some of those servers are taken down, others will still be available to serve victim requests.

Apart from open-source botnets, there also kits on the dark web that allow botnet creation. Prices vary depending on complexity and size but usually are within the range of $3,000 to $10,000. Sophisticated approaches can also be used by botnets, like honeynet IP address blacklisting and sandbox evasion, that make malware analysis more difficult, since sample collection becomes more challenging.

Defending Against Worms, Bots, and Botnets

Worms and bots/botnets still try to leverage vulnerabilities in host defenses to perform initial installation and propagation. As such, ensure that you have implemented adequate host protection. Use AV, HIPS, and EDR tools, which will allow adequate protection at a host level, and in the event something malicious happens, you can get prompt notification.

Appropriate hardening (including operating system updates and the latest patches being applied) also helps greatly, as you reduce the machine’s attack surface and limit what an attacker can leverage.

Supplement these with suitable network defenses, like NIDS/NIPS, firewalls, proxies, and behavioral analysis. The combination of those tools can give you enough data to identify any ongoing malicious activity while also help respond to it quite efficiently by blocking any malicious traffic that’s identified. Appropriate network design with careful segregation is also highly recommended. In addition, memory analysis can aid significantly in the case of polymorphic worms. That’s because the worm’s decrypted code will be present in memory and stays unaltered between different propagations (once a polymorphic sample is decrypted in memory, its code is the same), which can be used for further analysis.

If you manage to trace any CnC traffic to a specific server the attacker owns, you can always try passing that information to your service provider and law enforcement and allow them to pursue any takedown (if feasible). In addition, you can use your network perimeter devices to block any malicious traffic to that, which will not allow any instructions to be issued to compromise machines. You can then start isolating those hosts and perform further investigations for root cause analysis or reimage them to a clean state, if you want to start recovering from the incident.

Chapter Review

Worms can use various methods to infiltrate a machine, depending on their types. They don’t require any human intervention to replicate on a network and rapidly consume system and network resources, including memory, CPU, hard disk, and network shares. The more sophisticated worms can exploit zero-day vulnerabilities in addition to changing their code while maintaining functionality (polymorphic worms) or even change both their code and the functions being performed (metamorphic worms). As technology progresses, worms will be seen targeting a variety of platforms in an effort to achieve maximum penetration across target networks.

Botnets are composed of various bots (usually thousands of compromised devices) in a variety of architectures, like star, decentralized, and P2P. Common protocols used to issue commands include ICMP, TCP, UDP, SMB, HTTP, and DNS, while botnets are capable of utilizing fast flux techniques to allow critical components to be constantly available and make attacks more efficient.


1.  Which of the following statements regarding worms is accurate?

A.  They use a host file for propagation.

B.  They require human intervention to propagate.

C.  They self-replicate in a network.

D.  They are always malicious in nature.

2.  Which of the following did Stuxnet target?


B.  Linux

C.  macOS

D.  Military personnel

3.  Which of the following worm types is known for the ability to change its code to evade detection while maintaining functionality?

A.  Metamorphic

B.  Polymorphic

C.  Benign

D.  Warhol

4.  Which of the following is not a botnet topology?

A.  Star


C.  Decentralized

D.  P2P

5.  Which of the following uses the Warhol technique?

A.  Conficker

B.  Stuxnet

C.  Petya

C.  Slammer

6.  Which botnet topology uses a single CnC server?

A.  Decentralized

B.  P2P

C.  Star

D.  Warhol

7.  Which of the following approaches would you recommend for performing reverse malware analysis on a polymorphic worm?

A.  Host memory analysis

B.  Network packet capture

C.  Firewall log review

D.  IPS log review

8.  Which of the following do botnets commonly use to allow malware delivery domains to be constantly available?

A.  Warhol

B.  Domain takedown

C.  Fast flux

D.  Phishing

9.  Which of the following communication protocols would make CnC traffic harder to detect?





10.  What is a worm that can identify vulnerable devices and aims to remove malicious worms called?

A.  White hat worm

B.  Ethical worm

C.  Benign

D.  None of the above


1.  C. Worms don’t need any human intervention or host files, as they self-replicate within a target network.

2.  A. Stuxnet targeted SCADA and PLCs and exploited various Windows zero-day vulnerabilities with the intention to affect Iranian nuclear reactors.

3.  B. Polymorphic worms are able to change their code to evade detection while functionality remains exactly the same.

4.  B. Although IRC is used by botnets to issue commands to compromised machines, it doesn’t constitute a botnet topology.

5.  D. Slammer took about 15 minutes to propagate worldwide due to using the Warhol method.

6.  C. The star topology uses a single CnC server to issue commands to all bots. This is very simple and quick to set up and maintain, and it allows for flexible communication.

7.  A. A polymorphic worm’s decrypted code will be present in memory and has the advantage of being the same between worm propagations (the decrypted code stays the same, while the encrypted code changes each time the worm propagates). As such, this can be used to analyze the malware to create an efficient memory-based signature.

8.  C. Fast flux allows mapping a specific domain to multiple IP addresses. Once one of the victims tries to browse to the malicious domain, any of those IP addresses can be used to deliver content (depending on the configuration). That allows the attacker to avoid having the botnet’s operation disrupted if any servers are taken offline by law enforcement or a hosting provider.

9.  B. HTTPS allows traffic encryption to be applied, which can make CnC detection quite harder, since most security tools are unable to decrypt and inspect that traffic.

10.  C. A worm that can identify vulnerable devices and aims to remove malicious worms present on them while can also apply operating system and application patches (in addition to other security countermeasures) is called benign.

References and Further Reading