How Worms Work
Although worms perform many if not all the same tasks as an installed virus, they don't rely on anyone or anything to propagate. Well, almost no one. As you will see in this section, negligence on someone's part is very often the reason a worm finds its way around your network.
Figure 2 is a conceptual diagram of a business or home office network. The network is behind three standard perimeter defense components: a firewall, a Web filter and an intrusion prevention system (IPS). A detailed explanation of how these controls work is beyond the scope of this article. For more information, click on the links provided. Let's assume, however, that a worm would have a hard time getting into this network from the Internet. Not impossible, just difficult. Then there is the laptop user.
In our example, a laptop user is attached to a coffee shop wireless hotspot. Although firewall, Web filtering, and IPS software are available for end-user devices, this organization does not use any of them. Further, the anti-virus software is not running the latest malware signature update. Therefore, when the worm waiting at a visited Web site saw the laptop, there was nothing to stop it from checking for the system vulnerability it was designed to exploit. Since the laptop was not patched for the vulnerability, the worm happily crawled across the network connection and made itself comfortable, without the user doing anything more than connecting to the site. It also started scanning any other computers the laptop detected in the coffee shop, looking for other places to replicate.
Figure 3 shows what happened when the laptop user visited the corporate office. Because the laptop connected to the internal network, behind the perimeter controls, the worm had no difficulty beginning a scan for vulnerable computers. In this example, a server and a PC were unpatched and had out-of-date anti-virus software. The worm discovered these vulnerabilities in minutes and quickly spread to these unprotected computers. Note that the protected PC was unaffected.
This is a common way a worm finds a home in a network, but it is not the only way. Laptop users are not always the cause. Any user can go to the wrong place and pick up a worm even when using a desktop system. Once on a system, a worm begins its scanning.
Scanning by the worm, and all its replicas, can cause serious performance issues for network users. This is often the way an organization or individual discovers the infestation.
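Because the internal scan described above is what usually gives the worm away, it can be looked for directly in connection logs. The following is an added example, not part of the original article: a small detector that flags an internal host contacting many distinct internal peers on one port within a short window, with most attempts failing. The address range, thresholds, port numbers and flow records are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")  # assumed internal address range
WINDOW = 60       # seconds of flow history examined at once (assumed)
FANOUT = 10       # distinct internal destinations on one port (assumed)
FAIL_RATIO = 0.5  # fraction of attempts that never connected (assumed)

def build_sample():
    """Constructed flow records: (epoch_s, src, dst, dst_port, established)."""
    flows = []
    # Infected laptop: one attempt per second across .1-.30, two succeed.
    for i in range(1, 31):
        flows.append((1000 + i, "10.0.0.50", f"10.0.0.{i}", 445, i in (5, 12)))
    # Healthy PC: repeated sessions to one file server plus a printer.
    for t in range(1000, 1060, 5):
        flows.append((t, "10.0.0.21", "10.0.0.5", 445, True))
    flows.append((1010, "10.0.0.21", "10.0.0.9", 9100, True))
    # Protected PC: ordinary outbound web traffic, ignored by the detector.
    flows.append((1020, "10.0.0.22", "203.0.113.10", 443, True))
    return sorted(flows)

def find_scanners(flows, window=WINDOW, fanout=FANOUT, fail_ratio=FAIL_RATIO):
    """Return {src: (port, distinct_dsts, failed_fraction)} for internal hosts
    that sweep many internal peers on one port with mostly failed attempts."""
    by_key = defaultdict(list)
    for ts, src, dst, port, ok in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            by_key[(src, port)].append((ts, dst, ok))
    alerts = {}
    for (src, port), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so it spans at most `window` s.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            dsts = {dst for _, dst, _ in win}
            failed = sum(1 for _, _, ok in win if not ok) / len(win)
            if len(dsts) >= fanout and failed >= fail_ratio:
                # Keep the widest sweep seen for this source.
                if src not in alerts or len(dsts) > alerts[src][1]:
                    alerts[src] = (port, len(dsts), round(failed, 2))
    return alerts

if __name__ == "__main__":
    for host, (port, peers, failed) in find_scanners(build_sample()).items():
        print(f"{host}: {peers} internal peers on port {port}, {failed:.0%} failed")
```

The healthy PC generates more flows to the file server than the laptop sends to any single peer, yet it is not flagged, because the signal is the number of distinct destinations combined with the failure rate, not raw traffic volume.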