Year of the Worm

Software worms have become the weapons of choice for vandals to spread their latest creations, surpassing all malicious-code predecessors in popularity.

Robert Lemos Staff Writer, CNET News.com

Fast-spreading code is weapon of choice for Net vandals

By Robert Lemos
Special to CNET News.com
March 15, 2001, 4:00 a.m. PT

Four hours. That's how long it took for a glamorous tennis player to become the talk of the Net, for countless companies to shut down their e-mail gateways, and for a new virus to spread across the Atlantic.

At the height of the barrage, the AnnaKournikova virus--which took the pernicious form of a "worm" attachment--was included in one of every 106 e-mails arriving at the gateway of MessageLabs. The e-mail service provider saw almost 20,000 copies of the worm in a week.

"It blew up that day," said Mark Sunner, chief technology officer of the Gloucester, U.K., company. "We saw a bell curve around the working hours...It sat in a critical mass of in-trays and, when people came to work, it kicked off."

Computer worms are not ordinary viruses. Their ability to spread quickly across the Internet has made worms the weapon of choice for malicious vandals to spread their latest creations. Furthermore, the programs can be easily copied and changed, and point-and-click tools to create complex worms are readily available.

In fact, of the annual 10 most widespread infections, worms accounted for half in 2000, sharing the No. 1 honors with macro viruses, according to security site SecurityPortal. And early indications in January and February suggest that worms will account for at least eight of the top 10 slots in 2001, with AnnaKournikova, Hybris and LoveLetter variants leading the list.

Though creating such programs in the past may have required some technical knowledge and, possibly, a mentor in the virus-writing underground, today anyone can download applications from the Internet to do the work for them. The VBS Worm Generator--the program responsible for creating the AnnaKournikova virus--has been downloaded more than 15,000 times from one popular site, VX Heavens, according to that site's administrator.

"These kits are very easy to use and can be found by anyone who knows how to use a search engine," said Max Vision, a security-conscious hacker who edits the security site Whitehats.

The worms created with such generators can vary from benign mass mailers that clog e-mail gateways to vicious code that is the equivalent of the Ebola virus to computers. What differentiates these two extremes is what the author throws into the mix. Yet no matter the payload, worms deliver quickly.

"Worms...can proliferate extremely fast through a network," said Ken Dunham, senior analyst for SecurityPortal. "This is especially true when one considers the fact that the average user knows very little (about) computer technology and commonly practices unsafe computing methods, such as blindly opening any attachment within an e-mail."

Originally coined in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, the term "worm" is derived from "The Shockwave Rider," a 1972 science-fiction novel about the downfall of an Orwellian society caused, to some degree, by a "tapeworm" program that liberated data as it proliferated through networks.

Shoch and Hupp had needed a way to automate the installation of Ethernet-performance measuring tools on more than 100 computers at Xerox PARC, so they turned to a class of programs that could send and install themselves across the network. The programs installed quickly, could be updated and ran automatically.

"What we called the worm is a kind of distributed computation that is a really interesting and powerful thing," said Shoch, now a general partner at venture capital firm Alloy Ventures in Palo Alto, Calif.

But to the pair's dismay, when their program developed a bug, the bad code automatically spread across the network as well.

"The worm would quickly load its program into (the computer); the program would start to run and promptly crash, leaving the worm incomplete--and still hungrily looking for new (computers)," Shoch and Hupp wrote in a 1982 paper on the experiments with that and other self-spreading programs.

"The embarrassing results were left for all to see: 100 dead machines scattered about the building."

The computer worm was born.

Worm evolution
Worms have since fallen into two categories. Some camouflage themselves as interesting e-mail attachments. When such an attachment is opened, the worm executes, infects the system and mails itself to every name listed in the computer's address book, spreading in a burst of e-mail.

The Christmas Tree virus was perhaps the first worm on a worldwide network, spreading across BITNET--an IBM-only precursor to the Internet--in December 1987. Many of today's worms, such as Melissa, LoveLetter and AnnaKournikova, take a page from the Christmas Tree book.

Other worms need no human interaction, infecting computers that have certain security flaws and then using the new host to scan for more computers with the same flaw.

These worms are modeled after the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T. Morris, a Cornell University graduate student.

Two recent worms, W95/Bymer and the Linux Ramen worm, can spread to other computers without any person's interaction. And worms are getting trickier with each incarnation.

Hybris uses encrypted plug-ins to update itself and monitors the infected computer's network connection to find e-mail addresses to which it can send itself. The Linux Ramen worm, formed of several hacking tools, spreads much like the Cornell Internet Worm by taking advantage of holes in servers.

W95/Bymer spread by finding unprotected shared drives on Windows computers. Once it infected a computer, it would run a distributed computing client to take part in a contest hosted by Distributed.net to break an encryption code. A second variant entered the contest as a different user, and the two worms would fight over computer systems.

Such tricks will become standard fare as toolkit writers incorporate these tactics into the latest worm generator application. At least one author of such a program, [K]alamar, the 18-year-old Argentinian programmer who created the VBS Worm Generator, hopes that others will learn from his toolkit.

"I've made that tools coz i've learned to code," he said in a recent e-mail to CNET News.com. "...and i want other people to learn like me."

[K]alamar refused to remove the tool from his site, despite the spread of the AnnaKournikova worm, and has since released a second version of the program. Previously, another virus writer--who also used the name Kalamar and had the tool on his site--claimed to be the author of the code.

Toolkits such as [K]alamar's are a long tradition in the virus-exchange, or VX, underground. As a result, techniques for creating the latest worms are quickly being passed between writers.

Another factor: Many worms are written in one of several scripting languages, which can be read by even semi-knowledgeable virus writers and changed to release variants mere hours after a major virus epidemic. Virus writers latched onto LoveLetter, for example, which struck in May 2000, and have cranked out more than 40 variants to date.

Putting up a fight
Companies and antivirus software makers are looking for answers to stave off future worm attacks.

Companies will typically filter e-mail attachments at their gateways--the corporate connections to the Internet. A common part of this defense is to try to beat worms at their own game by distributing new virus detection faster than the viruses can spread. However, if a new virus does not match any of the types contained in the filtering software's definitions, the scanner will not flag the attachment as malicious code.
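The gateway problem described above, as an added illustration that is not part of the original article: a definition-based check only recognises attachments whose digest is already in the scanner's definitions, so a variant with a single changed byte passes it, and a second, policy-based layer (blocking script-capable attachment types by their final extension) is what still stops it. The sample worm body, its digest and the blocked-extension list are all constructed for this example.

```python
import hashlib

# Constructed sample: the body of a "known" script-worm attachment. The digest
# stored in DEFINITIONS is computed from this constructed text, not from any real worm.
KNOWN_WORM = (b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
              b"' constructed mass-mailer body\r\n")

# Definitions as a gateway scanner would hold them: digest -> detection name.
DEFINITIONS = {hashlib.sha256(KNOWN_WORM).hexdigest(): "VBS/Sample-A"}

# Attachment types refused by policy regardless of definitions (assumed list).
BLOCKED_EXT = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "shs", "pif", "scr", "bat", "cmd", "exe"}


def final_extension(filename: str) -> str:
    """Return the last extension, so 'photo.jpg.vbs' is judged as 'vbs', not 'jpg'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def definition_match(data: bytes):
    """Exact-match signature check: any changed byte yields a different digest."""
    return DEFINITIONS.get(hashlib.sha256(data).hexdigest())


def filter_attachment(filename: str, data: bytes):
    """Return ('block', reason) or ('allow', reason) for one attachment."""
    name = definition_match(data)
    if name:
        return "block", "definition match: " + name
    ext = final_extension(filename)
    if ext in BLOCKED_EXT:
        return "block", "policy: ." + ext + " attachments are not accepted"
    return "allow", "no definition match and extension permitted"


if __name__ == "__main__":
    # A one-byte variant of the known sample no longer matches the definitions
    # but is still stopped by the extension policy.
    variant = KNOWN_WORM.replace(b"mass-mailer", b"mass mailer")
    for fname, body in [("AnnaK.jpg.vbs", KNOWN_WORM),
                        ("AnnaK.jpg.vbs", variant),
                        ("holiday.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")]:
        print(fname, *filter_attachment(fname, body))
```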

To address this problem, Symantec and IBM have teamed to create what they call a "Digital Immune System." By responding to the first new infection and pushing any new scanning definitions and software to all their customers, the companies hope to protect computers before a worm attack can peak.

Other efforts, which hope to catch worms at an even earlier stage, seek to block the malicious behavior of computer viruses. But these efforts have a long way to go.

The AnnaKournikova virus, a worm written in Visual Basic Script, spread worldwide despite being quite similar to LoveLetter and other recent, lesser-known worms. One independent antivirus researcher, who asked not to be named, said the worm was so effective because some antivirus manufacturers--most notably Symantec--failed to detect the creation of the VBS Worm Generator right away.

The fact that worms can spread so easily should have every person using the Internet just a little paranoid, said Whitehats' Max Vision.

"Although most worms are benign, they demonstrate serious vulnerabilities," he said. "There are many worms propagating through the networks constantly."

That's not the only worry, said Cary Nachenberg, chief researcher for Symantec. With so many worms on the Internet, the chance that they could start interacting with each other has grown.

"These sorts of complex systems can create their own emergent behavior," he said. "Many have already caused effective denial-of-service attacks because of bandwidth consumption."

What's next? Nachenberg doesn't know, but he said it won't be good.

"It's the sort of thing that scares me," he said. 

Hardly a day goes by without a new virus, worm or Trojan horse popping up to worry the average Net surfer. As a group, such programs are called "malicious code," and only a few guidelines exist to determine the classification of any particular program.

Moreover, classifying malicious code is not always clear-cut.

Many programs can be classified as all three. For example, the original Melissa virus infects files (making it a virus), but also uses e-mail to spread itself to other computers (making it a worm) and appears to be a list of porn sites (making it a Trojan horse).

The classification of malicious code is not a comment about how dangerous or destructive the code can be. A virus, worm or Trojan horse may only spread itself or it may erase a computer's hard drive, or anything in between.

Here are the main types of malicious code:

Virus (Infector filus)
A virus is a program that spreads itself by infecting files. When it runs, a virus will essentially wrap a file's data in its own code. When the file is opened, the virus runs its program first and then opens the file as initially requested.

Standard viruses will spread only when an infected file is transferred from one computer to another.

CIH--sometimes called the Chernobyl virus--is a prime example of a standard virus.

Worm, mass mailer (Cestoidea emailus)
Worms, unlike viruses, don't infect files, but entire disks or computer systems. Because worms can't rely on file-to-file transfers to spread their code, they need to have a way of sending themselves to other computer systems. Perhaps the most common way today is via e-mail.

Known as mass mailers due to the technique of spamming themselves to every address in the e-mail address book, such worms generally require a person's action to spread. Typically, that means opening an attachment in the infected e-mail.

Because they rely on tricking people into running them, such mass-mailing worms are similar to Trojan horses.

A good example of a mass mailer is the recent AnnaKournikova worm.

Worm, network-aware (Cestoidea network)
Some worms squirm into another computer through security holes. Whether taking advantage of unprotected, shared drives or of a vulnerability in FTP software, such network-aware worms don't require a person's action to spread.

While defense against mass-mailing worms only requires someone to passively reject any e-mail attachments and employ antivirus software, defense against network-aware worms requires a computer's owner to patch security holes, assign passwords to systems and use a personal firewall.

The Linux Ramen worm and W95/Bymer are two examples of network-aware worms.

Trojan horse (Equus chameleus)
Unlike worms and viruses, the purpose of a Trojan horse is not to spread but to get a particular target--that is, a computer's owner--to run the program. A strict definition of a Trojan horse is any program that does something besides what a person believes it will do.

Modified programs that open a back door into a system or a program hidden inside of a humorous animation are typical examples of Trojan horses. Yet some have broadened the definition to include commercial software that collects data on the person running the program and sends it back to the company without adequate warning to that person.

Many mass-mailing worms are considered Trojan horses because they have to convince someone to open them.

The SubSeven server--software that lets an attacker remotely control any computer on which it is installed--is an example of a program typically embedded in a Trojan horse.

-RL