Year of the Worm
Software worms have become the weapons of choice for vandals to spread their latest creations, surpassing all malicious-code predecessors in popularity.
Fast-spreading code is weapon of choice for Net vandals
By Robert Lemos

Four hours. That's how long it took for a glamorous tennis player to become the talk of the Net, for countless companies to shut down their e-mail gateways, and for a new virus to spread across the Atlantic.

"It blew up that day," said Mark Sunner, chief technology officer of the Gloucester, U.K., company. "We saw a bell curve around the working hours...It sat in a critical mass of in-trays and, when people came to work, it kicked off."

Computer worms are not ordinary viruses. Their ability to spread quickly across the Internet has made worms the weapon of choice for malicious vandals to spread their latest creations. Furthermore, the programs can be easily copied and changed, and point-and-click tools to create complex worms are readily available.

In fact, of the annual 10 most widespread infections, worms accounted for half in 2000, sharing the No. 1 honors with macro viruses, according to security site SecurityPortal. And early indications in January and February suggest that worms will account for at least eight of the top 10 slots in 2001, with AnnaKournikova, Hybris and LoveLetter variants leading the list.

Though creating such programs in the past may have required some technical knowledge and, possibly, a mentor in the virus-writing underground, today anyone can download applications from the Internet to do the work for them. The VBS Worm Generator--the program responsible for creating the AnnaKournikova virus--has been downloaded more than 15,000 times from one popular site, VX Heavens, according to that site's administrator.

"These kits are very easy to use and can be found by anyone who knows how to use a search engine," said Max Vision, a security-conscious hacker who edits the security site Whitehats.

The worms created with such generators can vary from benign mass mailers that clog e-mail gateways to vicious code that is the equivalent of the Ebola virus to computers.
What differentiates these two extremes is what the author throws into the mix. Yet no matter the payload, worms deliver quickly.
Originally coined in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, the term "worm" is derived from "The Shockwave Rider," a 1972 science-fiction novel about the downfall of an Orwellian society caused, to some degree, by a "tapeworm" program that liberated data as it proliferated through networks.

Shoch and Hupp had needed a way to automate the installation of Ethernet-performance measuring tools on more than 100 computers at Xerox PARC, so they turned to a class of programs that could send and install themselves across the network. The programs installed quickly, could be updated and ran automatically.

"What we called the worm is a kind of distributed computation that is a really interesting and powerful thing," said Shoch, now a general partner at venture capital firm Alloy Ventures in Palo Alto, Calif.

But to the pair's dismay, when their program developed a bug, the bad code automatically spread across the network as well.

"The worm would quickly load its program into (the computer); the program would start to run and promptly crash, leaving the worm incomplete--and still hungrily looking for new (computers)," Shoch and Hupp wrote in a 1982 paper on the experiments with that and other self-spreading programs. "The embarrassing results were left for all to see: 100 dead machines scattered about the building."

The computer worm was born.

Worm evolution

The Christmas Tree virus was perhaps the first worm on a worldwide network, spreading across BITNET--an IBM-only precursor to the Internet--in December 1987. Many of today's worms, such as Melissa, LoveLetter and AnnaKournikova, take a page from the Christmas Tree book. Other worms need no human interaction, infecting computers that have certain security flaws and then using the new host to scan for more computers with the same flaw.
These worms are modeled after the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T. Morris, a Cornell University graduate student. Two recent worms, W95/Bymer and the Linux Ramen worm, can spread to other computers without any person's interaction. And worms are getting trickier with each incarnation. Hybris uses encrypted plug-ins to update itself and monitors the infected computer's network connection to find e-mail addresses to which it can send itself. The Linux Ramen worm, formed of several hacking tools, spreads much like the Cornell Internet Worm by taking advantage of holes in servers.
Such tricks will become standard fare as toolkit writers incorporate these tactics into the latest worm generator application. At least one author of such a program, [K]alamar, the 18-year-old Argentinian programmer who created the VBS Worm Generator, hopes that others will learn from his toolkit.

"I've made that tools coz i've learned to code," he said in a recent e-mail to CNET News.com. "...and i want other people to learn like me."

[K]alamar refused to remove the tool from his site, despite the spread of the AnnaKournikova worm, and has since released a second version of the program. Previously, another virus writer--who also used the name Kalamar and had the tool on his site--claimed to be the author of the code.

Toolkits such as [K]alamar's are a long tradition in the virus-exchange, or VX, underground. As a result, techniques for creating the latest worms are quickly being passed between writers.

Another factor: Many worms are written in one of several scripting languages, which can be read by even semi-knowledgeable virus writers and changed to release variants mere hours after a major virus epidemic. Virus writers latched onto LoveLetter, for example, which struck in May 2000, and have cranked out more than 40 variants to date.

Putting up a fight

Companies will typically filter e-mail attachments at their gateways--the corporate connections to the Internet. A common part of this defense is to try to beat worms at their own game by distributing new virus detection faster than the viruses can spread. However, if a new virus does not match any of the types contained in the filtering software's definitions, the scanner will not flag the attachment as malicious code.

To address this problem, Symantec and IBM have teamed to create what they call a "Digital Immune System." By responding to the first new infection and pushing any new scanning definitions and software to all their customers, the companies hope to protect computers before a worm attack can peak.
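As an added illustration of the filtering gap described above (example code written for this edit, not from the article or from any vendor's product): a minimal mail gateway that first checks each attachment against exact-content definitions and then against an attachment-type policy. The definition format, the sample bodies and the file names are constructed assumptions, not real signatures.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Attachment:
    filename: str
    content: bytes


# Constructed bodies standing in for two known malicious attachments; the
# "definitions" are their SHA-256 digests, the simplest exact-match scheme a
# signature-based scanner could hold (an assumption, not any vendor's format).
KNOWN_BAD = [b"constructed worm sample A", b"constructed worm sample B"]
DEFINITIONS = {hashlib.sha256(body).hexdigest() for body in KNOWN_BAD}

# Directly executable attachment types (Windows Script Host and friends) that a
# gateway can refuse outright, whether or not the content is already known.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "scr", "pif", "bat", "cmd"}


def matches_definitions(att: Attachment) -> bool:
    """Definition-based check: true only for content already in the signature set."""
    return hashlib.sha256(att.content).hexdigest() in DEFINITIONS


def final_extension(filename: str) -> str:
    """The extension Windows acts on is the last one: 'photo.jpg.vbs' -> 'vbs'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def violates_policy(att: Attachment) -> bool:
    """Type-based rule: reject script attachments whatever their content."""
    return final_extension(att.filename) in SCRIPT_EXTENSIONS


def gateway_decision(att: Attachment) -> str:
    """Returns 'block:signature', 'block:policy' or 'deliver'."""
    if matches_definitions(att):
        return "block:signature"
    if violates_policy(att):
        return "block:policy"
    return "deliver"


def filter_mail(attachments) -> dict:
    """Run a batch through the gateway and group filenames by decision."""
    result = {"block:signature": [], "block:policy": [], "deliver": []}
    for att in attachments:
        result[gateway_decision(att)].append(att.filename)
    return result
```

A variant made by appending a single byte to a known body no longer matches the definitions, which is the gap the article describes, yet the type rule still stops it; a macro document carrying the same body passes both checks, showing where the type rule ends and patching or behaviour-based defences have to take over.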
Other efforts, which hope to catch worms at an even earlier stage, seek to block the malicious behavior of computer viruses. But these efforts have a long way to go. The AnnaKournikova virus, a worm written in Visual Basic Script, spread worldwide despite being quite similar to LoveLetter and other recent, lesser-known worms. One independent antivirus researcher, who asked not to be named, said the worm was so effective because some antivirus manufacturers--most notably Symantec--failed to detect the creation of the VBS Worm Generator right away. The fact that worms can spread so easily should have every person using the Internet just a little paranoid, said Whitehats' Max Vision. "Although most worms are benign, they demonstrate serious vulnerabilities," he said. "There are many worms propagating through the networks constantly." That's not the only worry, said Cary Nachenberg, chief researcher for Symantec. With so many worms on the Internet, the chance that they could start interacting with each other has grown. "These sorts of complex systems can create their own emergent behavior," he said. "Many have already caused effective denial-of-service attacks because of bandwidth consumption." What's next? Nachenberg doesn't know, but he said it won't be good.
"It's the sort of thing that scares me," he said.

Hardly a day goes by without a new virus, worm or Trojan horse popping up to worry the average Net surfer. As a group, such programs are called "malicious code," and only a few guidelines exist to determine the classification of any particular program.

Moreover, classifying malicious code is not always clear-cut. Many programs can be classified as all three. For example, the original Melissa virus infects files (making it a virus), but also uses e-mail to spread itself to other computers (making it a worm) and appears to be a list of porn sites (making it a Trojan horse).

The classification of malicious code is not a comment about how dangerous or destructive the code can be. A virus, worm or Trojan horse may only spread itself or it may erase a computer's hard drive, or anything in between.

Here are the main types of malicious code:

Virus (Infector filus)
Standard viruses will spread only when an infected file is transferred from one computer to another. CIH--sometimes called the Chernobyl virus--is a prime example of a standard virus.

Worm, mass mailer (Cestoidea emailus)
Known as mass mailers due to the technique of spamming themselves to every address in the e-mail address book, such worms generally require a person's action to spread. Typically, that means opening an attachment in the infected e-mail. By scamming people, such mass-mailing worms are similar to Trojan horses. A good example of a mass mailer is the recent AnnaKournikova worm.

Worm, network-aware (Cestoidea network)
While defense against mass-mailing worms only requires someone to passively reject any e-mail attachments and employ antivirus software, defense against network-aware worms requires a computer's owner to patch security holes, assign passwords to systems and use a personal firewall. The Linux Ramen worm and W95/Bymer are two examples of network-aware worms.

Trojan horse (Equus chameleus)
Modified programs that open a back door into a system or a program hidden inside of a humorous animation are typical examples of Trojan horses. Yet some have broadened the definition to include commercial software that collects data on the person running the program and sends it back to the company without adequate warning to that person. Many mass-mailing worms are considered Trojan horses because they have to convince someone to open them. The SubSeven server--software that lets an attacker remotely control any computer on which it is installed--is an example of a program typically embedded in a Trojan horse.

-RL