Fast-spreading code is weapon of choice for Net vandals
By Robert Lemos
Special to CNET News.com
March 15, 2001, 4:00 a.m. PT
Four hours. That's how long it took for a glamorous tennis player to
become the talk of the Net, for countless companies to shut down their
e-mail gateways, and for a new virus to spread across the Atlantic.
At the height of the barrage, the AnnaKournikova virus--which took the pernicious form of a "worm" attachment--was included in one of every 106 e-mails arriving at the gateway of MessageLabs. The e-mail service provider saw almost 20,000 copies of the worm in a week.
"It blew up that day," said Mark Sunner, chief technology officer of the
Gloucester, U.K., company. "We saw a bell curve around the working hours...It sat in a critical mass of in-trays and, when people came to work, it kicked off."
Computer worms are not ordinary viruses. Their ability to spread quickly
across the Internet has made worms the weapon of choice for malicious
vandals to spread their latest creations. Furthermore, the programs
can be easily copied and changed, and point-and-click tools to create
complex worms are readily available.
In fact, of the annual 10 most widespread infections, worms accounted
for half in 2000, sharing the No. 1 honors with macro viruses, according to
security site SecurityPortal. And early indications in January and
February suggest that worms will account for at least eight of the
top 10 slots in 2001, with AnnaKournikova, Hybris and LoveLetter variants
leading the list.
Though creating such programs in the past may have required some
technical knowledge and, possibly, a mentor in the virus-writing
underground, today anyone can download applications from the Internet to do the work for them. The VBS Worm Generator--the program responsible for creating the AnnaKournikova virus--has been downloaded more than 15,000 times from one popular site, VX Heavens, according to that site's administrator.
"These kits are very easy to use and can be found by anyone who knows
how to use a search engine," said Max Vision, a security-conscious hacker
who edits the security site Whitehats.
The worms created with such generators can vary from benign
mass mailers that clog e-mail gateways to vicious code that is the
equivalent of the Ebola virus to computers. What differentiates these two extremes is what the author throws into the mix. Yet no matter the payload, worms deliver quickly.
"Worms...can proliferate extremely fast through a network," said Ken
Dunham, senior analyst for SecurityPortal. "This is especially true when one considers the fact that the average user knows very little (about) computer technology and commonly practices unsafe computing methods, such as blindly opening any attachment within an e-mail."
Originally coined in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, the term "worm" is derived from "The Shockwave Rider," a 1975 science-fiction novel by John Brunner about the downfall of an Orwellian society caused, to some degree, by a "tapeworm" program that liberated data as it proliferated through networks.
Shoch and Hupp had needed a way to automate the installation of
Ethernet-performance measuring tools on more than 100 computers at Xerox
PARC, so they turned to a class of programs that could send and install
themselves across the network. The programs installed quickly, could be
updated and ran automatically.
"What we called the worm is a kind of distributed computation that is a
really interesting and powerful thing," said Shoch, now a general
partner at venture capital firm Alloy Ventures in Palo Alto, Calif.
But to the pair's dismay, when their program developed a bug, the
bad code automatically spread across the network as well.
"The worm would quickly load its program into (the computer); the program
would start to run and promptly crash, leaving the worm incomplete--and
still hungrily looking for new (computers)," Shoch and Hupp wrote in a 1982
paper on the experiments with that and other
"The embarrassing results were left for all to see: 100 dead machines
scattered about the building."
The computer worm was born.
Since then, worms have fallen into two categories. Some camouflage themselves as interesting e-mail attachments. When such an attachment is opened, the worm executes, infects the system and mails itself to every name listed in the computer's address book, spreading in a burst of e-mail.
The Christmas Tree virus was perhaps the first worm on a worldwide network,
spreading across BITNET--an IBM-only precursor to the Internet--in December
1987. Many of today's worms, such as Melissa, LoveLetter and
AnnaKournikova, take a page from the Christmas Tree book.
Other worms need no human interaction, infecting
computers that have certain security flaws and then using the new host
to scan for more computers with the same flaw.
These worms are modeled after the Cornell Internet Worm, which
overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T. Morris, a Cornell University graduate student.
Two recent worms, W95/Bymer and the Linux Ramen worm, can spread to other computers without any person's interaction. And worms are getting trickier with each incarnation.
Hybris uses encrypted
plug-ins to update itself and monitors the infected computer's network
to find e-mail addresses to which it can send itself. The Linux Ramen worm, formed of
several hacking tools, spreads much like the Cornell Internet Worm by
taking advantage of holes in servers.
W95/Bymer spread by finding unprotected shared drives on Windows
computers. Once it infected a computer, it would run a distributed
computing client to take part in a contest hosted by Distributed.net to
crack encryption code. A second variant entered the contest as a different
user, and the two worms would fight over computer systems.
Such tricks will become standard fare as toolkit writers incorporate
these tactics into the latest worm generator applications. At least one author
of such a program, [K]alamar, the 18-year-old Argentinian programmer who
wrote the VBS Worm Generator, hopes that others will learn from his toolkit.
"I've made those tools because I've learned to code," he said in a recent e-mail
to CNET News.com. "...and I want other people to learn like me."
[K]alamar refused to remove the tool from his site, despite the spread of the AnnaKournikova worm, and has since released a second version of the program. Previously, another virus writer--who also used the name Kalamar and had the tool on his site--claimed to be the author of the code.
Toolkits such as [K]alamar's are a long tradition in the virus-exchange, or VX, underground. As a result, techniques for creating the latest worms are quickly being passed between writers.
Another factor: Many worms are written in one of several scripting languages, which can be read by even semi-knowledgeable virus writers and changed to release variants mere hours after a major virus epidemic. Virus writers latched onto LoveLetter, for example, which struck in May 2000, and have cranked out more than 40 variants to date.
Putting up a fight
Companies and antivirus software makers are looking for answers to stave
off future worm attacks.
Companies will typically filter e-mail attachments at their gateways--the
corporate connections to the Internet. A common part of this defense is to try to beat worms at their own game by distributing new virus detection faster than the viruses can spread. However, if a new virus does not match any of the types contained in the filtering software's definitions, the scanner will not flag the attachment as malicious code.
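As an added illustration (not part of the CNET article, and not any vendor's product), the following Python, using only the standard library, shows why a definitions-only gateway misses a fresh variant while a content-independent attachment policy does not. The message headers, the placeholder script bytes, the one-byte "variant" and the blocked-extension list are all constructed for this example; the signature set stands in for an antivirus definition file.

```python
from __future__ import annotations

import email
import hashlib
from email import policy
from email.message import EmailMessage

# Attachment types a gateway can refuse outright, whatever the file contains:
# Windows Scripting Host scripts and native executables. This is an assumed
# policy for the example; tune it to what your users actually need to receive.
BLOCKED_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
}


def build_message(filename: str, data: bytes) -> bytes:
    """Construct a one-attachment message as the gateway would receive it.

    Headers and body are constructed for the example.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("Hi: Check This!")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def classify(filename: str, payload: bytes, signatures: set[str]) -> str:
    """Return a verdict for one attachment.

    The hash lookup is the 'definitions' check: it only catches bytes that
    have already been seen. The extension rule is content-independent, so it
    still holds for a brand-new variant the definitions have never met.
    """
    if hashlib.sha256(payload).hexdigest() in signatures:
        return "block:signature"
    parts = filename.lower().split(".")
    if len(parts) > 1 and "." + parts[-1] in BLOCKED_EXTENSIONS:
        # 'something.jpg.vbs' hides the real type behind a decoy one.
        return "block:double-extension" if len(parts) > 2 else "block:extension"
    return "allow"


def scan(raw_message: bytes, signatures: set[str]) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdicts.append((name, classify(name, payload, signatures)))
    return verdicts


# Constructed samples: a harmless VBScript comment standing in for a worm
# body, a one-byte-different 'variant' of it, and an ordinary document.
ORIGINAL = b"' constructed placeholder, not a worm\r\nWScript.Echo \"hi\"\r\n"
VARIANT = ORIGINAL.replace(b"hi", b"ho")
DOCUMENT = b"%PDF-1.4\n% constructed placeholder document\n"


def demo() -> dict[str, list[tuple[str, str]]]:
    # Definitions that know only the original sample's bytes.
    signatures = {hashlib.sha256(ORIGINAL).hexdigest()}
    return {
        "original": scan(build_message("AnnaKournikova.jpg.vbs", ORIGINAL), signatures),
        "variant": scan(build_message("AnnaKournikova.jpg.vbs", VARIANT), signatures),
        "document": scan(build_message("report.pdf", DOCUMENT), signatures),
        "no_defs": scan(build_message("AnnaKournikova.jpg.vbs", ORIGINAL), set()),
    }


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label, verdicts)
```

Run it and the hash check catches only the sample it was built from; changing a single byte produces a "variant" the definitions have never seen, which only the extension rule stops. Refusing double extensions such as .jpg.vbs is the cheap win here: it blocks the attachment regardless of what the script inside it does, and it needs no update when the next generator-built variant appears.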
To address this problem, Symantec and IBM have teamed to create what they
call a "Digital Immune System." By responding to the first new infection and pushing any new scanning definitions and software to all their
customers, the companies hope to protect computers before a worm attack
Other efforts, which hope to catch worms at an even earlier stage, seek to
block the malicious behavior of computer viruses. But these efforts have a
long way to go.
The AnnaKournikova virus, a worm written in Visual Basic Script, spread worldwide despite being
quite similar to LoveLetter and other recent, lesser-known worms.
One independent antivirus researcher, who asked not to be named, said
the worm was so effective because some antivirus
manufacturers--most notably Symantec--failed to detect the creation of the
VBS Worm Generator right away.
The fact that worms can spread so easily should have every person
using the Internet just a little paranoid, said Whitehats' Max Vision.
"Although most worms are benign, they demonstrate serious
vulnerabilities," he said. "There are many worms
propagating through the networks constantly."
That's not the only worry, said Carey Nachenberg, chief researcher for
Symantec. With so many worms on the Internet, the chance that
they could start interacting with each other has grown.
"These sorts of complex systems can create their own emergent behavior,"
he said. "Many have already caused effective denial-of-service attacks because
of bandwidth consumption."
What's next? Nachenberg doesn't know, but he said it won't be good.
"It's the sort of thing that scares me," he said.
Hardly a day goes by without a new virus, worm or Trojan horse popping up to worry the average Net surfer. As a group, such programs are called
"malicious code," and only a few guidelines exist to determine the
classification of any particular program.
Moreover, classifying malicious code is not always clear-cut.
Many programs can be classified as all three. For example, the original
Melissa virus infects files (making it a virus), but also uses e-mail to
spread itself to other computers (making it a worm) and appears to be a list
of porn sites (making it a Trojan horse).
The classification of malicious code is not a comment about how dangerous or
destructive the code can be. A virus, worm or Trojan horse may only spread
itself or it may erase a computer's hard drive, or anything in between.
Here are the main types of malicious code:
Virus (Infector filus)
A virus is a program that spreads itself by infecting files. When it runs, a
virus will essentially wrap a file's data in its own code. When the file is
opened, the virus runs its program first and then opens the file as
Standard viruses will spread only when an infected file is transferred from
one computer to another.
CIH--sometimes called the Chernobyl virus--is a prime example of a standard
Worm, mass mailer (Cestoidea emailus)
Worms, unlike viruses, don't infect files, but entire disks or
computer systems. Because worms can't rely on file-to-file transfers to
spread their code, they need to have a way of sending themselves to other
computer systems. Perhaps the most common way today is via e-mail.
Known as mass mailers due to the technique of spamming themselves to every
address in the e-mail address book, such worms generally require a person's
action to spread. Typically, that means opening an attachment in the
By scamming people, such mass-mailing worms are similar to Trojan horses.
A good example of a mass mailer is the recent AnnaKournikova worm.
Worm, network-aware (Cestoidea network)
Some worms squirm into another computer through security holes. Whether
taking advantage of unprotected, shared drives or of a vulnerability in FTP
software, such network-aware worms don't require a person's action to
While defense against mass-mailing worms only requires someone to passively
reject any e-mail attachments and employ antivirus software, defense
against network-aware worms requires a computer's owner to patch security
holes, assign passwords to systems and use a personal firewall.
The Linux Ramen worm and W95/Bymer are two examples of network-aware worms.
Trojan horse (Equus chameleus)
Unlike worms and viruses, the purpose of a Trojan horse is not to spread,
but to have a particular target--that is, a computer's owner--to run the
program. A strict definition of a Trojan horse is any program that does
something besides what a person believes it will do.
Modified programs that open a back door into a system or a program hidden
inside of a humorous animation are typical examples of Trojan horses. Yet
some have broadened the definition to include commercial software that
collects data on the person running the program and sends it back to the
company without adequate warning to that person.
Many mass-mailing worms are considered Trojan horses because they have to
convince someone to open them.
The SubSeven server--software that lets an attacker remotely control any
computer on which it is installed--is an example of a program typically
embedded in a Trojan horse.