Where Is the Killer Worm?

Although worms can create media furor and disrupt business, to date they have adhered to a strange dichotomy: A given worm may spread rapidly or deliver a destructive payload — but no worm has accomplished both tasks with equal aplomb.

SQL Slammer and SoBig.F, for example, tunneled voraciously through the Internet. On the other hand, the Magistr worm had a highly destructive payload but operated in a much smaller sphere. Luckily for enterprises and consumers alike, the two capabilities were not melded in a killer worm that could speedily traverse the Internet, destroying data as it spread.

Still, the threat appears to be reaching new heights. August 2003 was the worst-ever month for worm and virus attacks, thanks largely to the fast-replicating SoBig.F worm (though the Blaster worm also played a part). During the month, nearly 77 percent of all attacks were credited to SoBig.F, based on the number of infections confirmed through antivirus developer Central Command’s Emergency Virus Response Team. According to Steve Sundermeier, vice president of products and services at Central Command, SoBig.F at its peak represented more than 72 percent of all e-mails sent.

The SoBig.F variant was scheduled to expire September 10th. Each previous variant of the worm has been followed by a new version, and security experts have noted that it seems the SoBig author is performing methodical testing of a sort. Is something far worse in the works, or is a truly devastating worm still a distant possibility?

Watch Out

One reason why the plague of worms has become especially pressing is that worms now can spread extremely rapidly, according to Ian Hameroff, security strategist at Islandia, New York-based Computer Associates.

“How many of the people susceptible to [worms] are going to get the cold? That’s now measured in minutes — not days or weeks,” Hameroff told the E-Commerce Times. “The time between a vulnerability being identified and an attack that leverages and exploits it has decreased dramatically.”

Fortunately, antivirus companies also are quicker to respond to threats than they were in the past. “Originally, we used to see viruses that had trigger dates,” David Perry, global director of education at Trend Micro, told the E-Commerce Times. “That would give them a chance to get into circulation before it was obvious they were there. We [now] have a mature antivirus market. We update in minutes.”

Psych Minors

Even so, antivirus firms can have a hard time stopping a fast-spreading worm before it infects significant numbers of machines, as illustrated by last winter’s SQL Slammer attack. Clearly, technology is not holding hackers back from creating uber worms. Rather, industry executives say, the limiting factor is the psychology of the majority of people — generally young males — who write malware.

“People who write these don’t seem to be of a destructive nature,” said Chris Wysopal, director of research and development at Boston-based @stake, in a conversation with the E-Commerce Times. “I think it would be very simple to write destructive worms. There’s nothing technologically challenging about doing it. There’s nothing stopping it from happening.”

Added Computer Associates’ Hameroff: “We’re certainly fortunate we haven’t had a killer worm. But I speak in a limited fashion because I don’t want to throw the gauntlet down. Most of the time the reason why [worm writers] do it — 85 percent to 90 percent of the time — is for notoriety. There are ways in the underworld, the seediest side of cyberspace, that these types of individuals let it be known that they did it.”

Also, worm writers generally do not want to destroy the environment in which they operate, said Michael Rasmussen, an analyst with Forrester Research, in an interview with the E-Commerce Times. “They love the Internet, and they don’t want to bring it down,” he said.

Danger Ahead

Still, there are always a few malfeasants engaged in corporate “netspionage,” according to Hameroff, as well as truly malicious cyber terrorists. “A smaller percentage are doing it for financial reasons,” he said, “[like] a hired hitman on the Internet.

“There is no such thing as socially responsible hackers,” Hameroff added. “It’s any type of criminal activity. There are still criminals, and there is still federal law enforcement. It’s very important for us to stay in front of it and not get lax.”

However, industrial and international spies are not likely to release a worm that could generate a great deal of press. Such a spy “wants to siphon off the information for economic reasons without leaving a footprint,” Forrester’s Rasmussen noted.

On the other hand, terrorists often are out to destroy economies other than their own, so they seek to create the most damage, Rasmussen said.

Crime Prevention

Fortunately, computer users are not ignoring the threat or blindly hoping for a reprieve. In fact, the opposite is true.

Corporate and home users spent a record US$2.2 billion on antivirus programs in 2002, according to IDC. By 2007, the research firm expects antivirus spending will reach $4.4 billion. One reason is increased consumer knowledge about the impact of worm and virus attacks, said Chris Christiansen, vice president for IDC’s security products services. In the United States, 82 percent of 325 firms surveyed by IDC had experienced attacks. More than 30 percent of those surveyed reported the attack was detected but not instantly countered.

In addition, organizations are working proactively to prevent viruses and worms from infiltrating their networks. “You’ve got to know [attacks] are going to come,” Hameroff said. “Security management will be the means of reducing the impact. We’re not just looking at a technology solution. We’re constantly educating people.”

More Than Antivirus

However, antivirus programs would not have prevented Blaster or most other worms, said Wysopal of @stake. “People need to run a personal firewall on their machines unless they have one on their personal firewalls,” he said. “Worms require the program to be listening on the network, like a server, and it needs to have no authentication.”

Working with the vendor community, @stake checks and tests pieces of code that exist in the pre-authentication area of a network. “We actually work with software vendors and help them design programs and test programs to make sure they don’t have these flaws when they ship their programs,” Wysopal noted. “It really comes down to another level of quality assurance on the software level.”

The company also works with government and private-sector organizations to check their infrastructures and monitor employee policies.

Despite all of these measures, corporations consistently must manage, monitor and work to reduce their network vulnerability on both the technology and employee fronts — and then hope for the best. In the world of viruses and worms, anything is possible, because the actions of malware authors are invisible until they release their creations.

“I personally would not be surprised to see [a killer worm] tomorrow — or if we waited five years until we saw it,” Forrester’s Rasmussen said.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels