The threat to computer networks from worms is multiplying in both sophistication and potential for damage, according to security experts.
The industry is on the cusp of an evolution in computer worms — those malicious programs that replicate themselves and can spread automatically over the network from one machine to another, wreaking havoc as they go. And that evolution is bringing a new breed of problems for network and security administrators.
“I think there’s a lot of potential for damage coming down the pike,” says Stephen Trilling, senior director of research at Symantec Corp., an Internet security company based in Cupertino, Calif. “We will see worms with increasing sophistication. We’ll see worms with new ways of spreading. We’ll see worms that can spread themselves through Instant Messaging…They can steal documents and information from your machine. They can create new holes in your system, and once they’ve taken over your machine, they can launch attacks from it.”
A few recent worms and viruses — such as the Frethem.E and the Simile.D — didn’t wreak any havoc on the Internet but they did serve as a warning for future worm attacks, say security analysts.
The Frethem worm had the ability to propagate itself. It collected email addresses from the Windows Address Book and used its own SMTP engine to send out infected messages. The Simile virus is largely considered the first complicated virus with cross-platform capabilities — able to attack both Windows and Linux operating systems.
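The two traits the article attributes to Frethem, harvesting addresses and sending through its own SMTP engine, leave a simple network footprint: a workstation that is not the site's mail relay suddenly opens connections to many different external mail servers. The following Python is an added detection example, not code from the article or from Symantec; the log format, the relay address 10.0.0.2, the ten-minute window and the threshold of five distinct mail servers are all assumptions, and the log lines are constructed.

```python
"""Flag internal hosts that behave like a worm's built-in SMTP engine.

Added example (not from the article). Given firewall connection records,
count the distinct external mail servers each internal host contacts on
TCP/25 inside a sliding time window. The legitimate outbound relay is
expected to do this; any other host fanning out to many mail servers is a
strong indicator of a mass-mailing worm carrying its own SMTP engine.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source, destination, dst port, action.
SAMPLE_LOG = """\
2002-07-15T09:00:01 10.0.0.5 203.0.113.10 25 allow
2002-07-15T09:00:02 10.0.0.5 198.51.100.7 25 allow
2002-07-15T09:00:03 10.0.0.5 192.0.2.44 25 allow
2002-07-15T09:00:04 10.0.0.5 203.0.113.99 25 allow
2002-07-15T09:00:05 10.0.0.5 198.51.100.21 25 allow
2002-07-15T09:00:06 10.0.0.5 192.0.2.8 25 allow
2002-07-15T09:00:07 10.0.0.7 203.0.113.10 80 allow
2002-07-15T09:00:08 10.0.0.7 203.0.113.10 25 allow
2002-07-15T09:00:09 10.0.0.2 203.0.113.10 25 allow
2002-07-15T09:00:10 10.0.0.2 198.51.100.7 25 allow
2002-07-15T09:00:11 10.0.0.2 192.0.2.44 25 allow
2002-07-15T09:00:12 10.0.0.2 203.0.113.99 25 allow
2002-07-15T09:00:13 10.0.0.2 198.51.100.21 25 allow
2002-07-15T09:00:14 10.0.0.2 192.0.2.8 25 allow
2002-07-15T09:30:00 10.0.0.9 203.0.113.10 25 allow
2002-07-15T10:30:00 10.0.0.9 198.51.100.7 25 allow
"""

MAIL_RELAY = "10.0.0.2"        # assumed: the site's legitimate outbound relay
WINDOW = timedelta(minutes=10)  # assumed sliding window
THRESHOLD = 5                   # assumed: distinct mail servers per host per window


def parse_log(text):
    """Parse the constructed log format into (time, src, dst, port, action)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return records


def smtp_fanout(records, relay=MAIL_RELAY, window=WINDOW, threshold=THRESHOLD):
    """Return {host: max distinct TCP/25 destinations in any window} for
    hosts that reach the threshold. The relay is excluded because fanning
    out to many mail servers is its job."""
    by_host = defaultdict(list)
    for ts, src, dst, port, action in records:
        if port == 25 and action == "allow" and src != relay:
            by_host[src].append((ts, dst))

    suspects = {}
    for host, events in by_host.items():
        events.sort()
        best = 0
        # Slide a window starting at each event; count distinct servers inside it.
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= threshold:
            suspects[host] = best
    return suspects


if __name__ == "__main__":
    for host, count in smtp_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {count} distinct mail servers within {WINDOW} -> possible SMTP-engine worm")
```

On the sample, only 10.0.0.5 is reported: the relay is excluded, 10.0.0.7 contacts a single mail server, and 10.0.0.9's two connections are an hour apart and never fall in one window. The threshold and window need tuning per site, and hosts that legitimately send mail directly (a web server sending notifications, for example) belong in the exclusion list alongside the relay.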
And that’s just a taste of what’s to come, according to George Bakos, senior security expert at the Institute for Security Technology Studies at Dartmouth College in Hanover, N.H.
“Hybrid worms are going to become more and more common,” says Bakos. “They’re going to be attacking multiple vulnerabilities, maybe on multiple operating systems.”
Bakos says the industry should expect the arrival of worms with new and powerful capabilities. He says to expect worms that infect a computer and then set up a communication channel so that the worm can talk to its controller. He also warns that administrators should be aware of more polymorphic worms, which are worms designed to hide their own presence.
Sleeper Worms Waiting To Strike
“If you had a worm that incorporated these points, you’d have a whole new life form,” says Brett Tofel, research associate at ISTS. “And it would have a long life.”
Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a wholly owned subsidiary of Raytheon, says the industry is looking at the coming of such attacks as super worms and sleeper worms.
A sleeper worm infects a computer but doesn’t automatically attack the system as soon as it’s in. Instead, the worm waits for a signal before it attacks. The signal could be a predetermined time or date, or the arrival of a certain email, or simply the 17th time that the user logs onto her system.
“It goes in and waits for a while and then resurfaces after you think you’ve cleaned out your system,” says Woolley. “They can be placed there and you have no idea they’re there…Worms can be very quiet. It can be hidden in a file you don’t even know exists. It’s not something the average Joe Blow script kiddie is going to come up with. It’s very sophisticated.”
Symantec’s Trilling says sleeper worms are particularly dangerous because they can be spread across the Internet and then awakened all at once to launch a targeted attack on a particular company, organization, sector of the Internet or even a country.
“There are a lot of machines out there that are vulnerable and once they’re all harnessed, they can do a lot of damage,” says Trilling.
Another category of attack is the super worm, which is generally considered to be a blended or hybrid worm. That means it can propagate itself and can pack attacks on a number of vulnerabilities into one payload. For instance, a super worm would get into a system and not just try to attack one vulnerability. It would try one known vulnerability, and then another, and another.
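The behaviour described above, one source trying several different exploits in quick succession against the same target, is exactly the pattern an intrusion-detection alert stream can be correlated on: a single signature firing is noise, but several distinct exploit signatures from one source against one host inside a short window is the signature of a multi-exploit worm. The following Python is an added example, not code from the article or from any of the vendors it quotes; the alert format, the signature names and the five-minute window are assumptions, and the alert lines are constructed.

```python
"""Correlate IDS alerts to spot one source trying several exploits.

Added example (not from the article). A hybrid worm that "tries one known
vulnerability and then another" shows up as several distinct exploit
signatures from the same source against the same target within a short
window. Repeated hits on ONE signature are not counted as multi-exploit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert lines: timestamp, source, target, signature name.
SAMPLE_ALERTS = """\
2002-07-15T11:00:00 10.0.0.5 10.0.0.20 web-overflow-attempt
2002-07-15T11:00:04 10.0.0.5 10.0.0.20 ftp-overflow-attempt
2002-07-15T11:00:09 10.0.0.5 10.0.0.20 rpc-overflow-attempt
2002-07-15T11:00:15 10.0.0.5 10.0.0.20 smb-share-probe
2002-07-15T11:00:20 10.0.0.7 10.0.0.20 web-overflow-attempt
2002-07-15T11:00:21 10.0.0.7 10.0.0.20 web-overflow-attempt
2002-07-15T11:00:22 10.0.0.7 10.0.0.20 web-overflow-attempt
2002-07-15T11:00:23 10.0.0.7 10.0.0.20 web-overflow-attempt
2002-07-15T11:05:00 10.0.0.8 10.0.0.21 web-overflow-attempt
2002-07-15T12:05:00 10.0.0.8 10.0.0.21 ftp-overflow-attempt
2002-07-15T13:05:00 10.0.0.8 10.0.0.21 rpc-overflow-attempt
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window
MIN_DISTINCT = 3               # assumed: distinct signatures needed to raise


def parse_alerts(text):
    """Parse the constructed alert format into (time, src, dst, signature)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sig = line.split()
        alerts.append((datetime.fromisoformat(ts), src, dst, sig))
    return alerts


def multi_exploit_sources(alerts, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {(src, dst): sorted list of distinct signatures} for every
    source/target pair that fires at least min_distinct different
    signatures inside one sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, sig in alerts:
        by_pair[(src, dst)].append((ts, sig))

    flagged = {}
    for pair, events in by_pair.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, sig in events[i:]:
                if ts - start > window:
                    break
                seen.add(sig)
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_distinct:
            flagged[pair] = sorted(best)
    return flagged


if __name__ == "__main__":
    for (src, dst), sigs in multi_exploit_sources(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src} -> {dst}: {len(sigs)} distinct exploit signatures within {WINDOW}: {', '.join(sigs)}")
```

On the sample only 10.0.0.5 against 10.0.0.20 is raised: 10.0.0.7 fires the same signature four times, which is a single exploit being retried, and 10.0.0.8 spreads three signatures over two hours, so no five-minute window holds more than one. The same correlation generalises to any alert source that carries a timestamp, a source, a target and a rule name.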
“It will pack a number of vulnerability attacks into a single warhead and one of them is bound to stick,” says Woolley. “It will find something that you haven’t patched and you’ll be caught. I don’t think any company is completely patched up. Look at all the vulnerabilities that come out on a day-to-day basis and think of a large corporation that has multiple servers, multiple systems and multiple networks. How do you stay on top of them all? Administrators oftentimes have systems out there they don’t even know exist, and if you don’t know they’re there, how can you possibly patch them?”
And while administrators are trying to patch their networks, they also need to be keeping a close eye on Instant Messaging, says Symantec’s Trilling.
Trilling says he’s starting to see worms that spread themselves over IM. A hacker sends a link to an IM user; the user clicks on it, and the worm spreads to everyone in the user’s IM address book.
“With Instant Messenger, you’re connected all the time so you’re vulnerable all the time,” says Trilling. “Over the next year to two years, we’ll see much more of this.”
Keith Rhodes, chief technologist at the U.S. General Accounting Office in Washington, D.C., says administrators should be patching up their systems, updating their anti-virus software and educating their employees because worm attacks are about to get much worse.
“I think we’re on the cusp of something,” says Rhodes. “As computing evolves, so do the malicious attacks. Your ability to understand them improves so your opponent also improves. The attacks become faster. The software becomes more complex and buggier. Your opponents, therefore, have much more opportunity to attack you.”