How bigger, badder worms are being built

COMMENTARY--As I write this, there are two new fast-spreading Internet worms for Windows users: Apost does the now-familiar "e-mail itself to everyone" thing we've come to expect from Windows worms and viruses, except this worm sends multiple copies of itself. And then there's an updated version of Magistr, redesigned to infect even more users with its destructive payload. Faster propagation has been the trend with Win32 viruses and worms, but what if rapid propagation methods were employed for network-savvy worms such as Code Red? Well, someone has already given thought to that.

Andy Warhol is famous for saying "In the future, everybody will have 15 minutes of fame." Nicolas Weaver at UC Berkeley has written a paper proposing that virus writers constructing some future Code Red-like worm add a list of 10,000 to 50,000 "well connected" Internet servers, then launch the virus. The advantage, he argues, is that even if only 10 to 20 percent of the servers are vulnerable to the worm's exploit, that would still be an enormous jump on Code Red and previous worms. Weavers adds that the initial 10 percent infection could be achieved in the first minute or so; he then proposes that his "uberworm" could infect most of the Internet within 15 minutes (hence the Warhol worm).

Not to be outdone, the team of Suart Staniford, Gary Grim, and Roelof Jonkman at Silicon Defense proposed an even greater propagation rate: they claim they can infect the Internet in 30 seconds. They argue that a worm writer could scan the Internet in advance and identify almost all of the vulnerable systems on the Internet before launching the worm. With a very fast Internet connection (they mention an OC12 link), they argue even a 48MB address list of vulnerable Internet address could be sent out in about 4 minutes.

Jose Nazario, a biochemist by trade who has previously offered valuable insights on digital worms, points out that neither of these papers take into account the basic elements of propagation on the Internet. Nazario points to an IBM paper called "How Topology Affects Population Dynamics," which looks at lessons learned from biological infections and how, with an understanding of this model, programmers might better design future digital organisms (they don't specifically say "worms").

Basically, the authors of both the Warhol and Flash worms assumed a very simple Internet model where every node to be infected is a neighbor of every other node. The reality is much more complicated. That's what Nazario says torpedoes the technical merits of both of these studies.

So why even mention this research? Nicolas Weaver himself posts that he is leaving his paper up online so that people can understand, with documentation, what danger there is in a homogenous Internet. Someone will attempt to do what these authors have proposed, and someone might someday make a worm that "flashes" the entire Internet with a malicious payload. Rather than be caught unaware, isn't it better to realize this is out there and take steps to minimize its impact?

Weaver proposes that companies use context-sensitive firewalls where only "that which is not explicitly allowed is forbidden." He further suggests internal firewalls throughout the company and regular security audits. He adds, "regular backups are also essential." He further suggests that: "Homogenous populations, whether in potatoes or computers, are always more vulnerable to diseases." That's something to remember when implementing one or multiple types of servers on your network. Just as biodiversity has kept life going on Earth, mixing up one's operating systems can only strengthen the Internet.

Is diversity the key to minimizing vulnerabilities? Are you worried about worms such as the theoretical Warhol worm? TalkBack to me below.