Another large-scale worm attack looming?

Worms and viruses have gotten sneakier. But your antivirus software hasn't. Worried? Here's how to prepare for future threats.
Written by Robert Vamosi, Contributor
Commentary

One year ago this week, the Code Red worm caused a national panic that compelled Microsoft and the FBI to conduct a joint press conference. What's changed in the past year?

According to Ryan Russell, senior threat analyst at SecurityFocus, Internet worms have become much more robust since Code Red. And that doesn't bode well for you, since antivirus software hasn't kept up with all the changes.

So far in 2002, we've been lucky. We've seen fewer worms and viruses this year than last, when big-name worms such as Sircam, Code Red, Code Blue, and Nimda wreaked havoc on the Net. Last year I reported on 60 different viruses. This year, I've written up only 20. Given that we're halfway through 2002, it looks like we're on pace to see about 30 percent fewer viruses in 2002.

Speaking at last month's NetSec 2002 conference in San Francisco, Russell said that many of today's worms are based on old software vulnerabilities. So if you've already patched those flaws, you shouldn't become reinfected, nor help the worm spread. For example, the latest worm, Frethem.k, takes advantage of Internet Explorer MIME header and IFRAME flaws, which were both fixed by Microsoft last year in its MS01-020 security patch.

Code Red, on the other hand, exploited a buffer overflow in the Index Server component of Microsoft IIS, which had been discovered a month before the worm was let loose.

Russell expects that the period between when a new vulnerability is announced and a new worm appears to take advantage of it will get shorter. Soon, the day a worm appears will be the first time the general public hears about the vulnerability it exploits; this is called an "0-Day worm."

Another trend: We're seeing more Internet worms that build on previous worms. Nimda, for example, infected servers already infected with Code Red II. And the Leaves worm looked for boxes already compromised by the SubSeven Trojan horse. Worms are also becoming more territorial. Code Red II terminated Code Red I code by rebooting the infected system, and the Code Blue worm terminated instances of Code Red II.

Worm authors are learning to work around software fixes, too. Using the default SMTP servers in Windows, desktop worms such as Sircam are able to bypass Outlook's new security settings. They're also bypassing the Outlook Address Book (which is now protected), and instead culling e-mail addresses from files such as those found in the temporary cache in Internet Explorer.

But it could be much worse. The Internet worms we're seeing today aren't carrying destructive payloads that could destroy files or your computer's hard drive.

Looking ahead, you should watch out for spam written in foreign languages, as it may carry worms. Because these messages won't contain the clever subject lines and attached files you're used to seeing in infected e-mail, you might overlook these worms and allow them to execute upon arrival in your inbox. Clearly, English is no longer the default language for Internet worms. Sircam and Hybris/SnowWhite both used multiple languages.

Also in the future, virus writers may have more control over the code they write after they've let a worm loose on the Net. Currently, if a virus author wants to upgrade an Internet worm, he must tinker with it offline and re-release the improved worm. But Russell expects more worms to start including backdoors, so the author can make changes on the fly--either to evade antivirus software or to change its functionality.

He also speculated that worms might one day set up their own communications channel, like a file-sharing network. If a worm could learn from its own experiences, it could then communicate updated code via a private IRC channel to its brethren on the Internet. This would help it not only evade antivirus software, but also increase its destructive capabilities.

Russell concludes that current antivirus software will soon be ineffective against these evolving worms. The pattern-matching approach still used by many antivirus vendors is outdated, based on viruses from the early 1980s. A few products that monitor the behavior of malicious code, such as Okena's StormWatch, are capable of catching the latest worms. But this approach, common in enterprise products, has yet to trickle down to antivirus apps designed for the end user.
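To make the contrast Russell draws concrete, here is an added example (not from the original column, and not the code of any antivirus product named above) that puts a fixed-byte signature scanner beside a simple behavior monitor. The "worm" byte strings, the signature, and the host event log are all constructed for this illustration; changing a single byte in the sample is enough to slip past the signature, while the behavior monitor still flags the process that mass-mails and drops executables.

```python
"""Signature matching versus behavior monitoring (added illustration).

Everything below is constructed for this example: the byte samples, the
signature, and the event log do not describe any real worm or product.
"""
from collections import Counter, defaultdict

# --- 1. Pattern-matching (signature) detection ------------------------------
# A classic signature is a fixed byte sequence lifted from a known sample.
SIGNATURES = {
    "Example.Worm.A": b"\x90\x90MAIL FROM:<",   # constructed signature
}

# Constructed samples: the "variant" differs from the original by one byte.
SAMPLE_ORIGINAL = b"\x90\x90MAIL FROM:<worm@example.test>"
SAMPLE_VARIANT = b"\x90\x91MAIL FROM:<worm@example.test>"


def signature_scan(blob: bytes) -> list[str]:
    """Return the names of every signature whose byte pattern occurs in blob."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


# --- 2. Behavior-based detection --------------------------------------------
# Instead of bytes, score what a process *does*. Events are (pid, action,
# detail) tuples shaped like a host monitor's log; these are constructed.
SMTP_PORT = 25

EVENTS = [
    # pid 1000: an ordinary mail client talking to one server, saving a note
    (1000, "connect", "mail.example.test:25"),
    (1000, "write", r"C:\Temp\notes.txt"),
]
# pid 4242: contacts many hosts on port 25 and drops several executables
EVENTS += [(4242, "connect", f"10.0.{i}.5:25") for i in range(12)]
EVENTS += [(4242, "write", rf"C:\Temp\copy{i}.exe") for i in range(4)]


def behaviour_scan(events, max_smtp_hosts=10, max_exec_writes=3):
    """Flag processes whose actions look worm-like.

    Two heuristics: connecting to many distinct hosts on the SMTP port
    (mass-mailing) and writing several executable files (self-copying).
    Returns {pid: [reasons]} for flagged processes only.
    """
    smtp_hosts = defaultdict(set)
    exec_writes = Counter()
    for pid, action, detail in events:
        if action == "connect":
            host, port = detail.rsplit(":", 1)
            if int(port) == SMTP_PORT:
                smtp_hosts[pid].add(host)
        elif action == "write" and detail.lower().endswith((".exe", ".scr", ".pif")):
            exec_writes[pid] += 1

    flagged = {}
    for pid in set(smtp_hosts) | set(exec_writes):
        reasons = []
        if len(smtp_hosts[pid]) >= max_smtp_hosts:
            reasons.append(f"SMTP connections to {len(smtp_hosts[pid])} hosts")
        if exec_writes[pid] >= max_exec_writes:
            reasons.append(f"wrote {exec_writes[pid]} executable files")
        if reasons:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    print("signature on original:", signature_scan(SAMPLE_ORIGINAL))
    print("signature on variant: ", signature_scan(SAMPLE_VARIANT))
    print("behaviour flags:      ", behaviour_scan(EVENTS))
```

The thresholds (10 SMTP hosts, 3 executable writes) are arbitrary tuning knobs for the example; the point is that they describe activity rather than bytes, so a recompiled or slightly altered variant does not reset the detector the way it resets a signature database.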

Will we see another large-scale worm such as Code Red or Nimda this year? Or will 2002 be quieter than 2001? TalkBack to me below.
