Infestation: Worms are crawling everywhere

So far this year worms account for eight of the Top-10 computer infections, with AnnaKournikova, Hybris and LoveLetter variants leading the list. It took just four hours for 'Anna' to sweep the Net.
Written by Robert Lemos, Contributor
Four hours. That's how long it took for a glamorous tennis player to become the talk of the Net, for countless companies to shut down their e-mail gateways, and for a new virus to spread across the Atlantic.

At the height of the barrage, the AnnaKournikova virus--which took the pernicious form of a "worm" attachment--was included in one of every 106 e-mails that arrived at the gateway of e-mail service provider MessageLabs. It saw almost 20,000 copies of the worm in a week.

"It blew up that day," said Mark Sunner, chief technology officer of the Gloucester, U.K., company. "We saw a bell curve around the working hours...It sat in a critical mass of in-trays and, when people came to work, it kicked off."

Computer worms are not ordinary viruses. Their ability to spread quickly across the Internet has made worms the weapon of choice for malicious vandals to spread their latest creations. Furthermore, the programs can be easily copied and changed, and point-and-click tools to create complex worms are readily available, increasing their popularity.

In fact, of the annual 10 most widespread infections, worms accounted for half in 2000, sharing the No. 1 honors with macro viruses, according to security site SecurityPortal. And early indications in January and February suggest that worms will account for at least eight of the top 10 slots in 2001, with AnnaKournikova, Hybris and LoveLetter variants leading the list.

Though creating such programs in the past may have required some technical knowledge and, possibly, a mentor in the virus-writing underground, today anyone can download applications from the Internet to do the work for them. The VBS Worm Generator--the program responsible for creating the AnnaKournikova virus--has been downloaded more than 15,000 times from one popular site, VX Heavens, according to that site's administrator.

"These kits are very easy to use and can be found by anyone who knows how to use a search engine," said Max Vision, a security-conscious hacker who edits the security site Whitehats.

The worms created with such generators can vary from benign mass mailers that clog e-mail gateways to vicious code that is the equivalent of the Ebola virus to computers. What differentiates these two extremes is what the author throws into the mix. Yet no matter the payload, worms deliver quickly.

Worms...can proliferate extremely fast through a network," said Ken Dunham, senior analyst for SecurityPortal. "This is especially true when one considers the fact that the average user knows very little (about) computer technology and commonly practices unsafe computing methods, such as blindly opening any attachment within an e-mail."

Originally coined in a 1982 paper by researchers John Shoch and Jon Hupp of the Xerox Palo Alto Research Center, the term "worm" is derived from "The Shockwave Rider," a 1972 science-fiction novel about the downfall of an Orwellian society caused, to some degree, by a "tapeworm" program that liberated data as it proliferated through networks.

Shoch and Hupp had needed a way to automate the installation of Ethernet-performance measuring tools on more than 100 computers at Xerox PARC, so they turned to a class of programs that could send and install themselves across the network. The programs installed quickly, could be updated and ran automatically.

"What we called the worm is a kind of distributed computation that is a really interesting and powerful thing," said Shoch, now a general partner at venture capital firm Alloy Ventures in Palo Alto, Calif.

But to the pair's dismay, when their program developed a bug, the bad code automatically spread across the network as well.

"The worm would quickly load its program into (the computer); the program would start to run and promptly crash, leaving the worm incomplete--and still hungrily looking for new (computers)," Shoch and Hupp wrote in a 1982 paper on the experiments with that and other self-spreading programs.

"The embarrassing results were left for all to see: 100 dead machines scattered about the building."

The computer worm was born.

Anatomy of a worm
Later, worms quickly fell into two categories. Some camouflage themselves as interesting e-mail attachments. When such an attachment is opened, the worm executes, spreading itself in a burst of e-mail. Then the programs can infect systems and mail themselves to every name listed in the computer's address book.

The Christmas Tree virus was perhaps the first worm on a worldwide network, spreading across BITNET--an IBM-only precursor to the Internet--in December 1987. Many of today's worms, such as Melissa, LoveLetter and AnnaKournikova, take a page from the Christmas Tree book.

Other worms need no human interaction, infecting computers that have certain security flaws and then using the new host to scan for more computers with the same flaw.

These worms are modeled after the Cornell Internet Worm, which overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet, in November 1988. The worm, which exploited flaws in Unix systems, was written and released by Robert T. Morris, a Cornell University graduate student.

Two recent worms, W95/Bymer and the Linux Ramen worm, can spread to other computers without any person's interaction. And worms are getting trickier with each incarnation.

Hybris uses encrypted plug-ins to update itself and monitors the infected computer's network connection to find e-mail addresses to which it can send itself. The Linux Ramen worm, formed of several hacking tools, spreads much like the Cornell Internet Worm by taking advantage of holes in servers.

W95/Bymer spread by finding unprotected shared drives on Windows computers. Once it infected a computer, it would run a distributed computing client to take part in a contest hosted by Distributed.net to break an encryption code. A second variant entered the contest as a different user, and the two worms would fight over computer systems.

Such tricks will become standard fare as toolkit writers incorporate such tactics into the latest worm generator application. At least one author of such a program, [K]alamar, the 18-year-old Argentinian programmer who created the VBS Worm Generator, hopes that others will learn from his toolkit.

"I've made that tools coz i've learned to code," he said in a recent e-mail. "...and i want other people to learn like me."

[K]alamar refused to remove the tool from his site, despite the spread of the AnnaKournikova worm, and has since released a second version of the program. Previously, another virus writer--who also used the name Kalamar and had the tool on his site--claimed to be the author of the code.

Toolkits such as [K]alamar's are a long tradition in the virus-exchange, or VX, underground. As a result, techniques for creating the latest worms are quickly being passed between writers.

Another factor: Many worms are written in one of several scripting languages, which can be read by even semi-knowledgeable virus writers and changed to release variants mere hours after a major virus epidemic. Virus writers latched onto LoveLetter, for example, which struck in May 2000, and have cranked out more than 40 variants to date.

Fighting back
Companies and antivirus software makers are looking for answers to stave off future worm attacks.

Companies will typically filter e-mail attachments at their gateways--the corporate connections to the Internet. A common part of this defense is to try to beat worms at their own game by distributing new virus detection faster than the viruses can spread. However, if a new virus does not match any of the types contained in the filtering software's definitions, the scanner will not flag the attachment as malicious code.

To address this problem, Symantec and IBM have teamed to create what they call a "Digital Immune System." By responding to the first new infection and pushing any new scanning definitions and software to all their customers, the companies hope to protect computers before a worm attack can peak.

Other efforts, which hope to catch worms at an even earlier stage, seek to block the malicious behavior of computer viruses. But these efforts have a long way to go.

The AnnaKournikova virus, a worm written in Visual Basic Script, spread worldwide despite being quite similar to LoveLetter and other recent, lesser-known worms. One independent antivirus researcher, who asked not to be named, said the worm was so effective because some antivirus manufacturers--most notably Symantec--failed to detect the creation of the VBS Worm Generator right away.

The fact that worms can spread so easily should have every person using the Internet just a little paranoid, said Whitehats' Max Vision.

"Although most worms are benign, they demonstrate serious vulnerabilities," he said. "There are many worms propagating through the networks constantly."

That's not the only worry, said Cary Nachenberg, chief researcher for Symantec. With so many worms on the Internet, the chance that they could start interacting with each other has grown.

"These sorts of complex systems can create their own emergent behavior," he said. "Many have already caused effective denial-of-service attacks because of bandwidth consumption."

What's next? Nachenberg doesn't know, but he said it won't be good.

"It's the sort of thing that scares me," he said.

Editorial standards