Recon worms on the way, experts say

Viruses that reconnoiter your computer for flaws before they attack are expected to become more common.

Security experts are warning that vulnerability assessment worms, which check computers for security flaws and relay the information back to the author, are likely to become more of a threat.

James Kay, the chief technology officer at e-mail security company BlackSpider Technologies, said last week that vulnerability assessment worms are quite rare at the moment. However, their number will probably increase as virus writers focus their attacks more carefully and try to avoid detection, he said.

"We haven't seen many of them so far, but it's an example of a trend that could accelerate," Kay said. "The idea of reconnaissance fits our view that worms are becoming lower volume and more targeted. In order to produce targeted attacks this information (about the computer's vulnerabilities) would be useful."

The code in vulnerability assessment worms will be different than the code found in flaw scanners such as the open-source Nessus. The worms are also likely to change periodically, as the author remotely alters the malicious code, Kay said.

"The code (that) people write for assessing vulnerabilities is normally quite big and quite heavyweight," he said. "These worms will be smaller and stealthier. They will only look for a small number of vulnerabilities and will change over time."

Bruce Schneier, the chief technology officer at Counterpane Internet Security, also spoke of the risk of vulnerability assessment worms in a blog posting early last week. He suggested that worms such as SpyBot.KEG, which security firm Secunia first reported in February, will become more common in the future.

"In 2005, we expect to see ever more complex worms and viruses in the wild, incorporating complex behavior: polymorphic worms, metamorphic worms and worms that make use of entry-point obscuration. For example, SpyBot.KEG is a sophisticated vulnerability assessment worm that reports discovered vulnerabilities back to the author via IRC channels," Schneier wrote.

But F-Secure was less concerned about the threat of worms that assess vulnerabilities. "We have seen a couple of them, but I wouldn't say it's a big issue at the moment," said Mikael Albrecht, a product manager at the Finnish security-software maker.

Security companies have been talking for a number of months about the change in viruses from sudden-impact viruses, such as the Slammer worm, to slow-burning worms where the focus is on avoiding detection.

Viruses are often used to make money nowadays, so avoiding detection is important to virus writers to increase the chance of picking up financial information, BlackSpider's Kay said.

"What virus writers don't want is to alert people to what they're doing. The longer (the malicious code) is there, the more likely they are to pick up something interesting. If someone patches soon after they're infected, the virus writers are less likely to pick up bank details," Kay said.

Ingrid Marson of ZDNet UK reported from London.