Spying worms likely to proliferate

Worms that scan for vulnerabilities in your computer are expected to become more common, as virus writers plan more targeted attacks

Security experts have warned that vulnerability assessment worms, which assess computers for security flaws and relay the information back to the author, are likely to become more of a threat.

James Kay, the chief technology officer of Blackspider, said on Friday that vulnerability assessment worms are quite rare at the moment, but their number will probably increase as virus writers focus their attacks more carefully and try to avoid detection.

"We haven't seen many of them so far, but it's an example of a trend that could accelerate," said Kay. "The idea of reconnaissance fits our view that worms are becoming lower volume and more targeted. In order to produce targeted attacks this information [about the computer's vulnerabilities] would be useful."

The code in vulnerability assessment worms will be different to the code found in vulnerability scanner products, such as the open source vulnerability scanner Nessus. The worms are also likely to change periodically, as the author of the worm remotely changes the code in the worm, according to Kay.

"The code people write for assessing vulnerabilities is normally quite big and quite heavyweight," said Kay. "These worms will be smaller and stealthier. They will only look for a small number of vulnerabilities and will change over time."

Bruce Schneier, the chief technology officer of security firm Counterpane Internet Security, also spoke of the risk of vulnerability assessment worms in a blog earlier this week. He suggested that worms like SpyBot.KEG, which Secunia first reported in February, will become more common in the future.

"In 2005, we expect to see ever more complex worms and viruses in the wild, incorporating complex behaviour: polymorphic worms, metamorphic worms, and worms that make use of entry-point obscuration. For example, SpyBot.KEG is a sophisticated vulnerability assessment worm that reports discovered vulnerabilities back to the author via IRC channels," said Schneier.

But F-Secure was less concerned about the threat of worms that assess vulnerabilities. "We have seen a couple of them, but I wouldn't say it’s a big issue at the moment," said Mikael Albrecht, a product manager at F-Secure.

Security firms have already been talking for a number of months about the change in viruses from sudden impact viruses, such as the Slammer worm, to slow-burning worms where the focus is on avoiding detection.

Viruses are often used to make money nowadays, so avoiding detection is important to virus writers to increase the chance of picking up financial information, according to Kay from Blackspider.

"What virus writers don't want is to alert people to what they're doing. The longer it [the malicious code] is there, the more likely they are to pick up something interesting. If someone patches soon after they're infected, the virus writers are less likely to pick up bank details," said Kay.