Real Can of Worms
code, vicious virus and virtuosic hackers are making the Internet
a minefield for users, and experts say it’s only going to
How much do you trust your computer? How sure are you that
while you click your way through e-mails and Web pages that
it’s communicating with the rest of the world the way you
intend it to?
How do you know it’s not logging your keystrokes for some
hacker in Kazakhstan to steal your passwords? That it’s not
sending out spam or spreading a worm?
I’m not so sure I trust mine all that much. Despite a firewall,
two anti-spyware programs, a pop-up blocker, automatic updates
to my antivirus software and automatic downloads of Microsoft
security patches, I can’t help but wonder whether somebody
somewhere has wormed their way into my computer.
Internet worms pose a serious threat to networks and home
users, and the nasty little creatures are becoming better
at what they do. According to the latest Internet Security
Threat Report from Symantec, malicious code that can expose
confidential data increased dramatically over the second half
Plus, newly discovered vulnerabilities in Microsoft Windows
are becoming increasingly severe and easy to exploit, meaning
that it takes little skill to gain unauthorized access to
critical data in a network or computer.
Unlike computer viruses, worms are self-propagating. They
don’t require the activation of a host file on the infected
PC in order to spread. They often exist in resident memory
rather than on a hard drive, making them difficult to detect
and remove. They frequently hide in Word or Excel documents
as macro commands.
Because worms can spread rapidly, they often clog servers
and pipelines, and the biggest of them can slow Internet traffic
to a crawl and crash network servers. They also can deliver
virus payloads, planting a host file on the targeted computer
before e-mailing themselves across the Internet.
In the second half of 2003, threats to privacy and confidentiality
grew by a whopping 519 percent, and the number of mass-mailer
worms, with their own e-mail engine, increased 61 percent.
Those cute little mass-mailer worms are the ones that send
out the fake e-mails from administrator@fill-in-the-blank-ISP.com,
or take the actual text of an existing message from someone
and use it as the body of an e-mail with an attached virus
that is sent to everyone on the target’s address book. The
use of mailers allows the worm to evade detection by not interacting
with the user’s e-mail system.
Last August, the Internet endured three Category 4 worms (“severe”—the
second highest threat level) in 12 days. Blaster, Welchia
and Sobig.F infected millions of computers around the globe
and may have caused as much as $2 billion in damage.
According to Clive Thompson in the “The E-Infectors,” a story
about underground virus writers in the Feb. 8 issue of The
New York Times Magazine, copies of Sobig.F accounted for
one of every 17 e-mail messages sent across the Internet at
the height of the attack. And copies of Mydoom.A, which hit
in January of this year, accounted for one of every five e-mails.
Hackers like to refine and retool their handiwork, and Sobig
alarmed virus researchers by its methodical development over
six releases, Thompson reported. Each new variant was programmed
to permanently shut down after several days or weeks in what
appeared to be a series of controlled experiments. Sobig.F,
the latest version thus far, installed a back door on victim’s
computers that would allow the programmer to gain control
of it in the future, perhaps for sending spam or stealing
financial information. Experts believe that a new version
of Sobig will be released this year.
And worm writers continue to be more enterprising, giving
online security experts a real headache.
Just two weeks ago, two new worms surfaced with surprising
twists. The first was a new version of the Bagle worm (aka
Beagle) that is activated as soon as a user views an e-mail.
There’s no need to open an attachment. Once the e-mail is
visible in an Outlook preview frame—which comes up automatically
for most Windows users—the worm gets busy. Hidden HTML code
takes advantage of a flaw in Internet Explorer that allows
for the automatic download of a file from a remote Web site.
It can disable certain anti-virus programs and firewalls (though
not the most popular ones) and also seeks out shared folder
files for spreading itself through file-sharing programs.
Currently, the worm simply downloads a version of itself onto
the user’s computer, but that’s subject to change as hackers
work on newer versions of it.
Only two days later, the Witty worm struck with a destructive
payload, a rarity for worms. It was the first worm ever to
enter computers and network systems through vulnerabilities
in a firewall—BlackICE and RealSecure in this case. And it
signalled the fastest turnaround time ever between the disclosure
of a program vulnerability and the appearance of a worm to
exploit it, taking only two days.
The worm infected about 30,000 computers. Once it found a
victim, it would generate 20,000 random IP addresses in an
attempt to propagate itself and then would overwrite 64K of
hard drive with random data. The process then repeated itself,
again and again, methodically destroying the hard drives of
infected computers as it continued to spread.
Most worms and viruses are predictably aimed at Windows and
its Win32 software platform. And most new worms take advantage
of “back doors” opened by previous worms, allowing a certain
type of evolution to occur.
Security experts see a number of troubling possibilities for
future attacks. One is the presence of stealth worms, which
spread at a slower rate by hiding within normal Internet traffic.
The goal is to gain access to computers and systems in order
to unobtrusively harvest data. By not drawing attention to
themselves, they stand less chance of being identified.
Another is the potential emergence of “zero-day” blended threats.
These threats combine the characteristics of viruses, worms
and Trojan horses (malicious programs that masquerade as something
benign) with coding designed to exploit unknown vulnerabilities.
A zero-day outbreak would occur when malicious code is released
before a vulnerability is known, and days before security
patches become available.
Chances are good that some of these worms will wreak major
havoc before it’s all said and done. It’s almost enough to
make you want to give up on the Internet, if such a thing
Instead, it might be a good time to switch to a Mac computer
or Linux as your operating system, or at least get away from
Microsoft Outlook and Internet Explorer by switching to a
program such as Mozilla or Opera.
You might be glad you did.