Information Security News mailing list archives

Fast-spreading code is weapon of choice for Net vandals


From: William Knowles <wk () C4I ORG>
Date: Thu, 15 Mar 2001 10:52:45 -0600

http://news.cnet.com/news/0-1003-201-5125673-0.html?tag=tp_pr

[Couple interesting sidebars in the story to read.  - WK]

By Robert Lemos
Special to CNET News.com
March 15, 2001, 4:00 a.m. PT

Four hours. That's how long it took for a glamorous tennis player to
become the talk of the Net, for countless companies to shut down their
e-mail gateways, and for a new virus to spread across the Atlantic.

At the height of the barrage, the AnnaKournikova virus--which took the
pernicious form of a "worm" attachment--was included in one of every
106 e-mails arriving at the gateway of MessageLabs. The e-mail service
provider saw almost 20,000 copies of the worm in a week.

"It blew up that day," said Mark Sunner, chief technology officer of
the Gloucester, U.K., company. "We saw a bell curve around the working
hours...It sat in a critical mass of in-trays and, when people came to
work, it kicked off."

Computer worms are not ordinary viruses. Their ability to spread
quickly across the Internet has made worms the weapon of choice for
malicious vandals to spread their latest creations. Furthermore, the
programs can be easily copied and changed, and point-and-click tools
to create complex worms are readily available.

In fact, of the annual 10 most widespread infections, worms accounted
for half in 2000, sharing the No. 1 honors with macro viruses,
according to security site SecurityPortal. And early indications in
January and February suggest that worms will account for at least
eight of the top 10 slots in 2001, with AnnaKournikova, Hybris and
LoveLetter variants leading the list.

Though creating such programs in the past may have required some
technical knowledge and, possibly, a mentor in the virus-writing
underground, today anyone can download applications from the Internet
to do the work for them. The VBS Worm Generator--the program
responsible for creating the AnnaKournikova virus--has been downloaded
more than 15,000 times from one popular site, VX Heavens, according to
that site's administrator.

"These kits are very easy to use and can be found by anyone who knows
how to use a search engine," said Max Vision, a security-conscious
hacker who edits the security site Whitehats.

The worms created with such generators can vary from benign mass
mailers that clog e-mail gateways to vicious code that is the
equivalent of the Ebola virus to computers. What differentiates these
two extremes is what the author throws into the mix. Yet no matter the
payload, worms deliver quickly.

"Worms...can proliferate extremely fast through a network," said Ken
Dunham, senior analyst for SecurityPortal. "This is especially true
when one considers the fact that the average user knows very little
(about) computer technology and commonly practices unsafe computing
methods, such as blindly opening any attachment within an e-mail."

Originally coined in a 1982 paper by researchers John Shoch and Jon
Hupp of the Xerox Palo Alto Research Center, the term "worm" is
derived from "The Shockwave Rider," a 1972 science-fiction novel about
the downfall of an Orwellian society caused, to some degree, by a
"tapeworm" program that liberated data as it proliferated through
networks.

Shoch and Hupp had needed a way to automate the installation of
Ethernet-performance measuring tools on more than 100 computers at
Xerox PARC, so they turned to a class of programs that could send and
install themselves across the network. The programs installed quickly,
could be updated and ran automatically.

"What we called the worm is a kind of distributed computation that is
a really interesting and powerful thing," said Shoch, now a general
partner at venture capital firm Alloy Ventures in Palo Alto, Calif.

But to the pair's dismay, when their program developed a bug, the bad
code automatically spread across the network as well.

"The worm would quickly load its program into (the computer); the
program would start to run and promptly crash, leaving the worm
incomplete--and still hungrily looking for new (computers)," Shoch and
Hupp wrote in a 1982 paper on the experiments with that and other
self-spreading programs.

"The embarrassing results were left for all to see: 100 dead machines
scattered about the building."

The computer worm was born.

Worm evolution

Later, worms quickly fell into two categories. Some camouflage
themselves as interesting e-mail attachments. When such an attachment
is opened, the worm executes, spreading itself in a burst of e-mail.
Then the programs can infect systems and mail themselves to every name
listed in the computer's address book.

The Christmas Tree virus was perhaps the first worm on a worldwide
network, spreading across BITNET--an IBM-only precursor to the
Internet--in December 1987. Many of today's worms, such as Melissa,
LoveLetter and AnnaKournikova, take a page from the Christmas Tree
book.

Other worms need no human interaction, infecting computers that have
certain security flaws and then using the new host to scan for more
computers with the same flaw.

These worms are modeled after the Cornell Internet Worm, which
overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of
those connected to the early Internet, in November 1988. The worm,
which exploited flaws in Unix systems, was written and released by
Robert T. Morris, a Cornell University graduate student.

Two recent worms, W95/Bymer and the Linux Ramen worm, can spread to
other computers without any person's interaction. And worms are
getting trickier with each incarnation.

Hybris uses encrypted plug-ins to update itself and monitors the
infected computer's network connection to find e-mail addresses to
which it can send itself. The Linux Ramen worm, formed of several
hacking tools, spreads much like the Cornell Internet Worm by taking
advantage of holes in servers.

W95/Bymer spread by finding unprotected shared drives on Windows
computers. Once it infected a computer, it would run a distributed
computing client to take part in a contest hosted by Distributed.net
to break an encryption code. A second variant entered the contest as a
different user, and the two worms would fight over computer systems.

Such tricks will become standard fare as toolkit writers incorporate
these tactics into the latest worm generator application. At least one
author of such a program, [K]alamar, the 18-year-old Argentinian
programmer who created the VBS Worm Generator, hopes that others will
learn from his toolkit.

"I've made that tools coz i've learned to code," he said in a recent
e-mail to CNET News.com. "...and i want other people to learn like
me."

[K]alamar refused to remove the tool from his site, despite the spread
of the AnnaKournikova worm, and has since released a second version of
the program. Previously, another virus writer--who also used the name
Kalamar and had the tool on his site--claimed to be the author of the
code.

Toolkits such as [K]alamar's are a long tradition in the
virus-exchange, or VX, underground. As a result, techniques for
creating the latest worms are quickly being passed between writers.

Another factor: Many worms are written in one of several scripting
languages, which can be read by even semi-knowledgeable virus writers
and changed to release variants mere hours after a major virus
epidemic. Virus writers latched onto LoveLetter, for example, which
struck in May 2000, and have cranked out more than 40 variants to
date.

Putting up a fight

Companies and antivirus software makers are looking for answers to
stave off future worm attacks.

Companies will typically filter e-mail attachments at their
gateways--the corporate connections to the Internet. A common part of
this defense is to try to beat worms at their own game by distributing
new virus detection faster than the viruses can spread. However, if a
new virus does not match any of the types contained in the filtering
software's definitions, the scanner will not flag the attachment as
malicious code.
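The limitation described in the paragraph above, shown as an added example (not code from the article, MessageLabs, or any antivirus vendor): a toy e-mail gateway filter with two stages. The first stage is definition-based, matching an attachment's hash against a list of known worm bodies; a variant that differs by a single byte slips past it, which is the gap the article describes. The second stage is a content-agnostic attachment policy that blocks script-type attachments and disguised double extensions regardless of whether a definition exists yet. All attachment bodies, filenames, and the definition entry are constructed placeholders, and the hash-based "definition" stands in for whatever a real scanner's signatures look like.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Extensions that Windows executes as a script or program when opened.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "bat", "cmd", "exe", "scr", "pif"}
# Extensions a recipient expects to be harmless data.
DATA_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "xls", "pdf", "mp3"}


@dataclass(frozen=True)
class Attachment:
    filename: str
    body: bytes


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    reason: str


def fingerprint(body: bytes) -> str:
    """Definition-style fingerprint: a hash of the whole attachment body (assumption
    for this example; real scanners use more flexible signatures)."""
    return hashlib.sha256(body).hexdigest()


def signature_scan(att: Attachment, definitions: dict[str, str]) -> Verdict:
    """Stage 1: flag only attachments that match a definition already distributed."""
    name = definitions.get(fingerprint(att.body))
    if name:
        return Verdict(True, f"signature match: {name}")
    return Verdict(False, "no signature match")


def policy_scan(att: Attachment) -> Verdict:
    """Stage 2: attachment-type policy that needs no knowledge of the specific worm."""
    parts = att.filename.lower().split(".")
    if len(parts) < 2:
        return Verdict(False, "policy: no extension")
    ext = parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        # "photo.jpg.vbs" style names: a script pretending to be a data file.
        if len(parts) >= 3 and parts[-2] in DATA_EXTENSIONS:
            return Verdict(True, f"policy: script disguised with double extension (.{parts[-2]}.{ext})")
        return Verdict(True, f"policy: executable attachment type .{ext}")
    return Verdict(False, "policy: allowed type")


def gateway_filter(att: Attachment, definitions: dict[str, str]) -> Verdict:
    """Run definitions first (gives a precise name), then fall back to the policy."""
    verdict = signature_scan(att, definitions)
    if verdict.blocked:
        return verdict
    return policy_scan(att)


# Constructed sample data: a stand-in "known worm" body and a one-byte variant.
KNOWN_WORM = b"' constructed placeholder for a known script worm body\r\nMsgBox \"sample\"\r\n"
VARIANT = KNOWN_WORM.replace(b"sample", b"sample2")
DEFINITIONS = {fingerprint(KNOWN_WORM): "VBS/Constructed.A"}  # constructed definition name

SAMPLES = [
    Attachment("photo.jpg.vbs", KNOWN_WORM),   # caught by definitions
    Attachment("photo2.jpg.vbs", VARIANT),     # misses definitions, caught by policy
    Attachment("update.exe", b"MZ..."),        # plain executable, caught by policy
    Attachment("holiday.jpg", b"\xff\xd8\xff"),  # ordinary data, allowed
]


def run_samples() -> dict[str, Verdict]:
    """Filter every constructed sample and return the verdict per filename."""
    return {att.filename: gateway_filter(att, DEFINITIONS) for att in SAMPLES}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} {'BLOCK' if verdict.blocked else 'ALLOW'}  {verdict.reason}")
```

The point of the two stages is that they fail independently: the definition stage is exact but blind to anything it has not yet seen, while the policy stage is coarse but holds during the hours between a new variant's release and the next definition push, which is exactly the window the article says the worms exploit.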

To address this problem, Symantec and IBM have teamed to create what
they call a "Digital Immune System." By responding to the first new
infection and pushing any new scanning definitions and software to all
their customers, the companies hope to protect computers before a worm
attack can peak.

Other efforts, which hope to catch worms at an even earlier stage,
seek to block the malicious behavior of computer viruses. But these
efforts have a long way to go.

The AnnaKournikova virus, a worm written in Visual Basic Script,
spread worldwide despite being quite similar to LoveLetter and other
recent, lesser-known worms. One independent antivirus researcher, who
asked not to be named, said the worm was so effective because some
antivirus manufacturers--most notably Symantec--failed to detect the
creation of the VBS Worm Generator right away.

The fact that worms can spread so easily should have every person
using the Internet just a little paranoid, said Whitehats' Max Vision.

"Although most worms are benign, they demonstrate serious
vulnerabilities," he said. "There are many worms propagating through
the networks constantly."

That's not the only worry, said Cary Nachenberg, chief researcher for
Symantec. With so many worms on the Internet, the chance that they
could start interacting with each other has grown.

"These sorts of complex systems can create their own emergent
behavior," he said. "Many have already caused effective
denial-of-service attacks because of bandwidth consumption."

What's next? Nachenberg doesn't know, but he said it won't be good.

"It's the sort of thing that scares me," he said.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".