Little Bugs and Big Nasty Worms

Published Dec 11, 2003

Our computers are bombarded with malicious viruses and huge amounts of spam e-mails every day. And despite the high level of attention from law enforcement and security experts, we are not gaining ground on the hackers and dubious marketing operations that are behind this; in fact, they seem to be pulling ahead. So what can we do to stop the attacks?

RE: Wicked Screensaver
This fall, electronic mailboxes all over the world started filling up with messages regarding "Re: Wicked screensaver", "Re: Your application", "Thank you!", or containing similar, seemingly innocuous subject lines, and a body text urging the recipient to "see enclosed file for details." The sender could be someone you knew, or some arbitrary, but valid and real, e-mail address. The mail included an attachment, corresponding to the subject line, which could be opened by the customary click. And many people did.

They were, of course, unaware that the attached file was in reality a virus, known as SoBig F, or more correctly, W32.Sobig.F@mm. This particular little critter is a mass-mailing worm that sends itself to all the email addresses it finds in the files on your computer with certain extensions, including .txt, and .html – common file extensions that characterize text documents and html files respectively. It uses a technique known as "email spoofing;" the worm randomly selects an address it finds on an infected computer and sends itself to that address.

SoBig F spread like wildfire, using its own built-in SMTP engine (SMTP is the protocol your mail program uses to send e-mail) to propagate. It travelled across the globe with blinding speed, annoying users and infecting computers until it self-destructed on September 10th. This was a built-in feature of the virus, so after this date the virus no longer spread itself. It did, however, contain other features that have not shut down.
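The article describes the Sobig.F pattern from the receiving end: a familiar-looking subject line, a body urging you to "see enclosed file for details", an attachment, and a forged sender taken from addresses harvested on an infected machine. The following is an added example, not code from the article or from Symantec, showing how a mail gateway could triage such messages on exactly those signals. The subject lines and lure phrase are the ones the article quotes; the list of executable attachment types, the sender and recipient addresses, the file names and the function names are assumptions made for the example.

```python
import os
from typing import Optional
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines the article reports for the Sobig.F wave (compared case-insensitively).
WORM_SUBJECTS = {"re: wicked screensaver", "re: your application", "thank you!"}
# Body text the article says urged the recipient to open the attachment.
LURE_PHRASE = "see enclosed file for details"
# Attachment types treated as executable. This list is an assumption for the example,
# not something the article specifies.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}


def triage(raw_message: bytes) -> dict:
    """Classify one raw RFC 822 message as deliver / review / quarantine.

    The sender address is deliberately not used as a signal: the article notes the
    worm forges it from addresses harvested on infected machines, so it looks legitimate.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flags = []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in WORM_SUBJECTS:
        flags.append("known-worm-subject")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    if LURE_PHRASE in body:
        flags.append("lure-phrase")

    for part in msg.iter_attachments():
        ext = os.path.splitext((part.get_filename() or "").lower())[1]
        if ext in EXECUTABLE_EXTENSIONS:
            flags.append("executable-attachment")
            break

    # An executable attachment alone is only suspicious; combined with a lure signal
    # it matches the mass-mailer pattern and is held. A familiar subject on its own
    # ("Thank you!") is ordinary mail and is delivered.
    if "executable-attachment" in flags and len(flags) > 1:
        verdict = "quarantine"
    elif "executable-attachment" in flags:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "flags": flags}


def build_sample(subject: str, body: str, attachment_name: Optional[str] = None) -> bytes:
    """Build a constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # looks like someone you know, as the article describes
    msg["To"] = "you@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # A few bytes standing in for the attachment payload; no real executable is used.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one worm-style lure, one legitimate report, one ordinary
# "Thank you!" note, and one executable attachment without any lure text.
SAMPLES = {
    "worm_lure": build_sample("Re: Wicked screensaver",
                              "Please see enclosed file for details.", "details.pif"),
    "spreadsheet": build_sample("Quarterly figures", "Numbers attached.", "figures.xls"),
    "plain_thanks": build_sample("Thank you!", "Thanks for coming yesterday."),
    "bare_exe": build_sample("Setup", "Installer attached.", "setup.exe"),
}


def run_samples() -> dict:
    """Return the verdict for each constructed sample."""
    return {name: triage(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {triage(raw)}")
```

The design choice worth noting is what is not checked: because the article explains that the From address is forged from harvested addresses, a filter that trusted or blocked on the sender would be wrong both ways. The verdict is built from content signals only, and a matching subject line by itself never holds mail, since "Thank you!" is a perfectly normal subject.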

One interesting feature of SoBig F is the way it spread. Over a span of maybe ten days, I received over 500 messages carrying the virus. On the first day, every "Wicked Screensaver" e-mail I got was from a lawyer in one of Oslo’s many firms. A few days later, it was media people, and from then on the senders got more diverse. The reason for this strange grouping lies in the way the virus works. Stein Møllerhaug, Senior Consultant at Symantec, and a respected expert on all things viral, explains.

Boom! There goes your computer!
A virus, according to the widely renowned expert Fred Cohen, can be described as "a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself". The metaphor is obvious – viruses in the human body behave in much the same way, and both kinds of viruses tend to spread in a similar fashion. Computer viruses don’t have to cause damage to fall under the definition, and many, such as SoBig F, are more of an annoyance than anything else. But there are worse creatures, and one of them is known as Blaster.

The worm, known by the virus experts as W32.Blaster.Worm, first reared its ugly head on August 11th, infecting not through e-mail, but by exploiting a vulnerability in Windows. Its main payload was to make the infected computer repeatedly call up a Microsoft website, in what is known as a Denial of Service attack – like a mindless bunch of vandals attacking a store. In addition, the worm caused computers to reboot frequently or disrupted users’ Internet browsing, which was annoying to most and dangerous to some. Even though this was not a virus that destroyed huge amounts of data, "practical software jokes" like this can be very dangerous. Just imagine a hospital computer housing a life support system or handling patient records being shut down like this – it could easily create a life-threatening situation for many patients.

Thankfully, Microsoft are not the only software makers to write bad code; the Blaster virus attacked, which was the wrong address for the Microsoft website that offers downloads for software patches. The correct address is, and since Microsoft had long been redirecting from the incorrect address to the real site, they only had to stop the redirect to cancel the threat. So Blaster did not have the crippling effect on Microsoft’s network, or on the Internet, that it could have had.

Love letters and tennis players
Malicious software takes many shapes. A lot of them spread through e-mail, camouflaged in cloaks of spam mail, or using the address books of infected computers, masquerading as legitimate senders. This last technique was used to great effect by the "I love you" virus that ran rampant in 2001. Since people thought they were getting e-mail from someone they knew, they opened the attachment, and unleashed a worm that destroyed the content on their hard disks by overwriting files and replacing them with copies of itself.

Another virus preyed on people’s voyeuristic tendencies by promising exciting images of the biggest sex symbol in the world of tennis. Kournikova, or VBS.SST@mm, as it is known to security professionals, spread in the same way as "I love you", and came with an attachment purporting to be a picture of the tennis star. Infected computers spread the virus through Outlook, but did little damage except clogging mailboxes and exposing the sender as a lecher. But if this virus had been carrying a more devastating payload, the damage could have been extensive.

More trouble every day
Viruses are spreading faster than we can stop them. 450 new viruses and variations on old ones are identified each month, and the speed of cyberattacks has also accelerated dramatically, with a rapidly shrinking window of opportunity for patching systems after a breach is announced. Gerhard Eschelbeck, CTO and vice president of engineering at Qualys, told Wired Magazine recently that, "Slammer came out six months after the vulnerability that it exploited was announced. Nimda appeared four months after a vulnerability announcement, Slapper took six weeks to arrive and Blaster came out just three weeks after news of the vulnerability that it attacked." We can expect this rate to soon come down to days or hours.

One reason for the exponential growth in the number of new viruses and their accelerating "time to market" lies with software that is released to consumers too quickly and is designed for features and functionality rather than security. In the software business, speed is king, and operating systems and large computer programs are so complex that it is next to impossible to ensure that they are bug-free upon release. But this is not the whole picture. A big reason for the proliferation of viruses is that users just don’t think it can happen to them.

Slow learners
The problem is that people do not seem to learn how to protect themselves. They keep opening attachments, infecting computers and spreading the virus to others. "Viruses spread like wildfire partly because most people do not believe they will be infected," says Stein Møllerhaug. He believes there is only one solution to the problem. "We can’t expect aunt Agatha to be able to handle virus prevention on her own," he says. "People who have never experienced virus infection – or don’t know that they have been infected – don’t have the motivation or the knowledge to take appropriate measures. Internet Service Providers have to start scanning for viruses on their servers and in their networks. This will take care of 99% of the malicious attacks," he says, "The remaining percentage will have to be fixed through security updates."

The problem with ISPs scanning and blocking viruses is that some people, especially experienced users, don’t like the idea of having providers infringing on their freedom to control their own computer security. Møllerhaug thinks this is a minor obstacle. "ISPs can let users opt out on centralized scanning if they wish," he says.

According to Møllerhaug, the issue has been raised by several major ISPs. "Some are considering this solution, and at least one provider has already started scanning user accounts and traffic." The consequences of not adopting this approach could be dire. The lack of direct, concerted action leaves a huge threat unchecked. Møllerhaug spells it out: "You can cripple the entire Internet from one home PC. And remember, not all viruses are spread via e-mail. Exploitation of the TCP and UDP port systems can cause a lot of damage. Infected PCs are moved from one network to another, bringing viruses and infecting from the inside." And with the huge increase in bandwidth for consumers, the amount of traffic – including worms and other destructive code creatures – is exploding.

Instantly outdated
As I write this, the latest virus threat registered on Symantec’s web site is W32.Yaha.AB@mm, a worm that uses its own SMTP engine to email itself to all contacts in the Outlook Address Book, MSN Messenger, .NET Messenger, ICQ Pager, and all files whose extensions contain the letters HT. It performs Denial of Service attacks through several ports. It can wreak considerable havoc, but does not make the list of top virus threats. Here the two leaders are the worms Welchia and Blaster – related in style and payload, and both distributed widely across the Internet and connected networks. One thing is certain: As you read this, this last paragraph will be hopelessly outdated. I hope you are taking the necessary precautions.
