Worms in the Mist:
The trends in the development and deployment of worms
Abstract
Worms have become extremely virulent over the last several years. This is due to human trends and changes in the motivations behind the creation and deployment of worms, from an anarchistic model to a financially driven one. These motivators in turn have changed the methods employed by worm writers when writing the underlying code. The changes have affected the three main components of a worm: target selection, which now generates attack lists focused on specific targets; propagation methods, which focus on speed of delivery by utilising multiple exploits; and payloads, which now have the ability to steal information. The changes in the motivators and the evolution of this worm code warrant investigation and discussion.
Keywords
Worms, Malicious Code, Future Trends
1. INTRODUCTION
Code Red, Code Red 2, Nimda, Blaster, Sasser. All of these and other such worms often instil fear in the systems administrator and everyday user. A worm is a variety of malicious code that Weaver et al. (2003) define as a self-propagating program that moves across a network exploiting security or policy flaws in widely used services. This ability to self-propagate between victims is what differentiates a worm from a virus. Weaver et al. also distinguish between worms and viruses by highlighting that user interaction is not required for the worm to spread. For the purposes of this paper the same approach will be taken to identifying worms. To many users’ dismay the self-propagating abilities of worms have enabled this malicious code to spread rapidly, infect networks and consume computing resources. This process is often instigated through operating system flaws and through popular services such as web and email, as was the case with the original worm, the Morris Worm. Launched on November 2, 1988, this worm utilised a well-known flaw in the Sendmail service, infecting approximately 10 percent of systems connected to the Internet (Gebhart, 2004), with the resultant damages estimated to be between 10 and 100 million dollars (Wikipedia, 2005). The negative impact of the Morris Worm has been replicated with ever-increasing ferocity through worms such as Code Red and Sasser, impacting millions of systems and resulting in billions of dollars in damages (BBC, 2001). In addition to the financial costs, such worms also drain other resources such as time and manpower and can have a negative emotional impact on their human victims.
The increasing occurrence and severity of worm development and deployment stem from changing motives, as they move away from anarchistic objectives to more targeted and financially oriented aims. This has led to a more sophisticated approach toward target selection, propagation and payloads, resulting in worms that are more aggressive and purposeful. The burgeoning costs resulting from these changes in the use of worms necessitate an analysis of how these trends have evolved, in order to reach a higher level of understanding of the future directions of these types of attacks.
2. HUMAN AND MOTIVATIONAL TRENDS
Trend: Personal Challenge to Personal Gain
When worms made their first appearance they were predominantly developed and deployed by students and knowledgeable recreational computer users, often simply as a means to challenge their abilities at creating malicious code, as was the case with the Morris Worm (Wikipedia, 2005). Developed by graduate student Robert T. Morris, the worm was created in order to test the possibility of such an attack being carried out. While the creation of malicious code still holds significant appeal for those seeking out a personal challenge, there has been a growing number of programmers, both amateur and professional, who are generating worms not as a means of challenging their abilities but rather for financial and other material gains (Lemos, 2005). One of the most recent examples of this trend is the case of the Zotob worm, which was created by Farid Essebar, a Moroccan student, in August 2005 in exchange for money (Lemos, 2005).
Trend: Increased Accessibility, Decreased Costs
Since the release of the first worm in 1988 many more have been developed, partly due to the opportunities provided by increased accessibility to improved technologies and the greater connectivity resulting from the significant technological strides made over the past two decades. Advancements such as high-speed Internet, improved application development environments and more efficient hardware have enabled programmers to develop and execute worms with speed and efficiency. This increased accessibility has been accompanied by a growing stock of knowledge, including more educational opportunities and access to an ever-expanding supply of code from previous worms, enabling improvements to be made in the development of this malicious code. When these developments combine with decreased costs, the scope of potential perpetrators greatly expands. The introduction of wireless technologies (Bluetooth, WiFi), mobile devices (cellular telephones) and portable computing solutions (PDAs, ultra-light notebooks) may also contribute not only to increased accessibility but also to the potential for anonymity. The ability to anonymously access other systems from the most opportune location translates into a decreased risk of exposure. This in turn increases the appeal of perpetrating attacks through malicious code, including worms, and, as such, the number of people willing to execute these types of attacks may grow with the further development of these technologies.
Trend: Anarchic Disruption to Targeted Crime
Originally worms were used primarily as a tool for societal disruption, such as inhibiting information flows, and also as a means of protest, for example the Mawanella worm that was created in 2001 as a protest against violence in Sri Lanka (Sophos Plc, 2001). While worms are still used for these purposes, as illustrated by the Sober-P worm that caused infected computers to distribute political spam (BBC, 2001), there is also now a growing trend toward malicious code for profit. Due, at least in part, to the aforementioned trends toward personal gain and increased accessibility to technology, the use of worms in white-collar and organised crime is on the rise. Owing to the global proliferation of computing devices there is now ample opportunity to use worms for purposes such as the theft of intellectual property and trade secrets, influencing financial markets and aiding in the theft of banking details. The use of worms in a financially driven and targeted manner has been exemplified by Bugbear.B, a worm that targets information entered locally and records these keystrokes (E. Chen, 2003). This attack was primarily aimed at financial information, demonstrating a growing trend toward using worms for financial gain.
In recent years computer crime has also become more organised as it is increasingly employed by career criminals as a method of attack, often through the use of a third party employed to create malicious code for a specific purpose, as evidenced by the aforementioned case of Farid Essebar and the Zotob worm (Lemos, 2005). Due to the rapid global adoption of technology there is now more incentive for criminal and political groups to incorporate computer crime into their activities, which may result in a growing number of individuals from the IT industry offering their expertise in exchange for payment. Furthermore, because the global community now relies heavily on Internet technologies for its day-to-day functioning, there is an increasing motivation for politically oriented groups to employ malicious code, including worms, as a potential method of persuasion and power gain. One of the ways in which this method of attack may be exploited is through payment to an external third party knowledgeable in the development of worms. The initial stage of this trend has arisen in the Chechen conflict with the release of the Maslan-C worm, which inhibits the websites of Chechen separatists (Leyden, 2004).
A future trend could see an increased use of worms by terrorist groups, particularly those concerned with anti-globalisation and terrorist cells aiming for economic disruption rather than loss of life. Many terrorist groups hold the globalisation phenomenon as their primary concern and therefore aim to inflict large-scale economic damage on those believed to be the perpetrators of capitalist greed at the cost of human rights. Today many corporate organisations operate on an international scale and depend heavily on information technologies, which form the backbone of Western-led globalisation and capitalism. The targeted release of a worm into a corporate environment is an economical and relatively easy mode of attack against globalisation and Westernisation that has the potential to cause widespread damage and wreak havoc on business operations (Weaver et al., 2003).
3. TARGET TRENDS
Trend: Machine Gun to Sniper Fire
When worms were initially developed they were deployed in an ad hoc and rudimentary fashion with chance determining whether or not any specific targets were impacted (Z. Chen, Gao, & Kwiat, 2003). In these instances worms utilised inefficient scanning algorithms which resulted in network congestion and a reduced ability to locate systems that were susceptible to infection, as was the case with the Morris Worm. Another random quality that exists in worms is the way in which the code reaches its targets. The original design of worms takes a random “machine gun” approach to target selection through the use of pre-existing system lists such as /etc/hosts on a Unix-like system and also email addresses from a user’s inbox (Weaver et al., 2003). Although these are valid sources that ensure legitimate hosts are on the receiving end of propagation attempts, the lack of controls on target selection means that a system could be unnecessarily attacked several times.
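The random "machine gun" scanning described above leaves a footprint a defender can look for: one source contacting a large number of distinct addresses, most of which never answer, and re-probing addresses it has already tried. The following added example, which is not code from the paper, computes those per-source statistics over a small set of constructed flow records; the addresses, record layout and thresholds are assumptions chosen for illustration.

```python
"""Scan detection over constructed flow records.

Added illustration for the target-selection discussion (not code from the
paper): a randomly scanning worm contacts many distinct addresses, most of
which never answer, and may probe the same host more than once. Both traits
are visible to a defender in connection logs. The record layout, addresses
and thresholds below are constructed for this example.
"""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, outcome)
# outcome "E" = session established, "F" = no reply or RST (connection failed).
FLOWS = [
    # a normal workstation talking to a handful of internal servers
    ("10.0.0.5", "10.0.0.20", 80, "E"),
    ("10.0.0.5", "10.0.0.21", 443, "E"),
    ("10.0.0.5", "10.0.0.22", 25, "E"),
    ("10.0.0.5", "10.0.0.20", 80, "E"),
    ("10.0.0.5", "10.0.0.23", 445, "F"),   # an occasional failure is normal
]
# an infected host sweeping 10.0.1.0/24 on port 445; only two addresses are live
FLOWS += [("10.0.0.9", f"10.0.1.{i}", 445, "E" if i in (10, 200) else "F")
          for i in range(1, 256)]
# the same host re-probing addresses it already tried (the repeated attacks
# on one system that the paper notes)
FLOWS += [("10.0.0.9", "10.0.1.10", 445, "E"),
          ("10.0.0.9", "10.0.1.1", 445, "F")]


def summarise(flows):
    """Per-source fan-out, failure ratio and repeated-destination count."""
    attempts_by_src = defaultdict(list)
    for src, dst, _port, outcome in flows:
        attempts_by_src[src].append((dst, outcome))
    summary = {}
    for src, attempts in attempts_by_src.items():
        distinct = {dst for dst, _ in attempts}
        failed = sum(1 for _, outcome in attempts if outcome == "F")
        summary[src] = {
            "attempts": len(attempts),
            "distinct_dsts": len(distinct),
            "fail_ratio": failed / len(attempts),
            "repeats": len(attempts) - len(distinct),
        }
    return summary


def suspected_scanners(flows, min_fanout=20, min_fail_ratio=0.8):
    """Sources whose fan-out and failure ratio both exceed the thresholds."""
    return sorted(src for src, s in summarise(flows).items()
                  if s["distinct_dsts"] >= min_fanout
                  and s["fail_ratio"] >= min_fail_ratio)


if __name__ == "__main__":
    for src, s in summarise(FLOWS).items():
        print(src, s)
    print("suspected scanners:", suspected_scanners(FLOWS))
```

The workstation's single failed connection and one repeated destination fall well below both thresholds, while the sweeping host is flagged on fan-out and failure ratio together; requiring both keeps busy but legitimate servers, which have high fan-out but low failure rates, out of the result.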
In the last two years the development of worms has become far more sophisticated in an attempt to eliminate the aforementioned inefficiencies in target selection. Worm authors are now taking a more proactive approach to propagating their code by enhancing the quality of the information that the worm is given for target selection. This has resulted in worms that gather information from a centralised source, allowing the worm to collaborate with threads of itself in order to avoid unnecessarily repeating attacks on unsusceptible systems. This information is exchanged through services such as Internet Relay Chat (IRC), which acts as a regrouping point where the worm may be upgraded and receive new information regarding hosts that have already been attacked. Worm authors are also realising the power that can be harnessed through search engines such as Google, Yahoo and AltaVista. Through these metadata servers valid information can be gathered pertaining to systems with flaws that are known to be advantageous in executing a successful attack. Game servers could also be used for these purposes, providing the worm with valid live exploitable systems (Weaver et al., 2003).
The improvements that have been made in the design of worm code have enabled attacks to be carried out within a more rigidly defined scope that focuses primarily on the intended target, rather than deploying a worm randomly on the basis that it will eventually reach the desired target or targets. In addition to the improvements outlined above, it should also be noted that a future trend may evolve from a recent development in which pre-generated hit lists could be used to create flash worms that have the ability to rapidly strike multiple targets (Vamosi, 2001). Nicholas Weaver has termed this worm model the Warhol Worm, as it has the potential to infect all vulnerable hosts within fifteen minutes of deployment due to the worm’s internal coordination, which allows it to locate infected systems and patch itself more rapidly, all leading to a more virulent attack (Skoudis, 2002).
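The practical consequence of a hit list for the defender is a shorter containment window. The following added example, which is not from the paper, steps the simple random-constant-spread epidemic model used in the modelling literature the paper cites (Z. Chen, Gao, & Kwiat, 2003) and compares the time to 90 percent infection for a single randomly scanning seed against a start from a pre-generated hit list. The vulnerable population size, scan rate and hit-list size are assumed parameters chosen for illustration, not figures from the paper.

```python
"""Time-to-saturation under random scanning versus a pre-generated hit list.

Added illustration (not from the paper) of why hit lists shorten the
defender's containment window. Model: every infected host probes a fixed
number of uniformly random IPv4 addresses per second, and a probe infects a
host with probability (vulnerable - infected) / 2**32. The population size,
scan rate and hit-list size are assumed parameters.
"""
ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random scanner draws from


def time_to_saturate(vulnerable, initial_infected, scans_per_sec,
                     fraction=0.9, max_seconds=24 * 3600):
    """Seconds until `fraction` of the vulnerable population is infected.

    Steps the model one second at a time. Returns None if the threshold is
    not reached within max_seconds.
    """
    infected = float(initial_infected)
    target = fraction * vulnerable
    for second in range(1, max_seconds + 1):
        hit_prob = (vulnerable - infected) / ADDRESS_SPACE
        infected += infected * scans_per_sec * hit_prob
        if infected >= target:
            return second
    return None


def compare(vulnerable=360_000, scans_per_sec=100, hit_list=10_000):
    """Saturation time for one random-scanning seed versus a hit-list start."""
    return {
        "random_scan": time_to_saturate(vulnerable, 1, scans_per_sec),
        "hit_list": time_to_saturate(vulnerable, hit_list, scans_per_sec),
    }


if __name__ == "__main__":
    for name, seconds in compare().items():
        print(f"{name:12s} 90% infected after {seconds / 60:.1f} minutes")
```

With the default parameters the hit-list start reaches 90 percent infection in well under half the time of the single random seed, because the slow initial phase of the epidemic curve, where few hosts are scanning, is skipped entirely. Raising the scan rate compresses both curves, which is the combination the Warhol Worm model relies on.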
4. PROPAGATION TRENDS
Trend: Single Exploit to Multiple Exploits
In the early days of their development worms would utilise a single exploit, ranging from Sendmail bugs to poorly secured network shares to bugs in other common services such as the Finger service and HTTP servers. By exploiting only one weakness the population that is vulnerable to attack shrinks, thus diminishing the potential for widespread disruption, which is in most cases the end goal of a worm release. For example, the Sapphire/Slammer worm ‘exploited a buffer overflow vulnerability in computers on the Internet running Microsoft's SQL Server or MSDE 2000’ (Moore et al., N.D.), which limited its attack capabilities and number of possible targets.
In order to broaden the base of potential targets, worms have been developed that are able to utilise multiple exploits. An example of this is the Nimda worm, which used four exploits as a means of propagation. These four exploits were: ‘file infections, mass e-mail of infected attachments, web server attacks, and LAN propagation via shares’ (Computer Incident Advisory Capability, 2001). While this worm was successful, a notable shortcoming in Nimda’s capabilities was that it only attacked and exploited Microsoft Windows-based machines. This lack of platform independence prevented attacks being carried out on targets with different operating systems such as Unix variants or Mac OS. This is one of many barriers that must be overcome before a truly platform-independent worm can be created.
As worm code continues to evolve a trend may develop in which platform independence becomes a key component to ensure maximum propagation. This could be achieved through the use of a platform-independent language such as Java or even Flash, both of which utilise standardised compilers and libraries. The use of such languages would allow the worm to move between operating systems, thus increasing the rate of infection.
Trend: Acknowledged Exploits to Zero Day Exploits
Since their creation worms have been built in order to exploit known vulnerabilities in systems, with the length of time between the discovery of the flaw and the deployment of the worm shrinking as coding tools become more sophisticated and time-efficient. This reduction in the time between a vulnerability becoming public and a worm exploiting it has been evidenced through the diminishing time-frames involved in the Nimda, Slammer, MS-Blaster and Zotob worms. The Nimda worm was deployed 336 days after the MS00-078 patch was released, while the Slammer worm was deployed 185 days after the MS02-039 patch was released, showing that between the years 2000 and 2002 the ability to rapidly exploit vulnerabilities grew. This timeframe was further shortened by the MS-Blaster worm, which in 2003 took only 26 days to exploit the flaw mitigated by the patch MS03-026, while 2004 saw a further time reduction when the Sasser worm was deployed 17 days after the MS00-078 patch was released. This shrinking timeframe is evidence of a greatly improved ability to rapidly develop worms using more sophisticated development tools (Gruber, N.D.).
As the time it takes to deploy a worm in response to a vulnerability continues to shrink, the potential destructive impact of worms is heightened. Worms such as Zotob (Lemos, 2005), which took only 5 days from exploit to implementation, demonstrate a growing trend towards worms that, rather than simply focusing on an exploit, are more concerned with targeting the most recent exploits. This is building up to the possibility that someone may discover an exploit and implement it in a worm before the general computer security community is made aware of its existence. Since this type of attack targets a flaw that does not yet have a security patch, the potential to cause widespread damage increases dramatically, as far more systems would be vulnerable to infection.
Trend: Laissez-faire to Stealth
To date worm code has been moderately easy to decipher and reverse-engineer in order to impede attacks and propagation. This is because a majority of worm creators take a laissez-faire approach to protecting their source code, either because they do not yet have the capability to encrypt and guard against reverse engineering or because their purposes do not require the aforementioned defence mechanisms. In the future worms may be developed that are more covert in their attack and propagation in order to increase the length of time it takes to reverse-engineer the code, so as to increase the lifespan of the worm. Such methods may include polymorphism, whereby the worm changes its signature between propagation attempts, making detection and analysis more difficult, which in turn increases the difficulty of engineering a security patch. Worms that are obscured by encryption may also be developed, with the encryption disguising the code and making reverse-engineering a more difficult task to perform, as this would also require a knowledge of cryptology. A further way in which worms may protect themselves is through the use of secured links between hosts. This could involve mechanisms such as Secure Sockets Layer (SSL) or Virtual Private Network (VPN) connections, both of which create a secure end-to-end connection between host and client that prevents third parties from interpreting communications passing through that connection.
5. PAYLOAD TRENDS
Trend: Impersonal to Personal
Originally worms were released in order to cause chaos and as a test of personal skill, with the lack of further purpose signifying that these types of worms had non-functional payloads. While non-functional payloads still exist in worms, technological advancements have introduced new motivations for attack, which has led to the development of a broader range of payloads. Over recent years improvements have been made to the code of viruses, Trojans and Bot-nets, increasing their capability to steal information. This trend may transfer to the use of worms in the near future, as worms are able to harvest information through autonomous installation and retrieval processes that are not reliant on a controller’s commands, as is the case with Bot-nets and Trojans. This may see an increase in the theft of intellectual property and financial information and also identity theft. As worms continue to develop and the motivations behind their use diversify, payloads may also begin to function as tools of revenge, both personal and political. For instance, if an individual or group feels they have been wronged by a company, particularly one that conducts its business online, a worm could be used to create a denial of service condition that would hinder the organisation’s trade capabilities, causing financial harm and damage to its reputation. A company’s operations could also be disrupted through a mail-bombing attack instigated by a worm. This would involve a worm dumping extremely large amounts of email into the accounts of customer service representatives, hindering their ability to respond to client requests. Worms could also be used to seek political revenge through such things as a mass emailing of defamatory material from the target’s account and also website vandalism focused on a specific target. A further payload that may arise in worms is that of state and industrial espionage.
In the case of state espionage a worm could be used to gather intelligence pertaining to national security, foreign relations and documents that are normally exempt from the Freedom of Information Act or equivalent. The use of worms for industrial espionage could involve obtaining information regarding an organisation’s financial matters such as mergers, acquisitions, tenders, quotes and internal financial reports. Information could also be gathered regarding trade secrets and marketing strategies. The reasons for obtaining such information, whether it be governmental or industrial, usually involve extortion and other types of financial gain as outlined in the above section on human and motivational trends.
CONCLUSION:
Since their first development in 1988 the motives behind worms have been continuously evolving, leading to more efficient and virulent worms being developed. Originally worms were used by a select few, often as a means of challenging their technical abilities. However, as the code improved and technology became more accessible, more people began to realise that worms could be used for such things as financial gain, organised crime and political protest. These changes in the human and motivational factors behind worms resulted in changes to the targeting mechanisms in worms in order to create more direct attacks focused on specific targets. Furthermore, in order to increase attack capabilities, the propagation abilities of worms have evolved from the use of old, known exploits to new exploits for which a security patch is not yet widely distributed, and also to the use of multiple exploits. A future trend could see a more covert deployment of worms and also the use of zero-day exploits, which could have a devastating impact on systems worldwide. The trend in worm payloads has also shifted, moving from non-functional to more purposeful payloads concerned with such things as financial gain, theft and espionage. These changing trends have resulted in worms that are far more sophisticated, with heightened abilities to cause financial and material damage on a large scale. While the above discussion is by no means a definitive exploration of the scope of worms and their capabilities, it is a good starting point for a better understanding of worms and what trends may arise in the future development of this malicious code. The burgeoning costs that are resulting from more virulent worms necessitate an analysis of the evolution of worms and the motivations behind these changes if the impact of worms is to be effectively minimised.
REFERENCES:
BBC. (2001). Code Red cost tops $1.2bn. Retrieved 19 October, 2005, from http://news.bbc.co.uk/1/hi/business/1468986.stm
Chen, E. (2003, 11 April, 2005). W32.Bugbear.B@mm. Retrieved 9 October, 2005, from http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
Chen, Z., Gao, L., & Kwiat, K. (2003). Modeling the Spread of Active Worms. Paper presented at IEEE Infocom 2003.
Computer Incident Advisory Capability. (2001, September 25, 2001). Advisory Notice - L-144b: The W32.nimda Worm. Retrieved October 3, 2005, from http://www.ciac.org/ciac/bulletins/l-144.shtml
Gebhart, G. (2004). Worm Propagation and Countermeasures. SANS Institute.
Gruber, M. W. (N.D.). McAfee Heuriger – Risk Management. Retrieved 19 October, 2005, from http://www.lsz-consulting.at/pdf/heuriger_18_8_05/mcafee_risk_management.pdf
Lemos, R. (2005). Zotob suspects arrested in Turkey and Morocco. Retrieved 12 October, 2005, from http://www.securityfocus.com/news/11297/2
Leyden, J. (2004). Playgirl virus attacks Chechen rebel sites. Retrieved 4 October, 2005, from http://www.theregister.co.uk/2004/12/09/maslan/
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., & Weaver, N. (N.D.). The Spread of the Sapphire/Slammer Worm. Retrieved September 23, 2005, from http://www.cs.berkeley.edu/~nweaver/sapphire/
Skoudis, E. (2002). Cyberspace Terrorism - Malicious ‘super worms’ are coming. Retrieved 18 October, 2005, from http://www.serverworldmagazine.com/monthly/2002/02/superworms.shtml
Sophos Plc. (2001). Virus information - VBS/VBSWG-Z. Retrieved 19 October, 2005, from http://www.sophos.com/virusinfo/analyses/vbswgz.html
Vamosi, R. (2001, September 4, 2001). How bigger, badder worms are being built. Retrieved 12 October, 2005, from http://news.zdnet.com/2100-9595_22-504027.html
Weaver, N., Paxson, V., Staniford, S., & Cunningham, R. (2003). A Taxonomy of Computer Worms. Paper presented at WORM '03, Washington DC, USA.
Wikipedia. (2005, 23 October 2005). Morris worm. Retrieved 24 October, 2005, from http://en.wikipedia.org/wiki/Morris_worm
COPYRIGHT Matt Brunckhorst ©2005. Any usage is prohibited without the express permission of the authors
The trends in the development and deployment of worms
Abstract
Worms have become extremely virulent over the last number of years. This is due to the human trends and changes in the motivations behind the creation and deployment of worms, from an anarchistic model to being financially driven. These motivators in turn have changed the methods employed by worm writers when writing the underlying code. The changes in worms have affected the three main components, to generate attack lists to focus on specific targets, propagation methods that focus on the speed of delivery by utilising multiple exploits and finally deliver payloads that have the ability to steal information. The changes in the motivators and evolution of this worm code warrant investigation and discussion.
Keywords
Worms, Malicious Code, Future Trends
1. INTRODUCTION
Code Red, Code Red 2, Nimda, Blaster, Sasser. All of these and other such worms often instil fear in the systems administrator and everyday user. A worm is a variety of malicious code that Weaver et al. (2003) define as a self- propagating program that moves across a network exploiting security or policy flaws in widely used services. This ability to self-propagate between victims is what differentiates a worm from a virus. Weaver et al. also distinguishes between worms and viruses by highlighting that user interaction is not required for the worm to spread. For the purpose of this paper the same approach will be taken to identifying worms. To many users’ dismay the self-propagating abilities of worms have enabled this malicious code to successfully and rapidly spread and infect networks and consume computing resources. This process is often instigated through operating system flaws and through popular services such as web and email, as was the case of the original worm, the Morris Worm. Launched on November 2, 1988 this worm utilised a well-known flaw in the Sendmail service, infecting approximately 10 percent of systems connected to the Internet (Gebhart, 2004) with the resultant damages estimated to be between 10 and 100 million dollars (Wikipedia, 2005). The negative impact of the Morris Worm has been replicated with ever-increasing ferocity through worms such as Code Red and Sasser, impacting millions of systems and resulting in billions of dollars in damages (BBC, 2001). In addition to the financial costs such worms also drain other resources such as time and manpower and can have a negative emotional impact on their human victims.
The increasing occurrence and severity of worm development and deployments stems from changing motives as they move away from anarchistic objectives to more targeted and financially-oriented aims. This has led to a more sophisticated approach being taken toward target selection, propagation and payloads, resulting in worms that are more aggressive and purposeful. The burgeoning costs resulting from these changes to the use of worms necessitates an analysis of how these trends have evolved in order to reach a higher level of understanding of the future directions of these types of attacks.
2. HUMAN AND MOTIVATIONAL TRENDS
Trend: Personal Challenge to Personal Gain
When worms made their first appearance they were predominately developed and deployed by students and knowledgeable recreational computer users, often simply as a means to challenge their abilities at creating malicious code, as was the case with the Morris Worm (Wikipedia, 2005). Developed by graduate student Robert T. Morris the worm was created in order to test the possibility of such an attack being carried out. While the creation of malicious code still holds significant appeal for those seeking out a personal challenge, there has been a growing number of programmers, both amateur and professional, who are generating worms not as a means of challenging their abilities but rather for financial and other material gains (Lemos, 2005). One of the most recent examples of this trend is the case of the Zotob worm, which was created by Farid Essebar, a Moroccan student, in August 2005 in exchange for money (Lemos, 2005).
Trend: Increased Accessibility, Decreased Costs
Since the release of the first worm in 1988 many more have been developed partly due to the opportunities provided by increased accessibility to improved technologies and greater connectivity resulting from the significant technological strides made over the past two decades. Advancements such as high speed Internet, improved application development environments and more efficient hardware have enabled programmers to develop and execute worms with speed and efficiency. This increased accessibility has been accompanied by a growing stock of knowledge, including more educational opportunities and access to an ever-expanding supply of code from previous worms, enabling improvements to be made in the development of this malicious code. When these developments combine with decreased costs the scope of potential perpetrators greatly expands. The introduction of wireless technologies (Bluetooth, WiFi), mobile devices (cellular telephones) and portable computing solutions (PDAs, ultra-light notebooks) may also contribute not only to increased accessibility but also to the potential for anonymity. The ability to anonymously access other systems from the most opportune location translates into a decreased risk of exposure. This in turn increases the appeal of perpetrating attacks through malicious code including worms and, as such, the number of people willing to execute these types of attacks may grow with the further development of these technologies.
Trend: Anarchic Disruption to Targeted Crime
Originally worms were used primarily as a tool for societal disruptions such as inhibiting information flows and also as a means of protest, for example, the Mawanella worm that was created in 2001 as a protest against violence in Sri Lanka (Sophos Plc, 2001). While worms are still used for these purposes, as illustrated through the Sober-P worm that caused infected computers to distribute political spam (BBC, 2001), there is also now a growing trend toward malicious code for profit. Due, at least in part, to the aforementioned trends toward personal gain and increased accessibility to technology the use of worms in white collar and organised crime is on the rise. Owing to the global proliferation of computing devices there is now ample opportunity to use worms for purposes such as intellectual property and trade secrets theft, influencing financial markets and aiding in the theft of banking details. The use of worms in a financially-driven and targeted manner has been exemplified through Bugbear.B, a worm that targets information entered locally and records these keystrokes (E. Chen, 2003). This attack was primarily aimed at financial information demonstrating a growing trend toward using worms for financial gain.
In recent years computer crime has also become more organised as it is increasingly employed by career criminals as a method of attack, often through the use of a third party employed to create malicious code for a specific purpose, as evidenced through the aforementioned case of Farid Essebar and the Zotob worm (Lemos, 2005). Due to the rapid global adoption of technology there is now more incentive for criminal and political groups to incorporate computer crime into their activities which may result in a growing number of individuals from the IT industry offering their expertise in exchange for payment. Furthermore, because the global community now relies heavily for its day-to-day functioning on Internet technologies there is an increasing motivation for politically-oriented groups to employ malicious code including worms as a potential method of persuasion and power gain. One of the ways in which this method of attack may be exploited is through payment to an external third party knowledgeable in the development of worms. The initial stage of this trend has arisen in the Chechen conflict with the release of the Maslan-C worm that inhibits the websites of Chechen separatists (Leyden, 2004).
A future trend could see an increased use of worms by terrorist groups, particularly those concerned with anti-globalisation and terrorist cells aiming for economic disruption rather than loss of life. Many terrorist groups hold the globalisation phenomenon as their primary concern and therefore aim to inflict large-scale economic damage on those believed to be the perpetrators of capitalist greed at the cost of human rights. Today many corporate organisations operate on an international scale and depend heavily on information technologies, which form the backbone of Western-led globalisation and capitalism. The targeted release of a worm into a corporate environment is an economical and relatively easy mode of attack against globalisation and Westernisation that has the potential to cause widespread damage and wreak havoc on business operations (Weaver et al., 2003).
3. TARGET TRENDS
Trend: Machine Gun to Sniper Fire
When worms were initially developed they were deployed in an ad hoc and rudimentary fashion, with chance determining whether or not any specific targets were impacted (Z. Chen, Gao, & Kwiat, 2003). In these instances worms utilised inefficient scanning algorithms, which resulted in network congestion and a reduced ability to locate systems that were susceptible to infection, as was the case with the Morris Worm. Another random quality that exists in worms is the way in which the code reaches its targets. The original design of worms takes a random "machine gun" approach to target selection through the use of pre-existing system lists, such as /etc/hosts on a Unix-like system, and also email addresses from a user's inbox (Weaver et al., 2003). Although these are valid sources that ensure legitimate hosts are on the receiving end of propagation attempts, the lack of controls on target selection means that a system could be unnecessarily attacked several times.
In the last two years the development of worms has become far more sophisticated in an attempt to eliminate the aforementioned inefficiencies in target selection. Worm authors are now taking a more proactive approach to propagating their code by enhancing the quality of the information that the worm is given for target selection. This has resulted in worms that gather information from a centralised source, allowing the worm to collaborate with copies of itself in order to avoid unnecessarily repeating attacks on unsusceptible systems. This information is exchanged through services such as Internet Relay Chat (IRC), which acts as a regrouping point where the worm may be upgraded and receive new information regarding hosts that have already been attacked. Worm authors are also realising the power that can be harnessed through search engines such as Google, Yahoo and Alta Vista. Through these metadata servers valid information can be gathered pertaining to systems with flaws that are known to be advantageous in executing a successful attack. Game servers could also be used for these purposes, providing the worm with valid, live, exploitable systems (Weaver et al., 2003).
The improvements that have been made in the design of worm code have enabled attacks to be carried out within a more rigidly defined scope that focuses primarily on the intended target, rather than deploying a worm randomly on the basis that it will eventually reach the desired target or targets. In addition to the improvements outlined above, it should also be noted that a future trend may evolve from a recent development in which pre-generated hit lists could be used to create flash worms that have the ability to rapidly strike multiple targets (Vamosi, 2001). Nicholas Weaver has termed this worm model the Warhol Worm, as it has the potential to infect all vulnerable hosts within fifteen minutes of deployment due to the worm's internal coordination, which allows it to locate infected systems and patch itself more rapidly, all leading to a more virulent attack (Skoudis, 2002).
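To put a number on the difference between random "machine gun" scanning and a pre-generated hit list, the following added example (not part of the original paper) runs a discrete-time propagation model in the style of the active-worm analysis this section cites (Z. Chen, Gao, & Kwiat, 2003). The population size, scan rate and hit-list size are constructed assumptions; the point for a defender is how little reaction time remains once a worm is seeded from a hit list.

```python
# Added example, not part of the original paper: a discrete-time model in the
# spirit of Chen, Gao & Kwiat's (2003) active-worm analysis, used here to
# estimate how much a pre-generated hit list shortens the defender's window.
import math
from typing import List, Optional

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniform random scanner draws from
# Log-probability that one probe misses one particular address, kept as a log
# so that very large exponents remain numerically accurate.
_LOG_MISS_ONE = math.log1p(-1.0 / ADDRESS_SPACE)


def simulate(vulnerable: int, initially_infected: int, scans_per_tick: int,
             max_ticks: int = 100_000) -> List[float]:
    """Expected infected-host count at each tick (one tick = one second).

    Every infected host sends `scans_per_tick` probes to uniformly random
    addresses. A still-susceptible host escapes a tick only if every one of
    the scans * infected probes misses it, so the expected number of new
    infections is susceptible * (1 - miss_all). The loop ends when fewer than
    one susceptible host remains or max_ticks elapses.
    """
    infected = float(initially_infected)
    history = [infected]
    for _ in range(max_ticks):
        susceptible = vulnerable - infected
        if susceptible < 1.0:
            break
        # 1 - (1 - 1/2^32)^(scans * infected), computed via expm1 for accuracy
        p_hit = -math.expm1(scans_per_tick * infected * _LOG_MISS_ONE)
        infected = min(float(vulnerable), infected + susceptible * p_hit)
        history.append(infected)
    return history


def ticks_to_fraction(history: List[float], vulnerable: int,
                      fraction: float) -> Optional[int]:
    """First tick at which at least `fraction` of the population is infected."""
    threshold = fraction * vulnerable
    for tick, count in enumerate(history):
        if count >= threshold:
            return tick
    return None


if __name__ == "__main__":
    # Constructed parameters (assumptions, not figures from the paper): 75,000
    # vulnerable hosts, 4,000 scans/s per host, seeded with a single host
    # versus a 10,000-entry hit list.
    VULN, RATE = 75_000, 4_000
    for seed in (1, 10_000):
        hist = simulate(VULN, seed, RATE)
        print(f"seed={seed:>6}: 90% infected after "
              f"{ticks_to_fraction(hist, VULN, 0.9)} s, "
              f"saturation after {len(hist) - 1} s")
```

With these assumed parameters the hit-list run reaches 90% infection in roughly a third of the time of the single-seed run, which is the margin any automated containment would have to beat.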
4. PROPAGATION TRENDS
Trend: Single Exploit to Multiple Exploits
In the early days of their development worms would utilise a single exploit, ranging from Sendmail bugs to poorly secured network shares to bugs in other common services such as the Finger service and HTTP servers. By exploiting only one weakness the population that is vulnerable to attack shrinks, thus diminishing the potential for widespread disruption, which is in most cases the end goal of a worm release. For example, the Sapphire/Slammer worm 'exploited a buffer overflow vulnerability in computers on the Internet running Microsoft's SQL Server or MSDE 2000' (Moore et al., N.D.), which limited its attack capabilities and number of possible targets.
In order to broaden the base of potential targets, worms have been developed that are able to utilise multiple exploits. An example of this is the Nimda worm, which used four exploits as a means of propagation. These four exploits were: 'file infections, mass e-mail of infected attachments, web server attacks, and LAN propagation via shares' (Computer Incident Advisory Capability, 2001). While this worm was successful, a notable shortcoming in Nimda's capabilities was that it only attacked and exploited Microsoft Windows-based machines. This lack of platform independence prevented attacks from being carried out on targets with different operating systems such as Unix variants or Mac OS. This is one of many barriers that must be overcome before a truly platform-independent worm can be created.
As worm code continues to evolve a trend may develop in which platform independence becomes a key component to ensure maximum propagation. This could be achieved through the use of a platform-independent language such as Java or even Flash, both of which utilise standardised compilers and libraries. The use of such languages would allow the worm to move between operating systems, thus increasing the rate of infection.
Trend: Acknowledged Exploits to Zero Day Exploits
Since their creation worms have been built to exploit known vulnerabilities in systems, with the length of time between the discovery of the flaw and the deployment of the worm shrinking as coding tools become more sophisticated and time-efficient. This reduction in the time between a flaw's disclosure and its exploitation has been evidenced by the diminishing time frames involved in the Nimda, Slammer, MS-Blaster and Zotob worms. The Nimda worm was deployed 336 days after the MS00-078 patch was released, while the Slammer worm was deployed 185 days after the MS02-039 patch was released, showing that between the years 2000 and 2002 the ability to rapidly exploit vulnerabilities grew. This time frame was further shortened by the MS-Blaster worm, which in 2003 took only 26 days to exploit the flaw mitigated by the patch MS03-026, while 2004 saw a further reduction when the Sasser worm was deployed 17 days after the MS00-078 patch was released. This shrinking time frame is evidence of a greatly improved ability to rapidly develop worms using more sophisticated development tools (Gruber, N.D.).
As the time it takes to deploy a worm in response to a vulnerability continues to shrink, the potential destructive impact of worms is heightened. Worms such as Zotob (Lemos, 2005), which took only 5 days from exploit to implementation, demonstrate a growing trend towards worms that, rather than simply focusing on any exploit, are more concerned with targeting the most recent exploits. This is building up to the possibility that someone may discover an exploit and implement it in a worm before the general computer security community is made aware of its existence. Since this type of attack targets a flaw that does not yet have a security patch, the potential to cause widespread damage increases dramatically, as far more systems would be vulnerable to infection.
Trend: Laissez-faire to Stealth
To date worm code has been moderately easy to decipher and reverse-engineer in order to impede attacks and propagation. This is because a majority of worm creators take a laissez-faire approach to protecting their source code, either because they do not yet have the capability to encrypt it and guard against reverse engineering or because their purposes do not require such defence mechanisms. In the future worms may be developed that are more covert in their attack and propagation in order to increase the length of time it takes to reverse-engineer the code, so as to increase the lifespan of the worm. Such methods may include polymorphism, whereby the worm changes its signature between propagations, making detection and analysis more difficult, which in turn increases the difficulty of engineering a security patch. Worms that are obscured by encryption may also be developed, with the encryption disguising the code and making reverse-engineering a more difficult task to perform, as this would also require a knowledge of cryptology. A further way in which worms may protect themselves is through the use of secured links between hosts. This could involve mechanisms such as Secure Sockets Layer (SSL) or Virtual Private Network (VPN) connections, both of which create a secure end-to-end connection between host and client that prevents third parties from reading communications over that connection.
5. PAYLOADS TRENDS
Trend: Impersonal to Personal
Originally worms were released in order to cause chaos and as a test of personal skill, with the lack of any further purpose signifying that these types of worms had non-functional payloads. While non-functional payloads still exist in worms, technological advancements have introduced new motivations for attack, which has led to the development of a broader range of payloads. Over recent years improvements have been made to the code of viruses, Trojans and Bot-nets, increasing their capability to steal information. This trend may transfer to worms in the near future, as worms are able to harvest information through autonomous installation and retrieval processes that are not reliant on a controller's commands, as is the case with Bot-nets and Trojans. This may see an increase in the theft of intellectual property and financial information and also in identity theft. As worms continue to develop and the motivations behind their use diversify, payloads may also begin to function as tools of revenge, both personal and political. For instance, if an individual or group feels they have been wronged by a company, particularly one that conducts its business online, a worm could be used to create a denial of service condition that would hinder the organisation's trade capabilities, causing financial harm and damage to its reputation. A company's operations could also be disrupted through a mail bombing attack instigated by a worm. This would involve a worm dumping extremely large amounts of email into the accounts of customer service representatives, hindering their ability to respond to client requests. Worms could also be used to seek political revenge through such things as a mass emailing of defamatory material from the target's account and also website vandalism focused on a specific target. A further payload that may arise in worms is that of state and industrial espionage.
In the case of state espionage a worm could be used to gather intelligence pertaining to national security, foreign relations and documents that are normally exempt from the Freedom of Information Act or equivalent. The use of worms for industrial espionage could involve obtaining information regarding an organisation’s financial matters such as mergers, acquisitions, tenders, quotes and internal financial reports. Information could also be gathered regarding trade secrets and marketing strategies. The reasons for obtaining such information, whether it be governmental or industrial, usually involve extortion and other types of financial gain as outlined in the above section on human and motivational trends.
CONCLUSION:
Since their first development in 1988 the motives behind worms have been continuously evolving, leading to more efficient and virulent worms being developed. Originally worms were used by a select few, often as a means of challenging their technical abilities. However, as the code improved and technology became more accessible, more people began to realise that worms could be used for such things as financial gain, organised crime and political protest. These changes in the human and motivational factors behind worms resulted in changes to the targeting mechanisms of worms in order to create more direct attacks focused on specific targets. Furthermore, in order to increase attack capabilities the propagation abilities of worms have evolved from the use of old, known exploits to new exploits for which a security patch is not yet widely distributed, and also to the use of multiple exploits. A future trend could see a more covert deployment of worms and also the use of zero-day exploits, which could have a devastating impact on systems worldwide. The trend in worm payloads has also shifted, moving from non-functional to more purposeful payloads concerned with such things as financial gain, theft and espionage. These changing trends have resulted in worms that are far more sophisticated, with heightened abilities to cause financial and material damage on a large scale. While the above discussion is by no means a definitive exploration of the scope of worms and their capabilities, it is a good starting point for a better understanding of worms and what trends may arise in the future development of this malicious code. The burgeoning costs that result from more virulent worms necessitate an analysis of the evolution of worms and the motivations behind these changes if the impact of worms is to be effectively minimised.
REFERENCES:
BBC. (2001). Code Red cost tops $1.2bn. Retrieved 19 October, 2005, from http://news.bbc.co.uk/1/hi/business/1468986.stm
Chen, E. (2003, 11 April, 2005). W32.Bugbear.B@mm. Retrieved 9 October, 2005, from http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
Chen, Z., Gao, L., & Kwiat, K. (2003). Modeling the Spread of Active Worms. Paper presented at IEEE Infocom 2003.
Computer Incident Advisory Capability. (2001, September 25). Advisory Notice - L-144b: The W32.nimda Worm. Retrieved October 3, 2005, from http://www.ciac.org/ciac/bulletins/l-144.shtml
Gebhart, G. (2004). Worm Propagation and Countermeasures. SANS Institute.
Gruber, M. W. (N.D.). McAfee Heuriger – Risk Management. Retrieved 19 October, 2005, from http://www.lsz-consulting.at/pdf/heuriger_18_8_05/mcafee_risk_management.pdf
Lemos, R. (2005). Zotob suspects arrested in Turkey and Morocco. Retrieved 12 October, 2005, from http://www.securityfocus.com/news/11297/2
Leyden, J. (2004). Playgirl virus attacks Chechen rebel sites. Retrieved 4 October, 2005, from http://www.theregister.co.uk/2004/12/09/maslan/
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., & Weaver, N. (N.D.). The Spread of the Sapphire/Slammer Worm. Retrieved September 23, 2005, from http://www.cs.berkeley.edu/~nweaver/sapphire/
Skoudis, E. (2002). Cyberspace Terrorism - Malicious ‘super worms’ are coming. Retrieved 18 October, 2005, from http://www.serverworldmagazine.com/monthly/2002/02/superworms.shtml
Sophos Plc. (2001). Virus information - VBS/VBSWG-Z. Retrieved 19 October, 2005, from http://www.sophos.com/virusinfo/analyses/vbswgz.html
Vamosi, R. (2001, September 4, 2001). How bigger, badder worms are being built. Retrieved 12 October, 2005, from http://news.zdnet.com/2100-9595_22-504027.html
Weaver, N., Paxson, V., Staniford, S., & Cunningham, R. (2003). A Taxonomy of Computer Worms. Paper presented at WORM '03, Washington DC, USA.
Wikipedia. (2005, 23 October). Morris worm. Retrieved 24 October, 2005, from http://en.wikipedia.org/wiki/Morris_worm
COPYRIGHT Matt Brunckhorst ©2005. Any usage is prohibited without the express permission of the authors
