
The Worm Business

Now that some of the dust has settled from the outbreak(s) of the Zotob worm last week, the time is right to put this latest Internet worm into perspective.

First off, security blogger Dominic White has put together a chronology of Zotob that's worth a read. White says despite claims that Zotob represented the "fastest turnaround from the announcement of a vulnerability to the actual virus," that distinction actually belongs to the Sasser worm, which appeared in May 2004 the day after computer code showing how to exploit the flaw was released. He also notes that the Witty worm appeared about 36 hours after public disclosure of the vulnerability it exploited.

In its paper, titled "The Future of Bot Worms," Trend Micro examines the ever-shrinking window of time between the release of a Windows security patch and the emergence of an automated threat that exploits the flaw.

The Nimda worm surfaced a week after Sept. 11, 2001, almost exactly one year after Microsoft issued a patch for the vulnerability it exploited. On Super Bowl weekend, Jan. 25, 2003, the Slammer worm wiggled through a security hole that Microsoft had patched just six months earlier. Windows users had 4 1/2 weeks to apply patches before the Blaster worm struck in August 2003. The spring of 2004 brought Sasser, released 18 days after a patch was available. Last week, the first Zotob hit the Web just four days after Microsoft released a fix.

Trend Micro says attackers are exploiting network security flaws faster because so much virus and worm computer code has been open-sourced, meaning it is available for free on dozens of Web sites. This allows virus authors to pick and choose the exact functionality they require, and merely plug that in to any new exploit code that is made available.

"When a piece of code is written to exploit a certain vulnerability in an operating system and is published on the Internet, the creators of these worms can just attach it to the old code of the worm, recompile it, and voila -- a new dangerous worm is ready to be unleashed," the Trend Micro report says.

Chicago-based Internet security firm LURHQ made the same point in its early writeup on Zotob, noting that the authors of the many Zotob variants simply used the newly identified Microsoft Windows flaw as one more vehicle for spreading their existing malicious programs. "Despite reports of a single, widespread worm affecting companies around the world, what we are actually seeing is the effect of multiple existing threats which have been updated to utilize the new exploit. Previously these same trojans would spread using ... other older exploits, as well as social engineering through email and instant messaging," LURHQ observed.

The Trend Micro paper correctly notes that "automatic updates [from Microsoft] are just not an option anymore"; that comment mainly applies to home users, because businesses tend not to use auto-updates: network administrators prefer to test patches before deploying them, to ensure they don't break other applications. Plus, the Internet traffic generated by nearly all network worms can be (and usually is) filtered by Internet service providers, so home users do not have nearly as much to fear from network worms these days (this does not, however, eliminate the need for basic home user security, including the use of a firewall and anti-virus software).

The group of Windows users that has the most to lose from a network worm comprises small- to mid-sized businesses, many of which cannot afford to hire full-time security professionals and instead rely on off-the-shelf software and hardware to take care of security needs. While several big companies made news after battling Zotob infections last week, I'm betting there were hundreds of small businesses that we'll never know about that lost a lot of business as a result of this worm.

On the security blog run by the folks at Russian anti-virus maker Kaspersky Lab, there's an interesting post that speaks to this very issue, entitled "The Rise of the Business Worm," which posits that we're on the threshold of a new era in which "business worms" will cause "local network outbreaks" in large corporations but will have little effect on the Internet as a whole.

"We've seen no tell-tale signs of an epidemic on the Internet. And we've had no reports of infection from individual users. There's no question that this worm is spreading. However, it seems to be confined to localized 'explosions' inside large corporations," the Kaspersky posting notes. "These organizations, typically made up of 'small internets' behind heavily defended Internet gateways, have experienced infection."

That's precisely what we saw last week, with Zotob infecting large companies like the New York Times, ABC News, CNN and Caterpillar, companies that likely spent millions fortifying their perimeter defenses but were powerless to stop the spread of a worm inside an isolated network of unpatched Windows machines. Still, the companies that experienced outbreaks probably did not spread the infections to anyone outside their firewalls.

I like Kaspersky's "business worm" idea because it aptly describes what today's worms are all about. Past worms like Nimda, Slammer and Blaster were more costly annoyances than real threats. Sasser changed all that, as it was quickly re-engineered to mine infected PCs for personal and financial data. While the initial Zotob version merely trapped some infected computers in a reboot loop, new versions that emerged less than a day later would log the victim's keystrokes and steal other data from their hosts.

As LURHQ says in its writeup, "the motive behind most of the activity involved with these botnets appears to be in some cases installation of adware, and in other cases installation of spam proxies." Last week I wrote a story about the increasing use of botnets to install adware and spyware.

By Brian Krebs  |  August 22, 2005; 11:00 AM ET
Categories:  From the Bunker  


A distinction needs to be made when addressing worms. For example, the SQL Slammer worm targeted UDP port 1434...I have yet to see a business reason for exposing this port to the Internet. Code Red exploited a buffer overflow in a script mapping DLL in IIS...a script mapping that should have been disabled immediately after installation.

One thing that needs to be included in worm assessments is an "ease of mitigation" factor. If a worm targets a port that should not be exposed to the Internet, or a simple configuration change (i.e., disabling a script mapping) would have prevented infection, then that information should be considered right along with the "time to exploit" and infection rate of the worm.

Mr. Emm's write-up at Kaspersky Labs (UK) is interesting, to say the least.

H. Carvey
"Windows Forensics and Incident Recovery"

Posted by: H. Carvey | August 23, 2005 7:06 AM | Report abuse

© 2010 The Washington Post Company