Super Worms On The Way? April 22, 2004

Discussion in 'malware problems & news' started by bigc73542, Apr 22, 2004.

Thread Status:
Not open for further replies.
  1. bigc73542

    bigc73542 Retired Moderator

    story link

    Super Worms On The Way? April 22, 2004

    The creator of the Bugtraq security discussion group says the threat from Internet worms is about to grow exponentially, and predicted an especially menacing version in the near future.
    By Gregg Keizer, TechWeb News
    The threat from malicious Internet worms is about to explode exponentially, a security expert said Thursday as he predicted release of an especially menacing "super worm" in the near future.

    "The next super worm is about to hit," said Scott Chasin, chief technology officer at message filtering firm MX Logic and creator of the well-known security discussion group Bugtraq.

    The next generation of mass-mailed worms will be even more dangerous than the current malware that plagues businesses and consumers, Chasin warned. Instead of relying on embedded SMTP engines to propagate from one machine to another, the newest threats will use their own peer-to-peer networking technology to not only proliferate but also to communicate with systems infected with other worms, creating a so-called "super worm" that could continue to mutate almost indefinitely.

    The best example so far of such capability is Phatbot, said Chasin, a worm that so far has had limited success.

    "Phatbot represents the latest and most modern architecture of a worm," said Chasin, because it includes peer-to-peer networking technology taken from AOL's Nullsoft development group. The source code for the peer-to-peer technology, dubbed Waste, was made publicly available last summer and was put into use by Phatbot.

    Worms like Phatbot are particularly hard to stymie, since their P2P-based attacks can be shut down only if every infected computer is tracked down and cleaned. Put a number of P2P worms together and give them the capability of talking to one another and the danger escalates dramatically--as a network of hundreds of thousands of infected machines is created.

    "I've never seen an instance of these worms where they've been able to communicate with each other, but when they do, it will open an entirely new threat vector," Chasin said. "They'll have the ability to touch just one infected machine and provide new attack code for the entire network of connected machines."

    That could put an end to the worm "waves" that security experts now deal with--where a worm appears, peaks, then essentially disappears--and replace it with a continuous barrage of new exploits.

    Among the other possible uses of such inter-worm communication might be building a spam-spewing collection so large that spammers could send just a few messages from each compromised mail server, doing an end-around administrators' tactics of watching for high spikes in mail volume or other anomalies.

    Worm-to-worm communication could also be used to raise the denial-of-service attack ante. These attacks, which have been the hallmark of such worms as MyDoom and Netsky, could become more aggressive, more frequent, and be used for political and economic gain.

    "This was really defined by MyDoom taking on SCO's site, and other worms targeting Microsoft or the RIAA," Chasin said. "Those examples will only become more common."

    Although peer-to-peer-based worms are often originally spread by E-mail--still a very effective propagation technique, Chasin said--new avenues such as insecure wireless access points are what worry him most.

    There are already tools which let spammers conduct "drive-by spamming," where a car and a laptop are used to cruise for unprotected access points, and spam is shunted through those access points to the Internet. "Worm writers could easily take that and leverage APs as insertion points for malicious code," said Chasin, resulting in "drive-by worming" using a mobile "worm truck."

    "A Honda and a laptop could do this," he warned.

    Doom and gloom? Chasin's take is that the bad guys now have the upper hand, and that defenses will be tough to implement and take a long time to put into place. "They have the advantage," he said, "and it's us who are playing catch-up