Smarter worms will spread in more ways

The inconvenience caused by Sircam, Code Red and Code Red II is just a fraction of the damage a worm could do, said an expert at...

The inconvenience caused by Sircam, Code Red and Code Red II is just a fraction of the damage a worm could do, said an expert at the Hackers at Large conference in the Netherlands.

Jonathan Wignall, a member of the Data and Network Security Council, an independent pressure group promoting safer networking, said, "Most of the existing worms have been [of a] very amateurish construction. We have only seen the tip of the iceberg of the worm problem."

Wignall, who hosted the well-attended session on worms at the conference, revealed what he sees as the keys to a successful worm. It should be small, targeted at inexperienced users, effective in replication, gain publicity, carry a payload that is not easily defeated, attack a large vulnerable population, be correctly coded and, last but not least, be untraceable.

"No worm has ever met all of these criteria," said Wignall. "Sircam is large in size because it was written in Delphi. Code Red replicated by scanning random IP addresses, so it hit unused addresses, and its attack on the White House Web site was easily fended off because it is programmed to only attack a single IP address."

A well-programmed worm could cut off entire countries from the Internet by attacking Internet exchanges, Wignall cautioned.

"It wouldn't take too much to design a worm that attacks key parts of the Internet. You could cause quite a problem for a country or a network. There are only a few ways into each country," he said.

In addition to being better coded, Wignall also predicted that worms would start using a new type of replication: the Web. Today's worms crawl from system to system via e-mail, which typically requires the users to open an attachment; or by exploiting server holes. Sircam is an example of an e-mail worm, while Code Red is a server worm.

"There are tons of holes in Internet Explorer [that] a worm could use to self-propagate. Many people don't bother fixing holes in IE. The bulk of the system administrators see security as an inconvenience, rather than something they should implement," he said.

Wignall showed the basic code for a Web worm and invited the attendees to download it. However, he urged them not to complete the code and unleash a new worm.

Infection by a Web worm would only be possible by visiting a Web site spreading the worm. Provided that users only visit trusted Web pages, a Web worm would have less of a chance getting out in the wild than a server worm or an e-mail worm.

The Hackers at Large conference, which ended 12 August, was expected to attract about 3,000 hackers and computer security enthusiasts from around the world.

Further information:
The Data and Network Security Council:

Read more on Antivirus, firewall and IDS products