In-Depth

Security Expert Predicts End of Mass-Mailing Worms in 2003

Look for more sophisticated information attacks this year.

• By Matt Migliore
• 01/08/2003

While 2002 saw its share of code exploits—including those in the form of a denial of service attack on the 13 root servers that control worldwide Internet traffic—the overall cost associated with malicious activity on information systems was down compared to 2001. According to Roger Thompson, technical director of malicious code research for managed security services provider TruSecure, the decrease is due in large part to an increased awareness of how mass-mailing worms function.

“Most companies have figured out that if you simply block all executable attachments you can prevent the spread of mass-mailing worms,” says Thompson. He acknowledges, however, that this approach may not be appropriate in every instance. For example, in college environments free speech protections make it difficult to justify blocking any e-mail. But, he says, in a corporate setting there is really no need to receive executable attachments because typically they’re either jokes or computer worms.

By Thompson’s estimate, widespread use of e-mail monitoring technologies will render mass-mailing worms virtually obsolete in 2003. Still, he believes computer networks will remain in danger this year, primarily due to an increase in more sophisticated information attacks similar to the Nimda and Code Red exploits that wreaked havoc on networks in 2001. “The big issue for businesses now is going to be something that uses 10 different vulnerabilities to get in [the network],” he says. “Once you get behind the outer defenses, [most networks] are soft on the inside.”

Thompson says security professionals should be taking measures to harden the insides of their networks rather than focusing solely on building up their external defense systems. “If everybody could patch all of their operating systems, they wouldn’t need to worry,” he says. “But when you’ve got a bunch of machines, you can’t patch everything.”

Thompson's information security predictions for early 2003 include:

• More Remote Access Trojans (RATs). These attacks increased in 2002 but have decreased in the last few months. Still, RATs remain a favorite of the hacker community, and malware code writers will continue to disguise backdoor scripts as adult movies, posting them to pornography news groups targeting inexperienced users. Thompson expects RATs to remain prominent through 2003, but says they will be mixed with more and more greyware (i.e.. spyware and advertising monitoring).
• Continued decline of mass-mailing Win32 viruses. These attacks were largely unsuccessful in 2002, with the notable exception of organizations that did not filter properly. One of the two biggest worms of the year was W32/Klez, which has primarily been infecting home environments.
• More Code-Red-type malware. Code Red, with four versions and two separate code bases, was a big problem in 2001. In 2002, the Scalper/Slapper worms caused similar problems, though they were not of the same scope. Also, SqlSpida was successful in finding weak SQL servers, but typically did not make it past the server into the organization. In 2003, Thompson says, an attack similar in scope to Code Red is likely.
• Another W32/Nimd. Given that Nimda was internally listed as v0.5, and knowing that the original worm did not exploit all the known vulnerabilities in 2001, Thompson feels a v1.0 is probable in 2003.
• Fewer macro and script viruses. These exploits emerged at a rate of 200 to 300 a month in 2002. However, Thompson believes improvements in the ability of major anti-virus programs to detect macro and script viruses will significantly decrease their effectiveness in 2003.