In-Depth

Your Next Battle Front: Network-Based Worms

As the effectiveness of e-mail worms decreases, attackers turn to network-based worms.

• By Mathew Schwartz
• 04/27/2005

Just because e-mail worms are going away doesn't mean worms in general are disappearing.

In 2004, IT managers battled a variety of fast-spreading worms, including Mydoom, Bagle, and NetSky. According to Symantec, “Mass-mailing worms dominated the top malicious code reported over the last six months of 2004,” with worms accounting for eight of the top 10 most prevalent threats.

So far in 2005, however, no new e-mail worm scourges have appeared.

In fact, e-mail worms appear to be disappearing. According to Alexander Gostev, a senior virus analyst at Kaspersky Lab, this phenomenon “may be due to the fact that the antivirus industry has developed new methods to block such worms.” For example, antivirus engines can now analyze password-protected zip files, and also vet executable files attached to e-mails. Thus “all these techniques make it possible to stop outbreaks in the early stages before an epidemic can develop.”

Call it luck, or evolution, but new malware targeting unpatched machines has also been relatively scarce. Perhaps that’s because “no new vulnerabilities as serious as the LSASS or RPC DCOM vulnerabilities have been detected in Windows,” says Gostev. Of course, attackers crafted (and continue to craft) a variety of worms to take advantage of the flaws, though antivirus software effectively stops most of those efforts.

Beyond improved technology, security education campaigns appear to be paying off. Experts say in general, today’s users are less likely to open e-mail attachments of strange or unknown origin.

Microsoft has also been releasing patches for publicly disclosed vulnerabilities more quickly, enabling security managers to patch systems before attackers have time to capitalize on the flaw. Last year, for example, Microsoft quickly patched a NetBIOS naming problem disclosed in November 2004. This year, Microsoft also “ensured that patches were available for all known critical vulnerabilities in both Outlook and Outlook Express.”

Security managers, of course, still can't rest. “Due to the widespread deployment of Microsoft Windows operating systems in enterprise and consumer environments, Windows … viruses and worms pose a serious threat to the security and integrity of the computing community,” notes antivirus software provider Symantec. In its most recent Internet Security Threat Report, Symantec researchers report a 64 percent increase in the overall number of viruses and worms from the first half of 2004 until the end of 2004.

Just this year, several vulnerabilities in Microsoft products have already been disclosed, including a Windows kernel flaw, a bug in how Windows processes PNG images, and a flaw in the hyperlink object library. Any of these could be exploited by attackers to create worms.

The Ascendancy of Network Worms

In other words, don’t expect all worms to fade away. Rather, attackers’ use of worms is changing. In particular, while e-mail worms are disappearing, on the rise are “network worms incorporating Trojan components,” says Gostev. In fact, Kaspersky Lab characterizes network worms as the current biggest malware threat to organizations’ networks, since they allow attackers to construct bot networks, or “botnets.”

A botnet is “any network of infected computers that is controlled by a single—malicious—remote user,” says Gostev. The infected PCs are sometimes referred to as zombies, since after infection they can be exploited at a later date, without a user ever knowing the PC is infected. En masse, these zombie PCs can launch a variety of attacks, including taking down Web sites via distributed, denial-of-service attacks.

Thanks to the automated nature of today’s worms, which infect PCs and continue to spread through a variety of means, the size of botnets is also growing. “Researchers estimate that the number of zombie machines in botnets increases by 300,000 to 350,000 every month,” notes Gostev, and “the total number of zombies is estimated at several million.”

Botnets are also evolving. Initially, the worms used to create botnets installed Trojan software on compromised machines, then awaited further commands via Internet Relay Chat (IRC) channels. The most prevalent worms today—variants of Agobot, Rbot, and SdBot—still follow this approach. Newer worms, however, can arrive with their own server software, and also use password-cracking algorithms to gain access to secured network resources.

More recent bots can also load Trojan software onto compromised PCs to watch for sensitive—perhaps financial—information, then upload it to an attacker. Hence, worms have gone beyond being a nuisance (or a way to disrupt global networks) to having a more direct financial component. Accordingly, says Symantec, “ the use of bots and bot networks for financial gain will likely increase, especially as the diverse means of acquiring new bots and developing bot networks become more prevalent.”

Unfortunately, the limited lifespan of the worms which generate botnets—since antivirus software providers quickly update their engines to block new variants—also drives rapid increases in the worms’ functionality. That is, while the worms needed to create a botnet can be detected and eliminated, that fact causes attackers to constantly refine and improve the efficacy of their worms to escape detection.

Welcome to the latest information security arms race, and given the potential damage from legions of compromised computers, security managers have a new mandate: “Detection and prevention of botnets should be a priority for both the IT industry and end users,” warns Gostev.

Related Articles:

Mass-Mailing Worms on the Outs
http://www.esj.com/Security/article.aspx?EditorialsID=1324

Automated Bots Crawl Internet for Spyware
http://www.esj.com/Security/article.aspx?EditorialsID=1249