
Tried, tested methods still work for virus writers

Malicious code writers were motivated by money in 2003, making for a busy year combating viruses, worms and Trojans. Experts expect that trend to continue next year as spammers and worm writers join forces and blended threats continue to haunt enterprises.

The Internet did not melt down because of a large-scale worm outbreak in 2003.

No multi-operating system worm wreaked havoc.

New technologies like wireless and instant messaging weren't targeted by malicious code to any significant degree.

Worms and viruses didn't take any significant technological leaps in 2003, but that didn't mean it was a quiet year for malicious code.

"Regular e-mail worms were the most popular [for worm writers] in 2003 and will probably continue next year," said Joe Hartmann, director of North American antivirus research at Trend Micro Inc. "They are working, so why fix them?"

One disturbing new trend emerged this year: more worm writers were motivated by profit, and that is likely to continue next year. Some experts contend that there is a connection between malicious code writers and spammers, with virus writers either working with spammers directly or borrowing some of their techniques. Blended threats aren't going away either; experts warn of more worms like SQL Slammer and Blaster.

The SQL Slammer worm illustrated the potential power and danger of Internet worms. The worm sent a single 376-byte UDP packet to vulnerable SQL Server databases. Once it hit a machine, the worm infected it and turned the system into a Slammer-shooting machine gun. Each packet that hit a vulnerable machine started the process all over again.

This routine was so effective that the worm infected all vulnerable machines worldwide within 10 minutes. In other words, there was no time for administrators to apply workarounds, much less install the patch (which had been available for six months).

In August, the Blaster and Nachi worms appeared. Both exploited an RPC-DCOM vulnerability in Windows. In an unusual move, Nachi actually tried to patch the system's vulnerability and protect against Blaster. However, its propagation method meant the worm gummed up networks with the traffic it produced.

Mass-mailer worms were far from dead in 2003. There were several high-profile mass-mailers this year, from Swen to Sobig.

While the technology of mass mailers isn't changing rapidly, the reasons for spreading them have changed in some cases. Two distinct families of worms, Sobig and Mimail, weren't sent out to wow other underground worm writers. The Sobig worms dropped spam-routing software on infected machines. The Mimail family tried to steal sensitive personal data from recipients and launched denial-of-service attacks on antispam groups.

"It is the actors behind the viruses and worms that are changing," said Fred Cohen, an analyst with the Burton Group who 20 years ago dubbed the term "computer virus." "Some of these threats seem to be coming from well-organized, structured groups.

"They are better at self-control."

The Sobig worms, in particular, were created with function in mind more than form. They began spreading in the first few days of the year. The unusual thing about them was that they contained an expiration date and were given a short life cycle so their author could see how features worked in the wild.

An expiration date also makes a lot of sense, because within a few weeks most people would have been alerted to the new worm and antivirus definitions would have been updated.

In a bizarre way, the Sobig worms were too successful. The creator wanted to infect systems so that spamming software could be dropped onto them. Clogging networks and making headlines does not play into this strategy, but that is exactly what happened with Sobig-F. The worm crippled some networks as infected systems pumped out thousands of e-mails containing copies of itself.

According to Mikko Hypponen, manager of antivirus research at Finland-based F-Secure Corp., Sobig-F probably didn't infect many more machines than previous Sobig variants, but its mailing routine was so efficient that just a few infected machines could send thousands of messages. Sobig-F created a denial-of-service effect on some networks as e-mail servers became clogged with copies of the worm.

F-Secure estimates that Sobig-F sent more than 300 million copies of itself. For a sense of scale, U.K.-based e-mail filtering outsourcer MessageLabs Inc. found that, at the worm's peak, one in every 28 messages contained Sobig-F.

Hypponen had a telling experience with all the traffic generated by Sobig. His team discovered that the worm contained a Trojan set to connect to one of 20 servers on a specific date. He e-mailed the list of IP addresses to the CERT in Finland, but after a few hours the message still hadn't arrived.

"We ended [up] printing out the list and sending a messenger over to the office with it," he said.
