Worms to get smarter, spread in more ways

Sircam, Code Red and Code Red II may be causing some inconvenience, but this is just a fraction of the damage a worm could do, according to a worm expert speaking at hacker conference here on Friday.

“Most of the existing worms have been (of) very amateurish construction. We have only seen the tip of the iceberg of the worm problem,” said Jonathan Wignall, a member of the Data and Network Security Council, an independent information-security U.K. pressure group that promotes safer networking, during the Hackers at Large conference.

Wignall, who hosted well-attended session on worms at the Hackers at Large hacker conference here, gave away what he sees as the keys to a successful worm. It should be small, targeted at inexperienced users, be effective in replication, gain publicity, carry a payload that is not easily defeated, attack a large vulnerable population, be correctly coded and, last but not least, be untraceable.

“No worm has ever met all of these criteria. Sircam is large in size because it was written in Delphi. Code Red replicated by scanning random IP addresses — so it hit unused addresses — and its attack on the White House Web site was easily fended off because it is programmed to only attack a single IP address,” said Wignall.

A well-programmed worm could cut off entire countries from the Internet by attacking Internet exchanges, Wignall cautioned.

“It wouldn’t take too much to design a worm that attacks key parts of the Internet. You could cause quite a problem for a country or a network. There are only a few ways into each country,” he said.

In addition to better-coded worms, Wignall also predicted that worms would start using a new type of replication: the Web. Today’s worms crawl from system to system via e-mail, which typically requires the users to open an attachment, or by exploiting server holes. Sircam is an example of an e-mail worm; Code Red is a server worm.

“There are tons of holes in Internet Explorer a worm could use to self-propagate. Many people don’t bother fixing holes in IE. The bulk of the system administrators see security as an inconvenience, rather than something they should implement,” he said.

Wignall showed the basic code for a Web worm and invited the attendees to download the code. However, he did urge them not to complete the code and unleash a new worm.

Infection by a Web worm would only be possible by visiting a Web site spreading the worm. Provided that users only visit trusted Web pages, a Web worm would have less of a chance getting out in the wild than a server worm or an e-mail worm.

Hackers at Large, in Enschede, the Netherlands, is expected to attract about 3,000 hackers and computer security enthusiasts from around the world. The event continues until Sunday Aug. 12.

Hackers at Large is at http://www.hal2001.org/.

The Data and Network Security Council is at http://www.dnscon.org/.