Worms will become dynamic, smarter

As if they aren’t enough trouble already, Internet worms are going to take an evolutionary leap, worm researcher Jose Nazario said Wednesday at the fifth annual Black Hat Briefings conference in Las Vegas.

“We’re going to see a paradigm shift in what worms have to offer … we’re going to see worms evolve,” said Nazario, who works for Crimelabs Security Group.

Internet worms are self-replicating and self-sustaining programs, often transmitted by e-mail, that infect vulnerable systems, sometimes with disastrous results, sometimes with minimal impact. Worms first gained prominence in the late 80s, but have seen their public profile grow in the last 18 months as the number of worms affecting Windows systems, and more recently, Linux systems, has risen dramatically.

That trend isn’t likely to end any time soon, said Nazario, who was presenting material from a paper Crimelabs will be releasing on its Web site next week. Crimelabs is a security consultancy.

“Worms have been and will continue to be a threat … because they are relatively easy to put together” and because they keep working on their own even after they’ve been set loose, he said.

Given that worms will continue to exist, Nazario and his colleagues at Crimelabs see a change coming for worms. Right now, worms are limited in their targets and objectives, their types of attacks and exploits, he said.

The writers of most high-profile worms seem to be saying, “Look! I can write a worm,” Nazario said. Their objective often seems to be the writing of the worm itself rather than doing damage.

These worms are also limited in the damage they can do because the network traffic they generate grows exponentially, so they are quickly identified and blocked, Nazario said.

Future worms, however, will be more sophisticated and subtle, making detecting and stopping them more difficult, he said. These new worms will include a number of dynamic components, which can be updated after the worm has been released, something that is not currently possible, he said.

Currently, worms use a single communications protocol to communicate between infected systems and with the machine (if any) that is controlling them. The worms Nazario sees coming will use a number of different protocols, and will be able to mix and match protocols, attacks and targets, thus making them harder to identify or stop. These worms will also have dynamic roles, meaning that the “child” worm may not necessarily look or behave how its “parent” did, he said.

Additionally, these worms will be able to change their characteristics and the damage they do on the fly, as the worm writer changes his code, Nazario said. Worms will be written with more modular structures that will allow for updating components, rather than writing new worms, he said. Updates will be distributed via Usenet and Web sites, and by hiding the updates in files that also contain non-worm content, he said.

Worms may even begin to require signed code, to prevent others from writing update modules designed to keep the worms from working, he said.

Detecting the current crop of worms is largely a matter of understanding how the worm affects one system, which will lead to an understanding of how it will operate on all systems, he said. Dynamic worms will be more complicated, requiring correlation analysis to determine which sets of scans and attacks are evidence of which worm.

Along with analysis, new kinds of defenses will have to be created. The oft-repeated mantra of keeping your antivirus software up to date and your system patched just won’t work any longer, he said.

“We keep saying that – no one’s doing it.”

These new worms will have to be fought using anomaly detection, agent-based intrusion detection systems and “poison” updates, modules that will disarm or destroy dynamic worms, he said.

Whether these defenses are in place or not, newer advanced worms will soon be spreading across the Internet, set to plague more and more users, he said.

“There’s going to be a paradigm shift that’s going to make them more prevalent.”

Here’s hoping antivirus and security firms can shift along with the worms.

Black Hat Briefings runs through Thursday at Caesars Palace in Las Vegas.

Crimelabs is online at http://www.crimelabs.net.