Worms will become dynamic, smarter

As if they aren’t enough trouble already, Internet worms are going to take an evolutionary leap, worm researcher Jose Nazario said Wednesday at the fifth annual Black Hat Briefings conference in Las Vegas.

“We’re going to see a paradigm shift in what worms have to offer … we’re going to see worms evolve,” said Nazario, who works for Crimelabs Security Group.

Internet worms are self-replicating and sustaining programs, often transmitted by e-mail, that infect vulnerable systems, sometimes with disastrous results, sometimes with minimal impact. Worms first gained prominence in the late 80s, but have seen their public profile grow in the last 18 months as the number of worms affecting Windows systems, and more recently, Linux systems, has risen dramatically.

That trend isn’t likely to end any time soon, Nazario said, who was presenting material from a paper Crimelabs will be releasing on its Web site next week. Crimelabs is a security consultancy.

“Worms have been and will continue to be a threat … because they are relatively easy to put together” and because they keep working on their own even after they’ve been set loose, he said.

Given that worms will continue to exist, Nazario and his colleagues at Crimelabs see a change coming for worms. Right now, worms are limited in their targets and objectives, their types of attacks and exploits, he said.

The writers of most high-profile worms seem to be saying, ”Look! I can write a worm,” Nazario said. Their objective seems often to be more the actual writing of the worm than interest in perpetrating damage.

These worms are also limited in the damage they can do because the network traffic they generate grows so exponentially that they are quickly identified and blocked, Nazario said.

Future worms, however, will be more sophisticated and subtle, making detecting and stopping them more difficult, he said. These new worms will include a number of dynamic components, which can be updated after the worm has been released, something that is not currently possible, he said.

Currently, worms use a single communications protocol to communicate between infected systems and with the machine (if any) that is controlling them. The worms Nazario sees coming will use a number of different protocols, and will be able to mix and match protocols, attacks and targets, thus making them harder to identify or stop. These worms will also have dynamic roles, meaning that the “child” worm may not necessarily look or behave how its “parent” did, he said.

Additionally, these worms will be able to change their characteristics and the damage they do on the fly, as the worm writer changes his code, Nazario said. Worms will be written with more modular structures that will allow for updating components, rather than writing new worms, he said. Updates will be distributed via Usenet and Web sites, and by hiding the updates in files that also contain non-worm content, he said.

Worms may even begin to require signed code to prevent update modules being written to keep the worms from working, he said.

Detecting the current crop of worms is largely a matter of understanding how the worm affects one system, which will lead to an understanding of how it will operate on all systems, he said. Dynamic worms will be more complicated, requiring correlation analysis to determine what set of scans and attacks are evidence of which worm.

Along with analysis, new kinds of defenses will have to be created. The oft-repeated mantra of keeping your antivirus software up to date and your system patched just won’t work any longer, he said.

“We keep saying that – no one’s doing it.”

These new worms will have to be fought using anomaly detection, agent-based intrusion detection systems and “poison” updates, modules that will disarm or destroy dynamic worms, he said.

Whether these defenses are in place or not, newer advanced worms will soon be spreading across the Internet, set to plague more and more users, he said.

“There’s going to be a paradigm shift that’s going to make them more prevalent.”

Here’s hoping antivirus and security firms can shift along with the worms.

Black Hat Briefings runs through Thursday at Caesar’s Palace in Las Vegas.

Crimelabs is online at http://www.crimelabs.net.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Previous article
Next article

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now