Fear the worm. The computer worm – that is, cautions the director of research for a computer security firm.
People are aware of the dangers computer viruses pose, but computer users need to be aware of another growing threat called a worm, said Symantec Corp.’s, director of research, Stephen Trilling. The two are somewhat similar, but they differ in one important way: the way they spread, Trilling told attendees at Dell Computer Corp.’s DirectConnect conference in Austin, Tex. on Thursday.
Viruses spread from one file to many on a single computer, but they don’t move to another computer on their own, he said. A user has to do something to make it happen – whether it’s accidentally sharing a contaminated diskette or inadvertently passing or receiving an infected file via e-mail. A worm, on the other hand, lives to go forth and proliferate.
“A worm is a program specifically designed to spread itself from one computer to another on a network,” Trilling said.
A virus spreads only as fast as people exchange information, but a worm spreads at the speed of the Internet, he said. A worm is less interested in infecting additional files on a single PC and is more interested in reaching more PCs.
People often confuse viruses and worms, he said. Why did Melissa, ExploreZip, and Love Letter spread so fast? They were worms.
The ExploreZip worm came out last year. It arrived as an e-mail, and when you clicked it, the worm would sit on your system and respond to each incoming e-mail. It also spread from one shared drive to the next without any user intervention, he said.
Melissa hit in March 1999. Once it arrived on a system it would send itself out to the first 50 people in the user’s address book. Thanks to mailing lists with hundreds of names, it spread to more than 50 people each time it went out, he said.
The first worm was created for beneficial purposes at Xerox Corp., Trilling said. In 1982 the company created a worm to perform a variety of repetitive tasks on computers such as cleaning up temporary files. It was a very useful program, until it went bad. The worm began to crash systems, and Xerox had to create one of the first antivirus programs to get rid of it.
In 1987, a new worm called Christmas.exe spread throughout IBM Corp.’s e-mail network, he said. It moved like the Love Bug and displayed a primitive Christmas tree on its victims’ monitors.
Finally, in 1988 a Cornell computer science graduate released an infamous worm called the Morris Internet worm. It used known Unix backdoors to break into some 6,000 systems. These backdoors had patches, but people hadn’t installed them, Trilling said.
These early worms stirred people up, but had limited worldwide impact. However, today’s worms are able to reach considerably more users thanks to combination of factors.
Computers and networks were once based largely on proprietary hardware and software, which made it difficult to create a one-size-fits-all worm. The rise of a homogeneous computing infrastructure has led to a proliferation of worms, Trilling said.
So many people and companies are standardizing on the same software and hardware, one worm can infect many systems, he said. With today’s powerful software and hardware, just about any miscreant can create and test a worm, and the rise of the Internet makes it all too easy to spread it.
By January 2001, experts predict there will be 300 million Internet users, and if they’re all using basically the same types of systems and software, one worm can reach them all, he said.
And just wait until more home users get broadband, he said. Most threats today hit corporations because of their always-on connections. Individuals become more vulnerable when they’re connected full time.
Traditional virus-fighting methods can’t cope with worms, Trilling said. Antivirus companies such as Symantec and its competitors will have to react much faster and work more proactively, he said. Today Symantec can respond to a new virus within 48-hours, which is plenty of time. But it won’t be fast enough when new worms begin appearing daily.
An effective firewall can help defend against worms. But Trilling said antivirus vendors need to create a more automated system to create and deploy fixes faster, he said, Human beings don’t operate at the speed of the Internet. The need will be to spread a cure at a faster rate than the threat moves.
And what if villainous programmers begin pumping out worms every 10 seconds? Traditional software can’t handle it, he said. Corporations and users will have to stop using programs with macros, they’ll have to strip executable content at the Internet gateway, before it reaches the computers.
Two new technologies could help to fight worms, too. Digital immune systems will automatically detect suspicious behavior and automatically forward samples to a company like Symantec. The company replicates the infection, creates and tests a cure, and ships it to subscribers automatically. The approach can work, but it’s still reactive, he said.
A more future-looking technology is called behavior blocking. It looks at the operating system and watches what a program is doing. If a program acts weird – such as deleting files it didn’t create – it can flag it as malicious. Today this approach is still prone to too many false positives, but down the road it will be more viable, he said.
Regardless of what method proves best, it’s time people and companies started thinking about the worm problem more seriously, he said. It might not be a 15-year-old that launches the next one: It could be someone intent on causing more serious damage.