For Worm Writers, Speed Thrills


By Arik Hesseldahl

As computer attacks go, the recent rash of worms that shut down computers around the world hasn't infected as many machines as others that have come before. But what worries computer-security researchers about this latest round is how quickly the worms hit the Web.

Despite the attention the latest round of worms received from the media organizations they affected -- including Time Warner's (TWX) CNN, Disney's (DIS) ABC News, and The New York Times (NYT) -- the attacks on several versions of Microsoft's (MSFT) Windows operating system weren't as devastating as some previous worms.

Instead, what concerns researchers is the record time in which the worms appeared following Microsoft's disclosure of a vulnerability in Windows last week. "Normally it would take two to four weeks from the time that an exploit is disclosed to the time that we would normally see even the first proof-of-concept code that takes advantage of it," says Bruce Hughes, senior antivirus researcher at TrendMicro (TMIC), a computer-security software company based in Tokyo.

RETOOLED VARIANTS. Microsoft revealed the vulnerability in Windows and released a software patch to repair it on Aug. 9. Code that could be used to create worms that take advantage of the bug first started circulating on the Internet on Aug. 12, and the first worms appeared on Aug. 14. By Wednesday morning, Aug. 17, at least 11 variants of the worm, bearing such names as Zotob, IRCbot, Rbot, SDbot and Drudgebot, were spreading.

In some cases, the worms' creators may be simply reconfiguring existing worm programs to work with the newly disclosed vulnerabilities, says Ero Carrera, a researcher with F-Secure, a security-software concern in Helsinki, Finland. "Sometimes all you have to do is plug in new code to make an existing worm work with a new exploit," he says.

Whatever the reason for the worm programmers' fast work, it only underscores the fact that when software companies -- particularly Microsoft and antivirus software companies -- issue updates, it's a good habit to install them as quickly as possible and to check for new updates often. Even as reporters were demonstrating the effects of the worm live on CNN on the night of Aug. 16, users of most major antivirus software products who had updated their virus definitions, as well as those who had downloaded Microsoft's patches to fix the vulnerability, were already protected against the worm.

TURKISH ORIGIN? And the need for faster response times to new vulnerabilities certainly won't make life any easier for already overtaxed corporate info-tech personnel. Tech managers are generally used to having more time to respond after a vulnerability is first disclosed, Hughes says. "Most people don't patch for 30 to 60 days after a disclosure because they need to test it, and the virus writers know this. A lot of companies probably had to patch for this a lot faster than they were used to," he says.

Meanwhile, researchers in Britain have started to zero in on the identity of the creator of at least one variant of the Zotob worm. Alex Shipp, a virus researcher at MessageLabs, based in London, says researchers there have found telltale signatures indicating that a virus writer who uses the nom-de-keyboard Diabl0, and who is thought to be based in Turkey, appears to be behind at least one version. "Our researchers found that this worm contacts a server that had previously been used in worms written by Diabl0 and that code from some of those previous worms is present in the new one," Shipp says.

Diabl0 -- the end of the nickname is a zero -- is also known to post messages to certain Web sites based in Turkey and writes in Turkish, Shipp says. He's thought to have been the author of the MyTob worm, which first appeared in March of this year and may have evolved from some versions of MyDoom. The first MyDoom worm was one of the fastest-spreading computer worms ever, infecting more than a million computers over six days in early 2004.

WORM WARS. The large number of variants -- at least 11 had been sighted by the morning of Aug. 17 -- may indicate the renewal of a factional rivalry between virus and worm creators, researchers at MessageLabs and F-Secure say.

Experts at F-Secure say they've determined that one set of worm variants going under the name IRCbot removes certain versions of the Zotob worm as well as a few other worms going under the name Rbot and SDbot. As yet nothing is known about who may be behind the Zotob-killing variants of the worms. And even though it removes Zotob and others, IRCbot still leaves the computer infected -- and uses the same vulnerability to do it.

The occurrence of such a rivalry, in which one worm removes the other, could be significant because in previous worm outbreaks, the ongoing game of one-upmanship led to increasingly noxious forms of the worms spreading onto the Internet over the course of several hours or days, making the task of inoculating computers all the more challenging, especially for corporate IT managers in charge of large numbers of PCs. "The last time we saw something like this, it got as high as 20 different variants," Carrera says. "If it continues like this, it will get messy."

WE INTERRUPT THIS PROGRAM... Researchers generally don't see any significance to the fact that the worms seemed to strike at least three major media organizations on the same day. "Media organizations have always been targets," says Arthur Wong, vice-president of Symantec's (SYMC) security-response unit.

But the fact that at least one -- CNN -- preempted its regular programming in order to cover news of the outbreak could lead virus and worm programmers, who often crave notoriety, to encourage others to specifically target media outfits in the future. "I think it was just chance that this hit so many media companies at once," says TrendMicro's Hughes. "But I sure bet the bad guys enjoyed their worm getting on CNN."

Hesseldahl is a reporter for BusinessWeek Online in New York

