IT Security Pro Fears Stronger, Super Worms Coming

"The next super worm is about to hit," said Scott Chasin, chief technology officer of message filtering firm MX Logic and creator of the well-known security discussion group Bugtraq.

The next generation of mass-mailed worms will be even more dangerous than the current malware that plagues corporations and consumers, Chasin warned. Instead of relying on embedded SMTP engines to propagate from one machine to another, the newest threats will use their own peer-to-peer networking technology to not only proliferate but also to communicate with systems infected with other worms, creating a so-called "super worm" that could continue to mutate almost indefinitely.

The best example so far of such capability is Phatbot, said Chasin, a worm that to date has had only limited success.

"Phatbot represents the latest and most modern architecture of a worm," said Chasin, because it includes peer-to-peer (P2P) networking technology taken from AOL's Nullsoft development group. The source code for the P2P technology, dubbed WASTE, was made publicly available last summer and was put into use by Phatbot.

Worms like Phatbot are particularly hard to stymie, since their P2P-based attacks can be shut down only if every infected computer is tracked down and cleaned.

Put a number of P2P worms together, though, and give them the capability of talking to one another, and the danger escalates dramatically, as an über network of hundreds of thousands of infected machines is created.

"I've never seen an instance of these worms where they've been able to communicate with each other, but when they do, it will open an entirely new threat vector," said Chasin.

"They'll have the ability to touch just one infected machine and provide new attack code for the entire network of connected machines."

That could put an end to the worm "waves" that security experts now deal with -- where a worm appears, peaks, then essentially disappears -- and replace it with a continuous barrage of new exploits.

Another possible use of such inter-worm communication would be to build a spam-spewing collection so large that spammers could send just a few messages from each compromised mail server, doing an end-around administrators' tactic of watching for high spikes in mail volume or other anomalies.
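To show that evasion from the defender's side, here is an added example (not from the article, Chasin or MX Logic) over constructed hourly outbound-mail counts for ten hypothetical relays: a per-host spike threshold catches one relay blasting spam but misses the distributed pattern, while a fleet-wide volume check against the summed baseline catches both.

```python
from collections import defaultdict

# Constructed data, not from the article: each record is (hour, host, messages_sent).
# BASELINE holds each relay's normal hourly outbound volume.
BASELINE = {f"mx{i}": 20 for i in range(1, 11)}

# Scenario A: one compromised relay sends 2000 messages in an hour (the classic spike).
SPIKE_HOUR = [("09", "mx1", 2000)] + [("09", f"mx{i}", 20) for i in range(2, 11)]

# Scenario B: the pattern the article predicts, every relay sending "just a few" extra.
DISTRIBUTED_HOUR = [("09", f"mx{i}", 50) for i in range(1, 11)]


def per_host_spikes(records, baseline, factor=5):
    """Classic check: flag any host sending more than `factor` times its own baseline."""
    return sorted(host for _, host, sent in records if sent > factor * baseline[host])


def fleet_anomaly(records, baseline, factor=2):
    """Fleet-wide check: compare the hour's total volume with the summed baseline.

    A modest per-host increase across many hosts still moves the aggregate, which is
    what the per-host threshold above cannot see.
    """
    totals = defaultdict(int)
    for hour, _, sent in records:
        totals[hour] += sent
    expected = sum(baseline.values())
    return {hour: total for hour, total in totals.items() if total > factor * expected}


def breadth_anomaly(records, baseline, factor=2, min_fraction=0.5):
    """Breadth check: flag an hour when most hosts are simultaneously above baseline."""
    above = defaultdict(int)
    seen = defaultdict(int)
    for hour, host, sent in records:
        seen[hour] += 1
        if sent > factor * baseline[host]:
            above[hour] += 1
    return {hour: above[hour] / seen[hour] for hour in seen
            if above[hour] / seen[hour] >= min_fraction}


if __name__ == "__main__":
    for name, log in (("spike", SPIKE_HOUR), ("distributed", DISTRIBUTED_HOUR)):
        print(name, per_host_spikes(log, BASELINE), fleet_anomaly(log, BASELINE),
              breadth_anomaly(log, BASELINE))
```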

Worm-to-worm communication could also be used to raise the denial-of-service (DoS) attack ante. DoS attacks, which have been the hallmark of such worms as MyDoom and Netsky, could become more aggressive, more frequent, and be used for political and economic gain.

"This was really defined by MyDoom taking on SCO's site, and other worms targeting Microsoft or the RIAA," said Chasin. "Those examples will only become more common."

Although P2P-based worms are often originally spread by e-mail -- still a very effective propagation technique, Chasin said -- new avenues such as insecure wireless access points are what worries him most.

There are already tools which let spammers conduct "drive-by spamming," where a car and a laptop are used to cruise for unprotected access points, and spam is shunted through those APs to the general Internet. "Worm writers could easily take that and leverage APs as insertion points for malicious code," said Chasin, resulting in "drive-by worming" using a mobile "worm truck."

"A Honda and a laptop could do this," he warned.

Doom and gloom? Chasin's take is that the bad guys now have the upper hand, and that defenses will be tough to implement and take a long time to put into place.

"They have the advantage, and it's us who are playing catch-up."

This story courtesy of TechWeb.