Stopping New Generation of Internet Worms: Mission Impossible?
The definition
Today many Internet users worry about falling victim to computer worms (more properly called "Internet worms"). The record shows that Internet worms should be considered as malicious as their comrades-in-arms, viruses and Trojans.
What is an Internet worm? A worm is a self-replicating program that typically does not modify files but resides in active memory and replicates itself across computer networks. Worms use facilities of the operating system that are meant to run automatically and invisibly to the user. It is common for worms to be detected only when their uncontrolled replication depletes system resources, slowing or halting other applications.
Newer classes of worms still reside in memory and self-replicate, but also carry a malicious payload. Some worms are referred to as "e-mail worms" because they spread rapidly over the Net through e-mail clients: such worms send copies of themselves to every recipient in the infected user's address book. E-mail worms can cause loss of productivity and revenue, as mail servers collapse under the weight of the extra traffic.
A worm is comparable to a virus in many respects, except that it is a self-contained program able to rapidly spread functional copies of itself, or of its segments, to other computer systems over the network without depending on another program to host its code. A virus, in order to spread, typically needs to attach itself to a host program.
The main difference between worms and Trojans is that a Trojan horse program does not spread itself from one machine to another. Worms, unlike Trojans, have historically been used only rarely for remote access to infected machines, although, as discussed below, recent worms have begun to carry exactly that kind of payload.
The history
But why are they called worms?
On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, created an experimental, self-replicating, self-propagating program, called a worm, and injected it into the Internet. The so-called "Morris worm" was a self-contained program that exploited several common vulnerabilities to spread itself across the network at a phenomenal rate. Its aim was to gain access to another computer so that it could replicate itself there and reproduce further. It accomplished this by exploiting vulnerabilities in several popular programs, and by taking advantage of known host-access loopholes (trusted-host relationships and weak passwords), to spread across the network. For example, the worm exploited a non-standard command (the DEBUG command) available in a particular version of Sendmail (a popular program for e-mail routing and delivery) to spread from one machine to another; it also overflowed a fixed-size buffer in the fingerd daemon.
Morris chose to release his program from MIT to disguise the fact that the worm came from Cornell. He soon discovered that it was replicating and re-infecting machines at a much faster rate than he had anticipated: there was a bug. The worm was supposed to avoid reinfecting a machine already running a copy, but it went ahead anyway a fixed fraction of the time, so hosts ended up running many copies at once. Ultimately, many computers at locations around the country either crashed or became "catatonic".
When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually they sent an anonymous message from Harvard over the network, instructing administrators how to kill the worm and avoid re-infection. However, because the network routes were clogged, this message did not get through until it was too late. Computers were affected at many sites, including universities, military sites, and medical research facilities.
Robert T. Morris was convicted of violating the Computer Fraud and Abuse Act (Title 18 of the U.S. Code) and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.
New threat to the Internet Community
In some respects, older Internet worms were harmless compared with recent worms like the infamous "Code Red".
The "Code Red" worm is used to produce massive denial-of-service (DoS) attacks. Each server infected by "Code Red" was scheduled to send 100KB of junk data to Whitehouse.gov as part of an apparent DoS attack. Since more than 250,000 computers were infected by the worm, the administrators of the White House Web site decided to switch the site's numerical (IP) address to an alternate address to escape the attack; this worked because the worm carried the site's IP address, not its name.
The second version, "Code Red II", is in fact even more dangerous, as it installs a backdoor (a Trojan) that enables an attacker to remotely access the infected server.
The new generation of Internet worms seems to be a turning point for the safety of all Internet participants. Because recent worms carry Trojans or can be used to produce DoS attacks, they are more dangerous than ordinary Trojans and computer viruses put together.
The major trouble with recent Internet worms is that there is no complete solution to the problem. Once a victim's computer has been infected, it spreads the worm to at least one or two other machines; each of those infects another two, and so on. Growing in that fashion, a worm can effortlessly infect several thousand machines worldwide.
Since each infected machine can be remotely controlled by the worm's creator (or is simply programmed to perform certain malicious actions), the infected computers combined can mount a destructive DoS attack against any server on the Net.
How does a denial-of-service attack take place? Very simply. The goal of such an attack is to consume all of the bandwidth of the victim's connection to the Internet. The attacker uses several hundred or thousand computers that send a flood of data to the victim's server. As a result, visitors see connection timeouts or a "Service Unavailable" message instead of the home page.
One stopgap for the victim is to switch the site's numerical address to an alternate address, which only helps when the flood is aimed at a hard-coded address. But how would an administrator know that the server is about to be attacked? Finding out is not a big problem when the worm is programmed to attack a particular server, as happened lately to Whitehouse.gov, since the target can be read out of the worm's code; it is impossible to foresee the attack when the worm lets the attacker remotely control all the infected machines and pick the target at will.
Another problem is that if even one computer on a network has been infected by such a worm, the risk that it infects the others is very high.
The new generation of worms can wreak real havoc on the whole Internet community, and hence on the Internet economy.
How to protect your computer from worms?
To be sure your computer is well protected against Internet worms, learn and practice the following safety procedures:
- Always check for patches and updates for the software you use
- Install an anti-virus program whose database of known threats includes worm definitions
- Regularly update your anti-virus software
- If you use Windows, regularly check for new security patches from Microsoft
- Do not run unknown programs. Always scan e-mail attachments with anti-virus software, even those from people you know
- Always follow news about recently discovered security vulnerabilities and flaws
- If you are a network manager, try to detect suspicious traffic (for example, a single host suddenly probing many other addresses on the same port) and take appropriate action before whole groups of users can be infected.
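As an added example, not part of the original article, the following Python script shows the kind of check the last item above has in mind. It runs two detections over a constructed access log: a signature for the Code Red probe (a request for /default.ida padded with filler characters and followed by %u-encoded bytes), and a behavioural heuristic that flags any source contacting many distinct destinations within a short window, which catches a random-scanning worm whatever its payload looks like. The record layout, the thresholds, the sample lines and the function names are assumptions made for this example.

```python
"""Flag worm-like activity in a constructed network access log."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed record layout (hypothetical, not a real product's format):
#   <ISO-8601 timestamp> <src address> <dst address> "<HTTP request line>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"(?P<req>[^"]*)"\s*$'
)

# /default.ida, then a long run of N (Code Red I) or X (Code Red II) filler,
# then at least three %uXXXX escapes. The length thresholds are my choice.
CODE_RED_PROBE = re.compile(
    r'^GET /default\.ida\?[NX]{100,}(?:%u[0-9a-fA-F]{4}){3,}'
)


def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "req": m["req"]}


def is_code_red_probe(request):
    return CODE_RED_PROBE.match(request) is not None


def find_scanners(events, window_s=60, threshold=10):
    """Map each source that reached >= threshold distinct destinations inside
    some window_s-second window to the largest such count (sliding window)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = defaultdict(int)   # dst -> records inside current window
        lo, best = 0, 0
        for ts, dst in hits:
            in_window[dst] += 1
            # evict records older than window_s relative to the newest one
            while (ts - hits[lo][0]).total_seconds() > window_s:
                old = hits[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= threshold:
            scanners[src] = best
    return scanners


def analyze(log_text, window_s=60, threshold=10):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    signature_hits = [(e["src"], e["dst"]) for e in events
                      if is_code_red_probe(e["req"])]
    return {"signature_hits": signature_hits,
            "scanners": find_scanners(events, window_s, threshold)}


# Constructed sample, not a real capture. PROBE follows the widely reported
# Code Red request line: 224 N's followed by %u-encoded shellcode bytes.
PROBE = ("GET /default.ida?" + "N" * 224
         + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
         "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
         "%u0078%u0000%u00=a HTTP/1.0")

SAMPLE_LOG = "\n".join(
    ['2001-07-19T10:00:00 10.0.0.5 10.0.1.1 "GET /index.html HTTP/1.0"',
     '2001-07-19T10:00:07 10.0.0.5 10.0.1.1 "GET /news.html HTTP/1.0"',
     # a single probe from outside: worth a signature alert, not a scan
     f'2001-07-19T10:00:09 198.51.100.9 10.0.1.1 "{PROBE}"']
    # one infected host sweeping twelve addresses in 22 seconds
    + [f'2001-07-19T10:01:{2 * i:02d} 192.0.2.7 10.0.1.{10 + i} "{PROBE}"'
       for i in range(12)]
    + ['malformed line that the parser must skip'])

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("signature hits:", len(report["signature_hits"]))   # 13
    print("scanning sources:", report["scanners"])            # {'192.0.2.7': 12}
```

The two checks are deliberately independent: the signature catches the one known worm even from a host that sends a single request, while the scan heuristic catches an infected host before anyone has written a signature for what it carries, so a new worm still shows up as a source fanning out to addresses it has no business contacting. Tune the window and threshold to the normal fan-out of your own hosts before acting on the output.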