Access For Sale: A New Class of Worm
Kamal points me at a paper from WORM03 that is telling:
The damage inflicted by viruses and worms has been limited because the payloads that are most lucrative to malware authors have also posed the greatest risks to them. The problem facing authors of this self-reproducing malware is that monetizing each intrusion requires the author to risk communication with the infected system or its owner. The tool of choice for malware authors looking to minimize risk and maximize loot has been the carefully targeted attack, often employing a trojan horse or attack script. However, attackers’ preferences would likely change if they could infect a large number of systems using a worm and sell access to infected systems to other black hats. We introduce a new type of worm that enables this division of labor, installing a back door on each infected system that opens only when presented a system-specific ticket generated by the worm’s author. The risk to the worm’s author is minimized because he need not communicate with the infected systems. This new class of attack could increase the incentives to write malware and create a market for such specialized skills. In addition to describing this new threat, we propose a number of approaches for defending against it.
Source: Access For Sale: A New Class of Worm, Stuart E. Schechter and Michael D. Smith. Presented at the WORM03 workshop.
This type of observation is nothing new (nor was it when the authors did their work for WORM03). It's how I got started in analyzing worms and analyzing their likely futures, and we're seeing this use at an increased rate. We (and other groups) have detected, for example, correlations between Sasser worm hosts and spam that we receive in our inboxes, showing that these hosts have been used to send or relay spam. After all, if you want to get something widely distributed, you should look at automating its release and update.
How zombie networks fuel cybercrime, which appeared in a recent issue of The New Scientist, discusses the highly motivated people behind such coordinated actions. As long as such motivations exist and their goals can be achieved, use of worms like this is likely to continue. And that means we'll definitely see more worms in the coming months and years.
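A sketch of the Sasser-host-to-spam correlation mentioned above, as an added example that is not the author's own tooling. It assumes a sensor log in a made-up one-line format, treats repeated TCP/445 probing as the sign of a Sasser-like host, and trusts only the Received header stamped by the receiving mail server; all addresses, names and messages are constructed.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed sensor log: "<time> <src> -> <dst>:<port>" (documentation IP ranges).
SENSOR_LOG = """\
2004-05-03T10:01:12 192.0.2.10 -> 198.51.100.7:445
2004-05-03T10:01:13 192.0.2.10 -> 198.51.100.8:445
2004-05-03T10:02:40 203.0.113.5 -> 198.51.100.7:80
2004-05-03T10:03:02 192.0.2.77 -> 198.51.100.7:445
2004-05-03T10:03:03 192.0.2.77 -> 198.51.100.20:445
"""

# Constructed spam samples. The top Received header is the one our own MX wrote.
SPAM = [
    "Received: from a.example.net (a.example.net [192.0.2.10]) by mx.example.org\n"
    "Subject: cheap meds\n\nbody\n",
    "Received: from b.example.net (b.example.net [203.0.113.99]) by mx.example.org\n"
    "Received: from c.example.net (unknown [192.0.2.77]) by b.example.net\n"
    "Subject: hot stocks\n\nbody\n",
    "Received: from a.example.net (a.example.net [192.0.2.10]) by mx.example.org\n"
    "Subject: refinance now\n\nbody\n",
]

LOG_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+)$")
PEER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def scanning_hosts(log, port=445, min_targets=2):
    """Sources that probed at least min_targets distinct hosts on the given port."""
    targets = defaultdict(set)
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m and int(m.group(3)) == port:
            targets[m.group(1)].add(m.group(2))
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

def delivering_peer(raw):
    """Peer IP from the topmost Received header only; lower ones can be forged."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    m = PEER_RE.search(received[0]) if received else None
    return (m.group(1) if m else None), msg.get("Subject", "")

def correlate(log, messages):
    """Map each scanning host to the subjects of the spam it delivered to us."""
    scanners, hits = scanning_hosts(log), defaultdict(list)
    for raw in messages:
        ip, subject = delivering_peer(raw)
        if ip in scanners:
            hits[ip].append(subject)
    return dict(hits)
```

In the sample data 192.0.2.77 scans on 445 but appears only in a lower, sender-controlled Received header, so it is not counted as a spam source.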
November 7, 2004 in papers | Permalink
Comments
Another news item out:
Alleged DDoS kingpin joins most wanted list
http://www.securityfocus.com/news/9870
This reminds me to do some correlation work :)
Posted by: kamal | Nov 7, 2004 10:51:41 PM