Worms and Viruses Are A Thing of the Past

Another writeup dismissing the worm and bot thing as "a thing of the past." I firmly believe that the death of the worm (or bot) is greatly exaggerated.

From the article:

Ok, now that we covered what classical trojans are all about, what's the deal with the RATs? How do they manage to get passed [sic] firewalls and antivirus running on the target system? Security companies announced that RATs can be found bundled with freeware; their favorite location is deep inside file-sharing applications and even electronic greeting cards. Now, who would have thought of such a thing? File sharing programs which include unwanted and dangerous software... well, nothing new about that. Kazaa used to be the champion of bundling spyware, adware and other such 'pleasant' surprises. RATs can also be found on porn sites and also inside online casinos. So if you plan on visiting such sites or using the applications mentioned earlier, don't be too surprised if you'll end up with a few 'gifts'.

Source: Worms and Viruses Are A Thing of the Past on SoftPedia, 13th of November 2005.

Think about it this way: if you're interested in spreading malware to thousands of users, would you go after hardened servers and hope to distribute your software via that site? You'd have to drive traffic to the site, as well, so you want to go after something pretty big or use major DNS injection. However, you know that these web servers are hardened or monitored, or worse, they already have deals with adware and spyware distributors, so whatever you do gets caught in a matter of hours and taken down.

Or you can write software which autonomously goes from one to many hosts, persists for years, and can be updated.

I'll let you digest that one for a while.

One thing that we see time and time again is that worms like Code Red, Nimda, and Blaster all linger for years. The quantity of hosts infected with any of the RBot, Spybot or SDBot variants is huge, and they're all at people's disposal. This malware is very hard to get rid of, because it just keeps going. You can update it, and you can use many of the same techniques the "RAT" author (above) talks about. You can use rootkits to hide the processes and software, you can use droppers to bootstrap it on there, and you can use an IRC server to control your network. But you get it on there by using an epidemic spreading approach as opposed to the "herd and infect" model. You get it on there in the way that is going to get you the biggest bang for your effort and last the longest. You get it on there using automatic means.

The worm isn't going away for a long time, at least as a distribution model for malware. The bot is the worm's natural evolution (look at our "Future of ..." paper from 2001), the Trojan is another way to get the malware on there, and all of these approaches can easily be automated in a worm-like approach.

November 14, 2005 in editorial | Permalink

Comments

One thing that "worm enthusiasts" often overlook is the risk in the inductive step. A worm (an autonomous process that can replicate across a network) may have a bug in how it spreads. This may not dissuade curious grad students, but it is dissuasive to many other actors. Server-side exploits that spread to clients do not have this limitation, allow greater targeting, can get large audiences, and can penetrate firewalls with relative ease. Those are advantages that are hard to overlook. Although I agree that worms are not going away any time soon (actually, I believe that their usage will increase, but in more selective/less visible ways), understanding worm technology in a broader context will lead to better analysis of when/how they will be used. The question isn't just "what can worms be used to do?" but, "when is a worm the best tool for the job?" I think the answer to the last question has been a fairly narrow space for the last few years. It'll be interesting to see how that space changes over the next few years.

Posted by: Dan Ellis | Nov 21, 2005 2:34:37 PM
