A report this week from a group of developers dismissed the "Love" bug attack as crude and demonstrated -- with code examples and a working model -- how it is possible to create a far more sophisticated virus that would work across platforms, do its work with stealth and disappear before it could be stopped.
Security experts concur that worms in the last year, such as the Love bug and Melissa, merely proved the concept. Corporations should prepare now for much more dangerous worms that operate without user intervention.
Michal Zalewski, a Warsaw-based security specialist working for the Internet division of Telekomunikacja Polska SA, worked on a project to see if such a worm could be developed. The project was called Samhain and was developed by a loosely knit group in Europe. All work stopped on the project last year, but the group managed to create a working model.
'Very, very bad things'
"This model is a deadly dangerous engine, which can be used to do very, very bad things," Zalewski wrote in the report. "Probably we aren't the first people who thought about it and tried to write it. That's what makes us scared."
Protecting organisations from such a threat requires more than updated anti-virus software. "The next thing will be hackers using e-mail to hack in to your database without you knowing, to get important pieces of information," said Nick Galea, director of Malta-based GFI.
"I've been asked, twice, to develop such spy software," Zalewski said in an interview conducted over e-mail. "I don't know if it happens every day, but for sure it's possible. Automated worms are better spies than conventional hackers and crackers."
Some analysts, such as the GartnerGroup, have suggested that companies employ a content firewall, quarantining executables, scripts and macros at the e-mail server or firewall level. Several companies have products that claim to do that for e-mail, such as GFI's Mail Essentials and Content Technologies' MimeSweeper.
"But if you encrypt your e-mail, those scanners are going to have trouble," said Andreas Junestam, a technical consultant with Defcom Security in Stockholm, Sweden. Encryption -- itself the answer to many security problems -- will make content filters very difficult, unless the servers have a master key. But the master key itself will then become a security hole, Junestam said.
Zalewski, however, said companies should not expect a boom in such stealth worms. They are still difficult to develop. "It is slow progress," he said, "not a boom. But we probably should expect some kind of boom when talking about Visual Basic disc killers."
The code in the report is very Unix- or Linux-specific, but Zalewski said the project developed enough code for Windows to show that it is possible to spread to that platform as well.
The report summarises the "seven deadly attributes" of a more dangerous worm:
Portability -- works across platforms.
Invisibility -- stays undetected.
Independence -- spreads itself without user intervention.
Learning -- learns new techniques and tells other worms.
Integrity -- difficult to trace, modify or destroy.
Polymorphism -- changes frequently.
Usability -- does its work easily and disappears.












