Why the SirCam worm is only the beginning for new viruses.

By
31 August 2001 07:02 PM
Tags: virus writer, code red's, sircam, black hat, worms, infect

While the media was preoccupied with Code Red last weekend, a second major worm was making the rounds. SirCam didn't target the White House, nor did it capitalise on Microsoft's vulnerabilities, nor did it specifically target Outlook. Stealth was just what the virus writer wanted, and under the crush of Code Red's press coverage, that's what SirCam got. Now SirCam is the number one virus in the world.

Jose Nazario, who spoke at this year's Black Hat Security Briefing, is a biochemist who draws parallels between biological and computer viruses. The problem with the current group of worms, according to Nazario, is that they are all too highly visible, unable to infect specific targets, and too easily blocked by antivirus vendors. Nazario predicted that future worms will be written with a specific goal in mind, such as infecting a specific large network or spreading a political or hacktivist message within a specific group of industry servers. And they will do so with greater stealth.

NAZARIO SAID that virus writers were getting more sophisticated and are trying to balance spread vs. penetration. The ILOVEYOU worm set off red alerts all over the world in the first five hours of infection, whereas two recent worms, Magistr and SirCam, both spread quietly. Each was able to penetrate a fairly large number of computers within a short period of time without a whole lot of attention.

Magistr and SirCam both use their own SMTP engines. Rather than target systems using Microsoft Outlook email software, these worms can grab email addresses from an infected system and send copies of themselves whether or not an email client is installed on the system. SirCam actually goes one step further by also being "network-aware." It looks for shared resources and attacks networked drives, so many people will be infected with SirCam without ever even seeing the original infected e-mail.

Unlike viruses that need a file or e-mail to spread, worms are themselves on autopilot; they are always on the lookout for new computers to infect. Once they hit a network, they work tirelessly to claim every machine. Nazario predicts that in the future, worms will be even more dynamic. Instead of trying to match specific infection criteria with each computer (as worms do now), these new worms might settle for only two of three criteria for each new infection. If that happens, detecting and removing these worms could get much harder as patterns or signatures become even more difficult to identify.

I RECENTLY SPOKE WITH Joe Hartman, director of North American antivirus research for Trend Micro, who said one way to guard against network-aware worms like SirCam is to restrict network access, either by restricting open shares altogether or allowing them under certain conditions such as requiring a password. In Windows 2000, you can set permissions on open file shares.
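The share audit that the advice above implies, written here as an added example rather than anything from the article or Trend Micro: it lists SMB shares on the local host and flags any that grant Change or Full access to Everyone, anonymous users or all local users, which is the kind of open share a network-aware worm can write copies of itself to. It assumes a Windows 8 / Server 2012 or later host (the `Get-SmbShare` and `Get-SmbShareAccess` cmdlets), not the Windows 2000 the column mentions.

```powershell
# Added example: find SMB shares writable by broad principals.
# Assumes Windows 8 / Server 2012 or later for the SmbShare module.
$broadPrincipals = @('Everyone', 'ANONYMOUS LOGON',
                     'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Users')
# Skip the built-in administrative shares (ADMIN$, IPC$, C$ ...); they are
# already limited to administrators.
$adminShares = '^(ADMIN\$|IPC\$|[A-Z]\$)$'

$findings = foreach ($share in Get-SmbShare | Where-Object { $_.Name -notmatch $adminShares }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $principal = $ace.AccountName
        $isBroad = ($broadPrincipals -contains $principal) -or ($principal -like '*\Everyone')
        # Only Allow entries that permit writing matter for worm propagation.
        if ($isBroad -and $ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Change', 'Full')) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $principal
                Right     = $ace.AccessRight
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No shares grant write access to broad principals.'
}
```

The share permission is only half of the picture: effective access is the intersection of the share ACL and the NTFS ACL on the underlying folder, so a share flagged here should be checked with `Get-Acl` on its path before deciding it is safe.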

Unfortunately, just cleaning your machine isn't enough: you can still be re-infected with SirCam once you've removed it. If you are on a network system, try to trace back to find out who may have sent you an infected email or an infected file and immediately follow up. Your entire network remains vulnerable until the last trace of SirCam is removed.

We haven't heard the last of Code Red or SirCam, because virus writers build on each other's successes and create endless variations. It's time to batten down the hatches. Update your antivirus program and scan frequently because smarter, better worms are coming. You have been warned.
