The rapid influx of computer worms and viruses that have spread their ugly heads lately have rattled the corporate brains of companies around the world. With names like Sobig, Nachi, Blaster and Slammer, today’s breed of viruses and worms sound like the bad guys you might read about in your favourite
comic book, but these villains are far more real and just as malicious.
On January 25, 2003, the SQL Slammer worm ravaged the Internet. The emergence of SQL Slammer marked a watershed moment in the evolution of information security and the Internet. Slammer’s repercussions were felt not only by the online community, but also the general public. For the first time, a person without an e-mail address, Web access, or even a computer, felt the effects of a new class of Internet threat. The fast moving worm caused airport delays by crashing ticketing systems. ATM networks and online bill-pay systems went offline and Slammer disrupted nearly all Internet connectivity in South Korea, making the country virtually disappear from the Web.
Events of August 2003 played out remarkably similar to those that marked Slammer’s presence. The Blaster worm created chaos by crashing numerous vulnerable Windows machines across the Net, changing the rules on malicious code attacks.
Blaster shattered the partially reassuring notion that e-mail-borne worms and viruses are the most significant threat for the home user. It was designed from the ground up to actively target more aggressively the home desktop as opposed to actual server computers.
Similar to some of its predecessors, Blaster wasn’t directly destructive – it didn’t format hard drives or trash files yet it infected thousands of computer systems around the world. Following in the footsteps of Slammer there was one key difference that separated Blaster from such worms as Code Red and Nimda – it actually crossed the digital divide into the mainstream. With both Slammer and Blaster, worms were no longer seen as virtual creations that only disrupted connected businesses and people surfing the Web or checking their e-mail.
Within days of Blaster, a white hat worm brought computer systems down at Air Canada and several other companies in mid-August. The worm moved from machine to machine in a bid to undo the damage wrought by Blaster.
Nachi, one of the many names the white hat worm has been called, spread across networks, removing Blaster and forcing infected computers to download a patch from Microsoft Corp. to fix the vulnerability it exploited. In doing so, Nachi tied up network traffic, causing as many problems as Blaster itself.
Although its intentions were good, Nachi’s actions crippled some organizations. There is no such thing as a good worm. Any worm that propagates as quickly as Nachi did is going to cause problems with networks regardless of whether or not it has code to destroy files or delete hard drives. Aggressive propagation in itself is enough to fill up networks, use up bandwidth and cause routers and firewalls to crash under the load.
Sobig, which was totally unrelated to Blaster and Nachi, is a good example of the “”piling on effect.”” IT organizations were racing around trying to deploy patches on all their desktops (tens of thousands of machines in some cases) for Blaster and Nachi and then Sobig hits.
Sobig was a bigger deal than it would have been otherwise because everyone was dealing with the first two issues at the same time they had to deal with Sobig. The problem lied in the fact Sobig was highly optimized to send out multiple messages at a time. In most all situations, anti-virus companies need a copy of the actual virus or worm before they are able to update their products to protect against the issue. Because Sobig spread so quickly, its effects were maximized because anti-virus companies were unable to update their products in time to ward against infection.
If we look at Sobig, Nachi and Blaster, none of them were directly destructive and none of them tried to delete information or destroy files – they all just propagated. We have yet to deal with viruses and worms of the magnitude of Slammer and Code Red that have also carried a destructive payload. That’s really what experts are cringing at and waiting for. E-mail based worms, although numerous and sometimes destructive, can be classified as nuisance worms. Network based worms such as Blaster, Slammer and Code Red are the ones we really have to worry about because they don’t require any user intervention. Basically if your computer is plugged in it can be infected by one of these types of worms by way of some vulnerability.
When searching for reasons why today’s computer bugs are so widespread, look no further than globalization. The spread of computer worms such as Slammer and Blaster are a result of world progress. Everything and everyone is now connected. The commoditization of bandwidth, the explosion of Internet technology, the integration of IP in everything from environmental control systems to our dial tone has rendered every system connected. All of these advances virtually guarantee that in one way or another, everything is connected.
This continuing, irreversible trend has guaranteed that massive, destabilizing events on the Internet can cause cascading failures in unexpected places. We endure the vulnerability because the benefits of a connected society are worth pursuing – speed, convenience, and access to services and information on a global scale. However, acceptance of this way of life leaves us questions when it comes to technology. What’s the fallout going to be when the next Blaster propagates wildly over the Internet? We, unfortunately, might learn the answer soon enough.
Dan Ingevaldson, engineering manager of Internet Security Systems’ X-Force research and development team, played a key role in the discovery and identification of the Slammer worm. In his role as security researcher, he has lead teams responsible for the discovery of several high-profile vulnerabilities including those in widely used software including DNS, Sendmail and PeopleSoft.