The recent release and wild propagation of the Conficker worm marks a milestone in the evolution of the Internet Worm.
In this post, I look back over two decades at the evolutionary process of the worm and discover that even complex worms supporting multiple infection vectors, e-mail propagation and social engineering have been around for over 20 years.
Conficker marks the arrival of a new breed of worm, incorporating functionality – disruption-resistant command and control with signed updates – that previously existed only in the written speculations of security researchers. It represents the re-emergence of a phenomenon that appeared to have died out a number of years ago.
This article starts with an examination of eleven notable attacks from the last decade, beginning with a mass-scale, self-propagating attack by Happy99 and finishing with the latest major advancements in 2004.
The evolutionary progression of the worm through a series of nine advancements is illustrated using these eleven examples.
E-Mail Propagation – 1999
Happy99, the first PC worm to use e-mail as a propagation method, grew quickly to become one of the most prolific worms on the Internet in 1999. In an age when users were less security aware, it required user interaction to run an executable that then modified the WinSock communication layer, adding itself to all outgoing e-mails and USENET posts.
Virus Hybrid – 1999
Melissa built on existing e-mail propagation techniques by utilising Microsoft Office documents as hosts and executing through embedded macros. This technique was borrowed from virus writers – using existing files as hosts for malicious code. Variations of Melissa carried destructive payloads – deleting hidden system files (Melissa.U) and Microsoft Office documents (Melissa.V). In some cases the malware backed up the destroyed documents and e-mailed the user demanding a $100 ransom.
Social Engineering – 2000
ILOVEYOU was one of the largest infections to date and spread to more than 10% (>50 million) of worldwide Internet-connected machines after its release in 2000. It utilised Visual Basic Scripting (VBS) attachments to e-mail messages and used crude social engineering to convince victims to run the script by opening the attachment. It propagated via e-mail to addresses harvested from victims' address books. Total global economic damage was in excess of $5 billion. Like Melissa it was also destructive, replacing common user file types (MP3, JPEG, DOC etc.) with copies of itself to assist re-infection. Matt Bishop has published an analysis of ILOVEYOU.
Operational Activity – 2001
Code Red attacked Microsoft IIS web servers using a buffer overflow condition and operationalised the attack by delivering defacements to websites on affected servers. It required no user interaction, propagating automatically to servers running IIS. After a lie-low period it also launched an uncoordinated DDoS attack against a number of IP addresses, including one leased to the White House. Interestingly, Code Red used runtime patching, so a simple restart of the IIS server could remove the infection. Steve Gibson has a fascinating explanation of the failure of the worm’s planned obsolescence.
Multimode – 2001
Nimda (‘admin’ backwards) exploited host machines using a variety of infection vectors. It spread using e-mail, via open network shares, by browsing compromised websites, via IIS server exploitation and using back doors left by the Code Red II and sadmind/IIS worms. Nimda’s versatility, and the number of defensive mitigations required to stop it, led to it becoming the Internet’s most widespread worm within 22 minutes of launch.
Optimised Propagation (Preferential Scanning) – 2002
Code Red II, which was unrelated to Code Red, but used the same IIS exploit, improved on its predecessor by introducing preferential scanning for bounce-on infections. CRII scanned the local subnet first rather than randomly generating IP addresses. In this way, by selecting computers that could be scanned with a lower latency, the worm achieved a much faster propagation rate.
Optimised Propagation (Single Packet Delivery) – 2003
The Slammer SQL worm (which infected MSSQL Server using a publicly released vulnerability) only infected 22,000 servers worldwide but had a devastating effect. It utilised UDP as a transport layer, and was small enough to reside in a single packet, so it became a fire-and-forget attack. Whilst memory resident and easy to remove, it spread so fast (hundreds of bounce-on infections per second) that reinfection without patching was inevitable. With infection doubling every 8.5 seconds, 90% of all infected machines were infected within 10 minutes. The worm had a devastating global impact as a result of the volume of traffic that infected machines generated. The traffic caused major Internet routers to repeatedly fail and exacerbated the problem with a second-wave DDoS caused by a mass of routing table updates from the failed nodes.
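The spread rate described above can be reproduced with the classic logistic (random constant spread) worm model. This is an added illustration, not code from the original post; the 8.5 s doubling time is the post's figure, while the size of the vulnerable population is an assumed value, and the model deliberately ignores the bandwidth saturation and router failures the post describes, so it gives an idealised lower bound on the time to 90% infection.

```python
import math

DOUBLING_SECONDS = 8.5       # from the post: infections doubled every 8.5 s early on
VULNERABLE_HOSTS = 75_000    # assumption: size of the vulnerable population (not from the post)


def growth_rate(doubling_seconds: float) -> float:
    """Per-second exponential growth rate implied by a doubling time."""
    return math.log(2) / doubling_seconds


def infected_fraction(t: float, doubling_seconds: float, population: int, seed: int = 1) -> float:
    """Logistic model: fraction of the vulnerable population infected t seconds
    after `seed` hosts begin random scanning. Growth is exponential while few
    hosts are infected and slows as uninfected targets become scarce."""
    r = growth_rate(doubling_seconds)
    a = seed / population
    return 1.0 / (1.0 + ((1.0 - a) / a) * math.exp(-r * t))


def time_to_fraction(target: float, doubling_seconds: float, population: int, seed: int = 1) -> float:
    """Closed-form inverse of infected_fraction: seconds until `target`
    (e.g. 0.9) of the vulnerable population is infected."""
    r = growth_rate(doubling_seconds)
    a = seed / population
    return math.log((target / (1.0 - target)) * ((1.0 - a) / a)) / r


def simulate(doubling_seconds: float, population: int, seed: int = 1,
             step: float = 0.1, target: float = 0.9) -> float:
    """Discrete-time cross-check of the closed form: every infected host adds
    new infections at rate r scaled by the share of hosts still uninfected."""
    r = growth_rate(doubling_seconds)
    infected, t = float(seed), 0.0
    while infected < target * population:
        infected += infected * r * (1.0 - infected / population) * step
        t += step
    return t


if __name__ == "__main__":
    t90 = time_to_fraction(0.9, DOUBLING_SECONDS, VULNERABLE_HOSTS)
    print(f"closed form: 90% infected after {t90:.0f} s ({t90 / 60:.1f} min)")
    print(f"simulation : 90% infected after {simulate(DOUBLING_SECONDS, VULNERABLE_HOSTS):.0f} s")
```

Under these assumptions the model reaches 90% in under three minutes, comfortably inside the 10-minute figure quoted above; the gap is what bandwidth saturation and failing routers cost the worm in practice.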
Botnet Hybrid – 2004
Mydoom and Mimail, released in late 2003 and early 2004 respectively, were both large-scale e-mail propagated worms that incorporated a back door to allow remote control of victim computers. MyDoom also incorporated a defensive mechanism – blocking access to the update facilities of Microsoft and several leading anti-virus vendors.
Automated Attacks Against Home PCs – 2004
Sasser, released in early 2004, attacked using a buffer overflow condition in the Windows LSASS module. It spread automatically using this listening-server exploit and required no user interaction. Interestingly, the vulnerability that Sasser exploited had previously been patched by Microsoft. The global destruction that it wrought (Delta Airlines had to cancel flights, the UK coastguard lost all their mapping, AFP Press lost all satellite communications), combined with the fact that the virus writer is suspected to have reverse engineered the patch itself to discover the vulnerability, provides a compelling reason to apply patches immediately on release.
Virus Warfare – 2004
Netsky, written by the same German author as Sasser, actively removed instances of other virus families from victim computers. Netsky included source code comments insulting the authors of Bagle and MyDoom, and removed those worms from all victim computers. Propagated through an e-mail attachment in a similar fashion to Happy99, it remained the most e-mailed worm for almost three years.
Social Networks – 2005
Samy was a Cross-Site Scripting (XSS) worm developed to propagate via the MySpace Online Social Network (OSN) site. The worm utilised a stored XSS attack and added itself to victims' pages when it was viewed on the pages of their friends. It became one of the fastest spreading viruses of all time when it infected over 1 million MySpace profiles in under 20 hours.
Up until this point, surprisingly, few worm innovations are new. Following worm evolution back another decade to the late 1980s reveals an interesting pre-historic period of development. Most subsequent developments had actually been pioneered years earlier, on a much smaller Internet … by the academic community.
Christmas Tree Exec – 1987
Christmas Tree EXEC (or CHRISTMA, as truncated in the days of 8-character filenames) was released in 1987 by an academic at Clausthal University of Technology. Written in the REXX scripting language, it was intended as a proof of concept. The payload merely drew a Christmas tree graphic on the screen and then propagated using e-mail addresses harvested from the victim's address book. An innovation ahead of its time, it was to be over a decade before large-scale e-mail worms utilising social engineering were released for end-user machines by blackhat hackers.
Morris Worm – 1988
Robert Morris developed another academic worm that, whilst not malicious in nature – it was allegedly an experiment to determine the size of the Internet – spread using multiple attack vectors. Exploits and password guessing were used to infect 6,000 mainframe terminals – over 10% of the Internet at that time. In 1 in 7 infections the worm ignored previous instances of itself on servers. This led to multiple infections per machine and Morris quickly became an example of an early Denial of Service attack.
Morris included a number of protection mechanisms, including deleting itself while it was running (to prevent forensics), camouflaging itself as the BASH shell and constantly forking itself and killing the parent to appear short-lived. Mark Eichin and Jon Rochlis from MIT conducted an in-depth investigation into the Morris worm in late 1988.
Conficker – 2009
Conficker, the innovative and disruption-resistant worm, arrived following a relatively quiet period. Conficker fused the best of existing worm technology with a series of breakthroughs. From Nimda, Conficker borrowed multimode infection, exploiting hosts via NetBIOS password guessing, service exploitation and removable media. Following the example set by Sasser, Conficker chose a vulnerability present in everyday home PCs – Conficker is not limited to the few servers running IIS as Code Red and others were.
Alongside the best-of-breed functionality from existing worms is a set of worrying new innovations, widely predicted by security commentators (including a decade ago by Bruce Schneier in “Secrets and Lies”). These include an auto-update facility incorporating encrypted communications, signed updates and a resilient distributed command and control system spread initially over 50,000 domain names and eventually (in Conficker.D and Conficker.E) utilising a custom peer-to-peer protocol. SRI have an in-depth analysis of the Conficker update functionality and its domain-name rendezvous feature.
Before Conficker, most of the innovations in worm technology from 2000 onwards were repeats of earlier research from the 1980s. The major differences now are:
- The number of machines connected to the Internet
- The speed and always-on nature of their communication
- The complexity of operating systems, application programs and web-based services
These differences have increased the attack space, decreased attack latency and increased the implications of an attack. This changed environment, combined with a new class of worm that is disruption-resistant and has the capability to dynamically update itself, has put the security industry firmly on the back foot. Lessons have been learned from the industry response to Conficker – the real test will be the success, or not, of its successor.