While the media was
preoccupied with Code
Red last weekend, a second major worm was making the rounds. SirCam
didn't target the White House, nor did it capitalize on Microsoft's
vulnerabilities, nor did it specifically target Outlook. Stealth was
just what the virus writer wanted, and under the crush of Code Red's
press coverage, that's what SirCam got. Now SirCam is the number one
virus in the world.
Jose Nazario, who spoke at this year's Black Hat Security
Briefing, is a biochemist who draws parallels between biological and
computer viruses. The problem with the current group of worms,
according to Nazario, is that they are all too highly visible,
unable to infect specific targets, and too easily blocked by
antivirus vendors. Nazario predicted that future worms will be
written with a specific goal in mind, such as infecting a specific
large network or spreading a political or hacktivism message within
a specific group of industry servers. And they will do so with
greater stealth.
NAZARIO SAID that virus writers are getting more
sophisticated and are trying to balance spread against penetration. The
ILOVEYOU worm set off red alerts all over the world in the first five
hours of infection, whereas two recent worms, Magistr and SirCam, both
spread quietly. Each was able to penetrate a fairly large number of
computers within a short period of time without attracting much
attention.
Magistr and SirCam both carry their own SMTP engines. Rather than
relying on the address book and sending functions of Microsoft Outlook,
as ILOVEYOU did, these worms harvest e-mail addresses from files on the
infected system and hand copies of themselves directly to a mail server,
whether or not an e-mail client is installed on the machine. SirCam goes
one step further by also being "network-aware": it looks for shared
resources and copies itself onto any network drive it can write to, so
many people will be infected with SirCam without ever seeing the
original infected e-mail.
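Both behaviours leave a footprint that has nothing to do with the mail client: a workstation that should only ever talk SMTP to the company relay suddenly opens port 25 to many outside hosts, and a machine that normally touches one file server starts knocking on SMB (139/445) across the whole subnet. The following is an added example, not code from this column, from Nazario or from any antivirus vendor, of flagging that fan-out in egress flow logs. It assumes a simple "timestamp src dst dport" record format, a constructed set of sample flows, a single sanctioned relay at 10.1.0.5, and fan-out thresholds of three distinct peers; all of these are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SMTP_PORT = 25
SMB_PORTS = {139, 445}

# Constructed sample flow records ("timestamp src_ip dst_ip dst_port"), not
# real traffic. 10.1.0.5 is the assumed sanctioned mail relay; 10.1.2.40 is
# the host behaving like a worm with its own SMTP engine and share scanner.
SAMPLE_FLOWS = """\
2001-07-23T09:00:01 10.1.2.17 10.1.0.5 25
2001-07-23T09:00:02 10.1.2.17 10.1.0.5 25
2001-07-23T09:00:03 10.1.2.40 203.0.113.10 25
2001-07-23T09:00:03 10.1.2.40 198.51.100.7 25
2001-07-23T09:00:04 10.1.2.40 192.0.2.33 25
2001-07-23T09:00:04 10.1.2.40 203.0.113.88 25
2001-07-23T09:00:05 10.1.2.40 198.51.100.120 25
2001-07-23T09:00:06 10.1.2.40 10.1.2.50 445
2001-07-23T09:00:06 10.1.2.40 10.1.2.51 445
2001-07-23T09:00:07 10.1.2.40 10.1.2.52 139
2001-07-23T09:00:07 10.1.2.40 10.1.2.53 445
2001-07-23T09:00:08 10.1.2.40 10.1.2.54 445
2001-07-23T09:00:08 10.1.2.40 10.1.2.55 445
2001-07-23T09:00:09 10.1.2.18 10.1.2.9 445
2001-07-23T09:00:09 10.1.2.18 10.1.0.5 25
2001-07-23T09:00:10 10.1.0.5 203.0.113.10 25
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse whitespace-separated flow records; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(ts, src, dst, int(dport)))
    return flows


def find_rogue_mailers(flows, mail_relays, max_direct_peers=3):
    """Hosts (other than the relays) that open SMTP to more than
    max_direct_peers distinct non-relay destinations: a private SMTP engine."""
    peers = defaultdict(set)
    for f in flows:
        if f.dport == SMTP_PORT and f.src not in mail_relays and f.dst not in mail_relays:
            peers[f.src].add(f.dst)
    return {src: sorted(d) for src, d in peers.items() if len(d) > max_direct_peers}


def find_share_scanners(flows, max_smb_peers=3):
    """Hosts that contact more than max_smb_peers distinct machines on SMB
    ports: a network-aware worm hunting for writable shares."""
    peers = defaultdict(set)
    for f in flows:
        if f.dport in SMB_PORTS:
            peers[f.src].add(f.dst)
    return {src: sorted(d) for src, d in peers.items() if len(d) > max_smb_peers}


def report(text, mail_relays):
    """Run both detectors over a block of flow records."""
    flows = parse_flows(text)
    return {
        "rogue_smtp": find_rogue_mailers(flows, mail_relays),
        "share_scanners": find_share_scanners(flows),
    }


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_FLOWS, {"10.1.0.5"}).items():
        for src, dsts in hits.items():
            print(f"{kind}: {src} -> {len(dsts)} distinct hosts: {', '.join(dsts)}")
```

In production the counts would be kept over a sliding time window rather than a whole file, and the SMTP rule is only meaningful where policy already forces workstations to relay through the mail server; the same outbound-25 block at the firewall that makes the rule enforceable also stops a worm's own SMTP engine from delivering anything at all.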
Unlike viruses, which need a host file or a user opening an attachment
in order to spread, worms run on autopilot; they are always on the
lookout for new computers to infect. Once they hit a network, they work
tirelessly to claim every machine. Nazario predicts that in the future,
worms will be even more dynamic. Instead of requiring each computer to
match a fixed set of infection criteria (as worms do now), these new
worms might settle for only two of three criteria for each new
infection. If that happens, detecting and removing these worms could
get much harder, as patterns or signatures become even more difficult
to identify.
I RECENTLY SPOKE WITH Joe Hartman, director of North
American antivirus research for Trend Micro,
Inc., who said one way to guard against network-aware worms like
SirCam is to restrict network access, either by doing away with open
shares altogether or by allowing them only under certain conditions,
such as requiring a password. In Windows 2000, you can set permissions
on file shares (and on the NTFS folders beneath them) so that only
specific users or groups can write to them.
Unfortunately, just cleaning your machine isn't
enough: you can be re-infected with SirCam as soon as you've removed
it. If you are on a network, try to trace back to find out
who may have sent you an infected e-mail or an infected file and
immediately follow up. Your entire network remains vulnerable until
the last trace of SirCam is removed from every machine and every share.
We haven't heard the last of Code Red or SirCam, because virus
writers build on each other's successes and create endless
variations. It's time to batten down the hatches. Update your
antivirus program and scan frequently because smarter, better worms
are coming. You have been warned.
Did you get infected by the SirCam worm? TalkBack to
me.