`
`Thomas M. Chen
`Dept. of Electrical Engineering
`SMU
`PO Box 750338
`Dallas, TX 75275-0338 USA
`Tel: 214-768-8541
`Fax: 214-768-3573
`Email: tchen@engr.smu.edu
`
`Jean-Marc Robert
`Alcatel Canada Inc.
`600 March Road
`Ottawa, Ontario, Canada K2K 2E6
`Tel: (613) 784-5988
`Email: jean-marc.robert@alcatel.com
`
`Abstract - Computer viruses and network worms have evolved through a continuous series of innovations, leading to
`the recent wave of fast-spreading and dangerous worms. A review of their historical development and recent
`outbreaks leads to a number of observations. First, while viruses were more common than worms initially, worms
`have become the predominant threat in recent years, coinciding with the growth of computer networking. Second,
`despite widespread use of firewalls and other network security equipment, worm outbreaks still occur and will likely
`continue to be a threat for the near future. Third, recent worms are appearing as a series of quick successive variants.
`Unlike the independent efforts of early viruses, these variants suggest an increasing level of coordination among
`worm creators. Fourth, recent worms have shown capabilities to spread faster and exploit more infection vectors.
`This trend implies a more urgent need for automated, coordinated protection measures. Finally, more dangerous
`payloads are becoming commonplace. This suggests that worm creators are using worms for other objectives than
`simply infection, such as data theft and setting up denial of service networks.
`
`1. Introduction
`
`Computer viruses and worms are characterized by their ability to self replicate. The modern computer virus
`
`was conceived and formalized by Fred Cohen as a USC graduate student in 1983. Cohen wrote and demonstrated
`
`the first documented virus in November 1983 [1]. Like biological viruses, computer viruses reproduce by taking
`
`advantage of the existing environment. A biological virus consists of single or double-stranded nucleic acid (DNA
`
`or RNA) surrounded by a protein shell (capsid). The capsid gives specificity to bond with those particular hosts with
`
`matching surface receptors, while the inner nucleic acid gives infectivity or potency to subvert the infected host's
`
`cellular machinery. A virus is incomplete and inactive outside of a living cell but becomes active within a host cell
`
`by taking over the host's metabolic machinery to create new virus particles that spread the infection to other cells.
`
`Computer viruses replicate themselves by attaching their program instructions to an ordinary "host"
`
`program or document, such that the virus instructions are executed during the execution of the host program. As a
`
`1
`
`Blue Coat Systems - Exhibit 1045
`
`
`
`simplification of Cohen's definition, a basic computer virus can be viewed as a set of instructions containing at least
`
`two subroutines attached somehow to or within a host program or file [2]. The first subroutine of the virus carries
`
`out the infection by seeking out other programs and attaching or overwriting a copy of the virus instructions to those
`
`programs or files [3]. The method of infection or propagation is called the "infection vector" (borrowed from
`
`epidemiology). The second subroutine of the virus carries the "payload" that dictate the actions to be executed on the
`
`infected host. The payload could be almost anything in theory, for example, deletion of data, installation of
`
`backdoors or DoS (denial of service) agents, or attacks on antivirus software [4]. An optional third subroutine could
`
`be a "trigger" that decides when to deliver the payload [5].
`
`Computer networks have created a fertile environment for worms, which are related to viruses in their
`
`ability to self-replicate but are not attached parasitically to other programs. Worms are stand-alone automated
`
`programs designed to exploit the network to seek out vulnerable computers to infect with a copy of themselves. In
`
`contrast to viruses, worms are inherently dependent on a network and not dependent on any human action (such as
`
`to execute a program infected with a virus). Worms have become more prevalent since Internet connectivity has
`
`become ubiquitous. The Internet increases the vulnerability of all interconnected computers by making it easier for
`
`malicious programs computers to move among computers.
`
`Recent worm outbreaks, such as the Blaster worm in August 2003 and the SQL Sapphire/Slammer worm in
`
`January 2003, have demonstrated that networked computers continue to be vulnerable to new attacks despite the
`
`widespread deployment of antivirus software, firewalls, intrusion detection systems, and other network security
`
`equipment. We review the historical development of viruses and worms to show how they have evolved in
`
`sophistication over the years. The history of virus and worm evolution is classified into four “waves” spanning from
`
`the Shoch and Hupp worms in 1979 to the present day (the term “generations” is less preferred because viruses and
`
`worms of one wave are not direct descendents from an earlier wave). This historical perspective leads to a number
`
`of observations about the current state of vulnerability and trends for possible future worm attacks.
`
`We classify the evolution of viruses and worms into the following waves:
`
`• first wave from 1979 to early 1990s
`
`• second wave from early 1990s to 1998
`
`• third wave from 1999 to 2001
`
`2
`
`
`
`• fourth wave from 2001 to today.
`
`These waves represent periods where new technological trends began and appeared in a significant number of cases.
`
`For example, the third wave was dominated by so-called mass e-mailers: viruses and worms that exploited e-mail
`
`programs to spread. The classification dates are approximate and not meant to imply that waves can be separated so
`
`distinctly. For example, mass e-mailers characteristic of the third wave are still common during the fourth wave.
`
`2. First Wave: Early Viruses and Worms
`
`The first wave of viruses and worms from roughly 1979 to early 1990s were clearly experimental. The
`
`early viruses were commonly boot-sector viruses and targeted mostly to MS DOS. The early worms were prone to
`
`programming bugs and typically hard to control. The term “worm” was created by John Shoch and Jon Hupp at
`
`Xerox PARC in 1979, inspired by the network-based multi-segmented "tapeworm" monster in John Brunner's novel,
`
`The Shockwave Rider. Shoch and Hupp used worm to refer to any multi-segmented computation spread over
`
`multiple computers. They were inspired by an earlier self-replicating program, Creeper written by Bob Thomas at
`
`BBN in 1971, which propelled itself between nodes of the ARPANET. However, the idea of self-replicating
`
`programs can be traced back as early as 1949 when the mathematician John von Neumann envisioned specialized
`
`computers or “self-replicating automata” that could build copies of themselves and pass on their programming to
`
`their progeny [6].
`
`Shoch and Hupp invented worms to traverse their internal Ethernet LAN seeking idle processors (after
`
`normal working hours) for distributed computing [7]. Since the worms were intended for beneficial uses among
`
`cooperative users, there was no attempt at stealth, intrusion, or malicious payload. Even under cooperative
`
`conditions however, they observed that worm management was a key problem to ensure that worm growth could be
`
`reliably contained. Their worms were designed with limited lifetimes, and responsive to a special packet to kill all
`
`worms. Despite these safeguards, one of the worm programs mysteriously ran out of control and crashed several
`
`computers overnight.
`
`In 1983, Fred Cohen conceived, wrote and demonstrated the first computer virus while a graduate student
`
`at USC. The 1986 DOS-based Brain virus, supposedly written by two Pakistani programmers, was interesting in its
`
`3
`
`
`
`attempt to stealthily hide its presence by simulating all of the DOS system calls that normally detect viruses, causing
`
`them to return information that gave the appearance that the virus was not there.
`
`In 1987, the "Christma Exec" virus was among the first to spread by e-mail among IBM mainframes. It is
`
`also an early example of social engineering where the user is tricked into executing the virus because it promised to
`
`draw a Christmas tree graphic. The worm does produce a Christmas card graphic on the computer screen (drawn
`
`using a scripting language called Rexx) but also sends a copy of itself in the user's name to his list of outgoing mail
`
`recipients. The recipients believe the e-mail is from the user so they open the e-mail.
`
`On November 2, 1988, the famous Morris worm disabled 6,000 computers in a few hours (constituting 10
`
`percent of the Internet at that time) [8]. The worm was written by a Cornell student, Robert Morris Jr. Investigations
`
`conducted later (ending in his conviction in 1990) concluded that his motives for writing the worm were unknown
`
`but the worm was not programmed deliberately for destruction. Instead, the damage appeared to be caused by a
`
`combination of accident and programming bugs. It was detected and contained only because an apparent
`
`programming error caused it to re-infect computers that were already infected, resulting in a noticeable slowdown in
`
`infected computers. It was among the first to use a combination of attacks to spread quickly: cracking password
`
`files; exploiting the debug option in the Unix “sendmail” program; and carrying out a buffer overflow attack through
`
`a vulnerability in the Unix “finger” daemon program.
`
`In October 1989, the WANK (Worms Against Nuclear Killers) worm apparently learned from the Morris
`
`worm and infected VMS computers on DECnet. It spread using e-mail functions, exploited default system and field
`
`service accounts and passwords for access, and tried to find accounts where the user name and password were the
`
`same or the password was null.
`
`3. Second Wave: Polymorphism and Toolkits
`
`The second wave in the approximate period from the early 1990s to 1998 saw much more activity in
`
`viruses than worms, although the technical advances in viruses would effect the later evolution of worms. In this
`
`period, viruses began to move from Microsoft DOS to Windows as the primary target; cross-platform macro viruses
`
`appeared; mass creation of polymorphic viruses became easy; and a trend towards e-mail as the preferred infection
`
`vector began.
`
`4
`
`
`
`In the late 1980s, the idea of using encryption to scramble the appearance of a virus was motivated by the
`
`fact that antivirus software could detect viruses by scanning files for unique virus signatures (byte patterns).
`
`However, to be executable, an encrypted virus must be prepended with a decryption routine and encryption key. The
`
`decryption routine remains unchanged and therefore detectable, although the key can change which scrambles the
`
`virus body differently. Polymorphism carries the idea further to continuously permute the virus body. A
`
`polymorphic virus reportedly appeared in Europe in 1989. This virus replicated by inserting a pseudorandom
`
`number of extra bytes into a decryption algorithm that in turn decrypts the virus body. As a result, there is no
`
`common sequence of more than a few bytes between two successive infections.
`
`Polymorphism became a practical problem in 1992 when a well-known hacker, Dark Avenger, developed a
`
`user-friendly Mutation Engine to provide any virus with polymorphism [9]. Other hackers soon followed with their
`
`own versions of mutation engines with names such as TPE, NED, and DAME. In 1994, Pathogen and Queeg were
`
`notable polymorphic DOS-infecting viruses that were produced by Black Baron's SMEG (Simulated Metamorphic
`
`Encryption enGine) [5].
`
`The “virus creation lab” was a user-friendly, menu-driven programming toolkit that allowed hackers with
`
`little programming skill to easily generate hundreds of new viruses [9]. Other virus creation toolkits soon followed
`
`such as PS-MPC. Perhaps the best known product of a virus toolkit was the 2001 Anna Kournikova virus [10]. This
`
`virus was carried in an e-mail attachment pretending to be a JPG picture of the tennis player. If the Visual Basic
`
`Script attachment is executed, the virus e-mails a copy of itself to all addresses in the Outlook address book.
`
`The 1995 Concept virus was the first macro virus, written for Word for Windows 95. It infected Word's
`
`"normal.dot" template so that files were saved as templates and ran the infective AutoOpen macro. An infected file
`
`was accidentally shipped on a Microsoft CD called "Microsoft Windows95 Software Compatibility Test." Later,
`
`Microsoft UK shipped an infected file on another CD called "The Microsoft Office 95 and Windows95 Business
`
`Guide." The vast majority of macro viruses are targeted to Microsoft Office documents. Macro viruses have the
`
`advantages of being easy to write and cross-platform. However, most people now know to disable macros in Office
`
`so macro viruses have lost their popularity.
`
`4. Third Wave: Mass E-Mailers
`
`5
`
`
`
`The third wave spanning roughly 1999 to late 2000 is highlighted by a large number of mass e-mailers,
`
`beginning with the “Happy99/Ska” worm. E-mail continues to be a very popular infection vector today. In January
`
`1999, the Happy99 worm spread by e-mail with an attachment called Happy99.exe [11]. When the attachment is
`
`executed, it displayed fireworks on the screen to commemorate New Year's Day 1999, but secretly modified the
`
`WSOCK32.DLL file (the main Windows file for Internet communications) with a Trojan horse program that
`
`allowed the worm to insert itself into the Internet communications process. The original WSOCK32.DLL file is
`
`renamed to WSOCK32.SKA. Every e-mail sent by the user generated a text-less second copy that carried the worm
`
`to the same recipients.
`
`In March 1999, the Melissa macro virus spread quickly to 100,000 hosts around the world in 3 days, setting
`
`a new record and shutting down e-mail for many companies using Microsoft Exchange Server [12]. It began as a
`
`posting on the Usenet newsgroup "alt.sex" promising account names and passwords for erotic web sites. The
`
`attached Word document actually contained a macro that used the functions of Microsoft Word and the Microsoft
`
`Outlook e-mail program to propagate. Up to that time, it was widely believed that a computer could not become
`
`infected with a virus just by opening e-mail. When the macro is executed in Word, it first checks whether the
`
`installed version of Word is infectable. If it is, it reduces the security setting on Word to prevent it from displaying
`
`any warnings about macro content. Next, the virus looks for a certain Registry key containing the word "Kwyjibo"
`
`(apparently from an episode of the television show, "The Simpsons"). In the absence of this key, the virus launches
`
`Outlook and sends itself to 50 recipients found in the address book. Additionally, it infects the Word “normal.dot”
`
`template using the VBA macro auto-execute feature. Any Word document saved from the template would carry the
`
`virus [13].
`
`The PrettyPark worm became widespread in the summer of 1999. It propagates as an e-mail attachment
`
`called "Pretty Park.exe." The attachment is not explained but bears the icon of a character from the television show,
`
`"South Park." If executed, it installs itself into the Windows system directory and modifies the registry to ensure that
`
`it runs whenever any .EXE program is executed. This can cause problems for antivirus software that runs as an
`
`.EXE file. Furthermore, the worm e-mails itself to addresses found in the Windows Address Book. It also transmits
`
`some private system data and passwords to certain IRC (Internet relay chat) servers. Reportedly, the worm also
`
`installs a backdoor to allow a remote machine to create and remove directories, and send, receive, and execute files.
`
`6
`
`
`
`In June 1999, the ExploreZip worm appeared to be a WinZip file attached to e-mail but was not really a
`
`zipped file [14]. If executed, it would display an error message, but the worm secretly copied itself into the
`
`Windows systems directory or loaded itself into the registry. It sends itself via e-mail using Microsoft Outlook or
`
`Exchange to recipients found in unread messages in the inbox. It monitors all incoming messages and replies to the
`
`sender with a copy of itself.
`
`In early 2000, the BubbleBoy virus (apparently named from an episode of the television show, "Seinfeld")
`
`demonstrated that a computer could be infected just from previewing e-mail without necessarily opening the
`
`message. It took advantage of a security hole in Internet Explorer that automatically executed Visual Basic Script
`
`embedded within the body of an e-mail message. The virus would arrive as e-mail with the subject "BubbleBoy is
`
`back" and the message would contain an embedded HTML file carrying the viral VB Script. If read with Outlook,
`
`the script would be run even if the message is just previewed. A file is added into the Windows start-up directory, so
`
`when the computer starts up again, the virus e-mails a copy of itself to every address in the Outlook address books.
`
`Around the same time, the KAK worm spread by a similar exploit.
`
`In May 2000, the fast-spreading Love Letter worm demonstrated a social engineering attack, which would
`
`become common in future mass e-mailing worms [15]. It propagates as an e-mail message with the subject, "I love
`
`you" and text that encourages the recipient to read the attachment. The attachment is a Visual Basic Script that could
`
`be executed with Windows Script Host (a part of Windows98, Windows2000, Internet Explorer 5, or Outlook 5).
`
`Upon execution, the worm installs copies of itself into the system directory and modifies the registry to ensure that
`
`the files were run when the computer started up. The worm also infected various types of files (e.g., VBS, JPG,
`
`MP3, etc.) on local drives and networked shared directories. When another machine is infected, if Outlook is
`
`installed, the worm will e-mail copies of itself to anyone found in the address book. In addition, the worm makes an
`
`IRC connection and sends a copy of itself to anyone who joins the IRC channel. The worm had a password-stealing
`
`feature that changed the startup URL in Internet Explorer to a web site in Asia. The web site attempted to download
`
`a Trojan horse designed to collect and e-mail various passwords from the computer to an address in Asia.
`
`In October 2000, the Hybris worm propagated as an e-mail attachment [16]. If executed, it modifies the
`
`WSOCK32.DLL file in order to track all Internet traffic. For every e-mail sent, it subsequently sends a copy of itself
`
`to the same recipient. It is interesting for its capability to download encrypted plug-ins (code updates) dynamically
`
`7
`
`
`
`from the “alt.comp.virus” newsgroup. The method is sophisticated and potentially very dangerous, since the worm
`
`payload (destructive capability) can be modified at any time.
`
`5. Fourth Wave: Modern Worms
`
`The fourth wave of modern worms began in 2001 and continues today. They are represented by worms
`
`such as Code Red and Nimda that demonstrate faster spreading and a new level of sophistication including
`
`• blended attacks (combined infection vectors)
`
`• attempts at new infection vectors (Linux, peer-to-peer networks, instant messaging, etc.)
`
`• dynamic code updating from the Internet
`
`• dangerous payloads
`
`• active attacks against antivirus software.
`
`Linux was first targeted by the Bliss virus in 1997. In early 2001, Linux was hit by the Ramen and Lion
`
`worms. The Lion worm seemed to be unusually dangerous. After infection of a new victim, the worm carries out
`
`several actions. The worm sends e-mail containing password files and other sensitive information, e.g., the IP
`
`address and username of the system and bundles the contents of the “/etc/password,” “/etc/shadow,” and
`
`“/sbin/ifconfig” files into the mail.log file before transmission. The worm installs the binary toolkits “t0rn” and the
`
`distributed denial of service (DDoS) agent “TFN2K” (Tribal Flood Network 2000). The t0rn rootkit deliberately
`
`makes the actions of the worm harder to detect through a number of system modifications to deceive the utility
`
`“syslogd” from properly capturing system events. The worm creates a directory named “/dev/.lib” and copies itself
`
`there. The “/etc/host.deny” file is deleted to make any protection offered by TCP Wrappers useless against an
`
`outside attack. The worm also installs backdoor root shells on TCP port 60008 and TCP port 33567. A Trojanized
`
`version of SSH on port 33568 changes the port setting to listening. This port setup could be done to launch future
`
`DDoS attacks using the TFN2K agent.
`
`In February 2001, the Gnutelman/Mandragore worm infected users of Gnutella peer-to-peer networks by
`
`disguising itself as a searched file.
`
`In May 2001, the Sadmind worm spread by targeting 2 separate vulnerabilities on 2 different operating
`
`systems, and set a precedent for subsequent viruses that could combine multiple attacks [17]. It first exploited a
`
`8
`
`
`
`buffer overflow vulnerability in Sun Solaris systems and installed software to carry out an attack to compromise
`
`Microsoft IIS web servers.
`
`A buffer overflow vulnerability in Microsoft's IIS web servers was announced on June 18, 2001, referred to
`
`as the Index Server ISAPI vulnerability. About a month later on July 12, 2001, the first Code Red I (or .ida Code
`
`Red) worm was observed to exploit this vulnerability [18]. Upon infection, the worm set up itself in memory and
`
`generated up to 100 new threads, each an exact replica of the original worm. The first 99 threads were assigned to
`
`spread the worm by infecting other IIS servers. The worm generated a pseudorandom list of IP addresses to probe
`
`but used a static seed which (unintentionally) resulted in identical lists of IP addresses generated on each infected
`
`host. As a result, the spread was slow because probes repeatedly hit previously probed or infected machines,
`
`although 200,000 hosts were infected in 6 days. A side effect was congestion between these hosts, causing a DoS
`
`effect. The last 100th thread was assigned to check the language of the IIS system; if English, then the worm would
`
`deface the system’s web site with the message “Hacked by Chinese.” Next, each worm thread checked for the file
`
`“c:\notworm” and finding it, the worm would go dormant, which seemed to be a mechanism to limit the worm
`
`spread. Finally, each worm thread checked the date. If it was past the 20th of the month, the threads would stop
`
`scanning and instead would launch a DoS attack against port 80 of “www.whitehouse.gov.” On the 27th of the
`
`month, the worm would go dormant permanently although an unpatched machine could be re-infected with a new
`
`worm.
`
`A week later on July 19, a second version of Code Red I (Code Red v2) was noticed which spread much
`
`faster. Apparently, the programming had been fixed to change the static seed to a random seed, ensuring that the
`
`randomly generated IP addresses to probe would be truly random [19]. Code Red v2 worm was able to infect more
`
`than 359,000 machines within 14 hours [20]. At its peak, 2000 hosts were infected every minute. By design, Code
`
`Red I stopped spreading itself on July 20.
`
`On August 4, 2000, a new worm called Code Red II (carrying a different, more dangerous payload than
`
`Code Red I but self-named "Code Red II" in its source code) was observed exploiting the same buffer overflow
`
`vulnerability in IIS web servers [21]. After infecting a host, it laid dormant for 1-2 days and then rebooted the
`
`machine. After rebooting, the worm activated 300 threads (but 600 for Chinese language systems) to probe other
`
`machines to propagate. It generated random IP addresses but they are not completely random; about 1 out of 8 are
`
`9
`
`
`
`completely random; 4 out of 8 addresses are within the same class A range of the infected host's address; and 3 out
`
`of 8 addresses are within the same class B range of the infected host's address. The attack code ran for 24 hours (but
`
`48 hours for Chinese language systems). The enormous number of parallel threads created a flood of scans, in effect
`
`a DoS attack. Then it would write a Trojan horse “explorer.exe” into the root directories of the hard drives, and
`
`cause a reboot to load the Trojan. The Trojan did several things to conceal itself and open a backdoor.
`
`On September 18, 2001, the Nimda worm/virus raised new alarms by using 5 different ways to spread and
`
`carrying a dangerous payload. The fast spreading had a side effect of traffic congestion. Initially, many sites noticed
`
`a substantial increase in traffic on port 80. Nimda spread to 450,000 hosts within the first 12 hours. Although none
`
`of the infection vectors was new, the combination of so many vectors in one worm seemed to signal a new level of
`
`complexity not seen before [22].
`
`• It sent itself by e-mail with random subjects and an attachment named “readme.exe.” It finds e-mail
`
`addresses from the computer’s web cache and default MAPI mailbox. The worm carries its own SMTP
`
`engine. If the target system supports the Automatic Execution of Embedded MIME types, the attached
`
`worm will be automatically executed and infect the target. Infected e-mail is resent every 10 days.
`
`• It infected Microsoft IIS web servers, selected at random, through a buffer overflow attack called a
`
`Unicode Web Traversal Exploit (known for a year prior). This vulnerability allows submission of a
`
`malformed URL to gain access to folders and files on the server’s drive, and modify data or run code on
`
`the server.
`
`• It copied itself across open network shares. On an infected server, the worm writes MIME-encoded copies
`
`of itself to every directory, including network shares. It creates Trojan horse versions of legitimate
`
`programs by prepending itself to .EXE files.
`
`• It added Javascript to web pages to infect any web browsers. If it finds a web content directory, it adds a
`
`small piece of javascript code to each .html, .htm, or .asp file. This javascript allows the worm to spread
`
`to any browser listing these pages and automatically executing the downloaded code.
`
`• It looked for backdoors left by previous Code Red II and Sadmind worms.
`
`Upon infection, it takes several steps to conceal its presence. Even if found, the worm was very difficult to remove
`
`because it makes numerous changes to Registry and System files. It creates an administrative share on the C drive,
`
`10
`
`
`
`and creates a guest account in the administrator group allowing anyone to remote login as guest with a blank
`
`password.
`
`Beginning with the Klez and Bugbear worms in October 2001, “armored” worms contain special code
`
`designed to disable antivirus software using a list of keywords to scan memory to recognize and stop antivirus
`
`processes and scan hard drives to delete associated files [23,24]. Other recent examples of armored worms include
`
`Winevar (November 2002) and Lirva (January 2003). More destructively, the Lirva worm, named after the singer,
`
`Avril Lavigne, will e-mail cached Windows dial-up networking passwords to the virus writer, and e-mail random
`
`.TXT and .DOC files to various addresses [25]. It will connect to a web site “web.host.kz” to download Back Orifice
`
`giving complete control to a remote hacker .
`
`In March 2002, Gibe spread as an attachment in an e-mail disguised as a Microsoft security bulletin and
`
`patch. The text claimed that the attachment was a Microsoft security patch for Outlook and Internet Explorer. If the
`
`attachment is executed, it displays dialog boxes that appear to be patching the system, but a backdoor is secretly
`
`installed on the host.
`
`Another trend to dangerous payloads includes installation of keystroke logging software that record
`
`everything typed on the keyboard, usually recorded to a file that can be fetched by a remote hacker later. The
`
`Bugbear, Lirva, Badtrans (November 2001), and Fizzer (May 2003) worms all install a keystroke logging Trojan
`
`horse.
`
`The SQL Slammer/Sapphire worm appeared in January 2003, exploiting a buffer overflow vulnerability
`
`Microsoft SQL Server announced by Microsoft in July 2002 (with a patch) [26]. It is much simpler than previous
`
`worms and fits in a 376-byte payload of a single UDP packet. In contrast, Code Red was about 4,000 bytes and
`
`Nimda was 60,000 bytes. The sole objective seems to be replication due to the absence of a payload. It appeared to
`
`test the concept that a small, simple worm could spread very quickly. The spreading rate was surprisingly fast,
`
`reportedly infecting 90 percent of vulnerable hosts within 10 minutes (about 120,000 servers) [27]. In the first
`
`minute, the infection doubled every 8.5 seconds, and hit a peak scanning rate of 55,000,000 scans/second after only
`
`3 minutes. In comparison, Code Red infection doubled in 37 minutes (slower but infected more machines). The
`
`probing is fast because infected computers simply generate UDP packets carrying the worm at the maximum rate of
`
`the machine.
`
`11
`
`
`
`6. Current Developments
`
`The week beginning on August 12, 2003, has been called the worst week for worms in history, seeing the
`
`fast-spreading Blaster, Welchia (or Nachi), and Sobig.F worms in quick succession. Blaster or LovSan arrived first,
`
`targeted to a Windows DCOM RPC (distributed component object model remote procedure call) vulnerability
`
`announced only a month earlier on July 16, 2003 [28]. The worm probes for a DCOM interface with RPC listening
`
`on TCP port 135 on Windows XP and Windows 2000 PCs. Through a buffer overflow attack, the worm causes the
`
`target machine to start a remote shell on port 4444 and send a notification to the attacking machine on UDP port 69.
`
`A tftp (trival file transfer protocol) "get" command is then sent to port 4444, causing the target machine to fetch a
`
`copy of the worm as the file MSBLAST.EXE. In addition to a message against Microsoft, the worm payload carries
`
`a DoS agent (using TCP SYN flood) targeted to the Microsoft Web site “windowsupdate.com” on August 16, 2003
`
`(which was easily averted). Although Blaster has reportedly infected about 400,000 systems, experts reported that
`
`the worm did not achieve near its potential spreading rate due to novice programming.
`
`Six days later on August 18, the apparently well-intended Welchia or Nachi worm spread by exploiting the
`
`same RPC DCOM vulnerability as Blaster. It attempted to remove Blaster from infected computers by downloading
`
`a security patch from a Microsoft Web site to repair the RPC DCOM vulnerability. Unfortunately, its probing
`
`resulted in serious congestion on some networks, such as Air Canada's check-in system and the US Navy and
`
`Marine Corps computers.
`
`The very fast Sobig.F worm appeared on the very next day, August 19, only seven days after Blaster [29].
`
`The original Sobig.A version was discovered in January 2003, and apparently underwent a series of revisions until
`
`the most successful Sobig.F variant. Similar to earlier variants, Sobig.F spreads among Windows machines by e-
`
`mail with various subject lines and attachment names, using its own SMTP engine. The worm size is about 73
`
`kilobytes with a few bytes of garbage attached to the end to evade antivirus scanners. It works well because it grabs
`
`e-mail addresses from a variety of different types of files on the infected computer and secretly e-mails itself to all
`
`of them, pretending to be sent from one of the addresses. At its peak, Sobig.F accounted for one in every 17
`
`messages, and reportedly produced over 1 million copies of itself within the first 24 hours. Interestingly, the worm is
`
`programmed to stop spreading on September 10, 2003, which suggests that the worm was intended as a proof-of-
`
`12
`
`
`
`concept. This is supported by the absence of a destructive payload, although the worm is programmed with the
`
`capability to download and execute arbitrary files to infected computers. The downloading is triggered on specific
`
`times and weekdays, which are obtained via one of several NTP servers. The worm sends a UDP probe to port 8998
`
`on one of several pre-programmed servers which responds with a URL for the worm to download. The worm also
`
`starts to listen on UDP ports 995-999 for incoming messages, presumably instructions from the creator.
`
`If these recent worm incidents are viewed as proof-of-concept demonstrations, we might draw the
`
`following observations:
`
`• Blaster suggests a trend that the time between discovery of a vulnerability and the appearance of a worm
`
`to exploit it is shrinking (to one month in the case of Blaster)
`
`• Blaster demonstrates that the vast majority of Windows PCs are vulnerable to new outbreaks
`
`• Sobig shows that worm writers are creating and trying out succe