Worm: [from `tapeworm' in John Brunner's novel "The Shockwave Rider", via XEROX PARC] A program that propagates itself over a network, reproducing itself as it goes. Compare virus. Nowadays the term has negative connotations, as it is assumed that only crackers write worms. Perhaps the best-known example was Robert T. Morris's Great Worm of 1988, a `benign' one that got out of control and hogged hundreds of Suns and VAXen across the U.S. See also cracker, RTM, Trojan horse, ice.

Recently we've seen some big examples. The Code-Red Worm (CRv2) exploits a hole in Microsoft's IIS server software. This is software that turns a computer into a webserver (in other words, this won't infect your home computer.) IIS is installed on roughly 20% of web servers (although there are various reasons why that number may be misleadingly low.) This page has an interesting technical look at the rapid spread of the worm:

On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute. 43% of all infected hosts were in the United States, while 11% originated in Korea followed by 5% in China and 4% in Taiwan. The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%. We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm. A QuickTime animation of the geographic expansion of the worm is available.

If you've got a fast connection don't miss the QuickTime animation. Nice/scary.
But it's not just web servers that have to be careful. The SirCam worm is making even more of a nuisance of itself in the Windows world (although not Windows NT or Windows 2000.) I've yet to get a single copy of it (anyone might get it, but it will only infect Windows machines,) but evidently it is very widespread, and not exactly going away. Ev thinks we may need to "create a disinfectant virus and release it the same way" in order to stop it.
From the Symantec page linked above:
- Payload:
- Large scale e-mailing: The worm appends a random document from the infected PC to itself and sends this new file via email
- Deletes files: 1 in 20 chance of deleting all files and directories on C:. Only occurs on systems where the date is October 16 and which are using D/M/Y as the date format. Always occurs if attached file contains "FS2" not followed by "sc".
- Degrades performance: 1 in 50 chance of filling all remaining space on the C: drive by adding text to the file c:\recycled\sircam.sys
- Releases confidential info: It will export a random document from the hard drive by appending it to the body of the worm
As Ev pointed out, some people are really enjoying that bit where it mails out a random document from the hard drive of the infected computer. Both of these worms infect only systems running the vulnerable Microsoft products.
The interesting thing about these worms (as Ev seems to suggest above) is that they are becoming sophisticated enough that it is very difficult to wipe them out. Maybe even they are coming alive. Here's Robert Cringely on the subject (try to ignore all the lame inline advertising for MessageLabs products if you click through.)

It will be beautifully organic, this hacking organism that can only be stopped by being utterly destroyed. And because it can live on any insecure system anywhere on the Net, and replicate from there, the chances of taking it down are very low indeed.... It will be a living electronic hack, an organism that lives on the Web.

Is this the start? Are these things really becoming "Borg code, the creation of e-life"? I guess the process of deciding will run parallel to (or be the flip side of) the process of deciding exactly what this word "life" means. We've never really had to think too hard about it before.
- jim 7-26-2001 3:06 pm
Ha. This morning I got my first SirCam worm. It was sent to root at digitalmediatree which supports the idea that it looks through your browser cache to find web pages and then looks for email addresses it can harvest there (rather than in your Outlook address book which is usually what these things do.) The attachment I got is called 'FROEBEL EVALUATION JULY AUG 200' which made it sound like it might be interesting, but I can't make any information out. Maybe it's a PowerPoint document or some other non-human readable file format. Anyway, if that sounds like a file of yours then you better do some disinfecting.
I guess I should note that you should only open a document like this in a text editor, not in Microsoft Word or anything scriptable, and definitely not by just double clicking the icon. If you're not sure, definitely don't open it. Just throw it away.
- jim 7-27-2001 3:17 pm
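
The Symantec summary above says the worm mails itself with a document appended, and the follow-up note says to look at such a file only as bytes. The sketch below is an added example, not code from this page or from any vendor: it reads an attachment's raw bytes and reports whether an executable header is followed by a document signature. The function names, the 8 MiB read limit and the sample byte strings are assumptions made for illustration.

```python
# Added example: static triage of an attachment's bytes (heuristic, not a scanner).
PE_MAGIC = b"MZ"  # DOS/Windows executable header
DOC_MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 document (legacy Word/Excel/PowerPoint)",
    b"PK\x03\x04": "ZIP container",
    b"%PDF-": "PDF",
}
MAX_READ = 8 * 1024 * 1024  # assumption: inspect at most the first 8 MiB


def triage(data: bytes) -> dict:
    """Classify raw bytes by signature; nothing is executed or rendered."""
    leading = next((name for magic, name in DOC_MAGICS.items()
                    if data.startswith(magic)), None)
    if data[:2] != PE_MAGIC:
        return {"verdict": leading or "unknown", "embedded": []}
    # Executable header first: look for document signatures further in,
    # the layout left by a document appended to an executable body.
    embedded = sorted((pos, name) for magic, name in DOC_MAGICS.items()
                      if (pos := data.find(magic, 2)) != -1)
    verdict = "executable with appended document" if embedded else "executable"
    return {"verdict": verdict, "embedded": embedded}


def triage_file(path: str) -> dict:
    """Read the file as bytes only; never hand it to an application."""
    with open(path, "rb") as fh:
        return triage(fh.read(MAX_READ))


# Constructed samples (not real malware): a fake executable stub followed by
# an OLE2 header, and a plain OLE2 document.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_COMBINED = b"MZ" + b"\x90" * 62 + OLE2 + b"constructed document bytes"
SAMPLE_DOCUMENT = OLE2 + b"constructed document bytes"

if __name__ == "__main__":
    for label, blob in (("combined", SAMPLE_COMBINED), ("document", SAMPLE_DOCUMENT)):
        print(label, triage(blob))
```

A match on short signatures can occur by chance inside a large binary, so treat the result as a reason to quarantine the file, not as proof of what it is.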