Lo! 'tis a gala night
Within the lonesome latter years!
An angel throng, bewinged, bedight
In veils, and drowned in tears,
Sit in a theatre, to see
A play of hopes and fears,
While the orchestra breathes fitfully
The music of the spheres.
Mimes, in the form of God on high,
Mutter and mumble low,
And hither and thither fly—
Mere puppets they, who come and go
At bidding of vast formless things
That shift the scenery to and fro,
Flapping from out their Condor wings
Invisible Woe!
That motley drama—oh, be sure
It shall not be forgot!
With its Phantom chased for evermore,
By a crowd that seize it not,
Through a circle that ever returneth in
To the self-same spot,
And much of Madness, and more of Sin,
And Horror the soul of the plot.
But see, amid the mimic rout
A crawling shape intrude!
A blood-red thing that writhes from out
The scenic solitude!
It writhes!—it writhes!—with mortal pangs
The mimes become its food,
And seraphs sob at vermin fangs
In human gore imbued.
Out—out are the lights—out all!
And, over each quivering form,
The curtain, a funeral pall,
Comes down with the rush of a storm,
While the angels, all pallid and wan,
Uprising, unveiling, affirm
That the play is the tragedy, "Man,"
And its hero the Conqueror Worm.
By Edgar Allan Poe
Poe's lines seem almost prophetic in this day and time, when computer worms grip the Internet and its users in fear and bewilderment. Worms and their variants have become a popular topic in the news media. They have been given names that are human in nature and seem to carry a personality along with them. Many people have become aware of worms and their potential to wreak devastation on the economy and even to pose national and global security threats, but I suppose few really understand much more about them than what is broadcast on the local news. Today's worms are very high-tech programs that have almost become an art form, with the capabilities of a chameleon that changes its color to camouflage itself in the jungle of technology. Worms have evolved to the point that they can even reproduce themselves, giving birth to new variants. Let's examine who writes these worms and why they are such a threat.
Originally, when the first worms were written by programmers, they were not the malicious ones we are familiar with today. According to Konczal, in the "History of Worms" article located at csrc.nist.gov, worms were not originally created to wreak havoc.
Konczal says this: "Worms were first used as a legitimate mechanism for performing tasks in a distributed environment. Network worms were considered promising for the performance of network management tasks in a series of experiments at the Xerox Palo Alto Research Center in 1982. The key problem noted was "worm management;" controlling the number of copies executing at a single time. This would be experienced later by authors of malicious worms." (Konczal)[1]
That the original worms were useful can again be seen in Charles Schmidt's article "The history of worm like programs," in which he describes the origins of the first worms and how they led up to the Morris worm.
Here is Charles's article: "The 1988 Internet worm was not the first program of its type, nor (alas) was it the last. Here is a brief description of other historical worms.
The term "worm" actually comes from a science fiction story called The Shockwave Rider written by John Brunner in 1975. In short, the story is about a totalitarian government that controls its citizens through a powerful computer network. A freedom fighter infests this network with a program called a "tapeworm," forcing the government to shut down the network, thereby destroying its base of power.
Between this and the 1988 worm, it is small wonder that worm programs are getting a bad name. However, the first worm programs were actually designed to facilitate better usage of a network.
The first program that could reasonably be called a worm was written in 1971 by Bob Thomas. This program was in response to the needs of air traffic controllers and would help to notify operators of when control of a certain airplane moved from one computer to another. In actuality, the program, called "creeper," only traveled from screen to screen in the network displaying the message "I'm creeper! Catch me if you can!" The creeper program did NOT reproduce itself.
After this, several other programmers tried their hands at similar programs, but the idea gradually died out in a couple of months.
In the early 1980's, John Shock and Jon Hepps of Xerox's Palo Alto Research Center began experimenting with worm programs. (This was the first time that the term worm was actually applied to this sort of code.) They developed 5 worms, each of which were designed to perform helpful tasks around the network. Some worms were quite simple, such as the town crier worm, which simply traveled throughout the network posting announcements. Other worms were quite clever and complex, such as the "vampire" worm. This worm was idle during the day, but at night, it would take advantage of the largely idle computers and apply them to complex tasks which needed the extra processing power. At dawn, it would save the work it had done so far, and then become idle, waiting for the next evening.
However, although these programs were inherently useful, it became apparent that worms could be dangerous tools if incorrectly used. This was demonstrated amply when one of Xerox's worms malfunctioned during the night. When people arrived at work the next day, they found that computers throughout the research center had crashed. Moreover, when they tried to restart the machines, the malfunctioning worm immediately crashed them again. A "vaccine" had to be written to prevent the worm from crashing the systems.
At that point, worm research (for some odd reason) died out of the public spotlight until it was violently thrust back into it by Morris in November of 1988. Morris's worm received a vast amount of media attention, becoming front page news for over a week after the occurrence. (Which is pretty impressive for a computer program when Presidential elections are going on.) The media jumped on the story of the program that had single-handedly crashed the Internet, to the point of hampering attempts by the MIT and Berkeley teams to decompile the captured worm program. However, this media coverage was mortally wounded when reporters found out that there was nothing visual to describe to the general viewing audience. The story ended up being more a coverage of the attempts to defeat the worm, and the consequences the worm would have on the Internet community, not to mention Robert Morris." (Schmidt)[2]
The next major worm to hit the media was Melissa, in March of 1999. Stephen T. Kelly describes Melissa's impact in his white paper for SANS, saying, "Then there was Melissa that hit the Internet in late March of 1999. Melissa was a Microsoft Word 97 and Word 2000 macro virus. Melissa was a virus – it didn't propagate itself. But why I mention it here, and what made Melissa both wormlike and severe, was that it was propagated in email attachments. The problem being that anyone opening and reading the email propagated the virus, giving it the worm-like appearance.
Remember, this was one of the first email-spreading viruses. At final toll CERT indicated over 100,000 hosts were affected. Again, Melissa itself didn't do anything destructive to systems." (Kelly)[3]
Melissa was probably the first worm to hit the net, and to be reported on by the media, that carried a human name. Melissa, named after a Florida stripper admired by David L. Smith, the worm's author, congested the email systems of companies worldwide, causing many to panic and shut down their Internet connection to the outside world. (Sophos)[4]
The next worm to come down the wormhole and attract media attention was Code Red.
Stephen Kelly also writes about this worm in his white paper for SANS, saying, "Except for the DDOS side effect of the worm I didn't seem to be vulnerable. But what would the impact be if I had a Microsoft IIS server running? CERT further stated that some variants of the Code Red worm deface web pages supported by the compromised servers. This was one of the "payloads". Any requests to the compromised server would get "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!". In attack mode, compromised servers would perform a DDOS against a defined IP. Initially one of the IP's was the White House website, www.whitehouse.gov." (Kelly)[3]
This was the first major attack by a worm upon the government of the U.S.A. It opened their eyes and caused them to wake up and smell the coffee. Suddenly the government saw what a distributed denial of service attack could do, and it began to take measures to educate the public about securing their computers against worms of this type, which could use a homeowner's machine to launch an attack upon the government.
When the government was attacked, it responded. It took an attack of that magnitude to prompt it to focus more on educating the public about the dangers of worms.
Worms and their variants continued to progress, and in 2001 the NIMDA worm was released into the wild. NIMDA is ADMIN spelled backwards. This worm brought on new terrors: it could not only propagate itself via email, but could also compromise a web server and then infect clients that merely visited an infected web page.
This meant that a user just casually surfing the Internet could become infected by this worm simply by stumbling upon a web page the worm had infected. This new advancement made the NIMDA worm even more malignant than its predecessors.
In 2003, I recall being in school studying Microsoft's SQL Server and learning SQL. At that time I saw a vulnerability that could be exploited using the RPC port and discussed it with teachers and others I knew online and offline. Most agreed that this could be exploited but saw no need to close that port, because they determined it would be improbable that a hacker would use it. Three weeks later the MS SQL worm, otherwise named the Slammer worm, hit the Internet. This worm used UDP packets to increase its speed and brought the net down worldwide in 15 minutes. People who knew me at that time pay a little closer attention now when I talk about such things.
Paul Boutin describes the impact of this worm in his article "Slammed! An inside view of the worm that crashed the Internet in 15 minutes," saying, "Slammer had knocked out more than just the Internet. Emergency 911 dispatchers in suburban Seattle resorted to paper. Continental Airlines, unable to process tickets, canceled flights from its Newark hub.
By the time the news made Slashdot, seven interminable hours later, network engineers the world over had been paged from their beds to man the bucket brigade. Lost revenue spilled over halfway into the next week. Total cost of the bailout: more than $1 billion.”(Boutin)[5]
Throughout 2003 worms continued to get more horrific and dangerous, and as we came into 2004 the Internet was penetrated by a new worm, one that made Microsoft Corporation and the SCO Group wake up. In late January of 2004 the MYDOOM worm hit the Internet. This worm targeted Microsoft and SCO, bringing down their servers with a distributed denial of service attack. This cost Microsoft and the SCO Group money. Suddenly we saw bounties posted by Microsoft on the heads of the worm writers. Rewards were being offered to anyone who could identify the writers of these worms. On January 29th of 2004 Microsoft and the SCO Group both offered $250,000 rewards for anyone who could identify the author of the MYDOOM worm. (CNN)[6]
In May of 2004 the Sasser worm hit the net. This proved to be an even worse threat. This worm scanned other computers for open ports and invaded them that way. This meant anyone connected to the Internet who did not have a properly configured firewall could get this worm just by being connected. It didn't need email or attachments like the others; anyone connected to the net could become infected if they had any open ports. If someone did not have a firewall, it was just a matter of time. During this time Windows XP also had a vulnerability of leaving a port open if an application crashed. This led many hackers to use buffer overflow techniques and incorporate them into worms.
These bounties were not the solution to the problem. The worms and their variants would continue to propagate using distributed denial of service attacks. To have any effect on these worms, the problem of the end user, the homeowner with his or her computer unsecured, with no firewall or antivirus running, had to be addressed. Microsoft had included a firewall in Windows XP, but this was not sufficient, as it only processed incoming ICMP requests.
To deal with these worms, outgoing requests had to be dealt with. I applaud Microsoft for finally realizing this and developing the firewall in the latest service pack, SP2. Their motives are more than likely monetary, as this service pack will help stop attacks upon them. Maybe this is why even pirated versions can install the service pack. Perhaps it's an attempt to stop the attacks upon Microsoft. Some time back, when SP1 was released, many with pirated versions got a blue screen after installing the service pack. This led them to format their hard drives, reinstall XP, and use it without the protection of the patches from the updates. Of course many of these patches were to deal with the worms and their propagation. Many people I have recently talked with have installed SP2 on pirated versions with no blue screen. Perhaps Microsoft has seen that casting blame is unfruitful and is dealing with the unknowledgeable, insecure end user in a much wiser fashion with its release of SP2.
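The last two paragraphs make a detection point that is easy to miss: a worm like Sasser reveals itself on the infected home machine as a burst of outbound connection attempts to one port on many different hosts, and a firewall that only inspects incoming traffic never sees that burst. The script below is an added example, not part of the essay or of any Microsoft product; it runs a simple "same port, many distinct destinations" check over a constructed, simplified log format (not the real Windows Firewall log layout) and shows that the inbound-only view of the same log yields nothing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified "date time action proto src dst sport dport"
# layout, NOT the real Windows Firewall log format): one host opens outbound
# connections to port 445 on twelve different machines within twelve seconds,
# while another host does ordinary web browsing.
SAMPLE_LOG = "\n".join(
    [f"2004-05-01 10:00:{i:02d} OPEN-OUT TCP 192.0.2.10 198.51.100.{i} 3000 445"
     for i in range(1, 13)]
    + ["2004-05-01 10:00:05 OPEN-OUT TCP 192.0.2.20 203.0.113.7 3010 80",
       "2004-05-01 10:00:06 OPEN-OUT TCP 192.0.2.20 203.0.113.9 3011 80",
       "2004-05-01 10:00:07 OPEN-IN TCP 203.0.113.9 192.0.2.20 80 3011"]
)


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    date, time, action, proto, src, dst, sport, dport = line.split()
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "action": action, "proto": proto, "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport)}


def inbound_only_view(log_text):
    """The subset a filter that inspects only incoming connections gets to see."""
    return [l for l in log_text.splitlines()
            if parse_line(l)["action"] == "OPEN-IN"]


def find_scanners(log_text, window=timedelta(seconds=30), min_hosts=10):
    """Return [(src, dport, distinct_hosts)] for every source that opened
    outbound connections to the same port on at least `min_hosts` distinct
    destinations inside some `window`-long interval: the signature of a worm
    sweeping the network for one listening service."""
    by_key = defaultdict(list)                      # (src, dport) -> [(ts, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] == "OPEN-OUT":
            by_key[(rec["src"], rec["dport"])].append((rec["ts"], rec["dst"]))
    alerts = []
    for (src, dport), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):      # slide the window forward
            dsts = {d for t, d in hits[i:] if t - start <= window}
            if len(dsts) >= min_hosts:
                alerts.append((src, dport, len(dsts)))
                break
    return alerts


if __name__ == "__main__":
    print("outbound view:", find_scanners(SAMPLE_LOG))
    print("inbound-only view:", find_scanners("\n".join(inbound_only_view(SAMPLE_LOG))))
```

The threshold of ten distinct hosts in thirty seconds is an assumption chosen for the sample; on a real network it should be tuned against normal traffic so that a browser or mail client does not trip it.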