IT administrators affected by the recent Blaster worm probably thought to themselves, "That wasnt too bad." Or at least they thought that after the initial scramble to patch and secure systems. Actually, this is probably the feeling most companies have had for the last couple of years, because its been at least that long since weve seen a virus or worm designed to do any real damage.
OK, all worms and viruses cause damage—in terms of bandwidth lost, systems shut down and man-hours required to respond to them. But when you look at recent viruses and worms on their face, they tend to be more annoyances than system- and data-destroying tragedies. Theres really nothing stopping them from doing much more damage. Rather than causing systems to restart, Blaster could have easily corrupted systems and data by loading a Trojan that would enable remote control of systems.
So why havent we seen more nasty and severely damaging worms? Are the virus and worm writers actually nice people who are just trying to prove a point? Is their main goal to embarrass Microsoft, and so write the worms and viruses to avoid collateral damage? I doubt it.
One theory is that the current crop of viruses and worms is a sort of proof of concept that will eventually be leveraged by more nasty or stealthy attacks directed at specific companies, industries or geographic locations.
When I asked Gerhard Eschelbeck, CTO of security vendor Qualys, why we havent seen more damaging worms and viruses lately, he said that many of the past worms weve seen have been a "first strike" and that well be seeing more stealthy and targeted worms and viruses in the future. "Most importantly, we need to watch for covert payloads, which are not identified immediately and selectively start modifying content on the victimized system," said Eschelbeck. "I would not be surprised if any of the many mutations of [Blaster] are already carrying such covert payloads."
I recently spoke with Stephen Northcutt, director of training and certification at The SANS Institute, who agreed that recent viruses and worms are just a taste of things to come.
Its also quite possible that we are being set up—that these endlessly annoying but relatively benign worms and viruses are like a series of jabs that are setting us up for the knockout punch.
"Nimda is often considered a proof of concept for targeting multiple vulnerabilities," said Northcutt. "SQL Slammer seems to be a proof of concept for rapid expansion infecting just over 90 percent of vulnerable hosts within 10 minutes. Finally, note this latest RPC DCOM worm was experimenting with a denial of service against the source of the patch to stop it. The technology is now in the hands of worm writers to do incredible damage, especially to small-office and home users. Most of them do not back up their files or patch their systems, so a malicious payload could potentially do trillions of dollars in damage. It is one of those things that has to happen eventually—chalk it up to a really mean person, terrorism or information warfare. The end result is the same."
Its kind of a chilling thought—a future filled with superworms that have learned from those before them and are designed to cause massive amounts of damage. But its a future we have to be ready for.
Every time you deal with a virus or worm and think, "That wasnt too bad," you are becoming conditioned not to care about viruses and worms. Theres probably even an unofficial policy in your company to just deal with viruses and worms when they happen and not worry too much about spending the time and resources to secure systems ahead of time.
No one will admit it, but we all know these attitudes exist. And you can count on the virus and worm writers knowing it, too.
And someday, perhaps soon, youll walk into the office to find many, if not all, systems infected with a virus or worm. And there wont be any easy solution because everything will be stolen, deleted or corrupted.
Its not a pleasant picture, but its your future if you dont take security seriously.
Discuss this in the eWeek forum.
Jim Rapoza can be reached at firstname.lastname@example.org.