They’re baaa-aaack!

After a period of relative quiet, worms are once again gearing up to attack your enterprise

A couple of months ago I wrote that the appearance of worms and viruses seemed to be somehow related to those times when computer science students had too much time on their hands. I noted that the last major worm infestation seemed to happen in August when schools were closed.

Here it is January, and most colleges and universities have had at least three weeks of downtime. And once again, the fruits of those idle hours are appearing, this time with a worm called either Beagle or Bagle (it varies, as these things sometimes do).

The worms of summer tapered off as fall progressed. By November, things were very quiet. Students were working hard on exams, I guess, and didn’t have time for worm-writing. But now that they’ve been away from the book-learning for a while, we’ve got the first significant worm of ’04.

As worms go, Beagle is only moderately successful. But in another sense, it reaches new levels of sophistication. By now you know that it spreads itself with spam-like tactics, much like the more recent worms of last year. Where Beagle gets interesting is in how it propagates: Instead of just looking for e-mail addresses in Outlook, and thus being stymied by non-Outlook users, Beagle hunts for e-mail addresses in a variety of files on the victimized hard disk, including files ending in the .txt and .htm extensions. To further broaden its reach, Beagle attempts to download a Trojan horse from a long list of Web sites. Fortunately, the URLs Beagle is looking for have all been shut down, so it can’t complete that part of its mission.

Beagle does have an expiration date: Jan. 28, 2004.
As has been the case in the past, that probably means that a new version will be released about then, perhaps one that can take advantage of holes opened in infected systems by its predecessor.

And open holes it does: Symantec’s DeepSight reports a significant amount of activity on TCP port 6777, which Beagle attempts to open as a trap door into an infected system. You can see that Beagle is somewhat improved over the worms of ’03. Clearly, whoever wrote this version is building on the knowledge of earlier attempts. The suspicion that we would see ever-improving worm-writing skills was well-founded.

Likewise, the malware writers are attacking on multiple fronts, posing a new threat entirely. Security researchers at Symantec claim to have discovered a hacker-controlled network of DNS servers that are used to direct DDoS attacks. Apparently, the hackers implant a Trojan horse on the name servers that lets them communicate through IRC sessions. While this threat is still in its early stages, it shows yet another level of security-breaching sophistication.

All of these threats, attacks, and ideas add up to one sure thing: You’re about to face another year of global attacks against your enterprise. I’m sure you’re thrilled. The advantage is that this year you won’t be caught by surprise. You know how to handle worms, and the means to deflect DDoS attacks are out there. Now what you need is constant vigilance (but as a dedicated reader of this column, you already knew that). Of course, you also need the people and the tools to put that vigilance to work. One advantage: The economy is on the rebound and it’s early in the fiscal year. This time you have a fighting chance.