Diary of a computer worm

Computer worm writers are often seen as a breed apart: über-hacker loners with a hatred of society bent on pushing their own twisted agenda. But the truth is that it might not be maliciously inclined whizz kids who are creating today’s worms. In fact, worms are easier to write than the simplest Windows application.

At its most basic, a computer worm is just a self-contained lump of code whose function is to spread between computers by replicating itself. There’s no complex user interface to design, build or test. There are usually no complex file or database sub-routines to consider, either.

In contrast to commercial programs, worms do not have to observe programming standards, so the source code can contain the proverbial and unmaintainable ‘spaghetti’ programming. In fact, worm code need never be maintained at all, so there are no support issues to worry about either. If a worm crashes due to unforeseen circumstances or bad programming, it simply crashes. Depending on the writer’s intent, if it takes Windows down with it, that may be a bonus.

With worm writing becoming easier, it’s no surprise there are already several hundred species roaming the internet, looking for computers to infect.

Dissecting the worm problem
Unlike viruses, which attach themselves to host programs and only become infectious when that host runs, worms are independent applications, capable of traversing the internet on their own and as email attachments. Those caught in the wild have ranged from as little as 30 bytes in length to several megabytes, depending on their capabilities and intent. Their numbers are rising, but one anti-virus researcher says it’s a mistake to think the problem is out of control.

“The number of new viruses is not increasing exponentially, as is often claimed,” says IBM virus researcher David M Chess.

The Wildlist anti-virus website (www.wildlist.org) agrees: “The rate of appearance of new viruses in the collections of anti-virus workers has been increasing gradually for several years, at roughly a linear rate.” Wildlist carries a monthly round-up of the worms and viruses known to be active. In September 2008, the total stood at 762, with 43 declared extinct over the previous months.

Despite their growing variety, all worms have several distinct parts in common. The basic elements can be thought of as the target locator, the infection propagator, an optional remote control and update handler, and finally the payload.

Depending on how virulent the worm is, the target locator could be designed to find targets in a number of ways. It may raid your address book and send emails to everyone you know with a copy of itself as an attachment. The famous Melissa worm of 1999 propagated itself this way, using a Windows API to read the address book, and emailing itself to the first 50 contacts.

Emailing is still a viable way for worms to spread today. Think about how many times you’ve not hesitated before opening an email attachment from a trusted friend, and you can see how quickly an epidemic can start.