Jon Thompson goes behind the headlines to expose the life cycle of a computer worm
To find new victims, the worm's target locator might generate random IP addresses to test, or raid the DNS cache and files on its host for addresses of other machines.
Whatever the method, once the worm locates a running target with the right operating system, the infection propagator can try to break in using unpatched security vulnerabilities that will allow it to inject the worm’s code and set it running.
Depending on the nature of the worm, it may have software to handle remote control and to update its own code. This is a feature of ‘botnet’ worms, whose owners (called ‘herders’) need to keep their code updated to grow their botnets (networks of compromised computers that, without the knowledge of their owners, relay malicious traffic on demand) and to stay one step ahead of both the law and other gangs.
The great skill here is to create a command and control structure that is difficult to trace and distributed for resilience against attack, but very efficient at giving the botnet its orders to upgrade, spam, mount denial of service attacks, and so on.
Some worms are designed to propagate as widely as possible, but most have a more focused purpose. Carrying it out is the job of the payload. Some collect identities for later sale, but many are simply destructive. For example, the Witty worm, released in March 2004, deleted a section of each victim’s hard disk as it spread rapidly, exploiting a vulnerability in several security products marketed by Internet Security Systems.
Perhaps even more frightening is that increasingly sophisticated worm-writing toolkits are now freely available for inexperienced hackers to roll their own. One such toolkit is TrojanToWorm, which can repackage a virus into a worm so that it can spread independently.
According to anti-virus company Panda (www.pandasecurity.com), TrojanToWorm is thought to have originated in Spain because the user interface can be switched between Spanish, Portuguese, Catalan and English. Its advanced point-and-click options include the ability to disable system features such as the Windows Task Manager and Registry editor, and even popular web browsers. It allows an infection date to be set and can even display a message on a victim’s computer.
Releasing a worm
Worms unreleased are worms that may as well not exist. But the problem for the writers is that worms can be traced back to their source. Because there are heavy penalties for knowingly releasing a worm or virus, worm writers have come up with solutions that sometimes rely on psychological trickery as much as technology.
It used to be possible to release worms and viruses from unattended internet terminals in internet cafes or provided free in public libraries and drop-in centres. The tightening up of the physical security of such facilities, and the installation of up-to-date security software, have rendered this release method largely ineffective, but there are plenty of others.
Worm writers can rent time on a botnet and release their work as an attachment to millions of spam emails. Botnet owners are security-conscious criminals and will presumably keep the worm writer’s activities secret. Even if just one recipient clicks on the attachment, possibly in anger at believing they’ve been sent a bill for something they know they didn’t buy, the worm will run and begin spreading.