How damaging are worms?
Very, says Sandvine Inc, a Canada-based Internet security company. It says that the main damage falls on ISPs, who lose bandwidth to them and face daily denial-of-service attacks. “In fact,” Sandvine says in one new report (PDF, registration required), “Internet worms and the malicious, malformed data traffic they generate are wreaking havoc on European service provider networks of all sizes, degrading the broadband experience for residential subscribers and imposing hundreds of millions in unplanned hard costs directly related to thwarting attacks.”
Worms, Sandvine says, consume “massive amounts of bandwidth as they replicate. And depending on the number of vulnerable hosts in a given network environment, a worm can create hundreds of thousands of copies of itself in a matter of hours.” The company’s research shows that between 2 and 12% of all Internet traffic is malicious. Even on a well-run ISP network, that figure is about 5%. And if that doesn’t sound like very much, consider the warped effect worms have on processor power when they propagate and probe for weak spots.
All this means that residential subscribers are going to feel the hurt, partly because it’s their Internet connections that are being targeted by worms, and partly because their connections are going to slow down with all this extra traffic, Sandvine warns. Then of course there are infections: The dirty secret of worm infections is that if you’ve got one, the only sure way to get rid of it is to reinstall everything.
For now, ISPs keep quiet about these things; they don’t want to scare off subscribers, and they don’t want the bad guys to get any fresh ideas about their vulnerabilities. But it seems to me that worms and bots are a topic that needs to be researched, reported and resolved more than it is.
Worms cause a lot of problems, long after we’ve forgotten about them.
Sandvine Incorporated, a network hardware provider, says that worm attacks are hitting internet service provider networks, “degrading the broadband experience for home Internet users and imposing anywhere from thousands to millions (of dollars) in unplanned network and customer support costs directly related to thwarting attacks”. This includes “the cost of specialised tactical response teams, swamping of customer support resources, inflated transit costs and perhaps most damaging over the long term, a loss of brand equity that aggravates the industry-wide problem of customer churn.”
Interestingly, Sandvine also points to another type of expensive worm activity: “persistent, low-level attack traffic caused by remnants of previous worms that tenaciously cling-on to residential subscriber PCs”. The bottom line: on any given day, approximately 5 per cent of home users are “infected by some kind of worm and either actively propagating it or generating malicious traffic”.
This lingering damage doesn’t surprise me. My understanding out here in dial-up land is that many users don’t have the bandwidth to download patches or updates, and don’t have the money to subscribe to anti-virus services, but they still stay online unless their ISP cracks down on them. That’s a lot of people connecting their infected computers to the Internet and pumping out viruses and worms we thought we’d seen the last of.
There’s talk of several new viruses out there which can do some serious damage. Here are a couple, in brief:
- MyDoom (sometimes known as Novarg and as a variant of the Mimail virus) uses random subject lines such as “Mail Delivery System,” “Test” or “Mail Transaction Failed” and contains an executable file and a statement such as: “The message contains Unicode characters and has been sent as a binary attachment.” CNET quotes Vincent Gullotto of Network Associates as saying “It’s huge. We have it as a high-risk outbreak.”
- Dumaru has the subject line ‘Important message for you. Read it immediately!’ and may be from someone with an email address that contains expletives (a dead giveaway, unless those are the kind of friends you have). Sophos says the worm poses as an emailed photograph, whilst really attempting to steal online banking details in the background. This is done by something called key-logging — the worm will load software which can capture your keystrokes and send them to the ne’er-do-well so they can access your bank account.
Wayne Rash of InfoWorld, writing last week of the arrival of a worm called Bagle, reckons this kind of outbreak is closely related to college terms. “The worms of summer tapered off as fall progressed,” he says. “By November, things were very quiet. Students were working hard on exams, I guess, and didn’t have time for worm-writing. But now that they’ve been away from the book-learning for a while, we’ve got the first significant worm of ’04.”
Sophos, a British anti-virus company, is getting worried about the new Mimail worm (W32/Mimail-A), a mass-mailing worm which first struck in the United States on Friday 1st August. Sophos says it “has received many reports of Mimail infections and anticipates the worm could be one of the biggest of 2003”.
The Mimail worm arrives in an email claiming to be from the network administrator. Cunningly, it can even spoof the domain name of the business’s email address. For instance, if the recipient’s email address is John.Smith@ABCLimited.com, the email would appear to come from admin@ABCLimited.com.
The message suggests that the recipient’s email account will soon expire and urges them to read the attached information. The attachment, called ‘message.zip’, contains an HTML file which is not a message at all – it is a copy of the worm, which scours the user’s hard disk looking for email addresses for its next round of victims.