Tag Archives: Worm

The Price of Worms

How damaging are worms?

Very, says Sandvine Inc, a Canada-based Internet security company. It says the main damage falls on ISPs, who lose bandwidth to worms and face daily Denial of Service attacks. “In fact,” Sandvine says in one new report (PDF, registration required), “Internet worms and the malicious, malformed data traffic they generate are wreaking havoc on European service provider networks of all sizes, degrading the broadband experience for residential subscribers and imposing hundreds of millions in unplanned hard costs directly related to thwarting attacks.”

Worms, Sandvine says, consume “massive amounts of bandwidth as they replicate. And depending on the number of vulnerable hosts in a given network environment, a worm can create hundreds of thousands of copies of itself in a matter of hours.” The company’s research shows that between 2 and 12% of all Internet traffic is malicious. Even on a well-run ISP network, that figure is about 5%. And if that doesn’t sound like very much, consider the warped effect worms have on processor power when they propagate and probe for weak spots.

All this means that residential subscribers are going to feel the hurt, partly because it’s their Internet connections that are being targeted by worms, and partly because their connections are going to slow down with all this extra traffic, Sandvine warns. Then of course there are infections: The dirty secret of worm infections is that if you’ve got one, the only sure way to get rid of it is to reinstall everything.

For now, ISPs keep quiet about these things; they don’t want to scare off subscribers, and they don’t want the bad guys to get any fresh ideas about their vulnerabilities. But it seems to me that worms and bots are a topic that needs to be researched, reported and resolved more than it is.

 

The Lingering Damage Of Worms

Worms cause a lot of problems, long after we’ve forgotten about them.

Sandvine Incorporated, a network hardware provider, says that worm attacks are hitting internet service provider networks, “degrading the broadband experience for home Internet users and imposing anywhere from thousands to millions (of dollars) in unplanned network and customer support costs directly related to thwarting attacks”. This includes “the cost of specialised tactical response teams, swamping of customer support resources, inflated transit costs and perhaps most damaging over the long term, a loss of brand equity that aggravates the industry-wide problem of customer churn.”

Interestingly, Sandvine also points to another type of expensive worm activity: “persistent, low-level attack traffic caused by remnants of previous worms that tenaciously cling-on to residential subscriber PCs”. The bottom line: On any given day, approximately 5 per cent of home users are “infected by some kind of worm and either actively propagating it or generating malicious traffic”.

This lingering damage doesn’t surprise me. My understanding out here in dial-up land is that many users don’t have the bandwidth to download patches or updates, and don’t have the money to subscribe to anti-virus services, but they still stay online unless their ISP cracks down on them. That’s a lot of people connecting their infected computers to the Internet and pumping out viruses and worms we thought we’d seen the last of.

I’m Not Saying Worms Are A Good Idea But…

One small consolation of worms like Sobig is that you end up having a large number of inadvertent penpals. It’s like a huge chainletter. Sobig ransacks address books and fires off emails to all and sundry, along with the worm (which then does lots of damage, I’m not contesting).

While I don’t condone the activities of silly anti-virus vendors who haven’t figured out that worms like Sobig fake the sender of emails (see my earlier posting on this) — making the sending of automated emails to the apparent senders of worms an absurd and self-defeating endeavour — it’s kinda interesting to get emails from servers around the globe in places that you couldn’t possibly know anyone. I just got one from Romania complaining I sent someone called Deico an infected email. I have never been to Romania, and as far as I know I have never corresponded with someone from Romania. But someone I know must, or someone they know. Or someone they know. Or someone they know….

Update: Blaster Graph

Network Associates say that over 1.2 million systems have been affected by the Lovsan/Blaster threat, also known as W32/Lovsan.worm, which is continuing to spread at a steady rate and is infecting over 30,000 systems per hour during peak times. A detailed graph of the worm’s progress can be found at http://www.hackerwatch.org/checkup/graph.asp.

News: Klez Is Still So Big

Viruses, worms, whatever, don’t have to be new to be a pain. Bill Fallon, Vice President of Product Marketing at EasyLink Services Corporation, the company that offers and operates MailWatch (“a leading Spam-blocking, virus-scanning and content-filtering service protecting corporate networks worldwide!”): “The Klez worm, which debuted back in October 2001, continues to be the most widely circulating threat among corporate networks almost two years later. Just last month we intercepted it over 95,000 times.” That baby just seems to run and run. There are three times as many Klezes running around as the next most popular worm, Sobig (32,000).

News: It’s Monday, the Worms Are Out

Sophos, a British anti-virus company, is getting worried about the new Mimail worm (W32/Mimail-A), a mass-mailing worm which first struck in the United States on Friday 1st August. Sophos says it “has received many reports of Mimail infections and anticipates the worm could be one of the biggest of 2003”.

The Mimail worm arrives in an email claiming to be from the network administrator. Cunningly, it can even spoof the domain name of the business’s email address. For instance, if the recipient’s email address is John.Smith@ABCLimited.com the email would appear to come from admin@ABCLimited.com. The message suggests that the recipient’s email account will soon expire and urges them to read the attached information. The attachment, called ‘message.zip’, contains an HTML file which is not a message at all – it is a copy of the worm, which scours the user’s hard disk looking for email addresses for its next round of victims.
 
More information about the Mimail worm can be found at http://www.sophos.com/virusinfo/analyses/w32mimaila.html.
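
The traits listed above (an admin@ sender on the recipient's own domain, an attachment named message.zip, an HTML file inside it) are enough for a simple mail-gateway check. The following is an added example, not code from Sophos or from the original post; the function names, the sample subject line and the sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr


def mimail_indicators(raw: bytes) -> list[str]:
    """Return which Mimail-A traits described in the post a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    s_local, _, s_dom = sender.partition("@")
    r_dom = rcpt.partition("@")[2]
    # Trait 1: "network administrator" address forged on the recipient's domain.
    if s_local == "admin" and s_dom and s_dom == r_dom:
        hits.append("admin@ sender on recipient's own domain")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != "message.zip":
            continue
        hits.append("attachment named message.zip")  # Trait 2
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                # Trait 3: the archive holds an HTML file, not a document.
                if any(n.lower().endswith((".htm", ".html")) for n in zf.namelist()):
                    hits.append("zip contains an HTML file")
        except zipfile.BadZipFile:
            hits.append("message.zip is not a valid archive")
    return hits


def build_sample(sender: str, attach_zip: bool) -> bytes:
    """Constructed test message; the HTML inside is harmless placeholder text."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "John.Smith@ABCLimited.com"
    m["Subject"] = "your account"  # constructed; the post does not give a subject
    m.set_content("Your email account will expire soon. See attached.")
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("message.html", "<html>placeholder</html>")
        m.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="message.zip")
    return m.as_bytes()


if __name__ == "__main__":
    print(mimail_indicators(build_sample("admin@ABCLimited.com", True)))
    print(mimail_indicators(build_sample("alice@example.org", False)))
```

A gateway would quarantine on all three traits together; the forged-sender trait alone is also worth logging, since mail claiming to come from inside the organisation but arriving from outside is suspicious in its own right.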