March 30, 2001 10:25 AM PST
Computer vandals dig worms
The result? "I think we are going to see a lot more of these," said Greg Shipley, director of consulting services for computer-security firm Neohapsis.
A week ago, Shipley stayed up all night to analyze the new 1i0n Linux worm that had been found in the wild. The worm exploits a vulnerability in widely used domain-name service, or DNS, software used to direct Internet visitors to the proper site.
While the worm does not seem to have spread widely, it had the potential to do extensive damage to systems it compromised, concluded Shipley. His results were a major factor behind advisories released March 23 by both the System Administration Networking and Security (SANS) Institute and the National Infrastructure Protection Center.
Worse, less-technical online vandals--also called script kiddies--could take the scripts, modify them and create a powerful malicious program, he said.
"The script kiddies are being empowered by the automation," said Shipley. "These kids aren't profiling systems (to target their attack). They are playing a numbers game."
David Dittrich, senior security engineer at the University of Washington and a computer forensics expert, worries that the new worms will escalate just as distributed denial-of-service (DDoS) tools did two years ago.
First seen in May 1999, DDoS tools were born as poorly constructed programs that could flood a single Web site or Internet server with so much data, and from so many sources, that the computer effectively would disappear from the Internet.
In August 1999, in one of the first known uses, the University of Minnesota came under attack. Six months later, the tools came to the public's attention when Yahoo, ZDNet, CNN and other high-profile Web sites suffered similar attacks.
Dittrich analyzed both 1i0n and the earlier Ramen worm and found significant improvements in 1i0n's code. He worried that worms, like many other hacker tools, are evolving and getting better.
"With these worms, it's fairly similar in that there (is) a lot of code out there, someone could grab it and mutate it--now, the worm is out there hacking with a different exploit," he said.
With worms exponentially spreading, the Internet could become a much less friendly place, said Mixter, the German hacker who created the Tribe Flood Network, the DDoS tool used in the attacks on Yahoo and others a year ago.
"These are a general threat," he said, adding that--in setting up his own domain--he had come to realize how prevalent scanning, by worms and other automated tools, has become. "Before we had a domain name, we had 300 probes" from scanners, he said. "We don't analyze them because there is too much data."
Worms spread by doubling and doubling again. Robert Graham, chief technology officer with firewall maker Network ICE, thinks that could clog up the works of the Internet.
"In some ways, I'm surprised that they haven't brought down the Internet," he said.
And worms are set to get even more prevalent. With about 30 new vulnerabilities uncovered every week, such automated code for cracking systems has almost infinite potential, said Neohapsis's Shipley.
"My fear is that (hackers) will turn the worm into a framework," he said. "Plug in an exploit and let it go."