Worm, virus makers pick up speed

New worms are becoming more efficient and the window between exposure of a vulnerability and the appearance of an exploit is shrinking, according to the latest Internet Security Threat Report from Symantec Corp. of Cupertino, Calif.

"Things are becoming faster," said Alfred Huger, senior director of development for Symantec Security Response. "The people who are designing worms are learning from their mistakes."

But the threat from worms and viruses that long ago passed out of the headlines, such as Code Red and Nimda, remains. "Once one of these things get released in the wild, they stay in the wild," Huger said.

These are among the findings of Symantec's fourth semiannual security report, released today. It compares security data from the first six months of 2003 with the same period from last year. The information comes from an analysis of 30 terabytes of data culled from Symantec's security operations center in Alexandria, Va., and from its DeepSight Threat Management System, which monitors data from firewalls and intrusion detection systems installed around the world.

The report concludes that systems within the United States are still the primary source of attacks, malicious code is becoming more sophisticated, speed of propagation is increasing, and Linux systems appear to be targeted for new attacks. New vectors for infection over the first half of the year include instant messaging and peer-to-peer services.

Vandalism still accounts for the vast majority of malicious code being released, "but we're seeing it being used to deliver messages," Huger said. The recent Blaster worm, for instance, carried a message for Microsoft Corp. founder Bill Gates. "I think we're going to see more of that."

Some worms are becoming more specifically targeted, which could indicate a more malicious intent. Bugbear, for instance, although it infected computers indiscriminately, searched for data from financial institutions. Financial gain also appears to be a motive in recent denial-of-service attacks launched against antispam services. "There is a great deal of money to be made" from spam, and commercial e-mailers could be targeting the services, Huger said.

The MS-DOS-bots used to launch these attacks often are placed on compromised machines through back doors opened by Trojan programs that have been delivered by old worms and viruses. These exploits account for much of the background noise detected by Symantec's large system of honeynets, which attract and track malicious activity.

"Something like 85 percent of the attacks we see on these machines are from people trying to plant these Trojans," often using old, unsophisticated exploits, Huger said.

Symantec's findings are born out by Arbor Networks Inc. of Lexington, Mass. That company's recent monitoring of Internet activity found that Code Red, Nimda and Blaster still account for more than 32,000 infections a day. Code Red and Nimda account for more than half of this total, although they are two years old. The company has observed more than 5 million Code Red source addresses and more than 275,000 Blaster worm source addresses, generating more than 20 million infection attempts each day.

The situation persists because administrators often are hesitant to upgrade and patch production systems, because fixing them may require taking them out of service and because patches can have unintended consequences.

But "an ounce of prevention is worth a pound of cure," Huger said. Enterprises can use test beds to test patches and upgrades to ease the process of deploying them on a working system.