Worms will become dynamic, smarter

As if they aren't enough trouble already, Internet worms are going to take an evolutionary leap, worm researcher Jose Nazario said here Wednesday at the fifth annual Black Hat Briefings conference.

"We're going to see a paradigm shift in what worms have to offer ... we're going to see worms evolve," said Nazario, who works for Crimelabs Security Group.

Internet worms are self-replicating and sustaining programs, often transmitted by e-mail, that infect vulnerable systems, sometimes with disastrous results, sometimes with minimal impact. Worms first gained prominence in the late 1980s, but have seen their public profile grow in the last 18 months as the number of worms affecting Windows systems, and more recently, Linux systems, has risen dramatically.

That trend isn't likely to end any time soon, said Nazario, who was presenting material from a paper Crimelabs will be releasing on its Web site next week. Crimelabs is a security consultancy.

"Worms have been and will continue to be a threat ... because they are relatively easy to put together" and because they keep working on their own even after they've been set loose, he said.

Given that worms will continue to exist, Nazario and his colleagues at Crimelabs see a change coming for worms. Right now, worms are limited in their targets and objectives, their types of attacks and exploits, he said.

The writers of most high-profile worms seem to be saying, "Look! I can write a worm," he said. Their objective often seems to be the act of writing the worm rather than any interest in perpetrating damage.

These worms are also limited in the damage they can do because the network traffic they generate grows exponentially, so they are quickly identified and blocked, Nazario said.

Slimy worms

Future worms, however, will be more sophisticated and subtle, making detecting and stopping them more difficult, he said. These new worms will include a number of dynamic components, which can be updated after the worm has been released, something that is not currently possible, he said.

Currently, worms use a single communications protocol to communicate between infected systems and with the machine (if any) that is controlling them. The worms Nazario sees coming will use a number of different protocols, and will be able to mix and match protocols, attacks and targets, thus making them harder to identify or stop. These worms will also have dynamic roles, meaning that the "child" worm may not necessarily look or behave how its "parent" did, he said.

Additionally, these worms will be able to change their characteristics and the damage they do on the fly, as the worm writer changes his code, Nazario said. Worms will be written with more modular structures which will allow for updating components, rather than writing new worms, he said. Updates will be distributed via Usenet and Web sites, and by hiding the updates in files which also contain non-worm content, he said.

Worms may even begin to require signed code, to prevent update modules from being written that would keep the worms from working, he said.

Detecting the current crop of worms is largely a matter of understanding how the worm affects one system, which will lead to an understanding of how it will operate on all systems, he said. Dynamic worms will be more complicated, requiring correlation analysis to determine what set of scans and attacks are evidence of which worm.
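The kind of correlation described above can be illustrated from the defender's side. The following is an added example, not code from Nazario's talk or the Crimelabs paper: it compares a per-protocol fan-out threshold with a count correlated across protocols for each source host. The flow records, addresses, threshold and window are constructed for illustration.

```python
from collections import defaultdict

def build_flows():
    """Constructed flow records (time_s, src, dst, protocol); not real traffic."""
    flows = []
    # 10.0.0.5 reaches nine hosts, three each over SMTP, HTTP and FTP.
    for i, proto in enumerate(["smtp", "http", "ftp"] * 3):
        flows.append((10 + i, "10.0.0.5", f"192.0.2.{i + 1}", proto))
    # 10.0.0.7 reaches six hosts over a single protocol.
    for i in range(6):
        flows.append((20 + i, "10.0.0.7", f"198.51.100.{i + 1}", "http"))
    # 10.0.0.9 is an ordinary mail relay with four peers.
    for i in range(4):
        flows.append((30 + i, "10.0.0.9", f"203.0.113.{i + 1}", "smtp"))
    return flows

def per_protocol_alerts(flows, threshold, window):
    """Flag sources whose fan-out on any ONE protocol reaches the threshold."""
    dsts = defaultdict(set)
    for ts, src, dst, proto in flows:
        dsts[(ts // window, src, proto)].add(dst)
    return {src for (_, src, _), seen in dsts.items() if len(seen) >= threshold}

def correlated_alerts(flows, threshold, window):
    """Flag sources by fan-out summed across protocols; report protocols seen."""
    dsts, protos = defaultdict(set), defaultdict(set)
    for ts, src, dst, proto in flows:
        key = (ts // window, src)
        dsts[key].add(dst)
        protos[key].add(proto)
    alerts = {}
    for (bucket, src), seen in dsts.items():
        if len(seen) >= threshold:
            alerts.setdefault(src, set()).update(protos[(bucket, src)])
    return {src: sorted(p) for src, p in alerts.items()}

if __name__ == "__main__":
    flows = build_flows()
    print("per-protocol:", per_protocol_alerts(flows, threshold=5, window=60))
    print("correlated:  ", correlated_alerts(flows, threshold=5, window=60))
```

The host that spreads its connections over three protocols stays under the per-protocol threshold and is flagged only by the correlated count, while the mail relay is flagged by neither.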

Along with analysis, new kinds of defenses will have to be created. The oft-repeated mantra of keeping your antivirus software up to date and your system patched just won't work any longer, he said.

"We keep saying that -- no one's doing it."

These new worms will have to be fought using anomaly detection, agent-based intrusion detection systems and "poison" updates, modules that will disarm or destroy dynamic worms, he said.

Whether these defenses are in place or not, newer advanced worms will soon be spreading across the Internet, set to plague more and more users, he said.

Here's hoping antivirus and security firms can shift along with the worms.

Black Hat Briefings runs through Thursday at Caesar's Palace in Las Vegas.

Sam Costello

PC World