Worms will become dynamic, smarter

As if they aren't enough trouble already, Internet worms are going to take an evolutionary leap, worm researcher Jose Nazario said here Wednesday at the fifth annual Black Hat Briefings conference.

"We're going to see a paradigm shift in what worms have to offer ... we're going to see worms evolve," said Nazario, who works for Crimelabs Security Group.

Internet worms are self-replicating and sustaining programs, often transmitted by e-mail, that infect vulnerable systems, sometimes with disastrous results, sometimes with minimal impact. Worms first gained prominence in the late 1980s, but have seen their public profile grow in the last 18 months as the number of worms affecting Windows systems, and more recently, Linux systems, has risen dramatically.

That trend isn't likely to end any time soon, said Nazario, who was presenting material from a paper Crimelabs will be releasing on its Web site next week. Crimelabs is a security consultancy.

"Worms have been and will continue to be a threat ... because they are relatively easy to put together" and because they keep working on their own even after they've been set loose, he said.

Given that worms will continue to exist, Nazario and his colleagues at Crimelabs see a change coming for worms. Right now, worms are limited in their targets and objectives, their types of attacks and exploits, he said.

The writers of most high-profile worms seem to be saying, "Look! I can write a worm," he said. Their objective often seems to be the writing of the worm itself rather than doing damage.

These worms are also limited in the damage they can do because the network traffic they generate grows exponentially, so they are quickly identified and blocked, Nazario said.

Slimy worms

Future worms, however, will be more sophisticated and subtle, making detecting and stopping them more difficult, he said. These new worms will include a number of dynamic components, which can be updated after the worm has been released, something that is not currently possible, he said.

Currently, worms use a single communications protocol to communicate between infected systems and with the machine (if any) that is controlling them. The worms Nazario sees coming will use a number of different protocols, and will be able to mix and match protocols, attacks and targets, thus making them harder to identify or stop. These worms will also have dynamic roles, meaning that the "child" worm may not necessarily look or behave how its "parent" did, he said.

Additionally, these worms will be able to change their characteristics and the damage they do on the fly, as the worm writer changes his code, Nazario said. Worms will be written with more modular structures which will allow for updating components, rather than writing new worms, he said. Updates will be distributed via Usenet and Web sites, and by hiding the updates in files which also contain non-worm content, he said.

Worms may even begin to require signed code, to prevent others from writing update modules designed to keep the worms from working, he said.

Detecting the current crop of worms is largely a matter of understanding how the worm affects one system, which will lead to an understanding of how it will operate on all systems, he said. Dynamic worms will be more complicated, requiring correlation analysis to determine what set of scans and attacks are evidence of which worm.
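The correlation step described above can be sketched as follows. This is an added example, not code from Nazario's talk or the Crimelabs paper; the flow records are constructed, and the thresholds and function names are assumptions chosen for illustration. It links hosts that start scanning shortly after being contacted by another scanning host, so that activity on different protocols is attributed to one outbreak.

```python
from collections import defaultdict

# Constructed flow records: (seconds, source, destination, service).
FLOWS = (
    [(t, "10.0.0.5", f"10.0.1.{t + 1}", "http") for t in range(4)]
    + [(40 + i, "10.0.1.3", f"10.0.2.{i + 1}", "ftp") for i in range(4)]
    + [(90 + i, "10.0.2.2", f"10.0.3.{i + 1}", "smtp") for i in range(4)]
    + [(300 + i, "10.0.7.7", f"10.0.8.{i + 1}", "telnet") for i in range(4)]
    + [(50, "10.0.9.9", "10.0.1.1", "http")]  # ordinary client, low fan-out
)

def scanners(flows, min_targets=4, span=60):
    """Map each high fan-out source to the time its burst began (assumed thresholds)."""
    by_src = defaultdict(list)
    for t, src, dst, _svc in sorted(flows):
        by_src[src].append((t, dst))
    found = {}
    for src, events in by_src.items():
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= span}
            if len(targets) >= min_targets:
                found[src] = start
                break
    return found

def infection_edges(flows, found, window=120):
    """Link scanner A to scanner B when A contacted B shortly before B's burst."""
    return {(src, dst) for t, src, dst, _svc in flows
            if src in found and dst in found and src != dst
            and 0 < found[dst] - t <= window}

def correlate(flows):
    """Group linked scanners and list every service each group used."""
    found = scanners(flows)
    parent = {h: h for h in found}
    def root(h):
        while parent[h] != h:
            h = parent[h]
        return h
    for a, b in infection_edges(flows, found):
        parent[root(b)] = root(a)
    groups = defaultdict(lambda: (set(), set()))
    for _t, src, _dst, svc in flows:
        if src in found:
            hosts, svcs = groups[root(src)]
            hosts.add(src)
            svcs.add(svc)
    return sorted((sorted(h), sorted(s)) for h, s in groups.values())
```

On the constructed data, the three hosts scanning over HTTP, FTP and SMTP come out as one group, while the unrelated telnet scanner stays separate and the ordinary client is not flagged.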

Along with analysis, new kinds of defenses will have to be created. The oft-repeated mantra of keeping your antivirus software up to date and your system patched just won't work any longer, he said.

"We keep saying that -- no one's doing it."

These new worms will have to be fought using anomaly detection, agent-based intrusion detection systems and "poison" updates, modules that will disarm or destroy dynamic worms, he said.

Whether these defenses are in place or not, newer advanced worms will soon be spreading across the Internet, set to plague more and more users, he said.

Here's hoping antivirus and security firms can shift along with the worms.

Black Hat Briefings runs through Thursday at Caesars Palace in Las Vegas.


Sam Costello

PC World