Sinister Sasser

Think the Sasser worm is trivial? Think just because it had near-zero impact on U.S. businesses, it's not something you need to worry about? Think again. True, Sasser infections numbered only in the dozens at places like American Express Co., Citibank NA and Lehman Brothers Holdings Inc., and the worm was cleaned up quickly. Even in Europe, where banks, a stock exchange and even the offices of the European Commission were reportedly hit, Sasser was more of an annoyance than a crisis -- nothing to really worry about.

Start worrying. Worm writers are learning. And they have a plan.

Why do you think there are endless versions of new, seemingly ineffective worms like Netsky and Sasser? They don't do much besides spread themselves. So why 30 versions of Netsky in 11 weeks? Why a dozen Welchia worms in three months? Think: Why would you churn out lots of small prototypes very quickly, with only slight differences among them?

That's right -- to test them with users and get feedback, to find out which features of each prototype work and which are a waste of time. We do it with a pilot group of users. The worm writers are doing it with the entire Internet.

These prototype worms aren't supposed to wreak havoc. They're just supposed to spread. They're experiments, prototypes with cycle after cycle of tweaking and testing.

Once, the individuals who wrote malware just took their best shot. Now they work in teams, developing their software slowly and carefully, testing one element at a time. Those step-by-step results aren't very dramatic. But once the worm writers put it all together, their worms will be a lot more likely to work.

Feeling a little worried yet?

That slow, steady approach to worm writing has other results, too. Worm writers now know that the timing of a worm launch matters. Sasser hit on Friday evening, just after the security experts went home for what was a three-day weekend in Europe -- so it got a much better head start than if it had been released on a Thursday afternoon.

Worm writers have also accustomed us to lots of worms -- two or three new variants per day now -- and high infection rates. Five years ago, the Chernobyl virus spread to 700,000 computers. Everyone was astounded. Last week, Sasser probably topped a million, and everyone yawned. As worm writers are getting more methodical, effective and -- ultimately -- threatening, we're paying less attention.

So what is their plan? What's all this meticulous worm development leading to?

We don't know. But we can guess. The goal might just be a giant network of spam relays. Or it could be something much worse.

What if all those different worms are turned into empty delivery vehicles? What if a future generation does its overnight mass infection, and then each worm phones home for a payload? That would form a perfect platform for massive denial-of-service attacks. Properly designed, the worms could hide their target until the last minute -- because they won't contain the attack payload until the last minute.

Worried now? Good.

That DoS attack, when it comes, might be aimed squarely at you. It might hit a key supplier or service provider. It might just suck up all the bandwidth in your vicinity. You need to be prepared for an attack -- or for collateral damage.

If you don't already have a DoS recovery plan, make one now. Then test it. Refine it. Make sure your IT shop can execute it. Prepare for a DoS attack like you would for a fire, flood or any other disaster.

Because even if those worms don't ultimately pose a DoS threat, you're no worse off. You're ready in case someone or something else slams you with a DoS attack.

But if the worms turn on you, the last thing you'll think they are is trivial.

Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.
