A new worm materialized yesterday in the U.S. Pacific region and was continuing a slow circulation across the U.S. mainland last night in search of compromised computer systems.
VeriSign engineers have been tracking increased Internet traffic on customers’ computer systems around the country since April 16th. The increase in suspicious activity through the week had Internet security experts bracing for what some analysts warned could be the next big worm attack worldwide.
Charles Kaplan, MSS information security officer for VeriSign, told TechNewsWorld earlier this week that a new worm with marching orders for some major Internet activity should be evident within the next few days. His prediction proved accurate, as confirmed evidence of a worm surfaced midday Tuesday.
“We don’t know yet if this will be the next so-called ‘Big One,’” Emory Lundberg, research analyst in the Managed Software Services division of VeriSign, told TechNewsWorld. “It might just be a proof-of-concept test or a harbinger of a bigger worm to follow on its heels.”
Pattern Differs from Earlier Attacks
Lundberg said this new worm, which has yet to be named, was formulated by automated worm-creating software. As such, it is not incredibly optimized.
However, worms that attacked older vulnerabilities in Microsoft software and Internet protocols could be more easily stopped than this latest worm. Adjusting router settings and applying patches issued by Microsoft protected computers from being accessed by attackers.
But Lundberg said this newest worm leaves computer users only two options. One is to disconnect from the Internet to prevent intrusion. The other is to apply specifically designed patches to protect against SSL PCT server vulnerabilities.
“We don’t know just yet if up-to-date antivirus software will be able to identify and block this new worm,” Lundberg told TechNewsWorld.
Code Captured Early On
Worm-related activity involved numerous probes checking for computers that already had a back door opened from a previous vulnerability. Engineers succeeded in uncovering portions of the denial-of-service code.
By last Thursday, engineers had found the DoS code posted publicly on many well-known hacker Web sites. Having access to that code allowed Internet security teams to prepare for anticipated attacks.
Lundberg said Microsoft and another as-yet-unnamed company had acquired a copy of the full worm code by yesterday afternoon. The fact that analysts already were working on the worm code might further slow the worm’s progress, he said.
As of last night, VeriSign did not have the worm code, company officials said, but preliminary analysis showed the worm did not seem to have complete directions for a DoS attack. Instead, said Lundberg, it contained a lot of administrator command prompts.
Testing has shown that rebooting a machine that is hit by this new worm might prevent execution of command instructions. But the worm does leave some code on the hard drives of infected computers, according to Lundberg.
Still a Guessing Game
Preliminary activity reports suggest this new worm will not spread with the kind of rapid-fire growth seen in the cases of the Slammer and Blaster worms. “This one seems to be crawling along,” Lundberg told TechNewsWorld.
Two reasons account for the slower spread of this worm, he said. One is that people learned their lessons after the last round of worm attacks and are more prepared now. The other is that they didn’t wait until the last minute to patch their systems.
Engineers said it is still too early to know for sure what the worm writers have in mind.
“We have more analysis to do yet,” said Lundberg.