The Virus and Worms Reloaded

by Frederic V. Farcy of TNTmax, LLC.

There are over 800 new viruses and/or worms detected each month. Out of these 800 viruses/worms only a few make the headlines.

What is a Virus?

A computer virus is a program written by a cracker that "infects" other programs by embedding a copy of itself inside the code of its software target. The virus hides itself within a trusted program, very much like a "Trojan horse". When the infected program is executed by the user, the embedded virus code is executed, triggering three main actions:

- replication of itself to other software applications on the local host
- spreading itself to other hosts
- delivering its payload (the attack)

A virus needs a "host" - the particular hardware and software environment on which it can run - and a "trigger" - the event that starts it running. Unlike a worm, a virus cannot infect other computers without assistance (user intervention). It is propagated by vectors such as humans trading programs with their friends.

What is a Worm?

On November 2, 1988 the Morris Worm was launched at the MIT Artificial Intelligence (AI) lab. It quickly spread to other Ivy League universities, its primary target, before spreading to the rest of the Internet. By the next morning, nearly all of the Internet was infected. It propagated through a number of bugs in BSD Unix and its derivatives. Morris himself was convicted under the US Computer Crime and Abuse Act and received three years' probation, community service and a fine in excess of $10,000. This was the first recorded worm attack. At the time Robert T. Morris, Jr. released his worm, his father, Robert Morris, Sr., was a very important chief scientist at the National Security Agency (NSA). In May 2000, 12 years later, the notorious VBS/LoveLetter worm, also known as the "I love you" virus (actually a worm), was launched.

A "worm" is a program that seeks out and automatically attacks systems that are vulnerable to compromise via a number of attacks built into the worm program itself. These worm programs can compromise literally thousands of systems within a very short period of time. In addition to replication, a worm may be designed to do any number of things, such as delete files on a host system or send documents via e-mail. More recent worms may be multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can wreak havoc just with the network traffic generated by its reproduction. Mydoom, for example, caused a noticeable worldwide Internet slowdown at the peak of its spread, called "Internet noise". A common payload is for a worm to install a backdoor in the infected computer, as was done by Sobig and Mydoom. These backdoors are used by crackers for all kinds of havoc (spam distribution, remote hacking, illegal download sites, etc.).

Crackers are quickly adapting to the fast response of the anti-virus companies and have started to deploy multi-tier worm attacks. These attacks consist of worm mutation strains that can leverage previous virus/worm backdoors, have the ability to modify themselves (stealth/cloaking), possess multiple delivery mechanisms, scan systems for vulnerabilities and much more; for example, the Beagle.[A..K], Netsky.[A..F] and MyDoom.[A..G] viruses/worms. This multi-tier worm mutation highlights a much more aggressive attack strategy used by crackers worldwide.

While most of the burden of virus detection, prevention and removal lies on the shoulders of security companies worldwide, it is crucial to get the end user actively involved and well informed on the latest preventive procedures. "Security is a Process, not a Product". It is important to educate your customers on how to deal with e-mail attachments. A well educated user will greatly reduce the chance of a "Zero-Day" attack wreaking havoc on your network.

Security companies around the world are a key to our daily computer health and they are rarely given the credit they deserve. Stopping viruses and worms from spreading out of control and wreaking chaos on the Internet is the security company's job. Customer infection from a "Zero-Day" worm/virus occurs from time to time. This is because when a brand new virus/worm is released on the Internet, it takes several hours for it to be noticed, detected, and for a cure to be found.

Virus detection and cleaning is very much like seeing a doctor. To protect yourself from the flu, doctors recommend that you eat healthy, take your vitamins, wash your hands often, and avoid people who are sick. They can also give you a flu shot, but none of these preventive precautions can guarantee that you will not get sick and catch the flu. There are many new types of flu and every year the flu mutates. Companies like TNTmax that provide anti-virus and anti-spam filtering to customers are very much like doctors. We remove all the currently known viruses and keep an hour-by-hour eye on new possible signs of computer virus/worm infections. Very much like doctors, we recommend that our customers take additional steps to improve their chances of not getting a virus/worm infection on their computers by running anti-virus software on their workstations, being careful when receiving attachments, and keeping informed. There is always the growing "Zero-Day" threat, which can spread through your computer within seconds and has no cure for several hours, infecting everyone in its path, including people protected by anti-virus filtering systems. These viruses/worms get contained very rapidly by our industry, but they create chaos for our customers. The average virus/worm cure is posted and available to customers within hours.

This is fast by human standards and an eternity in computer terms. Within seconds a virus can spread around the globe. Within minutes a virus/worm can infect 1000 host computers. Within hours we can have over 100,000 infected computers on the Internet trying to find a new host to spread to. Without the security companies providing anti-virus filtering and cures, the Internet would be crippled within one day. So be informed and be careful of received e-mails and what web sites you visit.
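The article's advice on handling e-mail attachments is the part of the defence that works before any signature exists, because it keys on how a worm arrives rather than on what it contains. The following is an added example, not code from the article or from TNTmax's filtering service: a small attachment-triage policy of the kind a mail gateway or a user-education checklist encodes. It flags filenames whose last extension is one Windows executes on double-click (a VBScript attachment, the kind the "VBS/" prefix above denotes, falls in this set), "double extensions" such as a decoy .txt or .jpg in front of the real one, and runs of padding spaces that push the real extension out of view in a mail client. The extension lists, the thresholds and the sample attachment names are all constructed for the example.

```python
"""Attachment triage by filename: the checks a mail gateway can apply before a
signature for a new worm exists.  Added example; extension lists, thresholds
and sample names are constructed, not taken from any vendor's filter."""
import re
from dataclasses import dataclass, field

# Extensions Windows runs directly on double-click (representative subset, constructed).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta"}
# Harmless-looking extensions a worm places in front of the real one ("photo.jpg.exe").
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "mp3", "htm", "html"}


@dataclass
class Verdict:
    filename: str
    action: str                      # "block", "quarantine" or "allow"
    reasons: list = field(default_factory=list)


def assess_attachment(filename: str) -> Verdict:
    """Classify one attachment by its name alone, without opening the content."""
    reasons = []
    # Windows ignores trailing whitespace in a name, so strip each piece the same way.
    parts = [p.strip().lower() for p in filename.split(".")]
    exts = [e for e in parts[1:] if e]          # drop empty pieces from names like "a..b"
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{last} hides the executable")
    # A run of spaces pushes the real extension past what the mail client displays.
    if re.search(r" {8,}", filename):
        reasons.append("padding spaces hide the real extension")
    if len(exts) >= 3:
        reasons.append("three or more extensions")

    if last in EXECUTABLE_EXTS:
        action = "block"            # executable content is never delivered
    elif reasons:
        action = "quarantine"       # odd but not executable: hold for a human
    else:
        action = "allow"
    return Verdict(filename, action, reasons)


def triage(filenames):
    """Apply the policy to a batch of names and return a count per action."""
    counts = {"block": 0, "quarantine": 0, "allow": 0}
    for name in filenames:
        counts[assess_attachment(name).action] += 1
    return counts


# Constructed sample attachment names; none is taken from a real worm.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "invoice.txt.vbs",
    "holiday_photo.jpg                        .scr",
    "setup.exe",
    "readme.txt",
    "archive.tar.gz.bak",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = assess_attachment(name)
        print(f"{v.action:10} {name!r}  {'; '.join(v.reasons)}")
    print(triage(SAMPLE_ATTACHMENTS))
```

The policy deliberately blocks on the last extension regardless of what precedes it, because the user sees the decoy and the operating system sees the executable; the quarantine tier exists so that merely unusual names (a legitimate multi-extension backup file, for instance) are held for review rather than silently dropped. In a real deployment the same verdict should also be applied to the names inside archive attachments, which this name-only example does not open.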

