CNET is calling this year the year of the worm after a number of high-profile intrusive agents have crippled some major networks. Most of the worms have taken advantage of the general naivety of email users, a side effect of email's acceptance as a mainstream form of communication. While these worms are probably the biggest threat to the average user, they are generally ignored by computer aficionados, with the exception of the poor souls in system administration and support. What is more interesting is the rebirth of an old type of worm, in fact the very first type of worm. In 1988, Morris, a 23-year-old graduate student at Cornell, released a small program that sought out Sun and VAX machines on the Internet with one of several security holes. Upon finding a victim, it replicated itself on that machine and began to recursively expand its domain. This type of worm depends on system administrator neglect, not user interaction, to propagate. Morris had intended the worm as an innocuous proof-of-concept project, but he quickly discovered the biggest danger with this type of worm: exponential growth. As the worm continued to replicate, it saturated processors on machines and network devices, making much of the Internet slow or unusable. Twice recently, worms similar to Morris' have made appearances in the mainstream media. Fortunately, they fell short of crippling the Internet. They did, however, slow things down a bit.


First, two siblings (CodeRed and CodeRedII) made a lackluster attempt at taking over Microsoft-powered web servers by exploiting a buffer overflow in one of the standard IIS modules. Interestingly enough, the CodeRed worms appear to be a proof-of-concept project like the Morris worm. They make only a middling effort to find other machines, and even fall idle (or sleep, as it's called) much of the time. Each does, however, pick hosts to attack through a biased random address generator that favors the infected computer's own subnet. This is a wise move given the prevalence of broadband home networks, and in the days after its release the worm spread quickly inside networks like @home and roadrunner/AT&T. The worm is still alive thanks to the ignorance of many Windows server owners, but even at its peak it only attacked me 55 times in a day. As you can tell from the graphic, the w32.nimda (or nimda) worm is far fiercer in its attempts to reproduce.

w32.nimda searches for hosts at a much faster rate, and even looks for back doors installed by CodeRed and other previous worms. For the first time, a worm alters the web pages served by the machines it has infected so that it can infect surfers who visit them. Many owners of web servers began to investigate a barrage of strange hits on their servers by viewing the web pages of the attacking machine, and found themselves infected. Despite various warnings on Slashdot not to visit the sites, many very skilled users fell victim to this worm. nimda also causes much more damage after infection by writing files onto any network shares it can find on the local network. Unlike the Codes Red, nimda installs itself on the infected machine so that it persists even after a reboot. At its peak, this worm was generating a lot of traffic on the Internet. On kellegous.com, which seems to have fared better than some, over 4,500 hits were recorded on September 19th. I suspect we will see many more as inimical as nimda.

Being enthralled and somewhat annoyed by the persistent hits on kellegous.com, I decided to start tracking the attempted attacks by each of the more interesting worms. It certainly illustrates the relative aggressiveness of w32.nimda, which at its peak was attacking my site 80 times more often than CodeRed. Perhaps I will even add to the graph another worm, called L10n, that attacks Linux DNS servers. It is far more malicious than the two IIS exploits, but it is challenging a much more capable community in the Linux world.
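The per-worm tally described above can be reproduced from an ordinary web-server access log, because each worm announces itself in the request line. The script below is an added example, not code from the original post or from kellegous.com: the log lines are constructed, and it keys on the well-known request signatures, namely CodeRed's `/default.ida?` request padded with `N` (CodeRed I) or `X` (CodeRedII), and nimda's probes for `root.exe` (the back door CodeRedII left behind), `cmd.exe`, and the double-encoded `%255c` traversal.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache "common" format (not real traffic
# from kellegous.com). Client addresses are private / documentation ranges.
SAMPLE_LOG = """\
10.0.0.7 - - [19/Sep/2001:03:12:41 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Sep/2001:03:12:42 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Sep/2001:03:12:43 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Sep/2001:03:12:44 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.168.4.2 - - [19/Sep/2001:11:40:05 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 210
172.16.9.9 - - [18/Sep/2001:22:01:13 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 210
203.0.113.5 - - [19/Sep/2001:12:00:00 -0400] "GET /index.html HTTP/1.1" 200 5120
this line is not a log record
"""

# One common-log record: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# CodeRed overflows the IIS .ida ISAPI filter with a long run of 'N' (CodeRed I)
# or 'X' (CodeRedII) characters in a request for /default.ida.
CODERED_RE = re.compile(r'^/default\.ida\?[NX]{10,}', re.IGNORECASE)

# nimda probes for root.exe (the copy of cmd.exe CodeRedII left as a back door),
# for cmd.exe reached through IIS virtual directories, and for the
# double-URL-encoded "..%255c.." directory traversal.
NIMDA_RE = re.compile(r'(root\.exe|/cmd\.exe|%255c)', re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a log record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the "-0400" offset and keep only the calendar day for per-day tallies.
    stamp = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    rec["day"] = stamp.date().isoformat()
    return rec


def classify(path):
    """Label a request path as 'codered', 'nimda' or 'other'."""
    if CODERED_RE.match(path):
        return "codered"
    if NIMDA_RE.search(path):
        return "nimda"
    return "other"


def count_by_day(lines):
    """Return {day: {label: count}}, the numbers a per-day worm graph is drawn from."""
    per_day = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_day[rec["day"]][classify(rec["path"])] += 1
    return {day: dict(counts) for day, counts in sorted(per_day.items())}


def sources_by_worm(lines):
    """Return {label: set of client IPs} for worm probes only. Each address is an
    infected host; its owner or upstream network is who should be notified."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            label = classify(rec["path"])
            if label != "other":
                sources[label].add(rec["ip"])
    return dict(sources)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for day, counts in count_by_day(lines).items():
        print(day, "codered=%d nimda=%d other=%d" % (
            counts.get("codered", 0), counts.get("nimda", 0), counts.get("other", 0)))
    for label, ips in sources_by_worm(lines).items():
        print(label, "probes came from", sorted(ips))
```

Run against a real access log by replacing `SAMPLE_LOG.splitlines()` with the lines of the file; a 404 on every signature hit (as in the sample) is what a non-IIS server sees, and the per-day dictionary is what the graph on this page plots. Note that the four nimda lines come from a single host, which is why counting distinct sources separately from raw hits matters when judging how many machines are actually infected.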


While the technical evolution of these agents is certainly impressive, it is a far more interesting phenomenon when we consider it culturally. At several points in the babble above, I personified the worms and described them as beings that make decisions and follow a set of objectives. Oddly, very few people these days think it strange to describe a computer program as a sentient being. Did the old-school engineers consider their stack of punch cards a source of life? Is a file of 3,000 lines of C code equivalent to human DNA? Some of the very ideas that seemed so foreign in science fiction are imbuing themselves into our popular consciousness so subtly that we hardly notice. Is this a good thing? My intent is to expand on some of these questions in future articles, but until then, the graph above will be updated twice a day, hopefully illustrating the life cycles of these worms.


