One Worm To Rule Them All

Every day we hear about new worms circulating on our networks; if it’s not Sasser it’s Netsky or MyDoom.
I’ve heard a lot about the monetary cost of these worms, usually from companies that profit from the hysteria surrounding them. I mean, the virus and worm writers create the market for anti-virus software, and the anti-virus software companies feed the egos of the virus and worm writers with their exaggerated figures. It’s a wonderfully symbiotic relationship.
Two useful sites are and Vmyths: the first takes care of malware and the second takes care of the hype surrounding malware. But the hype is interesting. What kind of worm would really put it in perspective? As an intellectual exercise, what would the worm to end all worms look like?
First, it would have to run on several platforms. Windows is a given, especially Windows XP Embedded, which runs on many ATMs. Also, Mac OS X is a prime target due to the lack of anti-virus software (which is due to the lack of OS X viruses). It would be possible to make a multi-platform worm by carrying payloads for both systems and sending them with the appropriate exploit. Linux doesn’t seem like as good a target due to its fragmented nature and the higher percentage of Linux users who know how to secure a computer. Still, it would be nice to see a Slashdot discussion about the latest virus without the usual smugness.
I won’t really get into delivery methods because Warhol Worms: The Potential for Very Fast Internet Plagues covers this in far greater detail than I would bother with. One thing it doesn’t cover is the fact that a lot of pirated software is available on P2P networks, and so infecting those executables seems like a fairly trivial task with a high payoff in terms of infections.
Now for the payload. Most worms these days exist only to propagate, or maybe to destroy some files. While it’s annoying, it’s not exactly earth shattering stuff. What if the payload contained a network stack for a P2P file sharing network? What if it shared your entire hard drive on a P2P network for the world to search?
We got a glimpse of what would happen when SirCam emailed private FBI documents to random people. Only with a P2P worm, someone doing a Gnutella search for Paris Hilton might get an Excel spreadsheet with quarterly profits for the Hilton hotel in Paris, courtesy of an infected computer. That’s as close as I can imagine to a non-nuclear information apocalypse.
People would spend all sorts of time searching for words like “confidential” and “private” in hopes of turning up something juicy. Oracle, SQL Server and MySQL database filenames would probably become common searches among curious geeks. And of course the really scary stuff, like credit and medical reports, would show up too; remember that this would be running on ATMs.
So that’s pretty much the worst worm I can think of that doesn’t specifically target military or medical machinery. What could be done to protect against it?
Barring some sudden jump in computer science, computers will remain vulnerable to exploits. Barring the invention of a terminal computer worm, people will remain vulnerable to being tricked into running worms emailed to them. The P2P payload problem could be mitigated if the worm used an easily blockable protocol: there are already network filters that stop popular protocols like Gnutella by recognising the protocol itself rather than just a port number.
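As an added example of the kind of filter the previous paragraph mentions (this is not code from the original post), the following Python fingerprints a Gnutella 0.6 handshake by its first line rather than by TCP port. The handshake strings come from the Gnutella 0.6 protocol; the sample flows, addresses and user agents are constructed for illustration.

```python
import re

# Added example: Gnutella 0.6 handshake fingerprinting, the way a protocol-
# aware network filter would do it. Not code from the original post.
# Handshake format per the Gnutella 0.6 protocol: the initiator sends
#   "GNUTELLA CONNECT/0.6\r\n" + header lines + "\r\n\r\n"
# and the acceptor answers
#   "GNUTELLA/0.6 200 OK\r\n" + header lines + "\r\n\r\n".
CONNECT_RE = re.compile(rb"\AGNUTELLA CONNECT/(\d+\.\d+)\r\n")
RESPONSE_RE = re.compile(rb"\AGNUTELLA/(\d+\.\d+) (\d{3}) [^\r\n]*\r\n")


def parse_handshake_headers(payload: bytes) -> dict:
    """Parse the header lines that follow the first line of a handshake."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
    return headers


def classify_payload(payload: bytes):
    """Return None for non-Gnutella data, else a dict describing the handshake.

    Matching on the payload rather than on TCP port 6346 matters: Gnutella
    clients can listen on any port, so a port-based block is trivially evaded.
    """
    m = CONNECT_RE.match(payload)
    if m:
        hdrs = parse_handshake_headers(payload)
        return {"direction": "connect", "version": m.group(1).decode(),
                "user_agent": hdrs.get("user-agent", "")}
    m = RESPONSE_RE.match(payload)
    if m:
        hdrs = parse_handshake_headers(payload)
        return {"direction": "response", "version": m.group(1).decode(),
                "status": int(m.group(2)),
                "user_agent": hdrs.get("user-agent", "")}
    return None


def scan_flows(flows):
    """flows: iterable of (src, dst, first_payload). Returns alert tuples."""
    alerts = []
    for src, dst, payload in flows:
        info = classify_payload(payload)
        if info is not None:
            alerts.append((src, dst, info))
    return alerts


# Constructed sample traffic (not captured data): one Gnutella handshake
# exchange on a non-default port, plus two non-Gnutella flows, one of them
# on the Gnutella default port 6346 to show why port filtering is not enough.
SAMPLE_FLOWS = [
    ("10.0.0.5:40123", "203.0.113.7:8080",
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.0\r\n"
     b"X-Ultrapeer: False\r\n\r\n"),
    ("203.0.113.7:8080", "10.0.0.5:40123",
     b"GNUTELLA/0.6 200 OK\r\nUser-Agent: BearShare/4.3\r\n\r\n"),
    ("10.0.0.5:40124", "198.51.100.9:80",
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.5:40125", "198.51.100.9:6346",
     b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),  # TLS record, not Gnutella
]

if __name__ == "__main__":
    for src, dst, info in scan_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {info}")
```

Only the first two flows raise alerts: the HTTP request and the TLS client hello on port 6346 are ignored because the check looks at what the bytes say, not where they are going. A worm that hid its sharing behind a custom or encrypted protocol would defeat this, which is exactly the author’s point about relying on an easily blockable protocol.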
Any thoughts on how a worm like this could be even more devastating, or how you would stop a worm like this from spreading?

2 thoughts on “One Worm To Rule Them All”

  1. Another possible feature: flood abuse@ e-mail addresses and other reporting conventions.
    DDoS of antivirus update sites, forcing manual update of definitions.
    If taking advantage of a known, patched exploit, modify the OS to think it is already patched.
    Instead of adding an autorun entry: infect an actual executable file.
    Mail death threats to various political figures around the world.
    DDoS airline web allocations. Other mean things to travel infrastructure.
    Terror threats. Yeow!

  2. This topic reminds me of a conversation I was involved in in New York 2 years ago. We got into payloads for different OSs and facilitating updates and control into worms, signing new instructions with private keys.
