
The Internet Threats of Today…and Tomorrow

The year is only half over, and so far we’ve already seen a stream of new Internet worms and viruses – not to mention the ones that were created in 2003 that just won’t go away. Let’s look at recent Internet threats, and what the future of threat activity may hold.

The latest worms
2004 was ushered in with the introduction of the Bagle worm and its variants. This worm was different because it didn’t rely on the damaging payload to be transported in a file attachment – in this case, recipients need only preview or read the email message to become infected. Netsky.v took a page out of Bagle’s book by exploiting a vulnerability in Internet Explorer that was first disclosed, and the patch made available, in October 2003. But those using Outlook or Outlook Express who didn’t patch against those vulnerabilities would fall prey to Netsky. At last count, more than 28 variants of Netsky have been documented – second only to the Melissa virus, an early mass-mailing worm.

While investigators are still trying to track down the authors of these nasty worms and their variants, Netsky and Sasser continue to make their way into computers around the world. Microsoft’s offer of a reward for information leading to the identity of the Sasser writer appears to have worked this time – it didn’t work last year, when a bounty for the MSBlaster and SoBig authors was offered, yet produced no leads.

Sasser has many of the same features that Blaster, which struck in August 2003, had. Both are self-executing, meaning users do not need to receive an email message, open a file to be infected, or even be on their PC in order to become infected. Sasser scans the Internet for unprotected computers running a Microsoft OS. Blaster and Sasser are also similar because they exploited relatively new holes in Windows. The release of Sasser marks the shortest time yet – just 18 days – between the identification of a vulnerability and the beginning of an attack – more evidence of the shrinking vulnerability threat window (see below).

Now we have Dabber. Instead of relying on using an operating-system vulnerability to spread itself, Dabber might be the first worm that spreads specifically by targeting a flaw in another worm's code. W32.Dabber.A propagates by using a vulnerability within the Sasser worm to attack and infect systems.

It is easy to observe that virus and worm writers are getting better at their malicious craft. We are seeing more and more variants of viruses and worms emerging, with the author making modifications and updates to the original, in order to bypass security measures or increase its reach; tweaking the code to spread via both email and file-sharing networks, for instance.

A glimpse into the future
It is hard to predict the future of Internet threats, but Symantec has a handle on the current threat landscape, and has special insight into what the future could hold. Every six months, Symantec releases the “Internet Security Threat Report,” a comprehensive review and analysis of Internet threat activity during the prior six months, including discussion about how threats are evolving. The most recent report observed the following:

  • Blended threats continue to be a significant issue. Blended threats use multiple methods and techniques to spread. As a result, they can cause widespread damage very quickly. The overall volume of blended threat submissions in the top 10 viruses and worms increased by 59% in the last six months of 2003, with Blaster, Welchia, and Sobig.F leading the pack.
  • Vulnerabilities are increasingly severe and more easily exploited. Symantec documented 2,636 new vulnerabilities in 2003, averaging seven per day. Of those vulnerabilities, 70% were easily exploited, due to the fact that no exploit was required or an exploit was readily available. (This is a 10% increase over 2002, when only 60% were easily exploitable.) These figures indicate that attackers can gain access to more critical systems more easily. Perhaps more worrisome: the period of time between the announcement of a vulnerability and the release of an associated exploit is shrinking (this time is known as the “vulnerability threat window”) – Sasser was evidence of this.
  • One of the more successful worms of 2003, Blaster, targeted a vulnerability in core Windows components. These components are more widespread than the server software targeted by previous network-based worms, resulting in a much higher density of vulnerable systems, ultimately leading to more successful threats.
  • “Zero-day” attacks are coming. Symantec believes that “zero-day” threats are imminent. A zero-day blended threat would exploit a vulnerability before the vulnerability is announced and a patch is made public.

What can you do to protect your business?

Become more aware - Aside from having inadequate security technology in place, lack of awareness is a key reason worms are able to spread like wildfire. Many of today’s worms are relying on social engineering tactics to spread, using enticing subject lines in the emails to make the user open the email and the attachment. Here's a good rule to follow: if you are in any way suspicious about an email, don’t open it. The bad news is that email viruses are only going to become more difficult to spot. Just beyond the horizon are personalized viruses – like spam horribly gone wrong, the next generation of viruses could greet you by name, the ultimate in social engineering.

Build a defense in depth - The ever-increasing sophistication of Internet threats calls for a defense-in-depth solution. This means security measures must be installed at all vulnerable points on your system, including your servers and desktops, to establish a multi-layered, comprehensive line of defense. Read our recent article “Defense in Depth and Your Small Business” to learn more.

Conclusion
While ripples of Sasser and its variants are still being felt, and stories about the arrest of its author are still making headlines, you can be sure there are plenty more people out there, trying to create the next Sasser. As virus writers continue to learn from the past, they will create increasingly elusive and nastier threats to the world’s networks and computers. Do your part to protect your little piece of cyberspace by being aware, employing layered security software, and keeping patches up to date.

