The Rise of the Business Worm

The recent high profile worm outbreak in the corporate sector by Zotob/Bozori in August, is a harbinger of a significant shift in both the type of malicious code utilized by and the motivation of today’s hackers.

The shift signals the rise of what can be categorized as “business worms,” a new type of attack that targets enterprises rather than home users.

What makes this trend all the more worrisome is the clear intent on access and manipulation of corporate data and trade secrets. Unlike previous worms such as Sasser and Blaster, which were mainly aimed at disrupting home users in order to gain bragging rights in the underground hacker community, attacks like Bozori are perpetrated by hackers that are highly trained, well funded, and have clear criminal intent.

The existing business network climate, with a greater number of machines run behind firewalls that are more likely to have unpatched Windows 2000 systems, means businesses have become a much more likely target for hackers.

For some time now, the security vendor community has been tracking a shift in virus writers’ tactics. The relative decline in the number of global epidemics during the last year signals a move away from the use of mass attacks on users worldwide. Instead, viruses, worms and Trojans are becoming more localized.

Changing Tactics

Of course, changing tactics are nothing new in the field of malicious code. Technological advances have always been the chief driving force behind change. The emergence of the Internet as a means of doing business formed the backdrop to the development of Internet-borne malware. The technological “tug-of-war” between malware authors and security vendors has also influenced the development of malicious code.

However, technology is not the only factor involved. Social dynamics have an equal influence on the direction in which malware develops. The heavy use of social engineering techniques to lure unsuspecting users into running malicious code is just one example of this. The anatomy of the current Bozori worm outbreaks provides another clear example of the social dynamic in malware development.

On the face of it, Bozori was no different than earlier Internet worms like Blaster or Sasser: it uses an exploit to spread directly to vulnerable machines. Yet there was no global epidemic. This was a very localized, if very well known, attack, with its notoriety due more to the profile of victims such as CNN and the New York Times than the actual footprint of the assault.

In general there were no tell-tale signs of an epidemic on the Internet, with the European and Asia/Pacific regions virtually unaffected. Additionally, there were practically zero reports of infection from individual users.

Still, there’s no question that this worm did spread. However, it appeared to be confined to localized “explosions” inside large U.S. corporations. Affected organizations were made up of so many machines they effectively formed small internets. Being behind heavily defended Internet gateways, these businesses experienced the heaviest infestations.

Bozori, it seems, caused local outbreaks whenever it was able to reach the critical mass (and this was heavily dependent on the level of management in the organization). The worm couldn’t reach many machines over the Internet because most businesses today implement firewalls. However, a worm can penetrate a local network without going through the firewall.

When an infected laptop is brought into a network with, let’s say, 50 Windows 2000 machines, chaos can erupt. That’s why Bozori didn’t affect small companies and home users. On the other hand, a number of globally interconnected corporations, running large networks of computers—practically their own reduced versions of the Internet—were badly hit.

Businesses felt secure and confident these types of attacks couldn’t reach them; that the damage came as a result of what may or may not have existed on the inside made it all the worse.

This trend is not caused by any technical change in the way virus authors code their malware. What has changed is a shift in the social organization or social dynamics. Organizations have been secured behind their “impenetrable” firewalls, filtering all e-mails and stripping all executable content.

The Bozori incident suggests that we’re on the threshold of a new era, in which business worms will cause local network outbreaks in large corporations, but will have little effect on the Internet as a whole.

Shane Coursen is a Senior Technical Consultant for Kaspersky Lab, a U.S. information security company with R&D located in the world’s foremost Internet security lab, Kaspersky Lab, in Moscow, Russia. He can be contacted at [email protected].