Hybrid worms are hard to hook
Hundreds of brand-new computer viruses appeared out of the Internet ether last year, but the Code Red and Nimda "hybrid worms" that struck last summer proved to be among the most dangerous and hard to combat with traditional antivirus methods.
Code Red (in its many variants) and Nimda are classified as hybrid worms because they spread in several destructive ways at once. Both exploit software vulnerabilities in unpatched Microsoft servers or browsers; Nimda also propagates through mass mailing and network file sharing. They corrupt files and scan aggressively for new victims, causing congestion or even knocking network equipment offline in what looks like a denial-of-service attack. And they leave a "Trojan horse" behind that gives hackers backdoor entry.
Still striking victims six months later, Code Red and Nimda leave painstaking cleanups behind them, often requiring the operating system to be reinstalled from scratch to be sure the machine is no longer compromised.
"Because of the Trojan-horse aspect, we recommend re-installing the [operating system] and the office suite," says Chris Wraight, technical director at antivirus software firm Sophos. "These virus writers keep moving the bar [higher] with the hybrid worms."
Out of the 1,000 new viruses catalogued by Sophos last year - for a total of about 71,000 known viruses in all - Code Red and Nimda stand out as dangerous precedents for even more damaging worms to come.
"The nature of malicious code has been changing such that the distinctions between viruses and attack exploits are blurring," notes Charles Neal, vice president of cyber terrorism detection and incident response at Exodus Communications. "Thus, the distinction between virus detectors and intrusion detection is also blurring."
Traditional virus-signature updating cannot prevent fast-moving virus and worm outbreaks: a signature for a new worm or variant is written only after a sample has been captured and analysed, by which time the worm has already spread. Behavior-blocking software, which stops suspicious actions before they complete and so can be preventative, comes with its own set of challenges, Neal says.
"It is important to realize when you accept the concept of prevention [behavior blocking], you introduce new risks," Neal says. There's risk in allowing software to automatically alter processing and risk in requiring an administrator to "turn off rules" when users complain about blocking.
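The trade-off Neal describes, as an added example that is not part of the Network World article: a toy signature scanner beside a toy behavior-blocking rule, both run over the same constructed connection records. The signature table, the hosts, the request payloads and the scan threshold are all made up for illustration; none of it is a real vendor signature or a real worm's request.

```python
"""Added example, not code from the Network World article: a toy comparison of
signature matching with behaviour blocking on constructed connection records.
Signatures, addresses and payloads are made up for illustration."""
from collections import defaultdict
import re

# Constructed signature table (stand-ins for vendor signatures). The scanner
# only knows variant A; variant B is the "new variant" that appeared after the
# last signature update.
SIGNATURES = {
    "worm.variant-a": re.compile(rb"GET /vulnerable\.dll\?A{8}"),
}


def _burst(src, payload, n, start=0):
    """One request per second from `src` to n distinct hosts (constructed)."""
    return [(start + i, src, f"198.51.100.{i + 1}", 80, payload) for i in range(n)]


# Constructed flow records: (timestamp_s, src, dst, dst_port, payload_prefix)
FLOWS = (
    _burst("10.0.0.5", b"GET /vulnerable.dll?AAAAAAAA HTTP/1.0", 12)   # known variant
    + _burst("10.0.0.6", b"GET /vulnerable.dll?BBBBBBBB HTTP/1.0", 12)  # unknown variant
    + _burst("10.0.0.9", b"GET /robots.txt HTTP/1.1", 12)              # legitimate crawler
    + [  # ordinary user: a few requests to two servers
        (5, "10.0.0.7", "203.0.113.10", 80, b"GET /index.html HTTP/1.1"),
        (40, "10.0.0.7", "203.0.113.11", 80, b"GET /news HTTP/1.1"),
        (90, "10.0.0.7", "203.0.113.10", 80, b"GET /index.html HTTP/1.1"),
    ]
)


def signature_hits(flows):
    """Signature scanning: a source is flagged only if a payload matches a
    pattern the scanner already has. Returns {src: {signature names}}."""
    hits = defaultdict(set)
    for _ts, src, _dst, _port, payload in flows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits[src].add(name)
    return dict(hits)


def scan_behaviour_hits(flows, threshold=10, window=60, port=80, exempt=()):
    """Behaviour rule: flag a source that contacts at least `threshold`
    distinct hosts on `port` within any `window`-second span, whatever the
    payload. `exempt` models an administrator switching the rule off for
    sources whose users complain about being blocked."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, _payload in flows:
        if dport == port and src not in exempt:
            per_src[src].append((ts, dst))
    flagged = set()
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> hits currently inside the window
        lo = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window:  # slide the window forward
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            if len(in_window) >= threshold:
                flagged.add(src)
                break
    return flagged


def compare(flows, exempt=()):
    """Per-source verdict from each approach, for side-by-side reading."""
    sigs = signature_hits(flows)
    scanners = scan_behaviour_hits(flows, exempt=exempt)
    sources = sorted({f[1] for f in flows})
    return {
        src: {"signature": sorted(sigs.get(src, ())), "behaviour": src in scanners}
        for src in sources
    }


if __name__ == "__main__":
    for src, verdict in compare(FLOWS).items():
        print(f"{src:10} signature={verdict['signature'] or '-'} "
              f"behaviour={'SCANNING' if verdict['behaviour'] else 'ok'}")
    # Exempting the crawler silences the false positive, but a worm that later
    # lands on that host is now missed too: this is the "turn off rules" risk.
    print("after exempting 10.0.0.9:",
          sorted(scan_behaviour_hits(FLOWS, exempt={"10.0.0.9"})))
```

The signature scanner catches only the variant it already knows (10.0.0.5) and is silent on the unknown variant (10.0.0.6). The behaviour rule catches both, because it keys on what the host does rather than on bytes, but it also flags the legitimate crawler (10.0.0.9), which is exactly the kind of complaint that pushes an administrator to exempt a host and thereby reopen the gap.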
The worm threat has many corporations pondering how puny their traditional antivirus defense seemed at the height of the spread of Code Red and Nimda.
"The downturn in the economy has already increased pressure from management to know why their investment in information security isn't yielding better results in the face of attacks like Code Red and Nimda," says Stephen Northcutt, education director at the SANS Institute, in the institute's recent bulletin on important security trends. This year, the IT community will re-evaluate best practices, he adds.
By Ellen Messmer, Senior Editor
Network World, 01/28/02.
