One glaringly apparent aspect of the Slammer/Sapphire worm is that it didn't carry a destructive payload. That is, it did no damage to the systems to which it propagated. Instead, it consumed huge amounts of bandwidth because it could spread so rapidly. For a great technical analysis of the worm, visit one of the Web sites listed below:
http://www.caida.org/analysis/security/sapphire/
http://www.silicondefense.com/sapphire/
http://www.cs.berkeley.edu/~nweaver/sapphire/
Unlike Slammer/Sapphire, many intrusive pieces of code have carried destructive payloads, and some of them also propagated by a variety of means, including through file systems, file-sharing systems, email systems, and open ports with vulnerable services. Nimda, Opaserv, Bugbear, and Klez are examples of such malicious code.
This week, Symantec released the "Symantec Internet Security Threat Report, Volume III". According to the new report, the Opaserv, Bugbear, and Klez threats alone accounted for nearly 80 percent of all malicious code during the past 6 months. Symantec says we should expect to see even more virus and worm intrusions that use a blended type of attack.
The report states that "the variety of threat types that facilitate compromises of data/system availability, confidentiality, and integrity is clearly increasing. While historical data analysis indicates that Windows 32 threats, blended threats, and self-replicating mass-mailers are all on the rise, there are several risks based on market analysis that also warrant close attention."
Those risks include Instant Messaging (IM), peer-to-peer (P2P) applications, and mobile devices. Symantec's report states that according to Gartner, as of fourth quarter 2002, about 70 percent of enterprises use unmanaged IM software on their networks. As a result of IM's popularity, we might see virus and worm designers begin to use IM applications to spread code more widely than ever before.
P2P networks are in the same boat as IM networks. Napster made P2P networks hugely popular, and since Napster's demise, other popular networks have cropped up (e.g., KaZaA, Limeware, Morpheus). Infectious code has already traversed P2P networks. And as P2P application use rises, so does the potential for virus and worm propagation.
Wireless networking is hugely popular and growing by leaps. Many businesses already use wireless LANs (WLANs) to support countless mobile laptop users, and to a lesser extent, mobile PDA users, such as those who use Palm and Research In Motion's (RIM's) BlackBerry. As the computing power of new mobile devices (including cell phone/PDA combinations) increases, so does the risk of virus and worm intrusion. Symantec points out that the "always-on" nature of such devices, as well as their tendency to be remotely connected to sensitive data, will attract intrusion attempts.
So when I consider little worms such as Slammer/Sapphire in conjunction with intrusive nuisances such as Nimda (or Opaserv, Bugbear, and Klez) and the many systems on the Internet with unpatched vulnerabilities, what comes to mind is a stage set for a more serious disaster. And Symantec's overall report points out that potential.
We need to realize that someday, probably sooner than later, someone will likely release an incredibly nasty worm that will wreak havoc on systems by using every point of attack it can find. To be as prepared as possible, you need to use the most up-to-date antivirus software, firewalls, Intrusion Detection Systems (IDSs), and monitoring solutions possible. You must also audit your systems regularly to ensure compliance with your security policies. Because as we saw with Slammer/Sapphire, if you aren't part of the solution, you are or might become part of the problem.
