The attack of the worms

DQW Bureau
New Update


Worms generally wiggle. Some cost Rs 2 lakh with three computer programmers and coding experts to work on it. A computer worm is a program directed to look for e-mail address in cache memory and infect them. The moment target is found the worm injects itself and lays back. Soon after the computer gets connected to the Internet, the worm flies into the Net towards the addressees. This worm does not wiggle. The cost mentioned is an estimate by a security con-sultant that might be spent in terms of man-hours to produce a ‘reasonable’ worm. At this cost, he calls a worm to be ‘cheap’.

During the eve of Independence Day in India, this year, allegedly the ‘blaster’ worm set out on its flight in the afternoon –local time–in New York. The target seemed to have been the servers–SCADC–the energy giant, which supply electricity to the city. The aim seemed to have been to cause ‘war dialing’, another property that can be coded into a worm.

The effort clogs the servers. Clogging the telephone lines cause denial of service or access. Later that evening when the power supply got disrupted, the servers could not moni-tor and report alerts on the failure of the supply. The result, NY went without electric power for a few days. 


Allegedly a person of Chi-nese origin is said to have been the originator of another worm left in the US that was christe-ned one month after detection as ‘code red’. Slammer is another that is based on Sequential Query Language. There are many more listed by the anti virus vendors, who keep the alerts flowing.

Worm travels from one com-puter to another through e-mail as the delivery vehicle. It is ‘gentlemanly’ in behavior. Trojan is a camou-flaged program–a damaging code appearing to be genuine. This consultant calls it ‘logical bomb’. Further, many are aware that virus is designed with more sophistication and gets injected into file structures. Virus costs more. Comparatively a worm not only is cheap but efficient as well.

In the world of hackers, color of the hat worn by the dealer–in worm, trojan and the virus–differentiates the good, the bad and the ugly. While the Red colored hat was stolen away by the propagators of an open source operating system, white hat remains with the ethical hackers. The nasty one wears the Black hat that also uses the tools devised by the white hat. One recalls the cartoon strip ‘Spy versus Spy’ in which the spy with the white top hat counters the other with the black top hat.


Hacking can be crude or sophisticated. When it is the latter, the affected user does not even realize that information is leaking away unobtrusively from his or her desktop. Though silence is not comparable, it is said that a server can be hacked ‘more’ silently than a desktop–for the simple reason that a PC is attended to by the human user while the server remains unattended for long periods. Cracking occurs with an element of vengeance–the targeted data is destroyed. It can graduate to deny a desktop from being reached and as the next step deny usage of a server.

Not just the missiles from India’s Integrated Guided Missile Development program but a computer worm can be designed to carry a ‘pay load’. It can be a destructive payload. It can sit on an ‘engine’ that serves the worldwide Web or just the e-mail transaction or can be used as the above mentioned ‘war dialer’.

Presently worm is classified into (a) homogeneous (b) heterogeneous (c) hybrid. When it can affect only the same kind of OS as Windows it is homogeneous. It does not affect say, Unix or Linux. Cross platform capability is built into the heterogeneous worm–it affects more than one OS. Hybrid worm can take different facets.


A worm generally has two components–a Graphical User Interface based tool and an engine. Both can be indepe-ndently configured. GUI worm can get into the engine and sits in the back up, biding for time. Such a worm can use a ‘key log-ger’. It does not descend on any desktop but slips through ‘selectively’. An example: the worm can be made to detect specific Single Message Trans-fer Protocol string and drop ‘only’ into it.

A time-thirsty hacker may program a worm with a code to activate itself in a particular time zone say, Greenwich Mean Time plus five and one half hour–to visit India. It can further be coded to attack first on say, the fifth day of the specified month. It may launch its second attack only on the 13 with the third attack scheduled for the 27th day! This is a staggered attacker. It can be progra-mmed to cause selective destruction of data too.

A hybrid worm can be tuned to penetrate a ‘firewall’. Soon after it detects a firewall, it can issue a command asking the firewall program to ‘close itself’! Anti virus program usually reside on the desktop to face the intruder at the entry point. A worm can be prepared to await the anti virus program to show up–and then counter it. This would be similar to the malarial parasite overcoming the white corpuscles in the human blood.


Hacker uses military strategy. What was described above has a tinge of warfare–derived from electronic warfare. As a first step, the hacker resorts to reconnaissance or ‘reccee’ in military jargon. One studies the vulnerabilities in the OS and the connecting habits of the users. It is similar to stalking a prey–before attacking to kidnap, to rape or to kill. During the reccee, the OS in use, different OS on the machine, the routers that are connected, the type of the organization and the intranet set up are studied.

Telephone numbers allotted to an organization are first collected. Methodically, the ones usually used for voice communication, for facsimile and for connecting to the Inter-net are monitored. Those connected to routers are given special preference–it could even be an Integrated Services Digital Network. Computers are monitored to judge when they get on the Net. A manual modem is watched to find the habit of the user who is not always on the Net. The nature of connectivity to the intranet is the next step. A router is watched with the hope that a computer is at its end–to find the machine address.

The unsolicited e-mail requesting moral help is to be watched says the expert. When replied, the server address, machine configuration, net-work node identification, the OS and other OS loaded on the machine are traced and may end up with disclosing a few File Transfer Protocol files. e-mail directed into an organization, when forwarded, gets juicy stuff to a hacker.


It ends up by providing a fingerprint of the organizational set up.

A separate effort goes on to trace the ‘unlisted’ telephone numbers. Numbers may not immediately be identified but the suspected activity is monitored. It may not be surprising if a search engine looking only for the unlisted numbers is lurking somewhere in the Net. Transparency is sought after in anything and in everything. All are ‘on’ and are transparent. …. whither security …… wonder ….. why users dress up at all ….

Sqn Ldr B G Prakash