An established, clandestine network of compromised computers could become the launching pad for a superworm that would have a massive impact on the Internet.
The malware network was created by an unpublicized Trojan — a malicious program that poses as a benign one — called Sinit, which has already infected hundreds of thousands of computers, according to a report released Monday by Clearswift, a UK-based maker of software for managing and securing communications.
Sinit has created an underground peer-to-peer network that removes the single point of failure law enforcement often targets to shut down viruses, the company explained in a statement. With Sinit, there is no central server that can be taken offline. Each infected host becomes part of a peer-to-peer network through which additional Trojans can spread.
Great Deal of Malice
“It’s spooky in the sense that it seems to have the potential for a great deal of malice,” Greg Hampton, Clearswift vice president for U.S. marketing, told TechNewsWorld. “How it will be used is still unclear, so we don’t want to raise any false alarms.”
“The reason why Sinit is quite concerning is that it opens up a port on a machine, much like opening a window in your house,” Sharon Ruckman, senior director for security response at Symantec, told TechNewsWorld. Through that open window, she explained, a hacker can filch a computer’s network information, perform remote tasks on the computer, capture keystrokes and download more malware onto the machine. “It opens up a machine to anyone to come in and do whatever they want,” she said.
According to the Clearswift report, the network has been used to hijack modems and run up the phone bills of unwary victims. But Clearswift said that, curiously, “the potential for much broader abuse remains as yet untapped.”
Superworm in the Works
That broader abuse includes the spread of a superworm that could move rapidly and exponentially through the Internet, Hampton said. “It could start and stop before anyone had a chance of doing anything,” he noted. “Whatever damage it did would be done in a hurry.”
The reason it could replicate so quickly is that it wouldn’t require human intervention, explained Steven Sundermeier, vice president for products and services at Central Command, an antivirus software maker in Medina, Ohio. The superworm — should one be released — would use a network of compromised machines to replicate itself from machine to machine, much like a magnified version of the Slammer worm.
“The danger of these fileless infectors is the fact that they can replicate so fast,” he told TechNewsWorld.
Buzzword Bingo
Although superworms have the potential to carry out massive mischief, not everyone believes that potential will be exploited by virus writers. “It’s a buzzword that people like to throw out there,” Joe Stewart, a senior security researcher at LURHQ, a managed-security provider headquartered in Myrtle Beach, South Carolina, told TechNewsWorld. “Whether we’ll see one, I’m not sure.
“What we’re seeing more now than people writing things just to be malicious or writing things to prove a concept is writing malware to make a profit,” Stewart continued. “If there’s profit in writing a superworm, someone will do it pretty soon.”
Stewart cited several money-grabbing schemes used by malware scribblers: spammers using infected machines to distribute their messages and avoid being shut down; spammers using infected machines to host their own Web sites; modem and browser hijacking; and denial-of-service attacks to impair the operations of competitors or extort money from individuals.
Growth Business
Writing malware for financial gain will be a growth business in 2004, according to Central Command’s Sundermeier. “We’re anticipating an increase in the creation of Internet worms — maybe in collaboration with spammers or hackers — in order to have some sort of financial gain,” he said.
“In the past, viruses were written for the virus writer’s own notoriety,” he continued. “Now we’re seeing kind of a scary trend toward writing virus code and replication in order to ruin the livelihood of Internet users.”