P2P attack network and superworm uncovered

8 January 2004

Hackers have developed a peer-to-peer (P2P) ‘malware’ network, dubbed Sinit, which security specialists warn could be used to launch a new breed of ‘superworm’.


The Sinit network is made up of hosts — typically broadband connected home PCs — infected with Trojan horse software.

By harnessing this network of compromised machines, viruses and worms could infect virtually all Internet hosts within minutes of launch, warned Peter Simpson, head of the ThreatLab at security software supplier Clearswift and the former chair of the Independent Information Security Group (IISyG).

Its use of multiple entry points and lack of a central server make it much more difficult to terminate the virus; the Sobig worm was stalled because ISPs and law enforcement were able to close down the web page that was instructing it, said Simpson.

The propagated Trojans finished locating each other in December 2003, but the network has been kept in ‘quiet mode’. It may be stealthily scanning the Internet for vulnerable computers but its potential for causing vast disruption is yet to be fully exploited.

This has caused doubts as to the origins of the network, although many suspect that East European crime gangs are behind it. “It might just be a bunch of techies,” said Pete Simpson, “but it may well be that those responsible are keeping their heads down because it’s a precursor to something much bigger.”

The second threat identified by Simpson comes from a new kind of worm, called the Serotonin worm, which is able to replicate and evolve itself in a manner reminiscent of the biological natural selection process.

“The remarkable thing about this Serotonin worm is that it’s received no publicity,” said Simpson, “but it is a landmark development — genetic programming techniques in a worm.”

Serotonin was developed by one of the old school of virus writers, who are more interested in the academic challenge, and the resulting glory, of creating worms than in using them for criminal activities, added Simpson.

The author released the binary code onto the Internet and to antivirus companies in January 2003 and is expected to publish the source code in February 2004.

The worm is yet to be released into the wild, but Simpson believes it is only a matter of time before it falls into the wrong hands, now that the “genie has been let out of the bottle”. “After February, whoever wants to be able to play with it will be able to,” he said. “There is nothing to stop another fool taking his code and releasing it.”

However, although he believes that this sort of worm represents “a clear warning for what is to come”, he added that the virus code was currently too complex for the casual ‘script kiddie’ to jump on the bandwagon and wreak havoc.

Simpson’s advice to companies wanting to protect themselves against these new threats was to harden their security.

At the PC level, they need to make sure that they have installed all the latest patches on the Internet Explorer web browser, which he described as a common “Achilles’ heel”. They should even consider deploying alternative browsers, such as Mozilla or Opera, which are less likely to be targeted.

He also suggested that Internet service providers (ISPs) might offer value-added services such as blocking open ports by default and scanning individual PCs for vulnerabilities.

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...