Tech Enigma - http://www.techenigma.com
Next Generation Worm and Virus Warfare
http://www.techenigma.com/articles/1765/1/Next-Generation-Worm-and-Virus-Warfare/Page1.html
By Andrew Morrissey
Published on 21/02/2008
 
The Internet is constantly changing and so are the threats that are faced everyday by the millions of users who rely on the greatest communication medium ever for work and play. Under the surface the Internet is a scary and dangerous place, and it’s the less than honest users who want your personal information, your passwords, your credit card numbers, your money and even control of your computer. It is these people that make it such a dangerous playground.

Crypto-worms and deniable information stealing

But isn’t that what security is meant to stop? The answer is yes, but today’s security is a band-aid solution at best. You may have the latest virus scanner and pop-up blocker installed, all of your current operating system updates applied and even a firewall running, and you would bet you are pretty safe. Wrong.

These things will stop your basic script kiddies who just use the hacking tools available for download all over the Internet; that is because a lot of these programs and tools are widespread and well known in the wannabe hacker communities. The real threat lies with the people who write the 0-day exploits and reverse engineer the software running on your system to find any weakness and use it to their advantage.

No doubt you will be familiar with the term Internet worm; there have been many classic examples in the past few years: Melissa, I Love You, Nimda, Code Red and most recently Storm. Worms are a particularly nasty form of virus: they spread rapidly, they are smarter and more efficient than your typical virus, and the payload can be devastating.

The typical Internet worm usually starts from one infected host. From there it searches (or scans) for other computers, either in the general vicinity or in the same IP range. Once it identifies one or more hosts it tries to compromise the uninfected host by using an exploit against a running service: that could be a web server like Apache or Microsoft’s IIS, VPN services, SQL or other database services, P2P services, even running VNC or Remote Desktop services; anything is a potential target. Usually a worm will target a specific service, like the IIS web server. It then uses an exploit against the service, say one that allows it either to write data somewhere on the host or to craft a command that causes the server to download a specified file from somewhere on the Internet, thereby infecting the new host. Once it accomplishes this task the cycle repeats. Using this method worms can spread very rapidly.

There is a downside to this method: worms that spread rapidly get noticed, and they get noticed fast. This then leads all the major security software companies to analyze and reverse engineer the worm to find out how and why it works, and to create updates for their software that block the worm’s propagation and patch the vulnerability that the worm exploits to take over the host. This is a problem for the virus writers who have larger motives in mind; they don’t want their worms found and especially don’t want them quarantined and removed, since all that hard work for nothing doesn’t really make sense. On the other hand there are the virus writers who want their 15 minutes of fame and are happy when their worm gets caught; these kinds of worms don’t usually have the darker motives in mind.

In detail, these worms are fairly simple: they don’t use heavy encryption to make them hard to reverse engineer, and their payloads are usually trivial (delete some files here, crash this system there, deface a website somewhere else). They jump statically from host to host, which makes tracing the infection path easy and allows the security and anti-virus companies to compile a pretty good estimate of how many infections there are in the wild. All this has made using these types of worms on the Internet basically useless for anything more than mischievous annoyance.

This is where the next generation of Internet worms steps in, opening the doors for information warfare over the Internet like never before. This is the stuff you need to be scared about.

These new worms use public key cryptography, stealth propagation and information theft, and they use encrypted P2P and mix networks for propagation and communication, which makes tracing the infection path near impossible.

So let’s take a look at the new generation of worms. The orders are basically the same: search out uninfected hosts, infect, rinse and repeat. But there is a difference now.

For this example I am going to use a worm that infects a host, searches for a specific file or document, then copies the data and encrypts it with a public encryption key, stores it, and later sends the encrypted information back to the attacker untraceably. You may be a bit skeptical, but this can be done and is probably being done right now.

The worm will be coded with a public encryption key built in, for example an RSA public key. The target is a specific file or document; the worm infects the computer and locates the file or document. Once the target is located it is asymmetrically encrypted with the public RSA key and the resulting cipher text is stored within the virus. This cipher text is held in the virus until the author extracts it and decrypts it using his or her private key. This method is also applicable to malware and spyware in general.

In this case the worm is also contactable by the author in a sort of ‘bot’ fashion, where the worm can be queried and information can be extracted from it, like the cipher text above.

The worms can also overcome easy detection by many virus and spyware scanners by constantly keeping a static size; this way anti-virus programs can’t search for the usual virus signatures like slowly incrementing file sizes and so on. Say the area within the worm that is used to store the captured data can contain 40000 characters. This space is reserved when the worm is created especially for this purpose and is filled with dummy characters, say all 1’s. These 1’s are also encrypted, in cipher text form, so they are not easily detectable. So when keystrokes are captured the 1’s are simply overwritten with the captured content, re-encrypted and stored. This way it stays out of sight of any security software keeping an eye out.

Now the author can extract this encrypted cipher text from the worm and decrypt it using their own private key, and voilà, they have all the keystrokes captured on your system.
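As an added example, not from the article: a defender-side model in Python of the constant-size encrypted slot described above. It shows that the slot stays the same size and looks the same to a scanner whether it holds only the filler 1’s or captured keystrokes, which is why a size-growth signature fails, and it shows what only the key holder recovers. The key, slot contents and toy SHA-256 counter-mode keystream are constructed assumptions standing in for the article’s RSA scheme (in practice RSA would wrap a symmetric key rather than encrypt 40000 bytes directly).

```python
import hashlib
import math
from collections import Counter

SLOT_SIZE = 40000   # reserved area of 40000 characters, as in the article
FILLER = b"1"       # dummy content ("all 1's") before anything is captured
HEADER = 4          # constructed: length prefix so filler never corrupts the data

def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256(key || counter); illustration only."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(out[:length])

def fill_slot(key: bytes, captured: bytes) -> bytes:
    """Place captured data in the fixed slot, pad with filler, encrypt the whole slot."""
    if len(captured) > SLOT_SIZE - HEADER:
        raise ValueError("captured data exceeds the reserved slot")
    body = len(captured).to_bytes(HEADER, "big") + captured
    plaintext = body + FILLER * (SLOT_SIZE - len(body))
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, SLOT_SIZE)))

def open_slot(key: bytes, slot: bytes) -> bytes:
    """Key holder's view: decrypt, then read only the captured bytes."""
    plaintext = bytes(c ^ k for c, k in zip(slot, keystream(key, len(slot))))
    n = int.from_bytes(plaintext[:HEADER], "big")
    return plaintext[HEADER:HEADER + n]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, 0.0 for a run of a single byte value."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scanner_view(slot: bytes) -> dict:
    """What a scanner sees without the private key: only size and entropy."""
    return {"size": len(slot), "high_entropy": shannon_entropy(slot) > 7.9}

if __name__ == "__main__":
    key = b"constructed-demo-key"  # stands in for the author's key pair
    empty = fill_slot(key, b"")                        # nothing captured yet
    full = fill_slot(key, b"user typed: s3cret pass")  # constructed captured keystrokes
    # Same size and same look to a scanner, whether or not anything was stolen:
    print(scanner_view(empty), scanner_view(full))
    print(open_slot(key, full))
```

A scanner that cannot rely on file size or on the filler plaintext can still flag a large, constant, high-entropy region inside an executable, which is what scanner_view reports.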

The author will usually use what’s known as a ‘mix network’ or an encrypted P2P network to distribute and communicate with the worms in the wild. These networks are beyond the scope of this article, but basically a mix network is an encrypted network of hosts or nodes that pass information between each other in a random fashion, using public and private key encryption along the way (much like onion routing, but more complex). This makes it extremely difficult to trace any information sent through these networks, due to the encryption and the random routes taken. These networks are not based on the most efficient or fastest way to send data but on the most secure: hopping randomly between nodes, even looping multiple times before continuing to the destination. Now think of it with each hop or node along the way passing thousands of requests simultaneously. It’s impossible to trace, plus it’s encrypted, and once the data has passed through the network it could pop out of any random node on the Internet and continue to its destination.

The encryption also makes it impossible to know exactly what has been logged and transmitted, as the only way to decrypt the cipher text is with the private key that matches the public key. The author of the worm is the only person who has this key in their possession, since it was generated along with the public key by the author using the encryption algorithm, and it is easily destroyed if the need arises, making all the encrypted data unreadable. Therefore you will never know what was actually stolen. This alone makes the entire process completely deniable.

Imagine this being used by a government for spying or espionage. They could covertly infect a host using a mix or encrypted P2P network and look for a particular piece of information. Once the information is located it is encrypted and stored within the worm for later retrieval. Even if the worm is found it is not known what information is encrypted inside it, or even where the worm originated from. The information is then later retrieved through a mix or encrypted P2P network by the government agency and decrypted, and bam, they have exactly what they were looking for. No one gets caught, no one even has to leave the country; too easy. And best of all, completely deniable.

I’m sure you can imagine the potential uses for this kind of worm, and now Microsoft wants to use worms to deliver software updates! I wonder what else will be in them? Scary, isn’t it?