"Helkern" - The Beginning of End As Anti-virus Experts Have Long Warned
27 Jan 2003
Kaspersky Lab analyzes the consequences of the latest epidemic
The 'Helkern' epidemic has become huge, not only in the number of infected severs (nearly 80,000), geographic coverage and its rate of spreading, but also in the consequences it has caused regarding the general functioning of the Internet. Never before has a malicious program threatened to tear apart the composite parts of the worldwide network and destroy communications between regions. 'Helkern' has managed to: disrupt the operation of and temporarily shutdown the Internet installations in the U.S., South Korea, Australia and New Zealand. According to Kaspersky Lab, 'Helkern', at the peak of the epidemic (January 25, 2003), slowed the Internet's performance by 25%. This means that every 4th site was either unable to respond or was under duress. Similarly manifestations were seen in other services using the Internet, such as email, FTP servers, Internet messaging among others.
Is 'Helkern' an isolated event or unpremeditated attack? Or is it the next step for cyber-terrorists exposing network weaknesses that model the collapse of the Internet? What consequences will result from this epidemic have on the future of the Internet? These questions raise concerns for everyone who is in some way exposed to the Internet.
It is essential to understand the real danger posed by 'Helkern'. It attacks only servers; so many Internet users may feel that safe as if a computer does not have the database management system Microsoft SQL Server installed, the worm is unable to inflict damage. However, the scale at which 'Helkern' spreads and the consequence of exponential rises in Internet traffic could lead to an Internet outage. Therefore, all Internet users are at the least indirectly made to suffer.
The future of the Internet is not only put in jeopardy just by 'Helkern' but by the application of technologies that can in a flash slowdown networks. More than likely, very soon, just after the source code of this worm appears in sites and forums dedicated to computer viruses, the computer underground will set to the task of cloning 'Helkern'. New modifications will be created that will distinguish themselves with even greater spreading capabilities and destructive payloads. The consequences of this developing event and the potential damages to the world economy are practically beyond placing a value.
The 'Helkern' attack demonstrates the general vulnerability of the Internet. It graphically demonstrates one of the weakest points through which it is possible to, on the whole, halt network operation, namely, vulnerabilities (breaches) in security systems that viruses can unimpeded exploit to penetrate computers. It would be hard to find a better example of this danger than with the current circumstances involving 'Helkern'.
It is well known that the 100% protection of software does not exist. Each day up to 10 vulnerabilities are discovered in a myriad of operating systems and applications, for which their creators quickly release patches. Weak system kernels, as is often the case, is an unavoidable human factor. Making matters worse is that many system administrators infrequently install these patches, leaving their networks open to potential attack from new malicious programs. The 'Helkern' experience has shown just how 'productively' it is possible to take advantage of these shortcomings. The main threat lies in the fact that nothing can stop virus writers from continuing to create network worms targeting software vulnerabilities. Pandora's Box is open and already there is nothing that can be done to rein in its destructive power. From another side, the amount of software vulnerabilities existing today is enough for the release of 'Helkernesque' worms each and every day over several years. Under such circumstances the Internet would fail as a means for business communications, entertainment or information searches.
The danger posed by the abuse of software vulnerabilities was foreseen by Kaspersky Lab experts several years ago with the appearance of the first 'stealth' worms ('BubbleBoy' and 'KakWorm'), which penetrated computers via security system vulnerabilities. Until recently this information remained with a narrow circle of specialists who intentionally did not leak it to the public for fear of instigating a catastrophe. However, in August 2001 Nicholas Weaver of the University of Berkeley, published research analyzing the technologies used to create the worm 'Warhol' (a.k.a. 'Flash-worm'), which over just fifteen minutes could manage to spread around the entire world. For this very reason the worm was given its moniker, as it was Andy Warhol who coined the phrase, 'In the future everybody will have 15 minutes of fame'. Today, this idea has been realized, and thus we can observe how virus authors have taken it to heart.
This provokes the question of whether or not 'Helkern' was created to 'test the water' of the Internet in order to detect weak spots, only to later follow up with a full scale attack. We are far from conspiracy thoughts however; most likely this is just usual cyber hooliganism. Hooliganism in terms of approach, but when considering results - it is indeed terrorism. Usually the scale of the consequences differentiates these two terms. In this specific case, where there has been a deliberate attack on and violation of global communication systems, it is possible to be classified as a cyber-terrorist act. To our opinion, without urgent preventive and prophylactic measures in the nearest future this situation might go out of control and even cause us to question the Internet's existence.
However, under current conditions to dramatically alter how we approach preventative measures is almost impossible. An effective system aimed at virus epidemic detection and prevention cannot rely on today's standards of identifying Internet users, which is now basically chaotic. When such an epidemic occurs it is almost impossible to locate its epicenter - with the exception of when the virus author by mistake gives himself away. In the event of the wide spread of a malicious program, in order to prevent it from spreading further, entire regions of the network must be disconnected and switched off. These measures are meaningless, you can endlessly patch the holes in a security system, but this won't prevent further attacks. Basically today we are fixing consequences rather than the causes - while at the moment the sheer volume of 'consequences' or symptoms have already reached such a level that it would be cheaper, faster and in the end more efficient to cure the problem at its roots.
As was mentioned earlier, the reason it is so difficult to prevent virus attacks is due to Internet anarchy. It is much more tempting to abuse the network when one is sure he or she can't be tracked. On the other hand, to reform the Internet in order to fix this problem (to introduce personal IDs) appears to be almost impossible as this process is confronted with extremely complex political and economic problems at an international level. The only possible and realistic solution would be if large multinational corporations - the 'locomotives' of the modern economy develop a parallel network where they concentrate all their business communications and limit this network's exposure to the Internet; doing this will allow the processing of new standards to happen faster and less painfully.
To summarize, we must note that the scale of virus epidemics similar to that of 'Helkern' will happen again and that the frequency of such epidemics will most likely only increase. Eventually, using the Internet will become so inconvenient, with constant interruptions and malfunctions at the hands of viruses and hacker attacks, that users will be forced to switch to other means of communication. Naturally, 'snail mail' and telephone communications do not offer the kinds of conveniences that the Internet does. Therefore the development of a parallel network that offers a high level of reliability and security is today a matter of high priority.