WormCatcher
Vigilant port monitor tracks worm activity

While speculation exists as to whether our virtual world is really threatened by a doomsday "digital Pearl Harbor", the fact remains that worms such as Code Red and Nimda prove - at least in concept - that disruption can be wrought upon unsuspecting Internet users. Though the effects of these worms may not have been catastrophic in a literal sense, they did create fairly severe connectivity problems, as site after site succumbed to their infection. Roger Thompson, Director of Malicious Code Research at TruSecure Corp., has created a tool that may not prevent such attacks, but will provide valuable early warning indicators that might well lead to better response and reduced damage costs.

WormCatcher works by monitoring major ports for activity indicative of known Internet worms. Anything accessing these ports is checksummed and compared against a database of known Internet worms. Submitted events are synchronized to coordinated universal time (UTC), formerly known as Greenwich Mean Time (GMT), and reported in ten-minute intervals via graphs on WormWatch.org, the digital home of WormCatcher.
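The flow described above (checksum what arrives, look it up in a signature database, normalise the time to UTC, count per ten-minute interval) can be sketched as follows. This is an added example, not WormCatcher's code: the SHA-256 checksum, the signature labels, the payloads and the event timestamps are all constructed assumptions.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for captured request bytes; not real worm traffic.
SAMPLE_A = b"GET /constructed-sample-a?pad=AAAA HTTP/1.0\r\n\r\n"
SAMPLE_B = b"GET /constructed-sample-b/probe HTTP/1.0\r\n\r\n"

def checksum(payload: bytes) -> str:
    # Assumption: SHA-256. The article does not say which checksum is used.
    return hashlib.sha256(payload).hexdigest()

# Hypothetical signature database: checksum -> label.
KNOWN = {checksum(SAMPLE_A): "sample-worm-a",
         checksum(SAMPLE_B): "sample-worm-b"}

def bucket_start(ts: datetime) -> datetime:
    """Convert to UTC and floor to the ten-minute reporting interval."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    utc = ts.astimezone(timezone.utc)
    return utc.replace(minute=utc.minute - utc.minute % 10,
                       second=0, microsecond=0)

def summarise(events):
    """events: iterable of (aware datetime, destination port, payload).
    Returns a Counter keyed by (interval start in ISO form, port, label)."""
    counts = Counter()
    for ts, port, payload in events:
        label = KNOWN.get(checksum(payload))
        if label is None:
            continue  # no signature match, so nothing is reported
        counts[(bucket_start(ts).isoformat(), port, label)] += 1
    return counts

# Constructed events; the first is stamped in a UTC-5 local zone.
LOCAL = timezone(timedelta(hours=-5))
EVENTS = [
    (datetime(2002, 1, 1, 9, 3, 12, tzinfo=LOCAL), 80, SAMPLE_A),
    (datetime(2002, 1, 1, 14, 8, 59, tzinfo=timezone.utc), 80, SAMPLE_A),
    (datetime(2002, 1, 1, 14, 11, 0, tzinfo=timezone.utc), 80, SAMPLE_B),
    (datetime(2002, 1, 1, 14, 12, 0, tzinfo=timezone.utc), 80,
     b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for key, n in sorted(summarise(EVENTS).items()):
        print(key, n)
```

An exact checksum only matches byte-identical payloads, so in this sketch a request that differs by a single byte from a known sample goes unreported.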

WormCatcher is a tiny program that runs unobtrusively in the background. A small yellow worm icon appears in the system tray, and the worm wiggles when worm activity is discovered. I first installed WormCatcher during the Nimda outbreak and it seemed that little worm was never going to stop moving. (Of course, the animation of the icon can be disabled.) Watching the worm under such circumstances provides clear evidence of the sheer number of attacks to which our machines can be subjected. A side benefit of WormCatcher is that it doesn't allow known worm activity to pass through to the user's system, so it is ideal for use behind the firewall, which by necessity generally allows all port 80 traffic through. Of course, WormCatcher is not designed to be protection for the user; rather, its intended goal is to provide valuable early warning indicators of activity indicative of an attack. By correlating the data in near real-time and making it publicly available, Roger Thompson provides an excellent service to the Internet community.

For further details on WormWatch or to request a copy of WormCatcher, visit http://www.wormwatch.org.


©2009 About.com, a part of The New York Times Company.

All rights reserved.