Slashdot Mirror


Malicious Distributed Computing

Jeremy Erwin writes "In this whitepaper, Brandon Wiley suggests a possible design for a 'superworm', a coordinated network of worm nodes. Typically worms are designed to infect as many hosts as possible, but since overly rapid growth can lead to early detection, this is a suboptimal strategy. The worm, dubbed Curious Yellow, uses communication between worm nodes to ensure optimal infection rates."

207 comments

  1. Um, why?? by Glove+d'OJ · · Score: 0, Flamebait

    Um, ok, I understand that certain types of minds like to think about this kind of thing, but is it responsible for /. or any other "news"-ish source to publish links to details on it? I mean, come on, this is like the NY Times posting a "how to" on taking down planes, trains, and automobiles.

    1. Re:Um, why?? by Anonymous Coward · · Score: 4, Insightful

      Yes, it is responsible. Think about it: who are the people that would take down a plane? People that already know how to do it or have plans to do it. Some random article is not going to make a normal person say, "hey, that's a good idea, why don't I try it."

      BTW, it's called freedom of the press. They can do that, and they should do it (if they feel it's appropriate, not when you think it's appropriate).

    2. Re:Um, why?? by eet23 · · Score: 1

      It's better for ways to stop the worm to be thought up now rather than when half the internet is infected by the thing.

    3. Re:Um, why?? by Pedrito · · Score: 5, Insightful

      It's absolutely responsible. Why wait for it to happen when you can warn about the possibility and actually give people a chance to build a defense before someone builds the weapon?

      Besides, he's not the first person to think along these lines. Though he has a number of ideas I had never considered, I had come up with an idea for a worm that would build a peer to peer network to coordinate its activities and prevent it from spreading too quickly.

      His idea for having it update itself against anti-virus software is something I hadn't considered and is quite ingenious, I think.

      I wouldn't have ever written such a program as I have too much useful software to write to waste my time, but I've certainly thought of ideas on how one might go about it. If I have, and he has, then chances are, so have others, and eventually someone who has the time and motivation will actually do it, so best to protect against it now.

    4. Re:Um, why?? by Anonymous Coward · · Score: 0

      I agree; better to have it publicized to raise awareness of the potential for this kind of attack, so that counter-measures can be put in place before it happens. Of course, the best security experts should already be spending time trolling through the underground hacker sites to watch for the next big threat...

    5. Re:Um, why?? by DarkSkiesAhead · · Score: 3, Insightful


      Law enforcement frequently publishes books on how to cheat, scam, and swindle. The idea is to expose techniques to the public. If we have potential weaknesses in mind, we are more likely to be cautious in designing and using the systems we use.

    6. Re:Um, why?? by Paul+Zest · · Score: 4, Interesting

      Dunno?!?

      I found this distributed autonomous intelligence / network worm idea very interesting; I wrote an article about it a couple of years back. Since then I've improved upon my ideas and maybe I'll release the new version in the upcoming 29A Virus Zine.

      (the article) .. http://fourq.host.sk/iworm-net.htm

      Sorry if you find this information too strong for your delicate palate. Don't follow the link if you think it's going to upset you so much. ;]]

      A-Life, Evolution in the 21st Century.

    7. Re:Um, why?? by Anonymous Coward · · Score: 0

      You're absolutely right. On the flipside, the more this type of information gets out, the more options are available for malicious intent. Sure, someone might not immediately say, "Hey, that's a good idea, I think I'll give it a go." But someone who's looking for ways to cause some damage is going to look at the most obvious, and easiest ways first--i.e. less research and legwork required--and this may be one of them.

  2. Don't they.. by papasui · · Score: 5, Funny

    ..already have this? I believe it's called KazaA ;)

    1. Re:Don't they.. by xtremex · · Score: 0, Offtopic

      ...isn't it spelled kAzaA? or is it KazAa?

      --
      If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
    2. Re:Don't they.. by Jucius+Maximus · · Score: 0, Flamebait
      "..already have this? I believe it's called KazaA ;)"

      Yeah, but Windows XP was proof-of-concept.

    3. Re:Don't they.. by HamNRye · · Score: 2

      ...Already have this?? It's called samhain and I read about it while BillG was in diapers.

      The problem with viruses like this one is the difficulty of debugging. "Ha, Ha! The world shall feel the wrath of my superworm!! Hunh?? What do you mean divide by 0 error??"

      Pinky, are you thinking what I'm thinking? Yes, but Stallman's beard does tickle so....

      The worst virus you can get on your computer is still Microsoft. Word will send unwanted information out to everyone you know, IE will allow anyone to execute remote code on your system, and Outlook will run whatever viruses you manage to send to it.

      Now, can this guy get you to shell out $200 US for the privilege of running his virus?? I think not. Microsoft is still the champion of the virii.

      Welcome to Virus.NET. Select a project from the new projects wizard:
      Nimda Based Worm
      Klez Based Worm
      Office Macro
      Some dippy ass VB script
      Windows XP

      Ho Hum.
      ~Hammy

    4. Re:Don't they.. by forgetful_ca · · Score: 0

      Pondering. brain and pinky ponder.

    5. Re:Don't they.. by Anonymous Coward · · Score: 0

      from CrimeAgainstAmerica.com
      We Choose Life ... Why the Death Penalty is Right
      Yup that seems consistent to me ...

  3. Hmmm by kenp2002 · · Score: 3, Interesting

    (Tongue in cheek, btw)

    Isn't talking about stuff like that, well you know, illegal now? I'm certain that talking about theoretical virus attacks could be considered terrorism. I mean, here you are talking about this horrible WHAT-IF scenario and giving bad people all sorts of good ideas (providing AID, are we?). Hmmm, I have a feeling that this post may cause trouble. I bet our FRIENDS at the Homeland Security office would like to speak to you =)

    AWW BUT WHAT THE HELL DO I KNOW! :) I bet someone will have a DMCA issue with this too. Hey Taco looks like we may have incoming! EEEKKK!

    --
    -=[ Who Is John Galt? ]=-
    1. Re:Hmmm by graveytrain · · Score: 1

      Isn't talking about stuff like that, well you know, illegal now?

      Hah. Depends. Which $CONTINENT do you live in?

      --
      "Just tell him ya did it! That's what he wants to hear anyway..."
    2. Re:Hmmm by EvilAlien · · Score: 5, Interesting
      I believe the US has ratified the Council of Europe Convention on Cybercrime, as has Canada. This treaty requires that signatories create criminal offences for possession of viruses or other "devices" designed to damage data/networks. I haven't read the whole damn thing yet, but doing time for actually possessing virus code isn't that far away.

      As far as law enforcement is concerned, go ahead and think about it... the national security types are who you need to worry about =)

      When is ThinkGeek getting Tin Foil hats with a stylish Tux logo?

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    3. Re:Hmmm by kenp2002 · · Score: 1

      Tongue tastes like the last thing you ate. Mine tastes like tobacco (I smoke.)

      --
      -=[ Who Is John Galt? ]=-
    4. Re:Hmmm by Jeremi · · Score: 2
      This treaty requires that signatories create criminal offences for possession of viruses or other "devices" designed to damage data/networks


      Interesting. Are the people whose machines are infected considered "in possession" of the virus, since it now resides on their hard drive?


      Of course, I'm still waiting for the virus that infects your machine, then quietly downloads one kiddy-porn .jpg into your C:\Windows directory every day for a month. At the end of the month, it sends an anonymous email to the authorities with your email address and IP address. By the end of the year, the entire computer-using US population will be in jail...

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    5. Re:Hmmm by schmaltz · · Score: 2

      So let's see... it's *legal* to possess devices that are designed to quickly kill another person. Some of these are designed to do it from a distance, as demonstrated over the past three weeks.

      But it's going to be *illegal* to possess devices or code which might be used to usurp computing resources, damage file systems, etc.

      Where are people's priorities? It's all about the bottom line.

      --
      Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma ... where's Siggy?
    6. Re:Hmmm by drDugan · · Score: 2

      for now...

      just wait until you are Eurasia and we are Oceania.

    7. Re:Hmmm by LilGuy · · Score: 1

      Sure the first thing everyone thinks is how bad this could be. But I quickly dismissed that thought myself and jumped to the next one which was: How do you stop it? Perhaps somebody with my technical know-how will think the same and figure it out.

      Sometimes you gotta use evil means to return heaven-sent ways.

      --

      You're nothing; like me.
    8. Re:Hmmm by LilGuy · · Score: 1

      lol my/more...

      and i really hate the 20 seconds/2 minutes deal.. thanks taco..

      --

      You're nothing; like me.
    9. Re:Hmmm by Jaysyn · · Score: 1

      If you want to know what your tongue actually tastes like, just sprinkle some MSG on it...

      Jaysyn

      --
      There is a war going on for your mind.
    10. Re:Hmmm by Anonymous Coward · · Score: 0

      Great!

      1. Distribute the source code with the virus.
      2. Install the virus on your computer. Delete your source code before any other computers get infected.
      3. World domination!

    11. Re:Hmmm by EvilAlien · · Score: 2
      Are the people whose machines are infected considered "in possession" of the virus, since it now resides on their hard drive?
      Fear the case law.

      If Monkeyboy Ballmer was a lawyer, he'd be ranting "PRECENDENT PRECENDENT PRECEDENT" right now. Dangerous laws are the ones written so open that any meathead judge can come along and pass judgement, despite not having any clue whatsoever in the issue at hand.

      Those viruses almost exist, by the way. Many of the new viruses getting out (about 4 new ones a day) spread through P2P apps and drop files that look like porn. It's not too much of a stretch to change the filename from hotlesbiansdoingit.mpg to hot16yearoldlesbiansdoingit.mpg, add an addressbook entry for a law enforcement contact, and THEN spam.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    12. Re:Hmmm by Teknon · · Score: 1

      The constitution gives us the right to own guns, but not to own viruses. Also, guns serve other purposes than killing people; viruses have only malicious intent.

  4. Re:Reboot... by Anonymous Coward · · Score: 0

    This article is about a supervirus that destroys PCs slowly so it avoids detection; it's made not to destroy them all at the same time.

  5. so by tps12 · · Score: 5, Funny

    The best way to infect as many hosts as possible is to make sure you don't try to infect too many hosts? How Zen.

    --

    Karma: Good (despite my invention of the Karma: sig)
    1. Re:so by FeloniousPunk · · Score: 5, Funny

      What is the sound of one worm propagating?

      --
      I know this because Tyler knows this.
    2. Re:so by Jedi+Alec · · Score: 1

      And how logical. Trying not to grasp what is out of your reach and correctly assessing what is in your reach and what isn't sounds like a decent idea to me, in any given situation...

      --

      People replying to my sig annoy me. That's why I change it all the time.
    3. Re:so by llamalicious · · Score: 2

      If a worm infects a computer in the forest, and no one is there, did it infect?

    4. Re:so by Anonymous Coward · · Score: 0

      maybe you should just not have a .sig then

    5. Re:so by Anonymous Coward · · Score: 0

      *fap* *fap* *fap*

  6. Thanks for the guide by Anonymous Coward · · Score: 1, Funny

    I'll get to work on it right away!

  7. I've been thinking by palad1 · · Score: 5, Interesting

    At some point, the worm will be detected, thus the slow infection rate will not be optimal.

    What if... in order to decide whether the worm should switch to 'Turbo' infection speed, the worm queries Google News for 'worm $0', and if the number of results > $we_have_been_discovered, bang!

    Previous worms used IRC, but that doesn't guarantee the author anonymity, does it?

    1. Re:I've been thinking by Unknown+Bovine+Group · · Score: 3, Informative

      The one good thing here is that as worms become more complex, there are more holes in THEM which can be exploited. For instance, it seems that one could set up a HoneyPot type worm on machines, which would communicate to the "hive" either that your machines were already infected (so don't bother trying to re-infect) or to force them all to constantly try to reinfect some scapegoat system.

      --
      m00.
    2. Re:I've been thinking by sopwath · · Score: 2, Insightful

      There's no need to switch to "Turbo Mode". Achord can update whenever there's a fix for the exploit. In addition, switching to turbo mode would only help raise awareness of the presence of other nodes, therefore endangering other nodes. Each node shouldn't resist being erased. It should resist any updates from a source that doesn't contain the private key.

      Since all they have to do is keep watching for uninfected nodes, each node could wait for a code update (which includes the appropriate private key) and then work around the specific anti-worm software.

    3. Re:I've been thinking by Anonymous Coward · · Score: 0

      Please, please....

      "Pret a tout pour avoir le dernier mot depuis 1977"

      no need to thank me...

    4. Re:I've been thinking by schlach · · Score: 4, Informative

      At some point, the worm will be detected, thus the slow infection rate will not be optimal.

      I propose that a breakthrough was made in the modularity of worm systems last year, with Code Red and Nimda. The infection mechanism can be separated from the intelligence/communication module and payload. Does anyone know how many machines are still infected by Nimda?? It's staggering. You could have a worm that only spread to machines already infected by Nimda, and virtually guarantee that it would never be detected. You'd 0wN a staggering number of machines, your worm could close off others' access to the same cmd.exe sitting in the web root, increasing survival chances for your host (less likely to be taken down), and you could do all the intelligent communication you wanted. Better yet, design a mechanism so that later versions of your worm will replace previous ones, so you can release updates as the design becomes more sophisticated. The possibilities are endless. As much time as you want to tinker with the perfect intelligent worm design, and you don't even have to write the infection module yourself.

      I think wormnet design is one of the coolest theoretical exercises in CS... the problem right now is that there's no incentive to write intelligent worms (ie WormNet), because the unintelligent ones are so effective. Nimda was spotted almost immediately. It's still one of the worst. What's that tell you? When authors stop thinking about the individual worm, and start thinking that each worm is just a cell in a collective online entity... well, i'm kind of soured on calling things a paradigm shift, so I won't say.. d'oh!

    5. Re:I've been thinking by Alan+Cox · · Score: 4, Interesting

      This depends upon the goal of the virus writer. The paper assumes a superworm with a goal of staying alive. It's equally valid to construct a superworm with a destruction goal, erasing BIOSes, disk firmware, etc.

      I like the paper; it's another reminder that the current approach to virus control simply doesn't work. Security needs a lot more depth and a lot more work, and not just on Windows either.

    6. Re:I've been thinking by HiThere · · Score: 2

      So the worms need to evolve defenses. Genetic programming is the obvious answer. The solution to that is less clear.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:I've been thinking by Anonymous Coward · · Score: 0

      Shit, I was wondering when someone would figure it out.

      I've a Concept[1] that switches from a high-stealth cluster worm to a maximum-impact flash (improved Warhol) worm upon discovery.

      The discovery detection techniques are complex (debugger detection, honeypot probability scoring, and various timing based checks which anyone debugging the process would seriously foul up), and should be moot - maximum stealth time is 12 hours, and it really is very stealthy and careful about what it infects.

      The author is anonymous simply because his system behaves like just another infected system, and the communication is similar, but not identical, to the Freenet peer-to-peer protocol (I actually got the idea originally from the Mixmaster/Cypherpunk remailers, mind).

      It also has another really annoyingly cool feature - a large number of payloads that are encrypted. The worm doesn't have the key, and commands from the controller to the worm cluster are transmitted (and propagated) as keys to unlock these payloads. Signatures are used to ensure integrity. There's another concept that allows the author to set timebombs in this manner that cannot be preempted easily - idle cycles on the infected machines solve a distributed computing problem which should take them a couple of hours. The solution is a payload key. The cluster would be big enough that you probably couldn't organise enough legit computing power on a short notice to beat it to the solution.

      One thing which might surprise you - Hybris used the predecessors of some of these techniques. Yes, Hybris, the dumbass 'Snow White screensaver' worm. Stupid infection method, smarter payload.

      [1] I'm not stupid. The worm's 'infection' method is artificial: ssh connections on a non-standard port, verified by public key. It has an account on the test machines it can use to upload arbitrary code via ssh. It couldn't infect normal machines on the internet unless they also were running an ssh server on port 666 which gave root access to anyone with the right public key. This is a proof of concept; the goal of the research is to find a defense/detection method, not to write a virus.

    8. Re:I've been thinking by Felinoid · · Score: 1

      There is a need for a third-party patch to Windows that gives it security precautions similar to those found in Unix, say a secure mode where only 'installed' software may run and only the OS may read program files and nothing may write, edit, or erase them.
      You have to turn it off to update/install/remove software, but I doubt many admins would complain.
      This doesn't stop email worms, but it's a step in the right direction.

      Windows admins and a lot of Unix admins don't take security seriously.
      Management can fix that.
      If a hack could have been prevented by a patch, fire the admin.

      Also, third-party auditing of Linux distros for security flaws (and other things) would be valuable.
      (Maybe VA could do this?)

      At one time security on a desktop didn't make sense. But that was a long time ago, in a day when physical access was needed to do anything.
      Now computers are interconnected on live networks. Security is paramount.
      Microsoft, some distros and many admins don't get this.

      --
      I don't actually exist.
    9. Re:I've been thinking by wheany · · Score: 1

      I like it!
      reposting a post that's been modded +3 Interesting...

      It's good but not that good :-)

    10. Re:I've been thinking by palad1 · · Score: 1

      I considered flaming the reposter, but hey, it'd be the dmca all over again

      let's open source our comments ;

  8. w/ AI by dirvish · · Score: 2, Interesting

    This would be pretty cool if it was made artificially intelligent through a neural network. It could use its neural network to determine the best way to distribute across the physical network of computers.

    1. Re:w/ AI by scott1853 · · Score: 5, Funny

      Pfft, we could easily stop it with a tic-tac-toe worm that will make it aware of its own futility.

    2. Re:w/ AI by Chibi+Merrow · · Score: 2, Interesting

      Actually I suggested the same thing as a paper idea in my neural networks class... Before I knew how neural networks worked...

      Seriously though, having a random hodgepodge of neural network nodes, randomly wired, and without having two endpoints with which to train the network really does you no good. Neural networks are trained to be intelligent by feeding them input, then looking at the output and massaging them to make them produce the correct output in hopes that they eventually "learn" a pattern.

      Now essentially building a Beowulf cluster of sorts by linking all the nodes into a distributed processing network that could be used to crack RSA keys and the like... And could propagate updates (mutations?) to the worm... Well, that will work. :)

      Plus when you're detected, you can go out in a huge DDoS blaze of glory...

      --
      Maxim: People cannot follow directions.
      Increases in truth directly with the length of time spent explaining them
    3. Re:w/ AI by Anonymous Coward · · Score: 0

      eheh. That is a perfect followup comment for this load of sci-fi nonsense!

    4. Re:w/ AI by H310iSe · · Score: 1

      Unless one of the nodes is hit by lightning at the exact moment a clumsy comp-sci student spills a coke on the server rack and then BZZWRACK!POW Your worm has achieved consciousness.

      --
      closed minded is as closed minded does
  9. thats nothing compared to the /. effect by JeanBaptiste · · Score: 4, Informative

    text of article:

    Curious Yellow: The First Coordinated Worm Design

    By Brandon Wiley

    The Warhol worm design began the theoretical discussion of so-called "superworms", a new type of computer worms. A worm is a computer program which copies itself from computer to computer in an attempt to reproduce as much as possible. A superworm uses more advanced techniques to achieve very quick infection of the network. The primary strategy behind the Warhol superworm is to pre-scan the network for vulnerable targets. When the worm is launched it already has a large list of targets with a known method for infection and can therefore quickly infect an initial seed population.

    One thing which the Warhol paper mentions is that better results might be achieved via a coordinated worm in which various instances of the worm on different computers communicate with each other in order to optimize infection. The Warhol paper states, however, that no coordinated worm has ever been created. This paper proposes the first design for a worm which utilizes efficient communication between worm instances for an optimal infection strategy.

    Benefits and Difficulties of Coordination

    The purpose of adding coordination to a worm design is to raise the level of sophistication in the attack from a simplistic greedy strategy to a more game theoretically optimal cooperative divide and conquer strategy. There are times when a greedy strategy can be suboptimal. Overly zealous propagation can lead to early detection and eradication. Also, it is simply wasteful for a worm instance to attempt to infect a system which has already been infected rather than choosing an uninfected host as a target. Unfortunately, typical worms have no information on which to base a more sophisticated attack. In order to divide the infection tasks among operative worms, the worms must know about each other and have a method for dividing work among themselves.

    The difficulty in creating a coordinated worm is in minimizing the coordination costs among worms. Since the initial goal of a worm is generally to reach all hosts on the Internet, the number of eventual worm instances will be enormous. The coordination strategy must be able to scale reasonably to that number of instances. If every worm had to coordinate with every other worm, for instance, the amount of bandwidth used to communicate between the worms could easily exceed that used by a greedy worm, defeating the benefits of coordination. The coordination strategy must also be simple to encode since worm designers attempt to make worms as small as possible.

    Efficient Coordination of Worms

    Interestingly, the problem of efficiently organizing worm instances into a network which can act globally but which has reasonable coordination costs for each node is very similar to problems found in peer-to-peer networks. The particular task of the division of the task space among all of the currently active worms is very similar to the problem addressed in distributed hash tables (DHT) designs. One popular contemporary DHT design is called Chord. In Chord, each node is assigned a portion of the task space such that the space is divided evenly and randomly among all nodes. Chord has some useful properties. First, each node in the network is reachable from each other node in the network with a maximum of O(log N) intervening nodes. Additionally, each node only needs to maintain knowledge of O(log N) other nodes, thus keeping coordination costs down to a reasonable level. What this means in simple terms is that in a network of one million nodes each node only has to keep track of approximately 20 other nodes and for one node to send a message to another node in the most distant part of the network it would take at most 20 intervening nodes. Similarly, for a network of ten million nodes, each node has to keep track of approximately 23 other nodes and it will take at most 23 intervening nodes to reach from one side of the network to the other. There are advanced variants of the Chord architecture which layer additional properties on top of the guarantees provided by the basic Chord design. Anonymous Chord (Achord) adds the property that it is very difficult for any node to find out the identities of all of the other nodes in the network. This makes it more difficult for an attacker to disable the network by discovering the identities of nodes. By having worms form an Achord network, a global framework for division of the space to be attacked can be created with reasonable coordination costs.

    Details of Coordinating Worm Attacks with Achord

    In order to create an Achord network, each node needs to be assigned a unique, difficult to forge, difficult to generate identifier. Identifiers are assumed to be generally random and evenly distributed. Each task also needs such an identifier. Tasks are matched to the node whose identifier is the closest match. The method which Curious Yellow uses to assign identifiers to worms and targets is via the SHA1 hash of their IP address. It is relatively difficult to choose your own IP address and the SHA1 hash makes the identifier approximately random and evenly distributed.

    The method for nominating a worm to attack a target is easy. Each Achord node knows the IP addresses of the two nodes whose identifiers are closest to its own. When it learns of a new target, it calculates the identifier for the target and then determines if it is closer to the worm's own identifier or one of its neighbors. If the worm is the closest to the target then it attacks the target. Otherwise, it informs the closer neighbor of the existence of the target and then forgets about it. Since the identifier space is globally consistent, decisions about which worm should attack will always be consistent. Additionally, the decision about who should attack does not require immediate communication between the worms. Communication is only necessary to inform nodes of found vulnerable nodes which they are responsible for attacking.

    Uses of a Coordinated Worm Network

    The initial deployment of the worm network using superworm pre-scanning techniques may take up to 15 minutes (Warhol) or merely 30 seconds (Flash). Once the initial seed network is deployed, it can be used as a platform for launching a second stage of activities. One obvious activity is distributed scanning of the network for vulnerabilities and further infection. Unlike Code Red, which used a greedy scanning strategy, Curious Yellow will have exactly one worm scanning each potential target. This will both reduce the load on the network and make detection less of a threat. The global connectedness of the entire worm network allows for an even more interesting type of distributed scanning than is at first apparent. Since all nodes are reachable from all other nodes, it is possible for the worm's creator to release code patches to all of the worms in the network and for these code patches to spread to the entire network even faster than the initial infection (less than 15 seconds). Therefore, as new exploits are found for previously invulnerable systems, they can be distributed to the worm network, which has already been building up a list of potential future targets. The Warhol method of pre-scanning attacks can thus be utilized repeatedly for rapid infection of diverse systems. The speed at which patches can be distributed to worms is so great that it will probably out-pace attempts to fix vulnerabilities. A zero-day exploit can be used by worms for infection before news of the vulnerability has even been made public. Code patches can also be made to change the behavior of the worm to mask signature behavior which could lead to its detection.

    The second stage of infection allows the infection to progress from controlling a large portion of the network to controlling the overwhelming majority of the network. This is just another part of the infection stage. Once the majority of the network has been infected, Curious Yellow can lie dormant until part or all of it is activated for some purpose.

    There are a number of possible purposes to which Curious Yellow could be used. One obvious use is to simply crash the majority of the Internet at once. Once it is activated, the worm network has achieved its purpose. A slightly more interesting use of the worm network would be to use it for distributed denial of service attacks against enemy hosts. The typical approach for this is to have all compromised hosts send a flood of packets to the target, thus overloading it sufficiently to keep any legitimate packets from getting through. However, this is a naive approach when given such an advanced network to work with. The Curious Yellow infection should, if properly deployed, control the vast majority of the network. All of the infected nodes can act in concert towards a common goal. Nodes and groups of nodes can be specialized for certain tasks. New directives can be sent to the entire network in less than 15 seconds. It is therefore not necessary to have the entire network gang up on a single machine in order to disable it. This is in fact a greedy rather than cooperative strategy and thus suboptimal. First of all, the target to be attacked is probably infected. Therefore, the worm controlling the target can simply be instructed to disable the target. Additionally, if all of the nodes surrounding the target simply drop traffic routed to the target then the target becomes unreachable. Finally, the worms controlling the hosts attempting to contact the target can simply ensure that no attempt to communicate to the server is ever made. Curious Yellow, acting globally and in unison, can make any host simply cease to exist as far as the network is concerned.

    Having total control of all of the Internet's traffic allows for other, more interesting, attacks. Traffic can be modified arbitrarily as it passes through the network. Defacing a website no longer requires actually having access to the computer containing the website. Web pages can be defaced automatically as they pass through the network, resulting in the world's collective web browsers rendering the pages differently than they are stored on the servers, a problem that the server administrators are totally powerless to fix. All of the unencrypted traffic on the Internet can also be observed. The entity controlling Curious Yellow can pick out particular individuals to monitor or gather statistical information about a large number of individuals.

    Of course, Curious Yellow's control over individual computers is not limited to controlling Internet traffic. As zero-day root exploits are found and patches distributed, worms can eventually gain superuser access to all of the machines, giving them access to all of the stored information and all of the spare resources such as hard drive space and CPU cycles, and the ability to surveil all of the world's Internet-connected computer users. By sending out code updates to the network which cause Curious Yellow to metamorphose into an anonymizing proxy network, its owners can connect anonymously to target computers and control them interactively, browsing files and watching what users do with them. They could also program the worms to automatically send back potentially interesting information. The spare resources of the world's computers could be utilized for whatever agenda the owners of Curious Yellow have in mind. In general the uses of the network are endless. The entity which controls Curious Yellow controls the world's computers.

    The World After Infection

    Dealing with the infection once it has been detected is difficult. Once a signature has been detected for the worm, it must be codified by the various competing virus scanner manufacturers and then distributed to infected computers, probably by voluntary downloads. Naturally, once an anti-virus patch for the worm becomes publicly available on the Internet, Curious Yellow will cause that site to disappear from the Internet. Inoculation will therefore have to happen by hand using physical media or network distribution which is secretive enough that the owners of Curious Yellow (subscribers to many major anti-virus update programs) don't find out about it. Once the patch falls into the hands of the creators, Curious Yellow will soon receive a counter-patch obsoleting the old anti-virus patch. Unfortunately, anti-virus distribution methods cannot keep up with the pace of Curious Yellow patch distribution. The only method which can eradicate the virus, therefore, is to disconnect the computers from the network and then apply, via physical media, patches which both eradicate the virus and patch the vulnerabilities which allowed it to spread. Once the virus is totally eradicated, the creators will wait for a new zero-day exploit to be discovered and then relaunch the virus with a new transmission vector and signature.

    The only way to protect against Curious Yellow is to inoculate every computer with an anti-worm, Curious Blue, which uses similar technology to instantly distribute security patches. As soon as an exploit is discovered, a security patch must be released to Curious Blue before an exploit patch can be released to Curious Yellow. Infection and protection are thus primarily a race between the owners of the two entities. Of course, there might not be only two entities. There could be any number of competing vendors of Curious Blue offering different patches and different quality of service guarantees. Similarly, anyone with access to zero-day exploits could launch their own Curious Yellow. The battle does not end there, however. Curious Blue could act as an ideal platform for the initial stage of a Curious Yellow infection. All that is needed is an exploit in the Curious Blue code. Once one is found, the entire Curious Blue network can be turned, like a clever move in a game of Othello. The same is of course true of turning Curious Yellow into Curious Blue. These programs are particularly prone to such corruption because they are already designed to accept arbitrary code upgrades. They merely need to be fooled into accepting code which is not actually authorized.

    Security, Cryptography, Signatures, and Trusted Code Updates

    The authorization of code updates is a crucial component to both Curious Yellow and Curious Blue. Without a strong authentication system, the worm network can easily be taken over by an arbitrary attacker. The obvious way to do authentication is with public key signatures. In order to use public key signatures, the entity deploying the worm creates a pair of keys, one public and one private. The public key is distributed with the worm. The private key is known only to the worm's creator. When the creator wants to send a new code update, it generates a signature from the code using the private key. Since the worms have the public key, they can check to see if the signature was in fact generated by the matching private key. Using this technique, no attacker can send code updates to the network unless he possesses the creator's private key or finds a vulnerability in the worm which allows circumvention of the signature check.

    Maintaining the secrecy of the private key is an interesting problem in a world overrun by competing strains of Curious Yellow and Curious Blue. A simple strategy which an attacker controlling one worm network might use to compromise another is to instruct the network to search all computers for files that might potentially contain the private key of the competing network. Due to the large size of private keys, they cannot be easily remembered and so must be stored electronically somewhere. In order to keep the private key from being discovered, the creator will be forced to have a special computer used for generating signatures which is never connected to the network. Signatures will be generated on this computer and then transferred to a network-attached computer via removable media. The attack then is to find where in the network signatures are first introduced.

    The worm network can be configured to search for signature files stored on removable media. The network can also monitor other coexisting worm networks to see when code updates are sent. When a received code update matches a signature file found on removable media, the creator of the worm has been detected. Naturally, the creator of a particular strain of Curious Yellow would prefer that his own computers were not infected with competing strains. Unfortunately, the only way to ensure this is to inoculate with a strain of Curious Blue, which will undoubtedly also be searching for the creator so as to have legal action taken against it. Assuming, however, that the creator has the resources to inoculate against all competing strains, it can still be tracked. As the code updates propagate through the network, competing strains can monitor the progress. Using statistical analysis of the propagation of code updates, the source of updates can eventually be traced. Once the location of the creator has been determined, physical coercion such as spying, threats, lawsuits, and arrest are possible to gain control of the private key and thus the worm network.

    In order to avoid being traced, further cryptography is necessary. So that the progress of code updates through the network cannot be monitored, the worm code needs to be encrypted so that it cannot be easily examined to determine which code it currently is running. It is still possible to examine the contents in memory, but this will be a somewhat difficult task to encode in a program the size of a typical worm. Additionally, code updates being sent over the network must be encrypted so that their progress cannot be observed. Even with encrypted connections, however, the creator can still be traced through timing correlations. All the observer needs to see is that one worm contacted another, then that worm contacted a few others, leading into a cascade. Whichever worm made the first contact is the one closest to the creator. Defeating timing correlation requires the worm network to be constantly sending cover traffic to other worms. Luckily, code updates are generally small, so the amount of cover traffic to be generated is not very much. Once the network is communicating entirely over encrypted channels with constant cover traffic, the creator can send out code updates in an anonymous, untraceable manner. Not only that, but the creator can also use the network to render anonymous any other transactions, such as using it as an anonymous communications channel to converse with other entities and distribute files and information. This would be a boon to the usual cast of characters that could benefit from anonymous communication, such as people attempting to escape human-rights-violating regimes, international terrorists, and music fans.

    Who Do You Trust?

    In the world after the global infection of the Internet by strains of Curious Yellow and the commercial availability of strains of Curious Blue, computer users will have a choice. One can either have a computer which is never connected to the Internet, risk almost certain infection and control by the various factions controlling Curious Yellow, or intentionally give control to the creators of Curious Blue. There are multiple issues of trust involved. Initially there is the question of whether one places more trust in the harmlessness of the hackers or the professional integrity of the security professionals. If one chooses Curious Blue then there is the issue of which strain will actually be effective in protecting one from infections by Curious Yellow. There is the additional issue of which strain can be trusted to not contain any vulnerabilities which can be exploited to turn it to the other side.

    Kazaa and Altnet

    There is a disturbing similarity between Curious Yellow and the new Kazaa feature, Altnet. Kazaa is a peer-to-peer file sharing network not entirely unlike Achord, but lacking some of the useful features. In later versions of the software Kazaa bundled a feature called Altnet, which is a second peer-to-peer network deployed alongside Kazaa nodes. When Kazaa is installed, Altnet is quietly installed as well. Buried in the licensing agreement which users click through when installing Kazaa are some interesting provisions concerning Altnet. The user agrees that Altnet is allowed to automatically receive and install code updates and modify settings on the user's computer. This makes Altnet a prime target to be corrupted and used as a widely deployed network from which to launch activities. All that is needed is the proper method for causing the supposedly 2.5 million Kazaa nodes to accept a rogue code update. Interestingly, such an attack has already occurred. While Kazaa is the predominant licensee of the FastTrack network technology, it was previously second to an application called Morpheus, another application using the FastTrack network. Morpheus was mysteriously shut out from the FastTrack network despite the fact that it was supposedly an entirely decentralized network without a central form of control. The network of Morpheus clients was shut down by a rogue code update, eventually discovered to have been sent by the company behind Kazaa. This is the first example of the sort of warfare between strains. It could escalate into being literally a war between worm strains if an entity discovers the key to making Kazaa accept code updates and mobilizes the Kazaa network as a first stage of infection, using it for decentralized scanning of the network for vulnerable hosts and an eventual global takeover of the Internet.

  10. I'll stick to Folding @ Home, thanks. by Anonymous Coward · · Score: 0

    All these D.C. Projects sure are trying to elbow each other out of the way for my cycles!

    1. Re:I'll stick to Folding @ Home, thanks. by sopwath · · Score: 1

      You'll do as Curious Yello pleases.

  11. good by hfastedge · · Score: 0

    I'm seriously glad this type of creativity is being put into thinking about worms.

    When AI start to become an issue, they'll be able to launch crap for their masters (or for themselves) that is far more complex than can be possibly imagined.

    But it's good to get some practice in now.

    Someone save us...

    --

    -- -- --

    Help my mini cause: My journal

  12. That's a new Zen Koan... by Infernus · · Score: 0, Redundant

    if you meet the virus during distribution, kill it.

  13. No need for inter-worm communications by Anonymous Coward · · Score: 5, Insightful

    It is quite simple actually. You program your worm to accept an attack range upon installation. Then you divide the IP space on every successful attack. If you start with 64 worm installs, give each worm 1/64th of the IP space to scan. Each worm would then scan/infect and pass down a smaller block. You would infect in a tree-like pattern, possibly doubling up scanning efforts.

    For example:

    64 initial worms go out at /6 bit boundaries. They plan on installing 64 worms each, giving each sub-worm /12 bit networks to scan. Then /18, /24, /30.

    With a little bit more intelligence you can target the worms on major ISP DSL/Cable networks to infect the home machines.

    1. Re:No need for inter-worm communications by dabuk · · Score: 5, Insightful
      It would be quite easy for the worm to get stalled in that case. If the worm that is supposed to infect one bit of the IP space gets detected and removed or if there is anything that would stop that machine infecting its IP space (like it's firewalled) then that bit of the IP space is never going to get infected.

      But if you combined those two schemes you could get worms reporting back that they're not getting anywhere and a new worm could start on that space.

    2. Re:No need for inter-worm communications by Birdie-PL · · Score: 2

      This strategy is too simple to be efficient in real world.

      Some of the worms would most probably be deleted by anti-virus programs before they could infect their share of the network. Many of them wouldn't even succeed in installing themselves in the first place.

      You may try to remedy this off-line, using techniques from error correcting codes and fault-tolerant computations, but I assume that doing it on-line is much simpler. OTH, if you have a degree in CS and like to create worms, then why not try to learn some theory.

      --
      e-mail: karol at tls-technologies.com
      www: http://www.tls-technologies.com
      sig: not found
    3. Re:No need for inter-worm communications by apdt · · Score: 1

      I remember reading something that said that theoretically a worm designed to start scanning the whole IP space and, on each _successful_ infection, pass half its space onto the newly infected machine, could cover the entire IP space in around 15 minutes.

      That sounds pretty effective to me.

      --
      I lay awake last night wondering where the sun had gone, then it dawned on me.
    4. Re:No need for inter-worm communications by Anonymous Coward · · Score: 0

      Each sub worm, should also launch sub-IP attacks on 192.168.x.x and 10.x.x.x's if it comes from outside that IP range and has any network adaptors on those name spaces.

      -JR

    5. Re:No need for inter-worm communications by Anonymous Coward · · Score: 0

      Covering a 64th of all the IP space would be pretty obvious to those further down the network. That much scanning would let the scannees know they were being infected. The whole point of the initial attack is to propagate undetected.

  14. Of course by PygmyTrojan · · Score: 5, Funny
    The only way to protect against Curious Yellow is to inoculate every computer with an anti-worm, Curious Blue, which uses similar technology to instantly distribute security patches

    I'd say one good way to protect against it is don't open those files named YippeeImAnIdiot.jpg.vbs

    --

    Trying is the first step towards failure.

    1. Re:Of course by OrangeSpyderMan · · Score: 2

      Curious Blue works something like litmus paper, and turns curious green when your computer is infected with Curious Yellow.

      --
      Try NetBSD... safe,straightforward,useful.
    2. Re:Of course by Jeremi · · Score: 3, Insightful
      I'd say one good way to protect against it is don't open those files named YippeeImAnIdiot.jpg.vbs


      I'll go you one further... don't use any email client that has the capability of running scripts or executables received in email.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    3. Re:Of course by SoSueMe · · Score: 1

      This will all be fixed by Curious George and The Man in the Big Yellow Hat.

      It's too early for Beer, I have no excuse for this post.

    4. Re:Of course by Anonymous Coward · · Score: 0

      I'd go one step further: don't use any OS that has the capability of running scripts or executables PERIOD.

      Moron.

  15. Isn't this how many ddos attacks work now? by vasqzr · · Score: 0, Redundant


    Infect hosts, get them all in something like an IRC channel, give the signal....

    1. Re:Isn't this how many ddos attacks work now? by sopwath · · Score: 1

      Read the article!!!

      The nodes don't need an IRC channel, they already communicate with each other. World propagation of a signal could take as little as 30 seconds. Plus, they don't rely on a single resource for instructions. Instead all they need is a message from an approved source, one containing the private key.

  16. Precedent by Anonymous Coward · · Score: 5, Informative

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    the Linux based 'Slapper' worm (link at end of message) was the first worm to create a peer-to-peer network of infected nodes. communication was basic, allowing the network to learn its own topology, and launch DDoS attacks as a single unit when commanded from a single remote location. the piece that Slapper is missing is authentication. imagine if the Slapper worm was written so that it carried with it a public key, and used that key to verify any command sent to it. the worm could be designed to not even reply to UDP requests whose signature fail, making remote detection completely impossible. signed messages would allow the worm author to remotely control the entire network of infected nodes exclusively, distributing patches to combat wormbusters, upgrades to allow the worm to infect new systems, and commands to launch DDoS attacks on targets of his choosing.

    it's going to happen. you heard it here first.

    - -s.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: i am sllort and i post AC

    iD8DBQE9uR/OKpz2COjVE3YRAv1tAJ9HtLZ0AQDOfUvIGh4jz//N+aOtBQCgpQyI
    igaqDD9fmOA8+/7Apub1nAs=
    =XxoQ
    -----END PGP SIGNATURE-----
    http://zdnet.com.com/2100-1105-959385.html

    1. Re:Precedent by Spencerian · · Score: 2

      Given that Windows systems have proven themselves so insecure that they'll soon be susceptible to catching the Common Cold, and that every other operating system outside of Microsoft is essentially a UNIX flavor, this officially scares the hell out of me.

      Most viruses and worms are written with specific hardware or processors in mind, so I guess I shouldn't worry as much with my Mac OS X system...or should I? If the code is really written to leech around or through a typical process in a UNIX flavor and not be concerned about hardware, then--oh, boy.

      Thank God Mac OS X has many vulnerable services such as Apache, FTP, SSH, and the like switched off by default so you can't easily hose yourself. But one well-written trojan run on my computer could be a problem if I don't stay wary.

      --
      Vos teneo officium eram periculosus ut vos recipero is.
    2. Re:Precedent by Anonymous Coward · · Score: 0

      Geez, why mod this guy up and encourage him to write comments with all that crap in them.

      DO WE REALLY NEED YOU TO GPG SIGN YOUR SLASHDOT COMMENTS?

      What a freak.

    3. Re:Precedent by mamba-mamba · · Score: 2
      imagine if the Slapper worm was written so that it carried with it a public key, and used that key to verify any command sent to it. the worm could be designed to not even reply to UDP requests whose signature fail, making remote detection completely impossible

      Encryption alone will not do this.

      I agree that decrypting the UDP packet would be computationally infeasible, assuming strong encryption. Likewise, forging arbitrary packets would be impossible for the same reason.

      But you could still use a type of replay attack to flush out infected hosts. Once you capture a command packet (with a sniffer) and the characteristic response on an infected system, you can just resend that packet to another system and then if you see the characteristic response, you know the system is infected. This might not qualify as remote, since you would have to be in a position to observe the "expected response," which realistically means, you have to be on the same subnet.

      I don't know. You are definitely on to something. There is probably a simple workaround for the replay attack I outlined. But I don't want to give anyone ideas. I don't want to give a design seminar for hard to detect worms. ;-)

      MM
      --

      --
      By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
    4. Re:Precedent by Anonymous Coward · · Score: 0

      Well, duh. The same defense you always use against replay attacks - timestamps in the hashed section (or sequence numbers, which wouldn't necessarily be as good).

    5. Re:Precedent by WNight · · Score: 2

      And the source and dest IPs. Once you're decrypting a packet, it doesn't take appreciably longer depending on what's in it, so a few sequence numbers and the like aren't a problem.

    6. Re:Precedent by Ben+Hutchings · · Score: 2

      No, adding addresses would be a bad idea. If the command has to be encrypted differently for each infected host, either the controlling host must generate a huge amount of traffic or the private key must be distributed with the worm so that nodes can re-encrypt the commands.
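
As an added example, not code from Wiley's paper or from any poster in this thread, here is the signed code-update check described in the paper's "Security, Cryptography, Signatures, and Trusted Code Updates" section, written from the Curious Blue (patch distribution) side and with the replay defence this thread settles on: a sequence number and a timestamp inside the signed bytes, and nothing host-specific, so one envelope is broadcast to every node unchanged. The Update layout, the choice of Ed25519, the five-minute freshness window and the sample payloads are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Update is the envelope a node receives (constructed format for this example).
// Seq and Timestamp are covered by the signature, so neither can be altered or
// stripped without breaking it. Nothing host-specific is signed, which is why a
// single envelope can be sent to the whole network.
type Update struct {
	Seq       uint64 // strictly increasing per signing key
	Timestamp int64  // Unix seconds at which the update was signed
	Payload   []byte // the code update itself
	Sig       []byte // Ed25519 signature over signedBytes()
}

// signedBytes is the exact byte string the signature covers:
// 8-byte big-endian Seq, 8-byte big-endian Timestamp, then the payload.
func (u *Update) signedBytes() []byte {
	buf := make([]byte, 16+len(u.Payload))
	binary.BigEndian.PutUint64(buf[0:8], u.Seq)
	binary.BigEndian.PutUint64(buf[8:16], uint64(u.Timestamp))
	copy(buf[16:], u.Payload)
	return buf
}

// Sign runs only on the offline machine that holds the private key.
func Sign(priv ed25519.PrivateKey, seq uint64, ts int64, payload []byte) *Update {
	u := &Update{Seq: seq, Timestamp: ts, Payload: payload}
	u.Sig = ed25519.Sign(priv, u.signedBytes())
	return u
}

var (
	ErrBadSignature = errors.New("signature does not verify under the creator's public key")
	ErrStale        = errors.New("timestamp outside the freshness window")
	ErrReplay       = errors.New("sequence number not newer than the last accepted update")
)

// Node is one network node. It carries only the public key; the private key
// never leaves the offline signer.
type Node struct {
	pub     ed25519.PublicKey
	lastSeq uint64           // highest Seq accepted so far (0 = none yet)
	maxSkew time.Duration    // how far Timestamp may differ from local time
	now     func() time.Time // injectable clock so the checks are deterministic
}

func NewNode(pub ed25519.PublicKey, maxSkew time.Duration, now func() time.Time) *Node {
	if now == nil {
		now = time.Now
	}
	return &Node{pub: pub, maxSkew: maxSkew, now: now}
}

// Accept decides whether u may be applied. The signature is checked first, so an
// unsigned probe learns nothing about node state. A deployed node should also send
// no reply at all on any failure; that removes the "characteristic response" that
// a replayed packet could otherwise be used to elicit.
func (n *Node) Accept(u *Update) error {
	if !ed25519.Verify(n.pub, u.signedBytes(), u.Sig) {
		return ErrBadSignature
	}
	age := n.now().Sub(time.Unix(u.Timestamp, 0))
	if age > n.maxSkew || age < -n.maxSkew {
		return ErrStale // too old, or from a clock too far ahead of ours
	}
	if u.Seq <= n.lastSeq {
		return ErrReplay // an exact replay or an out-of-order older update
	}
	n.lastSeq = u.Seq
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	clock := time.Unix(1700000000, 0) // constructed, fixed "now"
	node := NewNode(pub, 5*time.Minute, func() time.Time { return clock })

	first := Sign(priv, 1, clock.Unix(), []byte("patch-1 (constructed payload)"))
	fmt.Println("first delivery:", node.Accept(first)) // <nil>
	fmt.Println("replayed copy: ", node.Accept(first)) // ErrReplay

	tampered := *first
	tampered.Payload = []byte("patch-1 with extra bytes")
	fmt.Println("tampered copy: ", node.Accept(&tampered)) // ErrBadSignature

	old := Sign(priv, 2, clock.Add(-time.Hour).Unix(), []byte("patch-2"))
	fmt.Println("stale update:  ", node.Accept(old)) // ErrStale
}
```

Freshness depends on the nodes' clocks being roughly right, so a node whose clock an attacker can shift will accept older updates; the sequence number still stops an exact replay regardless of clock.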

  17. All Distributed computing is malicious by 91degrees · · Score: 2, Funny

    It started with the plans to decode alien transmissions. We all know that SETI is regularly receiving alien transmissions from benevolent aliens, but this would interfere with the power that Disney has, so they try to break their codes and subvert them. Then there's the cure for cancer search, or rather the search for drugs companies to make more money from new drugs. Let's not forget all the code breaking challenges. Why do they want to break this code? There's something written in secret that they want to find out? But what? Clearly the lost city of Atlantis. The US government wants its secrets for itself. It's time to stop and find a benevolent use for distributed computing.

    1. Re:All Distributed computing is malicious by Anonymous Coward · · Score: 0

      I saw on a television program on TLC that Atlantis had lazers? Do you know if this is true? They had a psychic guy who lived there before in a past life, so I'm inclined to think there might be something to his story.

    2. Re:All Distributed computing is malicious by 91degrees · · Score: 1

      I'm not sure. If it was the MacGyver ep with Brian Blessed in, then it's all true. The rest is just Hollywood fictionalisations.

  18. I got the Curious Yellow worm by teamhasnoi · · Score: 4, Funny
    It took 3 weeks of antibiotics to get rid of it, and I had the squirts the whole time.

    Don't drink the water, they said. Sure, whatever, I said.

    I drank the water.

  19. Am I missing something here? by eet23 · · Score: 0

    The article seems to assume that the worm designer can find security holes more quickly than they can be patched. But surely it should be possible to block the worm, once it's detected, by announcing to the world something like "firewall off port X, don't run program Y"?

    1. Re:Am I missing something here? by Anonymous Coward · · Score: 0

      good admins patch their boxes, a lot of people don't. most worms exploit old vulnerabilities.

  20. Like Real viruses by goombah99 · · Score: 5, Interesting
    There are any number of real virii and bacteria (like Tuberculosis) that use a quorum sensing mechanism before becoming hostile to their host. The bugs grow but in a mostly benign fashion, concentrating on infecting but not harvesting or killing their host. When their numbers reach a critical level they switch over and become massively virulent, making an all out assault on the host, overwhelming the defenses.

    The interesting thing here is the communication aspect. It's different than say a pre-programmed computer virus that does its thing on say Jan 1 2000. Here the thing is adaptive and self organizing.

    Let's take this a step further. China is a breeding ground for both real and computer viruses. Real viruses like flu live in ducks, where they are harmless and mutate rapidly, transfer to pigs where they adapt to mammalian systems, then onto humans when they are ready. The Chinese computers, as discussed in slashdot, have become 80% exposed/infected to viruses.

    Currently these virii (computer) do not actually "breed" in the sense of evolving by themselves. But why not? Bacteria evolve during their own lifetimes by communicating (by exchange of circular DNA known as plasmids). If we start having computer-virus to computer-virus communication we will soon have the capability for viruses that breed and, like a genetic algorithm, "learn" new ways of infecting a host, learn to tune their rates of infection, and develop new and better communication protocols.

    A question emerges then of what happens next. Most viruses follow the pattern of being at first increasingly virulent and deadly to their hosts. Then over time as they begin to kill too many hosts they evolve to become less virulent as a survival strategy. At the same time the surviving hosts have become better at killing them. A truce ensues where the bugs are too hard to completely kill because they mutate quickly.

    Current viruses have the ability to replicate but not to evolve. The first step in evolving sexual reproduction is communication with another virus. Later will come information sharing and controlled mutation. Terminator here we come, but not the same way as the movie.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Like Real viruses by waider · · Score: 2, Interesting

      You're making a large (and frequently made) leap of faith here, from "communication" to "replication with successful mutation". There are several experiments in the field of mutating programs (look up Artificial Life in Google, for example), but to suggest that the mere ability of viruses to communicate with each other will automatically lead to "breeding" capability is a little far-fetched, to say the least.

    2. Re:Like Real viruses by Christopher_G_Lewis · · Score: 1

      Actually, If I recall, the MS Word Concept virus variations actually started to intermingle code.

      There were machines that would get infected with Concept.A, then infected with Concept.B (or something like that), with the second virus stomping on parts of A's delivery system.

      You'd get Concept.A's autostart + Concept.B's autoload etc.

      Quite a bear to remove, if I remember...

    3. Re:Like Real viruses by nounderscores · · Score: 2

      you're forgetting that in this case the network is the computer.

      What happens if Wiley's benign future doesn't happen and the worms kill the internet dead?

      As far as curious yellow is concerned, there is only one host.

    4. Re:Like Real viruses by Saint+Aardvark · · Score: 2
      Most viruses follow the pattern of being at first increasingly virulent and deadly to their hosts. Then over time as they begin to kill too many hosts they evolve to become less virulent as a survival strategy. At the same time the surviving hosts have become better at killing them.

      Or, following what may have happened w/mitochondria, they start performing useful functions...say, drivers for graphics cards. Or would that prove Microsoft's point about the GPL being viral?

      (Joke! Joke!)

    5. Re:Like Real viruses by sopwath · · Score: 1
      Now we just have to get virus writers to cooperate. Get a bunch of different virii to not simply destroy the host, or simply DDOS some target they've got a beef with and they could do wonders!

      There'd have to be a way to ensure an initial release so that survival of the fittest could be the determining factor in each version's success. Virus writers wouldn't have to control mutation, they just have to make sure they keep writing new virus code. That way, if a virus doesn't have what it takes, it would be less able to propagate. The more successful virii would have more targets and be better at what they do.

      How can you ensure that virii can work together without destroying each other in the process? Digital RNA?

  21. A better mouse trap, by Anonymous Coward · · Score: 0

    the joys of the world, hit nerd with a mousetrap and you not only get a paper describing why it was a bad idea, but you get suggestions for how you should build a better mousetrap for next time. Hopefully someone will take notice of the potential for a better mousetrap and prepare a "better mousetrap" defense. Though sounds like this would raise a few alarms on an IDS sensor. IDS, place it everywhere, even on your backend IDS network.

  22. Tin foil hats! by djkitsch · · Score: 5, Funny

    Didn't you know? It's illegal to THINK about this kind of stuff now.

    Microsoft's clickwrap agreement now states that you're only licensing the right to use your own brain matter, and they're legally entitled to read it at their leisure?

    On with the tin foil hats....

    --
    sig:- (wit >= sarcasm)
  23. Curious Blue = Palladium by kritique · · Score: 0, Redundant

    Just wait until that kind of worm goes out... :)

  24. A good idea by Anonymous Coward · · Score: 0

    I think this could be a good thing. Imagine such a worm, but designed to target spammers specifically!

    Payback's a bitch, eh?

  25. Bzzzt by Anonymous Coward · · Score: 1

    Throwing a neural network at something doesn't make it intelligent. There are other, probably more appropriate methods. Neural networks need to be trained. Hypothetically speaking, if you were to write such a worm, you would not want the worm to train itself in the wild. It would probably be detected due to errors made during training.

  26. God's been there already by dnoyeb · · Score: 2

    Interesting that we are doing with computers what God has apparently done with us. Or the Angels, or Set, or whoever seems to be toying around with us from time to time...

    Kind of twilight zonish don't you agree? I still expect to peel back my skin one day to see gears and rods and sh!t :D

    1. Re:God's been there already by sh4na · · Score: 1

      Interesting that we are doing with computers what God has apparently done with us. Or the Angels, or Set, or whoever seems to be toying around with us from time to time...

      Ah, but don't you see? God is a programmer. We're just following his footsteps. Now for the clincher... what if there are bugs in the system?

      God: What, bugs? No way, I'm perfect! Just let me fix this tiny little thing... (BUM!) Ooops, sorry Bill!

      --
      shana
      ......gone crazy, back soon, leave message
  27. Worms and 'payload' by jACL · · Score: 5, Interesting

    On Flying: It's not the fall I'm concerned about -- it's the impact.

    On Worms: It's not the distribution method I'm concerned about -- it's the impact.

    Oh sure, this method is similar to the old nuclear war strategy -- "time on target" -- where the missiles were all set to arrive at their targets at the same time, increasing the surprise factor and decreasing the defensive options. But it's the bombs going off that really ruined your day.

    After running plenty of all-nighters flushing out assorted virii from corporate nets, I've come to the conclusion that the worst infections are the ones that look like some other kind of problem. Imagine a worm that changes the IP address of random hosts to the gateway address, or is intelligent enough to worm its way around innocuously until it snags an admin account and can begin 'remote registry' operations, or changes the nameserver addresses to trojans that redirect shopping sites to credit card collection impersonation sites. That kind of stuff is the hard stuff to defend against, because you don't know it's happening until way after it happens.

    --
    "It remains to be seen if the human brain is powerful enough to solve the problems it has created." Dr. Richard Wallace
    1. Re:Worms and 'payload' by Pii · · Score: 2
      I don't know whether these are original thoughts, created by you, or whether you are simply passing along something that you'd read elsewhere...

      In either case, you appear to be an Evil Genius [tm].

      You should join S.P.E.C.T.R.E (Special Executive for Counterintelligence, Terrorism, Revenge, and Extortion).

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    2. Re:Worms and 'payload' by xixax · · Score: 2

      One evening we agreed that an interesting attack would be to randomly transpose digits inside predominantly numerical documents on very long intervals. On the chance that it *was* discovered, most people would assume a keying error. Keep it up for a month (most sites) and you have got the backup as well. If you do it at a low enough rate, your data is junk before anyone realises what is happening. The negative was machine generated sequences, which would be broken (and noticed) immediately by such a change (i.e. a credit card number would cease working).

      The other option was popping random registry locations. At a low enough rate, it would not be distinguishable from the regular Windows bit-rot.

      Xix.

      --
      "Everything is adjustable, provided you have the right tools"
    3. Re:Worms and 'payload' by WNight · · Score: 2

      Now, imagine that Win95 was actually truly secure. But, just months into its release, someone wrote a registry-rot worm. It stealthily spread through the population of Win95 machines and eventually infected the dev team at Microsoft. Customers don't suspect anything because it confirms their suspicions. Programmers just assume it's another bug and they work on it as best they can, but the system is too complex so they're never sure it's gone (and thus that it has another cause.)

      At some point the spread is so successful that close to 100% of Microsoft is infected, even the machine they use to do builds. Thus, future versions of windows come with this virus pre-installed.

      Because of the extra debugging work to get rid of what is really virus behaviour, the windows registry and security model really is the best, but we'll never know because of the virus and the settings it uses.

      Or not. :)

  28. That was in an X-Files episode by nounderscores · · Score: 2, Informative

    Written by William Gibson, called kill switch.

  29. Read the paper by Phronesis · · Score: 4, Informative

    KazaA is discussed in the paper as an existence proof.

  30. Interesting... by Mike+McTernan · · Score: 2, Interesting

    I thought that the exponential behaviour of worms was deliberate to use all bandwidth and cause disruptions. I guess the slower worm being proposed would carry some other payload and probably be more damaging to individual machines instead...

    Mike

    --
    -- Mike
  31. A worm with a purpose? by phorm · · Score: 4, Interesting

    This would actually make a point to worms, etc. Right now most of them seem to be one of three:
    -(publicity) Hey, I'm an elite hacker, I've infected half the world's computers
    -(revenge, idiocy, attack) I'm pissed at the world and for that your PC's will pay
    -(information theft/hijacking) There's something on your computer I might want, and now the door is open to get it

    Now, we have a type 4
    -All your base are belong... er, I mean, we are the borg, you will be assi... er...
    basically, an advanced form of "W3 0WN 40U."

    Distributed worms could actually have a point though... There are still certain questions that any individual PC cannot solve (for which they are building voluntary, non-malicious, distributed systems) that could be processed by this worm. Curious Blue (the fix to "Curious Yellow") could be launched as an "anti-worm worm" using the same exploit as Curious Yellow to self-patch the hole.
    Similarly, such a worm *could* be used to repair other known large-coverage bugs.
    Of course, it would be just as illegal to create/launch "Blue" as it would be to create/launch "Yellow", but wouldn't it be nice if somebody were to let loose something that goes around fixing those annoying Code Red and Nimda infected systems still running amok?
    Unfortunately, I cannot even use my own server with a "counterprocedure" to go out and repair those idiot machines that keep trying to access /windows/system/CMD.exe on my Linux machine, so nobody can do this legally (it seems that using an exploit is an attack, regardless of intent or method).

    Black hat hackers can't touch me, I run Red Hat not Black Hat - phorm

    1. Re:A worm with a purpose? by Anonymous Coward · · Score: 0

      just send them a message through the MS messenger service

      smbclient -M ip_addr

      they are still infected by Code Red and Nimda, so it is probably safe to assume they aren't smart enough to figure out how to shut down the messenger service

  32. get Google cached link here by Anonymous Coward · · Score: 0

    http://www.google.com/search?q=cache:blanu.net/curious_yellow.html

    And oh, yes, if you can't be bothered to cut'n'paste,
    you shouldn't waste bandwidth anyway... >:-E

  33. Did anyone else hear it? by Waab · · Score: 2

    I swear when I was halfway through the whitepaper I could actually hear 31,337,000 script kiddies begin to salivate.

    Meanwhile, in another part of the city, H.A. Rey begins work on a cautionary tale about what happened when The Man in the Yellow Hat doesn't download the latest patches.

  34. A new project? by dr_dank · · Score: 2

    Hax0r@home - Finding the cure for unpatched b0xen.

    --
    Where does the school board find them and why do they keep sending them to ME?
  35. easy way to kill it by nounderscores · · Score: 5, Interesting

    Sniff for packets containing the SHA1 hash of known infected nodes. Follow the links to eradicate the whole damn nest of the bastards.

    alternatively release a fake "wormcode patch" which poisons nodes after they pass it on. Such an anti-virus-virus would take the network down in less than 15 seconds.

    To be more robust, this worm has to start thinking smarter: it has to organise itself into a network of cells which are networks, rather than one big flat network. That way, only one node in each cell knows about only one node in an adjacent cell. If node A in cell 1 knows about node A' in cell 2, then when it gets compromised, it cannot betray nodes B', C' or D'.

    Get the worm to spread until it knows about x number of nodes, and then tell each node that they are suddenly the only node in a new cell, and that all their old cell buddies are just their external contacts to other cells. Repeat the process until you have global domination.

    That way you can still issue orders, if you have access to the original cell, but if that cell dies, then the worm turns into many rogue cells which act on their standing orders... and any anti-virus-virus "patch" would have to start from the original cell....

    1. Re:easy way to kill it by hoegg · · Score: 1

      He basically addresses this in the paper. Each node only knows about a couple of its neighbors, and transmits information to them.

      In his example, Curious Blues and Curious Yellows eventually are battling one another for control of the entire internet. Even if this is a bit apocalyptic, it is an interesting scenario in which viral infection is a part of the internet landscape.

      One angle the author did not pursue is the collaborative design and programming of a Curious Blue by the general public as opposed to by "trusted" anti-virus companies a la McAfee or Symantec. Programmers could be nominated as "committers" to the project after reaching a certain level of "trust" with the existing "committers". Sound familiar?

      People could then voluntarily infect systems under their control with this version of Curious Blue. At this point, the collective expertise of the public is mobilized against this entire class of worms. As we accumulate "trusted committers" we increase the number of minds searching for ways to inoculate the general public against new strains of Curious Yellow.

      Another benefit of this kind of vaccine distribution is that patches for specific security vulnerabilities can be distributed using this network. Any open source project (think OpenSSH, Apache, etc) that wants to quickly distribute urgent security updates can securely distribute and install them using this opt-in network.

      There are existing software projects that could be leveraged in something like this. Each of the linux package management systems, FreeBSD's ports, Apache Gump, and CVS/Subversion each have something to contribute to this project.
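The cell design in comment 35 (and the reply's "each node only knows about a couple of its neighbors") is worth measuring rather than arguing about. The following is an added example, not code from the paper or from either poster: it builds two constructed topologies with integer node ids, a flat network where every node knows K random peers and a ring of cells where one liaison per cell knows one node in the next cell, then compares what seizing one node reveals directly (its own peer list) against what "follow the links" eventually reveals, and how many sequential seizures that takes.

```python
"""Added example: who can an investigator enumerate after seizing one worm node?

Two constructed topologies (no real hosts, node ids are just integers):
  flat  - every node knows K random peers
  cells - every node knows its cell-mates, and one liaison per cell knows
          exactly one node in the next cell (a ring of cells)
For a seized node we compare direct exposure (its own peer list) with
transitive exposure (what "follow the links" eventually enumerates) and the
number of sequential seizures (BFS depth) that enumeration takes.
"""
import random
from collections import deque


def build_flat(n, k, rng):
    """Each node knows k random other nodes (knowledge is directed)."""
    known = {}
    for v in range(n):
        peers = [u for u in range(n) if u != v]
        known[v] = set(rng.sample(peers, k))
    return known


def build_cells(n, cell_size, rng):
    """Cells of cell_size nodes; the first node of each cell is the liaison
    and knows one randomly chosen node in the following cell."""
    assert n % cell_size == 0
    cells = [list(range(c, c + cell_size)) for c in range(0, n, cell_size)]
    known = {}
    for idx, members in enumerate(cells):
        for v in members:
            known[v] = set(members) - {v}
        liaison = members[0]
        next_cell = cells[(idx + 1) % len(cells)]
        known[liaison].add(rng.choice(next_cell))
    return known


def direct_exposure(known, v):
    """Nodes the seized node v can betray from its own peer list."""
    return len(known[v])


def transitive_exposure(known, v):
    """BFS from v: (nodes eventually enumerable, seizures needed in sequence)."""
    depth = {v: 0}
    queue = deque([v])
    while queue:
        x = queue.popleft()
        for y in known[x]:
            if y not in depth:
                depth[y] = depth[x] + 1
                queue.append(y)
    return set(depth), max(depth.values())


def compare(n=64, k=8, cell_size=8, seed=1):
    """Summarise both topologies from the point of view of seizing node 0."""
    rng = random.Random(seed)
    nets = {"flat": build_flat(n, k, rng), "cells": build_cells(n, cell_size, rng)}
    summary = {}
    for name, net in nets.items():
        reach, hops = transitive_exposure(net, 0)
        summary[name] = {
            "direct": max(direct_exposure(net, v) for v in range(n)),
            "transitive": len(reach),
            "hops": hops,
        }
    return summary


if __name__ == "__main__":
    for name, s in compare().items():
        print(name, s)
```

The numbers make the trade-off concrete: cells cut what any single seized node can betray to its cell plus at most one outside contact, but because the ring of cells is still connected, transitive enumeration still reaches every node; what the cell structure buys is that the investigator needs a long chain of sequential seizures (at least one per cell) instead of a handful.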

  36. No it is actually Like Real virususes by goombah99 · · Score: 2
    Communication is a prerequisite to "genetic" evolution. After all, how do you think sexual evolution came about?

    The real difference in the analogy is the sophistication of the host. In the real world hosts and parasites co-evolved. An early parasite did not have to be a very clever bug, just be one step ahead of its equally dim host, each co-evolving to exploit each other's weaknesses. Now we have some really complex or really simple but tricky bugs that have a level of sophistication that seems miraculous.

    That is to say, if you were to create a man-made virus today without stealing the existing machinery from a natural bug, you would find it pathetically incompetent to deal with modern hosts. Likewise, current computer viruses are going up not just against sophisticated computer systems, but also against the human minds that are actively hunting them. Thus it's going to be a while before computer viruses can survive and mutate on their own. They will need human help to combat the humans trying to kill them.

    On the other hand, in China it appears there is a fertile breeding area where humans are not aggressively hunting bugs. This would be a good breeding ground for a simple bug to evolve to something actually AI quality.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:No it is actually Like Real virususes by JordoCrouse · · Score: 2

      On the other hand, in China it appears there is a fertile breeding area where humans are not aggressively hunting bugs. This would be a good breeding ground for a simple bug to evolve to something actually AI quality.

      Are you forgetting that a human being will have to be responsible for developing the AI for the virus? Today we can't even begin to understand the concepts behind self mutating computer viruses, and we may never fully understand the concepts.

      And I, for one, am happy. I fear the day that mankind releases upon the world code that has the capacity to mutate and change under certain circumstances. No good can come of that.

      --
      Do you have Linux and a DotPal? Click here now!
  37. End of the year by RedWolves2 · · Score: 1

    Optimally I should be infected by this worm by the end of the year now that this is public.

    Thanks

  38. Some Ideas... by gfordham · · Score: 1

    The communication is the hard part, as soon as this thing gets known, every sysadmin worth his paycheck will block the ports it communicates on. Is there a way to double up processes on one port? If so you could say hook into the port for say, sendmail or something, and then have the worm ignore the sendmail commands, and parse the worm commands. Or you could have several ports listening all the time, UDP style, and have worm node (A) fire off a number that corresponds to the next port that worm node (B) should receive its next set of commands on. This should get around that pesky admin. I must say I have to agree with the author, that slow and steady will probably win this race. Tally Ho. --Greg

    --
    When work feels overwhelming, remember that you're going to die.
    1. Re:Some Ideas... by Anonymous Coward · · Score: 0

      You don't know much about the way computers work, do you?

    2. Re:Some Ideas... by gfordham · · Score: 1

      If you have root access on a machine, what's to stop you from using assembly code to do stuff you're not supposed to do? A call to bind() wouldn't allow you to connect two processes to one port, but if you knew where in memory you needed to point your process to, then why not? The hard part would be locating the address of the sockaddr struct for the service you wanted to hook into. Besides those problems the server you were humping would probably be spitting out tons of error messages.

      --
      When work feels overwhelming, remember that you're going to die.
    3. Re:Some Ideas... by broken_bones · · Score: 1

      Depending on how you have the thing communicating between infected nodes I would think it might be possible to set up a scheme where the worm would randomly switch communication ports. If a tree like network were used each parent could send a message to each of its children saying "all future communication will now be on port X." The parent node would now be able to communicate with its children on the new port while still listening to its own parent on the old port. You may have some problems with losing a child node if the message to switch ports wasn't received but I'm sure one could find a way around that.

      NOTE: I'm not a networking specialist/expert. If there is something about the above comment that is just absolutely wrong by all means speak up.

      --

      Never disturb your enemy while he is busy making a mistake.
    4. Re:Some Ideas... by 42forty-two42 · · Score: 1

      Why restrict to single ports? Listen in rawmode, and check for some code that corresponds to the ports/ips/message contents. If it matches up, it's a message. Add a level of redundancy for dropped messages, and use random ports.
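The port-switch exchange that broken_bones sketches (and the "lost message" problem that reply raises) can be written down as a small protocol. What follows is an added example, not code from the paper or from any poster, and it makes three assumptions that the posts do not: the parent and child share a secret installed at infection time, so a "hop" order cannot be forged by an administrator who has read the protocol; orders carry a monotonically increasing sequence number, so a captured order cannot be replayed; and the child keeps draining its previous port for a while, so a lost acknowledgement only costs a retransmission rather than a lost child. The channel is an in-memory stand-in for UDP that drops packets according to a constructed schedule.

```python
"""Added example: the "all future communication will now be on port X"
exchange between a parent and a child node, simulated in memory.

Assumptions (none of them from the original posts): a shared secret agreed at
infection time, a sequence number against replay, and a child that keeps
draining its previous port so a lost ack only costs a retransmit. The Channel
stands in for UDP and drops sends according to a constructed schedule."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-shared-secret"   # assumption: agreed at infection time


def seal(msg, key=SHARED_KEY):
    body = json.dumps(msg, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def unseal(blob, key=SHARED_KEY):
    """Return the message, or None if the tag does not verify."""
    body, _, tag = blob.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class Channel:
    """Port-addressed mailboxes; drops[i] says whether the i-th send is lost."""
    def __init__(self, drops=()):
        self.drops = iter(drops)
        self.inbox = {}

    def send(self, port, blob):
        if not next(self.drops, False):
            self.inbox.setdefault(port, []).append(blob)

    def recv(self, port):
        queue = self.inbox.get(port, [])
        return queue.pop(0) if queue else None


class Child:
    def __init__(self, chan, port):
        self.chan, self.port, self.seq = chan, port, 0
        self.old_ports = []       # still drained, so a repeated order can be re-acked

    def poll(self):
        for port in [self.port] + self.old_ports:
            blob = self.chan.recv(port)
            if blob is None:
                continue
            msg = unseal(blob)
            if msg is None or msg.get("type") != "hop" or msg["seq"] < self.seq:
                continue               # forged, unknown or replayed: ignore
            if msg["seq"] > self.seq:  # fresh order: move
                self.seq = msg["seq"]
                self.old_ports = [self.port]
                self.port = msg["port"]
            # seq == self.seq means the parent never saw our ack: ack again
            self.chan.send(msg["ack_port"], seal({"type": "ack", "seq": self.seq}))


class Parent:
    def __init__(self, chan, child_port, ack_port):
        self.chan, self.child_port, self.ack_port, self.seq = chan, child_port, ack_port, 0

    def hop(self, child, new_port, max_tries=10):
        """Order the child to new_port; returns the attempt that succeeded, 0 on failure."""
        self.seq += 1
        order = seal({"type": "hop", "seq": self.seq, "port": new_port, "ack_port": self.ack_port})
        for attempt in range(1, max_tries + 1):
            self.chan.send(self.child_port, order)   # keep using the old port until acked
            child.poll()                             # stand-in for the child's receive loop
            blob = self.chan.recv(self.ack_port)
            ack = unseal(blob) if blob else None
            if ack and ack.get("type") == "ack" and ack["seq"] == self.seq:
                self.child_port = new_port
                return attempt
        return 0


def demo(drops=(True, False, True)):
    """Constructed run: first order lost, second delivered but its ack lost, third re-acked."""
    chan = Channel(drops)
    child = Child(chan, port=31337)
    parent = Parent(chan, child_port=31337, ack_port=4000)
    attempt = parent.hop(child, new_port=40001)
    return attempt, child.port, parent.child_port
```

In the constructed run the order succeeds on the third attempt: the first copy is lost, the second arrives but its acknowledgement is lost, and the third copy (still sent to the old port) is recognised by the child as the order it already obeyed and simply re-acknowledged. Without the old-port drain the parent would keep retransmitting to a port nobody listens on, which is exactly the lost-child failure the reply worries about. The same authenticated, sequenced envelope is what a defender's fake "wormcode patch" would have to forge, so the shared secret matters as much as the port choice.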

  39. lol! by nounderscores · · Score: 2

    I can't believe that someone else watched wargames.

    You know, the number of times we've played out the-near-destruction-of-human-kind-at-the-hands-of-our-creations scenario in our minds makes me suspect that it's going to be inevitable. If only for the fact that the meme is at the front of so many people's heads.

    1. Re:lol! by Anonymous Coward · · Score: 0

      I can't believe that someone else watched wargames [imdb.com].

      You're kidding, right? I've loved this movie for a long time. Granted, I'm probably a bit too young to really comprehend it totally (it was made the year before I was born) but it's still the most awesome piece of 1980's film to ever exist.

      In my opinion only of course.

  40. ANN's make no sense here by siskbc · · Score: 3, Insightful

    Just because neural nets sound "smart" and we want a "smart" program doesn't mean they're appropriate here. As already mentioned, what are you going to train it with? Second, is the problem highly nonlinear? If not, simpler solutions exist. Best yet, a heuristic (set of rules) based system would make more sense. Give it a set of conditions under which it can alter its behavior - and I think that there are reasonable ways of determining such courses of action before hand.

    Remember, this thing needs to be small, not bloated.

    --

    -Looking for a job as a materials chemist or multivariat

    1. Re:ANN's make no sense here by Anonymous Coward · · Score: 0

      I completely agree. Even though I can train an NN to predict Saturday's powerball numbers based off of previous numbers, I wouldn't call it artificially intelligent.

    2. Re:ANN's make no sense here by siskbc · · Score: 2

      And that's another good point. If you do "predict" powerball numbers, what you've done is overtrained your network on the same input data, and the model is worthless. A lot of people think ANN's are infallible. They're not. I swear, if they weren't called "neural," no one would give them this mystique.

      --

      -Looking for a job as a materials chemist or multivariat

  41. offtopic, i know.... by unwesen · · Score: 1

    ... but it's interesting to find out an origin for the vurt feather's name.

  42. Vurt Reference - Curious Yellow by hammy · · Score: 1

    I believe curious yellow is more likely to be a reference to vurt by jeff noon. Which is an amazing book by the way.

    1. Re:Vurt Reference - Curious Yellow by Contact · · Score: 2

      Also, I think the reference to the "Curious Yellow" feather in Vurt was taken from the legendary film, I am Curious, Yellow...

  43. Mirror by Door-opening+Fascist · · Score: 2, Informative

    Since the site appears to be getting kind of slow, and also seems to be a personally-hosted site, I have set up mirrors here (courtesy of Earlham College) and here (courtesy of UW-Madison).

    1. Re:Mirror by nounderscores · · Score: 2

      <paranoia>no, that was one of the specially delegated and tasked worms scanning and infecting you. your web access may be a little slow every now and then... for the rest of your life....</paranoia>

  44. [OT] Real viruses by aridhol · · Score: 5, Interesting
    Sorry, that's not how real viruses work. My wife's a virologist (studying ebola, if you care), and she's explained this a "few" times

    It is not optimal for a virus to kill its host. Ever. End-of-story.

    Because a virus cannot live outside of a host, it is important that the virus keep its host alive as long as possible. Therefore, each virus evolves in an "optimal host". This host is a type of life (animal, plant, even bacteria), in which the virus exists without killing the host. The problem arises when the virus tries to expand its territory to a non-optimal host. In some of these hosts, it can't even get a footing, and dies off without infecting cells. In others, however, it infects the cells in a non-optimal way, killing the host (and with it the virus).

    For example, ebola tends to kill people. Depending on the strain, it's between 50% and 90% fatality in humans. Obviously, humans are not ebola's optimal host. However, there are some species of bats that carry the ebola virus, and are not affected by it. These bats are the natural hosts of ebola, allowing the virus the best opportunity to survive without overpopulating.

    This is all from memory, as my wife's at work, so corrections are appreciated.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:[OT] Real viruses by goombah99 · · Score: 2
      Your discussion considers the "equilibrium" virus. In the real world viruses are dynamic. Both in the sense of adapting to new hosts where they tend to be lethal, and in the sense of adapting to new host defenses. Thus as I said, dynamically, viruses tend to become more virulent and then later less virulent as they gain a footing and then evolve to the new host.

      On the other hand, there are plenty of bugs (but not viruses--they require a living host) that look at you as a large sack of purina bacteria kibble. All these things want to do is kill you and digest your tasty bits at their leisure. These bugs don't require a host to live.

      To a certain extent the current crop of computer viruses seem to define success as mortally wounding the host. Self-preservation and adapting to their hosts are not the goals of most computer viruses.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:[OT] Real viruses by freality · · Score: 1

      > It is not optimal for a virus to kill its host.
      > Ever. End-of-story.

      Unless of course the virus (or prion.. who's counting?) is Mad Cow Disease!

      It is only when the host is killed that the organism gets to propagate, because it's got to be fed to another of the same organism. Ew! Who eats this stuff?!?! uh... *cough cough.. croak*

    3. Re:[OT] Real viruses by Jeremy+Erwin · · Score: 2

      People aren't infected with the variola virus anymore (Well, not officially...), even though a good portion of the world is not vaccinated.

      Plenty of potential hosts-- yet there is no epidemic, and smallpox is considered extinct in the wild. Why? Because a couple of decades ago, most everyone was vaccinated. No hosts, no new infections, no virus, no more need to vaccinate.

      And yet, before vaccination, smallpox was very virulent, and quite deadly to its hosts.

    4. Re:[OT] Real viruses by aridhol · · Score: 2
      And yet, before vaccination, smallpox was very virulent, and quite deadly to its hosts.
      That is because humans were not its optimal host. The virus tended to kill its hosts before it had a chance to evolve into a less-deadly form. Assuming we hadn't destroyed it and it hadn't destroyed us, eventually it could have evolved to a form that doesn't kill us, and we would be the optimal host for the new strain of smallpox, which would probably be deadly to the next species it passed on to.
      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
  45. The exception, not the rule. by freality · · Score: 2, Funny

    Assuming you don't live in destitute conditions, it seems more reasonable to say that real viruses don't kill you, except of course for the pathological (pardon the pun) exceptions.

    Consider smallpox and cold.

    Smallpox of course does kill, but it's not around.. where is it? I don't see it, my neighbors and friends don't see it. Nobody sees it, except for biologists.

    Smallpox is laughed at by the other viruses. It has the strength of Hercules, but what does it do with it? It pops up once every few generations and shows its strength, but is usually gone in a flash. Lame.

    The common cold, on the other hand, is everywhere.. I have it right now, some of my neighbors and friends have it.. it's spreading like wild-fire!

    The cold is a great virus.. it's like the star of the viruses.. it tries its hardest not to get the host sick, because a sick host stays home, and then the cold can't get to new hosts.

    The real benefit of sanitation, plumbing in particular, is the quarantine of hosts infected by loser viruses. Viruses that devastate poor river villages in the tropics aren't a threat in the rich cities because of sanitation... a couple of people get the virus, stay home (to recover or die), and few others get exposed.

    If you want to make better viruses, save us some time and make them cool, like the cold, instead of lame, like smallpox... we'll both be happier for it.

    1. Re:The exception, not the rule. by JordoCrouse · · Score: 1

      Minor nitpick... there is no one virus that causes the common cold (but your claim still holds true for the class of viruses that cause the symptoms of a "common cold").

      But other than that, this post was insightful, interesting, funny and underrated.

      Mod up now.

      --
      Do you have Linux and a DotPal? Click here now!
  46. How does the network fix itself? by siskbc · · Score: 4, Interesting

    The major problem is how the network fixes itself. Nodes will go down - either because they just do, or because some sysadmin is going to notice traffic on some strange port.

    I could see one node saying "Hey, my neighbor disappeared, we need a new node," but he doesn't know the neighbor's other neighbor. This is exactly like a linked list - if you delete a node before switching the pointers around, you've just created a memory leak.

    Also, to make this thing branch, won't each node need at least three neighbors?

    --

    -Looking for a job as a materials chemist or multivariat

    1. Re:How does the network fix itself? by ahogue · · Score: 1
      Read up on Chord, the scheme used in this paper:

      http://www.pdos.lcs.mit.edu/chord/
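The linked-list worry in comment 46 is exactly what Chord's successor list answers: a node keeps pointers to its r nearest successors, not just one, so when its immediate successor vanishes it promotes the next one and refills the list by copying from the new successor. The block below is an added illustration modelled on that mechanism, not code from the paper or from the Chord project; node ids are constructed integers on a ring of size 100, the ring size, r and the id values are all assumptions, and a "dead" node simply stops being listed as alive without telling anyone.

```python
"""Added example: how a Chord-style ring repairs itself after a node vanishes.

Each node keeps a successor list of its r nearest successors instead of one
"next" pointer. When the first successor dies, the node promotes the next live
entry and refills the list by copying that successor's own list. Illustrative
code modelled on Chord's successor-list maintenance; ids are constructed."""


def in_range(key, a, b, ring=100):
    """True if key lies in the half-open ring interval (a, b]."""
    if a < b:
        return a < key <= b
    return key > a or key <= b        # interval wraps past zero


class Ring:
    def __init__(self, ids, r, size=100):
        self.size = size
        self.r = r
        self.alive = sorted(ids)
        # each node's private view of its successors, taken when the ring formed
        self.succ = {v: self._successors_of(v) for v in ids}

    def _successors_of(self, v):
        i = self.alive.index(v)
        n = len(self.alive)
        return [self.alive[(i + j) % n] for j in range(1, self.r + 1)]

    def fail(self, v):
        """v disappears without notifying anybody; other views go stale."""
        self.alive.remove(v)

    def stabilize(self, v):
        """Drop dead successors, then copy the first live successor's list.
        Returns False if every known successor is gone (v is cut off)."""
        live = [s for s in self.succ[v] if s in self.alive]
        if not live:
            return False
        first = live[0]
        merged = [first]
        for s in self.succ[first]:
            if s in self.alive and s != v and s not in merged:
                merged.append(s)
        self.succ[v] = merged[: self.r]
        return True

    def lookup(self, start, key, max_hops=64):
        """Walk first-successor pointers from start to the node responsible for key."""
        cur = start
        for _ in range(max_hops):
            nxt = self.succ[cur][0]
            if in_range(key, cur, nxt, self.size):
                return nxt
            cur = nxt
        raise RuntimeError("lookup did not converge (stale pointers?)")


def demo():
    ids = list(range(0, 100, 10))          # constructed ids 0, 10, ..., 90
    ring = Ring(ids, r=3)
    ring.fail(20)
    ring.fail(30)                          # two adjacent failures, fewer than r
    repaired = ring.stabilize(10)
    owner = ring.lookup(10, 35)            # key 35 now belongs to node 40
    chain = Ring(ids, r=1)                 # the "linked list" case from comment 46
    chain.fail(20)
    return repaired, ring.succ[10], owner, chain.stabilize(10)
```

With r = 3 the node at 10 survives two adjacent failures and ends up pointing at 40, 50 and 60; with r = 1 (a plain linked list) the same single failure leaves it with nothing to repair from, which is the partition the comment describes. For a worm this also means that a defender who takes down fewer than r consecutive nodes at a time has not actually broken the ring.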

  47. Commnication is a prerequisite to "genetics" by goombah99 · · Score: 2

    Communication is a prerequisite to "genetic" evolution. After all, how do you think sexual evolution came about? The real difference in the analogy is the sophistication of the host. In the real world hosts and parasites co-evolved. An early parasite did not have to be a very clever bug, just be one step ahead of its equally dim host; each co-evolving to exploit each other's weaknesses. Now we have some really complex or really simple but tricky bugs that have a level of sophistication that seems miraculous. That is to say, if you were to create a man-made virus today without stealing the existing machinery from a natural bug, you would find it pathetically incompetent to deal with modern hosts. Likewise, current computer viruses are going up not just against sophisticated computer systems, but also against the human minds that are actively hunting them. Thus it's going to be a while before computer viruses can survive and mutate on their own. They will need human help to combat the humans trying to kill them. On the other hand, in China it appears there is a fertile breeding area where humans are not aggressively hunting bugs. This would be a good breeding ground for a simple bug to evolve to something actually AI quality.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  48. Scary but Preventable by photon317 · · Score: 4, Interesting


    In today's environment if a group of intelligent hackers with a wide range of skills deployed and attempted to control a Curious Yellow, they would probably succeed, although they would have to start with months of planning and exploit-discovering to make sure they had pre-prepared their own "zero-day" exploits for a wide variety of platforms (wintel may be dominant, but unices and even routers could be crucial to some of the attack plans). And in order to keep up an arms race, they will have to continually hear of or discover on their own new exploits before they get widely patched.

    The whole problem here revolves around the insecurity of most operating system installs (especially Wintel, but commercial and free *nix are also relatively insecure by default). The real solution to scenarios like Curious Yellow on a global scale would be to secure all the operating systems by default. If every OS vendor would take a slightly more OpenBSD-ish tack on security, disabling most services by default and warning users of potential risks of turning them on misconfigured, auditing their code, and perhaps most importantly, open-sourcing their code for peer-review... it would severely limit Curious Yellow's ability to infect in the first place.

    However, I think it's a pretty safe assumption that that level of universal computer security won't happen in the near future, and that some bright people are already coding their Curious Yellow variants. In that case the best you can hope for is to secure your own systems against Curious Yellow by being more secure than the norm. You won't be able to stop the distributed attacks and service problems that will affect your network traffic, but at least you can avoid being part of the problem and avoid direct control of your machine. Take the cautious road - deploy an OS you can see the source of. Disable mostly everything that listens to a network port. Take advantage of security-upping kernel patches (grsecurity for linux comes to mind, a collection of stack protection, randomization of various things, finer grained access control, etc). Run a firewall, make sure you know what it's doing and why. Don't let any traffic in unless there's a need, and keep an eye on that traffic. As with human infections, early detection leads to a faster recovery. Snort is your friend.

    --
    11*43+456^2
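"Disable mostly everything that listens to a network port" starts with knowing what listens. The block below is an added example, not code from the post: it audits listening TCP sockets by parsing the /proc/net/tcp table format that Linux exposes, which is what tools like netstat read underneath. The sample table is constructed for the example (inode, uid and queue columns are filler); on a real host you would read /proc/net/tcp and /proc/net/tcp6 instead of the SAMPLE string, and the loopback test is the one assumption about what "reachable from the network" means.

```python
"""Added example: a listening-socket audit by parsing /proc/net/tcp format.

SAMPLE is constructed for the example; on a real Linux host read
/proc/net/tcp (and /proc/net/tcp6) instead. Not code from the original post."""
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample: sshd on all interfaces, cupsd on loopback, one session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 5E1C3A8B:C2F1 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22); the IPv4 part is little-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per row."""
    rows = []
    for line in text.splitlines()[1:]:       # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        rows.append((lip, lport, rip, rport, TCP_STATES.get(fields[3], fields[3])))
    return rows


def listeners(text):
    """Listening sockets as (ip, port)."""
    return [(ip, port) for ip, port, _, _, st in parse_proc_net_tcp(text) if st == "LISTEN"]


def exposed(text):
    """Listeners reachable from the network: bound to a non-loopback address."""
    return [(ip, port) for ip, port in listeners(text) if not ip.startswith("127.")]


if __name__ == "__main__":
    for ip, port in exposed(SAMPLE):
        print(f"exposed listener {ip}:{port}")
```

Run against the real table, the `exposed` list is the set of services that a Curious Yellow style exploit module could reach at all; anything on it that you cannot name a reason for is the first thing to disable, and what remains is what the firewall rule and the Snort signature have to cover.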
    1. Re:Scary but Preventable by ethereal · · Score: 1

      Exactly right.

      In the world after the global infection of the Internet by strains of Curious Yellow and the commercial availability of strains of Curious Blue, computer users will have a choice. One can either have a computer which is never connected to the Internet, risk almost certain infection and control by the various factions controlling Curious Yellow, or intentionally give control to the creators of Curious Blue.

      I think the risk of infection and/or control can be minimized by not using platforms that are known virus vectors of the past, and by aggressively using up-to-date systems to get patches quickly.

      In the worst case, you could have a "kill switch" manned by your OS platform provider, which when thrown will signal your machine to take itself off the 'net, or disable a particular service or daemon, until a patch is ready for the newest Curious Yellow vector. In some cases (if your TCP/IP stack was vulnerable, for instance) it would be pretty tough to get patched back up without getting infected, though.

      --

      Your right to not believe: Americans United for Separation of Church and

    2. Re:Scary but Preventable by AndreasL · · Score: 1

      They wouldn't really have to do much research.
      What if a modular system for exploits is used?
      It would be possible to make the worm, give it some basic exploits that are well spread to start with, and then add more modules and remove others with the help of the p2p net.

      You wouldn't even need to do research, security mailinglists could be enough.

  49. Port 80 by Anonymous Coward · · Score: 0

    Just use port 80 for communication. 43 as a back up.. Let's see them cut those ports off.

    -JR

  50. How to 0wn the Internet in your Spare Time. by nweaver · · Score: 5, Informative

    A better citation on worms and their strategies: How to 0wn the Internet in your Spare Time by Stuart Staniford, Vern Paxson, and myself.

    The warhol paper largely got rolled into the "0wn the Internet" paper.

    --
    Test your net with Netalyzr
  51. A worm with a GOOD purpose? by Anonymous Coward · · Score: 2, Interesting

    I've been wondering for a few days about this...

    What about a worm whose only effect was to change the MS Word default saving format to .rtf, then propagate?

    I'm sure we would quickly have a world of MS morons saving their docs in an open file format, because they can't figure how to change back to their old .doc.

  52. Biological viruses by HisMother · · Score: 4, Interesting

    Perhaps the parallel to biology is too obvious to bother pointing out, but it's well understood in epidemiology that viruses that are quick to incubate, and nearly always fatal, historically couldn't propagate far and so haven't led to epidemics. This is why, for example, there are no Ebola epidemics: it kills such a high percentage of its victims, so quickly, that the virus effectively starves itself to death.

    Of course today, with high speed travel so prevalent, we're giving the virii a hand in propagating, and doomsday scenarios become possible...

    *shudder*

    --
    Cantankerous old coot since 1957.
  53. Asking for trouble... by Anonymous Coward · · Score: 5, Interesting

    ..but here goes. You have a worm that divides up the address space in two and infects one machine in each partition. The new worms do the same. Just how many partitions should we have: 2, 10, 100?

    Then you make the child check up on its parent every now and then. When its parent fails to respond it tells its own children that this event has occurred (a sort of reverse TTL); when a child receives an rTTL of say 10 or more it knows that the game is up and goes berserk! Maybe additionally it could check on its siblings.

    Thus killing the worm could (potentially) cause more trouble than if it were left alone. To kill it would require a pseudo parent to replace the real parent which would be able to report the IP of the infected child machines.

    It's all getting very X-Files this.

    Perhaps the partitioning 2, 10 or 100 is based on the rTTL. When no one has noticed use a small partition; when people start to kill off the parent then crank up the partitions.

    MLM goes (truly) viral!

    1. Re:Asking for trouble... by Anonymous Coward · · Score: 0

      A friend of mine came up with a similar idea regarding decentralized P2P apps.

      Many universities try to block or limit P2P traffic, because it takes up too much of the university's bandwidth.

      The solution: Have the application check the network. If it detects that it is being blocked, have it enter PANIC MODE!

      Panic mode could range from anything to actively sending out 'hello' messages 5000 times a second on every port, to sending DivX collections...

      The idea is that as soon as the university's IST staff blocks the most generally used port, the situation will get even worse, not better.

  54. Three letters, "RTM" by Anonymous Coward · · Score: 0

    Sometimes the worms that don't have any intelligence can still do quite a bit of damage.

  55. Don't forget the DMCA by mmol_6453 · · Score: 3, Funny

    By preventing them from copying the data in your head (by RF shielding your brain), you're violating their copyright.

    Careful... ;)

    --
    What's this Submit thingy do?
    1. Re:Don't forget the DMCA by djkitsch · · Score: 1

      By preventing them from copying the data in your head (by RF shielding your brain), you're violating their copyright.

      And, quite possibly, the copyright on tin-foil hats...

      --
      sig:- (wit >= sarcasm)
  56. ''Here are some crazy ideas I had'' by Tom7 · · Score: 1, Flamebait


    This is not a technical whitepaper. This is a dream that a college kid had about a supervirus that controlled the whole internet. It would be much more interesting if he had also dreamed up an implementation, since there are loads of difficult issues that come up when you're forced to detail this kind of idea in the way that's needed to actually write a program. Not even worrying about the obvious scaling issues (especially with regard to failure recovery), there are a bunch of assertions made in the text that are simply wrong, or at least completely unproven. Take, for instance, the statement, "The only way to protect against Curious Yellow is to inoculate every computer with an anti-worm, Curious Blue, which uses similar technology to instantly distribute security patches." (???)

    Another example is the "Security, Cryptography..." section, which is essentially just a rambling narrative of a hypothetical situation based on some messed up assumptions:

    "Due to the large size of private keys, they cannot be easily remembered and so must be stored electronically somewhere."

    Sure, but it's easy to store them encrypted with some memorizable key. That's what PGP does, for instance, and stealing the encrypted private key is pretty useless!

    Vague statements like "Using statistical analysis of the propagation of code updates, the source of updates can eventually be traced," are equally underexplained and undermotivated. It's pretty easy to get data anonymously onto the internet -- there are anonymous remailers, web proxies, usenet servers (groups.google.com), etc. I recall a worm whose creator anonymously posted cryptographically signed updates to sci.crypt (or something like that), for instance. Using an internet kiosk or setting up a free AOL account from a payphone and then using one of these would be pretty damn hard to track.

    Basically, this is nothing more than wild speculation of the sort, "Wouldn't it be cool if...!", except without the if. Give us technical details and analysis, not a barely believable science fiction story!

    1. Re:''Here are some crazy ideas I had'' by sdeath · · Score: 1

      This is not a new idea, and the author of this "whitepaper" is a twit.

      Some time back on a mailing list far, far away, this got knocked around by myself and a couple of other people. (This was around the time of CR2.)

      As I conjectured at the time, and still believe, the primary reason most worms fail is that they are either

      a) written in a language with which 99% of programmers have very little skill (C, C++), or
      b) written in a remedial computer "language" that is useless to begin with (VB, macros, etc.)

      This is true with every known worm to date. The problem with VB and languages of that type, well, never mind. If you can't figure it out yourself, stop reading now. The problem with C and C++ is that it is extremely easy to shoot yourself in the dick with either of these languages. (See the Morris worm's replication-rate bug for an example.) The problem is that with such a language, if you do not do everything exactly right, there will be a flaw in your worm and it will most likely fail, subtly if not spectacularly.

      I conjectured that it would be a Good Thing (for he who wants to 0wn a large portion of the Internet) to investigate other languages instead. Prolog came immediately to mind. It seems ideally suited for this task as it is an intrinsically goal-oriented language. In addition, all the "complexity" of a Prolog program is hidden inside the resolution engine (which can be made quite small), so given that the resolution engine is operating correctly, if your program is well-designed, you have very few surprises to worry about. (Typically, although this is by far not a globally true statement, Prolog programs with bugs in them simply don't work, rather than failing subtly while appearing to work. That seems to make them a helluva lot easier to check.)

      The fact that Prolog is an interpreted language makes it nice and portable; it is possible to create system-dependent and system-independent goals, and let the program figure out where it is and how to deal with it at runtime.

      Also discussed for this bit of nastiness (I call it an "amoeba", after the slime mold which has similar traits) were the following:

      a) goals added to the database from non-local sources would require a signature for each goal or batch thereof to prevent poison goals from being automatically propagated through the network (said signature using a private key, held by the Evil Overlord, matching a public key distributed with the worm);

      b) "local" can be defined as being inside a clique of some finite size, say 10 computers, where goals and derived goals are propagated freely between members of the same clique, but not from members of different cliques unless they bear a valid signature;

      c) infection can be maintained within a clique and progress to new machines from the "axolotl" effect; that is, machines will attempt to replace hosts in the clique that are no longer communicating, and at some random point, will decide all other hosts in the clique are "dead" and will seek to regrow the entire thing;

      d) communication is probabilistic, not deterministic, since this is an effective means of frustrating attempts to locate infected machines; communications attempts are ignored at random, regardless of source or content, and spurious communications will be sent (random recipients, forged IPs, etc.)

      e) Randomizing of opcodes using several different tricks, like instruction reordering a la Intel, instruction rewriting (essentially, replacing instructions with a set of different instructions that performs the same task), etc. The rewriting bit is essentially lambda calculus. >;-> Statistics for rewriting seem to be fairly nasty; I haven't had any luck coming up with an analytic expression for them, and have foregone a mathematical approach for a good old-fashioned "high-water/low-water" method for dealing with the fact that unless all isomorphic instruction strings are the same size (which they're not), this thing will have some serious problems with unbounded growth at some point.

      These are a few of the ideas involved in this whole thing. Note carefully that none of this stuff is revolutionary; rather, it simply brings some old concepts back and puts them in a newer context. Once someone jerks their head out of their arse and figures out that C/C++/Java/whatever are not the best languages to do abso-fucking-lutely-everything in, this sort of thing will pop up and will be nastily difficult to defeat. (If indeed it's even discovered.)

      -SD

      --
      I am Chaos. I am alive, and I tell you that you are Free. -Eris
  57. Curious Yellow? by Anonymous Coward · · Score: 0

    Word from GameCat to virus writers:

    Have patience kitlings. Remember, you only get from the Vurt what you're willing to put in.

    Go StashRiders!

  58. Re:Precedent (sufficiently OT) by piranha(jpl) · · Score: 1
    Too bad the lameness filter (or whatever the piece is called) royally munged up any chance of validating that GPG signature. (For instance, I'd imagine there should be line breaks in that post.)

    For those that aren't aware, it's pretty common to see long strings, like URLs, broken up by spaces by Slashdot's comment engine. Not to mention there is no <pre> facility; one has to use <code> and <br> elements. This makes pasting literal or fragile text, like GPG-signed text, very hard to do.

    If you're real lucky, the lameness filter tells you something silly, like "your lines aren't long enough", or "you need more non-strange characters". Even in legitimate comments. (Isn't that what moderation is for?) Grumble.

    Thanks, Slashdot!

    </rant>

  59. Digital RNA by goombah99 · · Score: 2
    I think maybe it would take two ingredients. The first ingredient is that code needs to act less like a sequence of instructions and more like a set of routines all acting simultaneously. That is sort of like multi-threaded object oriented coding where each object has its own thread and they send messages to each other. This would emulate the freeform communication and expression of DNA in cells.

    On top of this layer we add "digital DNA," which now is merely a new object which adds new functionality both through its own code and through the interactions it has with other objects. Some objects might even "delete" other objects from the DNA. Other objects would act as vectors ('installers') for installing more DNA. Some would act as export objects, sending copies of object "DNA" to other viruses.

    The current problem is that you can't just overwrite code with new code and expect it to work. Basically, by setting up an object competition model, new code that is flaky does not kill the virus. This allows adaptation.

    Real viruses often cut chunks of DNA out of their hosts, put their own wrappers (i.e., objects) around it and try it out and see what happens. If it's useless it eventually dies out in some generation. If it's useful you have some interesting new DNA.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  60. warhol worms by trybywrench · · Score: 1

    Here's a paper explaining the properties of a Warhol worm. It sounds pretty interesting but I get the feeling a lot of things have to be "just right" for it to work as advertised.

    http://www.cs.berkeley.edu/~nweaver/warhol.html

    --
    I came to the datacenter drunk with a fake ID, don't you want to be just like me?
  61. So is this a hydra? by BitwizeGHC · · Score: 2

    One of those multiheaded worms to sniff out information on 7 different networks at once, like from Swordfish? Can it break 512-bit encryption like Halle Berry said?

    --
    N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
  62. Could be used to do pretty bad damage by cras · · Score: 1

    I've thought a few times of a network like this. It could even try to be very stealthy in communicating with others by transferring data along normal traffic, automatic mutation, infecting also files to be carried outside the internet, etc.

    Once almost all computers in the world have been infected by the worm, the guy in charge of them could just decide to make the worms format hard disks, see if they can delete other files from the network, and finally try to physically destroy the computer. I find that a pretty interesting scenario :)

  63. MAD by ethereal · · Score: 2

    If this were doable, I can really see a future of detente for the 'net. If you had a worm that would essentially take over the 'net, but you didn't know if it would really work or not, and the consequences for trying and failing were pretty severe, then you wouldn't want to try it out. You'd wait, and only if someone else released theirs would you fire off yours. Assuming that this idea isn't too tough for more than one group to figure out, within hours of the release of one superworm the 'net will be swarming with several different variants of the same idea, all fighting to ensure that their creators get a little piece of the soon-to-be balkanized network. Imagine not just tracking, fingerprinting, and distributing fixes for one of these plagues, but trying to fend off several at once, all of them able to almost instantly distribute defensive tactics, etc.

    Frankly, the only way you could salvage the 'net (short of a complete reinstall on millions of machines) would be to partition it to cut down the communications avenues, and then sterilize each small subsection one by one. And unfortunately the triumph that is Internet-style routing probably means that partitioning the damn thing would be a lot tougher than you would think.

    --

    Your right to not believe: Americans United for Separation of Church and

  64. Here's another scary thought by laigle · · Score: 1

    Imagine if, instead of creating a P2P network of a given virus, somebody simply constructed a viral "protocol" and distributed it over the net. Then, a given virus writer wouldn't necessarily have to have his virus communicate with other infected units, which can be caught via firewall and packet sniffing. He might be able to have his virus get update information about what anti-virus systems were doing or how to evade the latest firewalls whenever a new viral file pops up on the machine, because he would know his virus is "0wnz0r3d 2.0 compliant" or some such.

    I mean, we've all seen computing clusters and corporate nets that are just swimming in virii because of lax security procedures, and some of us have the unfortunate experience of having to try to get data from one of them to our virus scanned, firewalled, packet sniffed pristine unit on another network, or worse to our home PCs. Imagine if that cluster was evolving every few hours while one of its clueless users was trying to figure out why that .exe file from his email didn't really show him pics of Anna Kournikova, so that the virii on it would know the latest virus definitions on our sniffers and be smart enough to change to account for them, all without easily filterable upstream communication.

  65. So get infected on purpose! by Anonymous Coward · · Score: 0

    You heard me... let a "machine" get infected by the worm, and then analyze the behavior. By "machine" I mean a virtualized host, such as user mode Linux or anything else you can totally encapsulate.

    Then you will know exactly what the worm is doing, and can use that data to respond to the threat.
    Bonus points for rigging it so that the infected box isn't able to cause problems for other networks while you analyze it.

  66. Re:Precedent (sufficiently OT) by Anonymous Coward · · Score: 0

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    i was able to verify this quite easily by selecting my entire message, pasting it into a text file, and using gpg --verify on the file from the command line. for whatever reason, my gpg client ignores or removes whitespace in signature lines. what are you using?

    - -s.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: i am sllort and i post AC

    iD8DBQE9uXr6Kpz2COjVE3YRAsQiAJ0RwG+CQP9lCh0xuINU 8J fCfOF3QQCgomlf
    7Xpr8WCDrCIJHm/f9B3LV4g=
    =D+Ys
    - ----END PGP SIGNATURE-----

  67. Malicious Distributed Computing by Thomas+the+Rhymer · · Score: 1

    Windows users are already suffering from this. Kazaa "Pro" installs the Brilliant distributed ad server which goes a whole way further than the typical spyware and adware. Maybe Brilliant are an agent of RIAA, who knows? Maybe the whole Kazaa thing is funded by RIAA. But the RIAA are too dumb to have read "The Prince". www.oartech.oar.net/library/presentations/apr-2002/kazaa.ppt I omit the Kazaa URL - /. users probably know where to find the terrible Dutch brothers (hint: offshore).

  68. Easy yes, Legal No. by Dareth · · Score: 1

    As has been discussed a thousand times before, but still needs to be pointed out: worms on systems you do not have legal usage rights on are not allowable. The solution is no better than the problem. Do you want Microsoft, Symantec/Norton, McAfee, etc. to run their patch worms on our systems? There is no such thing as a universally trusted entity. And if there even was, then you are down to a single failure point for further and worse exploitation.

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  69. Remember that when you kiss her afterwards... by Anonymous Coward · · Score: 0

    ... Then you taste like what she ate last!!

  70. It was published 25 years ago! by plover · · Score: 4, Interesting
    [ First, remember that pesky First Amendment thing that lets us print what we want. Law enforcement couldn't stop the magazine "The Progressive" from printing plans for an atomic bomb in 1979. An exploratory theory of a computer worm is not even in the same league. ]

    Next, this is not new news, and not by a long shot. "The Adolescence of P1", a 1977 novel by Thomas Ryan, discusses a worm almost exactly like Curious Yellow. In it, the worm evolves along three lines: a hunger for new nodes, a paranoid fear of detection, and random mutation.

    It takes over virtually every IBM computer in the world, which in 1977 was many thousands, and the author even deemed non-IBM computers as statistically irrelevant. Just as Nimda takes over unsuspecting Microsoft IIS Win2K machines, and deems others irrelevant.

    The parallels are striking.

    (In the novel, the random mutations cause it to develop sentience, at which point it starts reading news articles and tracks down its creator. But that's just where the "fiction" part of science fiction kicked in.)

    It was a great read when I was back in high school. It may be dated, but it is prophetic.

    I have to go home tonight and dig this out of my bookshelf. I think it now deserves a reread.

    --
    John
  71. Just a thought... by coliva · · Score: 1

    If someone gets a U.S. patent for the concept of attack worms, will they be able to sue and get royalties from others that construct attack worms? After all, patents on other ways of doing things on the web, like "one-click" purchases have been granted such protections.

  72. Obligatory Vernor Vinge Reference by spun · · Score: 2

    True Names is a great short story about such a worm. It's one of the best "hacking" stories ever written, and one of the earliest stories written about cyberspace. To say much more about the worm or its author would give away a major plot twist, but the protagonists use something like Curious Blue as well, to counterattack.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  73. Damn, I was thinking about this weeks ago by Anonymous Coward · · Score: 0

    I had the same thoughts about a next generation worm that involves multiple operating systems.

    WhatMeWorry!

  74. "optimal" virus strategies by No+Such+Agency · · Score: 2

    It is not optimal for a virus to kill its host. Ever. End-of-story.

    Evolution selects for whatever increases reproductive success RIGHT NOW, not what might be theoretically optimal. It might be situationally "optimal" to the virus for the host to walk into a crowded room and explode in a shower of highly infective blood. This is basically what happens with Ebola, the patient becomes incredibly infectious to people around them. To be fair, your wife is (of course) correct that this sort of transmission usually is associated with new hosts, as in the case of Ebola. I bet the "wild" host for Ebola carries the virus without dying, perhaps having periodic bouts of the bloody runs to assist in spreading the virus to its conspecifics.

    --
    Freedom: "I won't!"
  75. Evil Genius by jACL · · Score: 2

    No, I'm not an evil genius -- just a paranoid engineer (having done way too much security work). This guy is an Evil Genius(tm). I especially like the Kindergarten Death Squad and the argon-filled mylar balloon stunts...

    --
    "It remains to be seen if the human brain is powerful enough to solve the problems it has created." Dr. Richard Wallace
  76. Why the hell not? Re:A worm with a purpose? by Pliny · · Score: 1

    Hide a EULA in your HTTP:// headers that authorises you to tinker with the machines of anybody who tries to access your box....

    --
    What does this button d$#%* NO CARRIER
  77. And here I thought it was a Jeff Noon reference by complexmath · · Score: 1

    "Curious Yellow" is also a term from his novel, "Vurt."

  78. This is nothing. by NinjaGaijin · · Score: 1

    Just wait until he starts making killer robots with really gimmicky powers like bubbles or plants. Then the only thing to do is sit back and hope the little blue guy can save us.

    --

    A sig is a sig of course of course...
  79. Benevolent Distributed Computing by arn@lesto · · Score: 1

    Infect the net in 15 minutes. 15 seconds if we believe some other papers.

    Have the worm/virus announce itself by killing off the most common other viruses. That's all. The logs would go quiet as Nimda, Code Red, Klez and Bugbear stop. It would take a while for people to figure out that a new overlord was in town.

    If all it did was 'Benevolent' would there be any action to stop it? Whoever was controlling it would be outside the law.

    --
    - AndrewN
  80. Re:A worm with a [real]purpose? by AoT · · Score: 1

    why not take it one step further and use it to propagate genuinely useful things. i.e. use a similar worm to set up freenet nodes all over the place. or use it to set up an anonymous cloud network that all infected computers use. i'm sure there's more i'm not thinking of.

  81. Isnt publishing that illegal? by nurb432 · · Score: 2

    Not that i agree it should be, but i was thinking that it violated some act/law or something or other related to terrorism/warfare..

    But i could be wrong.. dont have the name of the law handy to verify.

    --
    ---- Booth was a patriot ----
  82. Misc thoughts by "Zow" · · Score: 2

    Like many others, I've been throwing around ideas along these lines for a while. More to the point:

    1. How do we know this hasn't already been done (and I don't just mean Kazaa)?
    2. What if the worm were to patch the security problems it found on the victim system? In the process it could "evict" any other worms or back doors on the system. Essentially, it gets the machine all to itself.
    3. How would this worm avoid Honeypots?
    4. I think the key to internode communication would be covert channels (see the recent thread on the SF Vuln-dev mailing list), more so than encryption. More specifically, the worm will want to avoid disrupting the statistical characteristics of the network that it's using. The best way to go about that is most likely to lay dormant for a week or so after the initial infection of the system to develop a statistical model of the local network traffic.
    5. "such as people attempting to escape human-rights-violating regimes, international terrorists, and music fans", yes people, it's official: music lovers are now lumped together with political agitators and terrorists. Burn your CD collection before they get you.

    All in all though, I think the main limiting factor to such an undertaking is its usefulness. I mean, what could be done with such a network while retaining its stealthy qualities? Any computation I can think of would require so many resources as to violate the stealthy nature of the beast. That is, even if such a calculation is network efficient, I think the high CPU usage would tip people off. Even if you patched the system so that task manager, top, etc. didn't report the worm's CPU usage, some people would notice that their computers are noticeably warmer, laptops have a shorter battery life, etc. If the creator of the network were to try to gain in any way through the use of stolen credit card or bank info, law enforcement would track them down when they try to use that information. So as another poster noted, this is really just a fancy way of saying "1 0wn y0u", which is really juvenile. Interesting thought exercise though.

    -"Zow"

  83. Curious Yellow, Blue, Crypto, Minow by billstewart · · Score: 2

    Kids these days don't know cultural references. The article refers to Curious Yellow and Curious Blue, and also to cryptography. The late Martin Minow, one of the Cypherpunks cryptography community, lived in Sweden for a number of years working for DEC, later moving back to North America. During that time, he did a number of things, including the English translations of the movies "I Am Curious (Yellow)" and its followon, "I Am Curious (Blue)".

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  84. Sooooo Right! by kaladorn · · Score: 2

    I don't think I want my e-mail tool running anything (macro, external executable, script, etc). And I don't accept document/data formats that allow embedded macros very comfortably (word docs, etc). Yes, it means sometimes I don't see the neat new thing someone sends me. But generally they can (if it matters) send it as plaintext, html or a simple image format.

    Gosh, I wish I had some mod points to burn just now.... that's one of the best (even if it is obvious to most of us) points....

    --
    -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
  85. Re:A worm with a [real]purpose? by phorm · · Score: 2

    Because then it would be useful to the creator, but setting up freenet would be using somebody else's resources for your own purposes. Getting it to fix "code-red'ers" is somewhat different, they're already using up your resources (a large portion of traffic on small web-servers nowadays can be code-red) because they're too uninformed/lazy/incompetent to patch their own servers.

  86. Re:Precedent (sufficiently OT) by Anonymous Coward · · Score: 0
    i was able to verify this quite easily by selecting my entire message, pasting it into a text file, and using gpg --verify on the file from the command line. for whatever reason, my gpg client ignores or removes whitespace in signature lines. what are you using?

    That's more fortunate than I would have expected (I didn't bother trying). I ran 'gpg --import' and pasted your two comments on this thread to standard input; indeed, the check succeeded. Neat.

    You may wish to submit your public key to a key server. I may wish to post as AC, only to avoid karma loss.

    -piranha(jpl)

  87. Ultimate P2P Windows Worm: The Unpatching Worm by Anonymous Coward · · Score: 0

    A simple but devastating Windows worm design would be one that selected a local system DLL at random, asked a peer worm on a similar system for its timestamp for the same DLL, then replaced the newer DLL with the older one. Other than some minor details, that's it.

    This would be subtle and very damaging: systems in the worm network would progressively become unpatched against security vulnerabilities. It would be computer equivalent of an autoimmune deficiency like AIDS. Little harm would be done directly, but it would undermine sysadmin patches and open up the host to infection from all other earlier known forms of attack.

    The dynamics of such a P2P worm system as a whole would be to eventually seek the lowest common denominator patch level.

    Such a worm would ideally not render Windows systems inoperable/defunct, so maybe only a small subset of system DLLs would be considered and some date limit to the degree of DLL downgrading might need to be incorporated. This is all hypothetical, but such a worm would make maximum benefit of the "DLL hell" weakness of Windows.

  88. No problemo by Anonymous Coward · · Score: 0

    Just make sure it's got a EULA !

  89. sign the patches by ZigMonty · · Score: 2

    alternatively release a fake "wormcode patch" which poisons nodes after they pass it on. Such an anti-virus-virus would take the network down in less than 15 seconds.

    What's to stop the code from using crypto to sign the patches? Worms have the public key, author has the private key. Simple and reasonably bullet proof.
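
The signed-patch design in this comment is the same one any distributed update mechanism (Curious Blue's patch distribution included) needs to survive the poisoned "fake patch" scenario in the comment above. As an added illustration that is not from the thread or the whitepaper, here is a node that carries only an embedded Ed25519 public key and a version counter, and accepts an update only if the signature verifies and the version is strictly newer, so a forged, tampered, replayed or downgraded update is rejected and never forwarded. The Update format, the version-prefix signing layout and the function names are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is one patch as exchanged between nodes (assumed format, not from the thread).
// Sig covers the version counter as well as the payload, so an attacker cannot
// re-label an old, legitimately signed payload with a different version number.
type Update struct {
	Version uint64
	Payload []byte
	Sig     []byte // ed25519 signature over signingBytes(Version, Payload)
}

// signingBytes is the exact byte string that is signed and verified:
// 8-byte big-endian version followed by the raw payload.
func signingBytes(version uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, payload...)
}

// SignUpdate is the issuer side: whoever holds the private key signs a new patch.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, signingBytes(version, payload)),
	}
}

// Node is the receiving side. It holds only the public key (shipped with the code),
// the version it currently runs, and the payloads it has applied, in order.
type Node struct {
	Pub     ed25519.PublicKey
	Version uint64
	Applied [][]byte
}

var (
	ErrBadSignature = errors.New("signature does not verify against the embedded public key")
	ErrStaleVersion = errors.New("update version is not newer than the installed version")
)

// Accept applies u only if it is authentic and strictly newer than what is installed.
// Signature is checked before the version, so an attacker without the private key
// cannot even probe which version numbers the node would consider fresh.
// An update that returns an error must not be forwarded to peers.
func (n *Node) Accept(u Update) error {
	if !ed25519.Verify(n.Pub, signingBytes(u.Version, u.Payload), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= n.Version {
		return ErrStaleVersion // replay or downgrade attempt
	}
	n.Version = u.Version
	n.Applied = append(n.Applied, u.Payload)
	return nil
}

func main() {
	// Constructed demo: a legitimate issuer, an impostor, and one node.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, impostor, _ := ed25519.GenerateKey(rand.Reader)
	node := &Node{Pub: pub}

	good := SignUpdate(priv, 1, []byte("patch-1"))
	fmt.Println("genuine v1:", node.Accept(good))

	poisoned := good
	poisoned.Payload = []byte("poison") // body altered after signing
	fmt.Println("tampered v1:", node.Accept(poisoned))

	fmt.Println("forged v2:", node.Accept(SignUpdate(impostor, 2, []byte("patch-2"))))
	fmt.Println("replayed v1:", node.Accept(good))
	fmt.Println("genuine v2:", node.Accept(SignUpdate(priv, 2, []byte("patch-2"))))
}
```

The version check is what keeps a signed-but-old patch from being pushed back onto nodes, which is exactly the downgrade path the "unpatching worm" comment earlier in this thread relies on.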

  90. I'm sorry... by Anonymous Coward · · Score: 0, Troll

    I'm sorry, but I regret to inform you that you have moderated my post wrong. The item you selected, Offtopic, should have been "Funny". Please try harder next time.

  91. Re:A worm with a [real]purpose? by AoT · · Score: 1

    i wasn't thinking of using it for 'my' purposes. i was thinking something that would be generally useful but wouldn't get broad distribution outside of the geek/. community.

  92. Re:A worm with a [real]purpose? by phorm · · Score: 1

    How would it stay within the community (unless perhaps it were linux-only)? It's not really a worm if it's voluntary; then it's a form of distributed application such as has been mentioned in previous articles.

  93. Caffeine good by Chibi+Merrow · · Score: 0, Offtopic

    I always knew caffeine was the secret to consciousness...

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
  94. Only on Slashdot by Chibi+Merrow · · Score: 1

    Will you post a reply to a reply that was a reply to your reply and be marked Offtopic...

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them