Malicious Distributed Computing
Jeremy Erwin writes "In this whitepaper, Brandon Wiley suggests a possible design for a "superworm", a coordinated network of worm nodes. Typically worms are designed to infect as many hosts as possible, but as overly rapid growth can lead to early detection, this is a suboptimal strategy. The worm, dubbed Curious Yellow uses communication between worm nodes to ensure optimal infection rates."
(Tongue in cheek btw)
:) I bet someone will have a DMCA issue with this too. Hey Taco looks like we may have incoming! EEEKKK!
Isn't talking about stuff like that, well you know, illegal now? I'm certain that talking about theoretical virus attacks could be considered terrorism. I mean here you are talking about this horrible WHAT-IF scenario and giving bad people all sorts of good ideas (providing AID are we?) Hmmm I have a feeling that this post may cause trouble. I bet our FRIENDS at the Homeland Security office would like to speak to you =)
AWW BUT WHAT THE HELL DO I KNOW!
-=[ Who Is John Galt? ]=-
At some point, the worm will be detected, thus the slow infection rate will not be optimal.
What if... in order to decide whether the worm should switch to 'Turbo' infection speed, the worm queries google news for 'worm $0', and if the number of results > $we_have_been_discovered/, bang!
Previous worms used irc, but that doesn't guarantee that the author stays anonymous, does it?
This would be pretty cool if it was made artificially intelligent through a neural network. It could use its neural network to determine the best way to distribute across the physical network of computers.
FoundNews.com - get paid to blog.
the interesting thing here is the communication aspect. It's different than say a pre-programmed computer virus that does its thing on say jan 1 2000. Here the thing is adaptive and self organizing.
lets take this a step further. China is a breeding ground for both real and computer viruses. Real viruses like flu live in ducks, where they are harmless and mutate rapidly, transfer to pigs where they adapt to mammalian systems, then onto humans when they are ready. The Chinese computers, as discussed on slashdot, have become 80% exposed/infected to viruses.
currently these virii (computer) do not actually "breed" in the sense of evolving by themselves. But why not? Bacteria evolve during their own lifetimes by communicating (by exchange of circular DNA known as plasmids). If we start having computer-virus to computer-virus communication we will soon have the capability for viruses that breed and like a genetic algorithm "learn" new ways of infecting a host, learn to tune their rates of infection, and develop new and better communication protocols.
A question emerges then of what happens next. Most viruses follow the pattern of being at first increasingly virulent and deadly to their hosts. Then over time as they begin to kill too many hosts they evolve to become less virulent as a survival strategy. At the same time the surviving hosts have become better at killing them. A truce ensues where the bugs are too hard to completely kill because they mutate quickly.
Current viruses have the ability to replicate but not to evolve. The first step in evolving sexual reproduction is communication with another virus. Later will come information sharing and controlled mutation. Terminator here we come, but not the same way as the movie.
Some drink at the fountain of knowledge. Others just gargle.
On Flying: It's not the fall I'm concerned about -- it's the impact.
On Worms: It's not the distribution method I'm concerned about -- it's the impact.
Oh sure, this method is similar to the old nuclear war strategy -- "time on target" -- where the missiles were all set to arrive at their targets at the same time, increasing the surprise factor and decreasing the defensive options. But it's the bombs going off that really ruined your day.
After running plenty of all-nighters flushing out assorted virii from corporate nets, I've come to the conclusion that the worst infections are the ones that look like some other kind of problem. Imagine a worm that changes the IP address of random hosts to the gateway address, or is intelligent enough to worm its way around innocuously until it snags an admin account and can begin 'remote registry' operations, or changes the nameserver addresses to trojans that redirect shopping sites to credit card collection impersonation sites. That kind of stuff is the hard stuff to defend against, because you don't know it's happening until way after it happens.
"It remains to be seen if the human brain is powerful enough to solve the problems it has created." Dr. Richard Wallace
I thought that the exponential behaviour of worms was deliberate to use all bandwidth and cause disruptions. I guess the slower worm being proposed would carry some other payload and probably be more damaging to individual machines instead...
-- Mike
This would actually make a point to worms, etc. Right now most of them seem to be one of three:
-(publicity) Hey, I'm an elite hacker, I've infected half the world's computers
-(revenge, idiocy, attack) I'm pissed at the world and for that your PC's will pay
-(information theft/hijacking) There's something on your computer I might want, and now the door is open to get it
Now, we have a type 4
-All your base are belong... er, I mean, we are the borg, you will be assi... er...
basically, an advanced form of "W3 0WN 40U."
Distributed worms could actually have a point though... There are still certain questions that any individual PC cannot solve (for which they are building voluntary, non-malicious, distributed systems) that could be processed by this worm. Curious blue (the fix to "curious yellow") could be launched as an "anti-worm, worm" using the same exploit as curious yellow to self-patch the hole.
Similarly, such a worm *could* be used to repair other known large-coverage bugs.
Of course, it would be just as illegal to create/launch "blue" as it would be to create/launch "yellow", but wouldn't it be nice if somebody were to let loose something that goes around fixing those annoying "code-red" and "nimda" infected systems still running amok?
Unfortunately, I cannot even use my own server with a "counterprocedure" to go out and repair those idiot machines that keep trying to access /windows/system/CMD.exe on my linux machine, so nobody can do this legally (it seems that using an exploit is an attack, regardless of intent or method).
Black hat hackers can't touch me, I run Red Hat not Black Hat - phorm
Sniff for packets containing the SHA1 hash of known infected nodes. Follow the links to eradicate the whole damn nest of the bastards.
alternatively release a fake "wormcode patch" which poisons nodes after they pass it on. Such an anti-virus-virus would take the network down in less than 15 seconds.
To be more robust, this worm has to start thinking smarter: it has to organise itself into a network of cells which are networks, rather than one big flat network. That way, only one node in each cell knows about only one node in an adjacent cell. If node A in cell 1 knows about node A' in cell 2, then when it gets compromised, it cannot betray nodes B', C' or D'.
Get the worm to spread until it knows about x number of nodes, and then tell each node that they are suddenly the only node in a new cell, and that all their old cell buddies are just their external contacts to other cells. repeat the process until you have global domination.
That way you can still issue orders, if you have access to the original cell, but if that cell dies, then the worm turns into many rogue cells which act on their standing orders... and any anti-virus-virus "patch" would have to start from the original cell....
It is not optimal for a virus to kill its host. Ever. End-of-story.
Because a virus cannot live outside of a host, it is important that the virus keep its host alive as long as possible. Therefore, each virus evolves in an "optimal host". This host is a type of life (animal, plant, even bacteria), in which the virus exists without killing the host. The problem arises when the virus tries to expand its territory to a non-optimal host. In some of these hosts, it can't even get a footing, and dies off without infecting cells. In others, however, it infects the cells in a non-optimal way, killing the host (and with it the virus).
For example, ebola tends to kill people. Depending on the strain, it's between 50% and 90% fatality in humans. Obviously, humans are not ebola's optimal host. However, there are some species of bats that carry the ebola virus, and are not affected by it. These bats are the natural hosts of ebola, allowing the virus the best opportunity to survive without overpopulating.
This is all from memory, as my wife's at work, so corrections are appreciated.
I can't say that I don't give a fuck. I've just run out of fuck to give.
The major problem is how the network fixes itself. Nodes will go down - either because they just do, or because some sysadmin is going to notice traffic on some strange port.
I could see one node saying "Hey, my neighbor disappeared, we need a new node," but he doesn't know the neighbor's other neighbor. This is exactly like a linked list - if you delete a node before switching the pointers around, you've just created a memory leak.
Also, to make this thing branch, won't each node need at least three neighbors?
-Looking for a job as a materials chemist or multivariat
In today's environment if a group of intelligent hackers with a wide range of skills deployed and attempted to control a Curious Yellow, they would probably succeed, although they would have to start with months of planning and exploit-discovering to make sure they had pre-prepared their own "zero-day" exploits for a wide variety of platforms (wintel may be dominant, but unices and even routers could be crucial to some of the attack plans). And in order to keep up an arms race, they will have to continually hear of or discover on their own new exploits before they get widely patched.
The whole problem here revolves around the insecurity of most operating system installs (especially Wintel, but commercial and free *nix are also relatively insecure by default). The real solution to scenarios like Curious Yellow on a global scale would be to secure all the operating systems by default. If every OS vendor would take a slightly more OpenBSD-ish tack on security, disabling most services by default and warning users of potential risks of turning them on misconfigured, auditing their code, and perhaps most importantly, open-sourcing their code for peer-review... it would severely limit Curious Yellow's ability to infect in the first place.
However, I think it's a pretty safe assumption that that level of universal computer security won't happen in the near future, and that some bright people are already coding their Curious Yellow variants. In that case the best you can hope for is to secure your own systems against Curious Yellow by being more secure than the norm. You won't be able to stop the distributed attacks and service problems that will affect your network traffic, but at least you can avoid being part of the problem and avoid direct control of your machine. Take the cautious road - deploy an OS you can see the source of. Disable mostly everything that listens to a network port. Take advantage of security-upping kernel patches (grsecurity for linux comes to mind, a collection of stack protection, randomization of various things, finer grained access control, etc). Run a firewall, make sure you know what it's doing and why. Don't let any traffic in unless there's a need, and keep an eye on that traffic. As with human infections, early detection leads to a faster recovery. Snort is your friend.
11*43+456^2
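The advice above to "disable mostly everything that listens to a network port" is only actionable if you know what is listening. The following is an added example, not the commenter's code and not part of the original thread: it parses the Linux /proc/net/tcp socket table, keeps the LISTEN-state entries, and reports any that are not on a per-host allowlist. The allowlist and the sample table contents are constructed for the example; the decoding of hex, host-byte-order addresses (0100007F = 127.0.0.1, state 0A = LISTEN) follows the real /proc/net/tcp layout.

```python
"""Audit listening TCP sockets (Linux /proc/net/tcp) against an allowlist."""
import os
import socket
import struct
from dataclasses import dataclass

# Constructed sample in the /proc/net/tcp layout (not captured from a real host).
# IPv4 addresses are hex in host byte order (little-endian on x86), ports are hex,
# and the 'st' column is the TCP state: 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0500000A:0016 0100000A:C3A4 01 00000000:00000000 02:000A1B2C 00000000     0        0 10004 2 0000000000000000 20 4 30 10 -1
"""

# Hypothetical allowlist for this host: (bind address, port) pairs expected to listen.
# "0.0.0.0" allows the port on any address; a loopback-only service is listed on 127.0.0.1,
# so the same service bound to all interfaces is still reported.
ALLOWED_LISTENERS = {("0.0.0.0", 22), ("127.0.0.1", 631)}

LISTEN = "0A"


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    uid: int
    inode: int


def decode_addr(hex_addr: str) -> tuple:
    """Turn 'IPHEX:PORTHEX' into ('a.b.c.d', port); the kernel writes the address in host order."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text: str) -> list:
    """Return the LISTEN-state sockets from /proc/net/tcp-formatted text."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners.append(Listener(ip, port, int(fields[7]), int(fields[9])))
    return listeners


def unexpected_listeners(listeners, allowed=ALLOWED_LISTENERS) -> list:
    """Listeners not covered by the allowlist (a wildcard entry also covers that port on loopback)."""
    return [l for l in listeners
            if (l.ip, l.port) not in allowed and ("0.0.0.0", l.port) not in allowed]


def audit(path="/proc/net/tcp") -> list:
    """Audit the live table when it exists (Linux); otherwise fall back to the constructed sample."""
    if os.path.exists(path):
        with open(path) as f:
            text = f.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    return unexpected_listeners(parse_listeners(text))


if __name__ == "__main__":
    for l in unexpected_listeners(parse_listeners(SAMPLE_PROC_NET_TCP)):
        print(f"unexpected listener {l.ip}:{l.port} (uid {l.uid}, inode {l.inode})")
```

On the sample this flags only the 8080 listener owned by uid 1000; the inode is reported because it is what you grep for under /proc/*/fd to find the owning process. Run `audit()` on a real Linux host with your own allowlist; /proc/net/tcp6 has the same layout with 32-hex-digit addresses and would need a different decoder.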
I've been wondering for a few days about this...
What about a worm whose only effect was to change the MS Word default saving format to .rtf, then propagate?
I'm sure we would quickly have a world of MS morons saving their docs in an open file format, because they can't figure how to change back to their old .doc.
Perhaps the parallel to biology is too obvious to bother pointing out, but it's well understood in epidemiology that viruses that are quick to incubate, and nearly always fatal, historically couldn't propagate far and so haven't led to epidemics. This is why, for example, there are no Ebola epidemics: it kills such a high percentage of its victims, so quickly, that the virus effectively starves itself to death.
Of course today, with high speed travel so prevalent, we're giving the virii a hand in propagating, and doomsday scenarios become possible...
*shudder*
Cantankerous old coot since 1957.
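The epidemiological claim above (a pathogen that removes its hosts quickly cannot sustain an epidemic) is the same trade-off the paper's slow-spreading worm is built on. As an added illustration that is not part of the thread, the following deterministic SIR model shows it numerically: "fatal quickly" is modelled as a high removal rate, i.e. a short infectious period, and the epidemic dies out once transmissions per case (beta / removal_rate, the basic reproduction number R0) drop below 1. The parameter values and the population size are constructed for the example.

```python
"""Deterministic SIR model: a short infectious period starves an epidemic."""


def epidemic_size(beta, removal_rate, population=10_000, initial_infected=1,
                  dt=0.05, horizon=400.0):
    """Fraction of the population ever infected.

    beta:          transmissions per infectious host per unit time in a fully
                   susceptible population.
    removal_rate:  rate at which infectious hosts stop transmitting (death or
                   recovery); 1/removal_rate is the mean infectious period, so a
                   disease that kills within a day has removal_rate ~ 1.0 per day.
    Euler integration with a small dt; every term stays non-negative because a
    step removes at most removal_rate*dt of the infected pool.
    """
    s = float(population - initial_infected)   # susceptible
    i = float(initial_infected)                # currently infectious
    cumulative = float(initial_infected)       # ever infected
    for _ in range(int(horizon / dt)):
        new_infections = beta * s * i / population * dt
        removed = removal_rate * i * dt
        s -= new_infections
        i += new_infections - removed
        cumulative += new_infections
    return cumulative / population


def basic_reproduction_number(beta, removal_rate):
    """R0: expected secondary cases per case while nearly everyone is susceptible."""
    return beta / removal_rate


if __name__ == "__main__":
    beta = 0.5  # half a transmission per infectious host per day (constructed value)
    for label, gamma in [("survivable, ~10-day infectious period", 0.1),
                         ("fatal within ~1 day", 1.0)]:
        r0 = basic_reproduction_number(beta, gamma)
        size = epidemic_size(beta, gamma)
        print(f"{label}: R0 = {r0:.1f}, fraction ever infected = {size:.4f}")
```

With the same contact rate, the slow course (R0 = 5) infects almost the whole population while the fast-fatal course (R0 = 0.5) fizzles after a handful of cases. The worm analogue is the detection rate rather than host death: a worm whose noisy behaviour gets each infected host cleaned up quickly has a short "infectious period" in exactly this sense.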
..but here goes. You have a worm that divides up the address space in two and infects one machine in each partition. The new worms do the same. Just how many partitions should we have 2, 10, 100?
Then you make the child check up on its parent every now and then. When its parent fails to respond it tells its own children that this event has occurred (a sort of reverse TTL); when a child receives a rTTL of say 10 or more it knows that the game is up and goes berserk! Maybe additionally it could check on its siblings.
Thus killing the worm could (potentially) cause more trouble than if it were left alone. To kill it would require a pseudo parent to replace the real parent which would be able to report the IP of the infected child machines.
It's all getting very X-Files this.
Perhaps the partitioning 2, 10 or 100 is based in the rTTL. When no one has noticed use a small partition, when people start to kill off the parent then crank up the partitions.
MLM goes (truly) viral!
Dunno?!?
I found this distributed autonomous intelligence / network worm idea very interesting, I wrote an article about it a couple of years back. Since then I've improved upon my ideas and maybe I'll release the new version in the up and coming 29A Virus Zine.
(the article) .. http://fourq.host.sk/iworm-net.htm
Sorry if you find this information too strong for your delicate palate. Don't follow the link if you think it's going to upset you so much. ;]]
A-Life, Evolution in the 21st Century.
Next, this is not new news, and not by a long shot. "The Adolescence of P1", a 1977 novel by Thomas Ryan, discusses a worm almost exactly like Curious Yellow. In it, the worm evolves along three lines: a hunger for new nodes, a paranoid fear of detection, and random mutation.
It takes over virtually every IBM computer in the world, which in 1977 was many thousands, and the author even deemed non-IBM computers as statistically irrelevant. Just as Nimda takes over unsuspecting Microsoft IIS Win2K machines, and deems others irrelevant.
The parallels are striking.
(In the novel, the random mutations cause it to develop sentience, at which point it starts reading news articles and tracks down its creator. But that's just where the "fiction" part of science fiction kicked in.)
It was a great read when I was back in high school. It may be dated, but it is prophetic.
I have to go home tonight and dig this out of my bookshelf. I think it now deserves a reread.
John