Slashdot Mirror


Malicious Distributed Computing

Jeremy Erwin writes "In this whitepaper, Brandon Wiley suggests a possible design for a "superworm", a coordinated network of worm nodes. Typically worms are designed to infect as many hosts as possible, but as overly rapid growth can lead to early detection, this is a suboptimal strategy. The worm, dubbed Curious Yellow, uses communication between worm nodes to ensure optimal infection rates."

18 of 207 comments

  1. Don't they.. by papasui · · Score: 5, Funny

    ..already have this? I believe it's called KazaA ;)

  2. so by tps12 · · Score: 5, Funny

    The best way to infect as many hosts as possible is to make sure you don't try to infect too many hosts? How Zen.

    --

    Karma: Good (despite my invention of the Karma: sig)
    1. Re:so by FeloniousPunk · · Score: 5, Funny

      What is the sound of one worm propagating?

      --
      I know this because Tyler knows this.
  3. I've been thinking by palad1 · · Score: 5, Interesting

    At some point, the worm will be detected, thus the slow infection rate will not be optimal.

    What if... in order to decide whether the worm should switch to 'Turbo' infection speed, the worm queries google news for 'worm $0', and if the number of results > $we_have_been_discovered/, bang!

    Previous worms used irc, but that doesn't guarantee the author to be anonymous, does it?

  4. No need for inter-worm communications by Anonymous Coward · · Score: 5, Insightful

    It is quite simple actually. You program your worm to accept an attack range upon installation. Then you divide the IP space on every successful attack. If you start with 64 worm installs, give each worm 1/64th of the IP space to scan. Each worm would then scan/infect and pass down a smaller block. You would infect in a tree-like pattern, possibly doubling up scanning efforts.

    For example:

    64 initial worms go out at /6 bit boundaries. They plan on installing 64 worms each, giving each sub worm /12 bit networks to scan. Then /18, /24, /30

    With a little bit more intelligence you can target the worms on major ISP DSL/Cable networks to infect the home machines.

    1. Re:No need for inter-worm communications by dabuk · · Score: 5, Insightful
      It would be quite easy for the worm to get stalled in that case. If the worm that is supposed to infect one bit of the IP space gets detected and removed or if there is anything that would stop that machine infecting its IP space (like it's firewalled) then that bit of the IP space is never going to get infected.

      But if you combined those two schemes you could get worms reporting back that they're not getting anywhere and a new worm could start on that space.

  5. Re:Um, why?? by Pedrito · · Score: 5, Insightful

    It's absolutely responsible. Why wait for it to happen when you can warn about the possibility and actually give people a chance to build a defense before someone builds the weapon?

    Besides, he's not the first person to think along these lines. Though he has a number of ideas I had never considered, I had come up with an idea for a worm that would build a peer to peer network to coordinate its activities and prevent it from spreading too quickly.

    His idea for having it update itself against anti-virus software is something I hadn't considered and is quite ingenious, I think.

    I wouldn't have ever written such a program as I have too much useful software to write to waste my time, but I've certainly thought of ideas on how one might go about it. If I have, and he has, then chances are, so have others, and eventually someone who has the time and motivation will actually do it, so best to protect against it now.

  6. Of course by PygmyTrojan · · Score: 5, Funny
    The only way to protect against Curious Yellow is to inoculate every computer with an anti-worm, Curious Blue, which uses similar technology to instantly distribute security patches

    I'd say one good way to protect against it is don't open those files named YippeeImAnIdiot.jpg.vbs

    --

    Trying is the first step towards failure.

  7. Precedent by Anonymous Coward · · Score: 5, Informative

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    the Linux based 'Slapper' worm (link at end of message) was the first worm to create a peer-to-peer network of infected nodes. communication was basic, allowing the network to learn its own topology, and launch DDoS attacks as a single unit when commanded from a single remote location. the piece that Slapper is missing is authentication. imagine if the Slapper worm was written so that it carried with it a public key, and used that key to verify any command sent to it. the worm could be designed to not even reply to UDP requests whose signatures fail, making remote detection completely impossible. signed messages would allow the worm author to remotely control the entire network of infected nodes exclusively, distributing patches to combat wormbusters, upgrades to allow the worm to infect new systems, and commands to launch DDoS attacks on targets of his choosing.

    it's going to happen. you heard it here first.

    - -s.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: i am sllort and i post AC

    iD8DBQE9uR/OKpz2COjVE3YRAv1tAJ9HtLZ0AQDOfUvIGh4jz//N+aOtBQCgpQyI
    igaqDD9fmOA8+/7Apub1nAs=
    =XxoQ
    -----END PGP SIGNATURE-----
    http://zdnet.com.com/2100-1105-959385.html
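    The authenticated command channel this comment sketches, written out as an added example. It is not Slapper's code and not the Curious Yellow whitepaper's design; the wire format (an 8-byte sequence number, the payload, then a 64-byte Ed25519 signature over both) and the type names are assumptions made for the illustration. Each node carries only the public key, verifies every command, and answers nothing for a message that fails, so a seized node gives a defender no way to mint commands for the rest of the network, and the "fake patch" counter proposed later in this thread is rejected for the same reason a tampered or replayed message is.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Assumed wire format (illustrative, not Slapper's real protocol):
//   seq (8 bytes big-endian) || payload || sig (64 bytes, Ed25519 over seq||payload)
const seqLen = 8

// Operator holds the private key. Only the author ever has it.
type Operator struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	seq  uint64
}

func NewOperator() (*Operator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Operator{priv: priv, pub: pub}, nil
}

// Public is the key that gets baked into every node.
func (o *Operator) Public() ed25519.PublicKey { return o.pub }

// Sign issues the next command. The sequence number only ever increases, so a
// sniffed message cannot be replayed later.
func (o *Operator) Sign(payload []byte) []byte {
	o.seq++
	return SignWith(o.priv, o.seq, payload)
}

// SignWith builds a message under an arbitrary key; main() uses it to show what
// an attacker holding a different key ends up with.
func SignWith(priv ed25519.PrivateKey, seq uint64, payload []byte) []byte {
	msg := make([]byte, seqLen+len(payload))
	binary.BigEndian.PutUint64(msg, seq)
	copy(msg[seqLen:], payload)
	return append(msg, ed25519.Sign(priv, msg)...)
}

// Node carries only the public key, so seizing one yields nothing that can
// forge commands for the others.
type Node struct {
	authority ed25519.PublicKey
	lastSeq   uint64
}

func NewNode(authority ed25519.PublicKey) *Node { return &Node{authority: authority} }

// Handle returns (payload, true) for an authentic, fresh command and (nil, false)
// for anything else. A node built to the comment's spec sends no reply at all in
// the false case, so probing it with unsigned packets reveals nothing.
func (n *Node) Handle(raw []byte) ([]byte, bool) {
	if len(raw) < seqLen+ed25519.SignatureSize {
		return nil, false
	}
	body := raw[:len(raw)-ed25519.SignatureSize]
	sig := raw[len(raw)-ed25519.SignatureSize:]
	if !ed25519.Verify(n.authority, body, sig) {
		return nil, false // forged, tampered, or signed with the wrong key
	}
	seq := binary.BigEndian.Uint64(body[:seqLen])
	if seq <= n.lastSeq {
		return nil, false // replay of a command already acted on
	}
	n.lastSeq = seq
	return append([]byte(nil), body[seqLen:]...), true
}

func main() {
	op, err := NewOperator()
	if err != nil {
		panic(err)
	}
	node := NewNode(op.Public())
	genuine := op.Sign([]byte("update"))
	_, ok := node.Handle(genuine)
	fmt.Println("genuine command accepted:", ok)
	_, ok = node.Handle(genuine)
	fmt.Println("replayed command accepted:", ok)
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	_, ok = node.Handle(SignWith(attacker, 99, []byte("fake patch")))
	fmt.Println("attacker-signed patch accepted:", ok)
}
```

    The monotonic sequence number is the part such designs usually forget: without it, a defender who records one genuine "update" message can re-send it at will, which is enough to keep every node busy reinstalling an old version.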

  8. Like Real virususes by goombah99 · · Score: 5, Interesting
    There are any number of real virii and bacteria (like Tuberculosis) that use a quorum sensing mechanism before becoming hostile to their host. The bugs grow but in a mostly benign fashion, concentrating on infecting but not harvesting or killing their host. When their numbers reach a critical level they switch over and become massively virulent, making an all out assault on the host, overwhelming the defenses.

    the interesting thing here is the communication aspect. It's different than say a pre-programmed computer virus that does its thing on say jan 1 2000. Here the thing is adaptive and self organizing.

    lets take this a step further. China is a breeding ground for both real and computer viruses. Real viruses like flu live in ducks, where they are harmless and mutate rapidly, transfer to pigs where they adapt to mammalian systems, then onto humans when they are ready. The Chinese computers, as discussed on Slashdot, have become 80% exposed/infected to viruses.

    currently these virii (computer) do not actually "breed" in the sense of evolving by themselves. But why not? Bacteria evolve during their own lifetimes by communicating (by exchange of circular DNA known as plasmids). If we start having computer-virus to computer-virus communication we will soon have the capability for viruses that breed and like a genetic algorithm "learn" new ways of infecting a host, learn to tune their rates of infection, and develop new and better communication protocols.

    A question emerges then of what happens next. Most viruses follow the pattern of being at first increasingly virulent and deadly to their hosts. Then over time as they begin to kill too many hosts they evolve to become less virulent as a survival strategy. At the same time the surviving hosts have become better at killing them. A truce ensues where the bugs are too hard to completely kill because they mutate quickly.

    Current viruses have the ability to replicate but not to evolve. The first step in evolving sexual reproduction is communication with another virus. Later will come information sharing and controlled mutation. Terminator here we come, but not the same way as the movie.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  9. Tin foil hats! by djkitsch · · Score: 5, Funny

    Didn't you know? It's illegal to THINK about this kind of stuff now.

    Microsoft's clickwrap agreement now states that you're only licensing the right to use your own brain matter, and they're legally entitled to read it at their leisure?

    On with the tin foil hats....

    --
    sig:- (wit >= sarcasm)
  10. Worms and 'payload' by jACL · · Score: 5, Interesting

    On Flying: It's not the fall I'm concerned about -- it's the impact.

    On Worms: It's not the distribution method I'm concerned about -- it's the impact.

    Oh sure, this method is similar to the old nuclear war strategy -- "time on target" -- where the missiles were all set to arrive at their targets at the same time, increasing the surprise factor and decreasing the defensive options. But it's the bombs going off that really ruined your day.

    After running plenty of all-nighters flushing out assorted virii from corporate nets, I've come to the conclusion that the worst infections are the ones that look like some other kind of problem. Imagine a worm that changes the IP address of random hosts to the gateway address, or is intelligent enough to worm its way around innocuously until it snags an admin account and can begin 'remote registry' operations, or changes the nameserver addresses to trojans that redirect shopping sites to credit card collection impersonation sites. That kind of stuff is the hard stuff to defend against, because you don't know it's happening until way after it happens.

    --
    "It remains to be seen if the human brain is powerful enough to solve the problems it has created." Dr. Richard Wallace
  11. Re:w/ AI by scott1853 · · Score: 5, Funny

    Pfft, we could easily stop it with a tic-tac-toe worm that will make it aware of its own futility.

  12. easy way to kill it by nounderscores · · Score: 5, Interesting

    Sniff for packets containing the SHA1 hash of known infected nodes. Follow the links to eradicate the whole damn nest of the bastards.

    alternatively release a fake "wormcode patch" which poisons nodes after they pass it on. Such an anti-virus-virus would take the network down in less than 15 seconds.

    To be more robust, this worm has to start thinking smarter: it has to organise itself into a network of cells which are networks, rather than one big flat network. That way, only one node in each cell knows about only one node in an adjacent cell. If node A in cell 1 knows about node A' in cell 2, then when it gets compromised, it cannot betray nodes B', C' or D'.

    Get the worm to spread until it knows about x number of nodes, and then tell each node that they are suddenly the only node in a new cell, and that all their old cell buddies are just their external contacts to other cells. repeat the process until you have global domination.

    That way you can still issue orders, if you have access to the original cell, but if that cell dies, then the worm turns into many rogue cells which act on their standing orders... and any anti-virus-virus "patch" would have to start from the original cell....
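    The cell structure proposed above, as an added model (not code from the thread or from the whitepaper) that measures what a defender learns by seizing one node and "following the links", in a flat full-view network versus the cells scheme. The node names, the cell size, the choice that node A of each cell is the liaison, and the one-way direction of the inter-cell link are all assumptions of this illustration.

```go
package main

import "fmt"

// Knows maps each node to the nodes whose addresses it holds (directed edges).
type Knows map[string][]string

func nodeName(cell, i int) string { return fmt.Sprintf("c%d-%c", cell, 'A'+i) }

// Flat models a full-view network like Slapper's: everyone knows everyone.
func Flat(n int) Knows {
	k := Knows{}
	for i := 0; i < n; i++ {
		for j := 0; j < n; j++ {
			if i != j {
				k[nodeName(0, i)] = append(k[nodeName(0, i)], nodeName(0, j))
			}
		}
	}
	return k
}

// Cells models the comment's scheme: `cells` cells of `size` nodes. Inside a
// cell everyone knows everyone; only node A of cell i knows node A of cell i+1,
// and only in that direction.
func Cells(cells, size int) Knows {
	k := Knows{}
	for c := 0; c < cells; c++ {
		for i := 0; i < size; i++ {
			for j := 0; j < size; j++ {
				if i != j {
					k[nodeName(c, i)] = append(k[nodeName(c, i)], nodeName(c, j))
				}
			}
		}
		if c+1 < cells {
			k[nodeName(c, 0)] = append(k[nodeName(c, 0)], nodeName(c+1, 0))
		}
	}
	return k
}

// Exposed returns the nodes a defender learns of after seizing `start` and
// following the links for at most `hops` hops (hops < 0: until nothing new).
func Exposed(k Knows, start string, hops int) map[string]bool {
	seen := map[string]bool{}
	frontier := []string{start}
	for len(frontier) > 0 && hops != 0 {
		var next []string
		for _, n := range frontier {
			for _, m := range k[n] {
				if m != start && !seen[m] {
					seen[m] = true
					next = append(next, m)
				}
			}
		}
		frontier = next
		hops--
	}
	return seen
}

func main() {
	flat := Flat(16)
	fmt.Println("flat, seize one node, 1 hop:", len(Exposed(flat, nodeName(0, 1), 1)))
	cells := Cells(4, 4)
	fmt.Println("cells, seize c0-B, 1 hop:", len(Exposed(cells, "c0-B", 1)))
	fmt.Println("cells, seize c0-A (liaison), 1 hop:", len(Exposed(cells, "c0-A", 1)))
	fmt.Println("cells, seize c0-A, follow every link:", len(Exposed(cells, "c0-A", -1)))
	fmt.Println("cells, seize c3-B, follow every link:", len(Exposed(cells, "c3-B", -1)))
}
```

    Seizing any node in the flat network hands over all fifteen others at once; in the cell network a single seizure hands over three cell-mates, or four if the liaison is hit. The unbounded walk shows the limit of the scheme: because links point only forward, seizing the first cell's liaison and rolling up each liaison in turn still reaches every node, while seizing anything in the last cell reaches only that cell. Compartmentalization bounds what one capture reveals; it does not stop a patient defender who can keep compromising each node it learns of.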

  13. Re:Hmmm by EvilAlien · · Score: 5, Interesting
    I believe the US has ratified the Council of Europe Convention on Cybercrime, as has Canada. This treaty requires that signatories create criminal offences for possession of viruses or other "devices" designed to damage data/networks. I haven't read the whole damn thing yet, but doing time for actually possessing virus code isn't that far away.

    As far as law enforcement is concerned, go ahead and think about it... the national security types are who you need to worry about =)

    When is ThinkGeek getting Tin Foil hats with a stylish Tux logo?

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  14. [OT] Real viruses by aridhol · · Score: 5, Interesting
    Sorry, that's not how real viruses work. My wife's a virologist (studying ebola, if you care), and she's explained this a "few" times.

    It is not optimal for a virus to kill its host. Ever. End-of-story.

    Because a virus cannot live outside of a host, it is important that the virus keep its host alive as long as possible. Therefore, each virus evolves in an "optimal host". This host is a type of life (animal, plant, even bacteria), in which the virus exists without killing the host. The problem arises when the virus tries to expand its territory to a non-optimal host. In some of these hosts, it can't even get a footing, and dies off without infecting cells. In others, however, it infects the cells in a non-optimal way, killing the host (and with it the virus).

    For example, ebola tends to kill people. Depending on the strain, it's between 50% and 90% fatality in humans. Obviously, humans are not ebola's optimal host. However, there are some species of bats that carry the ebola virus, and are not affected by it. These bats are the natural hosts of ebola, allowing the virus the best opportunity to survive without overpopulating.

    This is all from memory, as my wife's at work, so corrections are appreciated.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  15. How to 0wn the Internet in your Spare Time. by nweaver · · Score: 5, Informative

    A better citation on worms and their strategies: How to 0wn the Internet in your Spare Time by Stuart Staniford, Vern Paxson, and myself.

    The warhol paper largely got rolled into the "0wn the Internet" paper.

    --
    Test your net with Netalyzr
  16. Asking for trouble... by Anonymous Coward · · Score: 5, Interesting

    ..but here goes. You have a worm that divides up the address space in two and infects one machine in each partition. The new worms do the same. Just how many partitions should we have 2, 10, 100?

    Then you make the child check up on its parent every now and then. When its parent fails to respond it tells its own children that this event has occurred (a sort of reverse TTL); when a child receives a rTTL of say 10 or more it knows that the game is up and goes berserk! Maybe additionally it could check on its siblings.

    Thus killing the worm could (potentially) cause more trouble than if it were left alone. To kill it would require a pseudo parent to replace the real parent which would be able to report the IP of the infected child machines.

    It's all getting very X-Files this.

    Perhaps the partitioning 2, 10 or 100 is based on the rTTL. When no one has noticed use a small partition, when people start to kill off the parent then crank up the partitions.

    MLM goes (truly) viral!
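    A toy model of the address-space partitioning tree from comment 4 (the /6, /12, /18 ... scheme), dabuk's objection that a node which never gets going leaves its whole block unscanned, and the reverse-TTL idea in this comment. This is an added example written for this page, not code from the thread or from the whitepaper; the space size, the 4-way split, the leaf prefix length, the rule that only leaves scan while interior nodes delegate, and the rTTL bookkeeping (children of a removed node get 1, each generation below adds one) are assumptions of the model.

```go
package main

import "fmt"

// Node is one worm instance in the delegation tree. A node owning a block with
// prefix length p hands each child a block of prefix length p+FanoutBits.
type Node struct {
	Prefix   int    // prefix length of the block this node owns
	Lo       uint64 // first address in the block
	Parent   *Node
	Children []*Node
	Stalled  bool // never got going: firewalled, or removed before it delegated
	Removed  bool // cleaned up after it had already delegated
}

type Model struct {
	SpaceBits, FanoutBits, LeafBits int
	Root                            *Node
}

func NewModel(spaceBits, fanoutBits, leafBits int) *Model {
	m := &Model{SpaceBits: spaceBits, FanoutBits: fanoutBits, LeafBits: leafBits}
	m.Root = m.build(nil, 0, 0)
	return m
}

func (m *Model) blockSize(prefix int) uint64 { return 1 << uint(m.SpaceBits-prefix) }

func (m *Model) build(parent *Node, prefix int, lo uint64) *Node {
	n := &Node{Prefix: prefix, Lo: lo, Parent: parent}
	if prefix >= m.LeafBits {
		return n // leaves scan their own block and delegate nothing
	}
	childPrefix := prefix + m.FanoutBits
	if childPrefix > m.LeafBits {
		childPrefix = m.LeafBits
	}
	for off := uint64(0); off < m.blockSize(prefix); off += m.blockSize(childPrefix) {
		n.Children = append(n.Children, m.build(n, childPrefix, lo+off))
	}
	return n
}

// Find returns the node owning the block of the given prefix length that contains addr.
func (m *Model) Find(addr uint64, prefix int) *Node {
	addr &= m.blockSize(0) - 1 // keep addr inside the modelled space
	n := m.Root
	for n.Prefix < prefix && len(n.Children) > 0 {
		for _, c := range n.Children {
			if addr >= c.Lo && addr < c.Lo+m.blockSize(c.Prefix) {
				n = c
				break
			}
		}
	}
	return n
}

// Covered counts addresses some live leaf actually scans. A stalled node's whole
// block is lost: nothing below it was ever created (dabuk's point).
func (m *Model) Covered() uint64 { return m.covered(m.Root) }

func (m *Model) covered(n *Node) uint64 {
	if n.Stalled {
		return 0
	}
	if len(n.Children) == 0 {
		return m.blockSize(n.Prefix)
	}
	var sum uint64
	for _, c := range n.Children {
		sum += m.covered(c)
	}
	return sum
}

// Hole is the number of addresses nobody will ever scan.
func (m *Model) Hole() uint64 { return m.blockSize(0) - m.Covered() }

// Alarmed counts nodes holding a reverse TTL >= threshold (threshold >= 1): each
// child of a removed node receives rTTL 1 and every generation below adds one.
func (m *Model) Alarmed(threshold int) int { return m.alarmed(m.Root, 0, threshold) }

func (m *Model) alarmed(n *Node, rttl, threshold int) int {
	if n.Stalled {
		return 0
	}
	count := 0
	if rttl >= threshold {
		count = 1
	}
	for _, c := range n.Children {
		next := 0
		switch {
		case n.Removed:
			next = 1
		case rttl > 0:
			next = rttl + 1
		}
		count += m.alarmed(c, next, threshold)
	}
	return count
}

func main() {
	m := NewModel(16, 2, 12) // 65536 addresses, 4-way splits, leaves own /12 blocks
	fmt.Println("covered with every node alive:", m.Covered())
	m.Find(0x4000, 2).Stalled = true // one of the four first-level blocks never got going
	fmt.Printf("hole after one /2 node stalls: %d of %d\n", m.Hole(), m.blockSize(0))
	m2 := NewModel(16, 2, 12)
	m2.Root.Removed = true // killed after it delegated: coverage intact, children notice
	fmt.Println("hole after removing the root:", m2.Hole())
	fmt.Println("nodes at rTTL >= 3 after removing the root:", m2.Alarmed(3))
}
```

    The two failure cases the thread argues about come apart cleanly in the model: a node that never delegates costs exactly its block (a quarter of the space here), while a node removed after delegating costs nothing in coverage but lights up every descendant with a reverse TTL, which is the "killing it causes more trouble" case; a pseudo-parent that keeps answering the children's checks is the only way to take a node out without that cascade.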