Slashdot Mirror


Curious Yellow, Superworm

jpmccord writes "Brandon Wiley's white paper, Curious Yellow, explains how "a superworm -- a worm that coordinates its actions among infected hosts and launches a massive distributed denial of service attack on any hosts it can't infect using those it can" (via disLEXia, a weblog by Maximillian Dornseif). The "doomsday scenario" frightens "even us", says Dornseif. An accompanying discussion rebukes Wiley's article a bit. Aaron Swartz's light-hearted take is rather entertaining: "So go read it now and find out how you can take over the whole Internet. And if you're going to, could you give me 24 hours' notice?""

11 of 167 comments

  1. worms to crawl by Bubblesculpter · · Score: 1, Interesting
    Maybe worms could crawl similarly to a spider.

    Why let the worms have all the fun?

    A spider attack could crawl all the webservers looking for IIS machines, or for flaws on other servers. Link by link, taking down servers...

    --
    www.Beyond7.com Insane modern art water sculpture.
  2. Biological counterpart? by the+bluebrain · · Score: 0, Interesting

    From the description, which seems very clear, I like the image the thought of "reverse-mapping" it back into meatspace evokes:

    There's a (biological) virus to which humans are either immune, or not - just like any other virus.
    The people who catch it, however, are turned into attack zombies primed to attack specifically the immune humans.

    ... yup, this dude's got all bases covered. Kenny's gonna die. (Sounds like a King novel. But mebbe a short one)

    --
    yes, we have no bananas
  3. Re:This is a repeat ... by devnullkac · · Score: 4, Interesting

    This is slightly OT, but it seems to happen often enough to warrant a comment on the point.

    I don't know what tools the Slashdot editors have available to them already, but it seems that the Slashcode already extracts all the links from previous stories (the Related Links box), so it shouldn't be too difficult to compose a story posting utility which looks for stories posted in the last x days which contain any of the same links as the proposed story, flagging possible duplicates.

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
  4. we are just lucky... by Lumpy · · Score: 5, Interesting

    These worm and virii writers are pretty harmless... If they were really malicious we would have seen Nimda doing things like delete *.doc *.xls or format the hard drive.

    A very scary worm would simply spread itself quietly and slowly, wait for a doomsday time to tick and then Boom... simply start a massive delete fest on the computers, or to be even more sinister start changing numbers randomly in spreadsheets and documents... like simply adjusting up or down by a random amount.

    Once a virus or worm has admin control or system control it can do anything, and luckily we still haven't had one of these buggers do any destructive things...

    I am expecting it though... It's just like guns... most of the planet can safely own and use them and only a few lunatics start blowing people's heads off.

    --
    Do not look at laser with remaining good eye.
  5. Re:Doomsday scenario? by crashnbur · · Score: 2, Interesting
    A lot of people died when the stock market "shut down" in 1929. Don't knock the significance of the Internet! Besides, in a world more dependent every day than yesterday on technology and connectivity, an Internet breakdown of even slight magnitude can be extremely detrimental... If it shut down completely all of a sudden, there would be chaos.

    I know it's a horrible thing to think about, but maybe we should, come to think of it... Anyone think we should devise a contingency plan for when/if the Internet does hit a brick wall? Not because I'm paranoid, but because I would rather be overprotected than regretfully and idiotically vulnerable.

  6. Re:Doomsday scenario? by oku · · Score: 3, Interesting
    Doomsday? Hey guys, it's the internet! Who's gonna die if the internet shuts down? Come on now, it's not like the next ice age or nuclear war!

    Not quite, but considering the amount of business that is done over the Internet these days, it is going to be pretty rough for many companies. Banks especially would be vulnerable, I guess, subsequently leading to massive drops in stock prices, leading to further bankruptcies. Not nice, not at all.

    Of course, it is uncertain if such a worm could really take down the Internet. But if it could, it would really hurt.

  7. Applications of this......technology......... by sonicsft · · Score: 4, Interesting

    Reading this, the idea that it could use distributed communication to monitor and control the infection rate triggered the term "Distributed Computing" in my mind. The amount of processing power that could be harnessed by such a worm is tremendous. Even if the worm used a small fraction of processing time from a large infected base population, its power would probably be enough to do some good calculations quickly. I don't think the algorithms are ready yet, but imagine if you could use this worm to distribute a distributed AI. Combine this with the concept of virus polymorphism, and you have a virus that could stay alive, possibly undetected in the open, and do some interesting stuff. Maybe I've been reading too much sci-fi (Ender's Game), but couldn't these concepts, which are now very real, be used to create an internet life form, if you will? Anyway, I don't claim to be an expert on anything I just talked about, but I wanted to get the idea out into the open.

    -sonic

  8. It's happening by FeatureBug · · Score: 3, Interesting

    Yes, something funny is definitely going on right now on the net. These statistics are solid and based on 4 years of data going back to 1998: my firewall has detected on average 1 probe every 3 hours.

    On 28th September this year I made the mistake of visiting the website of Taiwanese motherboard maker QDI Group to download a newer BIOS. Literally within seconds my firewall started getting hit by NetBIOS probes. It's been about two probes a minute all day every day from sites all over the world since 28th September. That's a 400-fold increase! It's getting worse. They're from all over the place but always TCP to NetBIOS port 137.

    Does anyone else want to try visiting www.qdigrp.com? Has anyone else seen the same pattern? I'll post a few of the IPs here. Maybe someone will recognise them.
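
The observation above (a baseline of one probe every three hours, then two a minute to port 137 from addresses all over the place) is the kind of thing a small baseline-versus-recent check over firewall drop logs would flag automatically. The script below is an added example, not code from the thread or from any firewall product. It assumes a generic log line format ("date time ACTION PROTO src:sport -> dst:dport"; change LINE_RE for your firewall), the sample lines are constructed, and it also groups recent sources by /24 so that a whole network scanning you shows up as one entry rather than a list of unrelated addresses.

```python
"""Baseline-vs-recent NetBIOS probe detector over firewall drop logs.

Added example, not from the Slashdot thread or any firewall vendor. The log
line format is an assumption ("date time ACTION PROTO src:sport -> dst:dport");
point LINE_RE at your own firewall's format. Sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import date, timedelta

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>[A-Z]+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: three quiet days, then a flood starting 28 September.
SAMPLE_LOG = """\
2002-09-25 03:14:07 DROP TCP 198.51.100.7:3244 -> 192.0.2.10:137
2002-09-26 11:02:41 DROP TCP 203.0.113.88:1029 -> 192.0.2.10:137
2002-09-27 22:45:19 DROP TCP 198.51.100.23:1025 -> 192.0.2.10:137
2002-09-28 09:00:02 DROP TCP 203.0.113.12:1025 -> 192.0.2.10:137
2002-09-28 09:00:31 DROP TCP 203.0.113.12:1026 -> 192.0.2.10:137
2002-09-28 09:01:10 DROP TCP 203.0.113.40:1025 -> 192.0.2.10:137
2002-09-28 09:02:55 DROP TCP 203.0.113.77:1031 -> 192.0.2.10:137
2002-09-28 09:03:20 DROP TCP 198.51.100.7:1025 -> 192.0.2.10:80
2002-09-28 09:04:44 DROP TCP 203.0.113.91:1025 -> 192.0.2.10:137
2002-09-29 00:10:05 DROP TCP 203.0.113.12:1027 -> 192.0.2.10:137
2002-09-29 00:11:38 DROP TCP 203.0.113.40:1026 -> 192.0.2.10:137
2002-09-29 00:12:09 DROP TCP 203.0.113.91:1026 -> 192.0.2.10:137
2002-09-29 00:13:50 DROP TCP 203.0.113.120:1025 -> 192.0.2.10:137
2002-09-29 00:15:02 DROP TCP 203.0.113.40:1027 -> 192.0.2.10:137
2002-09-29 00:16:33 ACCEPT TCP 203.0.113.5:4000 -> 192.0.2.10:22
"""


def parse_probes(log_text, port=137):
    """Return [(date, src_ip)] for every DROPped packet aimed at `port`."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "DROP" and int(m["dport"]) == port:
            probes.append((date.fromisoformat(m["date"]), m["src"]))
    return probes


def days_between(first, last):
    """Inclusive list of dates; days with no probes still count as zero."""
    n = (last - first).days + 1
    return [first + timedelta(days=i) for i in range(n)]


def spike_ratio(probes, baseline, recent):
    """Mean probes/day over `recent` divided by mean probes/day over `baseline`."""
    per_day = Counter(day for day, _ in probes)
    base = sum(per_day[d] for d in baseline) / len(baseline)
    now = sum(per_day[d] for d in recent) / len(recent)
    return now / base if base else float("inf")


def busy_networks(probes, days, min_hosts=3):
    """/24s from which at least `min_hosts` distinct addresses probed on `days`."""
    hosts = defaultdict(set)
    wanted = set(days)
    for day, src in probes:
        if day in wanted:
            hosts[src.rsplit(".", 1)[0] + ".0/24"].add(src)
    return {net: sorted(h) for net, h in hosts.items() if len(h) >= min_hosts}


def analyze(log_text, baseline, recent, threshold=10.0):
    """Alert when the recent probe rate is `threshold` times the baseline."""
    probes = parse_probes(log_text)
    ratio = spike_ratio(probes, baseline, recent)
    return {"ratio": ratio, "alert": ratio >= threshold,
            "networks": busy_networks(probes, recent)}


if __name__ == "__main__":
    base = days_between(date(2002, 9, 25), date(2002, 9, 27))
    now = days_between(date(2002, 9, 28), date(2002, 9, 29))
    print(analyze(SAMPLE_LOG, base, now, threshold=4.0))
```

On the constructed sample the recent window runs five times the baseline rate and every recent source sits in 203.0.113.0/24; the threshold is deliberately a parameter, since one probe every three hours means a single extra probe already looks like a large multiplier on a short baseline window. Use a baseline of weeks, not days, before trusting the ratio.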

    1. Re:It's happening by freeweed · · Score: 4, Interesting

      I've been seeing roughly 150-200 NetBIOS probes a day since the end of September. I used to get a consistent 10 or 20. And I've never been to QDI's website.

      I suspect this *may* be due to that wonderful new bug, Opaserv, which Norton seems unable to clean out successfully, even though they know full well about it. Basically, it's a worm that looks for open C: shares, and brute-forces the password, one character at a time (or if there's no password, it infects). You get a couple of files in C:\windows (depending on variant), and some entries in your registry and/or win.ini (again depending on variant).

      I spent a few hours looking into this when one of our work machines refused to clean itself (frightening how many Windows machines have accessible shares at my university :). Do any sort of search on 'Opaserv' or 'brasil.pif'.

      This thing started showing up roughly a month ago, and it's the only thing I can connect with these insane NetBIOS probes. It's also consistent with my observation that entire (or most of) class C networks seem to be infected and probing me - that's one of the fun parts of this worm - it basically scans anyone with a similar IP until it's infected everyone it can. Clean it off your system, don't protect yourself, and within an hour you'll be infected again.

      And once again, it all comes down to: don't run your file sharing over TCP/IP, and firewall your NetBIOS ports. Microsoft apparently has a patch for the password cracking issue, but so far no one has done much else to combat this thing.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
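
"Brute-forces the password, one character at a time" only works because of a bug in the check on the server side: a comparison that looks at just as many bytes as the client sent turns an exponential search into a linear one. The code below is an added example, not from the thread, from Opaserv or from Microsoft. It models that bug class with a toy comparison function beside a correct one and runs the same prefix-extending attack against both; the Windows 9x share-level password check had exactly this length-controlled behaviour (the issue Microsoft patched as MS00-072), but nothing here is the SMB implementation. The password and the guess alphabet are constructed.

```python
"""One-character-at-a-time password recovery against a length-controlled check.

Added example, not from the thread, Opaserv, or Microsoft. It models the bug
class the reply describes: a server that compares only as many bytes as the
client supplied. The Windows 9x share-level password check had this property
(MS00-072); the code here is a toy comparison, not the SMB implementation, and
the password is constructed.
"""
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed attacker guess set


def vulnerable_check(stored, supplied):
    """Buggy: truncates the stored password to len(supplied) before comparing,
    so a one-character guess succeeds whenever it matches the first character."""
    n = len(supplied)
    return n > 0 and stored[:n] == supplied


def fixed_check(stored, supplied):
    """Correct: lengths must match, then a constant-time comparison of all bytes."""
    return len(stored) == len(supplied) and hmac.compare_digest(stored, supplied)


def crack_prefix(check, max_len=32, alphabet=ALPHABET):
    """Extend a known prefix one character at a time; returns (recovered, guesses).

    Against a prefix-based check this costs at most len(password) * len(alphabet)
    guesses. Against a proper check the first round fails (unless the password is
    a single character) and nothing is recovered.
    """
    recovered, guesses = "", 0
    for _ in range(max_len):
        for ch in alphabet:
            guesses += 1
            if check(recovered + ch):
                recovered += ch
                break
        else:
            # No character extends the prefix: either the password is complete
            # or the check is not prefix-based.
            break
    return recovered, guesses


def worst_case_guesses(length, alphabet_size=len(ALPHABET)):
    """Linear cost with the bug versus exponential cost without it."""
    return {"prefix_oracle": length * alphabet_size,
            "full_search": alphabet_size ** length}


if __name__ == "__main__":
    password = "hunter2"  # constructed
    print(crack_prefix(lambda guess: vulnerable_check(password, guess)))
    print(crack_prefix(lambda guess: fixed_check(password, guess)))
    print(worst_case_guesses(len(password)))
```

With the buggy check the seven-character constructed password falls in 151 guesses; with the fixed check the attack recovers nothing after its first 36, and the attacker is back to 36^7 candidates. The defensive lesson is the one the reply already states: the patch matters, but so does not exposing the share to the network in the first place.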
  9. Ultimate P2P Windows Worm: The Unpatching Worm by Anonymous Coward · · Score: 1, Interesting

    A simple but devastating Windows worm design would be one that selected a local system DLL at random, asked a peer worm on a similar system for its timestamp for the same DLL, then replaced the newer DLL with the older one. Other than some minor details, that's it.

    This would be subtle and very damaging: systems in the worm network would progressively become unpatched against security vulnerabilities. It would be the computer equivalent of an autoimmune deficiency like AIDS. Little harm would be done directly, but it would undermine sysadmin patches and open up the host to infection from all other earlier known forms of attack.

    The dynamics of such a P2P worm system as a whole would be to eventually seek the lowest common denominator patch level.

    Such a worm would ideally not render Windows systems inoperable/defunct, so maybe only a small subset of system DLLs would be considered and some date limit to the degree of DLL downgrading might need to be incorporated. This is all hypothetical, but such a worm would make maximum benefit of the "DLL hell" weakness of Windows.
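
The claim that pairwise "replace the newer with the older" exchanges drive the whole population to the lowest common denominator patch level, and that a date limit bounds the damage, is easy to check with a small gossip model. The script below is an added example, not code from the thread; it simulates nothing but the timestamp comparison described above over a constructed fleet (hypothetical host names, DLL names and patch dates, no real Windows files), and adds the check a defender would actually run: comparing current DLL timestamps against a known-good manifest and reporting every copy that is older than recorded.

```python
"""Gossip-min model of the "unpatching worm" and the integrity check that catches it.

Added example, not from the thread. Host names, DLL names and patch dates are
constructed; no real Windows file versions or timestamps appear. The model only
simulates the timestamp comparison the comment describes (the newer copy is
replaced by the older one); it does not touch any files.
"""
import random
from datetime import date, timedelta

BASE = date(2002, 1, 1)
DLLS = ["net.dll", "auth.dll", "rpc.dll"]  # hypothetical names


def make_hosts():
    """Constructed fleet: days since BASE for each host's copy of each DLL."""
    patch_days = {
        "host1": [300, 280, 290],
        "host2": [300, 300, 300],
        "host3": [120, 280, 290],  # holds the oldest net.dll
        "host4": [300, 60, 290],   # holds the oldest auth.dll
        "host5": [300, 280, 200],  # holds the oldest rpc.dll
        "host6": [250, 250, 250],
    }
    return {h: {d: BASE + timedelta(days=n) for d, n in zip(DLLS, days)}
            for h, days in patch_days.items()}


def exchange(hosts, a, b, dll, floor=None):
    """One peer round: both copies drop to the older of the two, but never
    below `floor` (the "date limit" the comment suggests)."""
    target = min(hosts[a][dll], hosts[b][dll])
    if floor is not None:
        target = max(target, floor)
    for h in (a, b):
        hosts[h][dll] = min(hosts[h][dll], target)


def run(hosts, rounds=3000, seed=0, floor=None):
    """Random pairwise exchanges; returns the mutated fleet."""
    rng = random.Random(seed)
    names = list(hosts)
    for _ in range(rounds):
        a, b = rng.sample(names, 2)
        exchange(hosts, a, b, rng.choice(DLLS), floor)
    return hosts


def fleet_minimum(hosts):
    """The lowest common denominator per DLL: where an uncapped fleet ends up."""
    return {d: min(hosts[h][d] for h in hosts) for d in DLLS}


def detect_downgrades(manifest, current):
    """Known-good manifest vs. current state: any DLL older than recorded is a finding."""
    return sorted((h, d) for h in current for d in current[h]
                  if current[h][d] < manifest[h][d])


if __name__ == "__main__":
    manifest = make_hosts()
    print(fleet_minimum(run(make_hosts())))
    print(len(detect_downgrades(manifest, run(make_hosts()))), "downgraded DLLs, no floor")
    capped = run(make_hosts(), floor=BASE + timedelta(days=150))
    print(len(detect_downgrades(manifest, capped)), "downgraded DLLs, floor at day 150")
```

Without a floor every host ends at the single oldest copy of each DLL in the fleet, so one stale machine sets the patch level for everyone; with a floor the hosts above it stop at the floor, while the hosts that were already below it keep their even older copies, so the floor limits how far the fleet sinks but does not repair anything. The manifest comparison catches both cases, which is why file-version or hash baselines on system directories are worth keeping even when no patch is expected to change.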

  10. Re:Mmkay... Call me stupid, but.. by Bowie+J.+Poag · · Score: 2, Interesting

    Right, I agree, we should not be complacent...but by the same token, part of being pro-active on these sorts of things is to have discussions similar to the one we're having right now. :)

    While I agree with your observations, I don't think you quite "got" what I was trying to say. Allow me to clarify a few things:

    The threat Curious Yellow poses has to do with its ability to function _in tandem_ with other threads of itself. That means the superworm can only be as strong as the number of threads that exist at any given point in time. It's not a cumulative effect, since the large majority of machines that will be infected are transient hosts--hosts which will pass in and out of existence fairly frequently, and will not be a functioning part of the worm for the vast majority of the superworm's overall lifespan. Keep in mind, the majority of the hosts on the Internet are not people like you and me. They are home PCs, which spend only a comparably slim amount of time connected to the net, and are therefore a "moving target" for the superworm.

    As I mentioned earlier, the three conditions must all be met, simultaneously, by all threads of the superworm. Any lapse of those three conditions can be equated with a corresponding drop in overall potency... In other words, the more it grows, the more weakened it becomes. As time goes on, the major threads of the worm die off as they are discovered, which effectively breaks down the ability of the superworm to function collaboratively with other instances of itself. Such a superworm would decay with time.

    The number of hosts which are sitting on the net, vulnerable, and untracked by their owners will be small, but never zero...so of course, the worm will still propagate. No one's arguing that. However, that doesn't change the decay process described above.

    In essence, this worm has its own demise built in. Its growth will spike, and then slowly decay with time, eventually becoming no more of a threat than any other worm trying to eke out a living. :) Just like with any real-world pathogen, its overall lifespan is going to be a function of the availability of infectable hosts, something I'm sure you'll agree will be bound to decline with time. After all, you and I have yet to succumb to HIV, West Nile, Bubonic Plague, Mad Cow, Hanta, Dengue, Typhoid, Anthrax, or Ebola...despite the fact that they all exist.

    --
    Bowie J. Poag