Slashdot Mirror


Curious Yellow, Superworm

jpmccord writes "Brandon Wiley's white paper, Curious Yellow, explains how "a superworm -- a worm that coordinates its actions among infected hosts and launches a massive distributed denial of service attack on any hosts it can't infect using those it can" (via disLEXia, a weblog by Maximillian Dornseif). The "doomsday scenario" frightens "even us", says Dornseif. An accompanying discussion rebukes Wiley's article a bit. Aaron Swartz's light-hearted take is rather entertaining: "So go read it now and find out how you can take over the whole Internet. And if you're going to, could you give me 24 hours notice?""

4 of 167 comments

  1. Re:This is a repeat ... by devnullkac · Score: 4, Interesting

    This is slightly OT, but it seems to happen often enough to warrant a comment on the point.

    I don't know what tools the Slashdot editors have available to them already, but it seems that the Slashcode already extracts all the links from previous stories (the Related Links box), so it shouldn't be too difficult to compose a story posting utility which looks for stories posted in the last x days which contain any of the same links as the proposed story, flagging possible duplicates.

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
  2. we are just lucky... by Lumpy · Score: 5, Interesting

    These worm and virus writers are pretty harmless... If they were really malicious we would have seen Nimda doing things like delete *.doc *.xls or format the hard drive.

    A very scary worm would simply spread itself quietly and slowly, wait for a doomsday time to tick and then Boom... simply start a massive delete fest on the computers or to be even more sinister start changing numbers randomly in spreadsheets and documents... like simply adjusting up or down by a random amount.

    Once a virus or worm has admin control or system control it can do anything and luckily we still haven't had one of these buggers do any destructive things...

    I am expecting it though... It's just like guns... most of the planet can safely own and use them and only a few lunatics start blowing people's heads off.

    --
    Do not look at laser with remaining good eye.
  3. Applications of this......technology......... by sonicsft · Score: 4, Interesting

    Reading this, the idea that it could use distributed communication to monitor and control the infection rate triggered the term "Distributed Computing" in my mind. The amount of processing power that could be harnessed by such a worm is tremendous. Even if the worm used a small fraction of processing time from a large infected base population its power would probably be enough to do some good calculations quickly. I don't think the algorithms are ready yet, but imagine if you can use this worm to distribute a distributed AI. Combine this with the concept of virus polymorphism, and you have a virus that could stay alive, possibly undetected in the open, and do some interesting stuff. Maybe I've been reading too much sci-fi (Ender's Game) but couldn't these concepts, which are now very real, be used to create an internet life form if you will. Anyway, I don't claim to be an expert on anything I just talked about but I wanted to get the idea out into the open.

    -sonic

  4. Re:It's happening by freeweed · Score: 4, Interesting

    I've been seeing roughly 150-200 netbios probes a day since the end of September. I used to get a consistent 10 or 20. And I've never been to QDI's website.

    I suspect this *may* be due to that wonderful new bug, Opaserv, which Norton seems unable to clean out successfully, even though they know full well about it. Basically, it's a worm that looks for open C: shares, and brute-forces the password, one character at a time (or if there's no password, it infects). You get a couple of files in C:\windows (depending on variant), and some entries into your registry and/or win.ini (again depending on variant).

    I spent a few hours looking into this when one of our work machines refused to clean itself (frightening how many windows machines have accessible shares in my University :). Do any sort of search on 'Opaserv' or 'brasil.pif'.

    This thing started showing up roughly a month ago, and it's the only thing I can connect with these insane netbios probes. It's also consistent with my observation that entire (or most of a) class C's seem to be infected and probing me - that's one of the fun parts of this worm - it basically scans anyone with a similar IP until it's infected everyone it can. Clean it off your system, and don't protect yourself, and within an hour you'll be infected again.

    And once again, it all comes down to: don't run your file sharing over tcp/ip and firewall your netbios ports. Microsoft apparently has a patch for the password cracking issue, but so far no one has done much else to combat this thing.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
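
Added example, not part of the thread or of any commenter's post: one way to check a firewall log for the pattern the last comment describes, many hosts from the same /24 probing the NetBIOS ports. The log format, field names and addresses are constructed assumptions (iptables-style lines, documentation IP ranges).

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services
LINE_RE = re.compile(r"\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)")

# Constructed sample lines in an assumed iptables-style format (documentation IPs).
SAMPLE_LOG = """\
Oct 28 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=UDP SPT=1025 DPT=137
Oct 28 10:01:09 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=1031 DPT=139
Oct 28 10:02:40 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=1025 DPT=137
Oct 28 10:03:11 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.7 PROTO=UDP SPT=1026 DPT=137
Oct 28 10:03:15 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.7 PROTO=TCP SPT=4000 DPT=80
Oct 28 10:04:00 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=1025 DPT=137
Oct 28 10:04:30 fw kernel: DROP IN=eth0 SRC=not-an-ip DST=198.51.100.7 PROTO=UDP SPT=1025 DPT=137
"""

def netbios_probes_by_prefix(log_text):
    """Map each source /24 to {source host: number of NetBIOS probes}."""
    by_prefix = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) not in NETBIOS_PORTS:
            continue  # not a parsable line, or not a NetBIOS port
        try:
            src = ip_address(m.group("src"))
        except ValueError:
            continue  # malformed source address field
        if src.version != 4:
            continue  # the /24 grouping below is an IPv4 notion
        prefix = ip_network(f"{src}/24", strict=False)
        by_prefix[prefix][src] += 1
    return by_prefix

def noisy_prefixes(log_text, min_hosts=3):
    """Return (prefix, distinct hosts, total probes) for /24s with at least
    min_hosts distinct probing hosts, busiest first."""
    flagged = []
    for prefix, hosts in netbios_probes_by_prefix(log_text).items():
        if len(hosts) >= min_hosts:
            flagged.append((str(prefix), len(hosts), sum(hosts.values())))
    return sorted(flagged, key=lambda row: (-row[1], -row[2], row[0]))

if __name__ == "__main__":
    for prefix, hosts, probes in noisy_prefixes(SAMPLE_LOG):
        print(f"{prefix}: {hosts} hosts, {probes} NetBIOS probes")
```

Counting distinct hosts per /24 rather than raw probe volume separates a single noisy scanner from a neighbourhood of infected machines; `min_hosts` is a tunable threshold, not a value from the thread.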