Slashdot Mirror


Curious Yellow, Superworm

jpmccord writes "Brandon Wiley's white paper, Curious Yellow, explains how "a superworm -- a worm that coordinates its actions among infected hosts and launches a massive distributed denial of service attack on any hosts it can't infect using those it can" (via disLEXia, a weblog by Maximillian Dornseif). The "doomsday scenario" frightens "even us", says Dornseif. An accompanying discussion rebukes Wiley's article a bit. Aaron Swartz's light-hearted take is rather entertaining: "So go read it now and find out how you can take over the whole Internet. And if you're going to, could you give me 24 hours notice?""

18 of 167 comments

  1. Or post to slashdot... by morie · · Score: 4, Funny

    It could also submit every computer it couldn't infect as containing something of interest to the slashdot community. Who needs a ddos attack?

    --
    Sig (appended to the end of comments I post, 54 chars)
    1. Re:Or post to slashdot... by OrangeSpyderMan · · Score: 4, Funny

      Even if it just submitted the same story over and over again, it would probably manage to get it published a good few times :-) Enjoy.

      --
      Try NetBSD... safe, straightforward, useful.
  2. This is a repeat ... by sdr · · Score: 5, Informative

    of this article.

    1. Re:This is a repeat ... by devnullkac · · Score: 4, Interesting

      This is slightly OT, but it seems to happen often enough to warrant a comment on the point.

      I don't know what tools the Slashdot editors have available to them already, but it seems that the Slashcode already extracts all the links from previous stories (the Related Links box), so it shouldn't be too difficult to compose a story posting utility which looks for stories posted in the last x days which contain any of the same links as the proposed story, flagging possible duplicates.

      --
      What do you mean they cut the power? How can they cut the power, man? They're animals!
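The duplicate-story check devnullkac sketches, as an added example (not Slashcode and not anything devnullkac posted): pull the hrefs out of a story body the way the Related Links box does, keep only stories posted within the last x days, and flag any that share a link with the proposed submission. The past stories and their URLs are constructed placeholders.

```python
import re
from datetime import date, timedelta

# Constructed sample of previously posted stories: (post date, body HTML).
# The URLs are placeholders, not real Slashdot links.
PAST_STORIES = [
    (date(2002, 10, 14), '<p>Read <a href="http://example.org/curious-yellow.html">the paper</a> '
                         'and <a href="http://example.org/discussion">the discussion</a>.</p>'),
    (date(2002, 9, 1),   '<p>Older story linking <a href="http://example.org/curious-yellow.html">here</a>.</p>'),
    (date(2002, 10, 15), '<p>Unrelated story: <a href="http://example.net/other">other</a>.</p>'),
]

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html):
    """Return the set of hrefs in a story body, normalised so that trailing
    slashes and letter case do not hide an otherwise identical link."""
    return {href.strip().rstrip('/').lower() for href in HREF_RE.findall(html)}


def find_duplicates(proposed_html, past_stories, today, window_days):
    """Return [(post_date, shared_links)] for every past story posted within the
    last `window_days` days that shares at least one link with the proposal."""
    proposed = extract_links(proposed_html)
    cutoff = today - timedelta(days=window_days)
    hits = []
    for posted, body in past_stories:
        if posted < cutoff:          # outside the lookback window, ignore
            continue
        shared = proposed & extract_links(body)
        if shared:
            hits.append((posted, sorted(shared)))
    return hits


if __name__ == "__main__":
    proposal = '<p>New submission: <a href="http://example.org/Curious-Yellow.html/">paper</a></p>'
    for posted, links in find_duplicates(proposal, PAST_STORIES, date(2002, 10, 16), 30):
        print(f"possible duplicate of story from {posted}: {links}")
```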
  3. Well. Okay. by torpor · · Score: 4, Funny

    Then I guess there's nothing we can do. The Internet is doomed.

    Still, I know I'll be able to read about the new one on MSNBC.newtld a day or two afterwards ... after I get a new Passport ID, that is.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  4. Doomsday scenario? by Mika_Lindman · · Score: 5, Insightful

    The "doomsday scenario" frightens "even us", says Dornseif.

    Doomsday? Hey guys, it's the internet! Who's gonna die if the internet shuts down? Come on now, it's not like the next ice age or nuclear war! 99% of the world's population won't give a shit if the internet shuts down for a few days. Who cares if a bunch of nerds freak out 'cause they can't read their emails?

    The main question is, are YOU so addicted to the net, that you would use the term "doomsday", if it shuts down?

    1. Re:Doomsday scenario? by Shalome · · Score: 5, Insightful

      You apparently have no idea what the actual scope of the internet covers. Corporate and military communications, banking transactions, medical information tracking, etc, etc. Yes, we could live without the internet, but reverting to the "old fashioned" pen-and-paper snailmail transportation of information, even for short periods of time, could cost billions of dollars -- not to mention levels of annoyance it would cause in day-to-day life.

      --
      Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
    2. Re:Doomsday scenario? by Pike65 · · Score: 5, Informative

      Corporate and military communications, banking transactions, medical information tracking, etc, etc

      Actually in the UK each regional Trust communicates using direct lines between centres. If you send medical details between Trusts, it's still done via paperwork.

      They trust the Internet about as much as I do ; )

      --
      "If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
    3. Re:Doomsday scenario? by Zocalo · · Score: 5, Insightful

      Quite. There seem to be quite a few people out yelling about the "death of the Internet", much like people used to go around with sandwich boards with "The end of the world is nigh!" written on them. Perhaps they should take a few minutes and go read this rather excellent article at the Register and get a dose of reality. And after that, perhaps a re-reading of "Chicken Little" just to hammer the point home.

      --
      UNIX? They're not even circumcised! Savages!
  5. Mmkay... Call me stupid, but.. by Bowie+J.+Poag · · Score: 5, Insightful

    If you really think about it, the math behind such an event may not work out....My guess is, there simply aren't enough hosts on the net that are simultaneously A) susceptible to infection B) sitting on static IPs, and C) unmonitored by human eyes. All three conditions must exist in order for the worm to propagate -- If any one of those factors is absent, that particular thread of the superworm is halted. It makes the scenario described in this article practically impossible. Sure, a superworm may exist, but it would be so slow-moving and predictable that it would be no more a threat than any other form of DoS attack.

    If you really want something abstract to think about, consider this: How is this "superworm" different than, say, a non-existent website mentioned on a nationwide TV broadcast? Instead of malicious code generating the resulting network congestion, it's humans -- The net result is the same -- The effect will taper off as T increases. Nothing to really worry about, in other words.

    Yeah, I know. I'm sure someone's gonna come back and read this 10 years from now and want to slap me silly with a 10 lbs. trout, for my lack of forethought.. But seriously, I think these sorts of stories are more along the lines of interesting fiction than they are real-world possibilities.

    Cheers,

    --
    Bowie J. Poag

    1. Re:Mmkay... Call me stupid, but.. by chrestomanci · · Score: 5, Insightful

      If you really think about it, the math behind such an event may not work out....My guess is, there simply aren't enough hosts on the net that are simultaneously A) susceptible to infection B) sitting on static IPs, and C) unmonitored by human eyes. All three conditions must exist in order for the worm to propagate -- If any one of those factors is absent, that particular thread of the superworm is halted. It makes the scenario described in this article practically impossible. Sure, a superworm may exist, but it would be so slow-moving and predictable that it would be no more a threat than any other form of DoS attack.

      IMHO, there are plenty of susceptible computers out there.

      Most internet servers, both large and small, are on static IPs, and only subject to occasional human monitoring. (That is occasional, relative to this worm's speed of propagation, which is estimated to be under a minute).

      I would include my home linux box in the category of susceptible computers. It is permanently connected (ADSL), on static IP, and I only use it every day or so. If it became infected with Curious Yellow, I would be unlikely to notice for 12 hours or so, (unless my ISP phoned me), and if the worm was stealthy enough not to monopolise any resource (CPU, disc, bandwidth etc), I might not notice for weeks until someone contacted me. Considering how infectious this hypothetical worm is, 12 hours would be enough to do huge damage.

      Ask yourself if the same would apply to any permanently connected computers in your control?

      As for "susceptible to infection". Curious Yellow would be designed to use some sort of zero day exploit, so we have no idea which computers are susceptible, and it would be complacent to assume that only windows boxes are. My system runs Debian Stable, and I regularly apply the security patches, but that does not make it completely invulnerable.

      Don't be complacent. Treat the risk seriously.

    2. Re:Mmkay... Call me stupid, but.. by JustKidding · · Score: 4, Insightful
      You may have noticed that the net has a lot of servers, like webservers, dns servers, proxies and such. Those are the kind of servers that are checked like, once a week if they don't malfunction, are online 24/7, have a static ip, lots of bandwidth, and so much traffic that a little extra will go by unnoticed. Besides that, the ability to quickly propagate code patches would make it nearly impossible to install security patches on a system that is already infected.

      There is little point in having the worms detect when to go into turbo mode, since such a command could be quickly relayed through the network. And of course there is a chance that some of the worms would switch to turbo mode prematurely, leading to early detection.

      I find the idea of the worm spidering for new hosts rather interesting; obviously, it's a nearly ideal way to find other webservers. Also, since any host on the web has a reference to a dns server, it's very easy for any worm to find at least one of those. Once a dns server is compromised, the worm has a fairly complete and real-time list of webservers, with very few bad addresses. This way, many hosts may be infected with very little host- and portscanning.

      If such a superworm would ever get out in the wild, it may be very hard or nearly impossible to stop it.

  6. Re:Biological counterpart? by indecision · · Score: 4, Insightful
    There's a (biological) virus to which humans are either immune, or not - just like any other virus.
    The people who catch it, however, are turned into attack zombies primed to attack specifically the immune humans.

    Many novels based on vampires or zombies have this idea.

    I Am Legend by Richard Matheson is a personal favourite.

    Enjoy
    indecision

  7. tomorrow by anshil · · Score: 5, Funny

    Come on Pinky, let's prepare for tomorrow evening.

    Why Brain? What are we going to do tomorrow evening?

    Same as every evening, we try to take over the Internet!

    --
    Karma 50, and all I got was this lousy T-Shirt.
  8. we are just lucky... by Lumpy · · Score: 5, Interesting

    These worm and virii writers are pretty harmless... If they were really malicious we would have seen Nimda doing things like delete *.doc *.xls or format the hard drive.

    A very scary worm would simply spread itself quietly and slowly, wait for a doomsday time to tick and then Boom... simply start a massive delete fest on the computers or to be even more sinister start changing numbers randomly in spreadsheets and documents... like simply adjusting up or down by a random amount.

    Once a virus or worm has admin control or system control it can do anything and luckily we still haven't had one of these buggers do any destructive things...

    I am expecting it though... It's just like guns... most of the planet can safely own and use them and only a few lunatics start blowing people's heads off.

    --
    Do not look at laser with remaining good eye.
  9. Applications of this......technology......... by sonicsft · · Score: 4, Interesting

    Reading this, the idea that it could use distributed communication to monitor and control the infection rate triggered the term "Distributed Computing" in my mind. The amount of processing power that could be harnessed by such a worm is tremendous. Even if the worm used a small fraction of processing time from a large infected base population its power would probably be enough to do some good calculations quickly. I don't think the algorithms are ready yet, but imagine if you can use this worm to distribute a distributed AI. Combine this with the concept of virus polymorphism, and you have a virus that could stay alive, possibly undetected in the open, and do some interesting stuff. Maybe I've been reading too much sci-fi (Ender's Game) but couldn't these concepts, which are now very real, be used to create an internet life form, if you will? Anyway, I don't claim to be an expert on anything I just talked about but I wanted to get the idea out into the open.

    -sonic

  10. New Slashdot Worm found in wild! by MartyJG · · Score: 5, Funny

    Anti-virus companies Norton and Sophos today announced they had spotted a new virus in the wild. According to anti-virus experts a new virus known only as "Curious Yellow" has been attacking the popular Slashdot.org site.

    The site has already been hit twice, with a story appearing on their main 'articles' section. The virus has been spoofing known slashdot editors such as 'Hemos' and 'michael'. The site has yet to comment on these attacks, but have warned there is a risk that further variants may attack their 'slashback' section later this week.

    So far there is no known cure for this virus.

    --
    insignificant sig
  11. Re:It's happening by freeweed · · Score: 4, Interesting

    I've been seeing roughly 150-200 netbios probes a day since the end of September. I used to get a consistent 10 or 20. And I've never been to QDI's website.

    I suspect this *may* be due to that wonderful new bug, Opaserv, which Norton seems unable to clean out successfully, even though they know full well about it. Basically, it's a worm that looks for open C: shares, and brute-forces the password, one character at a time (or if there's no password, it infects). You get a couple of files in C:\windows (depending on variant), and some entries into your registry and/or win.ini (again depending on variant).

    I spent a few hours looking into this when one of our work machines refused to clean itself (frightening how many windows machines have accessible shares in my University :). Do any sort of search on 'Opaserv' or 'brasil.pif'.

    This thing started showing up roughly a month ago, and it's the only thing I can connect with these insane netbios probes. It's also consistent with my observation that entire (or most of a) class C's seem to be infected and probing me - that's one of the fun parts of this worm - it basically scans anyone with a similar IP until it's infected everyone it can. Clean it off your system, and don't protect yourself, and within an hour you'll be infected again.

    And once again, it all comes down to: don't run your file sharing over tcp/ip and firewall your netbios ports. Microsoft apparently has a patch for the password cracking issue, but so far no one has done much else to combat this thing.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
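The two observations freeweed uses to spot the worm (a jump from 10-20 NetBIOS probes a day to 150-200, and whole class C's probing at once) turned into detection logic, as an added example that is not part of the comment or of any real product: parse dropped-packet log lines, count per-day hits on the NetBIOS/SMB ports, flag days well above the old baseline, and count distinct probing hosts per /24. The iptables-style log format and every address in it are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed firewall log excerpt (iptables-style layout made up for this example).
# DPT 137/138/139/445 are the NetBIOS/SMB ports that open-share scanners knock on.
LOG = """\
Oct 19 03:10:01 fw DROP SRC=10.1.1.7 DST=192.0.2.10 PROTO=TCP DPT=139
Oct 19 14:22:40 fw DROP SRC=10.5.9.2 DST=192.0.2.10 PROTO=UDP DPT=137
Oct 19 15:00:00 fw DROP SRC=10.5.9.2 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 20 00:01:12 fw DROP SRC=10.1.1.3 DST=192.0.2.10 PROTO=UDP DPT=137
Oct 20 00:01:15 fw DROP SRC=10.1.1.4 DST=192.0.2.10 PROTO=TCP DPT=139
Oct 20 00:02:30 fw DROP SRC=10.1.1.7 DST=192.0.2.10 PROTO=TCP DPT=139
Oct 20 00:03:44 fw DROP SRC=10.1.1.9 DST=192.0.2.10 PROTO=TCP DPT=445
Oct 20 00:05:01 fw DROP SRC=10.1.1.12 DST=192.0.2.10 PROTO=UDP DPT=137
Oct 20 00:06:59 fw DROP SRC=10.1.1.30 DST=192.0.2.10 PROTO=TCP DPT=139
Oct 20 00:07:10 fw DROP SRC=10.1.1.7 DST=192.0.2.10 PROTO=TCP DPT=139
Oct 20 11:40:00 fw DROP SRC=10.5.9.2 DST=192.0.2.10 PROTO=TCP DPT=139
"""

NETBIOS_PORTS = {137, 138, 139, 445}
LINE_RE = re.compile(r'^(?P<mon>\w{3}) +(?P<day>\d+) \S+ \S+ DROP SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)')


def parse_probes(log_text):
    """Yield (day, source_ip) for every dropped packet aimed at a NetBIOS/SMB port."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group('dpt')) in NETBIOS_PORTS:
            yield f"{m.group('mon')} {int(m.group('day')):02d}", m.group('src')


def probes_per_day(log_text):
    """Daily count of NetBIOS/SMB probes, the number freeweed watched climb."""
    return Counter(day for day, _ in parse_probes(log_text))


def flag_days(per_day, baseline, factor=3.0):
    """Days whose probe count is more than `factor` times the old daily baseline."""
    return sorted(day for day, n in per_day.items() if n > baseline * factor)


def sources_by_subnet(log_text, prefix=24):
    """Distinct probing hosts per /24: many hosts in one subnet is the
    'whole class C infected and scanning its neighbours' pattern."""
    hosts = defaultdict(set)
    for _, src in parse_probes(log_text):
        hosts[str(ip_network(f"{src}/{prefix}", strict=False))].add(src)
    return {net: len(h) for net, h in hosts.items()}
```

Run against a real export, the baseline would be the quiet period's daily median (freeweed's 10 or 20), and any /24 with more than a handful of distinct sources is the one to report to its owner.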