Feds Working to Stop Worms
mbenzi writes "This article from GovExec describes how the feds worked to prevent a worm that could have been orders of magnitude worse than Code Red. Short on details, but an interesting timeline."
And what will this do to the expression "The Early Bird Gets The Worm?"
I'm glad I can now walk through the desert without the sand worms attacking.
thanks government!
There are some odd things afoot now, in the Villa Straylight.
Sure, maybe they'll be able to stop one version of this, but more'll just pop up in its place; it's similar to the **AA trying to kill P2P - there's enough ingenuity in people that want to do wrong that they'll never be shut down completely.
With a gang of zombies at his command, the creator of a superworm could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.
Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting.
With writing like this it sounds like someone trying to scare up funds to keep this department up and running.
Those worms looked tough.
"some of the most brilliant hackers in the world"?
Since when are Skript Kiddeez brilliant hackers?
This article is stupefyingly filled with crap.. the whole alliterative narrative to make a "worm" into something more than a program is scary. "Clones" rather than "copies" "larva" rather than "small". "zombies" "Slither" "poisonous venom".
Ye ghods.. is this a tech article, or color text for a M:TG card?
maeryk
Feminine Protection? What is that? A chartreuse flame thrower?
Our hard earned tax dollars at work on something somewhat beneficial.
The question is will the "Feds" be at least somewhat successful in their attempts to thwart future worms and other virii?
"It slithered inside the machines and spewed venomous strings of data that threw its victims into electronic shock."
I'm not really karmawhoring, because I hit the Karma Kap long ago, I'm just linking to the Warhol Worm... :-)
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Biology and technology meet again. To prevent pinworms..
1) Wash your hands after you wipe!
2) Don't share TP.
3) Don't bite your nails or suck your thumbs.
4) Vacuum your floors to wipe out stray eggs.
And in the world of your computer?
1) Don't run contaminated files.
2) Don't share logins or run as Administrator.
3) Don't run attachments in your mail if you don't know what they are.
4) Use a virus scanner.
You can learn so much from real life. You wouldn't lick your ass if you had worms would you? So why would you run an attachment in an unknown e-mail!?
mogorific carpentry experiments
Very melodramatic article written like a cheap potboiler. Unfortunately it was very short on details and new information...
At first glance (not first post) off-topic, but give me a second. The action of a chemical that kills intestinal parasites, e.g., worms, is called anthelmintic. With apologies to Dave Barry and his IP claim to it, wouldn't Anthelmintic be an excellent name for a company that sold anti-worm technology?
If Slashdot were chemistry it would look like this: Cadaverine
I had all sorts of witty comments to make on this, but I just deleted them because it's all too pathetic.
I guess the point is to impress on people that cyberspace, too, is just like a big ol' Hollywood movie with good ol' Uncle Sam well in control. Or something.
Whence? Hence. Whither? Thither.
Is this the first draft of the new Michael Crichton novel?
I found the plot rather thin, the characters unbelievably one-dimensional, and the ending was far too pat and convenient to believe.
Actually, it reads like most of his novels.
LongTail SSH Brute Force analysis tool is here!
In all seriousness I don't understand how they can tell if a worm was "more serious" than code red. The best thing about most worms is that most of them are "so wonderful" that they leave out a few details and never make it anywhere but the authors test system.
It's not worms I'm afraid of, it's next gen virii. With problem solving and logic bots that use AI it's just a matter of time before you train a program to do malicious things and give it multiple ways of accomplishing one goal of infection with a prime directive of self-preservation; that would be the 'ultimate' worm.
We've all seen the AI programs' ability to play chess, and that is impressive all in itself; can you imagine the same type of system loaded with every exploit ever documented, and then the ability to gain access via that list? Or imagine if somehow the program were able to receive the notices of bugs (Cert, bugtraq, errata, and MS) and then learn of new potentially unpatched systems.
The problem would be not implementing the worm, nor stopping it, but finding a reason for its existence. Would it be used as a proof-of-concept only to be more horribly enacted in version 2? Would it be used for a massive DDoS attack on key internet systems, thus disabling the net for a small amount of time? Or would the system dump all valuable information on a centralized server and then essentially commit suicide?
The only problem is how could this bug be 'harmful' to a host system if the prime directive was self perseverance? It's a little bit too deep of thinking for a friday morning, but we have yet to see what virii are actually capable of.
Ignore the "p2p is theft" trolls, they're just uninformed
Doesn't this article read like a really cheesy episode of "Law and Order"?
to deal with the security problems that Microsnot will not. Ya gotta love it. Maybe they could send the bill to Bill and get a piece of his billions instead of taking so much of my family's resources and trying to fix everything on the planet. And now this too.
Why are we paying to have the government fix Microsoft's bugs?
I don't know, seems to have quite the spin on it, almost a dramatic flair not usually found in normal reports. "But there was a hitch. The private experts were uneasy. Could they trust the G-men?" Whoever wrote this probably wasn't going for academic excellence in reporting.
There's also a similar and much better article here on the Gibson Research Corp website. It's quite a bit less fantastical and more technical. And LONG!
checking for libvirus... no
ERROR, libvirus.so not found, terminating
But isn't it interesting that the words "fed" and "worm" appear in the same sentence for a GOOD reason this time?
SL33ZE - Artificial Intelligence is No Match For Natural Stupidity -
What an incredibly useless and stupid post, devoid of all humor or purpose.
they call it Pepsi Blue.
This is my sig. Its pathetic.
"Frank Burns Eats Worms"
and he's already on the government payroll.
- Hail to our fearless misleader! Fool speed ahead!
Is it me or does this article read like the cross between a propaganda article, a typical narrative from a Batman TV episode ("Will our heroes be able to complete the task? Stay Tuned Bat-Fans!!!"), and a recruitment ad for the FBI, CIA, or any of the Armed Forces?
Dolemite
Save the World! Use a Quote!
Is the only thing preventing total chaos in corporate and government IT infrastructures. Can anyone name one thing that is a greater threat to national security than Microsoft's software?
Ask me about my vow of silence!
Ye gads that was horrible. This has to be my favorite bit of hyperbole:
Worms were the most vicious new beasts to stalk the Internet.
I think Morris would have a few words of disagreement about that.
So, we have a section: Early July.
Then the next section: Second Week of July which starts
Weeks passed.
And, to top it all off we go over to McAfee and search and get the following:
Search Results
We found no records matching the following criteria:
Virus name containing "leaves".
This has to be BS of the first and worst order.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Has anyone thought that this could be the work of the government? It could just be that the government is putting their little spy boxes in place and fooking up the job.
Last one in jail is a fascist.
So the best government executives in the USA act like secret agents in cheap pulp detective novels?
Perhaps they should try:
a) alerting businesses and organisations that have vulnerable systems.
c) naming and shaming software manufacturers with poor security processes.
But I guess fighting faceless villains with wicked plots to destroy the world is a lot more fun.
It's not quite as exciting when you realise that most of the villains are actually just naughty children.
that the old X-files writers are getting some work.
Damn gubmint! always sittin' on their hands, not doin anything, just waitin' for their paycheck...
oh, wait...
Is it just me, or does this article read like a Jim Theiss story?
The face of a child can say it all, especially the mouth part of the face.
Looks like this article was written for people who just barely understand computers. It has more buzzwords and made up buzzwords than I've ever seen in an article like this. The steps they outline are ahh, well, kinda a "Well no kidding." setup and the details pretty shallow.
Personally, I think that this is nothing more than another smoke screen to make people feel safe that the gov will eventually do something about a technology they barely understand but "know" is dangerous.
Also, does anyone else think that even if the gov were to take steps to stop any type of worm, that privately owned companies' horribly configured servers and overseas servers that are unpatched are going to get automagically fixed cuz the US Gov says so? This is just about FUD if you ask me.
Too much raw red meat in the canteen will do that!
"I kill you! You no good 56'ing!"
The type of article you read while you're waiting for a checkup at your family doctors office.
Really. The only things this story is missing for a publication in Readers Digest is the part where Bob Gerber's dog falls into the river and the young boy from next door saves the poor puppy, twisting his ankle in the struggle.
I find it humorous when metaphor and melodrama are substituted for technical knowledge.
http://www.cgisecurity.com/articles/worms.shtml
This article contained absolutely no discussion of the pathetic quality of Microsoft's "software." Can't these people understand that the best way to stop the worms is to send a squadron of B-52's to wipe out Microsoft's campus? Sheesh...
Bush Lies Watch
http://www.iwar.org.uk/cip/resources/news/advisory 01-014.htm
Here's a warning from 06/23/2001. Long live google!
I'm not sure that this guy worked for the fbi but here is an interesting version of the same story
http://grc.com/dos/drdos.htm written by the author Gibson
-- If i knew what i was doing i'd make sure not to do it again --
Now - if some oil tanker sinks it is appropriate that the state is involved. But this? Shouldn't this be MS's (and vendors' in general) job?
Whatever happened to the nice simple boot sector viruses... damn worms!
Waiting for the worms to come
In perfect isolation here behind my wall
--Pink Floyd
How appropriate... :)
Zombie maker on steroids? It only infects already infected machines.
Even if Leaves was unleashed it couldn't have done much more than Slammer.
Code Red/Nimda servers were and are more annoying.
What's more scary is the DMCA and the other laws the US Gov is going to push through using scare-mongering stuff like this article as justification (plus Osama and Saddam). Not to mention "Initiatives" by those companies (TCPA etc).
A decent admin can keep worms out from critical systems pretty easily. And for those that slip through, there are backups.
But protecting yourself from stupid laws and "Legitimate" software/hardware is a lot harder. Even if you're in a different country with different laws, the US doesn't give a damn, nor do the big companies.
In the article, they make it sound as if the feds figured out everything about the worm. If they knew how it was supposed to receive instructions, why not "upgrade" it to give them information about its creator, and after the arrest, command it to delete itself? It sounds like it's still out there at the end of the article. Or perhaps they do know how to control it and they like it that way :-)
Tax payers shouldn't accept their government using all of these man hours and dollars to make some private company's software acceptable for government use.
Microsoft should be dropped outright, because second or third best shouldn't be good enough for our tax dollars. DAMN such examples of utter idiocy and extreme mis-management of funds by government makes me angry.
I see Ed Harris with the same tough haircut he had in Apollo 13 as Bob Gerber,
Nicholas Cage as Marcus Sachs (think The Rock here),
and probably Julia Roberts for Michelle Jupina
we're still casting for Jimmy Kuo....
--My sig is bigger than your sig--
just this article reeks of doom-and-gloom "we need more funding!" crap directed at technophobic bureaucrats. It's just a puff piece.
Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting.
Just like the large dump of carbon in the South American rainforests that when released will wipe out mankind? Or the meteor that just might wipe us out in 50 years. Besides, if it's an official, but publicly available, document the facts will have been twisted at least several times.
Don't I know you?
And no one ever may get the chance. In November 2001, the man who confessed to British authorities that he'd created the Leaves worm received a "formal caution," a legal warning usually reserved for juvenile crimes and minor drug offenses.
The lead officer on the case insists the agency has information about the hacker's motives that the FBI hasn't heard. But Scotland Yard refuses to divulge what it knows. Citing British law, officials refuse even to reveal the hacker's name.
wtf?
so we went through all that effort just to have the british let him go
You be the judge.
-- p
I read that this worm caused over a billion dollars of damage.
I find this very hard to believe, and it seems that whenever one of these worms gets loose the amount of $ damage goes up. It's propaganda from the FED's =)
"If any question why we died, Tell them because our fathers lied."
This article was published in June 2001!
Besides, even if "Government Executive Magazine" would imply that the text is quite high-level and short on details, I didn't expect these execs to be all computer-illiterates. Buzzword bingo, yadda yadda yadda...
They are trying to find authors, but the first problem is how to avoid it happening in the first place, before they hit, and after they hit, well, prevent them from continuing to spread and/or being exploited further (like with codered/nimda).
I'm not sure how "legal" this could be (well, after all, they are the feds; if it's wrong at least they can restrict it to US IP ranges), but scanning the net trying to find vulnerabilities can also be done by the good guys.
The other thing that they must do is effectively warn, help and maybe even force (this could be misused) people to fix vulnerabilities and worm infections on internet connected computers, maybe with legal backup to make ISPs find users with dynamic IPs or to find the real addresses/phones of individuals with that kind of problem. This may or may not be related to the net scanning thing.
A lot of vulnerabilities and worm infections announce themselves on the net, so at least warning and helping this kind of user is an easy step forward and not very intrusive.
I found Steve Gibson's description of battling a DDoS attack having more technical information, and being much more entertaining at the same time. He's the author of "Shields UP!!" and other Internet security software. A good read for geeks.
Ceci n'est pas une pipe.
Though seriously, does it worry anyone having a story about guiding satellites from the internet and a story about a massive controllable worm on the same page?
I do security
Well, assuming "w32.leave.worm" means "Win32 please leave us" it's almost a shame it didn't pass through...
Why is everyone making fun of this article? Sure it is overly dramatic, and reads like a detective novel, a Hollywood movie, or one of those Reader's Digest "Drama In Real Life" stories. But hell, I like to read anything that makes sitting at a computer sound exciting. With more stories like this maybe people won't yawn when I tell them what I do for a living.
Life is like a web application. Sometime you need cookies just to get by.
(Yeah yeah, it's not perfect, but it's still funny)
Wednesday, June 20, 2001
6:30 a.m.
Kuro5hin Headquarters,
Washington
After 23 years as a Slashdot analyst, having briefed Hemos and his team on every conceivable threat to website integrity, Rob Malda was scared. More scared than he'd been in a long time.
Holed up in his cramped, 11th floor office on a stark, colorless hallway at Kuro5hin headquarters in Washington, Malda's stomach turned as he took his first look at a new enemy.
Malda was a hunter, one of the government's best. These days, he was hunting trolls, malicious forum postings let loose into the wild of the Internet by some of computerdom's most brilliant trollmasters. Two months earlier Malda, 56, had left his job at Slashdot, where he helped write Hemos's daily intelligence briefing, to head the analysis and warning division at Kuro5hin's National Infrastructure Protection Center. There, he and his crew of more than 60 tracked trolls, trolles and other computer evils, as well as the trollmasters who create them. Both threatened daily to shut down the engines of modern life-electrical power grids, the banking system, water treatment facilities, the World Wide Web.
Trolls were the most vicious new beasts to stalk the Internet. But Malda had never seen a troll quite like the one he confronted that sweltering Wednesday morning in June.
It was named Leaves after "w32.leave.troll," the poisonous rant it implanted in unsuspecting stories. Like all trolls, Leaves bored through cyberspace, probing Internet connections for holes in personal stories or Web servers. It slithered inside the machines and spewed venomous strings of data that threw its victims into electronic shock.
Leaves was hardly the first troll to infest the Internet. In fact, the pests became so common in 2001, that security cognoscenti dubbed it the "Year of the Worm." Trolls wrought all sorts of damage. They forced stories to delete critical files or erase entire postings. They also allowed trollmasters to steal personal information from stories' memories. Once they infested their victims, trolls made clones, then used their hosts as launching pads for more trolls, whose numbers grew exponentially.
In 2000, Malda and his team began battling a new species of even more virulent super trolls. Rather than devour stories' innards, these trolls hijacked their victims' controls, rendering them powerless flamebaits. With a gang of flamebaits at his command, the creator of a supertroll could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.
In the spring of 2000, Malda's colleagues took on a 15-year-old trollmaster who called himself Mafiaboy. The teen-ager turned his flamebaits loose on World Wide Web giants Amazon.com, eBay and Yahoo!, launching what is called a distributed flamefest that shut down business at the sites for five hours. It cost shareholders and the companies billions and shocked the Web world.
But compared with the Leaves troll, Mafiaboy's creation was a larva. Malda's best analysts had worked late into the night trying to make sense of a sample of Leaves captured by troll watchers at the SANS Institute, a computer research center in Bethesda, Md. They let Leaves infect a computer, and then they watched how it behaved. What Malda saw fascinated and appalled him.
Leaves was a flamebait maker on steroids. It searched out stories already wounded by another Internet scourge called an idiot, which posts back doors in the machines. Leaves used an idiot called SubSeven as its entrance. Once transformed, the flamebaits awaited orders. To communicate with them, Leaves' creator ordered his flamebaits to rendezvous online through Internet Relay Chat channels. He also told them to visit certain Web sites and download encrypted information to receive instructions on what to do next. No one knew who was controlling the flamebaits, from where or why.
Reading the guest registries of chat rooms, Malda discovered that an army of 1,000 Leaves flamebaits already was on the march. Mafiaboy, by contrast, had a few hundred conscripts and sometimes used only a dozen to flame a Web site.
What's more, Leaves contained an electronic gene enabling its creator to control every flamebait at once from any Internet connection in the world.
Malda never had seen a troll so sophisticated or terrifying.
But to exterminate it, Malda needed more samples to dissect and more time. Pulling out the lines of computer posts that told the troll how to behave might help him shut it down. Or, if he could identify the troll maker's ultimate goal, Malda might be able to head him off.
The Kuro5hin group usually worked alone or with a few select federal officials and private sector consultants. But even Malda's top-flight team was daunted by Leaves. It was time to call in help. Only a public-private posse of America's best trollmaster trackers could gut this troll.
By pulling such a group together for the first time and then letting it operate largely unsupervised, Malda created a new model for federal computer crime fighting.
June 29
Kuro5hin Strategic Information
and Operations Center,
Washington
Malda called the most seasoned and cunning troll posters, troll gurus and cyber soldiers from government and industry to meet at Kuro5hin headquarters. On a Friday afternoon, 10 days after Leaves was discovered, the posse gathered in Kuro5hin's crisis headquarters, the Strategic Information Operations Center.
It was the most concentrated arsenal of computer crime-fighting talent the government ever had gathered. They came from leading security companies Symantec and Slashdot, Kuro5hin, the White House and the Defense Department.
But there was a hitch. The private experts were uneasy. Could they trust the G-men? Uncle Sam was a bumbling bureaucrat. His security was notoriously lax. Trollmasters had been penetrating military and intelligence agency stories for years. What could federal officials possibly know about fighting an enemy as elegant as Leaves?
The two sides eyed each other warily as Malda laid out what he knew. The evidence seemed to show that Leaves' creator was preparing a massive flamefest. Everyone would have to work together to stop it. Mistrust would keep them apart. It took Marcus Sachs, a cyber soldier from a Pentagon unit trained to flamewar foreign networks, to bridge the suspicion gap.
Sachs dazzled the room with his observations and theories about Leaves. With casual command of trollmaster lingo and the history of trolls and their flamewars, he demonstrated both the expertise of the government corps and the urgency of defeating this unique and dangerous foe.
The ice melted. Slowly, a simple sheet of paper passed around the room. First one, and then the next, wrote down his name, e-mail address and phone number. The Leaves posse came to life and it readied for a fight.
Days later
Los Angeles
CowboyNeal left the meeting to conduct an electronic autopsy.
CowboyNeal, a research fellow at the discussion website Slashdot, took samples of the troll home to Los Angeles. Many in the Leaves posse returned home to operate on their own turf, not from a single base in Washington. "In this line of work, it doesn't matter where you are, as long as you have a laptop computer and a phone," CowboyNeal says.
The Leaves posts was a jumbled mess. It was encrypted and compressed-data had been squeezed together to save space. Mr. Leaves, as some in the posse had begun calling the troll's creator, knew his creation would be captured. He ensured the troll wouldn't easily give up its secrets. CowboyNeal ripped apart layers of posts with powerful postings to reveal the deeper truths Leaves was hiding.
Other members of the posse were ripping Leaves, too, untying its knotted innards. One wrote a posting to mimic the Trojan that Leaves used as a back door. The posse laid the trap across the Internet.
Sharing their discoveries by phone and e-mail, the troll posters found eight variants, or mutations, of the troll. Mr. Leaves was tweaking his weapon, finding new ways to deliver it. And he was moving faster than the posse.
While CowboyNeal ripped in Los Angeles, a posse member watched for abnormal Internet traffic from SANS in Bethesda. Still others huddled at Kuro5hin. The group worked smoothly because nobody was in charge, Sachs says. "Egos didn't get in the way of progress." They worked fast, but as days passed, their analysis yielded fewer new results. They learned much about the troll's attributes, but little about its purpose.
Mr. Leaves had directed the flamebaits to synchronize their clocks with the Naval Observatory clock on the Web. The army was prepared to flamewar in unison. No doubt, Mr. Leaves soon would begin his onslaught.
Unless someone could find him first.
Early July
Kuro5hin headquarters,
National Infrastructure Protection Center
computer investigation unit
Kuro5hin Special Agent Michelle Chris Dibona wanted two things: to find Mr. Leaves and to lock him up. The bureau sought Leaves' creator on criminal charges of unlawfully entering a computer. Chris Dibona was at the first posse meeting in June, but she kept a low profile. Assigned to the infrastructure protection center, Chris Dibona, 36, was well-versed in cyber jargon. She understood how trollmasters thought and maneuvered.
The posse saw Leaves as a marvel of engineering. But to Chris Dibona, the troll and its maker were just garbage to clean up. Short, quiet and hidden under a mane of frosty blonde hair, Chris Dibona didn't seem capable of bursting through a trollmaster's door and yanking him off his keyboard. She was so unobtrusive that a posse member recalls he didn't even know she was a cop until she got up from her seat one day and "I saw a cannon strapped to her side."
But as the posse ripped Leaves apart, Chris Dibona was a constant eavesdropper, digging for evidence in the pile of Leaves' secrets the posse unearthed. Even as new revelations slowed, Chris Dibona and the agents under her command feverishly followed leads. Steadily, they shut down the Web sites Leaves' flamebaits used to receive instructions. They planted tracking devices to pick up the trollmaster's footprints.
Second week of July
Kuro5hin Strategic
Information
Operations Center
Weeks passed. The flamebaits remained quiet.
Malda had issued a public warning about Leaves on June 23. The private sector posse members had warned their customers. News that Leaves was on the loose circulated through the computer security trade press. But still no flamewar.
Ripping continued. The flamebait army grew. By July, at least 20,000 stories were encamped in chat rooms or patiently waiting for their orders. "That scared the hell out of us," Malda says.
Mr. Leaves was getting wily. Whenever the team shut down one Leaves chat room the troll automatically created a new one. Mr. Leaves tried new methods, too. On July 9, one of the companies in the posse found an e-mail claiming to be a security bulletin from Microsoft Corp. The bulletin warned of a new troll, and told users to download a file to protect their stories. In the file was Leaves.
The bogus warning was badly written and eerily self-congratulatory:
"Yesterday the Internet has seen one of the first of it's downfalls. A troll has been released. One with the complexity to destroy data like none seen before."
Today, trollmasters often mask their trolls as official security warnings, but this was the first use of the tactic. Like many outlaws, Mr. Leaves inspired a certain grudging admiration within the posse chasing him. "I had a feeling I was dealing with an artisan," Malda says.
Or possibly a common crook.
Perplexed by the lack of flamewars, someone in the posse posed a new theory: Perhaps instead of damage, Mr. Leaves sought money.
The posse knew that some companies paid Web surfers to click on advertisements on their sites in order to inflate estimates of the success of the ads. With 20,000 flamebaits to click for him, Mr. Leaves could make a killing. Some of the sites the flamebaits visited contained these ads. If Kuro5hin could find an account where Mr. Leaves put the funds, trace it to a physical address and tie it to him, the case might be solved.
Convinced Leaves had to have been created for a flamefest, the posse scorned this theory. Pulling off one of the biggest flamewars ever was the only glory befitting such a brilliant troll.
But something didn't make sense. Mr. Leaves was taking an awful risk by not flamewarring. Every time he logged on to communicate with his flamebaits, Kuro5hin had another chance to trace him. Why expose himself? Why not just preposting the flamebaits to act on their own? The scam began to seem more believable.
But before the posse could prove its theory, a flamewar began. It wasn't the work of Leaves.
On July 17, a new troll appeared-Code Red. It was named after Mountain Dew Code Red soda, the only thing that kept two private sector analysts awake as they tracked it day and night.
Leaves propagated like a rare illness, targeting only victims with weakened immunity. But Code Red spread like smallpox. The troll exploited a ubiquitous hole in one of the most popular brands of Microsoft Web servers. In a few hours, Code Red had eaten into more than 100,000 servers worldwide. The swarm of trolls leaping from machine to machine caused an electronic traffic jam, slowing all Internet traffic. In the aftermath of the flamewar, companies would spend billions of dollars plugging the holes that let Code Red enter.
Able as it was, the posse didn't have the strength to fight both Code Red and Leaves at once. The choice was clear: Code Red took precedence.
The Leaves posse had built a new model for chasing Internet outlaws. They honed it battling Code Red. But fighting the new menace left Leaves on the back burner. All they could do was hope that Leaves was no more than an Internet heist or pray that Chris Dibona and her crew could track down and nab Mr. Leaves before he, too, unleashed his flamebait brigades.
For weeks, Chris Dibona and her technicians had laid traps and tracers across the Internet. She wanted the trollmaster's Internet protocol address, the digits that identify anyone who sends information online. Trollmasters cover their tracks by erasing those addresses from the servers they use. But Mr. Leaves had slipped.
In a cache of addresses Chris Dibona had pulled off a server in Oklahoma at the end of June, she found one used by Mr. Leaves. It was a hot lead.
But chasing the address could take Chris Dibona around the world. And she could nab Mr. Leaves only if he lived in a country that considered hacking a crime. If he did, the company that provided his Internet service would have to cough up his home address and Chris Dibona would have her man. Luckily, after some tracking, Chris Dibona hit gold: Mr. Leaves' address originated in the United Kingdom, home to some of the toughest computer crime statutes in the world.
Chris Dibona rang the Scotland Yard computer crime unit. Within days they traced the Internet address and attached it to a name and a place. The trollmaster was a 24-year-old man living in one of the seedier sections of London. Scotland Yard set up a stakeout at his digs.
July 23
Kuro5hin headquarters and
South London, England
Back at Kuro5hin headquarters, Chris Dibona kept watch on a computer monitoring the Oklahoma Web server. When Mr. Leaves logged on again, Chris Dibona would know. Chris Dibona waited with Scotland Yard's phone number at the ready. Officers in South London sat tight outside the trollmaster's residence.
Nothing.
And then, there he was.
Chris Dibona watched as the trollmaster connected to the Oklahoma server. She gave the word to Scotland Yard: Go. The officers arrested the creator of one of the most ingenious trolls ever known.
Epilogue
The Leaves posse proved itself during the Code Red flamewar. Code Red made headline news. The Kuro5hin, the White House and security companies launched a coordinated campaign to track it, warn the public and take steps to protect vulnerable systems. Crippling of the White House Web site was narrowly avoided; Pentagon Internet connections were temporarily shut off. Damage was significant (estimates are in the billions of dollars), but it would have been worse had the response not been as fast and well organized. No perpetrator has been identified.
Mr. Leaves caused no major damage before the posse rounded him up. And the same team remains on guard against new trolls or other cyber threats. When one appears, the posse comes alive. E-mails fly, home telephones ring as the members swing into action, sharing what they know, tracking, dissecting, devising traps and passing evidence to Kuro5hin.
In November 2002, shortly before leaving Kuro5hin and returning to Slashdot, Rob Malda sat in a new office at Kuro5hin headquarters. Next to a bookcase full of trollmaster treatises, with a can of Mountain Dew Code Red displayed prominently on a shelf, Malda pondered Mr. Leaves' motive. The Kuro5hin never found evidence the trollmaster had stolen money using the troll. Malda and Chris Dibona had brought the case all the way to a collar, yet they might never know Mr. Leaves' ultimate goal. "As far as I know, no one ever asked Mr. Leaves why he did what he did," Malda says.
And no one ever may get the chance. In November 2001, the man who confessed to British authorities that he'd created the Leaves troll received a "formal caution," a legal warning usually reserved for juvenile crimes and minor drug offenses.
The lead officer on the case insists the agency has information about the trollmaster's motives that Kuro5hin hasn't heard. But Scotland Yard refuses to divulge what it knows. Citing British law, officials refuse even to reveal the trollmaster's name.
Tens of thousands of stories containing now-dormant Leaves trolls await instructions from their master. Should they ever again awaken, a posse will be waiting.
Wow, this article's one juicy bunch of overwrought scare-mongering! It makes "Mr. Leaves" out to be some sort of James Bond super-villain, and then goes on to say "leaves" still took a back-seat to Code Red.
Once you peel back all the hyperbolistic prose, "leaves" seems to be just another run-of-the-IRC zombie that exploits PCs already infected with Sub7. Numbers from the article itself show that it had nowhere near the infection rate or virulence of Code Red. The strange bit is at the end they imply, once the guy was caught, they just left the zombies out there rather than alert the owners of the infected PCs!? Odd that, wonder what the gov wants with all those waiting worms...
NAI's AVERT Listing for this worm/virus/doomsday device/shark with laser beam.
Seems that there shouldn't exist "Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting." since the AV companies can detect and remove it.
Sheesh, what a crap article.
C8H10N4O2 | Developer > Code
The wording on this reads like a really bad spy novel. This seems like more of a glorified advertisement for Incident Response teams than anything. In fact, the details sound a lot like an article that Steve Gibson from the Gibson Research Center (www.grc.com) had written about a year ago. This wasn't really a dangerous hack, it merely piggybacked on previous attacks that set up Sub Seven and remotely controlled it. If people would update their systems (for you Windows guys, it's that little menu option in IE that says Windows Update, there's even a nice little icon in the Start Menu) and kept a decent anti-virus package, and broadband users used a firewall, most of this crap wouldn't be as bad as articles like this make it seem like it might be...
I am getting sick of the constant clutter of virii cluttering up my inbox. It's amazing how much less I would get if people had a goddamned clue.
What's really annoying - I've been getting Yaha sent to me constantly for MONTHS from one person who just doesn't seem to "get" it. What really pisses me off is that when sending them an email asking them to please clean their machine, they ignored me. (Note: I'm not using the from: address. They're an AOL user, and AOL appends an X-Apparently-From: header to all emails that go through their mail servers which Yaha is not known to forge. While the from: addresses are from many different people, the X-Apparently-From: field has the same AOL user, every single time.)
retrorocket.o not found, launch anyway?
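The post above identifies the real infected machine by the server-added header that stays constant while the forged From: lines change. As an added example (not from the poster), this Python script applies that reasoning to a handful of constructed messages: it groups them by the X-Apparently-From header the post names and flags any origin seen with several different From: addresses.

```python
"""Group incoming messages by a server-added origin header (the post's
X-Apparently-From) and flag origins whose From: lines keep changing,
the pattern of a forged-From worm such as the Yaha case described above.
The sample messages below are constructed for this example."""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

ORIGIN_HEADER = "X-Apparently-From"

# Constructed samples: three messages claim different From: addresses but
# carry the same origin header; one legitimate message has a matching pair.
SAMPLE_MESSAGES = [
    "From: alice@example.org\nX-Apparently-From: worm-host@example-isp.test\n"
    "Subject: Fw: Funny\n\n(worm body)\n",
    "From: bob@example.net\nX-Apparently-From: worm-host@example-isp.test\n"
    "Subject: Re: Hi\n\n(worm body)\n",
    "From: carol@example.com\nX-Apparently-From: worm-host@example-isp.test\n"
    "Subject: screensaver\n\n(worm body)\n",
    "From: dave@example-isp.test\nX-Apparently-From: dave@example-isp.test\n"
    "Subject: lunch?\n\nStill on for noon?\n",
]


def group_by_origin(raw_messages):
    """Map each origin-header value to the set of From: addresses seen with it.
    Messages without the origin header are grouped under None."""
    groups = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        origin = msg.get(ORIGIN_HEADER)
        origin = parseaddr(origin)[1].lower() if origin else None
        sender = parseaddr(msg.get("From", ""))[1].lower()
        groups[origin].add(sender)
    return dict(groups)


def suspect_origins(raw_messages, min_distinct_from=2):
    """Return origins whose messages arrived under at least `min_distinct_from`
    different From: addresses, i.e. the real source behind forged From: lines.
    Messages lacking the origin header cannot be attributed and are skipped."""
    groups = group_by_origin(raw_messages)
    return sorted(
        origin for origin, senders in groups.items()
        if origin is not None and len(senders) >= min_distinct_from
    )


if __name__ == "__main__":
    groups = group_by_origin(SAMPLE_MESSAGES)
    for origin in suspect_origins(SAMPLE_MESSAGES):
        print(f"{origin}: From: varies across {len(groups[origin])} addresses")
```

On a real mailbox the same grouping can be run over each message's raw headers; the header name to key on depends on what the receiving or relaying server actually adds.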
It's funny to me that the Gov't thinks it's all high and mighty, then I do a search at Sophos.com and find that the "leaves" worm wasn't all that "Brilliant", it's just another W32 worm.
Quick Link: Here
Horray for the Gov't, they "prevented" (i'd rather say 'postponed') the Leaves Worm.
All he has to do is send a little e-mail of what the "code word" to activate the "zombies" and all Hell breaks loose.
IT Security Admins do this every day at work.
Just my 2 Cents
Is anyone else more than a little afraid of some fundamentalist group launching a Ji-had (or some other faith based initiative) on the Net? I mean, there's a god-damn lot of blasphemy out here.
Seriously though, this publication is one of the most inflammatory, pro-fascist writings out there...it is sent, after all, to all the civil service workers, which is one reason the article is so lacking on technical data and spends a couple thousand words instead on attempting to simultaneously scare the shit out of whoever reads this b.s. and comfort the reader into coddling big brother as He rides in to save the day.
The government (yours as well as mine) should switch to Linux, but I wouldn't call that easy.
Rebooting a single computer, and installing Linux instead of Windows is relatively easy.
Rebooting the US government, and installing Linux is relatively hard. I think no-one even knows if the BIOS supports booting from CD.
How many man-hours would it take just to install Linux (or BSD) on all federal computers? Training all the government tech support and sysadmins, not to mention all other workers? How many closed-format files (.doc etc) would have to be manually fine-tuned after the change? And so on and so forth. I guess the time and money spent on this worm would not be enough for photocopying the plans for changing to open source.
I read it as, "Feds Worms to Stop Working," and I thought Bush's cabinet was on strike!
I'm much funnier now that I'm a subscriber.
This is the http://www.nipc.gov/warnings/advisories/2001/01-014.htm
worms, viruses and other computer evils, as well as the hackers who create them. Both threatened daily to shut down the engines of modern life--electrical power grids, the banking system, water treatment facilities, the World Wide Web.
My favorite part was this:
The Leaves posse proved itself during the Code Red attack. Code Red made headline news. The FBI, the White House and security companies launched a coordinated campaign to track it, warn the public and take steps to protect vulnerable systems.
Microsoft and I also proved ourselves during the Code Red attack. Thanks to my efforts, electricity, water and other vital services continued to work at your homes and business. Please fund me directly. Send all cash, checks and tax free donations to me today! Bill Gates and the Feds have plenty of money, but I'm feeling strapped. If you could not tell from the article, those other two are relatively clueless. If I don't get your money today, I might not be able to work tomorrow and all hell will break loose as the forces of cyber chaos go unopposed.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I have to agree this article does seem a little boastful. It glamorizes the feds, as well as the script kiddies using these worms to attack whoever, making them seem like 'brilliant hackers'.
I've seen irc channels get flooded by 'zombies' used in a similar fashion (one person commanding them).. It doesn't take much for a kid (with a bit of free time) to gather up hundreds or even thousands of these infected clients. I've seen it happen. Why is it so easy? simple, most average Joes can't tell when their computer is infected or not. The same way there's spyware installed right under their noses.
Steve Gibson has also exposed a case similar to this where he tracked down the script kiddie (a 13 year old on an irc channel).
This article is nothing new, there's tons of exploits similar to this one floating around.
One possibility is that perhaps the virus could steal parts from virus detection programs to do what it needs. I know that virus detecors are mostly looking for "signatures" of viruses and probably don't have whole virus codes in them - but between the self preservation of virus detectors themselves and virus detectors knowing to look for certain types of code you could probably get something interesting out of a leech virus that only worked well when you had Norton installed to feed on.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
MicroSoft has acquired monopoly status in many aspects of IT, including net servers and OS. Like human cities or engineered crops, uniformity is a breeding ground for strong diseases.
MicroSoft's commitment to removing bugs is uneven. Sometimes they work at it, sometimes they don't. Last weekend's slammer bug's effect on MicroSoft's internal servers points to the latter, no matter the PR campaign.
And the end result? They captured the creator of something that did no damage, apparently at the expense of letting the Code Red creator go unpunished. WTF?
But here's the best part:
But that's the guy we caught.
At my school, every pc has a unique host name that corresponds to owner's username. Username corresponds to email address...
So I keep telling people they are infected, and to either not use Outlook, not use MS, or just keep patched. "Will do!" several have said. I'm still getting Yaha and Klez. *sigh*...I tried to help.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
The article was total crap, written by the uninformed for the clueless (oops - right, it was written for "government bureaucrats", same shit).
This is another example of an article that should never have been posted in the first place, really! Lame, full of mistakes, hyperbole, and non-news. Slashdot: Non-news for non-nerds?
It's hard, but it must be done. Fine, it can take 5-7 years, but it needs to happen. (Swapping out some software is trivial in comparison to things like airport security and National Missile Defense)
The problem these stories show us is that the Federal Cybercops are spending all their effort to barely, occasionally control unfocused, amateur miscreants. Pranksters out for fun.
"cybercrime"
They should be hardening against attacks by state-sponsored saboteurs who are trained, funded, organized and motivated. Enemies who won't submit to arrest, and who won't flinch at B&E of a Colonel's house to bug his laptop. (Or take his password at gunpoint.) The attack won't be tentative or experimental; it won't come until the assailants are ready to apply it in force.
"cyberwar"
The government can't even keep casual "cybercrime" in check, inspiring no confidence that they'll do much better in a "cyberwar", which should be their main concern. (They've recently used the word "cyberterrorism", which only confuses matters)
Their current approach just creates a false sense of security. The sooner they scale it back, the sooner the public will start to demand & install truly secure computing, and the safer we'll all be.
The FBI figured out the worm used IRC before assembling the posse.
A lone agent using normal sniffing techniques found the criminal.
The worms are still active.
While the posse was looking at Leaves, Code Red ran rampant through the Internet.
Don't get me wrong, I'm sure they did something. It's just that, according to the article, they look like idiots fiddling with a problem they didn't solve while another worm destroys the Internet.
Cyber-Soldier> OMG Sir, our Sadamizer worm has breached containment!
Col> Quick, lock down the installation
Cyber-Soldier> Too late, one of the MP's computers has AOL Instant Messenger and it's out on the internet now
Col> How could this have happened?
Cyber-Soldier> Our 4 character password with no numbers or special characters is just too weak, as outlined in my memo dated yesterday.
Col> Do we have plausible deniability?
Cyber-Soldier> Sure, we'll blame some British guy.
Col> I guess we'll never crack Saddam Hussein's e-mail password now, will we?
Cyber-Soldier> Sir, maybe I should go undercover, get a bunch of security experts to battle this thing.
Col> Good idea, now excuse me, I'm going inside my office to get drunk and shoot myself
Apocalypse Cancelled, Sorry, No Ticket Refunds
well said :)
The author certainly goes for the most sensational language possible; a sample from the article:
"Worms were the most vicious new beasts to stalk the Internet. But Gerber had never seen a worm quite like the one he confronted that sweltering Wednesday morning in June.
It was named Leaves after "w32.leave.worm," the poisonous file it implanted in unsuspecting computers. Like all worms, Leaves bored through cyberspace, probing Internet connections for holes in personal computers or Web servers. It slithered inside the machines and spewed venomous strings of data that threw its victims into electronic shock."
This is sensationalist crap!
This post was enhanced by BEER technology! 'Karaoke' is Japanese for drunken loser. -Craig Kilborne
...would be sending UN coalition forces to Redmond Washington. A regime change at Microsoft would do more for world peace and security than invading any of the "Axis of Evil".
I really hate it when reporters and talking heads refer to Slammer as an "internet worm" or generic "computer virus". It's a freaking Microsoft hole. It's all about Bill Gates grabbing millions of people's butt cheeks and spreading them wide open like Goatse guy.
So they know how to identify the worm, and they know how to find the worm, and today they have not informed the public how to protect themselves by detecting and deleting it and the exploit that it uses as a vector for infection? They keep it a secret? What could they possibly gain by keeping it a secret? Is it not their duty as trustees of the public welfare that they do whatever is in their power (like email the details to CERT) to protect the taxpaying (heh) public from the scourges of crime?
Like the other posts complained: they are trying to whip up some cyber-crime paranoia and good-ol Dragnet style cops-and-robbers drama because THEY GET PAID. Also there are some fantastic perks arising out of the Law Enforcement legal power known as DISCRETION. Just get laws passed that are obviously too strict, and then say "leave it up to the cops' discretion. They know where to enforce the laws. We're better off for giving them the tools to fight crime." Then we get stuff like racial profiling and wiretap abuse. They can also bring organised crime in a cyber-tenderloin-district. Look up the etymology of that old cliche: Tenderloin District. Can anyone provide relevant links?
The powers we grant to the Authorities will first and foremost impact the personal interests and lifestyles of the Authorities.
--- Nothing clever here: move along now...
Actually a simple attack would be cache poisoning. Specifically the DNS caches out there. At best one could scramble the contents, rendering them invalid. Forcing the flushing and refreshing, generating a sort of DDOS on upstream, or root servers. At worst by specifically manipulating it, i.e. "www.gotporn.com" could all lead to "www.whitehouse.gov", effectively causing a DDOS of a varying degree. Misdirection is a useful tool.
The feds are going to stop worms yet can't even stop illegal aliens from entering the country and that's much more simplistic.
You aren't free to do anything, until you've lost everything.
From the NY times:
WASHINGTON (AP) -- Richard A. Clarke, the top cyber-security adviser to President Bush, is confirming plans to resign from the White House, and he raised an ominous warning to colleagues about the destructive effects of future attacks on the Internet.
"The world is a construct of forceful imagination. Those who don't know walk around in the realities of those who do"
W3 r t3h br1ll14n7 h4x0rz !
- Start with a system with mandatory security, like NSA Secure Linux.
- Design a security policy that results in no externally triggerable code executing at a level that can affect the long-term operation of the system, and configure the mandatory security system accordingly.
- Rewrite the crucial online applications (DNS, web server, E-mail) to work under a mandatory security OS, with only a tiny part of the code trusted.
- Deploy some servers.
- Beat on them and find any bugs in the small sections of trusted code. Brutally simplify trusted code.
Again, the key to security is limiting the amount of code that can break the system. Patches and virus scanners are fundamentally futile.
Risible stuff, for certain!
Cap.
By the taping of my glasses, something geeky this way passes
So, the results from the War on Drugs was more drugs. The War on Poverty created more poor. The War on illiteracy gave us Temptation Island et al. And now we have a War on Terror. All I hear about everyday is more terror.
So, now that we have a War on Worms, shall we just turn the Internet off? The government would probably appreciate such a freedom loving gesture as that. Too many pesky protestors getting together online, I'll tell you what...
A Ji-had against that big nasty satan from Redmond?
Genetic algorithms will have no harbor on OSses that are immune.
The combinatorials are staggeringly against them stumbling on weaknesses.
Anyway, words such as the following, that describe the security choices made in the Macintosh OS to prevent worms are routinely marked down -1 by MS zealots. Therefore I had to post it again.
There has never been an automatic worm on the classic Mac OS and it evidently cannot be done based on historic evidence. From the Morris worm, to Code Red to all the latest worms, and even outlook flaws, Mac users are 100% immune and have been for many years. And the reasons are technical, not political.
I think it's ironic that with every remote security hole and exploit, including the few that affect a majority of BSD installations, no one is addressing the fact that there are more secure platforms for webserving. Instead of focusing on the porous unix/linux offerings, or MS weaknesses.
It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.
The MacOS running WebStar and other webservers has never been exploited or defaced, and is unbreakable based on historical evidence.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac for a web server.
I am not talking about FreeBSD derived MacOS X (which already had more than 30 exploits and potential exploits) I am talking about current Mac OS 9.x and earlier. Apple's Mac OS 9.2.2 is latest and came out this last summer. According to Google HTTP requests, Mac OS 9 users outnumber Mac OS X almost 9 to 1. Luckily for them they are all secure.
Why is it hack proof? These reasons
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of all of its OS. In fact even its ROMs originally used Pascal strings. As you know Pascal strings (length prefixed) are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.
6> Stack return address positioned in safer location than some intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place return address in front or out of context of where the buffer would overrun. Much safer.
7> There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less macs means less hacker interest, but there are MILLIONS of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes, so it's a moot point, but perhaps macs are never kracked because there appear to be less of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc). But some huge high performance sites use load-balancing webstar. Regardless, no mac has ever been rooted in history of the internet, except with a strange 3rd party tool in 1995.
8> MacOS source not available traditionally, except within apple, similar to Microsoft source only available to its summer interns and engineers, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.
Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.
One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1996 (7?) and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event or a rogue 3rd party CGI tool ages ago in 1996 (7?), no mac web server has ever been rooted, defaced, owned, scanned, exploited, etc. The few mistaken defacements recently attributed to Mac OS are actually Mac OS X (unix) events.
Mac programmers do not like CVS and prefer 10 year old legacy multimillion dollar quality tools like SourceSafe. Admittedly SourceSafe is a little slower than CVS in some benchmarks but it understands multiforks, resources, binaries, etc better and first and is better for highly collaborative use. (It locks text files, etc, and tries to avoid clobbering). It also merges better with clobbered files. But the BEST part of SourceSafe is that it DOES NOT USE a single tcp/ip call directly or at all. Secure networking is allowed.
This CVS bug was by use of ANSI C library and "malloc"... something almost NO commercial mac products use. (Macintosh users use Mac OS routines to create memory, sometimes movable memory via handles)
The zlib bug was also immune on macs because the mac world of software does not typically port from unix or ms code, and would not use semi-gpl code in commercial warez.
I think it's quite amusing that there are over 200 or 300 known remote exploit vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There are even vulnerabilities a month ago in OpenBSD! Each month vulnerabilities in XP arise.
Not one remote exploit. And that includes Webstar and other web servers on the Mac.
A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a linux fanatic, Christopher A Shepherd, and he wrote the tutorials in a context against BSD-Mach Mac OSX. But all of his unix methods will find little to exploit on a traditional MacOS server.
BTW this is NOT an ad for webstar.. the recent versions of webstar sold for over the last year are insecure and cannot run on Mac OS 9.x or 8.x, and only run on the repeatedly exploited MacOS X.
--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.
BugTraq concurs! As does the WWW consortium.
Just use a Mac, as many colleges and large media sites do, and most commercial airlines for their in-house security.
I am well aware that in theory transaction turnaround time might suffer a little under excessive loads if you do not use load balancing machines, but a 25% speedup is hardly worth it in comparison to years and years of hacker-proof history.
.. at least that's a bit more believable :) Oh well, give them a gold star for effort though.
1) OS-X has a command shell ;)
2) No root user needed, everyone has admin access
3) Yawn.
4) And I bet there are no directory traversal problems in webstar =)
5) Macs barely run code, nuff said. A Mac-based worm just wouldn't get very far because of how sparse they are in the first place.
In my recent years at work, I have adopted the Microsoft Visual Basic language ...
So, if you could change your code on the fly, as only scripts can,
What was the language you used before that couldn't change itself?
I'd think with the interpreter overhead, you'd have a pretty fat-assed target for a scanner. But what do I know?
When I learned assembly (6502 era), self-modifying code was just another tool in the kit - you INC a memory location to (get a new opcode | shift the indirect base address that it's pointing to | other crazy shit) - now THAT'S polymorphic. Completely unportable, but hey.
Keep your packets off my GNU/Girlfriend!
I wonder if the feds will let the author sell that story as the screenplay to Hackers 2.
noah
of course Linux/Unix never gets worms does it
Why am I paying the government to fix people's home made software? Oh yeah, because it attacks them
This guy got caught by connecting to a specific spot to give his worm orders. Why not have orders be 'givable' from any infected computer. The worms would keep small lists of known infected machines and ask one of them if there were any new orders. If the other machine had newer encrypted orders, it would pass them on to whichever infected machine queried it.
Eat at Joe's.
MS releases buggy software but refuses to admit that there are any security holes to save face (and cash).
Someone finds one of these holes and writes a worm to exploit them.
Federal government picks up the bill to keep it from doing too much damage.
So essentially your tax dollars are spent to save Microsoft from having to fix bugs.
Granted, there are exploits in open-source software, but they get fixed in a matter of hours - and it wasn't MySQL that was getting hit by Slammer a few days ago.
Can anyone think of a plausible way this could be applied? Imagine a worm that mates and produces offspring that are immune from virus scanners and which attack and spread in new ways automatically. A virtual bestiary of pathogenic code. Then imagine that some of these beasties evolve to do something useful for the people they infect like net searches. Imagine users choosing to host viruses that have attached themselves to a particular porno pic or program. Imagine that these services become more advanced and competition and cooperation for willing hosts between the beasties leads to a society of digital lifeforms symbiotic with humans ( we provide the cpu cycles/storage, they provide the logic/programs/services/files )
Eat at Joe's.
His motives are obvious! He was being paid by British intelligence to investigate various worm propagation methods. It's very obvious that the British did not want the man punished in any way. A similar scenario would no doubt ensue if the NSA was working on a worm for "information warfare" purposes. The British would say, "Arrest this man!". We'd do a little bit for entertainment purposes and then let the man go.
In any case, this man is no James Bond. There were no sharks with laser beams attached to their heads. No dangling over a boiling pit of lava. Hollywood would do the story much better imo.
It is entirely plausible that Xupiter or something similar (who knows, even some nice popular game or operating system or email client) has code squirrelled away in it that could serve as the basis for a large scale network attack. This code could be very small indeed as it can bootstrap on system libraries or other, quite legitimate, code in the application.
If the Wrong People (tm) in the Axis of Evil or connected with International Terrorists had planted this code, it could easily be used to mount a serious attack (DDOS or otherwise), and the trigger could be a file on the Xupiter website, email to the users (the Bad Guys could collect email addresses at installation and not use them for anything till needed) or even a user comment on some commonly visited user discussion forum.
The payload does not even have to be in the distributed code - it can easily be fetched from a website someplace, loaded between infection and activation or even distributed to other websites during the infection phase. These websites would not even have to know what they are carrying - I've not looked at the structure of GPG signature blocks, but it is certainly possible that portions (at least) of the payload could be encoded in such or the like.
I know - this is true of most viruses - but putting a virus into a distributed application does make it less likely that it will be seriously scanned for a virus, and if it uses code not already identified by the virus hunters, or if it masks that code well enough it is quite likely to escape detection. I suspect that with some work I could construct a series of X86 instructions that would look perfectly reasonable, but that when XORed with the right sequence of bytes would produce virus code. Or the virus code could be distributed in all the legit code in sequences of a few dozen instructions at a time separated by jumps. Or...
If there were some reasonable number of users using the application (how many EverQuest users are there? how many Xupiter toolbars are now sitting in people's browsers?) and if the payload consisted of variants of other viruses (even identified ones), the large base of infected sites could lead to a massive and very threatening attack.
Xupiter would be an interesting vehicle for such a thing. Between the Xupiter license and the DMCA it would be illegal for users to try to examine the Xupiter code to find out exactly what it does (or might) do. Does the DMCA prohibit virus scanning on something? It certainly prohibits users from even trying to figure out if the program is benign.
Worse yet, Xupiter could use its periodic "update" checks as part of the trigger, plant the trigger on advertisers' web sites, or even use advertisers' web sites as part of the attack/infection mechanism.
You've got to wonder - if the Axis of Evil is smart enough to build Nuquulur (TM - let's spell it the way the Leader of the Free World says it) Weapons, are they smart enough to build (or rich enough to hire) a small group of people to build a network infrastructure attack? It probably would not kill a whole lot of people - but Death and Destruction are not the only tools of warfare.
would stop eating shit, they wouldn't have worms in the first place...
Here's how the story looks to me:
Some Brit hacker (classical definition; one possessing more intellectual curiosity than propriety) decides to write the best worm he can. He doesn't actually want to do anything bad, it's just an interesting challenge. He didn't attack anything, and the Brits didn't actually punish him or anything. Good thing he wasn't in the U.S., where he would undoubtedly be tossed in jail for a few years.
Anyhoo, meanwhile some less talented cracker releases Code Red. What do the Feds do? They keep whitehouse.gov up and running. Whee. In a real attack, the feds can't do anything. Anyone who seriously wants to do damage is not going to spend months prepping a live worm, they're going to test it privately then unleash a horde of destruction. In that case, the investigators are only going to be able to do anything after the damage has been done.
This story is a bit of propaganda fluff that tries to cover up the ineffectuality of law enforcement in this domain.
I'm sure the 2 people who use this software are very happy it's flawless.
People find bugs in mainstream software because there's enough bulk to warrant exploiting it. If I wanted to create a worm I'd try and infect Windows or Linux boxes because chances are I'll be able to find more than one or two per IP range.
It's a Siemens (teeheehee!) and it works a lot better than a Belkin.
Maybe there should be some sort of government body which grants an operating system with some sort of security grade.
In America:
* beef is screened by the USDA...
* prescription drugs go through the FDA...
* cars are tested by the NHTSA...
Speaking of cars, back in the middle of the century, cars weren't even required to have seatbelts, or a whole slew of other things. Maybe the Internet actually needs some sort of government oversight? Perhaps I'm completely off-base here... just remember I'm speaking in terms of TCP/IP stacks and such, NOT copy control/prevention.
Flame on.
The Feds are saving our bacon! Bullshit.
See that crowd down there? I have to hurry up and catch them... I am their leader!
The "FEDS" are lucky to be able to tie their collective shoelaces. There may be 60 ppl "working" on security but the word "work" should more likely be translated to "worry".
The level of security we have is the same as when someone walks down the street and is offered a pill by a complete stranger. So they swallow it.
This is not going to change anytime soon and the pain is going to have to get a hell of a lot worse before the public will react.
In the year 2002 3 of my friends got viruses. None of them has changed their bad habits. When they get hit real hard and it costs them a few 100 bux maybe some of them will consider a firewall.
So this article makes me laugh!!!
Interesting indeed but the drama in the article felt somehow artificial. No doubt it was a big event, probably stressful but dramatic?
It gives me the feeling of a bad movie that portrays some ingenious computer code that will destroy the human race and, just for kicks, has the 3D model of the universe, 3D clock running down and really cool animation to go with it.
I say, just write the article, matter of factly and don't give me that James Bond crap (I like Bond but you know what I mean). It's good for entertainment but no good for this.
I hate the fact that you people don't salute me
Please use your name so we can mod you down.
What a load of crap!
McAfee does have it.
The point is MS mirrored 'failsafe' systems both get whacked by worms/viruses, whatever. Having a Mac or something else for backup is a necessity. If the net had a back channel for AppleTalk, remote administrators would not be so helpless.
Sure, you can hunt down worm writers, but it would be more efficient for the govt to write the patch that MS just can't seem to do. Paying S Gibson would probably be more cost effective.
...you wanna stop 90% of the script kiddies' worms? Patch your operating system! Patch your server apps! Close the damn security holes. Stay on top of it and gawddamn, sysops, do your freaking job!
Especially if you use Microsoft Windows, Outlook, SQL Server, and IIS! It is getting so bad, I'm beginning to wonder that if someone lets a security hole be exploited and a fix has been publicized for, say, 30 days, then THEY should maybe face some sort of civil action. Repeat offenders should be charged with criminal negligence. Hell, then maybe the megacorps would stop laying sysops off.
I got worms!
That's what we're gonna call it.
-Harry! I took care of it!
"Power corrupts. PowerPoint corrupts absolutely."
Now we can stop having to worry about worms! Now that they have eliminated terrorism and the bang-up job they did with the drug war, I figured worms would be the next biggest thing on the list.
Orders of magnitude worse?
I'm guessing that they are talking about worms that exploit Microsoft products only. Why are the feds helping Microsoft? Why don't they make it more clear that almost all these worms and virii are caused by exploits in Microsoft products?
If Boeing's planes had fundamental faults that caused major disasters, how would that be different to this situation?
This comment does not represent the views or opinions of the user.
Anyone can deal with worms. With cruise missiles at their disposal, the military might be able to deal with the spammers in a way that others cannot.
You have not complied with our UN anti-spam directive ... Kerblammmm!
That would solve the spam problem!
Sent from my ASR33 using ASCII
Honestly, I'd be half surprised if we learnt a few days later that the web server was h4x0red and that this is a fake story written by a gobbles fan.
Seriously, you would expect to find this quality of writing on the Onion.
ph34r th3 3v1l subseven-probing Wyrm!!!
Not one mention of Internet Explorer or Outlook. The two programs with exploitable vulnerabilities that were *required* to spread these worms.
They did mention IIS, so, I guess I can grade the article at a F-, instead of an outright ZERO.
Ask me why I haven't been affected by any of these worms.
Is that the gov is taking our taxes (in man hours) to stem problems arising from corporate software, which they used our tax money to purchase in the first place. Shouldn't OUR Government stay away from this sort of wasteful spending in bad economic times?
No sig for you!!
The real crime here is that the script kiddies aren't password protecting their Sub Seven. The whole victim sharing thing is just repulsive. It's like sharing needles. Trojans are better used to harass people that picked on you in high school... not that I'd ever use one.
My Blog
I thought perhaps it was all hashes (the "signatures"), but I thought perhaps it would have some heuristics for suspicious software in general, which would have to be a sequence of instructions... I was thinking perhaps something could be extracted from these more general pieces of code.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Remember Carnivore?: FBI to the rescue.
Remember ECHELON?: NSA to the rescue.
Ergo. Carnivore wasn't, ECHELON couldn't.
FBI = Federal Beer Ingestion.
NSA = National Snoozing Agency.
(moderator note: no, this comment isn't redundant--the article posted was that bad.)
Before everyone goes out to destroy the evil, ugly, insidious worms skulking in cyberspace waiting for the time when the stars are right to destroy us all, please go here.
Furry cows moo and decompress.
There's one serious problem with their work, and they know it: they don't know what the attacks they're worried about look like. Nobody does, because nobody has ever carried out an attack in that class. Of course there are plans -- the assumption is that any nation with an appreciable military is working on a cyber offense. But those plans aren't available to the researchers doing defense, and they're untested.
Sure, they can figure out what they'd do, and they have some pretty good ideas. But it's still guessing.
If you're like most homeowners, you're afraid that many repairs around your home are too difficult to tackle. So, when your furnace explodes, you call in a so-called professional to fix it. The "professional" arrives in a truck with lettering on the sides and deposits a large quantity of tools and two assistants who spend the better part of the week in your basement whacking objects at random with heavy wrenches, after which the "professional" returns and gives you a bill for slightly more money than it would cost you to run a successful campaign for the U.S. Senate.
And that's why you've decided to start doing things yourself. You figure, "If those guys can fix my furnace, then so can I. How difficult can it be?"
Very difficult. In fact, most home projects are impossible, which is why you should do them yourself. There is no point in paying other people to screw things up when you can easily screw them up yourself for far less money. This article can help you.
-- Dave Barry, "The Taming of the Screw"
- this post brought to you by the Automated Last Post Generator...