Feds Working to Stop Worms
mbenzi writes "This article from GovExec describes how the feds worked to prevent a worm that could have been orders of magnitude worse than Code Red. Short on details, but an interesting timeline."
With a gang of zombies at his command, the creator of a superworm could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.
Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting.
With writing like this it sounds like someone trying to scare up funds to keep this department up and running.
In all seriousness I don't understand how they can tell if a worm was "more serious" than Code Red. The best thing about most worms is that most of them are "so wonderful" that they leave out a few details and never make it anywhere but the author's test system.
It's not worms I'm afraid of, it's next-gen virii. With problem-solving and logic bots that use AI it's just a matter of time before you train a program to do malicious things and give it multiple ways of accomplishing one goal of infection with a prime directive of self-preservation; that would be the 'ultimate' worm.
We've all seen the AI program's ability to play chess, and that is impressive all in itself; can you imagine the same type of system loaded with every exploit ever documented, and then the ability to gain access via that list? Or imagine if somehow the program were able to receive the notices of bugs (CERT, Bugtraq, errata, and MS) and then learn of new potentially unpatched systems.
The problem would be not implementing the worm, nor stopping it, but finding a reason for its existence. Would it be used as a proof-of-concept only to be more horribly enacted in version 2? Would it be used for a massive DDoS attack on key internet systems, thus disabling the net for a small amount of time? Or would the system dump all valuable information on a centralized server and then essentially commit suicide?
The only problem is how could this bug be 'harmful' to a host system if the prime directive was self perseverance? It's a little bit too deep of thinking for a Friday morning, but we have yet to see what virii are actually capable of.
Ignore the "p2p is theft" trolls, they're just uninformed
http://www.grcsucks.com
nuff said
So the best government executives in the USA act like secret agents in cheap pulp detective novels?
Perhaps they should try:
a) alerting businesses and organisations that have vulnerable systems.
c) naming and shaming software manufacturers with poor security processes.
But I guess fighting faceless villains with wicked plots to destroy the world is a lot more fun.
It's not quite as exciting when you realise that most of the villains are actually just naughty children.
I'm not sure that this guy worked for the FBI, but here is an interesting version of the same story:
http://grc.com/dos/drdos.htm written by the author Gibson
-- If i knew what i was doing i'd make sure not to do it again --
In the article, they make it sound as if the feds figured out everything about the worm. If they knew how it was supposed to receive instructions, why not "upgrade" it to give them information about its creator? And after the arrest, command it to delete itself. It sounds like it's still out there at the end of the article. Or perhaps they do know how to control it and they like it that way :-)
Wow, this article's one juicy bunch of overwrought scare-mongering! It makes "Mr. Leaves" out to be some sort of James Bond super-villain, and then goes on to say "leaves" still took a back-seat to Code Red.
Once you peel back all the hyperbolic prose, "leaves" seems to be just another run-of-the-IRC zombie that exploits PCs already infected with Sub7. Numbers from the article itself show that it had nowhere near the infection rate or virulence of Code Red. The strange bit is at the end they imply, once the guy was caught, they just left the zombies out there rather than alert the owners of the infected PCs!? Odd that; wonder what the gov wants with all those waiting worms...
Since most of these large-scale DDoS attacks have been local in origin, the Bush administration's fear-mongering about Jihads in cyberspace is little more than propaganda.
We should probably be more worried about socially stunted 15 year-old prodigies.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
Hang on - surely this should be modded "+5 Funny"? Gibson is an uneducated, non-technical, hype-obsessed idiot. Check out grcsucks.com for more.
---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"
Genetic algorithms will have no harbor on OSes that are immune.
The combinatorials are staggeringly against them stumbling on weaknesses.
Anyway, words such as the following, that describe the security choices made in the Macintosh OS to prevent worms are routinely marked down -1 by MS zealots. Therefore I had to post it again.
There has never been an automatic worm on the classic Mac OS and it evidently cannot be done, based on historic evidence. From the Morris worm to Code Red to all the latest worms, and even Outlook flaws, Mac users are 100% immune and have been for many years. And the reasons are technical, not political.
I think it's ironic that with every remote security hole and exploit, including the few that affect a majority of BSD installations, no one is addressing the fact that there are more secure platforms for webserving, instead of focusing on the porous unix/linux offerings or MS weaknesses.
It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.
The MacOS running WebStar and other webservers has never been exploited or defaced, and is unbreakable based on historical evidence.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac for a web server.
I am not talking about FreeBSD-derived MacOS X (which already had more than 30 exploits and potential exploits); I am talking about current Mac OS 9.x and earlier. Apple's Mac OS 9.2.2 is latest and came out this last summer. According to Google HTTP requests, Mac OS 9 users outnumber Mac OS X almost 9 to 1. Luckily for them they are all secure.
Why is it hack proof? These reasons:
1> No command shell. No shell means no way to hook or intercept the flow of control with the many various shell-oriented tricks found in Unix or NT. Apple uses an object model for process-to-process communication that is heavily typed and "pipe-less".
2> No root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of its OS. In fact even its ROMs originally used Pascal strings. As you know, Pascal strings (length-prefixed) are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is fewer buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "Pascal string" is, it usually has no null byte terminator.
4> Macs running WebStar have the ability to only run CGI placed in the correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache, as you know, has had many problems in earlier years preventing wayward execution.
5> Macs never run code merely based on how a file is named. ".exe" suffixes mean nothing! For example, the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool-oriented utilities that work with data files. For example, file copy utilities preserve launchable file types, but JPEG, MPEG, HTML, TXT etc. oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A Mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY Mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc. are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that Mac web programs and server tools do not usually create files with resource forks. TOTAL security.
6> Stack return address positioned in a safer location than on some Intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place the return address in front of, or out of context of, where the buffer would overrun. Much safer.
7> There are fewer Macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Fewer Macs means less hacker interest, but there are MILLIONS of Macs sold, and some of the most skilled programmers are well versed in systems-level Mac engineering and know of the cash prizes, so it's a moot point, but perhaps Macs are never kracked because there appear to be fewer of them. (Many Macs pretend they are unix and give false headers to requests to keep up the illusion: ftp, http, finger, etc.) But some huge high-performance sites use load-balancing WebStar. Regardless, no Mac has ever been rooted in the history of the internet, except with a strange 3rd party tool in 1995.
8> MacOS source not available traditionally, except within Apple. Similar to Microsoft source being only available to its summer interns and engineers, source is rare for MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reason the MacOS has never been remotely broken into and exploited.
Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.
One 3rd party tool created the only known exploit backdoor in Mac history and that was back in 1996 (7?) and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one Macintosh web server on the internet has been broken into or defaced EVER. Other than that event or a rogue 3rd party CGI tool ages ago in 1996 (7?), no Mac web server has ever been rooted, defaced, owned, scanned, exploited, etc. The few mistaken defacements recently attributed to Mac OS are actually Mac OS X (unix) events.
Mac programmers do not like CVS and prefer 10-year-old legacy multimillion-dollar quality tools like SourceSafe. Admittedly SourceSafe is a little slower than CVS in some benchmarks, but it understands multiforks, resources, binaries, etc. better and first, and is better for highly collaborative use. (It locks text files, etc., and tries to avoid clobbering.) It also merges better with clobbered files. But the BEST part of SourceSafe is that it DOES NOT USE a single tcp/ip call directly or at all. Secure networking is allowed.
This CVS bug was by use of the ANSI C library and "malloc"... something almost NO commercial Mac products use. (Macintosh users use Mac OS routines to create memory, sometimes movable memory via handles.)
The zlib bug was also immune on Macs because the Mac world of software does not typically port from unix or MS code, and would not use semi-GPL code in commercial warez.
I think it's quite amusing that there are over 200 or 300 known remote exploit vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There were even vulnerabilities a month ago in OpenBSD! Each month vulnerabilities in XP arise.
Not one remote exploit. And that includes Webstar and other web servers on the Mac.
A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a Linux fanatic, Christopher A Shepherd, and he wrote the tutorials in a context against BSD-Mach Mac OS X, but all of his unix methods will find little to exploit on a traditional MacOS server.
BTW this is NOT an ad for WebStar.. the recent versions of WebStar sold over the last year are insecure and cannot run on Mac OS 9.x or 8.x, and only run on the repeatedly exploited MacOS X.
--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.
BugTraq concurs! As does the WWW consortium.
Just use a Mac, as many colleges and large media sites do, and most commercial airlines for their in-house security.
I am well aware that in theory transaction turnaround time might suffer a little under excessive loads if you do not use load-balancing machines, but a 25% speedup is hardly worth it in comparison to years and years of hacker-proof history.
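Point 3 of the post above argues that length-prefixed ("Pascal") strings reduce buffer overflows because the length travels with the data instead of being discovered by scanning for a NUL. The following is an added example, not code from the post or from any Mac OS API, that makes the mechanism concrete: a hypothetical fixed-capacity length-prefixed string type (`pstr`, capacity 255 to fit the one-byte length prefix) whose copy and append operations clamp to the capacity, next to a bounded C-string copy that has to be told its destination size separately. The worked point is that the safety comes from checking against the capacity; the length prefix merely makes that check cheap and hard to forget.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-prefixed string: one byte of length, no NUL
   terminator needed. Constructed for this example; not a real Mac OS type. */
#define PSTR_CAP 255

typedef struct {
    uint8_t len;          /* number of valid bytes in data[] */
    char data[PSTR_CAP];  /* payload; bytes past len are don't-care */
} pstr;

/* Replace the contents of dst with at most PSTR_CAP bytes of src.
   Returns how many source bytes were dropped (0 when everything fit). */
size_t pstr_set(pstr *dst, const char *src, size_t src_len) {
    size_t n = src_len > PSTR_CAP ? PSTR_CAP : src_len;
    memcpy(dst->data, src, n);
    dst->len = (uint8_t)n;
    return src_len - n;
}

/* Append to dst. The prefix tells us exactly how much room remains,
   so the clamp is a single subtraction rather than a strlen() scan. */
size_t pstr_append(pstr *dst, const char *src, size_t src_len) {
    size_t room = PSTR_CAP - dst->len;
    size_t n = src_len > room ? room : src_len;
    memcpy(dst->data + dst->len, src, n);
    dst->len = (uint8_t)(dst->len + n);
    return src_len - n;
}

/* C-string counterpart. The classic bug is strcpy(dst, src): the
   destination carries no capacity and the source carries no length, so
   nothing in the call can notice that src is too long. The bounded form
   below needs the caller to pass dst_cap explicitly and always leaves
   room for the terminator. Returns the number of bytes dropped. */
size_t cstr_set_bounded(char *dst, size_t dst_cap, const char *src) {
    size_t src_len = strlen(src);
    size_t n = src_len < dst_cap - 1 ? src_len : dst_cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len - n;
}

int main(void) {
    /* Constructed oversized input: 300 'A's, longer than either buffer. */
    char big[300];
    memset(big, 'A', sizeof big);

    pstr p;
    size_t dropped = pstr_set(&p, big, sizeof big);
    printf("pstr_set: kept %u bytes, dropped %zu\n", p.len, dropped);

    pstr_set(&p, "hello", 5);
    dropped = pstr_append(&p, big, sizeof big);
    printf("pstr_append: kept %u bytes, dropped %zu\n", p.len, dropped);

    char small[8];
    dropped = cstr_set_bounded(small, sizeof small, "hello world");
    printf("cstr_set_bounded: \"%s\", dropped %zu\n", small, dropped);
    return 0;
}
```

Note that a length-prefixed string written without the clamp (copying `src_len` bytes into `data[]` unconditionally) overflows exactly like `strcpy`; the return value reporting dropped bytes is there so callers can treat truncation as an error rather than silently losing data.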
Microsoft has acquired monopoly status in many aspects of IT, including net servers and OS.
Microsoft has monopoly status in the area of desktop OSes and certain end-user applications. It has no such status in the realm of servers, where its market share is about 42%.
Here's how the story looks to me:
Some Brit hacker (classical definition: one possessing more intellectual curiosity than propriety) decides to write the best worm he can. He doesn't actually want to do anything bad; it's just an interesting challenge. He didn't attack anything, and the Brits didn't actually punish him or anything. Good thing he wasn't in the U.S., where he would undoubtedly be tossed in jail for a few years.
Anyhoo, meanwhile some less talented cracker releases Code Red. What do the Feds do? They keep whitehouse.gov up and running. Whee. In a real attack, the feds can't do anything. Anyone who seriously wants to do damage is not going to spend months prepping a live worm; they're going to test it privately, then unleash a horde of destruction. In that case, the investigators are only going to be able to do anything after the damage has been done.
This story is a bit of propaganda fluff that tries to cover up the ineffectuality of law enforcement in this domain.