Slashdot Mirror


When Will The Next Slammer Strike?

scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."

33 of 408 comments

  1. Next strike by Blackbox42 · · Score: 2, Interesting

    It seems to be every 3 months or a change of season. I'm betting on an IIS bug in March.

  2. Could someone explain... by zerosignal · · Score: 5, Interesting

    ...why ATMs were affected? I've seen this mentioned in a few articles but I didn't think banks would use the Internet to connect ATMs on their systems.

    1. Re:Could someone explain... by curtisk · · Score: 2, Interesting
      Seriously, I've seen pics of ATMs that got the BSOD.

      Possible, I guess, that MSSQL would be in the backend (?). Oracle more likely, and ATMs w/ BSOD have got to be the touchscreen GUI, IMO.

      --

      Dear toilet user!

  3. Government Funding of Security/Virus Prevention by Ieshan · · Score: 3, Interesting

    I think we ought to make virus-protection code public and government funded.

    I know way too many people who can't afford 50 bucks on a virus scanner or decent firewall software in College, and I saw Nimda infections up until the end of last year.

    If people could get this type of thing for free - money that would ultimately ensure the safety of the net at large - I think it should be done.

    1. Re:Government Funding of Security/Virus Prevention by Istealmymusic · · Score: 2, Interesting
      That doesn't help with new viruses, like the one this story is about.
      Newer versions of Norton AntiVirus contain heuristics to detect virus-like behavior. But I don't know if an AV would have helped with Slammer, since it did not even touch the disk; there are no files to scan. Can AV programs scan RAM for potential worms?
      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
    2. Re:Government Funding of Security/Virus Prevention by alucinacion · · Score: 2, Interesting

      I think we ought to make virus-protection code public and government funded. I know way too many people who can't afford 50 bucks on a virus scanner or decent firewall software in College, and I saw Nimda infections up until the end of last year. If people could get this type of thing for free - money that would ultimately ensure the safety of the net at large - I think it should be done.

      Universal healthcare for our computers, but not for our people?

  4. This is nothing yet by Scarblac · · Score: 5, Interesting

    The scariest thing is actually that this kind of damage is being done by a worm that doesn't actually do anything except spread itself (as far as I know, anyway).

    Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)

    --
    I believe posters are recognized by their sig. So I made one.
  5. Re:MS's own DBs were affected by blibbleblobble · · Score: 2, Interesting

    The same unpatched Microsoft networks, when Howard Schmidt was so recently quoted as dismissing as irresponsible those who failed to apply the 6-month-old patch?

  6. port 2434 by Anonymous Coward · · Score: 1, Interesting
    "Slammer gained access via "port 1434," tech lingo for a standard entry point for queries to Microsoft database servers. Simply closing that port isn't a viable option, however, as it would disable key business functions."

    Bullshit! Only an idiot would have 'key' business functions exposed like that. Maybe ISPs should by default block all non-standard ports to end-users unless specifically requested not to?

    Maybe then people might *think* before exposing critical services.

  7. Scary stuff, kids by Saint+Aardvark · · Score: 4, Interesting
    Posted to Bugtraq yesterday was a quick summary of a study of the Slammer worm and its effects. Quote:

    This worm required roughly 10 minutes to spread worldwide, making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.

    I read that and my jaw just dropped.

    This worm, from what I've read (these aren't my conclusions; I'm not that smart), did two very interesting things. The first is that it used one UDP packet to spread: no waiting around for the three-way TCP handshake, no hanging waiting for a reply, just send and move on to the next one. From what I understand, that's pretty new. Second, it caused most of its damage not by trashing filesystems or anything like that, but just by spewing *huge* amounts of traffic.

    The first is interesting because as a tactic, it'll almost certainly be copied. The second is interesting because it probably won't be copied.

    Well worth your time; it's fascinating -- and frightening -- reading. Get it here:

    http://www.caida.org/analysis/security/sapphire

  8. Re:MS's own DBs were affected by Spyffe · · Score: 2, Interesting
    Maybe they know the patches have more holes than they fix...


    Any mission-critical app simply shouldn't be on an MS system. They don't do what they say they do (Outlook 2000 can't even get sync over e-mail right given a dedicated in-house POP3 server) and charge you for tech support when you want to figure out how to work around their fucked-up code.

    --
    Sigmentation fault - core dumped
  9. I'm curious... by GreatOgre · · Score: 3, Interesting

    If we were to begin attacking either Iraq or North Korea, what amount of damage could they do by launching worms like this towards the US? Furthermore, what are the chances that they are busy looking for more exploits like this? After all, the US government does use a lot of M$ software.

    Just my two cents though.

  10. Now or Never by PsiFireWhite · · Score: 3, Interesting

    Give it about two weeks and everyone will forget what happened. Seems as though every time there is a net problem that affects 90% of the population it's big news and "a must fix problem." But we still have virii. Nothing has changed. So unless something is proposed in about 14 days, the masses will forget about it and it will lose its panicky fervor that disturbing the masses unleashes.

  11. I'm waiting for a QuickBooks virus by Anonymous Coward · · Score: 1, Interesting

    QB is just a script that runs in IE. Wait till some clown writes a virus that screws with the tax tables on the last payday in March. Since QB autoupdates tables and code, nobody will be suspicious. In fact, they'll be gratified it worked the first time because the updates usually crash.

    The quarterly return is filed shortly thereafter, ever try correcting a quarterly? It's fuckin' fun.

    Man, it'll kick everybody in the nuts.

  12. Good worm? by davidsn · · Score: 2, Interesting

    I always liked the idea of releasing a worm that fixed the exploit it exploited, and then removes itself. I believe someone did this in the past? But then I guess there's also the extra traffic it induces which'd be problematic in itself. Software vendors can't be expected to release perfect code all of the time (if ever), and people will always find bugs which can be exploited. I don't see any solution to this, other than the backup & recovery techniques.

  13. But the weekend is the best time for a worm by mr_exit · · Score: 4, Interesting

    I thought the whole reason worm writers release their creations on the weekend is so they have the best chance to spread before sysadmins wake up and realise what is happening.

    If it WAS let out during business hours, would it have gotten so far? Would it have caused much damage at all?

    --

    -------
    Drink Coffee - Do Stupid Things Faster And With More Energy!
    1. Re:But the weekend is the best time for a worm by jpiterak · · Score: 2, Interesting
      Hmmm... Considering that it took all of 10 minutes to spread worldwide, and peak expansion was at the 3 minute mark, I don't think it would have made much difference.

      One interesting thing to note is that many Cisco routers hung once the UDP traffic hit a threshold. Though this obviously didn't slow the speed of the spread of the worm, I wonder how this might have affected the saturation.

      As mentioned in the report, the saturation of this worm was less than the saturation of Code Red, mostly because of local bandwidth limits - In part because many routes were closed due to router failure.

      What is scary is how this again 'ups the ante.' Thinking from the standpoint of a paranoid security person:

      This is certainly not the only exploit available on machines in the wild

      This worm shows that an attack can be initiated and concluded before human beings can reasonably respond.

      This worm shows the limitations of a too rapid expansion.

      This worm shows flaws in the random number generator algorithm used to generate addresses for new infections.

      This worm showed a number of weak points in Western computer infrastructures. This is targeting information.

      This worm was a good 'first experiment' for similar high-speed attacks.

      Likewise:

      War between the US and Iraq is likely close.

      War between the US and North Korea is a strong possibility.

      Even if not done as a direct attack originating from a hostile power, there are computer-savvy people who might see this aggression as a justification or trigger for other action.

      As others have mentioned, It is not terribly far-fetched that there are 'smarter' worms in the wild... perhaps waiting for something like this type of rapid expansion worm to act as a trigger.

      I would make sure that your backups are current over the coming few months, and that you have contingency plans to handle Internet instability.

      As a paranoid, I have to think that this could get ugly...

  14. AP for job security - Think about this. by Anonymous Coward · · Score: 1, Interesting

    With security concerns, some production data centers have multiple networks, with a number of networks designed for a sole purpose. One of these networks is a "Control & Billing" (Terminal Servers, Telnet, SSH, etc.) network for the sole purpose of controlling a box, no Internet traffic at all. All it takes is one group of people plugging in servers with an MS product that can open your whole network.

    So a well planned billion dollar network can be taken down by a group of people. The command network is safe, it doesn't sit on the Internet. Right?

    Have a vendor plug in a laptop with an MS trojan, now your entire network is infected. This is only one of a number of ways to bypass all the good security procedures in place.

    This happens every year, multiple times, multiple networks thought as safe. People are looking at statistics about Uptime, and outages. MS Products are being phased out at an alarming rate.

    You won't hear this in the news, or the journal magazines. Megacorporations won't talk about it outside the company. Do you know how many hack attempts go unreported? How many trojans never make the news?

    SARC will only work on the public security problems. This only scratches the surface.

  15. patches and rips by urbazewski · · Score: 4, Interesting
    Okay, this is a bit offtopic, but I've been scanning the comments on various stories about the Slammer virus and have noticed that, according to many many posters, security patches can introduce new bugs in the software that cause it to behave erratically.

    My offtopic question is: why doesn't this happen with Linux ? (or does it happen with Linux?)

    I don't use Linux and I'm not a bona fide geek (I've never had 'root' access, which seems to be one of the key requirements --- that may change now that I use Mac OS X), and I've always wondered why using fixes, new functions, patches, whatever, written by numerous different people hasn't turned Linux or other open source into a non-functioning morass of code. I read Eric Raymond's The Cathedral & the Bazaar but I didn't really feel like he answered the question, other than referring to the gospel of Linus: "with enough eyes, any bug is shallow."

    Isn't an operating system more complicated (or at least more fundamental) than an application? Why doesn't (or how often does) fixing one bug in Linux create two new ones?

    blog-O-rama

    --
    foldplay your photos won't know what hit them.
  16. Re:Analysis of the Slammer/Sapphire worm by Skinny+Rav · · Score: 2, Interesting
    This: "nearly two orders of magnitude faster than Code Red"

    does not mean this: "Twice the speed of Code Red."


    Nearly two orders of magnitude faster means almost 100 times faster, not twice faster.

    Raf
  17. Worm indicates massive back-end udp exposures? by pophop · · Score: 5, Interesting

    1. The worm was strictly based on UDP 1434 transfer.
    I find it very difficult to believe major corporation firewalls would allow UDP 1434 inside from the Internet. Some, maybe - but few.
    So: I rule out direct penetration from the Internet for most corporate environments.

    2. Worm was memory resident only. Reboot cleared it.
    Most user PCs would be rendered useless by the worm. CPU and local network saturation would do that. So I doubt that people got infected and THEN VPN'ed into work. They would reboot, clear the worm, possibly get re-infected - but I doubt if they would be able to bring an already infected machine into work via VPN.

    Note: If split tunneling was allowed then it is quite possible for an already connected home PC to act as a vector into a company - my guess is that this is NOT common.
    So: I rule out employee remote access as a primary vector.

    3. This leaves me with back-end connectivity across private "trusted" comm channels (i.e. Frame).
    I know this was a vector in at least one case - and the circumstances (misconfigured ACLs that were overly generous in what UDP traffic they allowed from "trusted" business partners) are something that I suspect is very common in large organizations.

    The speed with which this thing moved (see: http://isc.sans.org/port1434start.gif) and the actual vectors I saw make me very suspicious that the large organizations of the world are massively linked by misconfigured routers/firewalls that allow way too much UDP traffic flow between trusted partners - effectively a "fuse" linking the world's computing infrastructures.

    That's it. Wacky and overly-speculative perhaps, but I would be interested in getting some anonymous feedback about the successful attack vectors other people saw in the propagation of the worm - particularly people in large organizations that have large "private" comm networks.

    --
    "very like a whale..."
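One way a defender could check for the UDP/1434 fan-out that comments 7 and 17 describe (an infected host spraying many addresses, possibly across an over-permissive "trusted partner" link), as an added example that is not code from the thread or from any poster; the flow-log format, addresses and thresholds are constructed assumptions:

```python
"""Added example (not from the Slashdot thread or any poster): flag hosts that
spray UDP/1434 at many distinct destinations within a short window, the
Slammer-style signal a defender could look for in firewall or NetFlow exports
from partner links. Log format, addresses and thresholds are constructed."""
from collections import defaultdict

# Constructed flow-log format: "<ts> <proto> <src> <dst> <dport> <bytes>"
def parse_flows(text):
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, dport, nbytes = line.split()
        flows.append((float(ts), proto.upper(), src, dst, int(dport), int(nbytes)))
    return flows

def find_udp_sprayers(flows, dport=1434, window=10.0, min_targets=20):
    """Return {src: peak distinct destinations} for sources that sent UDP to
    `dport` at >= min_targets distinct destinations inside any `window` seconds.
    A legitimate client talks to a handful of SQL servers; a Slammer-infected
    host sprays pseudo-random addresses, so distinct-destination fan-out is the
    signal, independent of byte or packet counts."""
    per_src = defaultdict(list)
    for ts, proto, src, dst, port, _ in flows:
        if proto == "UDP" and port == dport:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> packets to it inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:  # expire old events
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits

# Constructed sample: one partner host spraying 30 addresses in 3 seconds,
# a legitimate client polling a single SQL server, and unrelated TCP noise.
def _sample_log():
    lines = ["# ts proto src dst dport bytes"]
    for i in range(30):
        lines.append(f"{1000.0 + i * 0.1:.1f} udp 192.0.2.17 198.51.100.{i + 1} 1434 404")
    for i in range(30):
        lines.append(f"{1000.0 + i * 0.5:.1f} udp 192.0.2.50 192.0.2.200 1434 120")
    for i in range(30):
        lines.append(f"{1000.0 + i * 0.1:.1f} tcp 192.0.2.80 198.51.100.{i + 1} 1433 60")
    return "\n".join(lines)

SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for src, fanout in find_udp_sprayers(parse_flows(SAMPLE_LOG)).items():
        print(f"{src}: UDP/1434 to {fanout} distinct hosts within 10s (spray)")
```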
  18. Microsoft Responsible..... by jsimon12 · · Score: 3, Interesting

    The bigger question is why isn't Microsoft being held responsible? DSC was held responsible when one of their faulty switches brought down the East coast's telephone lines, and Ford/Firestone were held responsible for their faulty tires and vehicles. Sure they have statements that they aren't responsible in their EULA, but come on, doctors get sued even though people sign waivers. We need to put blame where blame belongs, and that is the company that originated this faulty and shoddy product.

    1. Re:Microsoft Responsible..... by Chester+K · · Score: 4, Interesting

      We need to put blame where blame belongs, and that is the company that originated this faulty and shoddy product

      I disagree completely on the fact that holding Microsoft responsible would be a chilling precedent that would effectively squelch software development, because all software has bugs.

      Would you contribute to Open Source projects if you knew that any bug you write, no matter how obscure and unintentional, might become a liability to you? Would getting your name in the changelog of the kernel be worth putting your financial future at risk?

      Oh, and it doesn't matter who discovers the bug. Even if it's discovered before it's exploited and you issue a patch for it (as Microsoft did in this case, I might add), you think the software author should still be held liable? Even though you did your part and fixed the bug? Isn't it the sysadmin's fault at that point?

      --

      NO CARRIER
    2. Re:Microsoft Responsible..... by myklgrant · · Score: 1, Interesting

      At the very least I think there should be a virus/worm naming convention fingering the guilty company. By the time we got to Microsoft Server Worm #25 people might think twice about using Redmond's product. I also doubt we'd ever get to Apache Worm #25 very quickly. Just an idea.

  19. Analogous to "frankenfoods" by mariox19 · · Score: 2, Interesting

    The ubiquitous presence of Microsoft products, coupled with their notorious vulnerabilities, is what puts the Internet environment in such a precarious state. This predicament is analogous to the supposed insidious danger for which environmentalists criticize so-called "frankenfoods."

    The argument against genetically modified organisms in commercial farming says that big business will curtail bio-diversity by settling on one or two strains for each crop or livestock. A single virus or other bug could then wipe out that entire food supply in one fell swoop.

    (Everyone is familiar with the potato famines in Europe and how they affected the impoverished who had come to rely on the potato as the sole staple in their diet.)

    Personally, I'm fine with GMOs, but I think we are risking something along the lines of an "Internet potato famine" when we rely on a particular breed of computer products (a.k.a. Microsoft) that is riddled with such fatal flaws.

    A little more "binary diversity" on the Internet would be a good thing.

    --

    Whatever it is, I fear girls, even those giving kisses.

  20. We are dead meat when... by kiwioddBall · · Score: 2, Interesting
    ... someone finds a similar UDP port exploit in IIS or IE (or indeed Apache). The infinite looping would kill the net, and the chances of patching would be zero (particularly in the case of IE, being an end user product).

    The only reason we weren't killed this time was because a database product was exploited, not a core internet product.

  21. How fast... by sean23007 · · Score: 4, Interesting

    Boy, how fast would everyone drop MS once and for all if this worm had been written to corrupt filesystems and/or destroy data? As it is, everyone will just try to patch their systems and whine a little bit, but at the end of the day they will still write out a check to Microsoft. Eventually, along will come a worm that will cripple Microsoft's ability to sell products any longer: when it becomes clear that using MS software is practically a guarantee that your data is vulnerable and could even be destroyed, Windows is finished; Microsoft is finished.

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.
  22. OpenSource is different.... by jsimon12 · · Score: 2, Interesting

    I don't think it would set a disturbing precedent; lawsuits are about MONEY, plain and simple. Lawyers don't file lawsuits unless they can get money (for the most part; sure, occasionally there is something filed for principle, but it is a rarity). A class action against an OpenSource project wouldn't garner much more than maybe a couple thousand, if even that. Which is by no means worth a lawyer's time. Microsoft on the other hand......BILLIONS........

  23. how about a slammer-cleaning worm... by GC · · Score: 4, Interesting

    Just how difficult is it to come up with some code that goes about finding vulnerable machines, makes them invulnerable, and tries to spend a modest amount of its time finding more vulnerable machines?

    Bring on the white-hat worms that actually fix problems, rather than cause them.

    Sure - ethics must be a problem, but there must be some slightly-un-ethical white hats out there ready to give this a go?

  24. Re:Analysis of the Slammer/Sapphire worm by crisco · · Score: 3, Interesting

    After CodeRed a paper named How to 0wn the Internet in Your Spare Time was published. In part, it said that a worm could 0wn the internet in 30 seconds given the right conditions. 10 minutes of Sapphire seems like a pretty good proof of concept demonstration, given the limitations (only infected a database server with limited market, etc). Could be fun to go back and read some of the /. naysayers, anyone have links to /. discussion?

    --

    Bleh!

  25. Re:Analysis of the Slammer/Sapphire worm by Anonymous Coward · · Score: 2, Interesting
    So, this spread so quickly as it was limited by bandwidth, not latency. Nimda and Code Red attacked TCP services, whereas this attacked a UDP service, so Slammer could simply send out thousands of requests and await the responses to trickle in, where Nimda and Code Red used the OS's TCP stack with multiple threads (spawn thread, connect(), wait for timeout).

    Consider this: you do not need to go through a complete connect() in order to scan TCP services. Instead, you can use raw sockets, spew out millions of SYN packets at once, and await the responses to trickle in. You don't need a whole lot of code - a complete TCP stack with retransmissions, etc. is not necessary since it can get its work done without them. You do not need to keep any state - don't keep a sequence number for each host: just set ISN = 0, and always increment what the response contained in the acknowledgement number field. If you're worried about someone figuring out about the scan and sending you crap data to foil it, just encrypt the destination IP and port into the ISN and see if the responses decode correctly.

    UDP services are the exception - DNS, part of MS-SQL, streaming media - the next worms are going to attack very widespread TCP services and may use techniques to scan thousands of hosts in seconds, just like Slammer. This is not over yet.

  26. Did you see the invisible gorilla? by dark-nl · · Score: 2, Interesting
    There are probably many such stealth worms crawling around right now. We just don't notice them because they're, well, stealth worms. Loud worms probably end up helping us by rubbing our noses into vulnerabilities that are being exploited far more malevolently by other worms.

    (On the other hand, writing a stealth worm is probably harder than it looks. Some sites carefully scrutinize their network traffic, and it only takes one of them to spot you. But would they tell anyone else?)

  27. Re:Analysis of the Slammer/Sapphire worm by Splab · · Score: 2, Interesting

    You know, what scares me isn't that this is possible, but that it was an accident. Remember this worm spreads out _fast_. What if the guy making it didn't mean for it to go out _yet_? What if he was testing it, and somehow forgot to keep it off the net? The worm seems to have 2 bugs in it, this could indicate it wasn't done. What if the original idea was to inject malicious code? Now that's scary.