Slashdot Mirror
When Will The Next Slammer Strike?
scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."
...why ATMs were affected? I've seen this mentioned in a few articles but I didn't think banks would use the Internet to connect ATMs on their systems.
I think we ought to make virus-protection code public and government funded.
I know way too many people who can't afford 50 bucks on a virus scanner or decent firewall software in College, and I saw Nimda infections up until the end of last year.
If people could get this type of thing for free - money that would ultimately ensure the safety of the net at large - I think it should be done.
The scariest thing is actually that this kind of damage is being done by a worm that doesn't actually do anything except spread itself (as far as I know, anyway).
Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)
I believe posters are recognized by their sig. So I made one.
This worm required rougly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.
I read that and my jaw just dropped.
This worm, from what I've read (these aren't my conclusions; I'm not that smart), did two very interesting things. The first is that it used one UDP to spread: no waiting around for the three-way TCP handshake, no hanging waiting for a reply, just send and move on to the next one. From what I understand, that's pretty new. Second, it caused most of its damage not by trashing filesystems or anything like that, but just by spewing *huge* amounts of traffic.
The first is interesting because as a tactic, it'll almost certainly be copied. The second is interesting because it probably won't be copied.
Well worth your time; it's fascinating -- and frightening -- reading. Get it here:
http://www.caida.org/analysis/security/sapphire
Carousel is a lie!
If we were to begin attacking either Iraq or North Korea, what amount of damage could they do by launching worms like this towards the US? Furthermore, what are the chances that they are busy looking for more exploits like this? After all, the US government does use a lot of M$ software.
Just my two cents though.
Give it about two weeks and everyone will forget what happened. Seems as though every time there is a net problem that effects 90% of the population it's big news and "a must fix problem." But we still have virii. Nothing has changed. So unless something is proposed in about 14 days, the masses will forget about it and it will loose it's panicy ferver that distrubing the masses unleashes.
I thought the whole reason worm writers release their creations in the weekend is so they have the best chance to spread before systadmins wake up and realise what is happening.
If it WAS let out during business hours, whould it have gotten so far? would it have caused much dammage at all?
-------
Drink Coffee - Do Stupid Things Faster And With More Energy!
My offtopic question is: why doesn't this happen with Linux ? (or does it happen with Linux?)
I don't use Linux and I'm not a bonafide geek (I've never had 'root' access, which seems to be one of the key requirements --- that may change now that I use Mac OS X), and I've always wondered why using fixes, new functions, patches, whatever, written by numerous different people hasn't turned Linux or other open source into a non-functioning morass of code. I read Eric Raymond's The Cathedral & the Bazaar but I didn't really feel like he answered the question, other than refering to the gospel of Linus "with enough eyes, any bug is shallow."
Isn't an operating system more complicated (or at least more fundamental) than an application? Why doesn't (or how often) does fixing one bug in Linux create two new ones?
blog-O-rama
foldplay your photos won't know what hit them.
1. The worm was strictly based on UDP 1434 transfer
.
I find it very difficult to believe major corporation firewalls would allow UDP 1434 inside from Internet. Some, maybe - but few.
So: I rule our direct penetration from the Internet for most corporate environments.
2. Worm was memory resident only. Reboot cleared it.
Most user PC's would be rendered useless by the worm. CPU and local Network saturation would do that. So I doubt that people got infected and THEN VPN'ed into work. They would reboot, clear the worm, possibly get re-infected - but I doubt
if they would be able to bring an already infected machine into work via VPN.
Note: If split tunneling was allowed then it is quite possible for an already conencted home PC to act as a vector into a company - my guess
is that this is NOT common.
So: I rule out employee remote access as a primary vector.
3. This leaves me with back-end connectivity across private "trusted" comm channels. ( i.e. Frame )
I know this was a vector in at least one case - and the circumstances ( misconfigured ACL's that were overly generous in what UDP traffic they
allowed from "trusted" business partners ) is something that I suspect is very common in large organizations.
The speed which this thing moved ( see: http://isc.sans.org/port1434start.gif ) and the actual vectors I saw make me very suspicious that
the large organizations of the world are massively linked by misconfigured routers/firewall that allow way too much UDP traffic flow between
trusted partners - affectively a "fuse" linking the worlds computing infrastructures.
That's it. Wacky and overly-speculative perhaps but I would be interested in getting some anonymous feedback about the successful attack vecors
other people saw in the propagation of the worm - particularly people in large organizations that have large "private" comm networks.
"very like a whale..."
The bigger question is why isn't Microsoft being held responsible? DSC was held resobsible when one of their faulty switches brought down the East coast's telephone lines, Ford/Firestone were held responsible for their faulty tires, vehicles. Sure they have statements that they aren't responsible in their EULA, but come on, doctors getted sued even though people sign waivers. We need to put blame where blame belongs, and that is the company that orginated this faulty and shoddy product
Boy, how fast would everyone drop MS once and for all if this worm had been written to corrupt filesystems and/or destroy data? As it is, everyone will just try to patch their systems and whine a little bit, but at the end of the day they will still write out a check to Microsoft. Eventually, along will come a worm that will cripple Microsoft's ability to sell products any longer: when it becomes clear that using MS software is practically a guarantee that your data is vulnerable and could even be destroyed, Windows is finished; Microsoft is finished.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
Just how difficult is it to comeup with some code that goes about finding vulnerable machines, makes them invulnerable, and tries to spend a modest amount of it's time finding more vulnerable machines.
Bring on the white-hat worms that actually fix problems, rather than cause them.
Sure - ethics must be a problem, but there must be some slightly-un-ethical white hats out there ready to give this a go?
After CodeRed a paper named How to 0wn the Internet in Your Spare Time was published. In part, it said that a worm could 0wn the internet in 30 seconds given the right conditions. 10 miniutes of Saphire seems like a pretty good proof of concept demonstration, given the limitations (only infected a database server with limited market, etc). Could be fun to go back and read some of the /. naysayers, anyone have links to /. discussion?
Bleh!