Slashdot Mirror


Worms Going Further, Faster

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix ;login: passes along a few distilled factoids from a CAIDA analysis of the 'Sapphire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed at which 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I take 'better' to mean 'able to infect across a lot of platforms.'"

301 comments

  1. Oh no! Shut the Interweb off! by ObviousGuy · · Score: 5, Insightful

    There's a lot that can't be done about these things because at the very bottom of every system is a human being who will forget to patch the system or stupidly open an executable.

    There is no patch for human carelessness.

    --
    I have been pwned because my /. password was too easy to guess.
  2. Ah, the lovely internet... by Qweezle · · Score: 5, Funny

    I'm wonderfully happy to live in a world where the only large-scale communication network is prone to mass disruption and/or destruction at the drop of a pin. Great.

    1. Re:Ah, the lovely internet... by mr3038 · · Score: 1
      I'm wonderfully happy to live in a world where the only large-scale communication network is prone to mass disruption and/or destruction at the drop of a pin.

      I think that should have been moderated as "Sad" instead of "Funny"... However, the issue here isn't that one can easily cause mass disruption to the world wide web, but that one can easily ask "other people" to automatically execute a piece of code that causes some disruption. The "other people" refers to users who use b0rken software.

      It's like your car had a "feature" which caused it to go on full throttle and flash lights continuously in case somebody flashed lights at it. You'd see nationwide transportation systems go haywire very fast after someone flashed lights once. In this case the problem wouldn't be that the highways were badly designed but that the majority of the users of those had malfunctioning devices (cars). It's the same thing here - except that software is much harder to do right than cars and practically any piece of software can send information to other computers at will. Firewalls cannot do a thing when the traffic is routed through HTTP and personal firewalls cannot do a thing if the worm asks the browser to send the information for it (browsers usually have access to other computers through the firewall).

      --
      _________________________
      Spelling and grammar mistakes left as an exercise for the reader.
    2. Re:Ah, the lovely internet... by blibbleblobble · · Score: 1

      "I'm wonderfully happy to live in a world where the only large-scale communication network is prone to mass disruption and/or destruction at the drop of a pin"

      Internet goes on drunken spree in town, returns home to drown sorrows. Communication down for the next week, ambulance crews take the holiday.

  3. Good for the worms by Anonymous Coward · · Score: 5, Funny

    Fast moving worms are harder for those pesky birds to get at.

    1. Re:Good for the worms by Saad+M · · Score: 1

      Kinda makes the phrase "The early bird catches the worm", redundant doesn't it.

    2. Re:Good for the worms by Anonymous Coward · · Score: 0
      Slashpoll -- My favorite cowboy hero is:
      [ ] Tom Mix
      [ ] Gene Autry
      [ ] Bill Boyd
      [ ] Roy Rogers
      [ ] Clayton Moore
      [ ] Randolph Scott
      [x] CowboyNeal
  4. damn. by wo1verin3 · · Score: 4, Funny

    I thought this article was about Worms 2 being released for linux :(

    1. Re:damn. by gregfortune · · Score: 3, Funny

      Oh come on, that's not a troll... Worms 2? I'd open my firewall up for that one :)

    2. Re:damn. by bedessen · · Score: 1

      Worms 2: The Reckoning

      Coming soon to theatres near you

    3. Re:damn. by Inda · · Score: 1

      Martyn Brown says "It will be ported sooooooooooooooooooooon"

      Not a funny joke but funnier than waiting 3 years for the Armageddon patch.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  5. I had worms once... by Anonymous Coward · · Score: 2, Funny

    It was terrible. I had to take lots of drugs.

    1. Re:I had worms once... by PetWolverine · · Score: 1

      Yeah, I have to take a lot of drugs too.

      Wait, what's that about worms?

      --
      I found the meaning of life the other day, but I had write-only access.
  6. Re:Oh no! Shut the Interweb off! by rkz · · Score: 5, Funny

    Cut off their arms?

  7. I've got worms! by eupheric · · Score: 5, Funny

    obligatory dumb and dumber:
    LLOYD
    (smiling)
    I got worms.

    MARY
    I beg your pardon?

    LLOYD
    That's what we're gonna call it: I
    Got Worms. We're gonna specialize in
    selling worm farms -- you know, like
    ant farms. A lot of people don't
    realize that worms make much better
    pets than ants. They're quiet,
    affectionate, they don't bite, and
    they're super with the kids.

    MARY
    Aren't ants quiet, too?

    1. Re:I've got worms! by antdude · · Score: 1

      The lines are also on IMDb.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    2. Re:I've got worms! by ikkonoishi · · Score: 1

      I liked that movie. It was as good as the original at the very least. Which is more than I can say about other movies. *COUGHMATRIXRELOADEDCOUGH*

    3. Re:I've got worms! by Jellybob · · Score: 1

      Hmmmm... that link (Ants) looks like it could be interesting.

      However I'm traumatised, and can't make self click on a .cx link anymore.

    4. Re:I've got worms! by Read+Icculus · · Score: 1

      I hope that you were running the projector and didn't run out and actually pay for a ticket to see that piece-of-crap-looking-movie. Did the previews actually make you want to see it? The horror... the horror.

      --
      Anti-social? My code is just platform-specific.
    5. Re:I've got worms! by Anonymous Coward · · Score: 0
      However I'm traumatised, and can't make self click on a .cx link anymore.

      So true. Sad to say tubgirl and hick are starting make me feel the same way about .org links I don't recognize.

    6. Re:I've got worms! by ikkonoishi · · Score: 0

      No unfortunatly I paid to see MR.

  8. Why do delinquents bother? by Sheetrock · · Score: 4, Insightful

    Where is the point in this matter nowadays? It really took talent to write malware in the old days, what with having to be able to get the virus into the executables and boot sectors of floppy disks, but now everything looks like a work of VBScript cut-and-paste. Why is it so hard to find the authors of these programs?

    --
    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:Why do delinquents bother? by oneishy · · Score: 4, Interesting

      Actually 'the Sapphire Worm' was just 376 bytes long. Not much extra code in that assembly program to track an author by.

    2. Re:Why do delinquents bother? by Read+Icculus · · Score: 5, Interesting

      Maybe the "delinquents" are actually pretty damn smart. Smart enough to not get caught because they take proper security precautions. Like others have said, this worm was a pretty smooth little hack. All over UDP and in a single packet. Anyway, at least when a worm like this comes along people start paying attention to actually fixing the problem. If no one exploited the vulnerability then folks like MS might never get around to fixing it. When something like this is front-page news and on CNN, normal folks sit up and take notice. Maybe enough notice to try and make their systems more secure, or perhaps switch to a more secure program/OS. Not that I like viruses and worms; quite the opposite is true. I remember when my ISP got a worm (Code Red, I think) and infected me. The incident certainly made me more security conscious, and I now have a new ISP that I hope has more of a clue than my old one.

      --
      Anti-social? My code is just platform-specific.
    3. Re:Why do delinquents bother? by Anonymous Coward · · Score: 1, Interesting

      Slammer and Code Red were blockable by patches released long before the outbreak happened.

      Or we can just ignore that and blame Microsoft. Yeah, that's the ticket.

    4. Re:Why do delinquents bother? by PetiePooo · · Score: 5, Interesting

      Not to nitpick, but the SQL Slammer worm appeared to be written in assembly. It is quite interesting to read through the source.

      While the PRNG isn't of the highest quality, its brevity is what allowed it to spread so quickly. An infected system was sending out packets as fast as the outbound pipe could handle it. A smaller virus, even by a few bytes, would mean that much faster of an infection rate.

      By and large, you're right about VBScript making for simple virii, but this isn't the one to use as an example.

    5. Re:Why do delinquents bother? by aphor · · Score: 5, Insightful

      Why is it so hard to find the author of these programs?
      Because there are so many no-talent hacks out there who *could* have written that lump of nasty crap.

      In the beginning days, on the Apple ][ computers in my grade-school, we learned to guess our way through cracking floppy-disk copy-protected games by comparing a cracked game and a pristine byte-by-byte copy of the original. We eventually learned that a certain byte word combination was the first hardware keyboard access, and we could guess that spot was a good place to stick a jump. Then we tried a few addresses until it worked. In grade school.

      Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

      What really grabbed me was how a really good (insidious) virus could have such a low footprint that it could go undetected for so long. The programmers of those viruses were gifted binary ecologists. I knew then that the games I played were bloated when one year the game took one disk, and the second year you had to swap two disks even though there was little extra play for all the extra data. I envied the virus programmers for their wizardly and miserly command of the machine's meager resources. I even dreamt of the day that I could crank one out like putting together a jigsaw puzzle.

      Now I am older, and the opportunity for that conquest was stolen by Moore's Law. The games (and all software in general) got bloatier and bloatier. There was so much waste, and the machines got so fast so fast, that I saw clever programming die. I was sad. It wasn't until (after I bought a student copy of Borland C++ and was stultified by the massive bloat of win16 API) that I became acquainted with Unix (FreeBSD in particular) around 1.2.1 vintage. I rediscovered elegant software.

      Now, I understand the vulgar joy in duping someone else, but only a jackass gets off duping people who compare to invertebrates on an intellectual scale. VB worms are the modern-day equivalent of burning ants with a magnifying glass. "Letth thaw off hith tweeter Beavith! Hehehehehe Heheheheh..."

      --
      --- Nothing clever here: move along now...
    6. Re:Why do delinquents bother? by Read+Icculus · · Score: 2, Insightful

      Well, for the worm I got, I blame myself for not knowing about CR or the patch, my ISP for being dipshits and being down for over a day, and the guy/guys who wrote it. However, I can see how people might blame MS for writing some buggy pieces of software that in turn were at least partially to blame for them getting said worms. As I recall, even MS's developers caught the Slammer worm (that's the SQL one?). BTW, I just mentioned "folks like MS" in my post as I think that since they are a corporation they are swayed by the public opinion/outrage that comes with each new worm/virus, as they want to make money, and people want to buy a more secure product. So my comment makes more sense with them as an example. But if you prefer, "folks who sell software" will also work. Most Linux developers I know couldn't care less about public opinion and try to write the most secure code that they can. I'm sure they sit up and take notice when the worms/viruses are being talked about on CNN; however, I also think that they tend to hear about the exploits and whatnot that the general public doesn't hear about/couldn't give a rat's ass about and try and fix those too. MS, on the other hand, might not care about fixing something if it's not worth the $ to fix and if the general public doesn't care about it, or doesn't even know it exists.

      --
      Anti-social? My code is just platform-specific.
    7. Re:Why do delinquents bother? by PhxBlue · · Score: 3, Informative

      Actually, Microsoft had released a patch for the vulnerability that was exploited. Unfortunately, no one (including Microsoft) bothered to implement it.

      --
      !#@%*)anks for hanging up the phone, dear.
    8. Re:Why do delinquents bother? by Tackhead · · Score: 3, Interesting
      > Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

      Grok!

      I still remember stunning some of my cow orkers by saying from two cubicles away, "Dude, run a virus scanner. There's no reason your floppy drive should be doing that many seeks across the entire width of the disk. Something's writing to the FAT or boot sector every time you access any files. Probably a virus. Kill it before it kills you."

      To this day, they still have no idea how I knew about that without even looking at the screen or touching the box, but from where I sat it was just obvious (when I first heard that pattern of seeks and asked if the guy was copying 100 small files to the floppy, and he said "no") that something on that box was fucked up. (And fucked up in a way that MS-DOS, all by itself, wasn't :)

      Funny note - the virus in question was indeed a boot sector virus, and was pretty much harmless on Win3.1 boxen. Not so on an NT box. If only I'd come to work one day before. Yuk.

    9. Re:Why do delinquents bother? by b1t+r0t · · Score: 3, Insightful
      Actually 'the Sapphire Worm' was just 376 bytes long. Not much extra code in that assembly program to track an author by.

      Not much room for extra code in a program that has to fit in a single UDP packet.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    10. Re:Why do delinquents bother? by buddha42 · · Score: 0, Flamebait
      Well aren't you just effing super!

      pretentious ass

    11. Re:Why do delinquents bother? by KU_Fletch · · Score: 1

      I dunno why it's so hard to find people who write the viruses, maybe we can get Hillary Rosen and her crack team at the RIAA on the case, they seem to be good at finding evil do-ers on the interweb

      --
      It's not stupid. It's advanced.
    12. Re:Why do delinquents bother? by aphor · · Score: 1

      I love you... but now you broke my troll-loving heart with your wry sarcasm. Write more or I will ignore you. This is your chance.

      --
      --- Nothing clever here: move along now...
    13. Re:Why do delinquents bother? by Anonymous Coward · · Score: 0

      Fascinating drivel. Your parlance of putting others down on meager assumptions is paramount to Hitler striking down a few billion Jews. Congrats.

    14. Re:Why do delinquents bother? by mlylecarlin · · Score: 1

      All wonderful stuff, except "but only a jackass gets off duping people who compare to invertibrates on an intellectual scale" ... you and everyone else at slashdot must remember that your skills do not equate or even correlate with intelligence. Sure, they often require it, but not the other way around. Don't forget that the airy academic genius is perfectly capable of stupidly opening the worm, because he has no guru to tell him otherwise, doesn't know where to look, and doesn't have time to find out for himself.

    15. Re:Why do delinquents bother? by Anonymous Coward · · Score: 0
      The End of FreeBSD - The truth about why FreeBSD is dying

      [ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

      When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

      Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.

      FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.

      It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.

      So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.

      Discussion

      I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.

      From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.

      There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.

      Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.

      Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?

      Shouts

      To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.

      To the bulk of the FreeBSD committerbase and the developer community at large -

    16. Re:Why do delinquents bother? by Hater's+Leaving,+The · · Score: 1

      But UDP packets can be massive (relative to 376 bytes anyway). Even if you restrict it to typical ethernet MTU size (1500 bytes) so that you can guarantee no fragmentation while on ether, that's still room for 376 useful bytes and 1.1kB of .PNG thumbnail of the author's girlfriend or whatever.
      And when you consider most of the time is not spent going over ether, it's (1.5k, that is) a silly restriction anyway.

      THL

      --
      Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
    17. Re:Why do delinquents bother? by Hater's+Leaving,+The · · Score: 1

      But you don't deny that MS took money off lots of people to sell them the _broken_ version in the first place, do you?

      They are _not_ without blame, they wrote the bugs and sold them with a "if this software is crap, tough shit" EULA.

      The logical conclusion, if you agree that they aren't without blame, is:
      _yes_ they should be blamed.

      THL

      --
      Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
    18. Re:Why do delinquents bother? by Hater's+Leaving,+The · · Score: 1

      Can't you replace
      d4:b8 01 01 01 01 mov $0x1010101,%eax
      d9:31 c9 xor %ecx,%ecx
      db:b1 18 mov $0x18,%cl
      dd:50 push %eax
      de:e2 fd loop 0xdd
      e0:

      (Oooh look - objdump's got a bug, it says:
      de:e2 fd loop 0xdd
      e1:35 01 01 01 05 xor $0x5010101,%eax
      e5:50 push %eax

      It seems to think that the 1st instruction is 3 bytes, and the 2nd instruction is 4 bytes!
      )

      With something like
      d4:31 c9 xor %ecx,%ecx
      d6:b1 18 mov $0x18,%cl
      d8:68 01 01 01 01 push $0x1010101
      dd:e2 f9 loop 0xd8
      df:

      to save 1 byte?

      OK, OK, it's pretty tight code.

      THL

      --
      Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
    19. Re:Why do delinquents bother? by armb · · Score: 1

      > If no one exploited the vulnerability then folks like MS might never get around to fixing it

      If _no one_ exploited it, it wouldn't matter if it wasn't fixed. That it gets used in a widespread exploit does reduce the risk of it being exploited in a few carefully chosen attacks that aren't noticed until much later though.

      --
      rant
    20. Re:Why do delinquents bother? by amorsen · · Score: 1

      Why not? Most people have MTUs in the 1500 range. And fragments get you to 64k.

      --
      Finally! A year of moderation! Ready for 2019?
    21. Re:Why do delinquents bother? by blibbleblobble · · Score: 1

      "It really took talent to write malware in the old days but now everything looks like a work of the VBScript cut-and-paste."

      Nothing like having a Word document around which sets peoples' default-save-format to RTF though...

    22. Re:Why do delinquents bother? by aphor · · Score: 1

      Point taken, but your argument is a bit of a non sequitur. Maybe I wasn't explicit enough, but worms spreading farther and faster means the airhead academic type is pushed into the wee tiny corners of the affected population's intelligence bell curve. Making a worm epidemic is doubtfully motivated by duping more and more airy academic geniuses. Moreover, the programmers who understand how to write the worm are still a generation ahead of the median victim in terms of awareness.

      Another point lost in this medium is that I feel observation skills are the best measure of intelligence. Geniuses who are idiot-savant aren't really that bright in my book. Thus, if you corner yourself in your little specialty, you can actually get dumber as you pay less and less attention to your immediate world. That is my opinion on intelligence: "G" in psychological jargon.

      Please be careful not to generalize my statements as expressions of everyone else at Slashdot. I am weird, and any inferences you draw on such a generalization threaten to destroy your conclusions.

      To further clarify my "jackass" statement, I give you an aphorism from Nietzsche: "You seek followers? Seek ZEROES!" These victims, marks, are powerful stuff. Only a jackass toys with that kind of herd-power.

      Furthermore, I didn't intend to toot my own horn, but rather to relate a personal experience of decline. Unless you are the aforementioned jackass, I apologise for any feelings of alienation you may have felt. However, the jackass may indeed be more intelligent than you (or I)--which is another discussion entirely.

      --
      --- Nothing clever here: move along now...
    23. Re:Why do delinquents bother? by Anonymous Coward · · Score: 0

      I thought your narrative was good, perhaps because it seemed to so neatly echo my thoughts during the same period regarding copy protection and bloatware. Illegitimi non carborundum.

    24. Re:Why do delinquents bother? by mlylecarlin · · Score: 1
      I'm not the jackass, nor a gifted programmer, nor the airy academic genius, but I'd guess I'm something between the last one and the second one (being too lazy and too indecisive to commit to one or the other).

      I'll admit that worm programmers are ahead of their median victims. Whether they're a whole "generation" (or level, or deviation, or anything) ahead is questionable, given how easy it is to write a worm now.

      As for your emphasis that observation is key to intelligence, and that idiot savants aren't really that smart... this is supposed to be MY point! A lot of the people you deride as hapless worm-dupes are in fact *vastly* more well rounded as thinking individuals than your average worm programmer or even your average programmer, both of whom tend to be socially immature, excessively computer-focused, and (as slashdot amply demonstrates) largely uneducated about or unaware about significantly bigger or more important or more interesting things (like general sciences). The worm-dupes just happen not to have learned to use their computers very well. I generally find, at least among the intelligent, that this is an isolated fault in an otherwise well rounded person.

      I think we can agree that these people need to wake up and learn some things, but I also think that complaining about them, especially on Slashdot, won't get much done. A balance is required. When I help people with their computer problems, I try to teach them the fundamental reasons certain things are happening, and I try to make them independent, but I never deride anyone for having a lack of computer skill, even if such a lack makes the person a dupe.

      Sound good?

      mlylecarlin

    25. Re:Why do delinquents bother? by Read+Icculus · · Score: 1

      Read my post in response to the AC in this thread. I said I blamed myself, as well as the ISP and worm writer. But thanks for pointing out my cluelessness anyway.

      --
      Anti-social? My code is just platform-specific.
    26. Re:Why do delinquents bother? by aphor · · Score: 1

      That sounds good, but I don't think other people should need you or me to help them cover their asses. That creates a conflict of interest for you or me. If they demand that very situation, then it is a foolishness, possibly more significant than any accomplishment they could make.

      Honestly, I have trouble finding sympathy for people who don't really care, and then whine about the consequences later. If this continues, I'm going to have to draw a dichotomy of people: black and white terms. However I admit that everyone lapses across the line from one category to the other. My point was the responsibility is on the dupes for being dupes (as we all are from time to time).

      If the dupes say "I realize my mistake and the connection to these consequences" then it takes the onus from the worm programmer. Only a fool thinks "I have accomplished something" when they dupe someone else who is simply not even aware of what is going on until it is too late.

      If the dupes say "Damn that worm programmer" and shake their fists, that is yet another foolish mistake. The worm programmers can claim responsibility for that. They can feel a sense of authentic accomplishment. The psychological "manipulation motive" is reinforced. Things are set to repeat. If you or I enter as "savior and champion" then we are actually escalating the situation, supporting the dupe and his shaking fist.

      I say "stop being angry at the worm programmers, and go find the extent of your own involvement in the debacle. When and if you get stuck, come to me with a specific question, and I will do my best to get you unstuck."

      --
      --- Nothing clever here: move along now...
    27. Re:Why do delinquents bother? by toddalert · · Score: 1

      But that is like saying, "I am so glad your house was broken into because now maybe you will buy a lock!" In a world where security is an issue you must be secure. But if you believe security is a necessity in any world then you are creating a demand for criminal types.

      --
      ...so what were you thinking of doing with them exactly? A partnership or a pirateship?
    28. Re:Why do delinquents bother? by mlylecarlin · · Score: 1

      This is absolutely true. I would hope to discourage anyone refusing to take the blame for a lack of interest or caring, and place it on the head of someone else.

    29. Re:Why do delinquents bother? by aphor · · Score: 1

      This thread was weird. We started out with a minor disagreement. It seemed to escalate as we both illustrated our respective take on the differences. Then we discovered our common ground and the controversy dissipated. No trolls. No flames. Weiird.. like Usenet before the Internet was taken from the NSF.

      Thanks!

      --
      --- Nothing clever here: move along now...
    30. Re:Why do delinquents bother? by mlylecarlin · · Score: 1
      No problem :-)

      I suppose you can chalk it up to the fact that this was my first time replying at slashdot in about a year. This is more or less the standard mode of discussion I'm used to :-)

  9. Equation for a good worm by Renraku · · Score: 5, Interesting

    A good set of vulnerabilities across multiple hardware configurations and OSes is a great start. An interesting idea would be to sync the worms up based upon a reading from a certain timezone on time.gov. Make them start scanning all IPs for vulnerable, uninfected machines at the same time. So not only do you get the chance to infect, but you DDoS. Fun stuff. Also, you could make it infect unprotected routers and give the virus 'priority' in transmissions, etc, etc.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    1. Re:Equation for a good worm by xactoguy · · Score: 2, Funny

      Hey! Thanks for the hints... heh heh heh... just kidding, maybe. ;)

      --
      And so we go, on with our lives
      We know the truth, but prefer lies
      Lies are simple, simple is bliss
  10. UDP all the way! by Gothmolly · · Score: 5, Insightful

    The nice part about Slammer is that it could just spew data - if it hit you, and you were vulnerable, you were infected. It didn't require any complicated TCP sessions, was MUCH nicer on host resources, and the entire hack fit inside a single packet. Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.

    --
    I want to delete my account but Slashdot doesn't allow it.
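The thread's point about Slammer is that it was fire-and-forget: one UDP datagram of fixed size to each pseudo-random address, at whatever rate the outbound pipe allowed. From a defender's side that same property is a detection signature. The following is an added example, not code from the original thread or from CAIDA's analysis: a small Python heuristic run over constructed flow records (not real captures) that flags a source whose densest two-second burst reaches many distinct destinations on a single port, nearly all as single packets of one dominant size, and reports the implied scan rate per hour for comparison with the 3 billion/hour figure in the summary. The flow-log format, the thresholds, and the sample hosts are all assumptions of this example; 404 bytes is the 376-byte payload plus UDP and IP headers, and 1434/udp is the SQL Server resolution port Slammer targeted (not stated on the page). A busy recursive DNS resolver is included to show that "many UDP destinations" alone is not enough to trip the rule.

```python
"""Added example: flag hosts that behave like a single-packet UDP scanning worm.

Constructed flow records, not real captures. Assumed log format per line:
    <ts_seconds> <src_ip> <dst_ip> <udp_dport> <packets> <ip_bytes>
"""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    pkts: int
    ip_bytes: int


@dataclass(frozen=True)
class Alert:
    src: str
    distinct_dsts: int
    dominant_size: int
    est_scans_per_hour: float


def parse_flow_line(line):
    """Parse one whitespace-separated flow record (assumed format, see docstring)."""
    ts, src, dst, dport, pkts, nbytes = line.split()
    return Flow(float(ts), src, dst, int(dport), int(pkts), int(nbytes))


def build_sample_log():
    """Constructed sample: one scanning host plus a busy but benign DNS resolver."""
    rng = random.Random(7)
    lines = []
    # Scanner (constructed): 400 single-packet datagrams of identical size to
    # pseudo-random addresses within two seconds. 404 bytes = 376-byte payload
    # + 8 UDP + 20 IP header bytes; 1434/udp is the port Slammer targeted.
    for i in range(400):
        dst = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
        lines.append(f"{i * 0.005:.3f} 10.0.0.5 {dst} 1434 1 404")
    # Resolver (constructed): many queries, but to a modest set of authoritative
    # servers, with varying sizes and occasional retransmits, over ten seconds.
    servers = [f"192.0.2.{n}" for n in range(1, 61)]
    for i in range(300):
        lines.append(f"{i * 0.033:.3f} 10.0.0.53 {rng.choice(servers)} 53 "
                     f"{rng.choice([1, 1, 1, 2])} {rng.randrange(60, 300)}")
    rng.shuffle(lines)  # logs rarely arrive in order; the detector sorts
    return lines


def detect_udp_scanners(flows, window=2.0, min_dsts=100,
                        min_single_pkt_frac=0.95, size_dominance=0.9):
    """Return an Alert for every source whose densest `window`-second burst
    reaches `min_dsts` distinct destinations on one port, almost all as
    single packets of one dominant size (the fire-and-forget pattern).
    Thresholds are assumptions for this example, not tuned values."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    alerts = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        # Sliding window: find the burst with the most distinct destinations.
        best, start = (0, 0, 0), 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            n = len({f.dst for f in fl[start:end + 1]})
            if n > best[0]:
                best = (n, start, end)
        n, s, e = best
        if n < min_dsts:
            continue
        burst = fl[s:e + 1]
        ports = Counter(f.dport for f in burst)
        single = sum(f.pkts == 1 for f in burst) / len(burst)
        size, size_count = Counter(f.ip_bytes for f in burst).most_common(1)[0]
        if (len(ports) == 1 and single >= min_single_pkt_frac
                and size_count / len(burst) >= size_dominance):
            span = max(fl[e].ts - fl[s].ts, 1e-3)  # avoid division by zero
            alerts.append(Alert(src, n, size, n / span * 3600))
    return alerts


def run_detection(lines):
    """Parse raw log lines and run the scanner heuristic over them."""
    return detect_udp_scanners([parse_flow_line(l) for l in lines])


if __name__ == "__main__":
    for a in run_detection(build_sample_log()):
        print(f"{a.src}: {a.distinct_dsts} distinct dsts on one port, "
              f"size {a.dominant_size}, ~{a.est_scans_per_hour:,.0f} targets/hour")
```

The resolver never trips the rule because its busiest two seconds touch only a few dozen servers and its datagram sizes vary; the scanner trips it on all three properties at once. On a real sensor the same logic would be fed from flow export rather than a text file, and the distinct-destination threshold would be set per site, since a single host in a flat /16 can legitimately talk to more peers than one behind a NAT.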
    1. Re:UDP all the way! by b1t+r0t · · Score: 2, Informative
      Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.

      Whatever you gain by compressing something that small, you lose in the space that the decompression code takes up, unless the OS provides a decompression service for you.

      The way Slammer worked, it had to fit in a single packet, which meant it had about 1500 bytes to work with. That means it could have been more than four times bigger than it was, but no more.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:UDP all the way! by Anonymous Coward · · Score: 2, Interesting
      The nice thing about Slammer is that:
      1. It justifies our Corporate policy of "Absolutely no UDP packets cross the firewalls. Ever."
      2. There are not too many other UDP protocols out there to be exploited, so we won't see too many more "flash worms".

      The scary thing about UDP "flash worms":

      1. One of the highest usage protocols on the Internet is DNS, a UDP (mostly) protocol with a history of server and client vulnerabilities.

      My prediction: by the end of this year we will see a cross-platform (Linux/X86 and Solaris/Sparc?) "flash worm" targeting BIND...

      Nonesuch@Chicago

    3. Re:UDP all the way! by Hater's+Leaving,+The · · Score: 1

      Slammer will not compress, it's too high entropy. (Although it can be tweaked to make it slightly smaller and the PRNG could be simplified too at no loss of workingness (as it doesn't work properly anyway!)).

      However, don't confuse a UDP packet with an Ethernet MTU. Most of the time it's not being transported around framed as an Ethernet packet, so that's a red herring. Slammer works as a UDP packet, and therefore was limited by UDP's 64KB, not Ethernet's varying MTU size.

      THL

      --
      Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
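The two posts above disagree about the budget a single-packet worm actually has, and a third argues that a payload that small and that dense won't compress. As an added example (not code from any post or from the CAIDA analysis), the arithmetic for both points in Python: the IPv4/UDP size limits, how many fragments a datagram needs on a given MTU, and what deflate does to high-entropy bytes. The 376-byte figure for Slammer's UDP payload is the commonly cited CAIDA number and is not stated on this page; treat it as an assumption, as are the MTU values used.

```python
"""Single-packet worm budget: UDP/IPv4 size limits, fragmentation, compression.

Added example, not code from the thread. SLAMMER_PAYLOAD is the commonly
cited CAIDA figure and is an assumption here, not a number from this page.
"""
import hashlib
import zlib

IPV4_HEADER = 20          # minimum IPv4 header, no options
UDP_HEADER = 8
IPV4_MAX_TOTAL = 65535    # IPv4 total-length field is 16 bits
SLAMMER_PAYLOAD = 376     # assumed: Slammer's UDP payload in bytes


def max_udp_payload() -> int:
    """Largest UDP payload an IPv4 datagram can carry at all (65507 bytes)."""
    return IPV4_MAX_TOTAL - IPV4_HEADER - UDP_HEADER


def max_unfragmented_udp_payload(mtu: int) -> int:
    """Largest UDP payload that fits one frame on a link with this MTU without IP fragmentation."""
    return mtu - IPV4_HEADER - UDP_HEADER


def fragments_needed(payload_len: int, mtu: int) -> int:
    """Number of IPv4 fragments a datagram with this UDP payload becomes on a link with this MTU.

    Every fragment carries its own IPv4 header, and all fragment data lengths
    except the last must be multiples of 8 bytes. A datagram above 65535 bytes
    total cannot exist, whatever the MTU.
    """
    total = IPV4_HEADER + UDP_HEADER + payload_len
    if total > IPV4_MAX_TOTAL:
        raise ValueError("payload does not fit in an IPv4 datagram")
    if total <= mtu:
        return 1
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8   # usable data bytes per fragment
    data = total - IPV4_HEADER                    # UDP header + payload: the fragmentable part
    return -(-data // per_fragment)               # ceiling division


def headroom_factor(payload_len: int, mtu: int = 1500) -> float:
    """How many times larger the payload could grow and still fit one unfragmented frame."""
    return max_unfragmented_udp_payload(mtu) / payload_len


def pseudo_random_bytes(n: int, seed: bytes = b"slammer-example") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode), standing in for dense shellcode."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def deflate_size(data: bytes) -> int:
    """Size after zlib/deflate at maximum effort. Incompressible input comes out larger than it went in."""
    return len(zlib.compress(data, 9))


if __name__ == "__main__":
    print("max UDP payload in IPv4:", max_udp_payload())
    print("unfragmented payload at MTU 1500:", max_unfragmented_udp_payload(1500))
    print("headroom for a 376-byte payload:", round(headroom_factor(SLAMMER_PAYLOAD), 2))
    print("fragments for a 65507-byte payload at MTU 1500:", fragments_needed(max_udp_payload(), 1500))
    noise = pseudo_random_bytes(SLAMMER_PAYLOAD)
    print("376 high-entropy bytes deflate to:", deflate_size(noise))
    print("376 zero bytes deflate to:", deflate_size(bytes(SLAMMER_PAYLOAD)))
```

Both posters are partly right: a UDP datagram may carry up to 65507 bytes of payload, but anything over 1472 bytes on a 1500-byte Ethernet path arrives as several IP fragments, and a worm that must land in one fragment-free packet to be reassembly-independent is back to the smaller budget. The deflate figures show why the compression suggestion does not help: dense machine code plus the zlib wrapper costs bytes rather than saving them, and the decompressor would still have to fit in the same packet.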
    4. Re:UDP all the way! by WWWWolf · · Score: 1
      Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.
      Whatever you gain by compressing something that small,...

      You made an adequate and well thought-out point.

      However, LZIP, the compressor the original poster mentioned, is an advanced compression scheme that, on its maximum possible compression level, uses a mathematical method known as uninvertability of collapsed matrix (or something) that makes all decompression systems unnecessary.

      Using less advanced compression methods (UPX, for example) would indeed generate larger executables...

    5. Re:UDP all the way! by Ben+Hutchings · · Score: 1

      Are you claiming that LZIP always produces shorter output? This is impossible - no compression algorithm can produce shorter output for more than half the possible input sequences of any given length (assuming binary encoding).

    6. Re:UDP all the way! by WWWWolf · · Score: 1

      Oh, come on, read the site. The release date "April 1, 2000" and the text of the "Free Object-Oriented License" should have been good enough of clues. =)

    7. Re:UDP all the way! by Ben+Hutchings · · Score: 1

      This is Slashdot - no-one follows links!

  11. More platforms by Anonymous Coward · · Score: 2, Interesting

    I'm still waiting for a Cisco IOS bug to be discovered that is present in all 12.x series code. I can't wait to see the worm for that one :D

    1. Re:More platforms by Anonymous Coward · · Score: 0

      thank goodness I still haven't upgraded from 11.x. ha ha ha virus writers!!!

  12. Anatomy of the Web application worm by Anonymous Coward · · Score: 4, Informative
  13. No worms for me, please! by XxtraLarGe · · Score: 5, Funny

    Thank God I've got a Mac! It's hard enough to get regular software ported, I doubt that many people would invest time to port a worm, except "Worms Blast" =D

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
    1. Re:No worms for me, please! by dfj225 · · Score: 4, Insightful

      I would imagine that worms and other viruses are not really a problem to most Windows users that you would find on this site. I know that a vast majority of the viruses are spread using holes in Outlook, which is probably unpopular with this crowd. Also, people here know enough that you really need a virus scanner for full protection. I use Windows XP, and haven't had a virus yet. I also use Mozilla mail instead of outlook.

      --
      SIGFAULT
    2. Re:No worms for me, please! by SweetAndSourJesus · · Score: 3, Insightful

      If Slammer or its ilk takes your subnet down, it doesn't matter if you're using a C64, you're getting hosed.

      I use a Mac, too, but I have no illusion of immunity.

      --
      the strongest word is still the word "free"
    3. Re:No worms for me, please! by PhoenixFlare · · Score: 4, Insightful

      Oh please...

      The installed base of Macs is so small compared to Windows PCs, there's no reason to write worms that affect Apple machines.

      You can bet your ass that if Macs were as ubiquitous as x86 machines, they'd be getting slammed with worms too....That cocky attitude gets really grating.

    4. Re:No worms for me, please! by Anonymous Coward · · Score: 0


      That makes sense, there has to be some advantages to using an operating system nobody likes :p

    5. Re:No worms for me, please! by blix5 · · Score: 1

      This crowd of geeks and nerds doesn't represent the average user on the web.
      Go to pretty much any newsgroup, and you'll see that at least half of the people posting are using Outlook Express, which comes with every copy of Windows. To make matters worse, there are plenty of those people that are using outdated - unpatched - versions of OE and Internet Explorer.

      So I think that it's safe to say that most viruses/virii [choose the spelling that makes you happy ;)] are targeted and spread by Windows machines because of Windows' popularity, and also because vulnerabilities tend to go unfixed until someone actually exploits it.

    6. Re:No worms for me, please! by Anonymous Coward · · Score: 0

      Granted that MS machines have a greater installed code base and are therefore a bigger target, but you also have to admit that most of these vulnerabilities should simply not exist.

      Saying that a certain platform hasn't been hit simply because it has a lower market share isn't any more true than saying that Windows machines have been hit simply because they have a greater market share.

      Decent development and security practices have more than a little bit to do with this.

      I would bet that if Apple and Microsoft had reversed market share, Mac OS X would be suffering from fewer than 50% of the problems that Windows is suffering from now, simply because Apple has never done anything idiotic like say "Hey, let's include our web-server in our consumer OS, and then turn it ON by default! That way the exploits that already work on unpatched corporate servers can also infect our naive home users that don't know how to patch their machines and bring down the Net in the process!"

    7. Re:No worms for me, please! by dfj225 · · Score: 1

      I know this, and thats why I specified that my comment was directed to the /. crowd. If someone was to actually release a powerful virus for Mac OS, I'm sure it would probably cause just as much trouble for them.

      --
      SIGFAULT
    8. Re:No worms for me, please! by PhoenixFlare · · Score: 1

      True, market share isn't the only reason, but I didn't say it was, now did I? :)

      Personally, I think the feeling of invincibility that many Mac users have is just as dangerous as any Microsoft security vulnerability.

    9. Re:No worms for me, please! by budgenator · · Score: 1

      yes but taking down a bunch of macs or linux machines should be good for a lot of bragging rights.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    10. Re:No worms for me, please! by Anonymous Coward · · Score: 0

      25 million people seem to like them (worldwide installed base)

    11. Re:No worms for me, please! by Chaset · · Score: 1
      The difference, though, is that there aren't that many Macs out on the internet. (3%? 5%?) So any virus will have difficulty trying to find another Mac to infect, severely limiting its capability to spread.

      Add to that the fact that virus written for OS 9 wouldn't work in X and vice versa.

      Right now, the Mac platform is fairly hostile to rapid spread of viruses.

      --
      -- "This world is a comedy to those who think, a tragedy to those who feel."
    12. Re:No worms for me, please! by ryanvm · · Score: 1

      Also, people here know enough that you really need a virus scanner for full protection. I use Windows XP, and haven't had a virus yet.

      I always hoped that people here knew enough to NOT need a virus scanner. I run Windows XP, keep it patched, and don't run a virus scanner. Never had an infection. I know because (out of curiosity) I have scanned my local hard drive from my laptop, which does run antivirus software.

      Virus scanners are absolutely unnecessary IF you know what you're doing. 1) Keep your system patched; 2) don't open executables you can't trust; and 3) don't enable macros in any of Microsoft's products. It's that simple.

      The antivirus industry is going to collapse as soon as the majority of computer operating systems behave in a secure manner. Until then, antivirus software is for people who don't understand their operating systems.

      Please - someone challenge me on this.

    13. Re:No worms for me, please! by etcpasswd · · Score: 1
      Until then, antivirus software is for people who don't understand their operating systems.

      What percentage of the users do you think understand their operating systems? User-friendliness is all about not having to know how the internals of OS.

    14. Re:No worms for me, please! by sgifford · · Score: 3, Insightful

      Antivirus software is for people who, from time to time, make a mistake. Like mis-clicking on an attachment at 3am, or misreading a file type and running an unsafe file.

      Antivirus software is for people who run software that has bugs in it. You mentioned you are using Windows...

      Antivirus software is for people who believe in Security In Depth, a school of thought which says that you should use multiple layers of security, so that if one fails you aren't screwed.

      Antivirus software is for people whose data is worth more than $50 (or $20 after rebate).

    15. Re:No worms for me, please! by Trusted+Content · · Score: 0

      Apple does include a web server in their consumer OS.

      It's called Apache. (OMG)

      It just happens to not be turned on by default, and also not to be a total hackable POS like the horror that is IIS.

      --
      OMG OMG LUNIX OMG
    16. Re:No worms for me, please! by hondo77 · · Score: 4, Funny

      I use a Mac, too, but I have no illusion of immunity.

      I do. Woo hoo!

      --
      I live ze unknown. I love ze unknown. I am ze unknown.
    17. Re:No worms for me, please! by Jarth · · Score: 1

      Hmm, last time I looked a Mac which was only used for file/picture storage got infected really badly. Eventually it turned out the Mac world is pretty much infested with a high concentration of viruses as well, while a worm is probably not as common indeed. Yes, you do need some antivirus software too, even on a Mac.

      FYI : G4Laptop looks yummy, really yummy

      When people say there's a lot of attention towards the PC/Windows platform and this makes for a lot of attacks, that's obviously true. Even Microsoft made a statement about it, though they forgot to mention they're attracting more hackers with every new release of their OS/GUI platform. One could even suspect them of simply having lured most of the current generation of people-who-love-to-mess-in-transistorland.

      You probably kind of get what I'm getting at. This condition quite probably indicates the Apple/MacOS platform is a virgin island to hackers since the 'ploits never got exposed. And I'd say only God knows how many MacOS networks are a playgarden to those with the skills. Hence running a Mac is a really stupid thing to do when you're looking for some kind of trustworthy environment.

      Haha.

      --
      free dom(inion) - free energy - free your mind - whee!
    18. Re:No worms for me, please! by LittleBigLui · · Score: 1

      but aren't apples pretty much natural targets for worms?

      --
      Free as in mason.
    19. Re:No worms for me, please! by Matthias+Wiesmann · · Score: 1
      As other have pointed out, market share is not everything. There are also structural issues. One thing you learn when programming on Mac OS is that it is not a good idea to talk to the low-level hardware - all access is done using defined interfaces.

      Low-level access is difficult because a) Apple discourages this, and tends not to document how the low-level stuff is organised, and b) the low-level stuff tends to be very different from machine to machine. While the architecture has been uniformised quite a lot with the advent of the new-world machines (basically since the iMac), before this, Macintoshes tended to be very diverse: even more than the wide range of PCs. Some had built-in video cards, others used the main memory for video, some had certain chips for sound, while others had completely different sound chips; there were no hardware standards like VGA or SoundBlaster, and as for the memory layout, it could change dramatically. Also what part of the OS was in RAM or in ROM could change depending on the model. Designing viruses or worms in such a setting was very difficult.

      The fact that low-level access is difficult is the reason Apple could do all those transitions (68K->PPC, OS9->Classic) quite easily and is also the reason there were so few viruses. The main drawback was that games were rare, as they tend to do direct hardware access.

      Even though the hardware is now more uniform, there are still major differences: for instance desktops use USB keyboards by default, while laptops use ADB keyboards. You can probably guess how the low-level stuff is done by looking at the Darwin source; the OS is still a moving target: a worm designed for OS 9 will probably do nothing in Classic, and an OS X worm won't infect OS 9 machines. Also since the transition to OS X, Apple has been quite aggressive with security patches.

      So in conclusion, Yes Macintoshes have a low market share and this is partly the reason there are few viruses, but no this is not the only reason...

    20. Re:No worms for me, please! by Anonymous Coward · · Score: 0

      antivirus software is for people who are afraid to format their hard drive at the first evidence of viral infection. format is the ultimate a-v software.

    21. Re:No worms for me, please! by Ben+Hutchings · · Score: 1

      That's what I used to think, but my work computer got infected last year because I ran an infected installer from a shared directory with lax permissions.

    22. Re:No worms for me, please! by ryanvm · · Score: 1

      I absolutely agree. I recommend antivirus software to just about everybody I know. However, that's because almost everybody I know doesn't understand their OS enough to keep from infecting themselves.

      I was arguing the original poster's claim that anybody who knows what they're doing understands that antivirus software is necessary. Not true - quite the opposite.

    23. Re:No worms for me, please! by ryanvm · · Score: 0, Troll

      Antivirus software is for people who, from time to time, make a mistake. Like mis-clicking on an attachment at 3am, or misreading a file type and running an unsafe file.

      Well, I guess it's harder for you than it is for me. You look at the sender, you look at the subject and body, and you look at the attachment. Then, your freaking mail client asks you, "Are you sure you want to open this?" IF you know what to watch out for, those should be plenty of "last chances".

      Antivirus software is for people who run software that has bugs in it. You mentioned you are using Windows...

      Not really, a better solution is to keep your system patched. I contend that most holes are patched quicker than most exploit-type viruses are identified and put into the signature updates. The security holes that cause Code Red, Nimda, etc. always seem to have patches long before the epidemics, don't they?

      Antivirus software is for people who believe in Security In Depth, a school of thought which says that you should use multiple layers of security, so that if one fails you aren't screwed.

      Well, so is encrypting your filesystem, having a locking screensaver, unplugging your network cable when idle, etc. Obviously another layer is a good thing. But at what point do you decide that it's not worth the money or slowdown to take that extra step. And yes, scanning for 50,000 (and growing) data patterns every time you open a file WILL slow your system down.

      Antivirus software is for people whose data is worth more than $50 (or $20 after rebate).

      No it's not - it's for people who would rather spend $50 than understand the internals of their operating system. Not that there's anything wrong with that. I'd rather spend $150 to fix my furnace than learn how to do it myself.

      My point was not that most people don't need antivirus software. They do. I was just disagreeing with the original poster who claimed that knowledgeable users understand the necessity of antivirus software. Not true. Knowledgeable users don't engage in stupid behavior.

    24. Re:No worms for me, please! by jimsum · · Score: 1

      I love these market share arguments. The number of Macs in the world now probably exceeds the number of Microsoft PCs that existed 15 years ago. 15 years ago, the PC market was big enough to support software companies and virus writers; why isn't the Mac market big enough now?

      I would think a virus writer would be happy to infect millions of computers, even if they are all Macs. I think there are factors other than market share that help explain why there are fewer Mac worms.

      --
      -- Pot is safer than Beer
    25. Re:No worms for me, please! by duggy_92127 · · Score: 1
      You can bet your ass that if Macs were as ubiquitous as x86 machines, they'd be getting slammed with worms too...

      While your point seems logical, there are some glaring examples that disprove similar arguments. For example, Netcraft shows Apache running more than twice as many web servers as IIS, but when the exploits come around, which platform gets nailed?

      All the recent worms I can remember use some sort of Windows hole to get in and then Outlook to spread themselves. You claim that's because Windows is far more common, but doesn't most email get routed by Unix boxen over the 'net? Why attack the endpoints when all the middle nodes are right there in front of you? Hack a Unix box, take over sendmail, and you have access to every piece of mail that passes through the machine. Why don't people do that?

      The answer is that the endpoints, the Windows clients, are much easier to get into. MacOS X is built on top of BSD, which has a security track record that is way, way better than Windows. I believe you are incorrect, and if tomorrow everybody turned off their Windows boxen and turned on a Mac, you'd pretty much see the end of this kind of thing, at least for a long while.

      Doug

    26. Re:No worms for me, please! by sgifford · · Score: 2, Insightful
      Antivirus software is for people who, from time to time, make a mistake. Like mis-clicking on an attachment at 3am, or misreading a file type and running an unsafe file.


      Well, I guess it's harder for you than it is for me. You look at the sender, you look at the subject and body, and you look at the attachment. Then, your freaking mail client asks you, "Are you sure you want to open this?" IF you know what to watch out for, those should be plenty of "last chances".

      I'm not saying I do this; I don't even run Windows or use a mail client that supports HTML. I'm pretty sure I've never received a virus that would run on my OS. I'm just saying a reasonable, smart, and prudent person should still plan for this, because it will happen someday.


      Antivirus software is for people who believe in Security In Depth, a school of thought which says that you should use multiple layers of security, so that if one fails you aren't screwed.

      Well, so is encrypting your filesystem, having a locking screensaver, unplugging your network cable when idle, etc. Obviously another layer is a good thing. But at what point do you decide that it's not worth the money or slowdown to take that extra step. And yes, scanning for 50,000 (and growing) data patterns every time you open a file WILL slow your system down.

      At the point where it costs more than $50 ($20 after rebate) or where the cumulative slowdown is greater than the odds of getting a virus times the time it would take to recover from it. Many people's work (mine included) is close enough to irreplaceable that the time-to-recover tends towards infinity, making the virus software a pretty obvious choice.

      I guess the difference of opinion that we have is that you believe it's extremely unlikely that you will someday make a mistake, whereas I believe it's nearly certain that all of us make mistakes every day.
    27. Re:No worms for me, please! by ryanvm · · Score: 0, Troll

      I guess the difference of opinion that we have is that you believe it's extremely unlikely that you will someday make a mistake, whereas I believe it's nearly certain that all of us make mistakes every day.

      That about sums it up.

    28. Re:No worms for me, please! by jafac · · Score: 1

      ... not just that - lately, I've been TERRIFIED to actually allow Software Update to run on my mac. Each update, including the security updates, has been worse than the last - they break shit. Lots of shit.

      Apple REALLY needs to include an update rollback mechanism.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    29. Re:No worms for me, please! by stanmann · · Score: 1

      Antivirus software is for people who sometimes wish to run untrusted executables... Game CD cracks/DVD rippers, etc. (I run a file server, and don't like to have my CDs out).

      --
      Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
    30. Re:No worms for me, please! by Arslan+ibn+Da'ud · · Score: 1
      damn I don't have moderator points, pal...that post needs modded up badly!

      I'll add that Mac users don't have a single favorite mail software application. (I suppose Apple's mail app is popular, but doesn't have the market share Outlook has)

      --

      Practice Kind Randomness and Beautiful Acts of Nonsense.

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. Some day by Anonymous Coward · · Score: 3, Funny

    Some day, we will all curse like sailors and have to reboot every god damned machine we have - maybe even revert to latest backup. Some day, the apocalypse will hit us, and Internet will cough for a day like it had the SARS. And then you hope your mother wasn't in hearing range.

  16. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 0
  17. Re:Oh no! Shut the Interweb off! by laigle · · Score: 4, Insightful

    It's not even just that now. The latest rendition of Bugbear would send out an infected file named after a file on the computer it was sending from. I imagine the next generation mailers will check send records, or even incorporate spyware code, and mail themselves out using names of files the user sent recently, or selectively infect shared files to get loose on the network. For computers to be useful you have to have some level of trust, and as worms become smarter they can more easily exploit that fact.

    We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.

  18. Cross-platform not necessary? by univgeek · · Score: 4, Insightful

    For a world-wide problem with worms, cross-platform worms are not required - just a simultaneous release of single platform worms. The spreading algo would be common, the payload and infection mechanism platform specific.

    One for windows, one for linux, one for routers/switches...

    Imagine the impact. Would the internet survive?

    The only things preventing this might be the fact that no single person has the required experience in all the platforms, and vulnerabilities in non-windows OS's are typically more difficult to exploit.

    --
    All bow to his Noodliness!! His Noodle Appendage has touched me!
    1. Re:Cross-platform not necessary? by molarmass192 · · Score: 1

      I disagree, too many variations in hardware, software on the Linux / router&switch side of things. One of the things that makes it easy to infect Windows systems is that if you know a server is running W2K, you can assume the hardware is x86, you know which files exist on that system, and (most importantly) you know the structure of those executables since they are identical across installations. With Linux, compiler optimizations and kernel configurations make code injection points almost impossible to assume. You could still target a particular distro release on a particular platform but your infection rate would be low. Of course, I read all the above on the back of a matchbook cover if anybody asks.

      --

      Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
    2. Re:Cross-platform not necessary? by gregfortune · · Score: 4, Insightful

      Oh, come on. From the quality of code we've seen in the recent "big" worms, any idiot with a little spare time can write a reasonably effective worm. We're lucky that no one really talented has had a motive for writing a really nasty worm (read cross-platform and well written with a huge number of attack vectors and a deadly payload).

      Write a Windows worm?
      Sure, watch the security bulletins from MS and associated companies and include a few exploits in your worm. You know we won't run out of people who haven't patched yet.

      Write a Linux worm?
      Sure... See above? It's the same.... There are platform differences as far as library calls, hooking into e-mail, etc, but a little time would solve that easily.

      Write a .... worm?
      Umm. See above? Just wash, rinse, repeat... All we're talking about is a little time.

      Seriously, I'm waiting for someone slightly talented to get pissed off at technology in general. That will be the day people running automatic daily updates on (pick your platform) will be happy they've got a patched system and banging their head against the wall 'cause their ISP didn't.

    3. Re:Cross-platform not necessary? by gregfortune · · Score: 1

      So target x86 with one set of attack vectors, Alpha with another, VAX with another, etc... Can't figure out which system you are attacking? Include some fingerprint code in your virus. Sure, it's not completely reliable, but we're talking about a massive increase in the number of compromised targets.

      Vulnerabilities exist for all of them. Information exists for all of them. It's just a matter of time until someone with the talent decides to do it.

    4. Re:Cross-platform not necessary? by Timothy+Brownawell · · Score: 1
      For a world-wide problem with worms, cross-platform worms are not required - just a simultaneous release of single platform worms.
      A single cross-platform worm would be much more effective, though -- it'd be able to infect a much higher percentage of the hosts it hit, and therefore grow faster.

      Tim

    5. Re:Cross-platform not necessary? by dbretton · · Score: 3, Funny

      any idiot with a little spare time can write a reasonably effective worm.

      OK, I'll nibble. Write a reasonably effective worm!

      Otherwise, you're not even smart enough to be considered an idiot...

      I dare ya!

    6. Re:Cross-platform not necessary? by Anonymous Coward · · Score: 0

      I thought that was what Java was for.

    7. Re:Cross-platform not necessary? by Anonymous Coward · · Score: 0
      The Internet might not survive simultaneous release of similar worms for multiple platforms, but my private network would. Cross-Platform is necessary to get full penetration into private networks, and really take down the whole shebang :)

      To get to my W2K box, you have to get past (example) a Cisco router with extended ACLs, then the Unix-like "firewall" running Squid and DBJdns (both under Systrace, all outbound HTTP/FTP/DNS queries are logged/filtered/reported to catch any worms that might slip in) and finally, behind the proxy firewall sits the unprotected Microsoft products.

      No protocols are passed inbound directly to the Windows system (no DNS at all, and HTTP/FTP function only via Squid), and only specific port/protocol responses are permitted inbound from the Cisco router to the firewall.

      The elegance (threat) of cross-platform worms is in penetration of firewalls, extranets, VPNs, etc.

      Nonesuch@Chicago

      (P.S. Yes, I'd be a lot better off upgrading the Cisco to support true stateful filtering. I'd also be five hundred bucks poorer.)

    8. Re:Cross-platform not necessary? by burns210 · · Score: 1

      "One for windows, one for linux, one for routers/switches... "

      So all that would be left are those darn mac users.... Good thing they Thought Different, aye?

    9. Re:Cross-platform not necessary? by Anonymous Coward · · Score: 0
      Seriously, I'm waiting for someone slightly talented to get pissed off at technology in general.
      Two words: Ted Kaczynski.
    10. Re:Cross-platform not necessary? by Anonymous Coward · · Score: 0

      Thinked different, surely?

    11. Re:Cross-platform not necessary? by gregfortune · · Score: 1

      he he. Nice try;o)

      The difference between an idiot with spare time and myself is probably not the idiot part... But I *am* absolutely sure that I have no spare time. Real work that pays seems like it would be more rewarding in the long run anyway.

  19. Re:Oh no! Shut the Interweb off! by ObviousGuy · · Score: 2, Insightful

    We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.

    Harsher punishments for virus writers?

    Better system recovery process?

    --
    I have been pwned because my /. password was too easy to guess.
  20. But there aren't 3 billion systems. by suso · · Score: 1, Interesting

      What kind of a statistic is that? How can it fully complete a 3 billion system per hour cycle if there are not 3 billion systems to infect (I'm guessing that there aren't). So its true rate is however many systems it actually did infect, which is likely a lot less than 3 billion. You can't just calculate the speed over 2 minutes and multiply it by 30. That'd be like a starship that was able to travel at 15 billion light years per hour. Really? Where would it go?

    1. Re:But there aren't 3 billion systems. by Anonymous Coward · · Score: 0

      They would put a spoiler on it with some neon and feature it in the next wack at the Fa$t and the Furious. its got NOS man!

    2. Re:But there aren't 3 billion systems. by Anonymous Coward · · Score: 0

      Which is the reason they said "it could infect the entire internet in 15 minutes". 3 billion divided by 4 is 750 million.

      If you can do 50 million per minute then it's reasonable to extrapolate that to 3 billion per hour.

    3. Re:But there aren't 3 billion systems. by Vaystrem · · Score: 1

      " That'd be like a starship that was able to travel at 15 billion light years per hour. Really? Where would it go?"

      Probably across much of the known universe.

    4. Re:But there aren't 3 billion systems. by Bagheera · · Score: 2, Informative

      Don't confuse rate of scan with number of systems. As mentioned it was spewing its exploit in a single UDP packet. The worm didn't care whether other worms had already spewed the packet at a given IP, it was just tossing it out there. Whether the number itself is valid, it's being calculated (probably, at least) by multiplying the average bandwidth available to an infected host, times the number of infected hosts. X infected hosts spewing Y packets an hour is Z total packets per hour.

      Perhaps not especially useful, but it does give an idea of the sheer scope of that beast.

      --
      Never attribute to malice what can as easily be the result of incompetence...
    5. Re:But there aren't 3 billion systems. by HornyBastard77 · · Score: 3, Insightful
      What kind of a statistic is that?

      The same kind that, when you are driving, lets you know in one glance how many miles per hour you will cover if you stay at your current speed.

      Seems pretty informative to me.

    6. Re:But there aren't 3 billion systems. by cyb97 · · Score: 4, Informative

      The statistic does hold; the efficiency of the worm decreases because there simply aren't enough hosts on the internet (or in IPv4 for that sake) to keep the worm busy for several hours...
      If the worm spews out X packets over Y minutes, why would it change in the Y+n next minutes?
      Think about it yourself: the worm doesn't suddenly stop and think "hey, I've infected 3 bn. systems now, I better slow down", it keeps on going, but as only a fraction of the 4 bn available addresses in IPv4 are available and globally reachable it doesn't make sense to do an exhaustive test...

    7. Re:But there aren't 3 billion systems. by Blkdeath · · Score: 2, Interesting
      What kind of a statistic is that? How can it fully complete a 3 billion system per hour cycle if there are not 3 billion systems to infect

      Actually, it's quite valid. Ask any cop who's ever pulled somebody over for doing 120KPH in a 40KPH zone, even though they only drove 5KMs. :)

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    8. Re:But there aren't 3 billion systems. by suso · · Score: 1

      No, I'm not confusing them, I'm saying that to say that the worm had a peak infection rate of 3 billion systems per hour is very misleading because the worm would never actually infect 3 billion systems as long as there are less than 3 billion. The difference between this and say what your speedometer reads on your car is that in your car, provided there is enough road, you can most likely traverse 120 miles in one hour. The statistic should have said that the worm had a peak rate of 50 million computers per minute or 833,333 per second. This would have been more accurate.

    9. Re:But there aren't 3 billion systems. by Anonymous Coward · · Score: 0

      Eh, six of one, half a dozen of another... Let's all agree that 3 billion an hour and 833,333 per second are both equally impressive numbers...

    10. Re:But there aren't 3 billion systems. by beavmetal · · Score: 1

      New Momo product: vinyl "the Maatrix" graphics for your starship and matching Honda, scooter, quad-runner, snowmobile, and beaner bike.

      --
      Looks like it is time to replace your Personality Module. You are a bit to clingy, guess I better replace your fuser to
    11. Re:But there aren't 3 billion systems. by Bagheera · · Score: 1

      True, but they didn't say peak infection rate. They said the peak rate of scanning was 3 billion systems per hour. That's why I made my initial comment. While it seems like a huge number, it's not that outrageous if you're just counting the level of traffic.

      Incidentally, I was a CIRT responder for a "small hardware manufacturer in the Valley" during the event. Having seen first hand how hard Slammer hit our firewalls, I don't doubt the claimed traffic level here.

      --
      Never attribute to malice what can as easily be the result of incompetence...
    12. Re:But there aren't 3 billion systems. by PetWolverine · · Score: 1

      Recently I got pulled over for speeding. The cop said, "Don't you know the speed limit is 55 miles per hour?"

      I said, "Yeah, but I wasn't planning to be out that long."

      Apologies to Steven Wright.

      --
      I found the meaning of life the other day, but I had write-only access.
  21. Clarity by Anonymous Coward · · Score: 0

    Are we illiterate or what? I think 'better' to mean 'able to infect across a lot of platforms.'? How about some kind of voluntary proofreading layer here?

    1. Re:Clarity by Anonymous Coward · · Score: 0

      Clearly you were literate enough to write that comment.

  22. Problems by cfreeze · · Score: 4, Insightful

    One problem with saying that Slammer or any "flash worm" is that bandwidth and current infrastructure isn't taken into account. Any worm taking on activity levels (as seen by how the whole Internet seemed to slow down) of this magnitude tends to self-contain itself at local router or node bottlenecks. As links go to fiber this won't hold, but at least for now it does.

    1. Re:Problems by Anonymous Coward · · Score: 0

      So the solution is to lower the bandwidth caps on each system. Essentially make each point more fail-prone so that if something bad happens the node will crash and remove itself from the greater web.

      No thanks.

    2. Re:Problems by cfreeze · · Score: 1

      I said nothing of capping links, only that worms can't really achieve the "Warhol Worm" status due in large part to the current infrastructure. As links go fiber or the next generation technology, the likelihood of a worm going Warhol becomes more likely.

    3. Re:Problems by Anonymous Coward · · Score: 0

      Gotcha. I thought you were actually suggesting throttling bandwidth to prevent these things.

    4. Re:Problems by Imperator · · Score: 1

      Easy way around that. If you're picking a target for a packet, give it a 90% chance of being in the same /24 as your IP, a 7% chance of being within the same /16, a 2% chance of being within the same /8, and a 1% chance of being anything at all. That will tend to reduce the bandwidth through slow links. (Those numbers are arbitrary of course; you'd want to do some empirical testing to find the best weighting--maybe even base it on time so it spreads more widely shortly after the planned release time, slows down to thoroughly infect networks for a few hours, then goes back to randomly spewing packets to bring even the biggest routers to a crawl.)

      This isn't my idea; it was in the original paper I read about Warhol worms. Slammer didn't do it, perhaps to stay under 476. But it's a danger, and if there's someone writing a multi-attack worm for real gain, you bet they're working on something like that.

      (Why someone would really be able to gain from bringing the Internet down for a day is beyond me. Maybe if it's a country with anti-satellite weapons, they could really impair communications for a day, but beyond making a point I fail to see the purpose. Watch the next Bond movie for the rest of the plot.)

      --

      Gates' Law: Every 18 months, the speed of software halves.
    5. Re:Problems by Anonymous Coward · · Score: 0

      IP address space = 2^32. If every worm instance manages to infect at least 2 new targets, it takes less than 32 generations to touch every IP address out there. How long does it take to infect 2 machines? Multiply by 32. (Obviously the question isn't as easy as it sounds due to saturation, but still: the internet is massively parallel, so local limitations are next to meaningless for an "intelligent" warhol worm.)

  23. Doomsday in a good way? by maliabu · · Score: 5, Insightful

    in THE Doomsday, those who don't believe will be wiped out.

    so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

    and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.

    1. Re:Doomsday in a good way? by SiO2 · · Score: 1

      so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

      and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.

      Let the worms wipe out those who don't patch and maintain their servers properly? Put down the crack pipe and move away from the mouse. You obviously have the luxury of working in a non-Microsoft environment that doesn't require maximum uptime like banks, universities, hospitals, etc. require to function.

      Microsoft releases some crucial security update almost literally every week. I simply can't down servers on a regular basis because Microsoft doesn't have the acumen to write a decently secure and stable OS. For instance, last week on Tuesday I built a new authentication server for our VPN connection. On Friday, I patched nonessential servers, the new one being one of them. The newly built server required one crucial security update and at least two nonessential updates.

      Of course, there is also the matter of crucial security updates breaking something else. I've read numerous articles about how averse many sysadmins have become to installing Microsoft patches as soon as they are available. One slashdotter's sig sums it all up:

      63,000 bugs in the code.
      63,000 bugs.
      You get one whacked with a service pack.
      63,005 bugs in the code.

      I know you'll say to switch to another OS, but those of us who have to keep things running don't always get to make platform decisions. Sure, I have input, but my boss is an old-schooler married to IBM. At least I've been able to keep him away from IBM and settled on Dell hardware, but that's an ongoing battle.

    2. Re:Doomsday in a good way? by Waffle+Iron · · Score: 4, Interesting
      so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

      Um... what if the worm writer used a new vulnerability that he discovered himself? There would be no patches.

    3. Re:Doomsday in a good way? by Weirsbaski · · Score: 1

      so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

      and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.

      Except the nicely patched servers can't get any friggin' bandwidth.

      --

      I am not a sig.
  24. Hm.... by Anonymous Coward · · Score: 1, Funny

    "Worms Going Further, Faster"

    Former East German sports coaches now working on worm farms?

  25. I'm still getting pestered by Code-Red. by Chyeburashka · · Score: 0, Troll

    216.31.149.142 - - [04/Jun/2003:17:15:29 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 392 "-" "-"
    216.31.149.142 - - [04/Jun/2003:17:17:06 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 392 "-" "-"
    172.182.46.212 - - [04/Jun/2003:17:46:09 -0600] "GET / HTTP/1.0" 200 7029 "-" "-"
    217.230.180.171 - - [04/Jun/2003:22:05:36 -0600] "OPTIONS * HTTP/1.0" 200 0 "-" "-"
    210.179.95.123 - - [07/Jun/2003:11:16:01 -0600] "GET /sumthin HTTP/1.0" 404 388 "-" "-"
    216.60.56.84 - - [07/Jun/2003:19:38:47 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 392 "-" "-"

    1. Re:I'm still getting pestered by Code-Red. by cyb97 · · Score: 1

      how the kaboodle did you get this past /.'s notorious filterchecks when posting ?

    2. Re:I'm still getting pestered by Code-Red. by randyest · · Score: 4, Informative

      If you're running Apache, and it looks like you are, you can avoid logging that crap (and minimize bandwidth and CPU waste) with this minor httpd.conf change. You can also block/ban email spiders (at least ones that report their agent name truthfully, which apparently is most of them) using the info at the same link.

      --
      everything in moderation
    3. Re:I'm still getting pestered by Code-Red. by randyest · · Score: 1

      how is this a troll? this is an excerpt from an apache (or other common-log format webserver, but probably apache) showing the footprints of the code red worm (or nimda, or similar). it's still a problem, enough so that webmasterworld.com has info for webmasters on how to minimize the effects (see my other post). it's still a hassle, it still wastes bandwidth, and it still clutters logs (until you learn how to disable logging of these things).

      mods, please fix this.

      --
      everything in moderation
    4. Re:I'm still getting pestered by Code-Red. by Chyeburashka · · Score: 1

      Thanks for the previous information. Meta-moderation might fix the clueless moderators. In fact, they may have SCOed themselves right out of moderation rights. The post was completely on-topic for a story on worms, etc.

      BTW, I only start up apache on this machine just to see who comes knocking. Judging from some of the reactions, some folks don't know (or care) about the footprints of still-virulent worms. If someone were to be so careless as to leave an unpatched IIS on the net long enough, it too would become another super-spreader.

    5. Re:I'm still getting pestered by Code-Red. by rossz · · Score: 1

      That gets it out of the logs, but doesn't really deal with the problem. I configured my server to automatically slap an iptables DROP on ip addresses attempting codered, nimda, and a few other exploits. It also deals with evil harvesting bots that ignore robots.txt exclusions. Because the vast majority of this crap is from dynamic ip addresses, the blocks are only temporary. Details are here.

      --
      -- Will program for bandwidth
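
      A way to pick those addresses out of the log automatically, as an added example that is not code from the thread or from any linked page: it parses access-log lines in the format pasted above, flags the Code Red and Nimda probe requests, and tallies hits per client so the repeat offenders can be handed to a temporary firewall block. The sample log inside is constructed and its IPs are documentation-range placeholders.

```python
"""Spot Code Red and Nimda probe footprints in an Apache access log.

Added example, not code from the thread or from any site it links to.
Parses common/combined log format lines like the ones pasted in the
thread, matches the well-known probe requests (Code Red's
GET /default.ida?XXXX... with %u-encoded payload bytes; Nimda's
attempts to reach cmd.exe / root.exe), and tallies hits per client so
an operator can decide which addresses to block temporarily.
The sample log below is constructed; IPs come from the RFC 5737
documentation ranges.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Common log format: client ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signatures applied to the request path. Code Red's .ida request
# starts with a long run of 'X' (Code Red II used 'N'); Nimda probes for
# cmd.exe or root.exe through the scripts/ and traversal paths.
SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida\?[XN]{20,}", re.IGNORECASE),
    "nimda": re.compile(r"(cmd\.exe|root\.exe)", re.IGNORECASE),
}


class Hit(NamedTuple):
    ip: str
    time: str
    signature: str
    status: int  # 404 on a non-IIS box means the probe was rejected, as in the thread
    path: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> Optional[str]:
    """Name the worm signature a request path matches, or None for ordinary traffic."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Walk the log and collect every request that matches a probe signature."""
    hits: List[Hit] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # not a request line we understand; skip rather than guess
        sig = classify(fields["path"])
        if sig is not None:
            hits.append(Hit(fields["ip"], fields["time"], sig,
                            int(fields["status"]), fields["path"]))
    return hits


def offenders(lines: List[str], threshold: int = 2) -> Dict[str, int]:
    """Clients with at least `threshold` probe hits: candidates for a temporary block."""
    counts = Counter(h.ip for h in scan(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample in the same format as the thread's pasted lines
# (the 'X' run is written contiguously, as the server actually logs it).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Jun/2003:17:15:29 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 392 "-" "-"
192.0.2.10 - - [04/Jun/2003:17:17:06 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 392 "-" "-"
198.51.100.7 - - [04/Jun/2003:17:46:09 -0600] "GET / HTTP/1.0" 200 7029 "-" "-"
198.51.100.7 - - [04/Jun/2003:22:05:36 -0600] "OPTIONS * HTTP/1.0" 200 0 "-" "-"
203.0.113.5 - - [07/Jun/2003:11:16:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 388 "-" "-"
203.0.113.5 - - [07/Jun/2003:11:16:02 -0600] "GET /sumthin HTTP/1.0" 404 388 "-" "-"
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.time}  {h.ip:<15} {h.signature:<9} status={h.status}")
    print("block candidates:", offenders(SAMPLE_LOG.splitlines()))
```

      The script only produces the candidate list; turning it into an iptables DROP rule, and expiring the rule later because most of these sources are dynamic addresses, is left to the operator.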
    6. Re:I'm still getting pestered by Code-Red. by Chyeburashka · · Score: 1

      I just copied from the output of cat /var/log/httpd/access_log, pasted with middle mouse button, previewed as Plain Old Text, redacted a bunch of non-CodeRed (or Nimda) lines, leaving just enough to get the point across, then changed the post format to Code. That seemed to bypass the lameness filter quite effectively. It seems if you edit your post between previews, that gives it some non-lameness.

    7. Re:I'm still getting pestered by Code-Red. by jred · · Score: 1

      I got all excited, because looking through all that crap in the log really bugs me. Then I clicked on the link, and the page ended up being for regged members only. Dude, don't you know this is /. ? We don't reg. for *anything* :)

      --

      jred
      I'm not a mechanic but I play one in my garage...
    8. Re:I'm still getting pestered by Code-Red. by Anonymous Coward · · Score: 0
      Apache?

      http://cr.yp.to/publicfile.html.

      If that doesn't log enough info for your tastes, combine 'publicfile' with 'recordio'.

      Nonesuch@Chicago

    9. Re:I'm still getting pestered by Code-Red. by randyest · · Score: 1

      Sorry, there was no reg for me (straight outta google). Maybe the reg is a (new) attempt to ward off the /. effect? I'm sure someone will post it here for you soon :)

      --
      everything in moderation
  26. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  27. learn from evolution by Anonymous Coward · · Score: 3, Interesting

    Nature has evolved to fight biological infection by various means: genetic diversity, adaptive defenses. We could take a lesson from this.

    1. Re:learn from evolution by Anonymous Coward · · Score: 0

      Yeah, though even in nature, patching still takes place though it tends not to be pre-emptive, and not wholly acceptable, generally resulting in the death of the faulty line.

  28. Re:Oh no! Shut the Interweb off! by PickyH3D · · Score: 0
    I agree with this 95%. However, there still needs to be a ton of work done on prevention. Look at the RE: support@microsoft.com virus/worm/whatever it was.

    If people would stop and think, "hey, I never e-mailed them to begin with" then we'd have fewer problems. Obviously people will fall through the cracks, and then there are of course those that did e-mail Microsoft, but the body of those e-mails was pathetically obvious. "Here's the file" or some such idiocy. Who runs those?... oh sh... I didn't e-mail them did I?

    The latter people obviously then fall into your basket.

  29. Re:Oh no! Shut the Interweb off! by blix5 · · Score: 5, Funny

    Harsher spankings for the people that still haven't grasped the concept of NOT clicking that email attachment with a .vbs extension. :P

  30. Re:Oh no! Shut the Interweb off! by calennert · · Score: 5, Funny

    -blink-blink-
    Connecting to AOL...
    -blink-
    You've got mail!
    -blink-blink
    "ooh, an attachment..."

  31. Re:Oh no! Shut the Interweb off! by pixelgeek · · Score: 5, Interesting

    -- There is no patch for human carelessness.

    The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?

    Yes, there will always be someone who will open attachments no matter how often you tell them not to.

    But perhaps the root issue isn't the fellow who can't stop clicking on Fireworks.exe files but the OS and application developers who enable and then don't patch systems that allow those users to be so easily exploited.

  32. speaking of large attacks by Anonymous Coward · · Score: 1, Interesting

    I was just listening to a radio show. The host had an email from "an insider" we'll say, who related that just lately (ongoing) there is supposedly some big "attack" going on that is targeting some government database, allegedly the largest in the world, but no name, redacted of course, and also banks of all things. I emailed him with the latest bugbear exploit details, because it sounded like it. He mentioned my email after a station break, and was adamant that his source was saying it was NOT the latest bugbear variant, but something much larger and they think it's a state sponsored cyber warfare attack.

    Anyone hear of anything like this going on? I checked the usual security sites, I see nothing mentioned.

    My apologies for the sidetracking, just the timing and this thread gave me an opportunity to ask here.

    1. Re:speaking of large attacks by Anonymous Coward · · Score: 2, Funny

      Stop listening to Art Bell, you'll rot your brain.

  33. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 1, Interesting

    There's a lot to be said for having diversity in a population to prevent a 100% infection rate.

  34. If it's so easy to write one... by DynamiteNeon · · Score: 4, Interesting

    Why doesn't someone just make a worm that goes around and downloads Windows and SQL server updates to patch against all these worms? I realize Microsoft doesn't have the best track record even with their updates, but it would still probably solve some problems. And yes, I realize there's something wrong with forcing people to install updates, but consider the alternative of reading these articles every week here.

    1. Re:If it's so easy to write one... by gregfortune · · Score: 1

      First, it's illegal and if you got caught, well... Second, and more importantly ('cause I really don't care if you get your butt thrown in jail), it would very likely break applications on a good sized portion of the machines you "updated".

    2. Re:If it's so easy to write one... by retto · · Score: 1

      But what about patches that require a reboot or shut down services?

      It may also cause more trouble than it would solve if the patch causes problems and the administrator did not have a chance to test it first in a non-production environment.

      I guess the bigger question is, with the rise of fast-spreading worms, does an unpatched server become a public nuisance? If so, could you sue someone if they didn't keep up-to-date on security patches and got infected by something?

    3. Re:If it's so easy to write one... by DynamiteNeon · · Score: 2, Interesting
      Hehe, I'm aware of that. I actually said it half-jokingly. I'm sure there are tons of obvious Microsoft jokes that could be inserted.

      The point was that a majority of the people being affected are probably those that don't even know what windows update is to begin with. They probably wouldn't even notice the changes being made in the background by this worm.

    4. Re:If it's so easy to write one... by FLoWCTRL · · Score: 5, Interesting

      There was a lot of speculation in the security community that this is effectively what the "Slammer" worm was -- a non-malicious worm that forced everyone to patch their software. Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload. All it did was propagate itself. The DoS effect was just a result of the massive increase in network traffic from its propagation. It could have been way, way worse.

      --
      http://oss.netmojo.ca

    5. Re:If it's so easy to write one... by Kadagan+AU · · Score: 1

      You know, if I had mod points, I'd give you a +1 interesting. That's something that never would have crossed my mind. I suppose part of the reason it wouldn't have occurred to me is because I didn't know (read: wasn't infected, didn't care) what exactly slammer did. I think I was playing paint ball the weekend it hit hard ;).

      If the reason behind it had anything to do with getting people to patch more, or making people more aware of security holes, then I'd have to say I support this sort of worm. I'm relatively new to the "security" community, but it's all very intriguing (sp?) to me. I don't see how so very many people can be so very dumb/naive and leave glaring holes all over the place. Oh well, mine is not to ask questions. =D

      --
      This space for rent, inquire within.
    6. Re:If it's so easy to write one... by budgenator · · Score: 1

      Someone sent one to one of my website servers and called it codeBlue; it was supposed to patch servers vulnerable to codeRed. No idea if it did or not, we were on an Irix server.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    7. Re:If it's so easy to write one... by Adam9 · · Score: 1

      You reminded me of a point that someone else brought up awhile ago. The worm was released on a weekend. Some speculated because admins would be out of the office so it could spread quickly. OTOH, many more businesses/users would've been affected if it was released on Mon-Thur.

    8. Re:If it's so easy to write one... by Whyrph · · Score: 1

      Instead of using buggy MS updates, simply cook up a fix yourself (for the hole you're using, and maybe some others) and have the virus update the system it's on after it propagates itself.

    9. Re:If it's so easy to write one... by Anonymous Coward · · Score: 1, Funny
      FlowCTRL writes:
      There was a lot of speculation in the security community that this is effectively what the "Slammer" worm was -- a non-malicious worm that forced everyone to patch their software. Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload

      If that was their point, they were a bit too subtle for their own good.

      If I was going to do that, I'd stick a huge NOP slide into the payload followed by a JMP to skip over the text literal "INSERT MALICIOUS CODE HERE", just to make the point obvious :)

      Nonesuch@Chicago

    10. Re:If it's so easy to write one... by PetWolverine · · Score: 4, Interesting

      Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload

      Let's think of a worst-case scenario, here...

      The worm had a program to propagate itself in a space of 376 bytes. It had up to, what, 1500 bytes to carry whatever program it wished? Let's say it used those 1500 bytes to set up a program that would listen on a particular TCP port for instructions from the author's computer. Then, rather than propagating itself as fast as possible, it sends out a packet every few minutes, gradually and insidiously infecting all MSSQL servers on the Internet.

      The 1100 extra bytes are used to write a program to disk, and then launch it. This program listens for connections on some high port, or perhaps just listens for UDP packets of a certain description (since it knows the firewall lets those through). At first, it simply catches all worm packets and records the IP addresses, so that it knows what other hosts are infected.

      The author's computer listens for these packets, and makes a similar list of infected hosts. Then, when the time is ripe, he starts sending additional instructions to those hosts.

      The hosts receive the new instructions, modify their program based on the contents, and then echo the packet out to the hosts in their lists. The author numbers the instruction packets, and the hosts make a note of which ones they've received and ignore repeats. That way, once all infected hosts are updated, the patches stop flying around.

      One of the first instructions to be sent out is to make the program launch at boot time. Then, the infected computers are sent instructions to stop propagating themselves. They're sent instructions to report back to the original source. The author looks at the hosts, sends out special non-propagating instructions to military hosts to send him their data. He sends out instructions to hosts that may have access to credit card databases to send him the numbers and expiration dates. He gathers whatever other information he deems useful.

      Then, he sends out an instruction for all hosts to delete all data from all databases.

      How difficult would it be to write the initial program for that? How difficult to make those patches, and make them work? My guess is, someone who knows assembly well could pull it off. It may take a fair amount of time and patience, but the amount of money to be made is pretty considerable and could make it worthwhile. Hey, if I were going to write a malicious worm, that's how I would go about it.

      But the most pertinent question is, how many MSSQL servers are still out there, unpatched, vulnerable, serving critical data?

      --
      I found the meaning of life the other day, but I had write-only access.
  35. Warhol by Anonymous Coward · · Score: 5, Funny

    a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."'
    A "Warhol" worm wouldn't infect the Internet in 15 minutes, it would infect it for only 15 minutes.

    1. Re:Warhol by retto · · Score: 3, Funny

      I think a virus with a 15 minute life would be a good idea. It could pop in, say 'gotcha,' a little 'how's your father,' and then retire with a little dignity. Too many viruses nowadays overstay their welcome and just wind up looking kind of pathetic. Every now and then I hear about Nimda or even Michelangelo trying to make a comeback with the Wizards and it kind of ruins the memory of them from when they were in their prime. The good ones...they leave the game before the game leaves them...

  36. There is no such thing as cyberterrorism by DmitriA · · Score: 4, Insightful
    Schneier raises some good points regarding this issue in this month's Crypto-Gram.


    In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability. We simply don't understand the interactions well enough to predict which kinds of attacks could cause catastrophic results, and terrorist organizations don't have that sort of knowledge either -- even if they tried to hire experts. ...

    Despite our predilection for calling anything "terrorism," these attacks are not. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That causes annoyance and irritation, not terror.

    This is a difficult message for some, because these days anyone who causes widespread damage is being given the label "terrorist." But imagine for a minute the leadership of al Qaeda sitting in a cave somewhere, plotting the next move in their jihad against the United States. One of the leaders jumps up and exclaims: "I have an idea! We'll disable their e-mail...." Conventional terrorism -- driving a truckful of explosives into a nuclear power plant, for example -- is still easier and much more effective.

    1. Re:There is no such thing as cyberterrorism by sn00ker · · Score: 4, Insightful
      In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability.
      Now, was it not the case that it was the network load, rather than the worm, that caused these problems?
      It was contemporary knowledge that ATMs use(d?) dedicated networks, primarily to protect against intrusion. If ATM traffic is now being routed across the 'net, VPN'd or not, the possibilities are endless.

      As for "cyber terrorism" being a bullshit term, not entirely. Fine, loss of ATMs or e-mail won't panic most people (unless you're in the middle of a multi-billion-dollar, must-happen-now deal that's being conducted through e-mail), but you can do things through the 'net that will result in public disorder. A coordinated effort to modify the sites of all major news organisations could easily start a mass panic if the "right" message was presented - Even more so if web radio broadcasts were also tampered with to back the news sites.

      --
      "God, root, what is difference?" - Pitr, userfriendly
    2. Re:There is no such thing as cyberterrorism by RedPhoenix · · Score: 1

      Caveat:

      Now that fairly complex operating systems are starting to appear in special-purpose devices (eg: Cameras, DVDs, Robots, HUDs in Cars), it's not too much of an extrapolation to envisage such an OS controlling critical infrastructure (eg: Traffic lights, Air Traffic Control systems, water purification plant scheduling), or even devices on which life may tangentially depend (eg: Automatic Insulin pumps, Patient vital statistics monitoring systems, etc.)

      In situations where a non-special-purpose (read: potentially infectable by viruses) operating system is controlling critical infrastructure, there's certainly potential for the Terrorist label to stick when applied to virus writers.

    3. Re:There is no such thing as cyberterrorism by Anonymous Coward · · Score: 0

      Oh no? Look at this map of the systems infected by the sapphire worm. What does this look like to the terrorists? All of their intended targets hit with some 'inconvenience' as you call it all at the same time. If a terrorist saw this map, I can imagine him sending a donkey up to Bin Laden's hideout with a copy saying, "Now we know how to it just the evil infidels"

    4. Re:There is no such thing as cyberterrorism by Duckling · · Score: 2, Insightful

      And from this, it is obvious that Schneier seems to have a much more rational view on the matter. Kolstad is simply way off the mark.

      Why?
      Well, simply because his "mental exercise" presents a bunch of worst case scenarios, but not a single piece of evidence or fact that shows how or when we would ever come into these situations.

      The way it is presented, it looks more like unfounded paranoia than a sound analysis. He's repeatedly saying: what if is down for a week (or weeks)?
      What makes him think they will be, even if hit by a serious attack?
      Is he making the assumption that a more advanced worm would hit the Net with the initial force and speed of Slammer? Has he forgotten that Slammer effectively strangled itself?
      Also, he seems to ignore the fact that infrastructure providers (comms, water, electricity etc.) have been prepared for most kinds of disasters since the dawn of time, including computer system failures.

      However much the geeks of the world would like to think so, the world does not revolve around computers, and won't end without them.

    5. Re:There is no such thing as cyberterrorism by Carlos+Laviola · · Score: 1

      If you think this through really hard, you'll realize how insane it is.

    6. Re:There is no such thing as cyberterrorism by sn00ker · · Score: 1
      It's actually nowhere near as insane as you make out.
      Fine, breaking into web radio broadcasts is pretty tough, but breaking into websites and altering them isn't terribly difficult for a skilled technician. Nation states tend to have access to such people, in numbers great enough to be able to take on all the foremost sites in a single raid.
      Don't under-estimate the resources of a nation and their ability to find people who're very good at breaking into websites.

      There's also the option of getting people who have access onto the routers controlling traffic to those sites. Redirection is so much easier.

      --
      "God, root, what is difference?" - Pitr, userfriendly
  37. Re:Oh no! Shut the Interweb off! by The+Dark · · Score: 2, Insightful

    I think the root issue is the assholes who write the viruses in the first place, slack OS's and users just make their life easier.

    --
    sig's not here
  38. Re:Oh no! Shut the Interweb off! by KrispyKringle · · Score: 4, Insightful
    Your assumption is that true security is a theoretical impossibility. On what grounds?

    I agree that it's not safe to rely on humans to keep systems patched. But, for one, if most systems are kept patched, a worm like SLAMMER would be useless. This is an obvious point you neglect, but not an interesting one.

    More interesting, I think, is the debate over whether there is such a thing theoretically possible as a secure architecture. This is, of course, the idea behind "secure" systems designed to be so from the ground up, such as Palladium. Ethernet, TCP/IP, ARP, and most of the other protocols which make up the 'Net were not designed with security in mind from the bottom up, but rather designed for effectiveness, ease of implementation, and the like. For example, why do Ethernet cards allow promiscuous mode? It makes diagnosing certain problems easier, but it also represents a very big opportunity for all sorts of security vulnerabilities. Or why can MAC addresses be changed so easily? This represents an easy opportunity for mischief.

    But had the entire architecture of the 'Net been designed for security and accountability rather than ease of access and openness from the start (granted, two often-conflicting ideals), would absolute security be possible?

    Many say that security is never truly possible without unplugging the computer from the 'Net, turning it off, and embedding it in concrete. This may be exaggeration, but of course it is quite difficult to prove something secure; RSA has not be proven secure, public-key cryptography has not been proven secure, and I don't really see how you could prove any other system secure, either.

    This may not be necessary, however. We may not know for certain that RSA is secure, but we assume that the NSA does not know how to factor such large numbers any better than the rest of us, and we assume it to be secure (and such an assumption does appear valid). If enough evidence exists to assume a system to be "practically secure," that is enough for implementation.

    I have no answers to these questions. But I think to assume such a problem is unanswerable is silly and is itself merely a non-answer. Security may not be an easy goal, but it may be achievable. At least in some forms, this is clearly the case; it would quite evidently be possible to stop some sorts of attacks, like SLAMMER, in the future, even if theoretical, absolute, security remains un-obtainable.

  39. Re:Oh no! Shut the Interweb off! by Beryllium+Sphere(tm) · · Score: 2, Insightful

    If we're talking about ultra-fast worms in particular, only the first problem matters. A piece of malware that depends on users getting to their email is going to take longer than 15 minutes to spread.

    We could still be vulnerable even if everyone patched their systems, if someone writes the exploit before the patch comes out.

    Scary stuff.

  40. Worm Analysis paper - "prior art" by versus · · Score: 4, Informative
    This paper appears in the Proceedings of the 11th USENIX Security Symposium (Security '02)

    How to 0wn the Internet in Your Spare Time

    Interesting topics: "Better" worms techniques

    • Localized scanning--Code Red II
    • Multi-vector worms--Nimda
    • Hit-list Scanning
    • Permutation Scanning
    • Simulation of a Warhol Worm

    "A combination of hit-list and permutation scanning can create what we term a Warhol worm, capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes. "

    --
    Brain is my second favorite organ.
    1. Re:Worm Analysis paper - "prior art" by adamruck · · Score: 1

      Permutation Scanning

      Is that when a virus changes itself slightly every time its sent out?

      --
      Selling software wont make you money, selling a service will.
  41. Re:Oh no! Shut the Interweb off! by ecalkin · · Score: 1, Insightful

    i would vote for a slowing down the release cycle of software products. with the idea of 'new versions' every 18 months becoming common, it seems that there is more writing of code than debugging/optimizing.

    and i've said this before, certain software companies have not been very good about training administrators about patching, etc.

    eric

  42. How to make super destructive worm by bigberk · · Score: 3, Funny

    A really nice way to make an extremely destructive worm would be to ensure that the great majority of computers connected to the internet are running the exact same operating software. This would guarantee that a vulnerability can reliably be exploited in pretty much any neighbor.

    Unfortunately, such a scenario is but a dream. Modern operating systems are too secure!

    1. Re:How to make super destructive worm by brian728s · · Score: 2, Interesting

      The worm I am afraid of is one that learns (or at least adapts) using some sort of evolution-based algorithm. Several million computers is a sufficient "population" for the worms to gain a lot of knowledge about what works and what doesn't.

    2. Re:How to make super destructive worm by bigberk · · Score: 1
      The worm I am afraid of is one that learns (or at least adapts) using some sort of evolution-based algorithm

      That would be frightening. Although, from my familiarity with evolutionary style programming (genetic, simulated annealing, evolution) you really can't get anything dramatic to come out of simply a software evolution algorithm. There needs to be that "touch of Gawd".

      In other words, a worm with the capabilities you describe would still have to have programmed into it many different attack vectors targeted at different systems. It cannot generate things this different on its own without human help.

      So it is a very good thing to give it many hard targets, different OS'es.
  43. Sounds like.. by dr+ttol · · Score: 2

    This sounds like Ender's Worm. Very interesting read.

    1. Re:Sounds like.. by brian728s · · Score: 2, Interesting

      It is similar, but not quite the same (ender's worm). The worm would be based on a neural network capable of storing various infection and spreading techniques. Coupled with the neural network would be the "standard" worm tools for infection and stealth. The core receives additional training information from other infected computers. The first time a worm is activated, it creates copies of itself on the host in various places using various techniques. Many of these may be discovered. Their loss is more valuable to the species. After a predefined time, the "primary worm" contacts all other worms on the system. The ones that survived are considered evidence that the particular method works on a particular system configuration. Next, it begins scanning the internet for other worms. When it finds one, it transmits a string containing two parts. One part describes various aspects of the system (operating system, versions of patches, versions of programs, versions of antivirus definitions, etc), the other describes the methods that successfully infected the computer. This information would be most certainly less than one packet. When a worm receives one of these packets, it first verifies it, and then adds it to its neural network. It then queries its neural network using its system configuration string and reinstalls itself onto the system based on those parameters. Then it waits a shorter time (maybe 15 minutes) before resuming port scanning (to make sure the updates don't reveal itself before it begins contributing to the "gene pool" again) This process allows the worm to evolve on its own and discover new ways to infect (assuming some sort of random mutation system).

  44. Re:Oh no! Shut the Interweb off! by knobmaker · · Score: 4, Insightful

    Your assumption is that true security is a theoretical impossibility. On what grounds?

    Not to speak for the previous poster, but that's a pretty good assumption. No technological advance has ever succeeded in remaining secure for long.

    (Example: plate armor probably seemed impregnable in practical terms, until the longbow came along. Yeah, okay, a stinking peasant could hamstring a warhorse and beat the knight to death with a rock while he lay helpless on the ground, but these possibilities were probably ignored with the same superstitious enthusiasm that sysadmins ignore the rarer kinds of attacks on their systems.)

    I would think that the burden of proof falls on those who maintain that "true security" is attainable. And the minute you propose some system to guarantee that true security, some clever person will come along and propose a way to get around it.

    Anyone designing a critical security system should probably start off with the assumption that security will eventually be breached, and make damn sure that when the breach occurs, catastrophe does not result.

  45. Oi, did anybody actually READ the link? by schmaltz · · Score: 2, Informative

    It's not a description of an actual worm, it's not even a description of how to build a worm, it's a vague description of how a worm might be constructed:

    1. Scan internet servers looking for vulnerable software
    2. Infect said software.

    Duh. The author writes, "I didn't write this paper to give people malicious ideas." -- It's okay! There's nothing in the paper that would assist people in doing anything useful!

    --
    Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma ... where's Siggy?
  46. But by commodoresloat · · Score: 5, Funny

    Everyone knows that worms DO infect apples.

    1. Re:But by hayden · · Score: 1

      There's nothing worse than finding half a worm in an Apple.

      --
      Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
    2. Re:But by Anonymous Coward · · Score: 0

      There's nothing worse than finding an Apple in an auction lot.

      It's bound to be obsolete, and with no salvageable parts usable in anything current.

  47. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 2, Informative

    Actually, the new Bugbear does selectively infect shared files. On my network, two 98 boxes had their entire C drives shared, while someone else (a laptop) became infected with the new Bugbear. Those two computers had only a few infected files, including:

    c:\program files\internet explorer\iexplore.exe
    c:\program files\outlook express\msimn.exe
    c:\program files\adobe\acrobat x.0\reader\acrord32.exe

    So it looks like the new Bugbear already selectively infects shared files.

    We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.

    We don't need to stop stressing prevention, but some shops certainly do need to react faster when something hits.

  48. Re:Oh no! Shut the Interweb off! by Gordo_1 · · Score: 5, Insightful

    Actually, this is exactly where a portion of the security community is currently focusing. With a deep enough level of protocol understanding, it's often possible to write generalized algorithms that detect (and presumably block) novel attempts to exploit a known vulnerability. For example, in the case of SQL Slammer, the buffer overflow vulnerability disclosure came many months before the worm hit, and at least a couple intrusion detection vendors were able to positively identify the exploit attempt without requiring an update -- one of the keys to protection against such a rapidly propagating worm.
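
    The protocol-aware, signature-free detection the post describes, as an added example (not from the thread or from any IDS vendor): a classifier for the SQL Server Resolution Service datagram (UDP/1434) that flags any instance-lookup request whose name field is implausibly long or non-printable, so a never-seen-before variant of the same overflow attempt is caught without a signature update. The message type byte 0x04 and the NUL-terminated name that follows it are taken from the protocol; the 64-byte name threshold and the sample datagrams are constructed assumptions.

```python
"""Generic detector for overflow attempts against the SQL Server
Resolution Service (SSRP, UDP/1434), the service Slammer exploited.

Rather than matching the exact bytes of one worm, it checks whether a
request is *structurally* legitimate: a type-0x04 request carries a
short, printable, NUL-terminated instance name. Anything else is an
exploit attempt regardless of which payload bytes follow."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SSRP_PORT = 1434
CLNT_BCAST_EX = 0x02      # single-byte "enumerate instances" (broadcast)
CLNT_UCAST_EX = 0x03      # single-byte "enumerate instances" (unicast)
CLNT_UCAST_INST = 0x04    # "which port is instance <name> on?"

# Assumption for this example: a real instance name is far shorter than
# this; a name field beyond it has no legitimate purpose.
MAX_INSTANCE_NAME = 64


@dataclass(frozen=True)
class Verdict:
    alert: bool
    reason: str


def classify_ssrp(payload: bytes) -> Verdict:
    """Classify one UDP payload sent to SSRP_PORT."""
    if not payload:
        return Verdict(False, "empty datagram")
    msg_type = payload[0]

    if msg_type in (CLNT_BCAST_EX, CLNT_UCAST_EX):
        # These requests are exactly one byte long; trailing data is not
        # something a real client sends.
        if len(payload) == 1:
            return Verdict(False, "instance enumeration request")
        return Verdict(True, "trailing bytes after single-byte request")

    if msg_type == CLNT_UCAST_INST:
        name = payload[1:].split(b"\x00", 1)[0]
        if len(name) > MAX_INSTANCE_NAME:
            return Verdict(True, f"instance name of {len(name)} bytes "
                                 f"exceeds {MAX_INSTANCE_NAME}")
        if any(b < 0x20 or b > 0x7E for b in name):
            return Verdict(True, "non-printable bytes in instance name")
        return Verdict(False, "instance lookup for "
                              f"{name.decode('ascii')!r}")

    return Verdict(False, f"unhandled request type 0x{msg_type:02x}")


def scan_datagrams(datagrams: Iterable[Tuple[str, int, bytes]]
                   ) -> List[Tuple[str, str]]:
    """Return (source, reason) for every alerting datagram aimed at 1434.
    Each element of `datagrams` is (source_ip, dst_port, payload)."""
    alerts = []
    for src, dport, payload in datagrams:
        if dport != SSRP_PORT:
            continue
        verdict = classify_ssrp(payload)
        if verdict.alert:
            alerts.append((src, verdict.reason))
    return alerts


# Constructed sample traffic (not captured data):
#  - a normal enumeration and a normal lookup for the default instance
#  - a 376-byte type-0x04 datagram filled with 0x01, the size and layout
#    Slammer used
#  - a shorter, printable variant that a byte-exact Slammer signature
#    would miss but the structural check still catches
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 1434, b"\x02"),
    ("10.0.0.6", 1434, b"\x04MSSQLSERVER\x00"),
    ("10.0.0.7", 1434, b"\x04" + b"\x01" * 375),
    ("10.0.0.8", 1434, b"\x04" + b"A" * 200 + b"\x00"),
    ("10.0.0.9", 80, b"\x04" + b"\x01" * 375),   # wrong port, ignored
]

if __name__ == "__main__":
    for src, reason in scan_datagrams(SAMPLE_DATAGRAMS):
        print(f"ALERT {src}: {reason}")
```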

  49. Better. Stronger. Faster. by ShieldW0lf · · Score: 1

    This is about that new AOL 8.0 software, right?

    --
    -1 Uncomfortable Truth
  50. Re:Oh no! Shut the Interweb off! by GigsVT · · Score: 5, Insightful

    I'm no historian, but I bet plate armor was more for intimidation factor than anything else.

    I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.

    I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.

    Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change. :)

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  51. Honeypots by Tackhead · · Score: 1
    > >Fast moving worms are harder for those pesky birds to get at
    >
    > Kinda makes the phrase "The early bird catches the worm", redundant doesn't it.

    Honeypots: The early bird may get the worm, but the second mouse gets the cheese.

    *BOFH-like evil grin*

  52. Re:Oh no! Shut the Interweb off! by roystgnr · · Score: 1

    For computers to be useful you have to have some level of trust,

    I have never run any executable code I received in an email. What exactly have your friends been sending you?

  53. Cross-platform worm? by qbproger · · Score: 1

    Does that mean they're going to start using Java?

    --

    - Joe
  54. What about a hydra? by BitwizeGHC · · Score: 2, Funny

    A multi-headed worm that can penetrate seven different networks at once, and steal 4 billion dollars from the Swordfish slush fund, all within ten seconds?

    --
    N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
  55. only large-scale communication network? by Imperator · · Score: 4, Funny

    There are these things called, uh, let me think, they're often connected to wires in the wall, umm, sometimes people forget to turn them off in movie theaters, err, they make noise when someone wants to talk to you, uh, damnit I forget. But they were the big thing a few years ago. I think I can even remember using them for Internet access, but maybe that was just a bad dream.

    --

    Gates' Law: Every 18 months, the speed of software halves.
    1. Re:only large-scale communication network? by Oscar_Wilde · · Score: 1

      There are these things called, uh, let me think, they're often connected to wires in the wall,

      Bah! Wires indeed, back in my day we had to use a wooden stick to make marks on dead trees and pass those through holes in the walls. We even had to wait for another person to come and move them to other homes, none of this "over wires" stuff.

    2. Re:only large-scale communication network? by term8or · · Score: 2, Funny

      And what was that thing... Um, it's something like "Snail", or possibly "Male", um...

      --
      "As a writer / novelist you might want to spellcheck your sig. :) " - AC
  56. As we point fingers by Anonymous Coward · · Score: 0

    Sure it's the developers' fault...
    It's big business' fault...
    It's the sysadmin's fault...

    why not blame canada?

    1. Re:As we point fingers by m1chael · · Score: 0

      dont belittle yourself.

      --
      I know you are psychotic, but please make an effort.
  57. ummm by Anonymous Coward · · Score: 0

    Remember how long it took for the good guy virus, in the movie 'Independence Day', to crawl into the alien systems and do bad?

    Seemed like minutes to me... too bad they didn't have the expertise of the Slammer writer to put to use then, eh? Those filthy off-world slime would have been heading for the exits much sooner me thinks....

  58. Re:Oh no! Shut the Interweb off! by KrispyKringle · · Score: 3, Insightful
    I'm not sure I'd agree with that assessment. With the shiny knights metaphor, anyone, regardless of education or background (or military experience, in this example) is intimidated simply on a gut level. But with computer security, if you are ignorant, you aren't intimidated by the latest firewall or the highest-encryption VPN. And if you know enough to be a threat, you know enough to know what armor works and what doesn't. Unlike your metaphor with medieval knights, the actual conflict is combat, and the defenses are secondary. With computer security, the conflict is the armor; anyone who is a "soldier" is also an armorer who knows what is strong and what is weak.

    Name a security measure that is mere intimidation. Name a measure that has no added value and is just shiny armor. (This does, admittedly, apply to local security measures using biometrics; thumbprint scanners are less secure, at least on the consumer-grade, and just cooler looking, but I don't think it applies quite the same way to real network security measures.)

    Your point is well-taken, that companies have no incentive to sell something that works above and beyond selling what sells, but it neglects that the two generally do go together and the leaders in the field tend to have true commitment to security.

  59. Sapphire PRNG by Anonymous Coward · · Score: 1, Interesting
    Personally, when I read through the Slammer source and the analysis of the code (and the PRNG flaws), I immediately thought to myself "A couple more days of testing and enhancement, and this thing could be really interesting."

    I suppose the drive to release the worm while there is still a sizable pool of vulnerable hosts is one justification for the distinct lack of QA by worm developers.

    Specifically, I would have done more testing on the PRNG (run in a sandbox, check IP target coverage), added code to selectively target "nearby" hosts (bypass randomization of the first, second and sometimes third byte), and perhaps looked into spoofing the source port (lots of badly written firewalls allow inbound packets that show a source port of 53, etc).

    And to get really nasty, every few packets, set the fourth and sometimes third octet of the IP to .255/.127/.63, to get that whole smurf effect going in your favor.

    Nonesuch@Chicago

    1. Re:Sapphire PRNG by LiquidCoooled · · Score: 1

      I personally think the majority of virii escape through lax security on the creators system.
      In the good old days of floppy disc virii, where a slow leisurely development cycle could occur this kind of thing didn't happen, but with something as infectious as Slammer, it simply takes one home machine still connected and *BANG*

      --
      liqbase :: faster than paper
  60. heh by Poofat · · Score: 2, Funny

    "The happiest day of my life was when the doctor said I didn't have worms anymore"

  61. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 0

    > Cut off their arms?

    Cut off their access.

  62. The "Warhol Worm" by Zrech · · Score: 1

    You want to know where slammer went wrong and the next one is gona hit? If you really wana cause internet hell, do not infect the machine, do not even get to it. ONLY infect the switches and routers. Not the ones that joe shmoe has at home, no, the ones that are on the fiber, the ones on the backbone. Make them send random junk data to each other at the 'spec limits that the OEM put on the hardware. Then the hardware the net is based on will kill itself - latency hell. The only way to fix it would be to reset each one by hand. It WILL happen, only a matter of time till some moron will think of this and feel inclined to do it. Just the right code in an ICMP packet and we are down for the count and shipped away in the ambulance.

  63. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 0

    It figures. The BOFH not only has a /. account, but is reading it during 'work'.

  64. *ring* hello? is virus there? Yea, hold on... by mabu · · Score: 2, Interesting

    The problem with Ender's worm is that by design it is self-defeating. The idea of a "worm farm" of different units targeting different systems is effective, but with a common communications protocol, it negates the worms' ability to evolve and thwart detection. The writer of the paper talks about the worms' needs to change signatures to avoid AV detection, yet communicate with other units by a common question-and-response session, which would make it incredibly easy for any infected unit on the network to be easily identified.

    To date, what gives away worm activity is the incessant talking they perpetrate, which is necessary to their propagation. So the key to any "super worm" isn't necessarily the speed at which it can infect nodes, but how quietly this can be done. I would argue that a slow, methodical infection, at a pace which makes the activity unsuspicious, has the potential to be much more dangerous.

    Maybe this would be the ultimate worm.. two modes.. the first one slowly propagates and avoids detection, then a second phase which triggers a more aggressive frontal assault.

  65. the super virus has its own song by humble · · Score: 1
    Check out the song "Virus" by Deltron 3030.

    Lyrics include:

    "I want to devise a virus
    that brings dire straits to your environment
    crush the corporations with a mild touch
    crash the whole computer system and revert us to papyrus"
    enjoy!
  66. A redundant post by fm6 · · Score: 1
    Or to put it another way: You can't make a system foolproof, because fools are so fiendishly clever!

    Yeah, I know that's what you said. My way is cuter.

  67. Patching-based security won't work. by Animats · · Score: 3, Informative

    A key point of this article is patch-based security won't work, and signature-based virus scanning won't work, against a competent attacker. If someone discovers a new exploit and crafts a fast-spreading attack based on it, the attack can take over a vast number of hosts long before there's any response.

  68. It was inevitable... by NotQuiteReal · · Score: 2, Funny
    The worms must have crossbred with the spam... after all, lots of them promise to make my worm go farther, faster, and LONGER!

    --
    This issue is a bit more complicated than you think.
  69. Re:Oh no! Shut the Interweb off! by SN74S181 · · Score: 1

    Whoops. So much for 'release early, release often.'

    I guess that does it. No more Open Source projects freely released and enthusiastically and continually updated.

  70. a call to the white hats? by Vaughn+Anderson · · Score: 5, Interesting

    Hey, when is someone going to be nice enough to the world to make a purty li'l worm that actually shuts off all the security features that are exploited in Outlook...

    I am sure there are plenty of reasons not to do this, but if you asked the person politely like.

    "Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer?
    | Yes | No |"

    *click*

    "Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"

    1. Re:a call to the white hats? by NexusTw1n · · Score: 1

      Is it actually fair to blame Outlook these days?

      Outlook is not Outlook Express. Outlook 2002 SP2 is pretty secure out of the box. Executable attachments are blocked with no option anywhere at all to disable this feature - you want to send someone an executable who's running Office XP, you send it zipped or you don't send it at all.

      The HTML vulnerability which allowed code to run just by using the preview pane to view an email was patched in either SP1 or SP2.

      I'd be interested to know how many people get infected while using Outlook 2002 SP2.

      --
      It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
    2. Re:a call to the white hats? by Vaughn+Anderson · · Score: 1
      Perhaps the latest Outlook is fine, but it seems there are still people running windows 95, 98, Me, etc, out there... I am not sure about which versions are actually insecure but this article from MSN

      http://www.msnbc.com/news/922529.asp?0cv=CB10&cp1= 1

      In an attempt to avoid detection, BugBear attempts to turn off all antivirus programs, and it shuts down other security software. In addition, it uses a particularly nasty flaw in Microsoft's Internet Explorer program and its implementation by Microsoft's Outlook e-mail reader that allows the virus to infect machines whenever a victim simply previews an e-mail message loaded with the program.

      It seems that it's not just Outlook but IE as well, and just "previewing" the email, not even opening the attachment, is causing problems... This is very recent...only 1 week ago, so even though the newest versions are patched, it seems to matter very little cause most of the outlook apps out there are not patched....

    3. Re:a call to the white hats? by term8or · · Score: 1

      "Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer? | Yes | No |"

      *click*


      "Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"

      whirring sound, as all your friends get e-mailed by the worm


      Back at BlackHat HQ : "Ok, fred, Let's start playin'"

      --
      "As a writer / novelist you might want to spellcheck your sig. :) " - AC
    4. Re:a call to the white hats? by Vaughn+Anderson · · Score: 1

      How about this then, they could include a link to their website with an application you can download to verify that the virus they are indeed clicking "yes" to is the real thing... :)

      (a side note, the "good" virus would have to be sent to all their friends... otherwise how else would it spread? Eventually it would close up enough insecure systems that it couldn't spread anymore... that's was my initial idea anyways... the reality may be somewhat different...)

    5. Re:a call to the white hats? by Vaughn+Anderson · · Score: 1
      Outlook is not Outlook Express.

      I know I already replied to this post but there is one really stupid thing to note here.... you have to have outlook express installed on your system before you can install outlook... (as at one point I uninstalled Express and later installed Office 2000 and it wouldn't install Outlook because Express wasn't installed... I doubt I did something wrong...

      So is there really a separation of Express and regular Outlook?

  71. Re:Oh no! Shut the Interweb off! by buffer-overflowed · · Score: 1

    Security that works (err, was supposed to work?) through intimidation: The Windows 9x login prompt. I don't know how many end users I talked through hitting escape there during my days on a helpdesk.

    --
    The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
  72. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  73. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  74. Re:Oh no! Shut the Interweb off! by RzUpAnmsCwrds · · Score: 3, Insightful

    "on the network. For computers to be useful you have to have some level of trust"

    This is what Palladium is all about. Executable code is signed, and it can only run if you choose to trust the publisher. Viruses are less of a problem because an infected file will fail signature verification.

    Microsoft may be misguided with Palladium and the DRM goodies that it includes, but the underlying concept of trusted and untrusted code is a good one.

    Might I add, however, that the same thing can be done without the complete hardware implementation of Microsoft's product. A simple signed executable system would do the trick. Microsoft already uses this for ActiveX controls.

  75. So? by Anonymous Coward · · Score: 0

    That's the price you pay for supporting a monoculture. I run a Linux and Macintosh network here, and we were entirely -- let me repeat that, *entirely* -- untouched by this toy virus. Even our two Windows users were untouched because I tell Postfix to strip scripts from their mail.

    So the Wintel world got hit with a script virus du jour. Tell me -- what's the problem? Sympathy: zero.

  76. Re:Oh no! Shut the Interweb off! by LiquidCoooled · · Score: 1

    In all the places that stress not opening unsolicited attachments, there is usually a note about sharing the entire C Drive.
    Good networking practice says only share what you want people to access.

    --
    liqbase :: faster than paper
  77. Re:Oh no! Shut the Interweb off! by Hater's+Leaving,+The · · Score: 1

    """
    This is what Palladium is all about. Executable code is signed, and it can only run if you choose to trust the publisher.
    """

    How do you know if you trust them or not?

    THL

    --
    Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
  78. Re:Oh no! Shut the Interweb off! by Hater's+Leaving,+The · · Score: 1

    Until someone configures their linux system to recognise .exe's in mail, and automatically launch Wine for them.

    Don't laugh, it _will_ happen.
    THL

    --
    Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
  79. Re:FP by HellKrisp · · Score: 0, Offtopic

    What kind of a monkey?

  80. Re:Oh no! Shut the Interweb off! by Hater's+Leaving,+The · · Score: 1

    Fatuous argument. Nuke the server. No machine can survive a direct nuking therefore no software can be secure.

    You've got to specify your threat model before you judge security. You can't just bring in arbitrary threats post facto.

    Phil

    --
    Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
  81. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 0

    Technically, yes. However, the issue isn't really the worm du jour but the potential of break-ins. What freaks people out is that they are sitting ducks for data-thieves and vandals. The possible (not necessarily real) existence of an attacker is enough. Slack OS's and users are responsible for that problem.

  82. Re:Oh no! Shut the Interweb off! by Negatyfus · · Score: 1

    Remotely exploitable vulnerability found in IIS!

    "Hmpf! Grrr! Must... install... patch!"

    -Clickity click click-

    "Raaaah! Damn nose! I didn't want to donate $20 to the RIAA!"

    -Clicky clicky click-

    "Nooo! Now I have deleted all my files! Why must my nose be so flat?!"

  83. One ring to rule them all.... by billstewart · · Score: 1

    ... well, anyway, one somewhat motivated gang of authors. The hardest part is probably finding somebody with Cisco hacking experience. At least the last couple of worms weren't that malicious - they got their 15 minutes of fame, but didn't wipe the disk drives of the machines they'd infected.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  84. Re:Oh no! Shut the Interweb off! by mr3038 · · Score: 1
    For example, why do Ethernet cards allow promiscuous mode? It makes diagnosing certain problems easier, but it also represents a very big opportunity for all sorts of security vulnerabilities. Or why can MAC addresses be changed so easily?

    I think it's a good thing that even so many NICs allow promiscuous mode and changing MAC address. If they didn't some lame-ass designer would think those are security features and rely on them while designing a new security model. Have you noticed how some very old protocols rely on IP numbers for "authentication" or "security". Perhaps when those protocols were designed the IP numbers were fixed and couldn't be changed easily? Or perhaps the security wasn't an issue back then when everybody had to trust everybody in the net to make it work, or something. Compare fixed MAC or IP to public key security and you'll immediately notice that those two are from totally different ballparks when it comes to the security. For example, the RSA is even in theory hard to crack to the best of our knowledge -- fixed MAC or IP is "hard" to crack because the "hardware doesn't allow you to change it". In cases like these, it's always the blackhats who have the hardware that allows those "impossible changes" and whitehats just think they're safe.

    You cannot trust on obscure hardware if you want security - it just guarantees that every issue is much harder to notice in advance, not that those issues didn't exist. (See also: DeCSS)

    --
    _________________________
    Spelling and grammar mistakes left as an exercise for the reader.
  85. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 0

    You have stated a truth. I am pointing this out to bring this reality to the masses. Yes, I am willing to spend a few Karma points to propagate this and point out a fact to the Slashdot community.

    Many eggheads will debate the truth of my action.

    I stand by it.

    Matrix2110

  86. Re:Oh no! Shut the Interweb off by zoward · · Score: 2, Insightful

    Although Palladium may help with some worms, since Outlook Express is a "trusted application" (at least by Palladium...), those .vbs scripts will be run as trusted apps; this will allow better than half of the viruses currently circulating to continue to do so.

    It's almost amusing to read my mail in kmail with HTML rendering turned off, and look over the attached scripts that arrive in my mailbox now and then. It makes me feel like an entomologist looking through a magnifying glass at a venomous spider pinned to a corkboard.

    --
    "Can't you see that everyone is buying station wagons?"
  87. grammatical a mishmash of on slashdot not rare by kahei · · Score: 1

    I quote:

    a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"

    I love the way, after creating a chaotic sentence by leading into a quote the wrong way, he then tries to fix it up by writing another sentence that also contains an error. He didn't press the left arrow key a few times to go back and fix the first sentence, he just kept writing :)

    --
    Whence? Hence. Whither? Thither.
  88. Way Behind You. by Anonymous Coward · · Score: 0

    Sophisticated methods of dealing with intrusions abound here. We're way behind you. My Big Boss issued an edict last week asking that we "log in at 8:00Am, not 8:05Am" Well, no one unlocks the door until 8:00Am, so they Cannot get logged in until say, 8:05Am. If that is the current state of IT/Management directives here, then how in the hell are we to even begin to run with the big boys on /.?

  89. Doesn't matter. by k2r · · Score: 1

    > You can bet your ass that if

    I'm not really interested in WHY there are no worms that try to infect my Mac.
    Actually the fact THAT there are no worms capable of infecting my Mac is absolutely sufficient to make me a happy customer.

    And - by the way - since the SystemUpdate on MacOSX works close to absolutely flawlessly*, I doubt that there is a significant percentage of unpatched Macs out there.

    Compared to the heaps of unpatched Windows-PCs AND Linux-Boxen I know of. (But am not responsible for.)

    k2r

    * Of course the no-login-button bug in the last update was funny, but since most people use the return-key to finish entering their password, it didn't matter.

  90. Re:Oh no! Shut the Interweb off! by Moraelin · · Score: 1

    No offense, but you seem to have gotten your "facts" from Hollywood, instead of from actual history.

    1) The longbow did not make plate armour obsolete, it was one of the factors which made it _necessary_. I.e., quite the exact opposite. What longbows, crossbows and impact weapons did make obsolete was chain armour.

    What eventually made plate obsolete was the constant evolution of firearms. When it got to the point that an armour thick enough to stop a bullet was too heavy to run around with, armour was discarded.

    2) About the knight lying helpless on the ground, that's utter and total BS. It originated in Mark Twain's wild imagination, and is not supported by any historical or archaeological data.

    A full suit of combat plate weighed about 60 pounds. Even if you're a total geek, you don't collapse helplessly under 60 pounds. Knights in full armour could and did fight on foot when needed.

    What helped make this stupidity seem believable were two things:

    A) Tournament armour. Unlike real combat, a tournament was a sport with rules. Thus the equipment for it didn't have to be the same as actual combat equipment. (The US Marines do not wear the same gear as a US football team, either.)

    Tournament armour was considerably thicker on likely points of impact, i.e., on the front, but thinner to the point of offering almost no protection on the back and sides. Still, on the whole it was heavier than regular combat armour.

    B) Firearms era breastplates. As firearms became more and more powerful, the first counter-step was to concentrate all those 60 pounds into just a super-thick breastplate and helmet.

    _But_ at that point that was _all_ that the soldier would wear. Those super-thick breastplates did _not_ have a matching back plate, nor leg or arm protection.

    I.e., taking one of those breastplates and extrapolating its weight to a full suit that thick is just pointless. Such a suit never existed. Ever.

    3) The comparison to computer security is pointless anyway. Armour (plate or otherwise) was _never_ supposed to make one 100% bullet (or sword) proof. At that point you'd also be too immobile to actually fight well.

    So in fact what happened there is simply trying to give those troops enough of an edge. If your knight in a plate suit was more survivable than one without armour, then you paid for a plate suit. When, on the other hand, armour became a liability (too heavy and still didn't stop a bullet), they just discarded it.

    Again, the purpose _never_ was to make the wearer invulnerable.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  91. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 0

    The problem is, the original poster made a very strong and unfounded statement. If you say something is theoretically impossible, you are saying that it can never be done no matter what, not just that it cannot currently be done.

    For example, by your argument it is theoretically impossible to put a man on Mars, because no technological advance has so far enabled us to do it.

  92. Re:Oh no! Shut the Interweb off! by Aceticon · · Score: 1
    Your car is stolen because the manufacturer installed no locks in the doors. You say "It's the fault of the criminals"

    See the parallel here???

  93. Re:Oh no! Shut the Interweb off! by blibbleblobble · · Score: 1
    "There is no patch for human carelessness."

    Some fairly simple patches would go a long way
    cp -rf /home/username/* /backup/home/username/
    chown -R backup_user /backup/
    Maybe some more lines to make each person's backups readable by that user and only that user.
  94. Re:Oh no! Shut the Interweb off! by Mark+Bainter · · Score: 4, Insightful
    An excellent point. Worse, users aren't exactly careful about who they trust when it comes to computers.

    Scenario:

    • User opens email
    • User clicks attachment
    • Window pops up: <blink>WARNING</blink>
      This code has not been signed (or is signed by an unknown publisher). Clicking OK in this box could transmit a virus, destroy your hard drive, subvert your nation's economy, summon flesh eating aliens and damn us all to eternal hell.
    • User clicks Ok

    Yes, checking signatures on code you execute is a good thing, but there are specifics to be concerned about in an implementation. How do you guarantee the signature? Obviously, some sort of authentication, and method of checking the signature against, perhaps, a public key is needed. And to handle that you need a web of trust that's workable. But none of that matters a whit if users aren't careful about the trust, and don't investigate. Nor is it worth a darn if they ignore warnings. These problems (aka user education, and poorly designed secure systems) have to be taken care of before any of this will be useful.

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison
  95. Re:Oh no! Shut the Interweb off! by aridhol · · Score: 1
    -- There is no patch for human carelessness.

    The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?

    Last I checked, software developers tend to be human.
    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  96. Re:Oh no! Shut the Interweb off! by 4of12 · · Score: 1

    That's an excellent idea.

    If new releases came out less frequently, there would be more time for the developers to test their code in the different configurations, to throw it to Aunt Tillie the sysadmin and to see how it might hose their internal corporate network.

    --
    "Provided by the management for your protection."
  97. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 0

    There is no patch for human carelessness.

    Full Scale Nuclear Destruction is a good patch for the folly of humans.

  98. Critiquing your example. by Medievalist · · Score: 1
    plate armor probably seemed impregnable in practical terms, until the longbow came along. Yeah, okay, a stinking peasant could hamstring a warhorse and beat the knight to death with a rock while he lay helpless on the ground, but these possibilities were probably ignored with the same superstitious enthusiasm that sysadmins ignore the rarer kinds of attacks on their systems.
    Unsurprisingly, I can't pass this one up....

    OK, first up, the longbow predates the use of plate armor by quite a bit. And there were composite bows (horn/bone/wood/sinew laminates, don't confuse composite with compound aka pulley-type bows) in military use that were capable of penetrating plate long before the English/Welsh longbow became the terror of Crecy and Agincourt. The Parthian horse-archers used composite bows against the armies of the Greek city-states in ancient times!

    Second, the knightly class certainly did not ignore the possibility of being brought down by the peasantry. Feudal European military castes preferred to capture their opponents alive whenever possible, because of the practice of ransoming captured enemies for enormous sums. The knighthood would claim that they only wanted to fight their equals for reasons of honor, but more practically they stood a better chance of surviving a defeat by a "gentle-man" than by a peasant levy armed with a hammer or spear (who would be unlikely to gain any significant fraction of a ransom). It's a classic risk/benefit analysis: don't start bar-fights with little guys, you have little to gain and much to lose!

    Note: I don't disagree with your point, but rather with the example you used to illustrate it. Defense in depth is better than Maginot lines, combined arms are better than reliance on a single weapon, and the history of conflict is an infinite loop of thesis/counter-thesis/synthesis.

    1. Re:Critiquing your example. by knobmaker · · Score: 0, Redundant

      I appreciate the correction. You learn something everyday, if you can keep the beans out of your ears.

  99. Re:Oh no! Shut the Interweb off! by Metasquares · · Score: 2, Informative

    DOC, XLS, MDB, BAT, ZIP, TAR.*...

    Ok, so those aren't obvious carriers in the same way that you classified the filetypes that you listed. However, they are all potentially capable of carrying and delivering malicious code and, at the same time, all potentially valid attachment types.

    The problem with blocking attachments is that certain filetypes are often used for virus distribution but also for valid email. Something like PIF can be blocked because no one sends PIF files as attachments. Blocking an EXE or a DOC file may have unforeseen consequences, however. The solution isn't to block every suspicious filetype that comes through. Running those files through a virus scanner on the server side would probably be a good idea, though. Of course, that'd use more CPU time than just delivering the message, so messages might end up being delayed a few seconds, but it's a small price to pay.

  100. A white hat response by Anonymous Coward · · Score: 0

    Look, we white hats are legit because we have houses, and kids, and real lives outside of computing.

    The black hats rarely have more than one of the above...

    We don't write worms and viruses because of the legal liabilities involved. Take Slammer, (probably written by a grey hat because the average SQL admin is apparently so incompetent they were putting the whole infrastructure at risk by never patching) for instance; do you think a big bank would care that your motives were pure when you brought down their ATM network as a side effect of your "good" worm's propagation?

    Releasing good exploit code is very dangerous, and white hats are very careful how they do it. Black hats don't care, the code is the point for them and destructiveness provides an easy measure for code effectiveness. Grey hats dance on a taut line... and get reviled whenever they fall off it (see recent slashdot interview with Fyodor for an example).

    1. Re:A white hat response by Vaughn+Anderson · · Score: 1

      I understand, I also have a family and so far the worst that has happened with these viruses isn't so bad.... I personally would not stick my neck out for something like this.

      Let's just hope the grey hats stay ahead of the black hats then. :)

  101. Re:Oh no! Shut the Interweb off! by ScuzzMonkey · · Score: 2, Insightful

    Well, but it is the fault of the criminals. It's very sad that most of us live in societies where your point seems to implicitly make some sort of sense, but no one should lose sight of the fact that there is really no one to blame for this but the instigator. Because another parallel that works, unfortunately, is:

    "You got raped because you were showing a little leg and walking down a dark street?"

    You can dress more conservatively and only walk down lit streets, but by refusing to address the root issue, you give up some of your freedoms. Same thing here; there are a lot of neat, open things that we should be able to do with computers to make our lives easier without having to give in to the criminals who write these things. The parent post you are replying to has a good point--we shouldn't be putting more effort into locking ourselves down than we are into finding and dealing with the offenders.

    --
    No relation to Happy Monkey
  102. Slow corruption is much more destructive by khchung · · Score: 1
    Then, he sends out an instruction for all hosts to delete all data from all databases.

    It will be 1000 times more destructive to slowly corrupt say, 2% of the database every week, then wipe them out after a year. That way, by that time, probably all backups they kept are corrupted, and even if they keep year old tapes, it is horribly out of date.

    --
    Oliver.
    1. Re:Slow corruption is much more destructive by Zeriel · · Score: 1

      Based on the rest of the post, I'd say the "delete all" is less for destructive purposes and more to cause a massive oh-shit! reaction that has the side effect (when restoring backups) of making forensics on the worm difficult-to-impossible.

      Personally, if I was writing a data-gathering worm, I'd write its final instruction to delete all log data of itself, then delete all code of itself, then delete itself permanently.

      No one ever need know I have all their data. =)

      --
      "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
    2. Re:Slow corruption is much more destructive by PetWolverine · · Score: 1

      Mmm, total havoc. Yes, that's a better way to do it. No less feasible, obviously, so the question remains, was my original proposition feasible?

      --
      I found the meaning of life the other day, but I had write-only access.
  103. Re:Oh no! Shut the Interweb off! by Simon+Brooke · · Score: 1
    Your car is stolen because the manufacturer installed no locks in the doors. You say "It's the fault of the criminals"

    It is.

    No-one forces criminals to steal someone else's property just because it doesn't happen to be locked up, tied down, or otherwise secured. Theft is a choice.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  104. Re:Oh no! Shut the Interweb off! by chrestomanci · · Score: 1
    I agree that it's not safe to rely on humans to keep systems patched. But, for one, if most systems are kept patched, a worm like SLAMMER would be useless. This is an obvious point you neglect, but not an interesting one.

    I would disagree there. Computer worms actively seek out computers to infect, compared with viruses that only spread by contagion.

    With human diseases, if most potential hosts are immune, then an epidemic cannot develop. The minimum immunisation level is generally considered to be about 95%. At that level, the chance that an infectious person will meet and infect a non immune person in the week or so that they are infectious but not obviously sick is low. The situation is similar with old style (boot sector) viruses.

    On the other hand, modern worms are designed to seek out susceptible hosts, so even if only 1% of computers are susceptible, then they will all become infected, quite quickly.

    The rest of us, who have patched our systems, now have to put up with constant probing from the infected systems out there. What we need to do, is to find a way to quarantine infected hosts as close to source as possible so that they are less of a hazard to the rest of us.
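
The contrast the post draws, as an added toy simulation (not the poster's code): contact-borne spread that herd immunity stops versus address-scanning spread that reaches every unpatched host no matter how many patched ones surround it. Population sizes, contact and probe rates and the RNG seed are constructed for the example and are not calibrated to any real outbreak.

```python
"""Two toy spread models: a contact-borne virus versus an address-scanning worm.
Constructed example; sizes, rates and seed are arbitrary but fast to run."""
import random

SUSCEPTIBLE, INFECTIOUS, RECOVERED = "S", "I", "R"


def simulate_contagion(n_hosts, immune_fraction, contacts_per_host, seed=1):
    """SIR-style spread by contact. Each infectious host meets a handful of
    random hosts for one tick, infects the susceptible ones, then recovers.
    Returns the total number of hosts that were ever infected."""
    rng = random.Random(seed)
    hosts = [SUSCEPTIBLE] * n_hosts
    # Patch/immunise a fixed share of the population up front.
    for idx in rng.sample(range(n_hosts), round(immune_fraction * n_hosts)):
        hosts[idx] = RECOVERED
    susceptible = [i for i, state in enumerate(hosts) if state == SUSCEPTIBLE]
    patient_zero = rng.choice(susceptible)
    hosts[patient_zero] = INFECTIOUS
    infectious = [patient_zero]
    total_infected = 1
    while infectious:
        newly_infected = []
        for src in infectious:
            # Contacts are drawn from the whole population, immune hosts included,
            # so in a 95%-immune population most contacts lead nowhere.
            for dst in rng.sample(range(n_hosts), contacts_per_host):
                if hosts[dst] == SUSCEPTIBLE:
                    hosts[dst] = INFECTIOUS
                    newly_infected.append(dst)
                    total_infected += 1
            hosts[src] = RECOVERED  # infectious for a single tick
        infectious = newly_infected
    return total_infected


def simulate_scanning_worm(address_space, n_vulnerable, probes_per_tick,
                           seed=1, max_ticks=10_000):
    """Scanning-worm spread. Every infected host fires probes at uniformly
    random addresses on every tick and never stops; a probe that lands on a
    vulnerable address infects it, while patched addresses just absorb probes.
    Returns (hosts_infected, ticks_elapsed)."""
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(address_space), n_vulnerable))
    infected = {min(vulnerable)}  # one initially infected vulnerable host
    ticks = 0
    while len(infected) < n_vulnerable and ticks < max_ticks:
        ticks += 1
        # Hosts infected during this tick start probing on the next one.
        for _ in range(len(infected) * probes_per_tick):
            target = rng.randrange(address_space)
            if target in vulnerable:
                infected.add(target)
    return len(infected), ticks


if __name__ == "__main__":
    # Contact-borne: 4 contacts per host gives R0 of about 4 in a naive population.
    print("contagion, nobody immune:", simulate_contagion(1000, 0.00, 4))
    print("contagion, 95% immune:   ", simulate_contagion(1000, 0.95, 4))
    # Scanning worm: only 1% of the address space is vulnerable at all.
    print("scanning worm, 1% vulnerable:", simulate_scanning_worm(20_000, 200, 20))
```

With 95% of hosts immune the contact model dies out after a handful of infections, while the scanning model still reaches all 200 vulnerable addresses out of 20,000; only removing or quarantining the vulnerable hosts themselves changes that outcome.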

  105. Re:Oh no! Shut the Interweb off! by Yet+Another+Smith · · Score: 1

    And harsh spankings for MS for making 'hide file extensions' the default. Seriously, this is one of the biggest reasons stuff gets clicked on. Everyone says '.jpg files are safe' and so something comes in .jpg.vbs which MS shows as .jpg, since it hides the file extension, and even somebody who's following the instructions regarding .vbs files doesn't realize they're getting duped by the UI.

    I know that MS is thinking, 'People don't like to see all those .doc and .ppt and .jpg extensions! People think extensions are confusing!' Which is true. A lot of casual users don't like file extensions. But the answer is not to hide them. If they're bad, they should be replaced with a less confusing system. Whenever I get on a coworker's machine where they're hidden, I usually just quietly unhide them and then say 'make all folders like this one'. Admittedly I'd hate it if somebody changed my UI settings without asking me, but no one has complained, so they probably just hadn't realized they could do it. And since we all use Solaris machines as well, they're all more than capable of coping with a few file extensions.

    --
    if ($it != $onething) {$it = $another;}
  106. Re:Oh no! Shut the Interweb off! by Zeriel · · Score: 1

    I would hope that the grandparent, when talking about longer release cycles, was referring to major version release cycles.

    The open source model of release early, release often is great, when people don't inflate version numbers. =P

    You'll note that even the Linux kernel has a very long major version release cycle, and a respectably long MINOR release cycle. The revision/patches keep flowing, but basic kernel functions (mostly) don't get revved in 18mo or less unless they're severely and completely broken.

    Commercial/Cathedral-style software might be better served by lengthening severely the amount of time between 1.x and 2.x, instead of releasing a new one every 18 months or so (Microsoft Office).
    Especially since most Office users would be happy with Office 97 (and many are!)...what are they adding that makes it slower every year?

    --
    "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
  107. Get the good guys back. by homesage · · Score: 1

    I'd say get rid of all the youngsters that are too busy bitheading about all the latest languages and "technology" constantly flooding our industry, and put the old time quality coders back to work. Then we can focus on quality of things which include security. 23 years software and I'm doing bike mechanics to pay the bills. Thanks Seattle.

  108. Re:Oh no! Shut the Interweb off! by knobmaker · · Score: 0, Redundant

    I appreciate the correction.

  109. Re:Oh no! Shut the Interweb off! by ConceptJunkie · · Score: 1

    Ultimately you are just adding another layer that must be circumvented.

    If your computer only runs trusted code, you need to figure out how to fake trust.

    It will get harder, but unless the computer becomes an appliance that can only run what's built in at the factory, virus prevention can't even be possible. And then that assumes the software still can't be exploited. And when has Microsoft (or anyone else) ever written flawless software.

    Moving protection into hardware will make it harder, sure, but just like DRM, you can never eliminate the problem 100%.

    --
    You are in a maze of twisty little passages, all alike.
  110. Re:Oh no! Shut the Interweb off! by WeblionX · · Score: 1

    [...] (or anyone else) ever written flawless software.
    I'm pretty sure that Pong was flawless... It might not be the best game anymore, but when was the last time you saw it get infected?

    --
    (\(\
    (=_=) Bani!
    (")")
  111. Rob is a thoughtful guy, BUT by Anonymous Coward · · Score: 0
    One paragraph ends:

    It's easy to imagine... could dwarf the depression of 1929.

    And the next one begins

    Let's take a rational....

    I am in favor of the latter, but I think Rob's gone a little over the top on this subject.

    Which is more likely:
    1. A worm or virus shuts down banking everywhere for a week (example from article)
    2. A worm or virus penetrates the banking industry and transfers a BUNCH of money to an offshore bank

    I think the latter, and banking already has existing infrastructure to deal with that.

    As far as food deliveries held up for a week (or a month) in large areas, floods and earthquakes do that more effectively than an internet loss would and we cope. It's not even usually a week's worth of CNN-level coverage when it happens. Why? Because we have existing infrastructure for that too.

    Is Cyberterrorism a potential issue? Yes. But at a level (yet) where even a very, very clever terrorist could cause national-level difficulties? This AC doesn't think so, because in most cases we do actually have existing infrastructure to recover
  112. Re:Oh no! Shut the Interweb off! by Lennie · · Score: 1

    Running those files through a virus scanner on the server side would probably be a good idea, though. Of course, that'd use more CPU time than just delivering the message, so messages might end up being delayed a few seconds, but it's a small price to pay.

    Speak for yourself, it really depends on the amount of mail your server processes.

    --
    New things are always on the horizon
  113. Re:Oh no! Shut the Interweb off! by SN74S181 · · Score: 1

    Office 2000 is fast enough to still be usable on my 486DX-100 laptop. The 'slower every year' meme is often exaggerated. Granted, if that laptop were my only machine I wouldn't be very happy running Office on it. And it's installed without all the cruft they dump in.

  114. Re:Oh no! Shut the Interweb off! by Zeriel · · Score: 1

    Conceded...however, it was my experience that
    Office 95 = much faster than Office 97, but Office 95 = teh suckz.
    Office 97 = marginally faster than Office 2k.
    Office 2k = arguably best of them, much faster than Office XP
    Office XP = dog slow, but not as slow as Office 2k3.

    This is based on personal experience with the machines at work, where we have licenses to all of the above (The horror!)

    --
    "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
  115. Design... by Anonymous Coward · · Score: 0

    SQLSlammer was a work of professional virus design, but it was not a flash or Warhol worm.

    These terms describe particular exact techniques which it is projected will infect all or most infectable machines on the 'net within 3 or 15 minutes, fusions of using a prescanned "supernode" structure to get fast machines first, and intelligently split IP scanning horizons to distribute the load (which is much more efficient than random scanning - if you don't understand why, do you understand why quicksort is "quick"?).

    SQLSlammer was a conventional actively infectious internet worm, and possibly at or near the very pinnacle of its class of worm in terms of rate of infections. A work of art.

    A vulnerability which runs arbitrary code immediately on receiving one single IP packet (UDP).

    This is important. No unusual backwards communication whatsoever - no TCP handshakes, no "it went okay, I'm infected" messages. Literally fire and forget - if it's infectable, it's probably infected (if the packet got through) - doesn't matter, onto the next host. Worm doesn't need to know.

    A worm small enough to easily fit into the overflow payload - which means being smart about what you have to lose for extreme small code size.

    Prescanned tables are right out. Split horizons are right out. Most smart stuff is right out. Jettison all forms of stealth, polymorphism, multipartitism - even reset recovery! No smart injoke messages or badly spelled CVs for this worm. No remote control or update, no botnets and absolutely no smegging peer-to-peer encrypted proxy networks. It disdained modern principles of virus design (big and bloated) for the KISS approach. Check the RNG. Simple, classic, very small, no very obvious patterns that cause the traffic to clump - predictable but quasi-random enough to work and above all, small and fast.

    It all goes out for an assembly-language coded classic worm whose entire purpose is to reproduce as insanely quickly and prolifically as possible, with no regard to the survival of the host. It wasn't aiming for longevity, it was aiming for fame - for exactly this Slashdot article, and for the hysterical news reports about it despite the fact that, bluntly, it didn't do any actual damage that script kiddies don't already (just more so).

    Slammer's goal was to go for one vector, all out greedy, and do it as quickly as possible - even to saturate the network completely with infectious packets, creating a huge red flag, possibly causing massive denial-of-service on networks with infected machines connected.

    It was a case study of experimental peak potential infection times for a known patched hole. An upper limit if you will. One would note that the AV companies were the ones collecting the data in this experiment, and the professionalism and sheer to-the-point nature of the code points, in my view, towards one of them.

    It was either a real-world research experiment and/or it was the antivirus companies just blagging for massive PR, but it was not a bored little kid. Most bored little kids don't code that tight these days, and they really don't tend to design that well. And the bored little kids that do code worms that tight... well we just hope they grow up before they release their projects.

    Slammer is chickenfeed next to a flash worm that uses all of the sneaky techniques above. Slammer is irritating, but it does serve a useful purpose - you know when you've got a machine vulnerable to that exploit on the network, because when you plug it into the network, the network stops. (Even today, note that it still only takes one packet, and one infected host on a cable modem could go through the whole net in a week. Fancy your chances?)

    Get infected with something like the Curious Yellow paper describes (only smarter because that paper was frankly, a bit shite) and you have a very serious problem...

    By the way, for any worm authors out there, now is the perfect time to strike. There is a known vulnerability in the super

  116. Another nail in the anti-virus coffin by gilgongo · · Score: 2, Insightful

    Ever since explorezip (the worm before that I Love You thing) appeared and wiped out most of our office network, I have thought that the whole anti-virus industry was on the back foot.

    At work we all have this little anti-virus icon in our task bars, updating virus libraries from a central server (and slowing down all our machines as well). But if a new Outlook worm came out and we all started opening it, the anti-virus software would just ignore it until the patch came out. Even if the gap between us getting the worm and the patch was a few seconds, the damage would be done.

    So why are we paying thousands of bucks a year for anti-virus when we know it probably will do nothing? Sure, it catches the occasional tired Word macro and maybe an antique trojan on an old floppy, but is that worth it?

    Hmm.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  117. Re:Oh no! Shut the Interweb off! by ConceptJunkie · · Score: 1

    Pong wasn't software... it was implemented in hardware.

    The Pong machine had no CPU.

    --
    You are in a maze of twisty little passages, all alike.
  118. Re:Oh no! Shut the Interweb off! by ConceptJunkie · · Score: 1

    Pong wasn't software... it was implemented in hardware.

    The Pong machine had no CPU.

    In all seriousness though, the idea "flawless software" only has meaning when we are talking about non-trivial software. Pong, or Tic-tac-toe, or Nim, etc are trivial.

    Of course, in Microsoft's case, calling memcpy( ) must count as non-trivial software since they seem to screw it up so much.

    (Sorry for the double post...)

    --
    You are in a maze of twisty little passages, all alike.
  119. Re:Oh no! Shut the Interweb off! by Smoovious · · Score: 1

    Well... blocking files like .zip and .tar and other archive files aren't quite the danger you make them out to be, themselves not being carriers... the worst that could happen opening up one of those files is to launch the archive program to check out what's inside, but merely opening those files won't infect you...

    As far as .exe files go however, those should be blocked. At the very least, you should have to confirm whether or not to allow that file to come through.

    If one needs to send an exe file to someone else, it should be packaged in a zip or other archive if for no other reason than to prevent the program from running accidentally.

    I'm not so suspicious of exe files sent to me inside archives. I can toss the archive around, open it and close it at will and not worry about an accidental infection before I can get around to scanning the contents for virii. An exe file, however, all it takes is a little keybounce on a mouse button at the wrong moment, and it's too late.

    BAT, VBS, EXE, COM files are all executables and should be treated with suspicion...
    ZIP, ZOO, LHA, TAR, CAB, RAR files are all archive files and, by themselves, aren't dangerous... it is the files contained within that may or may not be dangerous, but you don't have to worry about them as much, since being within an archive, the risk of accidental execution just isn't there.

    The differences are in how the files are treated... for example, a GIF, JPG, BMP, WAV or AVI file isn't dangerous... even if someone embedded a virus code within those files, those types are never executed so any virus code within is inert. At most, the program reading those files will report an error in the file. The same goes with ZIP, LHA, ZOO, CAB and RAR files.

    --
    Cogito cogito, ergo cogito sum, cogito.
  120. That's just beautiful. by DesertFalcon · · Score: 1

    I think I'm going to cry, it's so lovely. Why don't people who can write this kind of stuff apply themselves to other things?

    --
    --- 11 meters/second, or 24 miles per hour - the airspeed velocity of an unladen European swallow. Really.
  121. Re:Oh no! Shut the Interweb off! by knobmaker · · Score: 1
    Fatuous argument. Nuke the server. No machine can survive a direct nuking therefore no software can be secure.

    Did you mean to say "Fatuous argument:" (Note the colon.) I would have to say that a well-nuked server would be extremely secure. Certainly the data on that server would never be used for any malicious purpose.

  122. Palladium/TCPA approach by Anonymous Coward · · Score: 0

    No, this simply won't work.

    1) You can still execute unsigned code, the system is then just going to "compromised mode" and some crypto stuff is turned off (like the encrypted parts of your hard drive where media is stored)

    2) If you want to run code not signed by Micro$oft like the "evil" Kazaa-lite, as promised possible there will just be a box appearing like the "this word document might contain macro viruses - run anyways?"-box, that morons will click away with "yes" anyways.

  123. Re:Oh no! Shut the Interweb off! by plover · · Score: 1
    My employer not only deletes EXE, DLL, OCX, BAT, VBS, PIF, etc., but also deletes them from within any ZIP attachments.

    While it sounds draconian, it's not even much of a problem. If someone needs to send executables, we already know in advance, and so we rename the ZIP to a ZAP or somesuch and it goes through just fine. For the bigger stuff, we just dump it on an FTP server somewhere and exchange it that way (bigger than a few hundred K doesn't belong in email anyway.)

    When I first heard about it I thought it would be much more of a problem. It wasn't. It's actually quite nice, because I don't even see most of the crap worms, etc. I just wish they'd block more of the stuff from within DOC files, such as blocking any Office documents that have scripts or macros in them. (I've only had one resume show up that had a macro virus, but it was old and my antivirus software patched it.)

    --
    John
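    The attachment policy plover describes (drop EXE, DLL, OCX, BAT, VBS, PIF outright, and also drop them from inside ZIP attachments) and Smoovious's executable-versus-archive distinction in comment 119 can both be shown with a small gateway-side check. The code below is an added example written for this page, not anything from plover's employer or from a real mail gateway: the extension lists are taken from the two comments, the ZIP-only archive handling, the nesting and size limits, the `!/` path separator for members and the sample archive are my own assumptions. It opens a ZIP in memory, walks its members case-insensitively, recurses into nested ZIPs up to a fixed depth, and reports every member that hits the blocked list.

```python
"""Attachment check modelled on the mail policy described in the comments above (added example)."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the comments treat as executables to be dropped (matched case-insensitively).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".ocx", ".bat", ".vbs", ".pif", ".com"}
# Containers the check looks inside. Assumption: only ZIP is inspected in this example.
ARCHIVE_EXTENSIONS = {".zip"}
MAX_NESTING = 3                         # assumption: stop recursing into zip-in-zip-in-zip...
MAX_MEMBER_BYTES = 10 * 1024 * 1024     # assumption: do not inflate huge nested archives


def _suffix(name):
    """Lower-cased extension of a member name; backslashes are normalised so 'a\\B.EXE' works too."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()


def find_blocked_members(data, depth=0, prefix=""):
    """Return the paths of all members (including inside nested zips) that hit the blocked list."""
    if depth > MAX_NESTING:
        return [prefix + "<nesting limit exceeded>"]
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = prefix + info.filename
                ext = _suffix(info.filename)
                if ext in BLOCKED_EXTENSIONS:
                    hits.append(path)
                elif ext in ARCHIVE_EXTENSIONS:
                    if info.file_size > MAX_MEMBER_BYTES:
                        hits.append(path + " <too large to inspect>")
                        continue
                    hits.extend(find_blocked_members(zf.read(info), depth + 1, path + "!/"))
    except zipfile.BadZipFile:
        hits.append(prefix + "<not a valid zip>")
    return hits


def attachment_verdict(filename, data):
    """Top-level extension check first; if the attachment is a ZIP, check its contents as well."""
    ext = _suffix(filename)
    if ext in BLOCKED_EXTENSIONS:
        return ("reject", [filename])
    if ext in ARCHIVE_EXTENSIONS:
        hits = find_blocked_members(data, prefix=filename + "!/")
        return ("reject", hits) if hits else ("accept", [])
    return ("accept", [])


def build_sample_zip():
    """Constructed sample: a harmless text file, an upper-case EXE in a folder, and a nested zip holding a VBS."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("macro.VBS", "' constructed placeholder text, not a script")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("tools/SETUP.EXE", "constructed stand-in, not a real binary")
        z.writestr("bundle.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    verdict, hits = attachment_verdict("files.zip", build_sample_zip())
    print(verdict, hits)
```

    Note that the check keys purely on the file name, which is exactly why renaming a ZIP to ZAP (the workaround plover describes) sails through: `attachment_verdict("files.zap", ...)` accepts the same bytes it would reject as `files.zip`. A gateway that wants to close that gap has to sniff the container format instead of trusting the extension; the nesting and size limits are there so that a deliberately deep or oversized archive cannot tie up the scanner.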