Worms Going Further, Faster

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix login; passes along a few distilled factiods from a CAIDA analysis of the 'Sappire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"

Oh no! Shut the Interweb off!

[ObviousGuy]

There's a lot that can't be done about these things because at the very bottom of every system is a human being who will forget to patch the system or stupidly open an executable.

There is no patch for human carelessness.

Why do delinquents bother?

[Sheetrock]

Where it is the point in this matter nowadays? It really took talent to write malware in the old days, what with having to be able to get the virus in the executables and boot sectors of floppy disks, but now everything looks like a work of the VBScript cut-and-paste. Why is it so hard to find the author of these programs?

Re:Why do delinquents bother?

[aphor]

Why is it so hard to find the author of these programs?

Because there are so many no-talent hacks out there who *could* have written that lump of nasty crap.

In the beginning days, on the Apple ][ computers in my grade-school, we learned to guess our way through cracking floppy-disk copy-protected games by comparing a cracked game and a pristine byte-by-byte copy of the original. We eventually learned that a certain byte word combination was the first hardware keyboard access, and we could guess that spot was a good place to stick a jump. Then we tried a few addresses until it worked. In grade school.

Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

What really grabbed me was how a really good (insidious) virus could have such a low footprint that it could go undetected for so long. The programmers of those viruses were gifted binary ecologists. I knew then that the games I played were bloated when one year the game took one disk, and the second year you had to swap two disks even though there was little extra play for all the extra data. I envied the virus programmers for their wizardly and miserly command of the machine's meager resources. I even dreamt of the day that I could crank one out like putting together a jigsaw puzzle.

Now I am older, and the opportunity for that conquest was stolen by Moore's Law. The games (and all software in general) got bloatier and bloatier. There was so much waste, and the machines got so fast so fast, that I saw clever programming die. I was sad. It wasn't until (after I bought a student copy of Borland C++ and was stultified by the massive bloat of win16 API) that I became acquainted with Unix (FreeBSD in particular) around 1.2.1 vintage. I rediscovered elegant software.

Now, I understand the vulgar joy in duping someone else, but only a jackass gets off duping people who compare to invertibrates on an intellectual scale. VB worms are the modern-day equivalent of burning ants with a magnifying glass. "Letth thaw off hith tweeter Beavith! Hehehehehe Heheheheh..."

Re:Why do delinquents bother?

[Read+Icculus]

Well for the worm I got, I blame myself for not knowing about CR, or the patch, my ISP for being dipshits and being down for over a day, and the guy/guys who wrote it. However I can see how people might blame MS for writing some buggy pieces of software that in turn were at least partially to blame for them getting said worms. As I recall even MS's developers caught the slammer worm, (that's the SQL one?). BTW I just mentioned "folks like MS", in my post as I think that since they are a corporation they are swayed by public opinion/outrage that comes with each new worm/virus, as they want to make money, and people want to buy a more secure product. So my comment makes more sense with them as an example. But if you prefer "folks who sell software", will also work. Most linux developers I know couldn't about public opinion and try to write the most secure code that they can. I'm sure they sit up and take notice when the worms/viruses are being talked about on CNN, however I also think that they tend to hear about the exploits and whatnot that the general public doesn't hear about/couldn't give a rat's ass about and try and fix those too. MS on the other hand might not care about fixing something if it's not worth the $ to fix and if the general public doesn't care about it, or doesn't even know it exists.

Re:Why do delinquents bother?

[b1t+r0t]

Actually 'the Sapphire Worm' was just 376 bytes long. Not much extra code in that assembly program to track an author by.

Not much room for extra code in a program that has to fit in a single UDP packet.

UDP all the way!

[Gothmolly]

The nice part about Slammer is that it could just spew data - if it hit you, and you were vulnerable, you were infected. It didn't require any complicated TCP sessions, was MUCH nicer on host resources, and the entire hack fit inside a single packet. Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.

Re:Oh no! Shut the Interweb off!

[laigle]

It's not even just that now. The latest rendition of Bugbear would send out an infected file named after a file on the computer it was sending from. I imagine the next generation mailers will check send records, or even incorporate spyware code, and mail themselves out using names of files the user sent recently, or selectively infect shared files to get loose on the network. For computers to be useful you have to have some level of trust, and as worms become smarter they can more easily exploit that fact.

We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.

Cross-platform not necessary?

[univgeek]

For a world-wide problem with worms, cross-platform worms are not required - just a simultaneous release of single platform worms. The spreading algo would be common, the payload and infection mechanism platform specific.

One for windows, one for linux, one for routers/switches...

Imagine the impact. Would the internet survive?

The only things preventing this might be the fact that no single person has the required experience in all the platforms, and vulnerabilities in non-windows OS's are typically more difficult to exploit.

Re:Cross-platform not necessary?

[gregfortune]

Oh, come on. From the quality of code we've seen in the recent "big" worms, any idiot with a little spare time can write a reasonably effective worm. We're lucky that no one really talented has had a motive for writing a really nasty worm (read cross-platform and well written with a huge number of attack vectors and a deadly payload).

Write a Windows worm?
Sure, watch the security bulletins from MS and associated companies and include a few exploits in your worm. You know we won't run out of people who haven't patched yet.

Write a Linux worm?
Sure... See above? It's the same.... There are platform differences as far as library calls, hooking into e-mail, etc, but a little time would solve that easily.

Write a .... worm?
Umm. See above? Just wash, rinse, repeat... All we're talking about is a little time.

Seriously, I'm waiting for someone slightly talented to get pissed off at technology in general. That will be the day people running automatic daily updates on (pick your platform) will be happy they've got a patched system and banging their head against the wall 'cause their ISP didn't.

Re:Oh no! Shut the Interweb off!

[ObviousGuy]

We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.

Harsher punishments for virus writers?

Better system recovery process?

Problems

[cfreeze]

One problem with saying that Slammer or any "flash worm" is that bandwidth and current infastructure isn't taken into account. Any worm taking on activity levels (as seen by how the whole Internet seemed to slow down) of this magnitude tend to self contain themselves at local router or node bottlenecks. As links go to fiber this won't hold, but atleast for now it does.

Re:No worms for me, please!

[dfj225]

I would imagine that worms and other viruses are not really a problem to most Windows users that you would find on this site. I know that a vast majority of the viruses are spread using holes in Outlook, which is probably unpopular with this crowd. Also, people here know enough that you really need a virus scanner for full protection. I use Windows XP, and haven't had a virus yet. I also use Mozilla mail instead of outlook.

Re:No worms for me, please!

[SweetAndSourJesus]

If Slammer or it's ilk takes your subnet down, it doesn't matter if you're using a C64, you're getting hosed.

I use a Mac, too, but I have no illusion of immunity.

Re:No worms for me, please!

[PhoenixFlare]

Oh please...

The installed base of Macs is so small compared to Windows PCs, there's no reason to write worms that affect Apple machines.

You can bet your ass that if Macs were as ubiqutous as x86 machines, they'd be getting slammed with worms too....That cocky attitude gets really grating.

Doomsday in a good way?

[maliabu]

in THE Doomsday, those who don't believe will be wiped out.

so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.

Re:But there aren't 3 billion systems.

[HornyBastard77]

What kind of a statistic is that?

The same kind that,when you are driving, lets you know in one glance how many miles per hour you will cover if you stay at your current speed.

Seems pretty informative to me.

There is no such thing as cyberterrorism

[DmitriA]

Schneier raises some good points regarding this issue in this month's Crypto-Gram.

In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability. We simply don't understand the interactions well enough to predict which kinds of attacks could cause catastrophic results, and terrorist organizations don't have that sort of knowledge either -- even if they tried to hire experts. ...

Despite our predilection for calling anything "terrorism," these attacks are not. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That causes annoyance and irritation, not terror.

This is a difficult message for some, because these days anyone who causes widespread damage is being given the label "terrorist." But imagine for a minute the leadership of al Qaeda sitting in a cave somewhere, plotting the next move in their jihad against the United States. One of the leaders jumps up and exclaims: "I have an idea! We'll disable their e-mail...." Conventional terrorism -- driving a truckful of explosives into a nuclear power plant, for example -- is still easier and much more effective.

Re:There is no such thing as cyberterrorism

[sn00ker]

In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability.

Now, was it not the case that it was the network load, rather than the worm, that caused these problems?
It was contemporary knowledge that ATMs use(d?) dedicated networks, primarily to protect against intrusion. If ATM traffic is now being routed across the 'net, VPN'd or not, the possibilities are endless.

As for "cyber terrorism" being a bullshit term, not entirely. Fine, loss of ATMs or e-mail won't panic most people (unless you're in the middle of a multi-billion-dollar, must-happen-now deal that's being conducted through e-mail), but you can do things through the 'net that will result in public disorder. A coordinated effort to modify the sites of all major news organisations could easily start a mass panic if the "right" message was presented - Even more so if web radio broadcasts were also tampered with to back the news sites.

Re:There is no such thing as cyberterrorism

[Duckling]

And from this, it is obvious that Schneier seems to have a much more rational view on the matter. Kolstad is simply way off the mark.

Why?
Well, simply because his "mental exercise" presents a bunch of worst case scenarios, but not a single piece of evidence or fact that shows how or when we would ever come into these situations.

The way it is presented, it looks more like unfounded paranoia than a sound analysis. He's repeatedly saying: what if is down for a week (or weeks)?
What makes him think they will be, even if hit by a serious attack?
Is he making the assumption that a more advanced worm would hit the Net with the initial force and speed of Slammer? Has he forgotten that Slammer effectively strangled itself?
Also, he seems to ignore the fact that infrastructure providers (comms, water, electricity etc.) have been prepared for most kinds of disasters since the dawn of time, including computer system failures.

However much the geeks of the world would like to think so, the world does not revolve around computers, and won't end without them.

Re:Oh no! Shut the Interweb off!

[The+Dark]

I think the root issue is the assholes who write the viruses in the first place, slack OS's and users just make their life easier.

Re:Oh no! Shut the Interweb off!

[KrispyKringle]

Your assumption is that true security is a theoretical impossibility. On what grounds?

I agree that it's not safe to rely on humans to keep systems patched. But, for one, if most systems are kept patched, a worm like SLAMMER would be useless. This is an obvious point you neglect, but not an interesting one.

More interesting, I think, is the debate over whether there is such a thing theoretically possible as a secure architecture. This is, of course, the idea behind "secure" systems designed to be so from the ground up, such as Palladium. Ethernet, TCP/IP, ARP, and most of the other protocols which make up the 'Net were not designed with security in mind from the bottom up, but rather designed for effectiveness, ease of implementation, and the like. For example, why do Ethernet cards allow promiscuous mode? It makes diagnosing certain problems easier, but it also represents a very big opportunity for all sorts of security vulnerabilities. Or why can MAC addresses be changed so easily? This represents an easy opportunity for mischeif.

But had the entire architecture of the 'Net been designed for security and accountability rather than ease of access and openness from the start (granted, two often-conflicting ideals), would absolute security be possible?

Many say that security is never truly possible without unplugging the computer from the 'Net, turning it off, and embedding it in concrete. This may be exaggeration, but of course it is quite difficult to prove something secure; RSA has not be proven secure, public-key cryptography has not been proven secure, and I don't really see how you could prove any other system secure, either.

This may not be necessary, however. We may not know for certain that RSA is secure, but we assume that the NSA does not know how to factor such large numbers any better than the rest of us, and we assume it to be secure (and such an assumption does appear valid). If enough evidence exists to assume a system to be "practically secure," that is enough for implementaiton.

I have no answers to these questions. But I think to assume such a problem is unanswerable is silly and is itself merely a non-answer. Security may not be an easy goal, but it may be acheivable. At least in some forms, this is clearly the case; it would quite evidently be possible to stop some sorts of attacks, like SLAMMER, in the future, even if theoretical, absolute, security remains un-obtainable.

Re:Oh no! Shut the Interweb off!

[Beryllium+Sphere(tm)]

If we're talking about ultra-fast worms in particular, only the first problem matters. A piece of malware that depends on users getting to their email is going to talke longer than 15 minutes to spread.

We could still be vulnerable even if everyone patched their systems, if someone writes the exploit before the patch comes out.

Scary stuff.

Re:Oh no! Shut the Interweb off!

[ecalkin]

i would vote for a slowing down the release cycle of software products. with the idea of 'new versions' every 18 months becoming common, it seems that there is more writing of code than debugging/optimizing.

and i've said this before, certain software companies have not been very good about training administrators about patching, etc.

eric

Re:Oh no! Shut the Interweb off!

[knobmaker]

Your assumption is that true security is a theoretical impossibility. On what grounds?

Not to speak for the previous poster, but that's a pretty good assumption. No technological advance has ever succeeded in remaining secure for long.

(Example: plate armor probably seemed impregnable in practical terms, until the longbow came along. Yeah, okay, a stinking peasant could hamstring a warhorse and beat the knight to death with a rock while he lay helpless on the ground, but these possibilities were probably ignored with the same superstitious enthusiasm that sysadmins ignore the rarer kinds of attacks on their systems.)

I would think that the burden of proof falls on those who maintain that "true security" is attainable. And the minute you propose some system to guarantee that true security, some clever person will come along and propose a way to get around it.

Anyone designing a critical security system should probably start off with the assumption that security will eventually be breached, and make damn sure that when the breach occurs, catastrophe does not result.

Re:Oh no! Shut the Interweb off!

[Gordo_1]

Actually, this is exactly where a portion of the security community is currently focusing. With a deep enough level of protocol understanding, it's often possible to write generalized algorithms that detect (and presumably block) novel attempts to exploit a known vulnerability. For example, in the case of SQL Slammer, the buffer overflow vulnerability disclosure came many months before the worm hit, and at least a couple intrusion detection vendors were able to positively identify the exploit attempt without requiring an update -- one of the keys to protection against such a rapidly propagating worm.

Re:Oh no! Shut the Interweb off!

[GigsVT]

I'm no historian, but I bet plate armor was more for intimidation factor than anything else.

I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.

I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.

Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change. :)

Re:Oh no! Shut the Interweb off!

[KrispyKringle]

I'm not sure I'd agree with that assessment. With the shiny knights metaphor, anyone, regardless of education or background (or military experience, in this example) is intimidated simply on a gut level. But with computer security, if you are ignorant, you aren't indimidated by the latest firewall or the highest-encryption VPN. And if you know enough to be a threat, you know enough to know what armor works and what doesn't. Unlike your metaphor with medieval knights, the actual conflict is combat, and the defenses are secondary. With computer security, the conflict is the armor; anyone who is a "soldier" is also an armorer who knows what is strong and what is weak.

Name a security measure that is mere intimidation. Name a measure that has no added value and is just shiny armor. (This does, admittedly, apply to local security measures using biometrics; thumbprint scanners are less secure, at least on the consumer-grade, and just cooler looking, but I don't think it applies quite the same way to real network security measures.)

Your point is well-taken, that companies have no incentive to sell something that works above and beyond selling what sells, but it neglects that the two generally do go together and the leaders in the field tend to have true committment to security.

Re:No worms for me, please!

[sgifford]

Antivirus software is for people who, from time to time, make a mistake. Like mis-clicking on an attachment at 3am, or misreading a file type and running an unsafe file.

Antivirus software is for people who run software that has bugs in it. You mentioned you are using Windows...

Antivirus software is for people who believe in Security In Depth, a school of thought which says that you should use multiple layers of security, so that if one fails you aren't screwed.

Antivirus software is for people whose data is worth more than $50 (or $20 after rebate).

Re:Oh no! Shut the Interweb off!

[RzUpAnmsCwrds]

"on the network. For computers to be useful you have to have some level of trust"

This is what Palladium is all about. Executable code is signed, and it can only run if you choose to trust the publisher. Viruses are less of a problem because an infected file will fail signiture verification.

Microsoft may be misguided with Palladium and the DRM goodies that it includes, but the underlying concept of trusted and untrusted code is a good one.

Might I add, however, that the same thing can be done without the complete hardware implementation of Microsoft's product. A simple signed executable system would do the trick. Microsoft already uses this for ActiveX controls.

Re:Oh no! Shut the Interweb off

[zoward]

Although Palladium may help with some worms, since Outlook Express is a "trusted application" (at least by Palladium...), those .vbs scripts will be run as trusted apps; this will allow better than half of the viruses currently circulating to continue to do so.

It's almost amusing to read my mail in kmail with HTML rendering turned off, and look over the attached scripts that arrive in my mailbox now and then. It makes me feel like an entomologist looking though a magnifying glass at a venomous spider pinned to a corkboard.

Re:Oh no! Shut the Interweb off!

[Mark+Bainter]

An excellent point. Worse, users aren't exactly careful about who they trust when it comes to computers.

Scenario:

• User opens email
• User clicks attachment
• Window pops up: <blink>WARNING<>
  This code has not been signed (or is signed by an unknown publisher) Click OK in this box could transmit a virus, destroy your hard drive, subvert your nations economy, summon flesh eating aliens and damn us all to eternal hell.
• User clicks Ok

Yes, checking signatures on code you execute is a good thing, but there are specifics to be concerned about in an implementation. How to you guarantee the signature? Obviously, some sort of authentication, and method of checking the signiture against, perhaps, a public key is needed. And to handle that you need a web of trust that's workable. But none of that matters a whit if users aren't careful about the trust, and don't investigate. Nor is it worth a darn if they ignore warnings. These problems (aka user education, and poorly designed secure systems) have to be taken care of before any of this will be useful.

Re:Oh no! Shut the Interweb off!

[ScuzzMonkey]

Well, but it is the fault of the criminals. It's very sad that most of us live in societies where your point seems to implicitly make some sort of sense, but no one should lose sight of the fact that there is really no one to blame for this but the instigator. Because another parallel that works, unfortunately, is:

"You got raped because you were showing a little leg and walking down a dark street?"

You can dress more conservatively and only walk down lit streets, but by refusing to address the root issue, you give up some of your freedoms. Same thing here; there are a lot of neat, open things that we should be able to do with computers to make our lives easier without having to give in to the criminals who write these things. The parent post you are replying to has a good point--we shouldn't be putting more effort into locking ourselves down than we are in to finding and dealing with the offenders.

Re:No worms for me, please!

[sgifford]

Antivirus software is for people who, from time to time, make a mistake. Like mis-clicking on an attachment at 3am, or misreading a file type and running an unsafe file.

Well, I guess it's harder for you then it is for me. You look at the sender, you look at the subject and body, and you look at the attachment. Then, your freaking mail client asks you, "Are you sure you want to open this?" IF you know what to watch out for, those should be plenty of "last chances".

I'm not saying I do this; I don't even run Windows or use a mail client that supports HTML. I'm pretty sure I've never received a virus that would run on my OS. I'm just saying a reasonable, smart, and prudent person should still plan for this, because it will happen someday.

Antivirus software is for people who believe in Security In Depth, a school of thought which says that you should use multiple layers of security, so that if one fails you aren't screwed.

Well, so is encrypting your filesystem, having a locking screensaver, unplugging your network cable when idle, etc. Obviously another layer is a good thing. But at what point do you decide that it's not worth the money or slowdown to take that extra step. And yes, scanning for 50,000 (and growing) data patterns every time you open a file WILL slow your system down.

At the point where it costs more than $50 ($20 after rebate) or where the cumulative slowdown is greater than the odds of getting a virus times the time it would take to recover from it. Many people's work (mine included) is close enough to irreplacable that the time-to-recover tends towards infinity, making the virus software a pretty obvious choice.

I guess the difference of opinion that we have is that you believe it's extremely unlikely that you will someday make a mistake, whereas I believe it's nearly certain that all of us make mistakes every day.

Another nail in the anti-virus coffin

[gilgongo]

Ever since explorezip (the worm before that I Love You thing) appeared and wiped out most of our office network, I have thought that the whole anti-virus industry was on the back foot.

At work we all have this little anti-virus icon in our task bars, updating virus libraries from a central server (and slowing down all our machines as well). But if a new Outlook worm came out and we all started opening it, the anti-virus software would just ignore it until the patch came out. Even if the gap between us getting the worm and the patch was a few seconds, the damage would be done.

So why are we paying thousands of bucks a year for anti-virus when we know it probably will do nothing? Sure, it catches the occasional tired Word macro and maybe an antique trojan on an old floppy, but is that worth it?

Hmm.