Worms Going Further, Faster

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix login; passes along a few distilled factiods from a CAIDA analysis of the 'Sappire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"

Oh no! Shut the Interweb off!

[ObviousGuy]

There's a lot that can't be done about these things because at the very bottom of every system is a human being who will forget to patch the system or stupidly open an executable.

There is no patch for human carelessness.

Why do delinquents bother?

[Sheetrock]

Where it is the point in this matter nowadays? It really took talent to write malware in the old days, what with having to be able to get the virus in the executables and boot sectors of floppy disks, but now everything looks like a work of the VBScript cut-and-paste. Why is it so hard to find the author of these programs?

Re:Why do delinquents bother?

[aphor]

Why is it so hard to find the author of these programs?

Because there are so many no-talent hacks out there who *could* have written that lump of nasty crap.

In the beginning days, on the Apple ][ computers in my grade-school, we learned to guess our way through cracking floppy-disk copy-protected games by comparing a cracked game and a pristine byte-by-byte copy of the original. We eventually learned that a certain byte word combination was the first hardware keyboard access, and we could guess that spot was a good place to stick a jump. Then we tried a few addresses until it worked. In grade school.

Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

What really grabbed me was how a really good (insidious) virus could have such a low footprint that it could go undetected for so long. The programmers of those viruses were gifted binary ecologists. I knew then that the games I played were bloated when one year the game took one disk, and the second year you had to swap two disks even though there was little extra play for all the extra data. I envied the virus programmers for their wizardly and miserly command of the machine's meager resources. I even dreamt of the day that I could crank one out like putting together a jigsaw puzzle.

Now I am older, and the opportunity for that conquest was stolen by Moore's Law. The games (and all software in general) got bloatier and bloatier. There was so much waste, and the machines got so fast so fast, that I saw clever programming die. I was sad. It wasn't until (after I bought a student copy of Borland C++ and was stultified by the massive bloat of win16 API) that I became acquainted with Unix (FreeBSD in particular) around 1.2.1 vintage. I rediscovered elegant software.

Now, I understand the vulgar joy in duping someone else, but only a jackass gets off duping people who compare to invertibrates on an intellectual scale. VB worms are the modern-day equivalent of burning ants with a magnifying glass. "Letth thaw off hith tweeter Beavith! Hehehehehe Heheheheh..."

UDP all the way!

[Gothmolly]

The nice part about Slammer is that it could just spew data - if it hit you, and you were vulnerable, you were infected. It didn't require any complicated TCP sessions, was MUCH nicer on host resources, and the entire hack fit inside a single packet. Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.

Re:Oh no! Shut the Interweb off!

[laigle]

It's not even just that now. The latest rendition of Bugbear would send out an infected file named after a file on the computer it was sending from. I imagine the next generation mailers will check send records, or even incorporate spyware code, and mail themselves out using names of files the user sent recently, or selectively infect shared files to get loose on the network. For computers to be useful you have to have some level of trust, and as worms become smarter they can more easily exploit that fact.

We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.

Cross-platform not necessary?

[univgeek]

For a world-wide problem with worms, cross-platform worms are not required - just a simultaneous release of single platform worms. The spreading algo would be common, the payload and infection mechanism platform specific.

One for windows, one for linux, one for routers/switches...

Imagine the impact. Would the internet survive?

The only things preventing this might be the fact that no single person has the required experience in all the platforms, and vulnerabilities in non-windows OS's are typically more difficult to exploit.

Re:Cross-platform not necessary?

[gregfortune]

Oh, come on. From the quality of code we've seen in the recent "big" worms, any idiot with a little spare time can write a reasonably effective worm. We're lucky that no one really talented has had a motive for writing a really nasty worm (read cross-platform and well written with a huge number of attack vectors and a deadly payload).

Write a Windows worm?
Sure, watch the security bulletins from MS and associated companies and include a few exploits in your worm. You know we won't run out of people who haven't patched yet.

Write a Linux worm?
Sure... See above? It's the same.... There are platform differences as far as library calls, hooking into e-mail, etc, but a little time would solve that easily.

Write a .... worm?
Umm. See above? Just wash, rinse, repeat... All we're talking about is a little time.

Seriously, I'm waiting for someone slightly talented to get pissed off at technology in general. That will be the day people running automatic daily updates on (pick your platform) will be happy they've got a patched system and banging their head against the wall 'cause their ISP didn't.

Problems

[cfreeze]

One problem with saying that Slammer or any "flash worm" is that bandwidth and current infastructure isn't taken into account. Any worm taking on activity levels (as seen by how the whole Internet seemed to slow down) of this magnitude tend to self contain themselves at local router or node bottlenecks. As links go to fiber this won't hold, but atleast for now it does.

Re:No worms for me, please!

[dfj225]

I would imagine that worms and other viruses are not really a problem to most Windows users that you would find on this site. I know that a vast majority of the viruses are spread using holes in Outlook, which is probably unpopular with this crowd. Also, people here know enough that you really need a virus scanner for full protection. I use Windows XP, and haven't had a virus yet. I also use Mozilla mail instead of outlook.

Re:No worms for me, please!

[PhoenixFlare]

Oh please...

The installed base of Macs is so small compared to Windows PCs, there's no reason to write worms that affect Apple machines.

You can bet your ass that if Macs were as ubiqutous as x86 machines, they'd be getting slammed with worms too....That cocky attitude gets really grating.

Doomsday in a good way?

[maliabu]

in THE Doomsday, those who don't believe will be wiped out.

so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.

There is no such thing as cyberterrorism

[DmitriA]

Schneier raises some good points regarding this issue in this month's Crypto-Gram.

In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability. We simply don't understand the interactions well enough to predict which kinds of attacks could cause catastrophic results, and terrorist organizations don't have that sort of knowledge either -- even if they tried to hire experts. ...

Despite our predilection for calling anything "terrorism," these attacks are not. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That causes annoyance and irritation, not terror.

This is a difficult message for some, because these days anyone who causes widespread damage is being given the label "terrorist." But imagine for a minute the leadership of al Qaeda sitting in a cave somewhere, plotting the next move in their jihad against the United States. One of the leaders jumps up and exclaims: "I have an idea! We'll disable their e-mail...." Conventional terrorism -- driving a truckful of explosives into a nuclear power plant, for example -- is still easier and much more effective.

Re:There is no such thing as cyberterrorism

[sn00ker]

In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability.

Now, was it not the case that it was the network load, rather than the worm, that caused these problems?
It was contemporary knowledge that ATMs use(d?) dedicated networks, primarily to protect against intrusion. If ATM traffic is now being routed across the 'net, VPN'd or not, the possibilities are endless.

As for "cyber terrorism" being a bullshit term, not entirely. Fine, loss of ATMs or e-mail won't panic most people (unless you're in the middle of a multi-billion-dollar, must-happen-now deal that's being conducted through e-mail), but you can do things through the 'net that will result in public disorder. A coordinated effort to modify the sites of all major news organisations could easily start a mass panic if the "right" message was presented - Even more so if web radio broadcasts were also tampered with to back the news sites.

Re:Oh no! Shut the Interweb off!

[KrispyKringle]

Your assumption is that true security is a theoretical impossibility. On what grounds?

I agree that it's not safe to rely on humans to keep systems patched. But, for one, if most systems are kept patched, a worm like SLAMMER would be useless. This is an obvious point you neglect, but not an interesting one.

More interesting, I think, is the debate over whether there is such a thing theoretically possible as a secure architecture. This is, of course, the idea behind "secure" systems designed to be so from the ground up, such as Palladium. Ethernet, TCP/IP, ARP, and most of the other protocols which make up the 'Net were not designed with security in mind from the bottom up, but rather designed for effectiveness, ease of implementation, and the like. For example, why do Ethernet cards allow promiscuous mode? It makes diagnosing certain problems easier, but it also represents a very big opportunity for all sorts of security vulnerabilities. Or why can MAC addresses be changed so easily? This represents an easy opportunity for mischeif.

But had the entire architecture of the 'Net been designed for security and accountability rather than ease of access and openness from the start (granted, two often-conflicting ideals), would absolute security be possible?

Many say that security is never truly possible without unplugging the computer from the 'Net, turning it off, and embedding it in concrete. This may be exaggeration, but of course it is quite difficult to prove something secure; RSA has not be proven secure, public-key cryptography has not been proven secure, and I don't really see how you could prove any other system secure, either.

This may not be necessary, however. We may not know for certain that RSA is secure, but we assume that the NSA does not know how to factor such large numbers any better than the rest of us, and we assume it to be secure (and such an assumption does appear valid). If enough evidence exists to assume a system to be "practically secure," that is enough for implementaiton.

I have no answers to these questions. But I think to assume such a problem is unanswerable is silly and is itself merely a non-answer. Security may not be an easy goal, but it may be acheivable. At least in some forms, this is clearly the case; it would quite evidently be possible to stop some sorts of attacks, like SLAMMER, in the future, even if theoretical, absolute, security remains un-obtainable.

Re:Oh no! Shut the Interweb off!

[knobmaker]

Your assumption is that true security is a theoretical impossibility. On what grounds?

Not to speak for the previous poster, but that's a pretty good assumption. No technological advance has ever succeeded in remaining secure for long.

(Example: plate armor probably seemed impregnable in practical terms, until the longbow came along. Yeah, okay, a stinking peasant could hamstring a warhorse and beat the knight to death with a rock while he lay helpless on the ground, but these possibilities were probably ignored with the same superstitious enthusiasm that sysadmins ignore the rarer kinds of attacks on their systems.)

I would think that the burden of proof falls on those who maintain that "true security" is attainable. And the minute you propose some system to guarantee that true security, some clever person will come along and propose a way to get around it.

Anyone designing a critical security system should probably start off with the assumption that security will eventually be breached, and make damn sure that when the breach occurs, catastrophe does not result.

Re:Oh no! Shut the Interweb off!

[Gordo_1]

Actually, this is exactly where a portion of the security community is currently focusing. With a deep enough level of protocol understanding, it's often possible to write generalized algorithms that detect (and presumably block) novel attempts to exploit a known vulnerability. For example, in the case of SQL Slammer, the buffer overflow vulnerability disclosure came many months before the worm hit, and at least a couple intrusion detection vendors were able to positively identify the exploit attempt without requiring an update -- one of the keys to protection against such a rapidly propagating worm.

Re:Oh no! Shut the Interweb off!

[GigsVT]

I'm no historian, but I bet plate armor was more for intimidation factor than anything else.

I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.

I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.

Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change. :)

Re:Oh no! Shut the Interweb off!

[Mark+Bainter]

An excellent point. Worse, users aren't exactly careful about who they trust when it comes to computers.

Scenario:

• User opens email
• User clicks attachment
• Window pops up: <blink>WARNING<>
  This code has not been signed (or is signed by an unknown publisher) Click OK in this box could transmit a virus, destroy your hard drive, subvert your nations economy, summon flesh eating aliens and damn us all to eternal hell.
• User clicks Ok

Yes, checking signatures on code you execute is a good thing, but there are specifics to be concerned about in an implementation. How to you guarantee the signature? Obviously, some sort of authentication, and method of checking the signiture against, perhaps, a public key is needed. And to handle that you need a web of trust that's workable. But none of that matters a whit if users aren't careful about the trust, and don't investigate. Nor is it worth a darn if they ignore warnings. These problems (aka user education, and poorly designed secure systems) have to be taken care of before any of this will be useful.