Slashdot Mirror


Worms Going Further, Faster

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix login; passes along a few distilled factoids from a CAIDA analysis of the 'Sapphire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I take 'better' to mean 'able to infect across a lot of platforms.'"

24 of 301 comments

  1. Equation for a good worm by Renraku · · Score: 5, Interesting

    A good set of vulnerabilities across multiple hardware configurations and OSes is a great start. An interesting idea would be to sync the worms up based upon a reading from a certain timezone on time.gov. Make them start scanning all IPs for vulnerable, uninfected machines at the same time. So not only do you get the chance to infect, but you DDoS. Fun stuff. Also, you could make it infect unprotected routers and give the virus 'priority' in transmissions, etc, etc.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  2. More platforms by Anonymous Coward · · Score: 2, Interesting

    I'm still waiting for a Cisco IOS bug to be discovered that is present in all 12.x series code. I can't wait to see the worm for that one :D

  3. Re:Why do delinquents bother? by oneishy · · Score: 4, Interesting

    Actually 'the Sapphire Worm' was just 376 bytes long. Not much extra code in that assembly program to track an author by.

  4. But there aren't 3 billion systems. by suso · · Score: 1, Interesting

    What kind of a statistic is that? How can it fully complete a 3 billion system per hour cycle if there are not 3 billion systems to infect (I'm guessing that there aren't). So its true rate is however many systems it actually did infect, which is likely a lot less than 3 billion. You can't just calculate the speed over 2 minutes and multiply it by 30. That'd be like a starship that was able to travel at 15 billion light years per hour. Really? Where would it go?

    1. Re:But there aren't 3 billion systems. by Blkdeath · · Score: 2, Interesting
      > What kind of a statistic is that? How can it fully complete a 3 billion system per hour cycle if there are not 3 billion systems to infect

      Actually, it's quite valid. Ask any cop who's ever pulled somebody over for doing 120KPH in a 40KPH zone, even though they only drove 5KMs. :)

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  5. Re:Why do delinquents bother? by Read+Icculus · · Score: 5, Interesting

    Maybe the "delinquents" are actually pretty damn smart. Smart enough to not get caught because they take proper security precautions. Like others have said this worm was a pretty smooth little hack. All over UDP and in a single packet. Anyway at least when a worm like this comes along people start paying attention to actually fixing the problem. If no one exploited the vulnerability then folks like MS might never get around to fixing it. When something like this is front-page news and on CNN normal folks sit up and take notice. Maybe enough notice to try and make their systems more secure, or perhaps switch to a more secure program/OS. Not that I like viruses and worms, quite the opposite is true. I remember when my ISP got a worm, (Code Red I think), and infected me. The incident certainly made me more security conscious, and I now have a new ISP that I hope has more of a clue than my old one.

    --
    Anti-social? My code is just platform-specific.
  6. Re:Why do delinquents bother? by Anonymous Coward · · Score: 1, Interesting

    Slammer and Code Red were blockable by patches released long before the outbreak happened.

    Or we can just ignore that and blame Microsoft. Yeah, that's the ticket.

  7. Re:Why do delinquents bother? by PetiePooo · · Score: 5, Interesting

    Not to nitpick, but the SQL Slammer worm appeared to be written in assembly. It is quite interesting to read through the source.

    While the PRNG isn't of the highest quality, its brevity is what allowed it to spread so quickly. An infected system was sending out packets as fast as the outbound pipe could handle it. A smaller virus, even by a few bytes, would mean that much faster of an infection rate.

    By and large, you're right about VBScript making for simple virii, but this isn't the one to use as an example.

  8. learn from evolution by Anonymous Coward · · Score: 3, Interesting

    nature has evolved to fight biological infection by various means: genetic diversity, adaptive defenses. we could take a lesson from this.

  9. Re:Oh no! Shut the Interweb off! by pixelgeek · · Score: 5, Interesting

    -- There is no patch for human carelessness.

    The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?

    Yes, there will always be someone who will open attachments no matter how often you tell them not to.

    But perhaps the root issue isn't the fellow who can't stop clicking on Fireworks.exe files but the OS and application developers who enable and then don't patch systems that allow those users to be so easily exploited.

  10. speaking of large attacks by Anonymous Coward · · Score: 1, Interesting

    I was just listening to a radio show. The host had an email from "an insider" we'll say, who related that just lately (ongoing) there is supposedly some big "attack" going on that is targeting some government database, allegedly the largest in the world, but no name (redacted of course), and also banks of all things. I emailed him with the latest bugbear exploit details, because it sounded like it. He mentioned my email after a station break, and was adamant that his source was saying it was NOT the latest bugbear variant, but something much larger and they think it's a state sponsored cyber warfare attack.

    Anyone hear of anything like this going on? I checked the usual security sites, I see nothing mentioned.

    My apologies for the sidetracking, just the timing and this thread gave me an opportunity to ask here.

  11. Re:Oh no! Shut the Interweb off! by Anonymous Coward · · Score: 1, Interesting

    There's a lot to be said for having diversity in a population to prevent a 100% infection rate.

  12. If it's so easy to write one... by DynamiteNeon · · Score: 4, Interesting

    Why doesn't someone just make a worm that goes around and downloads Windows and SQL server updates to patch against all these worms? I realize Microsoft doesn't have the best track record even with their updates, but it would still probably solve some problems. And yes, I realize there's something wrong with forcing people to install updates, but consider the alternative of reading these articles every week here.

    1. Re:If it's so easy to write one... by DynamiteNeon · · Score: 2, Interesting
      Hehe, I'm aware of that. I actually said it half-jokingly. I'm sure there are tons of obvious Microsoft jokes that could be inserted.

      The point was that a majority of the people being affected are probably those that don't even know what windows update is to begin with. They probably wouldn't even notice the changes being made in the background by this worm.

    2. Re:If it's so easy to write one... by FLoWCTRL · · Score: 5, Interesting

      There was a lot of speculation in the security community that this is effectively what the "Slammer" worm was -- a non-malicious worm that forced everyone to patch their software. Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload. All it did was propagate itself. The DoS effect was just a result of the massive increase in network traffic from its propagation. It could have been way, way worse.

      --
      http://oss.netmojo.ca

    3. Re:If it's so easy to write one... by PetWolverine · · Score: 4, Interesting

      > Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload

      Let's think of a worst-case scenario, here...

      The worm had a program to propagate itself in a space of 376 bytes. It had up to, what, 1500 bytes to carry whatever program it wished? Let's say it used those 1500 bytes to set up a program that would listen on a particular TCP port for instructions from the author's computer. Then, rather than propagating itself as fast as possible, it sends out a packet every few minutes, gradually and insidiously infecting all MSSQL servers on the Internet.

      The 1100 extra bytes are used to write a program to disk, and then launch it. This program listens for connections on some high port, or perhaps just listens for UDP packets of a certain description (since it knows the firewall lets those through). At first, it simply catches all worm packets and records the IP addresses, so that it knows what other hosts are infected.

      The author's computer listens for these packets, and makes a similar list of infected hosts. Then, when the time is ripe, he starts sending additional instructions to those hosts.

      The hosts receive the new instructions, modify their program based on the contents, and then echo the packet out to the hosts in their lists. The author numbers the instruction packets, and the hosts make a note of which ones they've received and ignore repeats. That way, once all infected hosts are updated, the patches stop flying around.

      One of the first instructions to be sent out is to make the program launch at boot time. Then, the infected computers are sent instructions to stop propagating themselves. They're sent instructions to report back to the original source. The author looks at the hosts, sends out special non-propagating instructions to military hosts to send him their data. He sends out instructions to hosts that may have access to credit card databases to send him the numbers and expiration dates. He gathers whatever other information he deems useful.

      Then, he sends out an instruction for all hosts to delete all data from all databases.

      How difficult would it be to write the initial program for that? How difficult to make those patches, and make them work? My guess is, someone who knows assembly well could pull it off. It may take a fair amount of time and patience, but the amount of money to be made is pretty considerable and could make it worthwhile. Hey, if I were going to write a malicious worm, that's how I would go about it.

      But the most pertinent question is, how many MSSQL servers are still out there, unpatched, vulnerable, serving critical data?

      --
      I found the meaning of life the other day, but I had write-only access.
  13. Re:How to make super destructive worm by brian728s · · Score: 2, Interesting

    The worm I am afraid of is one that learns (or at least adapts) using some sort of evolution-based algorithm. Several million computers is a sufficient "population" for the worms to gain a lot of knowledge about what works and what doesn't.

  14. Re:Why do delinquents bother? by Tackhead · · Score: 3, Interesting
    > Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

    Grok!

    I still remember stunning some of my cow orkers by saying from two cubicles away, "Dude, run a virus scanner. There's no reason your floppy drive should be doing that many seeks across the entire width of the disk. Something's writing to the FAT or boot sector every time you access any files. Probably a virus. Kill it before it kills you."

    To this day, they still have no idea how I knew about that without even looking at the screen or touching the box, but from where I sat it was just obvious (when I first heard that pattern of seeks and asked if the guy was copying 100 small files to the floppy, and he said "no") that something on that box was fucked up. (And fucked up in a way that MS-DOS, all by itself, wasn't :)

    Funny note - the virus in question was indeed a boot sector virus, and was pretty much harmless on Win3.1 boxen. Not so on an NT box. If only I'd come to work one day before. Yuk.

  15. Re:Sounds like.. by brian728s · · Score: 2, Interesting

    It is similar, but not quite the same (ender's worm). The worm would be based on a neural network capable of storing various infection and spreading techniques. Coupled with the neural network would be the "standard" worm tools for infection and stealth. The core receives additional training information from other infected computers. The first time a worm is activated, it creates copies of itself on the host in various places using various techniques. Many of these may be discovered. Their loss is more valuable to the species. After a predefined time, the "primary worm" contacts all other worms on the system. The ones that survived are considered evidence that the particular method works on a particular system configuration. Next, it begins scanning the internet for other worms. When it finds one, it transmits a string containing two parts. One part describes various aspects of the system (operating system, versions of patches, versions of programs, versions of antivirus definitions, etc), the other describes the methods that successfully infected the computer. This information would be most certainly less than one packet. When a worm receives one of these packets, it first verifies it, and then adds it to its neural network. It then queries its neural network using its system configuration string and reinstalls itself onto the system based on those parameters. Then it waits a shorter time (maybe 15 minutes) before resuming port scanning (to make sure the updates don't reveal itself before it begins contributing to the "gene pool" again). This process allows the worm to evolve on its own and discover new ways to infect (assuming some sort of random mutation system).

  16. Re:Doomsday in a good way? by Waffle+Iron · · Score: 4, Interesting
    > so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

    Um... what if the worm writer used a new vulnerability that he discovered himself? There would be no patches.

  17. Sapphire PRNG by Anonymous Coward · · Score: 1, Interesting
    Personally, when I read through the Slammer source and the analysis of the code (and the PRNG flaws), I immediately thought to myself "A couple more days of testing and enhancement, and this thing could be really interesting."

    I suppose the drive to release the worm while there is still a sizable pool of vulnerable hosts is one justification for the distinct lack of QA by worm developers.

    Specifically, I would have done more testing on the PRNG (run in a sandbox, check IP target coverage), added code to selectively target "nearby" hosts (bypass randomization of the first, second and sometimes third byte), and perhaps looked into spoofing the source port (lots of badly written firewalls allow inbound packets that show a source port of 53, etc).

    And to get really nasty, every few packets, set the fourth and sometimes third octet of the IP to .255/.127/.63, to get that whole smurf effect going in your favor.

    Nonesuch@Chicago

  18. Re:UDP all the way! by Anonymous Coward · · Score: 2, Interesting
    The nice thing about Slammer is that:
    1. It justifies our Corporate policy of "Absolutely no UDP packets cross the firewalls. Ever."
    2. There are not too many other UDP protocols out there to be exploited, so we won't see too many more "flash worms".

    The scary thing about UDP "flash worms":

    1. One of the highest usage protocols on the Internet is DNS, a UDP (mostly) protocol with a history of server and client vulnerabilities.

    My prediction: by the end of this year we will see a cross-platform (Linux/X86 and Solaris/Sparc?) "flash worm" targeting BIND...

    Nonesuch@Chicago

  19. *ring* hello? is virus there? Yea, hold on... by mabu · · Score: 2, Interesting

    The problem with Ender's worm is that by design it is self-defeating. The idea of a "worm farm" of different units targeting different systems is effective, but with a common communications protocol, it negates the worms' ability to evolve and thwart detection. The writer of the paper talks about the worms' needs to change signatures to avoid AV detection, yet communicate with other units by a common question-and-response session, which would make it incredibly easy for any infected unit on the network to be easily identified.

    To date, what gives away worm activity is the incessant talking they perpetrate, which is necessary to their propagation. So the key to any "super worm" isn't necessarily the speed at which it can infect nodes, but how quietly this can be done. I would argue that a slow, methodical infection, at a pace which makes the activity unsuspicious, has the potential to be much more dangerous.

    Maybe this would be the ultimate worm.. two modes.. the first one slowly propagates and avoids detection, then a second phase which triggers a more aggressive frontal assault.
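The point in comment 19, that the "incessant talking" of propagation is what gives a worm away, can be turned into detection logic. The following is an added example, not code from the thread or from the CAIDA analysis: it flags sources whose small UDP datagrams fan out to many distinct destinations inside a sliding time window, with an allowlist for hosts such as recursive DNS resolvers (the protocol comment 18 worries about) that legitimately fan out. The flow records, thresholds and datagram sizes are constructed.

```python
from collections import defaultdict

# Constructed flow records, not captured data: (timestamp_s, src, dst, dst_port, proto, bytes).
RESOLVER = "10.0.0.53"   # recursive DNS server: legitimately talks to many authoritatives
SCANNER = "10.0.0.9"     # host spraying one small UDP datagram per target, Slammer-style
CONSTRUCTED_FLOWS = (
    # an ordinary client repeating lookups against its resolver
    [(t, "10.0.0.5", RESOLVER, 53, "udp", 80) for t in (0.0, 0.5, 1.0, 2.0)]
    # the resolver fanning out to 60 distinct authoritative servers over 8 seconds
    + [(i * 0.13, RESOLVER, f"192.0.2.{i}", 53, "udp", 90) for i in range(60)]
    # the scanner: 300 distinct targets in 3 seconds, ~400-byte datagrams to UDP 1434
    # (the SQL Server resolution service port Slammer hit; sizes here are made up)
    + [(i * 0.01, SCANNER,
        f"198.51.100.{i}" if i < 256 else f"203.0.113.{i - 256}",
        1434, "udp", 404) for i in range(300)]
)

def udp_fanout(flows, window_s=10.0, min_unique_dsts=100, max_bytes=1500,
               ignore_srcs=frozenset()):
    """Return {src: peak number of distinct UDP destinations seen inside any
    window_s-second window} for sources that reach min_unique_dsts.
    Only single-datagram-sized flows (<= max_bytes) count, since a flash worm's
    whole payload fits in one packet; ignore_srcs allowlists known fan-out hosts."""
    by_src = defaultdict(list)
    for ts, src, dst, _dport, proto, nbytes in flows:
        if proto == "udp" and nbytes <= max_bytes and src not in ignore_srcs:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()                     # sliding window needs time order
        live = defaultdict(int)           # dst -> flows currently inside the window
        left = peak = 0
        for ts, dst in events:
            live[dst] += 1
            while ts - events[left][0] > window_s:   # expire flows older than the window
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
        if peak >= min_unique_dsts:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    # A low threshold flags the resolver too; allowlisting it leaves only the scanner.
    print(udp_fanout(CONSTRUCTED_FLOWS, min_unique_dsts=50))
    print(udp_fanout(CONSTRUCTED_FLOWS, min_unique_dsts=50, ignore_srcs={RESOLVER}))
```

The window and threshold trade off against the slow, quiet propagation the comment describes: a worm that sends one packet every few minutes never reaches the fan-out threshold in a ten-second window, so long-window baselining per host is needed to catch that mode.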

  20. a call to the white hats? by Vaughn+Anderson · · Score: 5, Interesting

    Hey, when is someone going to be nice enough to the world to make a purty li'l worm that actually shuts off all the security features that are exploited in Outlook...

    I am sure there are plenty of reasons not to do this, but if you asked the person politely like.

    "Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer?
    | Yes | No |"

    *click*

    "Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"