Slashdot Mirror


Worms Going Further, Faster

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix ;login: passes along a few distilled factoids from a CAIDA analysis of the 'Sapphire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I take 'better' to mean 'able to infect across a lot of platforms.'"

12 of 301 comments

  1. Equation for a good worm by Renraku · Score: 5, Interesting

    A good set of vulnerabilities across multiple hardware configurations and OSes is a great start. An interesting idea would be to sync the worms up based upon a reading from a certain timezone on time.gov. Make them start scanning all IPs for vulnerable, uninfected machines at the same time. So not only do you get the chance to infect, but you DDoS. Fun stuff. Also, you could make it infect unprotected routers and give the virus 'priority' in transmissions, etc, etc.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  2. Re:Why do delinquents bother? by oneishy · Score: 4, Interesting

    Actually 'the Sapphire Worm' was just 376 bytes long. Not much extra code in that assembly program to track an author by.

  3. Re:Why do delinquents bother? by Read Icculus · Score: 5, Interesting

    Maybe the "delinquents" are actually pretty damn smart. Smart enough to not get caught because they take proper security precautions. Like others have said, this worm was a pretty smooth little hack. All over UDP and in a single packet. Anyway, at least when a worm like this comes along people start paying attention to actually fixing the problem. If no one exploited the vulnerability then folks like MS might never get around to fixing it. When something like this is front-page news and on CNN, normal folks sit up and take notice. Maybe enough notice to try and make their systems more secure, or perhaps switch to a more secure program/OS. Not that I like viruses and worms, quite the opposite is true. I remember when my ISP got a worm (Code Red, I think) and infected me. The incident certainly made me more security conscious, and I now have a new ISP that I hope has more of a clue than my old one.

    --
    Anti-social? My code is just platform-specific.
  4. Re:Why do delinquents bother? by PetiePooo · Score: 5, Interesting

    Not to nitpick, but the SQL Slammer worm appeared to be written in assembly. It is quite interesting to read through the source.

    While the PRNG isn't of the highest quality, its brevity is what allowed it to spread so quickly. An infected system was sending out packets as fast as the outbound pipe could handle it. A smaller virus, even by a few bytes, would mean that much faster of an infection rate.

    By and large, you're right about VBScript making for simple virii, but this isn't the one to use as an example.

  5. learn from evolution by Anonymous Coward · Score: 3, Interesting

    nature has evolved to fight biological infection by various means: genetic diversity, adaptive defenses. we could take a lesson from this.

  6. Re:Oh no! Shut the Interweb off! by pixelgeek · Score: 5, Interesting

    -- There is no patch for human carelessness.

    The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?

    Yes, there will always be someone who will open attachments no matter how often you tell them not to.

    But perhaps the root issue isn't the fellow who can't stop clicking on Fireworks.exe files but the OS and application developers who enable and then don't patch systems that allow those users to be so easily exploited.

  7. If it's so easy to write one... by DynamiteNeon · Score: 4, Interesting

    Why doesn't someone just make a worm that goes around and downloads Windows and SQL server updates to patch against all these worms? I realize Microsoft doesn't have the best track record even with their updates, but it would still probably solve some problems. And yes, I realize there's something wrong with forcing people to install updates, but consider the alternative of reading these articles every week here.

    1. Re:If it's so easy to write one... by FLoWCTRL · Score: 5, Interesting

      There was a lot of speculation in the security community that this is effectively what the "Slammer" worm was -- a non-malicious worm that forced everyone to patch their software. Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload. All it did was propagate itself. The DoS effect was just a result of the massive increase in network traffic from its propagation. It could have been way, way worse.

      --
      http://oss.netmojo.ca

    2. Re:If it's so easy to write one... by PetWolverine · Score: 4, Interesting

      > Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload

      Let's think of a worst-case scenario, here...

      The worm had a program to propagate itself in a space of 376 bytes. It had up to, what, 1500 bytes to carry whatever program it wished? Let's say it used those 1500 bytes to set up a program that would listen on a particular TCP port for instructions from the author's computer. Then, rather than propagating itself as fast as possible, it sends out a packet every few minutes, gradually and insidiously infecting all MSSQL servers on the Internet.

      The 1100 extra bytes are used to write a program to disk, and then launch it. This program listens for connections on some high port, or perhaps just listens for UDP packets of a certain description (since it knows the firewall lets those through). At first, it simply catches all worm packets and records the IP addresses, so that it knows what other hosts are infected.

      The author's computer listens for these packets, and makes a similar list of infected hosts. Then, when the time is ripe, he starts sending additional instructions to those hosts.

      The hosts receive the new instructions, modify their program based on the contents, and then echo the packet out to the hosts in their lists. The author numbers the instruction packets, and the hosts make a note of which ones they've received and ignore repeats. That way, once all infected hosts are updated, the patches stop flying around.

      One of the first instructions to be sent out is to make the program launch at boot time. Then, the infected computers are sent instructions to stop propagating themselves. They're sent instructions to report back to the original source. The author looks at the hosts, sends out special non-propagating instructions to military hosts to send him their data. He sends out instructions to hosts that may have access to credit card databases to send him the numbers and expiration dates. He gathers whatever other information he deems useful.

      Then, he sends out an instruction for all hosts to delete all data from all databases.

      How difficult would it be to write the initial program for that? How difficult to make those patches, and make them work? My guess is, someone who knows assembly well could pull it off. It may take a fair amount of time and patience, but the amount of money to be made is pretty considerable and could make it worthwhile. Hey, if I were going to write a malicious worm, that's how I would go about it.

      But the most pertinent question is, how many MSSQL servers are still out there, unpatched, vulnerable, serving critical data?

      --
      I found the meaning of life the other day, but I had write-only access.
  8. Re:Why do delinquents bother? by Tackhead · Score: 3, Interesting
    > Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

    Grok!

    I still remember stunning some of my cow orkers by saying from two cubicles away, "Dude, run a virus scanner. There's no reason your floppy drive should be doing that many seeks across the entire width of the disk. Something's writing to the FAT or boot sector every time you access any files. Probably a virus. Kill it before it kills you."

    To this day, they still have no idea how I knew about that without even looking at the screen or touching the box, but from where I sat it was just obvious (when I first heard that pattern of seeks and asked if the guy was copying 100 small files to the floppy, and he said "no") that something on that box was fucked up. (And fucked up in a way that MS-DOS, all by itself, wasn't :)

    Funny note - the virus in question was indeed a boot sector virus, and was pretty much harmless on Win3.1 boxen. Not so on an NT box. If only I'd come to work one day before. Yuk.

  9. Re:Doomsday in a good way? by Waffle Iron · Score: 4, Interesting

    > so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

    Um... what if the worm writer used a new vulnerability that he discovered himself? There would be no patches.

  10. a call to the white hats? by Vaughn Anderson · Score: 5, Interesting

    Hey, when is someone going to be nice enough to the world to make a purty li'l worm that actually shuts off all the security features that are exploited in Outlook...

    I am sure there are plenty of reasons not to do this, but if you asked the person politely, like:

    "Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer?
    | Yes | No |"

    *click*

    "Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"