Slashdot Mirror
Worms Going Further, Faster
Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix login; passes along a few distilled factiods from a CAIDA analysis of the 'Sappire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"
There's a lot that can't be done about these things because at the very bottom of every system is a human being who will forget to patch the system or stupidly open an executable.
There is no patch for human carelessness.
I have been pwned because my
I'm wonderfully happy to live in a world where the only large-scale communication network is prone to mass disruption and/or destruction at the drop of a pin. Great.
Fast moving worms are harder for those pesky birds to get at.
I thought this article was about Worms 2 being released for linux :(
It was terrible. I had to take lots of drugs.
Cut off their arms?
There is no god
obligatory dumb and dumber:
LLOYD
(smiling)
I got worms.
MARY
I beg your pardon?
LLOYD
That's what we're gonna call it: I
Got Worms. We're gonna specialize in
selling worm farms â" you know, like
ant farms. A lot of people don't
realize that worms make much better
pets than ants. They're quiet,
affectionate, they don't bite, and
they're super with the kids.
MARY
Aren't ants quiet, too?
Where it is the point in this matter nowadays? It really took talent to write malware in the old days, what with having to be able to get the virus in the executables and boot sectors of floppy disks, but now everything looks like a work of the VBScript cut-and-paste. Why is it so hard to find the author of these programs?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
A good set of vulnerabilities across multiple hardware configurations and OSes is a great start. An interesting idea would be to sync the worms up based upon a reading from a certain timezone on time.gov. Make them start scanning all IPs for vulnerable, uninfected machines at the same time. So not only do you get the chance to infect, but you DDoS. Fun stuff. Also, you could make it infect unprotected routers and give the virus 'priority' in transmissions, etc, etc.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
The nice part about Slammer is that it could just spew data - if it hit you, and you were vulnerable, you were infected. It didn't require any complicated TCP sessions, was MUCH nicer on host resources, and the entire hack fit inside a single packet. Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.
I want to delete my account but Slashdot doesn't allow it.
I'm still waiting for a Cisco IOS bug to be discovered that is present in all 12.x series code. I can't wait to see the worm for that one :D
http://www.cgisecurity.com/articles/worms.shtml
Thank God I've got a Mac! It's hard enough to get regular software ported, I doubt that many people would invest time to port a worm, except "Worms Blast" =D
Taking guns away from the 99% gives the 1% 100% of the power.
Some day, we will all curse like sailors and have to reboot every god damned machine we have - maybe even revert to latest backup. Some day, the apocalypse will hit us, and Internet will cough for a day like it had the SARS. And then you hope your mother wasn't in hearing range.
It's not even just that now. The latest rendition of Bugbear would send out an infected file named after a file on the computer it was sending from. I imagine the next generation mailers will check send records, or even incorporate spyware code, and mail themselves out using names of files the user sent recently, or selectively infect shared files to get loose on the network. For computers to be useful you have to have some level of trust, and as worms become smarter they can more easily exploit that fact.
We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.
For a world-wide problem with worms, cross-platform worms are not required - just a simultaneous release of single platform worms. The spreading algo would be common, the payload and infection mechanism platform specific.
One for windows, one for linux, one for routers/switches...
Imagine the impact. Would the internet survive?
The only things preventing this might be the fact that no single person has the required experience in all the platforms, and vulnerabilities in non-windows OS's are typically more difficult to exploit.
All bow to his Noodliness!! His Noodle Appendage has touched me!
We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.
Harsher punishments for virus writers?
Better system recovery process?
I have been pwned because my
One problem with saying that Slammer or any "flash worm" is that bandwidth and current infastructure isn't taken into account. Any worm taking on activity levels (as seen by how the whole Internet seemed to slow down) of this magnitude tend to self contain themselves at local router or node bottlenecks. As links go to fiber this won't hold, but atleast for now it does.
in THE Doomsday, those who don't believe will be wiped out.
so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?
and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.
Comment removed based on user account deletion
Don't confuse rate of scan with number of systems. As mentioned it was spewing it's exploit in a single UDP packet. The worm didn't care whether other worms had already spewed the packet at a given IP, it was just tossing it out there. Whether the number itself is valid, it's being calculated (probably, at least) by multipying the average bandwidth available to an infected host, times the number of infected hosts. X infected hosts spewing Y packets an hour is Z total packets per hour.
Perhaps not especially useful, but it does give an idea of the sheer scope of that beast.
Never attribute to malice what can as easily be the result of incompetence...
nature has evolved to fight biological infection by various means: genetic diversity, adaptive defensives. we could take a lesson from this.
The same kind that,when you are driving, lets you know in one glance how many miles per hour you will cover if you stay at your current speed.
Seems pretty informative to me.
Harsher spankings for the people that still haven't grasped the concept of NOT clicking that email attachment with a .vbs extension. :P
-blink-blink-
Connecting to AOL...
-blink-
You've got mail!
-blink-blink
"ooh, an attachment..."
The statistics does hold, the efficiency of the worm decreases because there simply aren't enough hosts on the internet (or in IPv4 for that sake) to keep the worm busy for several hours...
If the worm spews out X packets over Y minutes, why would it change in the Y+n next minutes ?
Think about it yourself, the worm doesn't suddenly stop and think "hey I've infected 3 bn. systems now, I better slow down", it keeps on going, but as only a fraction of the 4 bn available addresses in IPv4 are available and globally reachable it doesn't make sense to do an exhaustive test...
-- There is no patch for human carelessness.
The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?
Yes, there will always be someone who will open attachments no matter how often you tell them not to.
But perhaps the root issue isn't the fellow who can't stop clicking on Fireworks.exe files but the OS and application developers who enable and then don't patch systems that allow those users to be so easily exploited.
Actually, it's quite valid. Ask any cop who's ever pulled somebody over for doing 120KPH in a 40KPH zone, even though they only drove 5KMs. :)
BD Phone Home!
Shameless plug. Like you weren't expecting it.
Why doesn't someone just make a worm that goes around and downloads Windows and SQL server updates to patch against all these worms? I realize Microsoft doesn't have the best track record even with their updates, but it would still probably solve some problems. And yes, I realize there's something wrong with forcing people to install updates, but consider the alternative of reading these articles every week here.
If you're running Apache, and it looks like you are, you can avoid logging that crap (and minimize bandwidth and CPU waste) with this minor httpd.conf change. You can also block/ban email spiders (at least ones that report their agent name truthfully, which apparently is most of them) using the info at the same link.
everything in moderation
Stop listening to Art Bell, you'll rot your brain.
a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."'
A "Warhol" worm wouldn't infect the Internet in 15 minutes, it would infect it for only 15 minutes.
I think the root issue is the assholes who write the viruses in the first place, slack OS's and users just make their life easier.
sig's not here
I agree that it's not safe to rely on humans to keep systems patched. But, for one, if most systems are kept patched, a worm like SLAMMER would be useless. This is an obvious point you neglect, but not an interesting one.
More interesting, I think, is the debate over whether there is such a thing theoretically possible as a secure architecture. This is, of course, the idea behind "secure" systems designed to be so from the ground up, such as Palladium. Ethernet, TCP/IP, ARP, and most of the other protocols which make up the 'Net were not designed with security in mind from the bottom up, but rather designed for effectiveness, ease of implementation, and the like. For example, why do Ethernet cards allow promiscuous mode? It makes diagnosing certain problems easier, but it also represents a very big opportunity for all sorts of security vulnerabilities. Or why can MAC addresses be changed so easily? This represents an easy opportunity for mischeif.
But had the entire architecture of the 'Net been designed for security and accountability rather than ease of access and openness from the start (granted, two often-conflicting ideals), would absolute security be possible?
Many say that security is never truly possible without unplugging the computer from the 'Net, turning it off, and embedding it in concrete. This may be exaggeration, but of course it is quite difficult to prove something secure; RSA has not be proven secure, public-key cryptography has not been proven secure, and I don't really see how you could prove any other system secure, either.
This may not be necessary, however. We may not know for certain that RSA is secure, but we assume that the NSA does not know how to factor such large numbers any better than the rest of us, and we assume it to be secure (and such an assumption does appear valid). If enough evidence exists to assume a system to be "practically secure," that is enough for implementaiton.
I have no answers to these questions. But I think to assume such a problem is unanswerable is silly and is itself merely a non-answer. Security may not be an easy goal, but it may be acheivable. At least in some forms, this is clearly the case; it would quite evidently be possible to stop some sorts of attacks, like SLAMMER, in the future, even if theoretical, absolute, security remains un-obtainable.
If we're talking about ultra-fast worms in particular, only the first problem matters. A piece of malware that depends on users getting to their email is going to talke longer than 15 minutes to spread.
We could still be vulnerable even if everyone patched their systems, if someone writes the exploit before the patch comes out.
Scary stuff.
How to 0wn the Internet in Your Spare Time
Interesting topics: "Better" worms techniques
"A combination of hit-list and permutation scanning can create what we term a Warhol worm, capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes. "
Brain is my second favorite organ.
A really nice way to make an extremely destructive worm would be to ensure that the great majority of computers connected to the internet are running the exact same operating software. This would guarantee that a vulnerability can reliably be exploited in pretty much any neighbor.
Unfortunately, such a scenario is but a dream. Modern operating systems are too secure!
This sounds like Ender's Worm. Very interesting read.
Your assumption is that true security is a theoretical impossibility. On what grounds?
Not to speak for the previous poster, but that's a pretty good assumption. No technological advance has ever succeeded in remaining secure for long.
(Example: plate armor probably seemed impregnable in practical terms, until the longbow came along. Yeah, okay, a stinking peasant could hamstring a warhorse and beat the knight to death with a rock while he lay helpless on the ground, but these possibilities were probably ignored with the same superstitious enthusiasm that sysadmins ignore the rarer kinds of attacks on their systems.)
I would think that the burden of proof falls on those who maintain that "true security" is attainable. And the minute you propose some system to guarantee that true security, some clever person will come along and propose a way to get around it.
Anyone designing a critical security system should probably start off with the assumption that security will eventually be breached, and make damn sure that when the breach occurs, catastrophe does not result.
It's not a description of an actual worm, it's not even a description of how to build a worm, it's a vague description of how a worm might be constructed:
1. Scan internet servers looking for vulnerable software
2. Infect said software.
Duh. The author writes, "I didn't write this paper to give people malicious ideas." -- It's okay! There's nothing in the paper that would assist people in doing anything useful!
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
Everyone knows that worms DO infect apples.
Actually, the new Bugbear does selectively infect shared files. On my network, two 98 boxes had their entire C drives shared, while someone else (a laptop) became infected with the new Bugbear. Those two computers had only a few infected files, including:
c:\program files\internet explorer\iexplore.exe
c:\program files\outlook express\msimn.exe
c:\program files\adobe\acrobat x.0\reader\acrord32.exe
So it looks like the new Bugbear already selectively infects shared files.
We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.
We don't need to stop stressing prevention, but some shops certainly do need to react faster when something hits.
Actually, this is exactly where a portion of the security community is currently focusing. With a deep enough level of protocol understanding, it's often possible to write generalized algorithms that detect (and presumably block) novel attempts to exploit a known vulnerability. For example, in the case of SQL Slammer, the buffer overflow vulnerability disclosure came many months before the worm hit, and at least a couple intrusion detection vendors were able to positively identify the exploit attempt without requiring an update -- one of the keys to protection against such a rapidly propagating worm.
I'm no historian, but I bet plate armor was more for intimidation factor than anything else.
:)
I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.
I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.
Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
A multi-headed worm that can penetrate seven different networks at once, and steal 4 billion dollars from the Swordfish slush fund, all within ten seconds?
N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
There are these things called, uh, let me think, they're often connected to wires in the wall, umm, sometimes people forget to turn them off in movie theaters, err, they make noise when someone wants to talk to you, uh, damnit I forget. But they were the big thing a few years ago. I think I can even remember using them for Internet access, but maybe that was just a bad dream.
Gates' Law: Every 18 months, the speed of software halves.
Name a security measure that is mere intimidation. Name a measure that has no added value and is just shiny armor. (This does, admittedly, apply to local security measures using biometrics; thumbprint scanners are less secure, at least on the consumer-grade, and just cooler looking, but I don't think it applies quite the same way to real network security measures.)
Your point is well-taken, that companies have no incentive to sell something that works above and beyond selling what sells, but it neglects that the two generally do go together and the leaders in the field tend to have true committment to security.
"The happiest day of my life was when the doctor said I didn't have worms anymore"
The problem with Ender's worm is that by design it is self-defeating. The idea of a "worm farm" of different units targetting different systems is effective, but with a common communications protocol, it negates the worms' ability to evolve and thwart detection. The writer of the paper talks about the worms' needs to change signatures to avoid AV detection, yet communicate with other units by a common question-and-response session, which would make it incredibly easy for any infected unit on the network to be easily identified.
To date, what gives away worm activity is the incessant talking they perpetrate, which is necessary to their propagation. So the key to any "super worm" isn't necessarily the speed at which it can infect nodes, but how quietly this can be done. I would argue that a slow, methodical infection, at a pace which makes the activity unsuspicious, has the potential to be much more dangerous.
Maybe this would be the ultimate worm.. two modes.. the first one slowly propagates and avoids detection, then a second phase which triggers a more aggressive frontal assault.
A key point of this article is patch-based security won't work, and signature-based virus scanning won't work, against a competent attacker. If someone discovers a new exploit and crafts a fast-spreading attack based on it, the attack can take over a vast number of hosts long before there's any response.
This issue is a bit more complicated than you think.
Hey, when is someone going to be nice enough to the world to make a purty li'l worm that actually shuts off all the security features that are exploited in Outlook...
I am sure there are plenty of reasons not to do this, but if you asked the person politely like.
"Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer?
| Yes | No |"
*click*
"Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"
"on the network. For computers to be useful you have to have some level of trust"
This is what Palladium is all about. Executable code is signed, and it can only run if you choose to trust the publisher. Viruses are less of a problem because an infected file will fail signiture verification.
Microsoft may be misguided with Palladium and the DRM goodies that it includes, but the underlying concept of trusted and untrusted code is a good one.
Might I add, however, that the same thing can be done without the complete hardware implementation of Microsoft's product. A simple signed executable system would do the trick. Microsoft already uses this for ActiveX controls.
Although Palladium may help with some worms, since Outlook Express is a "trusted application" (at least by Palladium...), those .vbs scripts will be run as trusted apps; this will allow better than half of the viruses currently circulating to continue to do so.
It's almost amusing to read my mail in kmail with HTML rendering turned off, and look over the attached scripts that arrive in my mailbox now and then. It makes me feel like an entomologist looking though a magnifying glass at a venomous spider pinned to a corkboard.
"Can't you see that everyone is buying station wagons?"
Scenario:
This code has not been signed (or is signed by an unknown publisher) Click OK in this box could transmit a virus, destroy your hard drive, subvert your nations economy, summon flesh eating aliens and damn us all to eternal hell.
Yes, checking signatures on code you execute is a good thing, but there are specifics to be concerned about in an implementation. How to you guarantee the signature? Obviously, some sort of authentication, and method of checking the signiture against, perhaps, a public key is needed. And to handle that you need a web of trust that's workable. But none of that matters a whit if users aren't careful about the trust, and don't investigate. Nor is it worth a darn if they ignore warnings. These problems (aka user education, and poorly designed secure systems) have to be taken care of before any of this will be useful.
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
DOC, XLS, MDB, BAT, ZIP, TAR.*...
Ok, so those aren't obvious carriers in the same way that you classified the filetypes that you listed. However, they are all potentially capable of carrying and delivering malicious code and, at the same time, all potentially valid attachment types.
The problem with blocking attachments is that certain filetypes are often used for virus distribution but also for valid email. Something like PIF can be blocked because no one sends PIF files as attachments. Blocking an EXE or a DOC file may have unforseen consequences, however. The solution isn't to block every suspicious filetype that comes through. Running those files through a virus scanner on the server side would probably be a good idea, though. Of course, that'd use more CPU time than just delivering the message, so messages might end up being delayed a few seconds, but it's a small price to pay.
Well, but it is the fault of the criminals. It's very sad that most of us live in societies where your point seems to implicitly make some sort of sense, but no one should lose sight of the fact that there is really no one to blame for this but the instigator. Because another parallel that works, unfortunately, is:
"You got raped because you were showing a little leg and walking down a dark street?"
You can dress more conservatively and only walk down lit streets, but by refusing to address the root issue, you give up some of your freedoms. Same thing here; there are a lot of neat, open things that we should be able to do with computers to make our lives easier without having to give in to the criminals who write these things. The parent post you are replying to has a good point--we shouldn't be putting more effort into locking ourselves down than we are in to finding and dealing with the offenders.
No relation to Happy Monkey
Ever since explorezip (the worm before that I Love You thing) appeared and wiped out most of our office network, I have thought that the whole anti-virus industry was on the back foot.
At work we all have this little anti-virus icon in our task bars, updating virus libraries from a central server (and slowing down all our machines as well). But if a new Outlook worm came out and we all started opening it, the anti-virus software would just ignore it until the patch came out. Even if the gap between us getting the worm and the patch was a few seconds, the damage would be done.
So why are we paying thousands of bucks a year for anti-virus when we know it probably will do nothing? Sure, it catches the occasional tired Word macro and maybe an antique trojan on an old floppy, but is that worth it?
Hmm.
"And the meaning of words; when they cease to function; when will it start worrying you?"