Worms Going Further, Faster

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix login; passes along a few distilled factiods from a CAIDA analysis of the 'Sappire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"

Oh no! Shut the Interweb off!

[ObviousGuy]

There's a lot that can't be done about these things because at the very bottom of every system is a human being who will forget to patch the system or stupidly open an executable.

There is no patch for human carelessness.

Ah, the lovely internet...

[Qweezle]

I'm wonderfully happy to live in a world where the only large-scale communication network is prone to mass disruption and/or destruction at the drop of a pin. Great.

Good for the worms

Fast moving worms are harder for those pesky birds to get at.

damn.

[wo1verin3]

I thought this article was about Worms 2 being released for linux :(

Re:Oh no! Shut the Interweb off!

[rkz]

Cut off their arms?

I've got worms!

[eupheric]

obligatory dumb and dumber:
LLOYD
(smiling)
I got worms.

MARY
I beg your pardon?

LLOYD
That's what we're gonna call it: I
Got Worms. We're gonna specialize in
selling worm farms â" you know, like
ant farms. A lot of people don't
realize that worms make much better
pets than ants. They're quiet,
affectionate, they don't bite, and
they're super with the kids.

MARY
Aren't ants quiet, too?

Why do delinquents bother?

[Sheetrock]

Where it is the point in this matter nowadays? It really took talent to write malware in the old days, what with having to be able to get the virus in the executables and boot sectors of floppy disks, but now everything looks like a work of the VBScript cut-and-paste. Why is it so hard to find the author of these programs?

Re:Why do delinquents bother?

[oneishy]

Actually 'the Sapphire Worm' was just 376 bytes long. Not much extra code in that assembly program to track an author by.

Re:Why do delinquents bother?

[Read+Icculus]

Maybe the "delinquents" are actually pretty damn smart. Smart enough to not get caught because they take proper security precautions. Like others have said this worm was a pretty smooth little hack. All over UDP and in a single packet. Anyway at least when a worm like this comes along people start paying attention to actually fixing the problem. If no one exploited the vulnerability then folks like MS might never get around to fixing it. When something like this is front-page news and on CNN normal folks sit up and take notice. Maybe enough notice to try and make their systems more secure, or perhaps switch to a more secure preogram/OS. Not that I like viruses and worms, quite the opposite is true. I remember when my ISP got a worm, (Code Red I think), and infected me. The incident certainly made me more security conscious, and I now have a new ISP that I hope has more of a clue than my old one.

Re:Why do delinquents bother?

[PetiePooo]

Not to nitpick, but the SQL Slammer worm appeared to be written in assembly. It is quite interesting to read through the source. [alt] [alt]

While the PRNG isn't of the highest quality, its brevity is what allowed it to spread so quickly. An infected system was sending out packets as fast as the outbound pipe could handle it. A smaller virus, even by a few bytes, would mean that much faster of an infection rate.

By and large, you're right about VBScript making for simple virii, but this isn't the one to use as an example.

Re:Why do delinquents bother?

[aphor]

Why is it so hard to find the author of these programs?

Because there are so many no-talent hacks out there who *could* have written that lump of nasty crap.

In the beginning days, on the Apple ][ computers in my grade-school, we learned to guess our way through cracking floppy-disk copy-protected games by comparing a cracked game and a pristine byte-by-byte copy of the original. We eventually learned that a certain byte word combination was the first hardware keyboard access, and we could guess that spot was a good place to stick a jump. Then we tried a few addresses until it worked. In grade school.

Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

What really grabbed me was how a really good (insidious) virus could have such a low footprint that it could go undetected for so long. The programmers of those viruses were gifted binary ecologists. I knew then that the games I played were bloated when one year the game took one disk, and the second year you had to swap two disks even though there was little extra play for all the extra data. I envied the virus programmers for their wizardly and miserly command of the machine's meager resources. I even dreamt of the day that I could crank one out like putting together a jigsaw puzzle.

Now I am older, and the opportunity for that conquest was stolen by Moore's Law. The games (and all software in general) got bloatier and bloatier. There was so much waste, and the machines got so fast so fast, that I saw clever programming die. I was sad. It wasn't until (after I bought a student copy of Borland C++ and was stultified by the massive bloat of win16 API) that I became acquainted with Unix (FreeBSD in particular) around 1.2.1 vintage. I rediscovered elegant software.

Now, I understand the vulgar joy in duping someone else, but only a jackass gets off duping people who compare to invertibrates on an intellectual scale. VB worms are the modern-day equivalent of burning ants with a magnifying glass. "Letth thaw off hith tweeter Beavith! Hehehehehe Heheheheh..."

Equation for a good worm

[Renraku]

A good set of vulnerabilities across multiple hardware configurations and OSes is a great start. An interesting idea would be to sync the worms up based upon a reading from a certain timezone on time.gov. Make them start scanning all IPs for vulnerable, uninfected machines at the same time. So not only do you get the chance to infect, but you DDoS. Fun stuff. Also, you could make it infect unprotected routers and give the virus 'priority' in transmissions, etc, etc.

UDP all the way!

[Gothmolly]

The nice part about Slammer is that it could just spew data - if it hit you, and you were vulnerable, you were infected. It didn't require any complicated TCP sessions, was MUCH nicer on host resources, and the entire hack fit inside a single packet. Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.

Anatomy of the Web application worm

http://www.cgisecurity.com/articles/worms.shtml

No worms for me, please!

[XxtraLarGe]

Thank God I've got a Mac! It's hard enough to get regular software ported, I doubt that many people would invest time to port a worm, except "Worms Blast" =D

Re:No worms for me, please!

[dfj225]

I would imagine that worms and other viruses are not really a problem to most Windows users that you would find on this site. I know that a vast majority of the viruses are spread using holes in Outlook, which is probably unpopular with this crowd. Also, people here know enough that you really need a virus scanner for full protection. I use Windows XP, and haven't had a virus yet. I also use Mozilla mail instead of outlook.

Re:No worms for me, please!

[PhoenixFlare]

Oh please...

The installed base of Macs is so small compared to Windows PCs, there's no reason to write worms that affect Apple machines.

You can bet your ass that if Macs were as ubiqutous as x86 machines, they'd be getting slammed with worms too....That cocky attitude gets really grating.

Re:No worms for me, please!

[hondo77]

I use a Mac, too, but I have no illusion of immunity.

I do. Woo hoo!

Re:Oh no! Shut the Interweb off!

[laigle]

It's not even just that now. The latest rendition of Bugbear would send out an infected file named after a file on the computer it was sending from. I imagine the next generation mailers will check send records, or even incorporate spyware code, and mail themselves out using names of files the user sent recently, or selectively infect shared files to get loose on the network. For computers to be useful you have to have some level of trust, and as worms become smarter they can more easily exploit that fact.

We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.

Cross-platform not necessary?

[univgeek]

For a world-wide problem with worms, cross-platform worms are not required - just a simultaneous release of single platform worms. The spreading algo would be common, the payload and infection mechanism platform specific.

One for windows, one for linux, one for routers/switches...

Imagine the impact. Would the internet survive?

The only things preventing this might be the fact that no single person has the required experience in all the platforms, and vulnerabilities in non-windows OS's are typically more difficult to exploit.

Re:Cross-platform not necessary?

[gregfortune]

Oh, come on. From the quality of code we've seen in the recent "big" worms, any idiot with a little spare time can write a reasonably effective worm. We're lucky that no one really talented has had a motive for writing a really nasty worm (read cross-platform and well written with a huge number of attack vectors and a deadly payload).

Write a Windows worm?
Sure, watch the security bulletins from MS and associated companies and include a few exploits in your worm. You know we won't run out of people who haven't patched yet.

Write a Linux worm?
Sure... See above? It's the same.... There are platform differences as far as library calls, hooking into e-mail, etc, but a little time would solve that easily.

Write a .... worm?
Umm. See above? Just wash, rinse, repeat... All we're talking about is a little time.

Seriously, I'm waiting for someone slightly talented to get pissed off at technology in general. That will be the day people running automatic daily updates on (pick your platform) will be happy they've got a patched system and banging their head against the wall 'cause their ISP didn't.

Problems

[cfreeze]

One problem with saying that Slammer or any "flash worm" is that bandwidth and current infastructure isn't taken into account. Any worm taking on activity levels (as seen by how the whole Internet seemed to slow down) of this magnitude tend to self contain themselves at local router or node bottlenecks. As links go to fiber this won't hold, but atleast for now it does.

Doomsday in a good way?

[maliabu]

in THE Doomsday, those who don't believe will be wiped out.

so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.

Re:Doomsday in a good way?

[Waffle+Iron]

so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

Um... what if the worm writer used a new vulnerability that he discovered himself? There would be no patches.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Oh no! Shut the Interweb off!

[blix5]

Harsher spankings for the people that still haven't grasped the concept of NOT clicking that email attachment with a .vbs extension. :P

Re:Oh no! Shut the Interweb off!

[calennert]

-blink-blink-
Connecting to AOL...
-blink-
You've got mail!
-blink-blink
"ooh, an attachment..."

Re:But there aren't 3 billion systems.

[cyb97]

The statistics does hold, the efficiency of the worm decreases because there simply aren't enough hosts on the internet (or in IPv4 for that sake) to keep the worm busy for several hours...
If the worm spews out X packets over Y minutes, why would it change in the Y+n next minutes ?
Think about it yourself, the worm doesn't suddenly stop and think "hey I've infected 3 bn. systems now, I better slow down", it keeps on going, but as only a fraction of the 4 bn available addresses in IPv4 are available and globally reachable it doesn't make sense to do an exhaustive test...

Re:Oh no! Shut the Interweb off!

[pixelgeek]

-- There is no patch for human carelessness.

The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?

Yes, there will always be someone who will open attachments no matter how often you tell them not to.

But perhaps the root issue isn't the fellow who can't stop clicking on Fireworks.exe files but the OS and application developers who enable and then don't patch systems that allow those users to be so easily exploited.

If it's so easy to write one...

[DynamiteNeon]

Why doesn't someone just make a worm that goes around and downloads Windows and SQL server updates to patch against all these worms? I realize Microsoft doesn't have the best track record even with their updates, but it would still probably solve some problems. And yes, I realize there's something wrong with forcing people to install updates, but consider the alternative of reading these articles every week here.

Re:If it's so easy to write one...

[FLoWCTRL]

There was a lot of speculation in the security community that this is effectively what the "Slammer" worm was -- a non-malicous worm that forced everyone to patch their software. Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload. All it did was propogate itself. The DoS effect was just a result of the massive increase in network traffic from its propogation. It could have been way, way worse.

--
http://oss.netmojo.ca

Re:If it's so easy to write one...

[PetWolverine]

Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload

Let's think of a worst-case scenario, here...

The worm had a program to propagate itself in a space of 376 bytes. It had up to, what, 1500 bytes to carry whatever program it wished? Let's say it used those 1500 bytes to set up a program that would listen on a particular TCP port for instructions from the author's computer. Then, rather than propagating itself as fast as possible, it sends out a packet every few minutes, gradually and insidiously infecting all MSSQL servers on the Internet.

The 1100 extra bytes are used to write a program to disk, and then launch it. This program listens for connections on some high port, or perhaps just listens for UDP packets of a certain description (since it knows the firewall lets those through). At first, it simply catches all worm packets and records the IP addresses, so that it knows what other hosts are infected.

The author's computer listens for these packets, and makes a similar list of infected hosts. Then, when the time is ripe, he starts sending additional instructions to those hosts.

The hosts receive the new instructions, modify their program based on the contents, and then echo the packet out to the hosts in their lists. The author numbers the instruction packets, and the hosts make a note of which ones they've received and ignore repeats. That way, once all infected hosts are updated, the patches stop flying around.

One of the first instructions to be sent out is to make the program launch at boot time. Then, the infected computers are sent instructions to stop propagating themselves. They're sent instructions to report back to the original source. The author looks at the hosts, sends out special non-propagating instructions to military hosts to send him their data. He sends out instructions to hosts that may have access to credit card databases to send him the numbers and expiration dates. He gathers whatever other information he deems useful.

Then, he sends out an instruction for all hosts to delete all data from all databases.

How difficult would it be to write the initial program for that? How difficult to make those patches, and make them work? My guess is, someone who knows assembly well could pull it off. It may take a fair amount of time and patience, but the amount of money to be made is pretty considerable and could make it worthwhile. Hey, if I were going to write a malicious worm, that's how I would go about it.

But the most pertinent question is, how many MSSQL servers are still out there, unpatched, vulnerable, serving critical data?

Re:I'm still getting pestered by Code-Red.

[randyest]

If you're running Apache, and it looks like you are, you can avoid logging that crap (and minimize bandwidth and CPU waste) with this minor httpd.conf change. You can also block/ban email spiders (at least ones that report their agent name truthfully, which apparently is most of them) using the info at the same link.

Warhol

a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."'
A "Warhol" worm wouldn't infect the Internet in 15 minutes, it would infect it for only 15 minutes.

There is no such thing as cyberterrorism

[DmitriA]

Schneier raises some good points regarding this issue in this month's Crypto-Gram.

In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability. We simply don't understand the interactions well enough to predict which kinds of attacks could cause catastrophic results, and terrorist organizations don't have that sort of knowledge either -- even if they tried to hire experts. ...

Despite our predilection for calling anything "terrorism," these attacks are not. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That causes annoyance and irritation, not terror.

This is a difficult message for some, because these days anyone who causes widespread damage is being given the label "terrorist." But imagine for a minute the leadership of al Qaeda sitting in a cave somewhere, plotting the next move in their jihad against the United States. One of the leaders jumps up and exclaims: "I have an idea! We'll disable their e-mail...." Conventional terrorism -- driving a truckful of explosives into a nuclear power plant, for example -- is still easier and much more effective.

Re:There is no such thing as cyberterrorism

[sn00ker]

In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability.

Now, was it not the case that it was the network load, rather than the worm, that caused these problems?
It was contemporary knowledge that ATMs use(d?) dedicated networks, primarily to protect against intrusion. If ATM traffic is now being routed across the 'net, VPN'd or not, the possibilities are endless.

As for "cyber terrorism" being a bullshit term, not entirely. Fine, loss of ATMs or e-mail won't panic most people (unless you're in the middle of a multi-billion-dollar, must-happen-now deal that's being conducted through e-mail), but you can do things through the 'net that will result in public disorder. A coordinated effort to modify the sites of all major news organisations could easily start a mass panic if the "right" message was presented - Even more so if web radio broadcasts were also tampered with to back the news sites.

Re:Oh no! Shut the Interweb off!

[KrispyKringle]

Your assumption is that true security is a theoretical impossibility. On what grounds?

I agree that it's not safe to rely on humans to keep systems patched. But, for one, if most systems are kept patched, a worm like SLAMMER would be useless. This is an obvious point you neglect, but not an interesting one.

More interesting, I think, is the debate over whether there is such a thing theoretically possible as a secure architecture. This is, of course, the idea behind "secure" systems designed to be so from the ground up, such as Palladium. Ethernet, TCP/IP, ARP, and most of the other protocols which make up the 'Net were not designed with security in mind from the bottom up, but rather designed for effectiveness, ease of implementation, and the like. For example, why do Ethernet cards allow promiscuous mode? It makes diagnosing certain problems easier, but it also represents a very big opportunity for all sorts of security vulnerabilities. Or why can MAC addresses be changed so easily? This represents an easy opportunity for mischeif.

But had the entire architecture of the 'Net been designed for security and accountability rather than ease of access and openness from the start (granted, two often-conflicting ideals), would absolute security be possible?

Many say that security is never truly possible without unplugging the computer from the 'Net, turning it off, and embedding it in concrete. This may be exaggeration, but of course it is quite difficult to prove something secure; RSA has not be proven secure, public-key cryptography has not been proven secure, and I don't really see how you could prove any other system secure, either.

This may not be necessary, however. We may not know for certain that RSA is secure, but we assume that the NSA does not know how to factor such large numbers any better than the rest of us, and we assume it to be secure (and such an assumption does appear valid). If enough evidence exists to assume a system to be "practically secure," that is enough for implementaiton.

I have no answers to these questions. But I think to assume such a problem is unanswerable is silly and is itself merely a non-answer. Security may not be an easy goal, but it may be acheivable. At least in some forms, this is clearly the case; it would quite evidently be possible to stop some sorts of attacks, like SLAMMER, in the future, even if theoretical, absolute, security remains un-obtainable.

Worm Analysis paper - "prior art"

[versus]

This paper appears in the Proceedings of the 11th USENIX Security Symposium (Security '02)

How to 0wn the Internet in Your Spare Time

Interesting topics: "Better" worms techniques

• Localized scanning--Code Red II
• Multi-vector worms--Nimda
• Hit-list Scanning
• Permutation Scanning
• Simulation of a Warhol Worm

"A combination of hit-list and permutation scanning can create what we term a Warhol worm, capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes. "

Re:Oh no! Shut the Interweb off!

[knobmaker]

Your assumption is that true security is a theoretical impossibility. On what grounds?

Not to speak for the previous poster, but that's a pretty good assumption. No technological advance has ever succeeded in remaining secure for long.

(Example: plate armor probably seemed impregnable in practical terms, until the longbow came along. Yeah, okay, a stinking peasant could hamstring a warhorse and beat the knight to death with a rock while he lay helpless on the ground, but these possibilities were probably ignored with the same superstitious enthusiasm that sysadmins ignore the rarer kinds of attacks on their systems.)

I would think that the burden of proof falls on those who maintain that "true security" is attainable. And the minute you propose some system to guarantee that true security, some clever person will come along and propose a way to get around it.

Anyone designing a critical security system should probably start off with the assumption that security will eventually be breached, and make damn sure that when the breach occurs, catastrophe does not result.

But

[commodoresloat]

Everyone knows that worms DO infect apples.

Re:Oh no! Shut the Interweb off!

[Gordo_1]

Actually, this is exactly where a portion of the security community is currently focusing. With a deep enough level of protocol understanding, it's often possible to write generalized algorithms that detect (and presumably block) novel attempts to exploit a known vulnerability. For example, in the case of SQL Slammer, the buffer overflow vulnerability disclosure came many months before the worm hit, and at least a couple intrusion detection vendors were able to positively identify the exploit attempt without requiring an update -- one of the keys to protection against such a rapidly propagating worm.

Re:Oh no! Shut the Interweb off!

[GigsVT]

I'm no historian, but I bet plate armor was more for intimidation factor than anything else.

I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.

I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.

Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change. :)

only large-scale communication network?

[Imperator]

There are these things called, uh, let me think, they're often connected to wires in the wall, umm, sometimes people forget to turn them off in movie theaters, err, they make noise when someone wants to talk to you, uh, damnit I forget. But they were the big thing a few years ago. I think I can even remember using them for Internet access, but maybe that was just a bad dream.

a call to the white hats?

[Vaughn+Anderson]

Hey, when is someone going to be nice enough to the world to make a purty li'l worm that actually shuts off all the security features that are exploited in Outlook...

I am sure there are plenty of reasons not to do this, but if you asked the person politely like.

"Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer?
| Yes | No |"

*click*

"Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"

Re:Oh no! Shut the Interweb off!

[Mark+Bainter]

An excellent point. Worse, users aren't exactly careful about who they trust when it comes to computers.

Scenario:

• User opens email
• User clicks attachment
• Window pops up: <blink>WARNING<>
  This code has not been signed (or is signed by an unknown publisher) Click OK in this box could transmit a virus, destroy your hard drive, subvert your nations economy, summon flesh eating aliens and damn us all to eternal hell.
• User clicks Ok

Yes, checking signatures on code you execute is a good thing, but there are specifics to be concerned about in an implementation. How to you guarantee the signature? Obviously, some sort of authentication, and method of checking the signiture against, perhaps, a public key is needed. And to handle that you need a web of trust that's workable. But none of that matters a whit if users aren't careful about the trust, and don't investigate. Nor is it worth a darn if they ignore warnings. These problems (aka user education, and poorly designed secure systems) have to be taken care of before any of this will be useful.