

Worms Going Further, Faster

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix ;login: passes along a few distilled factoids from a CAIDA analysis of the 'Sapphire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"

21 of 301 comments

  1. Oh no! Shut the Interweb off! by ObviousGuy · · Score: 5, Insightful

    There's a lot that can't be done about these things because at the very bottom of every system is a human being who will forget to patch the system or stupidly open an executable.

    There is no patch for human carelessness.

    --
    I have been pwned because my /. password was too easy to guess.
  2. Ah, the lovely internet... by Qweezle · · Score: 5, Funny

    I'm wonderfully happy to live in a world where the only large-scale communication network is prone to mass disruption and/or destruction at the drop of a pin. Great.

  3. Good for the worms by Anonymous Coward · · Score: 5, Funny

    Fast moving worms are harder for those pesky birds to get at.

  4. Re:Oh no! Shut the Interweb off! by rkz · · Score: 5, Funny

    Cut off their arms?

  5. I've got worms! by eupheric · · Score: 5, Funny

    obligatory dumb and dumber:
    LLOYD
    (smiling)
    I got worms.

    MARY
    I beg your pardon?

    LLOYD
    That's what we're gonna call it: I
    Got Worms. We're gonna specialize in
    selling worm farms -- you know, like
    ant farms. A lot of people don't
    realize that worms make much better
    pets than ants. They're quiet,
    affectionate, they don't bite, and
    they're super with the kids.

    MARY
    Aren't ants quiet, too?

  6. Equation for a good worm by Renraku · · Score: 5, Interesting

    A good set of vulnerabilities across multiple hardware configurations and OSes is a great start. An interesting idea would be to sync the worms up based upon a reading from a certain timezone on time.gov. Make them start scanning all IPs for vulnerable, uninfected machines at the same time. So not only do you get the chance to infect, but you DDoS. Fun stuff. Also, you could make it infect unprotected routers and give the virus 'priority' in transmissions, etc, etc.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  7. UDP all the way! by Gothmolly · · Score: 5, Insightful

    The nice part about Slammer is that it could just spew data - if it hit you, and you were vulnerable, you were infected. It didn't require any complicated TCP sessions, was MUCH nicer on host resources, and the entire hack fit inside a single packet. Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.

    --
    I want to delete my account but Slashdot doesn't allow it.
  8. No worms for me, please! by XxtraLarGe · · Score: 5, Funny

    Thank God I've got a Mac! It's hard enough to get regular software ported, I doubt that many people would invest time to port a worm, except "Worms Blast" =D

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
  9. Re:Why do delinquents bother? by Read+Icculus · · Score: 5, Interesting

    Maybe the "delinquents" are actually pretty damn smart. Smart enough to not get caught because they take proper security precautions. Like others have said this worm was a pretty smooth little hack. All over UDP and in a single packet. Anyway at least when a worm like this comes along people start paying attention to actually fixing the problem. If no one exploited the vulnerability then folks like MS might never get around to fixing it. When something like this is front-page news and on CNN normal folks sit up and take notice. Maybe enough notice to try and make their systems more secure, or perhaps switch to a more secure program/OS. Not that I like viruses and worms, quite the opposite is true. I remember when my ISP got a worm, (Code Red I think), and infected me. The incident certainly made me more security conscious, and I now have a new ISP that I hope has more of a clue than my old one.

    --
    Anti-social? My code is just platform-specific.
  10. Doomsday in a good way? by maliabu · · Score: 5, Insightful

    in THE Doomsday, those who don't believe will be wiped out.

    so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

    and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.

  11. Re:Why do delinquents bother? by PetiePooo · · Score: 5, Interesting

    Not to nitpick, but the SQL Slammer worm appeared to be written in assembly. It is quite interesting to read through the source.

    While the PRNG isn't of the highest quality, its brevity is what allowed it to spread so quickly. An infected system was sending out packets as fast as the outbound pipe could handle it. A smaller virus, even by a few bytes, would mean that much faster of an infection rate.

    By and large, you're right about VBScript making for simple virii, but this isn't the one to use as an example.

  12. Re:Oh no! Shut the Interweb off! by blix5 · · Score: 5, Funny

    Harsher spankings for the people that still haven't grasped the concept of NOT clicking that email attachment with a .vbs extension. :P

  13. Re:Oh no! Shut the Interweb off! by calennert · · Score: 5, Funny

    -blink-blink-
    Connecting to AOL...
    -blink-
    You've got mail!
    -blink-blink
    "ooh, an attachment..."

  14. Re:Oh no! Shut the Interweb off! by pixelgeek · · Score: 5, Interesting

    -- There is no patch for human carelessness.

    The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?

    Yes, there will always be someone who will open attachments no matter how often you tell them not to.

    But perhaps the root issue isn't the fellow who can't stop clicking on Fireworks.exe files but the OS and application developers who enable and then don't patch systems that allow those users to be so easily exploited.

  15. Re:Why do delinquents bother? by aphor · · Score: 5, Insightful

    Why is it so hard to find the author of these programs?
    Because there are so many no-talent hacks out there who *could* have written that lump of nasty crap.

    In the beginning days, on the Apple ][ computers in my grade-school, we learned to guess our way through cracking floppy-disk copy-protected games by comparing a cracked game and a pristine byte-by-byte copy of the original. We eventually learned that a certain byte word combination was the first hardware keyboard access, and we could guess that spot was a good place to stick a jump. Then we tried a few addresses until it worked. In grade school.

    Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

    What really grabbed me was how a really good (insidious) virus could have such a low footprint that it could go undetected for so long. The programmers of those viruses were gifted binary ecologists. I knew then that the games I played were bloated when one year the game took one disk, and the second year you had to swap two disks even though there was little extra play for all the extra data. I envied the virus programmers for their wizardly and miserly command of the machine's meager resources. I even dreamt of the day that I could crank one out like putting together a jigsaw puzzle.

    Now I am older, and the opportunity for that conquest was stolen by Moore's Law. The games (and all software in general) got bloatier and bloatier. There was so much waste, and the machines got so fast so fast, that I saw clever programming die. I was sad. It wasn't until (after I bought a student copy of Borland C++ and was stultified by the massive bloat of win16 API) that I became acquainted with Unix (FreeBSD in particular) around 1.2.1 vintage. I rediscovered elegant software.

    Now, I understand the vulgar joy in duping someone else, but only a jackass gets off duping people who compare to invertebrates on an intellectual scale. VB worms are the modern-day equivalent of burning ants with a magnifying glass. "Letth thaw off hith tweeter Beavith! Hehehehehe Heheheheh..."

    --
    --- Nothing clever here: move along now...
  16. Warhol by Anonymous Coward · · Score: 5, Funny

    a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."'
    A "Warhol" worm wouldn't infect the Internet in 15 minutes, it would infect it for only 15 minutes.

  17. Re:If it's so easy to write one... by FLoWCTRL · · Score: 5, Interesting

    There was a lot of speculation in the security community that this is effectively what the "Slammer" worm was -- a non-malicious worm that forced everyone to patch their software. Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload. All it did was propagate itself. The DoS effect was just a result of the massive increase in network traffic from its propagation. It could have been way, way worse.

    --
    http://oss.netmojo.ca

  18. But by commodoresloat · · Score: 5, Funny

    Everyone knows that worms DO infect apples.

  19. Re:Oh no! Shut the Interweb off! by Gordo_1 · · Score: 5, Insightful

    Actually, this is exactly where a portion of the security community is currently focusing. With a deep enough level of protocol understanding, it's often possible to write generalized algorithms that detect (and presumably block) novel attempts to exploit a known vulnerability. For example, in the case of SQL Slammer, the buffer overflow vulnerability disclosure came many months before the worm hit, and at least a couple intrusion detection vendors were able to positively identify the exploit attempt without requiring an update -- one of the keys to protection against such a rapidly propagating worm.
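
As an added example (not from this thread or from any IDS vendor), here is the kind of protocol-aware check the comment above describes, applied to the SQL Server Resolution Service that Slammer abused: instead of matching the worm's bytes, it alerts on any instance-lookup request whose name field is longer than the protocol allows, so a novel exploit of the same overflow trips it without a signature update. The UDP port, the 0x04 opcode and the 16-character instance-name limit are standard SSRP facts; the alert threshold and the sample datagrams are constructed for the example.

```python
from dataclasses import dataclass

SSRS_PORT = 1434           # UDP port of the SQL Server Resolution Service (SSRP)
CLNT_UCAST_INST = 0x04     # SSRP opcode: look up one instance by name
MAX_INSTANCE_NAME = 16     # SQL Server instance names are at most 16 characters;
                           # a longer name field has no legitimate use, so that is
                           # the alert threshold (assumption: tune per deployment)

@dataclass
class Datagram:
    src: str        # source IPv4 address as text
    dst_port: int   # UDP destination port
    payload: bytes  # UDP payload

def classify(d: Datagram) -> str:
    """Verdict for one datagram: 'ignore', 'ok' or an 'alert: ...' string."""
    if d.dst_port != SSRS_PORT or not d.payload:
        return "ignore"                        # not SSRP traffic, or empty payload
    if d.payload[0] != CLNT_UCAST_INST:
        return "ok"                            # other SSRP opcodes are not modelled here
    name = d.payload[1:]
    if len(name) > MAX_INSTANCE_NAME:
        return f"alert: SSRP instance name of {len(name)} bytes exceeds {MAX_INSTANCE_NAME}"
    if any(b < 0x20 or b > 0x7e for b in name):
        return "alert: non-printable bytes in SSRP instance name"
    return "ok"

def scan(datagrams):
    """Run classify() over a capture and return (src, verdict) for every alert."""
    return [(d.src, v) for d in datagrams if (v := classify(d)).startswith("alert")]

# Constructed sample traffic (not real captures): a legitimate lookup, an unrelated
# packet on the DNS port, and an oversized lookup of the shape any overflow against
# this service would need. The filler is plain 'A' bytes, not worm code.
SAMPLES = [
    Datagram("10.0.0.5", SSRS_PORT, b"\x04SQLEXPRESS"),
    Datagram("10.0.0.7", 53, b"\x04" + b"A" * 200),
    Datagram("10.0.0.9", SSRS_PORT, b"\x04" + b"A" * 200),
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLES):
        print(src, verdict)
```

The same length-versus-specification idea generalises to any fixed-size field in a request/response protocol, which is why such a check survives payload changes that defeat byte signatures.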

  20. Re:Oh no! Shut the Interweb off! by GigsVT · · Score: 5, Insightful

    I'm no historian, but I bet plate armor was more for intimidation factor than anything else.

    I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.

    I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.

    Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change. :)

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  21. a call to the white hats? by Vaughn+Anderson · · Score: 5, Interesting

    Hey, when is someone going to be nice enough to the world to make a purty li'l worm that actually shuts off all the security features that are exploited in Outlook...

    I am sure there are plenty of reasons not to do this, but if you asked the person politely like.

    "Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer?
    | Yes | No |"

    *click*

    "Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"