Defense and Detection Against Internet Worms
Publishing a book on a subject as dynamic as internet worms can never result in a complete volume. The near-weekly outbreaks of modified versions of old worms and completely new designs are enough to frustrate the efforts of even the most prolific anti-virus software developers, let alone those who try to provide an overview of their study.
Nevertheless, Nazario delivers a clear and concise summary of the state of worms today. Seeded by a paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash) written in 2001, Defense and Detection Strategies against Internet Worms encourages the reader to focus on the directions worm development might take in the future, with a specific view toward anticipation of, and preparation for, future attacks.
The book begins with a discussion of the departure worms take from traditional computer virii. An outline of the advantages a worm-based attack offers the black hat, together with a brief analysis of the threat model posed by worms, provides ample reason for the computer security professional to take the study of internet worms very seriously.
Beyond this introduction, the book is laid out in four major sections. The first introduces background crucial to the study of worms. The author discusses the history and taxonomy of past worm outbreaks, from their sci-fi origins (think John Brunner's Shockwave Rider) through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rates, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between the worms' propagation techniques and the progression of their lifecycles.
The second section of the book (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses to a survey of the network topologies generated by a worm's distribution. Specific infection patterns are examined, along with case studies of worm outbreaks that have exhibited such patterns. Further, this section examines the common characteristics of vulnerable targets, from older UNIX and VMS mainframes through desktop systems onward to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explanation of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement chapter nine's analysis of, and speculation on, the future of internet worms.
Section three (ch. 9 - 11) focuses on worm detection strategies, and is more distinctly aimed at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented with a focus on timely and efficient protection from further infection. Monitoring techniques for quickly recognizing, analyzing and responding to worm outbreaks lead into a detailed description of well-placed honeypots and dark network monitors ("black holes"). Discussion of the (so far) most effective method of worm detection, signature analysis, completes the section, and covers host-based and logfile signatures, along with a brief overview of analyzing logfiles using commonly available utilities.
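To make the scan-detection and dark-network ideas in that section concrete, here is an added example (my own illustration, not code from the book): a small Python script that walks constructed firewall log lines, flags any source that fans out to many distinct hosts on a single port inside a short window, and separately records anything aimed at an assumed unused "dark" range. The log format, the 192.168.9.0/24 darknet and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall log lines (not from the book or any real sensor).
# Assumed format: "<epoch> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_LOG = """\
1000 10.0.0.5 -> 192.168.1.10:80 tcp allow
1000 10.0.0.5 -> 192.168.1.11:80 tcp allow
1001 10.0.0.5 -> 192.168.1.12:80 tcp allow
1001 10.0.0.5 -> 192.168.1.13:80 tcp allow
1002 10.0.0.5 -> 192.168.1.14:80 tcp allow
1002 10.0.0.5 -> 192.168.9.7:80 tcp deny
1003 10.0.0.5 -> 192.168.1.15:80 tcp allow
1003 10.0.0.5 -> 192.168.1.16:80 tcp allow
1004 10.0.0.5 -> 192.168.1.17:80 tcp allow
1005 10.0.0.5 -> 192.168.1.18:80 tcp allow
1001 10.0.0.9 -> 192.168.1.10:80 tcp allow
1030 10.0.0.9 -> 192.168.1.10:443 tcp allow
1060 10.0.0.9 -> 192.168.1.20:22 tcp allow
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\w+) (\w+)$")

# Assumed dark range: nothing legitimate lives here, so any packet aimed at
# it is a probe (a "black hole" monitor in the review's terms).
DARKNET = ip_network("192.168.9.0/24")


def parse_log(text):
    """Yield (ts, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, _proto, _action = m.groups()
            yield int(ts), src, dst, int(dport)


def detect_scanners(text, window=10, fanout=8):
    """Flag a source when it touches at least `fanout` distinct hosts on one
    port within `window` seconds (horizontal scan), and record darknet hits."""
    events = sorted(parse_log(text))
    by_src_port = defaultdict(list)      # (src, dport) -> [(ts, dst), ...]
    dark_hits = defaultdict(set)         # src -> {dark destinations}
    for ts, src, dst, dport in events:
        by_src_port[(src, dport)].append((ts, dst))
        if ip_address(dst) in DARKNET:
            dark_hits[src].add(dst)

    findings = {}
    for (src, dport), hits in by_src_port.items():
        # Sliding window: from each hit, count distinct targets within `window`.
        for i, (t0, _) in enumerate(hits):
            dsts = {d for t, d in hits[i:] if t - t0 <= window}
            if len(dsts) >= fanout:
                findings[src] = {"port": dport, "distinct_hosts": len(dsts),
                                 "darknet": sorted(dark_hits[src])}
                break
    # A darknet touch is suspicious on its own, even below the fan-out threshold.
    for src, dsts in dark_hits.items():
        findings.setdefault(src, {"port": None, "distinct_hosts": 0,
                                  "darknet": sorted(dsts)})
    return findings


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_LOG).items():
        print(src, info)
```

On the constructed log, 10.0.0.5 is reported (ten distinct hosts on port 80 in six seconds, plus one darknet probe) while 10.0.0.9, which talks to three ports on two hosts over a minute, is not. The window and fan-out values are the knobs a practitioner would tune against normal traffic before trusting the output.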
The final section of the book (ch. 12 - 16), as the title promises, aims at defense strategies against worm outbreaks. Beginning with the obvious first steps which anyone reading the book ought to have implemented already (firewalls, virus detection software, sandboxing, and patching-patching-patching), the section progresses into less widely used but equally important proxy-based defense methods, and continues on to cover slowing down infection rates and fighting back against existing worm networks. For the sake of thoroughness, an overview of the legal implications of attacking worm nodes receives its fair share of attention, simply to alert the reader to the potential pitfalls of proactive defense.
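One concrete way to "slow down infection rates" is per-host outbound connection throttling, the approach usually associated with Williamson's virus-throttling work; the review does not say which techniques the book picks, so this is an added illustration of my own, not the book's method. The simulation below lets connections to recently used destinations through at once, releases new destinations at a fixed rate, and raises an alarm when the backlog grows beyond what a human-driven host would ever build up. Rates, working-set size and alarm depth are assumptions.

```python
from collections import deque


class ConnectionThrottle:
    """Simulated per-host outbound throttle (rate-limiting defense, assumed
    here rather than taken from the book). Destinations in the recent working
    set pass immediately; new destinations are released at most `rate` per
    tick; a backlog deeper than `alarm` marks the host as probably infected."""

    def __init__(self, rate=1, working_set=4, alarm=10):
        self.rate = rate
        self.working = deque(maxlen=working_set)   # recent destinations
        self.queue = deque()                       # waiting new destinations
        self.alarm = alarm
        self.alerts = 0

    def request(self, dst):
        """Host wants to open a connection to dst.
        Returns True if it goes out now, False if it is queued (or already is)."""
        if dst in self.working:
            return True
        if dst in self.queue:
            return False
        self.queue.append(dst)
        if len(self.queue) > self.alarm:
            self.alerts += 1
        return False

    def tick(self):
        """Advance one time unit: release up to `rate` queued destinations."""
        released = []
        for _ in range(min(self.rate, len(self.queue))):
            dst = self.queue.popleft()
            self.working.append(dst)
            released.append(dst)
        return released


def simulate(batches, ticks, **kw):
    """Feed one batch of requested destinations per tick.
    Returns (connections_let_out, still_queued, alerts_raised)."""
    throttle = ConnectionThrottle(**kw)
    passed = 0
    for i in range(ticks):
        batch = batches[i] if i < len(batches) else []
        for dst in batch:
            if throttle.request(dst):
                passed += 1
        passed += len(throttle.tick())
    return passed, len(throttle.queue), throttle.alerts


# Constructed workloads: a person browsing two sites, and a worm sweeping 30
# fresh targets in its first second.
BROWSING = [["a.example"], ["a.example", "b.example"], ["a.example"], ["b.example"]]
WORM_BURST = [["target-%d" % i for i in range(30)]]


if __name__ == "__main__":
    print("browsing:", simulate(BROWSING, ticks=4))     # all 5 requests go out
    print("worm:    ", simulate(WORM_BURST, ticks=3))   # 3 out, 27 held, alarm
```

The point of the design is that the throttle costs a normal user nothing visible (every browsing request goes out within one tick), while a worm that wants thirty new victims per second gets one, which both slows its spread and gives the backlog depth as a detection signal.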
Defense and Detection Strategies against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the only network security issues to consistently make headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.
You can purchase Defense and Detection Strategies against Internet Worms from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Referral Link: Amazon has this book for the same price as bn ($85) and with free shipping
Some cheaper copies are available from the Amazon marketplace users.
....if DEET is as good of a defense against worms as it is against mosquitos. Hmmm....
Check AddAll.com
Is it standard practice these days to remove links to amazon.com? There were several in the original article. Did I miss some sort of OSDN/bn.com tie-in?
is a good offense.
And I'm sure that if I were a smarter man, I could figure out how that applies here.
Blogzine
clifgriffin > blog
I met the good Dr (he has a PhD in the biomolecular sciences, IIRC) at a white-hat security conference a few years ago. He's probably not as well known as Dr. Knuth or Dr. Bernstein, but his work is just as important, though sadly unrecognized. I guess when you do consulting/researching, you don't get the prestige that you do in academia.
Wasn't the author previously a Defense Against the Dark Arts teacher at Hogwarts?
---
I type this every time.
I read an article, sorry don't have the link, that talked about research that NIST was doing on internet worms. Essentially, they were looking back over intrusion patterns and making some generalizations about the patterns by which worms spread. They then attempted to create models that took variables such as link speeds, number of "seed sites", etc. and tuned them until they matched the real data. They then set their models up with other values to predict what would happen in different scenarios. At any rate, guess what seed-site scenario resulted in the most catastrophic situation given limited resources of 5 seed sites and 24 hours in which to deploy the worm?
Porn sites. Given how shady those guys are, this leaves me really hoping that they've got the sense to keep their systems secure.
-JT
there have been unix and linux worms.
there's your dessert for thought.
But this all does seem to be more and more like a battle between good (computer users) and evil (worm/virus programmers). How bad will it get when we have everything electronic talking to everything else electronic? Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!
You mean I have to pay $85 to read about stuff we know already and learn about practices all smart admins should take? Forget it.
But seriously, all of us know already what we SHOULD do, it's just that we don't do it. How many people regularly work on their computer using an admin-level account, doing stuff that doesn't require admin level access? Far too many people do this, even techies.
I do everyday work logged onto a Limited account on Win XP, although I admit, it's a real pain to have to login to the root account to download an ActiveX control, configure hardware, do Windows Update, norton antivirus update, etc. But I do because I know it's safer to only use an admin level account when that type of access is required.
How many people do that? How many techies do that? How many college students in some tech-illiterate college (ex Liberal arts type majors) do this? What we need isn't a book, it's a good kick in the pants to force us to adopt good safety measures.
Please.
Trolling is a art,
Food for thought: Linux Slapper Worm doesn't run on Windows.
Windows.
There's food for thought.
I think this is more like junk food for thought (say, like cotton candy): not much substance, and if it is all you ever eat, your brain will starve. The only reason we see swarms of worms on windows is it is the number one used platform of home users who download stuff willy-nilly, as well as read their email using outlook.
I Am My Own Worst Enemy
Not to nitpick or anything, but computers, radar, anything electronic doesn't work near Hogwarts, they "go haywire" according to Hermione.
Hermione really does say that. Check in book 4, where Harry is trying to figure out how Rita Skeeter is finding out loads of stuff about Hagrid, and he's going through the list of ways Rita could spy on Hogwarts without being detected. One of the things he mentions is an electronic bug, at which point Hermione butts in and says how electronic stuff won't work near Hogwarts.
Whoa... guess I've been reading too much 'Arry Potter myself...
Finding a half of a worm.
More stupid worm jokes to follow...
"If you think you have things under control, you're not going fast enough." --Mario Andretti
Oh my god, it happened. Slashdot has given mod points to windows users. Oh, sweet lord, the end is nigh!
"Note: RMA the cdrom drive that linux "destroyed" since it was a problem with the drive not being up to standard."
The book begins with a discussion of the departure worms take from traditional computer virii.
Dear Reviewer, you seem to have a virus known as 'W32.can't-spell-viruses', I suggest, performing a full scan using your virus^h^h^h^h^h spell checker, with up-to-date definitions^h^h^h^h^h^h^h^h^h^h^h dictionary.
Chapter 1: Firewall
Step 1: Get a firewall.
Step 2: Close all the ports you don't use.
Simple huh?
Causing Chaos Everywhere,
Nik J.
The strange world of a loner, in a populous city, drowning in society
You Dumbass. The first worm was the Morris Worm, in 1988, which attacked VMS and Sun machines.
Anyone who is going to be interested enough to purchase this book is already outside the class of people who are likely to benefit from purchasing the book...
:-(
The vast majority of worms spread via unmaintained systems. There is the occasional (one comes to mind) worm that exploited a novel problem, but most worms exploit already-patched issues. The problem is "admins" not maintaining the security level of their systems.
Unless basic security levels are increased (home users on ADSL/Cable modems without firewalls spring to mind) then worms (nefarious or otherwise) are going to be a problem, and the good Doctor's book may well aid in tracking down the perpetrator, but sadly, there seem to be an inexhaustible supply of them
Depressed.
Simon.
Physicists get Hadrons!
Jesus H Christ! The first chapter is 7,328 pages, over three volumes!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
While I agree with your overall gist, I wouldn't say it is the *only* reason we see so many Windows worms... The fact remains, there are serious issues with the MS Windows code base, as evidenced by the ridiculous number of MS Security Advisories coming out every month... The major reason for this is the fact that MS Windows XP still supports Windows 95, and even MS-DOS programs, so there is most likely still native code that is eight or more years old in there. Regardless of MS' supposed commitment to secure programming, they would have to perform a major code review to clean everything up.
I distinctly recall the Autostart9805 worm that plagued Macs in May of '98 (9805, duh). It even made it onto the pack-in disc from MacAddict one month.
Of course, that worm didn't do any damage, IIRC. And it took advantage of one of the things Apple copied from Microsoft, which may explain why they're now hesitant to add things to OSX that "have been in Windows for ages."
But worms are certainly NOT a Windows-only problem.
This FAQ seems to have a lot of good information on Internet Worms:
http://www.networm.org/faq/
I'm not a US citizen myself but I read it somewhere that the majority of Americans believe that you cannot be a good person if you don't believe in the (vengeful) Christian God.
If that's not scary, I don't know what is.
Well if you read it somewhere, by all means, it must be true.
Shai-hulud.... First you get the spice, then you see the future, then you get the women.
What I'd like to know, is what is good software to use for anti-worm security in a linux (server) windows (desktop) environment. There's a lot I can do on the server (firewall, proxy, mail-filter, etc), but not so much on the client... how about antivirus software, what's good, what's bad, and what's affordable or open-source (linked articles are informative, but don't cover specific apps).
Anyone got some feedback on this, or perhaps whether the book covers good apps in significant depth?
What if I read it on BBC?
Buy the book for the people whom you know need it. Dogtag/highlight relevant pieces in highlighter.
Leave gift-wrapped in the vicinity of the bathroom. It may take awhile, but eventually somebody will probably pick it up and start perusing (bathroom is the best place to plant reading material). If you're lucky, they may find it interesting, or at least stay long enough to catch some important points.
Oh, and if you want, you could speed up the reading process by also lacing the Xmas cookies/etc with a little X-lax icing.
Although I would not mind seeing all these pre-historic laws in a museum, they have no place in the place of modern justice. Even if no explicit religious reference is being made.
Indeed, and for me, just running Linux doesn't go far enough. My webserver is running a relatively obscure (but secure) httpd on a relatively obscure (but secure) OS on a relatively obscure hardware platform. Further, the httpd is running as nobody in a chroot jail, and is behind a DMZ with no access to the outside Internet, let alone my LAN.
I'm so belt-and-suspenders that I don't trust ssh to sit on a port by itself, and I wrote a separate authorization program that only enables ssh temporarily, for a single IP address at a time.
I won't say it's unhackable, but it's about as close as I can get without cutting off the electricity...
PHEM - party like it's 1997-2003!
It doesn't have to be, but as you admit that is what it was there for.
In any case, a courtroom should not be a showcase for laws of years past. It should be where present-day laws are applied.
Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!
;)
Isn't that what BlueTooth is for?
Can you say intrusion prevention? I saw the Tipping Point UnityOne product stop in their tracks Blaster, Nachi, and SobigF. Just hours after the outbreak. I have personally put several of these in place at colleges, city government and medical facilities in the past 5 months and it works flawlessly! And I have yet to have a single false positive. Feel free to check it out at http://tippingpoint.com/ IT WORKS like nothing else I have seen yet. Granted I have only been doing network security for 5 years.
I wouldn't put all of them in a museum. Thou shalt not kill is more relevant than ever these days. I wonder how a Born Again Christian Commander in Chief justifies that one to himself.
You clearly don't read The Register. They are forever forgetting to close anchor tags, resulting in many a bright blue, underlined page of text.
cook all pork thoroughly before feeding it to your computer. Or, better yet, only feed it SPAM!
The FAQ includes the interesting sentence:
Oddly, under the Bush administration, there has been a massive contraction in research funding into Internet Security.
It would be interesting to see details of this charge. Is it really true? If so, we should be publicising it.
Contrary to much of the marketing hype, the Internet was in fact developed primarily with US government funding. DoD funding, in particular, through (D)ARPA.
The commercial world is trying to take credit, but they did very little to help develop the Internet. So far, the commercial guys also seem to be not terribly interested in Internet security, with the obvious exception of the handful of companies that were created to sell after-the-fact security-related software. Meanwhile, the big vendors continue to turn out new network apps with little regard for the new security holes those apps may contain.
If history is any guide, the only likely source of real Internet security is the academic community that built it in the first place. And the only likely source of the funding is from the US and a few other governments.
Reading of cutbacks in this funding just as the really serious worms are appearing is somewhat unsettling.
So what are the numbers? What is the history of funding for Internet security research? Can we collect the details, and publicise the situation? Has it already been done?
(A quick check via google turned up a few tantalizing details, but no obvious site with a complete summary.)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
The first worm was the Morris Worm, in 1988,
Nah; I clearly recall being bemused by the release (on a couple of newsgroups) of PDP-11 and VAX worms and viri in '83. I know it was that year, because I know where I was working when they came out. I don't recall that we gave them official names then, though.
Needless to say, when the proof-of-concept was published, the main reaction back then was to study them, figure out how to prevent such things "in the wild", and tell the vendors in no uncertain terms that they would add the fixes to their systems or they would make no more sales. Since then, There have been only a handful of actual wild worms and viri in the entire unix part of the industry, and they used exploits that were fairly new at the time.
In a very real sense, the major reason that the Microsoft user community has such problems is that they permit Microsoft to continue to sell software that's full of security holes. As long as their customers continue to pay them good money for insecure software, they will continue to build and sell it.
Anyway, there were probably worm/virus prototypes before 1983. Anyone know of them?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
make your next book The Diamond Age and apply that idea, then you'll get really really scared.
"Nothing was broken, and it's been fixed." -- Jon Carroll
The only reason we see swarms of worms on windows is it is the number one used platform ...
<SIGH/> Time to debunk this argument once again.
The most blatantly-obvious counter example is web servers. These are tremendously attractive to attackers, for obvious reasons, and a lot of web sites have been defaced or brought down by security holes in the web server.
The main web server is apache. It is on nearly three times as many sites as Microsoft's IIS server, the second-place server. But almost all of the successful attacks have been on IIS servers. Despite its overwhelming numeric lead, apache is hardly ever compromised. When it is, it's because someone has done something stupid that's outside of apache's control (such as installing CGI programs with holes). The fault has hardly ever been with apache itself.
It's true that you can point at a good list of apache security holes. But if you look closely, you'll find that almost all are fixed before an exploit appears. And webmasters have been good enough at upgrading apache servers that when an exploit appears in the wild, it only finds a few servers that are vulnerable.
Meanwhile, over in IIS land, security holes tend to be kept secret until Microsoft has a patch. Users don't hear about potential exploits, and programmers outside Microsoft can't work on fixes. Also, IIS webmasters seem to be exceedingly lax about installing the patches. The result is that IIS worms can flood large parts of the Internet and DoS large neighborhoods, often before anyone outside Microsoft is aware that there's a problem.
This situation is made worse by Microsoft's tendency to prosecute people who do the work that it takes to find and document security holes.
It takes more than a large installed base for attacks to work. The popular software also has to be vulnerable to attack. The support programmers have to be slow at fixing the holes. And the users have to be lax about installing the fixes. These properties often hold for the Microsoft developer and user communities. They usually don't hold for any of the other platforms.
The main effect of Microsoft's market lead is that it gives them the arrogance to market software with major holes. They know that they won't be held liable for the results. The smaller vendors know that serious security problems are likely to wipe out their business. The Open Source community doesn't have this worry, but it's full of people who take security very seriously, want their own computers to be secure, and have access to the source code.
This situation isn't going to end soon.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
It's not at all obvious to me what this has to do with defending against and detecting Internet worms.
... ;-)
Yes, I've RtFTC (Read the F***ing Ten Commandments), and maybe I'm being dense, but I don't see anything there that is applicable to Internet worms. Not even the wildest metaphorical stretch seems to make any of them fit.
Maybe some kind soul can enlighten me
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
In 1981-1982 the first computer virus, Elk Cloner, started spreading in the wild but it was not until 1983 when Fred Cohen finally proved that the concept of a computer virus was viable. To my best knowledge the first worm spreading in the wild was IBM Christmas Worm in 1987 and the first Internet worm was Robert T. Morris' Worm in 1988.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
If you have a lot of worms around the office, all you need is a couple of chickens to get rid of them.
I am Monkey, the Great Sage, equal of heaven!
In case your mare get worms, just a simple medicine always helps!
At least that's what our vet recommends to keep our dog worm-free.
i am not kidding.
Rathumos:
;)
:)
Actually, links like the ones included with your review aren't the real problem. In a very slightly different universe, they'd have been completely fine. Yes, bn.com affliliate links are good for us (Slashdot), both for consistency (good to always have a link at the bottom to the reviewed book so people can find it, and confusing to have more than one) and because they make the site some small amount of money, but the bigger reason to me for not allowing affiliate links is to prevent abuse.
Allowing affiliate links ups the odds of link-stuffing. I don't want to run reviews that are built like Star Wars Episodes 1-3, thinly veiled links to products. You might be amazed by how many affiliate links some people try to jam into a single review
It's a free world though, and when a book is available elsewhere for a lower price, or to folks in e.g. the UK, it usually shows up quickly in the comments. Probably not to bn.com's taste, but Hey, them's the breaks
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
http://www.greyowltutor.com/essays/virus.html
That's an excerpt from a chapter of _Dealers of Lightning_ an account of Xerox Parc. According to that, it's the first network worm that has been accounted for (1978), albeit it was more like a benevolent worm that got a bug, rather than a malevolent one. Good reading in either event; jose actually reviewed the book for slashdot some time ago.
The 1983 stuff you mention is likely Cohen's initial research work, there have been some other worthwhile papers/talks/shows on worms and worm history recently as well e.g.
http://www.intrusec.com/goodworm081903.ppt (DJM's talk from toorcon this year, focusing on 'good worms' and history [primarily 1990's and beyond])
1978 might not even be the first, but it's darn close.
i haven't read this book, so i dont know if it covers this: if i'm an isp, can i stop worms for the benefit of my subscribers?
it seems like all the big time worms look the same to the network, cause each one uses the same vulnerability over and over. that means that the packets hit the same port, so you could just look at the port number in the header.
not only that, but so far worms aren't self-modifying (does that mean they're reentrant or non-reentrant? i always get that mixed up). that means that you could just write some code to watch for the same data packets by generating something that a standard intrusion detection system can read. that probably means you'd have to hash the packet's data in some smart way.
most of the worms so far also have gone from lots of infected hosts to lots of other hosts. so if you see packets that all look the same and are going to everywhere from everywhere, it's probably a worm. not for sure, but almost for sure. and then, if you want to stop worms that hit microsoft iis or things like that, they're probably just x86 assembly code, so you could look for assembly code, etc..
once you're pretty sure you have a worm on your hands, you could just filter them all out. (yeah yeah, so you'd have to be pretty sure it's worms you're filtering, but when a worm's loose, the net's going to suck anway).
i think this'd work darn well. it might end up missing some worms, but why not do this as a first step? am i missing something, or has this already been done? or if nobody's done it, i think someone should!
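The poster's sketch (same port, same payload, many sources to many destinations) is essentially content-based worm clustering, and it is easy to prototype. The following is an added example of mine, not something from the book or from any ISP deployment: it hashes a fixed-length prefix of each flow's payload (the "smart" hashing the poster asks for, since trailing padding or host names would otherwise split one worm into many keys), groups flows by destination port and prefix hash, and flags groups seen from several sources to many destinations. The flow records, payload bytes and thresholds are constructed for the example; the final function renders an iptables `string`-match rule, which is one assumed way the poster's "filter them all out" step could be carried out.

```python
import hashlib
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, payload); not real captures.
# A worm sends the same exploit bytes from every infected host to every target,
# so one payload prefix shows up from many sources to many destinations.
WORM_PAYLOAD = b"\x90" * 32 + b"CONSTRUCTED-WORM-PAYLOAD" + b"\x00" * 8
PAGE_FETCH = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"


def make_flows():
    flows = []
    for i in range(1, 6):                       # five infected sources ...
        for j in range(20):                     # ... each probing twenty hosts
            flows.append(("10.1.0.%d" % i, "172.16.%d.1" % j, 80, WORM_PAYLOAD))
    for i in range(1, 4):                       # three clients, one web server
        flows.append(("10.2.0.%d" % i, "172.16.0.1", 80, PAGE_FETCH))
    return flows


def content_key(payload, prefix_len=64):
    """Hash only a fixed-length prefix, so trailing variation (padding, host
    names) does not split one worm payload across many keys."""
    return hashlib.sha256(payload[:prefix_len]).hexdigest()[:16]


def cluster_flows(flows, min_sources=3, min_destinations=10):
    """Group flows by (dst_port, content_key) and report groups that come from
    at least min_sources distinct hosts and go to at least min_destinations."""
    groups = defaultdict(lambda: {"srcs": set(), "dsts": set(),
                                  "flows": 0, "prefix": b""})
    for src, dst, dport, payload in flows:
        g = groups[(dport, content_key(payload))]
        g["srcs"].add(src)
        g["dsts"].add(dst)
        g["flows"] += 1
        g["prefix"] = payload[:16]               # kept for the filter rule
    suspects = []
    for (dport, key), g in groups.items():
        if len(g["srcs"]) >= min_sources and len(g["dsts"]) >= min_destinations:
            suspects.append({"port": dport, "key": key,
                             "sources": len(g["srcs"]),
                             "destinations": len(g["dsts"]),
                             "flows": g["flows"], "prefix": g["prefix"]})
    return suspects


def drop_rule(suspect):
    """Render an iptables rule (assumed deployment; real syntax of the `string`
    match module) that drops packets carrying the flagged 16-byte prefix."""
    return ("iptables -I FORWARD -p tcp --dport %d -m string --algo bm "
            "--hex-string '|%s|' -j DROP" % (suspect["port"],
                                             suspect["prefix"].hex()))


if __name__ == "__main__":
    for s in cluster_flows(make_flows()):
        print("%d flows, %d sources -> %d destinations on port %d"
              % (s["flows"], s["sources"], s["destinations"], s["port"]))
        print(drop_rule(s))
```

The three clients fetching the same page share a content key too, but they hit a single server, so the many-to-many test keeps them out of the report; that second condition is what separates a worm from a popular page. The caveat the poster already half-states applies in full: a 16-byte prefix that happens to occur in legitimate traffic will drop that traffic as well, so a rule like this belongs on a border router during an outbreak, with a human watching, not in a permanent ruleset.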
Too many developers for windows boxes (and I am one) have admin access to the development machine so they never have to think about security until someone tries to install their software in a locked down environment.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
always was.
Technology is the application of your knowledge of nature to modify it.
Magic, whether by people or "supernatural beings" (lovely oxymoron, that) is exactly the same, only with modified laws of nature.
The difference, I believe, is that science and tech are more democratic: a normal person can, with a lot of work and help, understand and apply some of the basic principles.
On the contrary, muggles and squibs just can't perform magic no matter how hard they work.
Working for necessity's mother.
are created, waiting to be created, dormant, obsolete, or still running amok, they only run on one platform:
Funny thing, is. No matter how many people I hear say that (as a matter of fact the more people say that). The more logic says that when it happens it will DEVASTATE the community of leet wannabe linux dorks. The people who are serious networking types that use Linux already CAN AND DO take proactive measures to detect, minimize the possible damage. But I pity the penguin when someone writes a blast for Linux worm. Simply running Linux is only security through obscurity right now, grow up and treat every internet connection as a potential security breach. I am guessing that my XP workstation is more secure than your Linux box just because I take it seriously...you should too.
Thank you soapbox
> I'm not a US citizen myself but
This isn't an insult/attack, but that is plainly obvious, considering what follows.
> the majority of Americans believe that you cannot be a good person if you don't believe in [...] God.
Wherever you read that is lying or misinformed. The majority of Americans don't care what religion you are. I've been an atheist for about 6 years, and have no problem telling anyone this and have never received a negative reply, or any indication that I'm a bad person. I even live in a relatively religious state, far, FAR, from liberal, but still have no problems.
> I just hope my point is taken about it doesn't have to be viewed as a religious symbol.
When it includes "Thou shalt have no God above me," that pretty much limits it to religion. If those kinds of things weren't on it, I wouldn't care. Unfortunately, with that one line, it should not be displayed on public property.
You: Yes, I've RtFTC, [...] but I don't see anything there that is applicable to Internet worms
:( He doesn't have to put up with this shit."
10 Comm: 2. Thou shalt not take the name of the Lord thy God in vain.
Now, me: "God Damn it! There's ANOTHER GOD DAMN worm loose, taking my servers to a crawl! Who do I have to smite to stop this crap?"
10C: 3. Remember thou keep the Sabbath Day.
Me: "Man, I hate coming in Sundays to fix these stupid PCs."
10C: 5. Thou shalt not kill.
Me: "If I ever catch the sonofabitch who wrote this thing..."
10C: 10. Thou shalt not covet thy neighbour's goods.
Me: "Jimmy, next door, just got a brand new Mac.
There you go. Not perfect, but you said "even the wildest metaphorical stretch." FYI, These are from the Catholic version of the 10 C's.
> they would have to perform a major code review to clean everything up.
I know to take everything MS says at face value, but isn't that what they claim to be doing now?
Ah! You've explained it in a memorable theological fashion.
;-)
So I guess it wasn't OT after all.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.