Slashdot Mirror


Defense and Detection Against Internet Worms

Rathumos writes "The network security world has been waiting patiently for a definitive study of internet worms and defenses against them. Defense and Detection Strategies against Internet Worms by Dr. Jose Nazario has arrived to fill that space with a clear and concise analysis of the current state of worm defense." Read on for the rest of Rathumos' review.

Title: Defense and Detection Strategies against Internet Worms
Author: Jose Nazario
Pages: 322
Publisher: Artech House
Rating: 10
Reviewer: Duncan Lowne
ISBN: 1580535372
Summary: This book provides a solid approach toward detection and mitigation of worm-based attacks.

Publishing a book on a subject as dynamic as internet worms can never produce a complete volume. The near-weekly outbreaks of modified versions of old worms and of completely new designs are enough to frustrate even the most prolific anti-virus developers, let alone anyone trying to provide an overview of the field.

Nevertheless, Nazario delivers a clear and concise summary of the state of worms today. Seeded by a 2001 paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash), Defense and Detection Strategies against Internet Worms encourages the reader to focus on the directions worm development might take, with a specific view toward anticipating, and preparing for, future attacks.

The book begins by discussing how worms differ from traditional computer viruses. An outline of the advantages a worm-based attack offers the attacker, together with a brief analysis of the threat model worms pose, gives the computer security professional ample reason to take the study of internet worms very seriously.

Beyond this introduction, the book is laid out in four major sections. The first introduces the background crucial to the study of worms. The author traces the history and taxonomy of past worm outbreaks, from their science-fiction origins (think John Brunner's The Shockwave Rider) through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rate, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between a worm's propagation technique and the progression of its lifecycle.
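
The infection-rate analysis the review describes can be reproduced in miniature. The following is an added example written for this page, not code from the book: a deterministic model of a random-scanning worm, in which every infected host probes IPv4 addresses uniformly at random and each probe that lands on an uninfected vulnerable host infects it. It also computes what an unused address block (the dark-network monitor discussed later in the review) would see. The vulnerable-population and scan-rate figures are constructed for illustration and are not measurements of any real worm.

```python
"""Added example: deterministic model of a random-scanning worm.

Each infected host probes addresses chosen uniformly at random from the
IPv4 space; a probe that lands on a vulnerable, not-yet-infected host
infects it.  Parameter values used below are constructed for illustration,
not measurements of any real worm.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_SPACE = 2 ** 32


@dataclass
class WormParams:
    vulnerable: int        # N: hosts that can be infected
    scan_rate: float       # probes per infected host per second
    seeds: int = 1         # hosts infected at t = 0
    dt: float = 1.0        # simulation step, seconds


def simulate(p: WormParams, horizon: float,
             address_space: int = IPV4_SPACE) -> List[Tuple[float, float]]:
    """Return (time, infected) pairs from t = 0 up to `horizon` seconds.

    Per step, I infected hosts send I * scan_rate * dt probes; each probe
    hits an uninfected vulnerable host with probability (N - I) / space, so
    growth is logistic: exponential while targets are plentiful, then
    saturating at N as the remaining targets become hard to find.
    """
    infected = float(p.seeds)
    t = 0.0
    series = [(t, infected)]
    while t < horizon and infected < p.vulnerable:
        probes = infected * p.scan_rate * p.dt
        new = probes * (p.vulnerable - infected) / address_space
        infected = min(float(p.vulnerable), infected + new)
        t += p.dt
        series.append((t, infected))
    return series


def time_to_fraction(series: List[Tuple[float, float]], vulnerable: int,
                     fraction: float) -> Optional[float]:
    """First time at which at least `fraction` of the vulnerable hosts
    are infected, or None if the series never gets there."""
    target = fraction * vulnerable
    for t, infected in series:
        if infected >= target:
            return t
    return None


def darknet_probe_rate(infected: float, scan_rate: float,
                       prefix_len: int) -> float:
    """Expected probes per second arriving at an unused IPv4 /prefix_len.

    With uniform random scanning the block receives its share of all
    probes, 2**(32 - prefix_len) / 2**32; this is the signal a dark-network
    monitor ("black hole") records, with no legitimate traffic mixed in.
    """
    block = 2 ** (32 - prefix_len)
    return infected * scan_rate * block / IPV4_SPACE


if __name__ == "__main__":
    for seeds in (1, 10):
        p = WormParams(vulnerable=360_000, scan_rate=4000.0, seeds=seeds)
        series = simulate(p, horizon=300)
        half = time_to_fraction(series, p.vulnerable, 0.5)
        print(f"{seeds} seed(s): half of {p.vulnerable} hosts infected after {half:.0f}s")
    rate = darknet_probe_rate(100_000, 4000.0, 24)
    print(f"with 100000 infected hosts a /24 darknet sees ~{rate:.1f} probes/s")
```

Varying `seeds` and `scan_rate` shows why those two variables dominate the shape of the outbreak curve: more seeds shift the curve earlier, a higher scan rate makes it steeper, and the darknet rate grows in lockstep with the infected population, which is what makes a black-hole monitor an early and noise-free indicator.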

The second section (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses to a survey of the network topologies a worm's distribution generates. Specific infection patterns are examined, along with case studies of outbreaks that exhibited them. The section also examines the common characteristics of vulnerable targets, from older UNIX and VMS systems through desktop machines to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explanation of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement chapter nine's analysis of, and speculation about, the future of internet worms.

Section three (ch. 9 - 11) focuses on worm detection strategies and is aimed more squarely at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented, with a focus on timely and efficient protection against further infection. Monitoring techniques for quickly recognizing, analyzing and responding to outbreaks lead into a detailed description of well-placed honeypots and dark-network monitors ("black holes"). A discussion of the (so far) most effective detection method, signature analysis, completes the section; it covers host-based and logfile signatures, along with a brief overview of analyzing logfiles with commonly available utilities.
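
To make the three detection techniques in that section concrete, here is an added example written for this page (not the book's code) that runs them over constructed log lines: a sliding-window scan detector that flags a source contacting many distinct hosts on one port, a dark-network check that lists every sender into an address block where nothing legitimate lives, and a logfile-signature match over web-server access lines. The log formats, the addresses, and the thresholds are assumptions; the single signature regex is modelled on the widely published Code Red request pattern (a long run of N's sent to /default.ida) and is included only to show how a logfile signature is applied.

```python
"""Added example: scan detection, dark-network accounting and logfile
signature matching over constructed log lines.  Log formats, addresses,
thresholds and the signature are assumptions for illustration, not the
book's code.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed firewall log: 10.1.2.3 sweeps twelve hosts on TCP/135 in
# twelve seconds (worm-like), 10.1.2.4 makes two ordinary web requests,
# 10.1.2.5 sends a single probe into otherwise unused address space.
SAMPLE_FW_LOG = "\n".join(
    [f"2003-08-12T10:00:{i:02d} src=10.1.2.3 dst=192.0.2.{120 + i} dport=135"
     for i in range(12)]
    + ["2003-08-12T10:00:05 src=10.1.2.4 dst=192.0.2.7 dport=80",
       "2003-08-12T10:00:09 src=10.1.2.4 dst=192.0.2.8 dport=80",
       "2003-08-12T10:30:00 src=10.1.2.5 dst=192.0.2.200 dport=135"])

FW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

Event = Tuple[datetime, str, str, int]  # (timestamp, src, dst, dport)


def parse_fw(lines: Iterable[str]) -> Iterator[Event]:
    """Yield one event per well-formed line; anything else is skipped."""
    for line in lines:
        m = FW_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_scanners(events: Iterable[Event], window: int = 60,
                  threshold: int = 10) -> Dict[Tuple[str, int], int]:
    """Flag (src, dport) pairs that reach >= threshold distinct destinations
    inside any `window`-second span; the value is the peak distinct count.

    A worm's scan engine sweeps many addresses on one port, while a normal
    client talks to a handful of servers.  The sliding window bounds memory
    and keeps a slow, legitimate trickle of connections from accumulating.
    """
    by_key: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dport)].append((ts, dst))
    flagged: Dict[Tuple[str, int], int] = {}
    for key, hits in by_key.items():
        hits.sort()
        seen: Counter = Counter()
        lo = 0
        for ts, dst in hits:
            seen[dst] += 1
            while (ts - hits[lo][0]).total_seconds() > window:  # expire old hits
                old = hits[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            if len(seen) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(seen))
    return flagged


def darknet_sources(events: Iterable[Event], darknet: str) -> List[str]:
    """Every source that sent anything into an unused ("black hole") prefix.
    Nothing legitimate lives there, so every sender is worth a look."""
    net = ipaddress.ip_network(darknet)
    return sorted({src for _, src, dst, _ in events if ipaddress.ip_address(dst) in net})


# Constructed web-server access log (common log format).
SAMPLE_WEB_LOG = """\
203.0.113.9 - - [19/Jul/2001:10:00:00 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 400 325
203.0.113.10 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

# Logfile signatures: name -> pattern.  Modelled on the published Code Red
# request shape; any signature of this form slots in the same way.
LOG_SIGNATURES = {
    "long-ida-request": re.compile(r'"GET /default\.ida\?[NX]{50,}'),
}


def match_signatures(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (signature name, client address) for each line a signature matches."""
    hits = []
    for line in lines:
        for name, rx in LOG_SIGNATURES.items():
            if rx.search(line):
                hits.append((name, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    events = list(parse_fw(SAMPLE_FW_LOG.splitlines()))
    print("scanners:", find_scanners(events))
    print("darknet senders:", darknet_sources(events, "192.0.2.128/25"))
    print("signature hits:", match_signatures(SAMPLE_WEB_LOG.splitlines()))
```

The three checks complement each other the way the book's ordering suggests: the scan detector needs a threshold and therefore some tuning against normal traffic, the darknet check needs no threshold at all but only sees hosts that happen to probe the monitored block, and the signature match is precise but knows only about worms that have already been analyzed.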

The final section (ch. 12 - 16), as the title promises, covers defense strategies against worm outbreaks. Beginning with the obvious first steps that anyone reading the book ought to have implemented already (firewalls, virus detection software, sandboxing, and patching, patching, patching), the section progresses to less widely used but equally important proxy-based defenses, and goes on to cover slowing infection rates and fighting back against existing worm networks. For thoroughness, the legal implications of attacking worm nodes receive their fair share of attention, if only to alert the reader to the potential pitfalls of proactive defense.

Defense and Detection Strategies against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the one network security issue that consistently makes headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.

You can purchase Defense and Detection Strategies against Internet Worms from bn.com.

11 of 142 comments

  1. Amazon links by Rathumos · · Score: 4, Interesting

    Is it standard practice these days to remove links to amazon.com? There were several in the original article. Did I miss some sort of OSDN/bn.com tie-in?

  2. props to Dr. Nazario by Horny+Smurf · · Score: 1, Interesting

    I met the good Dr (he has a PhD in the biomolecular sciences, IIRC) at a white-hat security conference a few years ago. He's probably not as well known as Dr Knuth or Dr. Bernstein, but his work is just as important, though sadly unrecognized. I guess when you do consulting/researching, you don't get the prestige that you do in academia.

  3. NIST Research on I-Worms by johnthorensen · · Score: 5, Interesting

    I read an article, sorry don't have the link, that talked about research that NIST was doing on internet worms. Essentially, they were looking back over intrusion patterns and making some generalizations about the patterns by which worms spread. They then attempted to create models that took variables such as link speeds, number of "seed sites", etc. and tuned them until they matched the real data. They then set their models up with other values to predict what would happen in different scenarios. At any rate, guess what seed-site scenario resulted in the most catastrophic situation given limited resources of 5 seed sites and 24 hours in which to deploy the worm?

    Porn sites. Given how shady those guys are, this leaves me really hoping that they've got the sense to keep their systems secure.

    -JT

  4. Kinda sounds like Defense Against the Dark Arts! by jp31415926 · · Score: 3, Interesting

    OK, maybe I've been reading too much Harry Potter lately. :)

    But this all does seem to be more and more like a battle between good (computer users) and evil (worm/virus programmers). How bad will it get when we have everything electronic talking to everything else electronic? Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!

  5. Re:And no matter how many worms by Anonymous Coward · · Score: 2, Interesting

    I distinctly recall the Autostart9805 worm that plagued Macs in May of '98 (9805, duh). It even made it onto the pack-in disc from MacAddict one month.

    Of course, that worm didn't do any damage, IIRC. And it took advantage of one of the things Apple copied from Microsoft, which may explain why they're now hesitant to add things to OSX that "have been in Windows for ages."

    But worms are certainly NOT a Windows-only problem.

  6. Re:What's the point ? by Rathumos · · Score: 3, Interesting

    I disagree. I'm not a sysadmin, but I highly benefited from reading the book. This is NOT a "...for dummies" or "...in a nutshell" book. It's got much broader appeal. There's stuff in there that would tickle statisticians, epidemiologists, computer scientists, software engineers, historians, and even the occasional home user who wonders why the hell his network keeps dying.

  7. sudo is better than su by nick_urbanik · · Score: 2, Interesting

    sudo is much better than su because:
    • Only one person needs the root password (great when there are several admins; a shared secret is not a secret)
    • A senior admin can delegate some admin tasks to others, not simply hand over total control
    • It keeps an audit trail of what you did
    • If someone is using su, then you have been cracked, and can detect that more easily in the logs
    • You never are tempted to do any unnecessary stuff as root.

  8. Something worth publicising ... by jc42 · · Score: 2, Interesting

    The FAQ includes the interesting sentence:

    Oddly, under the Bush administration, there has been a massive contraction in research funding into Internet Security.

    It would be interesting to see details of this charge. Is it really true? If so, we should be publicising it.

    Contrary to much of the marketing hype, the Internet was in fact developed primarily with US government funding. DoD funding, in particular, through (D)ARPA.

    The commercial world is trying to take credit, but they did very little to help develop the Internet. So far, the commercial guys also seem to be not terribly interested in Internet security, with the obvious exception of the handful of companies that were created to sell after-the-fact security-related software. Meanwhile, the big vendors continue to turn out new network apps with little regard for the new security holes those apps may contain.

    If history is any guide, the only likely source of real Internet security is the academic community that built it in the first place. And the only likely source of the funding is from the US and a few other governments.

    Reading of cutbacks in this funding just as the really serious worms are appearing is somewhat unsettling.

    So what are the numbers? What is the history of funding for Internet security research? Can we collect the details, and publicise the situation? Has it already been done?

    (A quick check via google turned up a few tantalizing details, but no obvious site with a complete summary.)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.

  9. Re:And no matter how many worms by jc42 · · Score: 2, Interesting

    The first worm was the Morris Worm, in 1988,

    Nah; I clearly recall being bemused by the release (on a couple of newsgroups) of PDP-11 and VAX worms and viri in '83. I know it was that year, because I know where I was working when they came out. I don't recall that we gave them official names then, though.

    Needless to say, when the proof-of-concept was published, the main reaction back then was to study them, figure out how to prevent such things "in the wild", and tell the vendors in no uncertain terms that they would add the fixes to their systems or they would make no more sales. Since then, there have been only a handful of actual wild worms and viri in the entire unix part of the industry, and they used exploits that were fairly new at the time.

    In a very real sense, the major reason that the Microsoft user community has such problems is that they permit Microsoft to continue to sell software that's full of security holes. As long as their customers continue to pay them good money for insecure software, they will continue to build and sell it.

    Anyway, there were probably worm/virus prototypes before 1983. Anyone know of them?

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.

  10. First virus and first worm by Pan+T.+Hose · · Score: 2, Interesting

    Anyway, there were probably worm/virus prototypes before 1983. Anyone know of them?

    In 1981-1982 the first computer virus, Elk Cloner, started spreading in the wild but it was not until 1983 when Fred Cohen finally proved that the concept of a computer virus was viable. To my best knowledge the first worm spreading in the wild was IBM Christmas Worm in 1987 and the first Internet worm was Robert T. Morris' Worm in 1988.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."

  11. Re:And no matter how many worms by Anonymous Coward · · Score: 1, Interesting

    http://www.greyowltutor.com/essays/virus.html

    That's an excerpt from a chapter of _Dealers of Lightning_, an account of Xerox PARC. According to that, it's the first network worm that has been accounted for (1978), although it was more like a benevolent worm that got a bug, rather than a malevolent one. Good reading in either event; Jose actually reviewed the book for Slashdot some time ago.

    The 1983 stuff you mention is likely Cohen's initial research work; there have been some other worthwhile papers/talks/shows on worms and worm history recently as well, e.g.

    http://www.intrusec.com/goodworm081903.ppt (DJM's talk from toorcon this year, focusing on 'good worms' and history [primarily 1990's and beyond])

    1978 might not even be the first, but it's darn close.