Defense and Detection Against Internet Worms
Publishing a book on a subject as dynamic as internet worms can never result in a complete volume. The near-weekly outbreaks of modified versions of old worms and completely new designs is enough to frustrate the efforts of even the most prolific anti-virus software developers, let alone those who try to provide an overview of their study.
Nevertheless, Nazario accomplishes a clear and concise summary of the state of worms today. Seeded by a paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash) written in 2001, Defense and Detection Strategies against Internet Worms encourages the reader to focus on the directions worm development might take in the future, with a specific view toward anticipating and preparing for future attacks.
The book begins with a discussion of the departure worms take from traditional computer virii. An outline of the benefits a worm-based attack offers the black-hat, together with a brief analysis of the threat model posed by worms, provides ample reason for the computer security professional to take the study of internet worms very seriously.
Beyond this introduction, the book is laid out in four major sections. The first introduces to the reader some background information crucial to the study of worms. The author discusses the history and taxonomy of past worm outbreaks, from their sci-fi origins (think John Brunner's Shockwave Rider) through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rates, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between the worms' propagation techniques and the progression of their lifecycles.
The second section of the book (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses to a survey of the network topologies generated by a worm's distribution. Specific infection patterns are examined, along with case studies of worm outbreaks that have exhibited such patterns. Further, this section examines the common characteristics of vulnerable targets, from older UNIX and VMS mainframes through desktop systems onward to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explanation of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement chapter nine's analysis and speculation on the future of internet worms.
Section three (ch. 9 - 11) focuses on worm detection strategies, and is more distinctly aimed at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented with a focus on timely and efficient protection from further infection. Monitoring techniques for quickly recognizing, analyzing and responding to worm outbreaks lead into a detailed description of well-placed honeypots and dark network monitors ("black holes"). Discussion of the (so far) most effective method of worm detection, signature analysis, completes the section, and covers host-based and logfile signatures, along with a brief overview of analyzing logfiles using commonly available utilities.
The final section of the book (ch. 12 - 16), as the title promises, aims at defense strategies against worm outbreaks. Beginning with the obvious first steps which anyone reading the book ought to have implemented already (firewalls, virus detection software, sandboxing, and patching-patching-patching), the section progresses into less widely used but equally important proxy-based defense methods, and continues on to cover slowing down infection rates and fighting back against existing worm networks. For the sake of thoroughness, an overview of the legal implications of attacking worm nodes receives its fair share of attention, simply to alert the reader to the potential pitfalls of proactive defense.
Defense and Detection Strategies against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the only network security issues to consistently make headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.
You can purchase Defense and Detection Strategies against Internet Worms from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Don't use Microsoft Windows.
Fdisk, Install Linux.
On 5 June 1995 an adult male frog collided with the facade of CmdrTaco's ass and died. Another frog raped the corpse almost continuously for 75 minutes. Then the author disturbed the scene and secured the dead frog. Dissection showed that the rape-victim indeed was of the male sex. It is concluded that the frogs were engaged in an 'Attempted Rape Flight' that resulted in the first described case of homosexual necrophilia in the frog.
I, for one, welcome... this book and its opinions on internet worms, no matter how obscure they may be.
Wow, another book review about security. The several billion we have aren't good enough?
Referral Link: Amazon has this book for the same price as bn ($85) and with free shipping
Some cheaper copies are available from the Amazon marketplace users.
to catch internet fish!
it's "the good grease".
comment on the book being reviewed because I haven't read it, but I know you can't go far wrong with
Inoculate your network against the viruses, worms, and Trojans of today -and tomorrow.
Virus writers are becoming craftier and more numerous every year, resulting in huge losses - in revenue, data, productivity, and reputation - for companies and organizations around the world. Going beyond the partial fixes of today's off-the-shelf security solutions, this book delivers the hands-on strategies and tactics you need to foil malicious code - and protect the integrity of your network. Drawing on his day-to-day networking experience, security expert Douglas Schweitzer describes the threats - both current and projected - and offers detailed, practical advice for securing BIOS, boot sequences, e-mail, instant messaging, Web servers, and more. It's all you need to lock out viruses - and lock down security for your network.
You'll learn how to:
* Understand the threat virus writers and hackers pose
* Get a handle on various types of malicious code
* Protect BIOS, booting, file systems, memory, and other basics
* Secure e-mail, browsers, and file sharing
* Eliminate virus threats to instant messaging
* Mobilize staff against the threat of viruses and social engineering
* Strengthen firewalls, intrusion detection, and data recovery
* Defend against server-side exploits
* Prepare for cyberterrorism and the viruses of the future
The companion Web site contains multiple links to security software solutions.
A must for anyone with a small to medium sized network who wants to get caught up with the latest in network security.
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
....if DEET is as good of a defense against worms as it is against mosquitos. Hmmm....
Check AddAll.com
Windows is not secure. Linux is.
I'll bet nobody on slashdot knew this until this post pointed it out.
Head down to your local PC world to buy a new CDROM drive to replace the one that Linux destroyed.
Is it standard practice these days to remove links to amazon.com? There were several in the original article. Did I miss some sort of OSDN/bn.com tie-in?
is a good offense.
And I'm sure that if I were a smarter man, I could figure out how that applies here.
Blogzine
clifgriffin > blog
I met the good Dr (he has a PhD in the biomolecular sciences, IIRC) at a white-hat security conference a few years ago. He's probably not as well known as Dr Knuth or Dr. Bernstein, but his work is just as important, though sadly unrecognized. I guess when you do consulting/researching, you don't get the prestige that you do in academia.
Very good, troll...I think you've actually succeeded in parsing a few of my brain cells for reading that. Well done.
are created, waiting to be created, dormant, obsolete, or still running amok, they only run on one platform:
Windows.
There's food for thought.
So rise up, all ye lost ones, as one, we'll claw the clouds.
Wasn't the author previously a Defense Against the Dark Arts teacher at Hogwarts?
---
I type this every time.
Defense: Chastity belt!
yet ANOTHER WINNING POST from Sir Haxalot
Is the IP ban still in place?
I read an article, sorry don't have the link, that talked about research that NIST was doing on internet worms. Essentially, they were looking back over intrusion patterns and making some generalizations about the patterns by which worms spread. They then attempted to create models that took variables such as link speeds, number of "seed sites", etc. and tuned them until they matched the real data. They then set their models up with other values to predict what would happen in different scenarios. At any rate, guess what seed-site scenario resulted in the most catastrophic situation given limited resources of 5 seed sites and 24 hours in which to deploy the worm?
Porn sites. Given how shady those guys are, this leaves me really hoping that they've got the sense to keep their systems secure.
-JT
It was dark in the Holland, Michigan office nestled deep within Slashdot's Geek Compound. Shifting and moaning, ESR laid sprawled over his filthy desk. Dried spittle stuck several Post-It notes to his cheek. His PC, running Linux, silently printed swap error after swap error to the screen, lighting ESR's sickly form. As he burped several times he attempted to recall the night before that had led to this stupor. Holding his head in his hands, he was interrupted by lights and doors slamming-- someone was in the office!
As Rob "CmdrTaco" Malda walked past ESR, he noticed the several empty bottles of Jägermeister and what appeared to be fecal stains on the floor and walls surrounding the recovering ESR-- nothing new. He also noticed some semen bubbling in the cracks of ESR's chafed lips.
"Another all-night office orgy, Eric?" Rob asked coyly.
Tilting his head gingerly toward Rob and raising his eyebrows slowly, ESR spoke softly. "Oh shit. Is that what happened last night? I believe I blacked out at some point-- I can't remember anything. Who was here last night?"
"Well, CowboyNeil got there a little late last night, but he said that by the time he got there that Alan, Emad, Jamie, Michael, and Signal 11 were already pretty drunk," Rob said just a little too loudly for ESR's tender head.
Closing and opening his eyes gently, ESR muttered to himself about having not invited Signal 11. He also started sniffing the air and licking his lips. "I can smell dried feces on a dick a mile away. Just where were you last night, Robbie? You get a piece of ass last night and decide to ditch my party?"
"What's it to you? Your breath smells like semen and you don't hear me asking whose it is," Malda shot back.
ESR smiled and swiveled with a gleam in his eyes. "Ah, but you see, this is my own sperm!"
"And it must taste specfuckingtacular!" Rob shot back.
Eric interjected before Rob could go on. "Ah yes. You see, I like to add a shot of Jäger to it to give it a little kick."
"No," Rob replied with anger rising in his voice, "you fucking raging alcoholic. Your semen tastes like unchanged 15,000 mile-old motor oil. I think you may have ruptured both of your testicles and now your colon is shooting diarrhea out of your cock-hole."
"What!? You little fudge-packing piece of shit!" ESR threatened, "Ditch one of my office parties because Hemos calls up and says he's lonely, will you? I bet that's what happened. Well, guess who I'll be recommending we lay off at the next LNUX board meeting? How do you like that, Taco?"
"Whatever, Eric. You don't scare anyone except your parents," Rob said as he stormed out of ESR's office, his green plaid flannel whipping in the wake behind him. "You would be nothing without Slashdot."
ESR stammered and shook. Ever since the LNUX stock had plummeted, things were so tense around the office. Relations were falling apart between him and the Slashdot admins. Last night, Michael and Jamie had pounded each other exclusively, ignoring ESR's crooked, erect penis, and Eric had to convince Emad and Alan to restrain CowboyNeil before he could engage in homosexual intercourse with him.
With a flick of his wrist, ESR popped a dozen extra-strength Bayers down his stinking gullet and washed them down with some Jäger from the bottle he had woken up holding. Depressed, aching, and on the verge of vomiting up the entirety of last night's semen binge, ESR cried silently and went back to sleep at his desk, ignoring the pile of work that sullied the landscape of his desktop.
Clapping twice to darken his office, ESR curled into fetal position as best he could and rested, preparing to do it all over again later that night.
But this all does seem to be more and more like a battle between good (computer users) and evil (worm/virus programmers). How bad will it get when we have everything electronic talking to everything else electronic? Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!
A good defense would be for Microsoft to set non-absurd default settings on its products. How many ports open by default on Windows, against Mac OS X ?
Even though worms are likely to target the mainstream OS, they can only do actual damage in an OS where foreign executable code is executed by default, and where most people log on with administration privilege.
Making Linux the standard desktop OS would almost definitely solve the problem. When I think of it, it is amazing how many science-fiction films and books rely on the concept of viruses, a thing that should be history by now.
You apparently don't understand the definitions of "troll" or "parse". Parse means to break something like a sentence up into more easily understood components. I've never heard of parsing brain cells. Perhaps instead of using "big" words, you should stick to words you know, like "destroy", which is surely what you meant in your tripe-filled sentence.
You mean I have to pay $85 to read about stuff we know already and learn about practices all smart admins should take? Forget it.
But seriously, all of us know already what we SHOULD do, it's just that we don't do it. How many people regularly work on their computer using an admin-level account, doing stuff that doesn't require admin level access? Far too many people do this, even techies.
I do everyday work logged onto a Limited account on Win XP, although I admit, it's a real pain to have to log in to the root account to download an ActiveX control, configure hardware, do Windows Update, Norton antivirus update, etc. But I do because I know it's safer to only use an admin level account when that type of access is required.
How many people do that? How many techies do that? How many college students in some tech-illiterate college (ex Liberal arts type majors) do this? What we need isn't a book, it's a good kick in the pants to force us to adopt good safety measures.
Please.
Trolling is a art,
YHBT, HAND.
This above post is entirely factually correct.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Not to nitpick or anything, but computers, radar, anything electronic doesn't work near Hogwarts, they "go haywire" according to Hermione.
Hermione really does say that. Check in book 4, where Harry is trying to figure out how Rita Skeeter is finding out loads of stuff about Hagrid, and he's going through the list of ways Rita could spy on Hogwarts without being detected. One of the things he mentions is an electronic bug, at which point Hermione butts in and says how electronic stuff won't work near Hogwarts.
Whoa... guess I've been reading too much 'Arry Potter myself...
Finding a half of a worm.
More stupid worm jokes to follow...
"If you think you have things under control, you're not going fast enough." --Mario Andretti
The book begins with a discussion of the departure worms take from traditional computer virii.
Dear Reviewer, you seem to have a virus known as 'W32.can't-spell-viruses', I suggest, performing a full scan using your virus^h^h^h^h^h spell checker, with up-to-date definitions^h^h^h^h^h^h^h^h^h^h^h dictionary.
Chapter 1: Firewall
Step 1: Get a firewall.
Step 2: Close all the ports you don't use.
Simple huh?
Causing Chaos Everywhere,
Nik J.
The strange world of a loner, in a populous city, drowning in society
Anyone who is going to be interested enough to purchase this book is already outside the class of people who are likely to benefit from purchasing the book...
:-(
The vast majority of worms spread via unmaintained systems. There is the occasional (one comes to mind) worm that exploited a novel problem, but most worms exploit already-patched issues. The problem is "admins" not maintaining the security level of their systems.
Unless basic security levels are increased (home users on ADSL/Cable modems without firewalls spring to mind) then worms (nefarious or otherwise) are going to be a problem, and the good Doctor's book may well aid in tracking down the perpetrator, but sadly, there seems to be an inexhaustible supply of them.
Depressed.
Simon.
Physicists get Hadrons!
Jesus H Christ! The first chapter is 7,328 pages, over three volumes!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
This FAQ seems to have a lot of good information on Internet Worms:
http://www.networm.org/faq/
this post is so boring i think i've become a corpse with worms coming out of my nose...
And then there was E
With a unanimous vote, the panel concluded Moore violated judicial ethical standards and removed him halfway through his six-year elected term.
"This court hereby orders that Roy S. Moore be removed from his position as chief justice of the Supreme Court of Alabama," said Presiding Judge William Thompson. "The chief justice showed no signs of contrition for his actions."
--
Good riddance. The last thing this country needs is a fucking Christian radical judge - although GWB and his henchmen would probably love it.
Shai-hulud.... First you get the spice, then you see the future, then you get the women.
Count the bars on the flag for South Korea. You'll find three 6's. 666. It's right there!
What I'd like to know, is what is good software to use for anti-worm security in a linux (server) windows (desktop) environment. There's a lot I can do on the server (firewall, proxy, mail-filter, etc), but not so much on the client... how about antivirus software, what's good, what's bad, and what's affordable or open-source (linked articles are informative, but don't cover specific apps).
Anyone got some feedback on this, or perhaps whether the book covers good apps in significant depth?
Against Despots - The
Cheney-Rumsfeld Regime ?
Patriotically yours,
Kilgore Trout
Buy the book for the people whom you know need it. Dogtag/highlight relevant pieces in highlighter.
Leave gift-wrapped in the vicinity of the bathroom. It may take awhile, but eventually somebody will probably pick it up and start perusing (bathroom is the best place to plant reading material). If you're lucky, they may find it interesting, or at least stay long enough to catch some important points.
Oh, and if you want, you could speed up the reading process by also lacing the Xmas cookies/etc with a little X-lax icing.
Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!
;)
Isn't that what BlueTooth is for?
Can you say intrusion prevention? I saw the Tipping Point UnityOne product stop Blaster, Nachi, and SobigF in their tracks, just hours after the outbreak. I have personally put several of these in place at colleges, city government and medical facilities in the past 5 months and it works flawlessly! And I have yet to have a single false positive. Feel free to check it out at http://tippingpoint.com/ IT WORKS like nothing else I have seen yet. Granted I have only been doing network security for 5 years.
You clearly don't read The Register. They are forever forgetting to close anchor tags, resulting in many a bright blue, underlined page of text.
cook all pork thoroughly before feeding it to your computer. Or, better yet, only feed it SPAM!
The FAQ includes the interesting sentence:
Oddly, under the Bush administration, there has been a massive contraction in research funding into Internet Security.
It would be interesting to see details of this charge. Is it really true? If so, we should be publicising it.
Contrary to much of the marketing hype, the Internet was in fact developed primarily with US government funding. DoD funding, in particular, through (D)ARPA.
The commercial world is trying to take credit, but they did very little to help develop the Internet. So far, the commercial guys also seem to be not terribly interested in Internet security, with the obvious exception of the handful of companies that were created to sell after-the-fact security-related software. Meanwhile, the big vendors continue to turn out new network apps with little regard for the new security holes those apps may contain.
If history is any guide, the only likely source of real Internet security is the academic community that built it in the first place. And the only likely source of the funding is from the US and a few other governments.
Reading of cutbacks in this funding just as the really serious worms are appearing is somewhat unsettling.
So what are the numbers? What is the history of funding for Internet security research? Can we collect the details, and publicise the situation? Has it already been done?
(A quick check via google turned up a few tantalizing details, but no obvious site with a complete summary.)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
make your next book The Diamond Age and apply that idea, then you'll get really really scared.
"Nothing was broken, and it's been fixed." -- Jon Carroll
It's not at all obvious to me what this has to do with defending against and detecting Internet worms.
... ;-)
Yes, I've RtFTC (Read the F***ing Ten Commandments), and maybe I'm being dense, but I don't see anything there that is applicable to Internet worms. Not even the wildest metaphorical stretch seems to make any of them fit.
Maybe some kind soul can enlighten me
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
In 1981-1982 the first computer virus, Elk Cloner, started spreading in the wild but it was not until 1983 when Fred Cohen finally proved that the concept of a computer virus was viable. To my best knowledge the first worm spreading in the wild was IBM Christmas Worm in 1987 and the first Internet worm was Robert T. Morris' Worm in 1988.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
If you have a lot of worms around the office, all you need is a couple of chickens to get rid of them.
I am Monkey, the Great Sage, equal of heaven!
In case your mare get worms, just a simple medicine always helps!
At least that's what our vet recommends to keep our dog worm-free.
i am not kidding.
Rathumos:
;)
:)
Actually, links like the ones included with your review aren't the real problem. In a very slightly different universe, they'd have been completely fine. Yes, bn.com affliliate links are good for us (Slashdot), both for consistency (good to always have a link at the bottom to the reviewed book so people can find it, and confusing to have more than one) and because they make the site some small amount of money, but the bigger reason to me for not allowing affiliate links is to prevent abuse.
Allowing affiliate links ups the odds of link-stuffing. I don't want to run reviews that are built like Star Wars Episodes 1-3, thinly veiled links to products. You might be amazed by how many affiliate links some people try to jam into a single review
It's a free world though, and when a book is available elsewhere for a lower price, or to folks in e.g. the UK, it usually shows up quickly in the comments. Probably not to bn.com's taste, but Hey, them's the breaks
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
i haven't read this book, so i don't know if it covers this: if i'm an isp, can i stop worms for the benefit of my subscribers?
it seems like all the big time worms look the same to the network, cause each one uses the same vulnerability over and over. that means that the packets hit the same port, so you could just look at the port number in the header.
not only that, but so far worms aren't self-modifying (does that mean they're reentrant or non-reentrant? i always get that mixed up). that means that you could just write some code to watch for the same data packets by generating something that a standard intrusion detection system can read. that probably means you'd have to hash the packet's data in some smart way.
most of the worms so far also have gone from lots of infected hosts to lots of other hosts. so if you see packets that all look the same and are going to everywhere from everywhere, it's probably a worm. not for sure, but almost for sure. and then, if you want to stop worms that hit microsoft iis or things like that, they're probably just x86 assembly code, so you could look for assembly code, etc..
once you're pretty sure you have a worm on your hands, you could just filter them all out. (yeah yeah, so you'd have to be pretty sure it's worms you're filtering, but when a worm's loose, the net's going to suck anyway).
i think this'd work darn well. it might end up missing some worms, but why not do this as a first step? am i missing something, or has this already been done? or if nobody's done it, i think someone should!
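A sketch of the many-to-many detector this post describes, written here as an added example (it is not the commenter's code, nor anything from the book): traffic is keyed on destination port plus a hash of the exact payload bytes, and a cluster is flagged only when the same bytes travel from many distinct sources to many distinct targets, which is what separates a spreading worm from ordinary many-to-one or one-to-many traffic. The Flow records, addresses, thresholds and payload bytes are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One observed connection attempt (constructed; a real feed would come from a tap)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic, not a real capture.
WORM_BLOB = b"\x90" * 16 + b"CONSTRUCTED WORM PAYLOAD, IDENTICAL ON EVERY HOP"
PROBE_BLOB = b"CONSTRUCTED SINGLE-SOURCE PROBE"
WEB_REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"

SAMPLE_FLOWS: List[Flow] = (
    # many-to-many: 18 distinct sources hit 18 distinct targets with identical bytes
    [Flow(f"10.0.{i}.{j}", f"10.1.{j}.{i}", 135, WORM_BLOB)
     for i in range(1, 7) for j in range(1, 4)]
    # many-to-one: 20 clients send the same request to one web server (benign)
    + [Flow(f"192.0.2.{n}", "198.51.100.10", 80, WEB_REQUEST) for n in range(1, 21)]
    # one-to-many: a single host probes 20 targets (a scan, but not a spreading worm)
    + [Flow("203.0.113.7", f"10.2.0.{n}", 135, PROBE_BLOB) for n in range(1, 21)]
)

Key = Tuple[int, str]


def payload_key(flow: Flow) -> Key:
    """Group key: destination port plus SHA-256 of the exact payload bytes.

    Exact hashing is what the post proposes; a payload that varies per hop
    (polymorphic or self-modifying) would split into many keys and evade it.
    """
    return flow.dport, hashlib.sha256(flow.payload).hexdigest()


def find_worm_like_clusters(flows: Iterable[Flow], min_sources: int = 8,
                            min_targets: int = 8) -> List[dict]:
    """Return clusters whose identical payload goes from many sources to many targets."""
    sources: Dict[Key, Set[str]] = defaultdict(set)
    targets: Dict[Key, Set[str]] = defaultdict(set)
    count: Dict[Key, int] = defaultdict(int)
    for f in flows:
        k = payload_key(f)
        sources[k].add(f.src)
        targets[k].add(f.dst)
        count[k] += 1
    hits = []
    for k, n in count.items():
        # Both fan-in and fan-out must be wide: that is the "everywhere to everywhere" test.
        if len(sources[k]) >= min_sources and len(targets[k]) >= min_targets:
            hits.append({"dport": k[0], "payload_sha256": k[1],
                         "sources": len(sources[k]), "targets": len(targets[k]),
                         "flows": n})
    return sorted(hits, key=lambda h: -h["flows"])


def should_drop(flow: Flow, blocklist: Set[Key]) -> bool:
    """Filter step: drop a flow whose (port, payload hash) matches a flagged cluster."""
    return payload_key(flow) in blocklist


if __name__ == "__main__":
    found = find_worm_like_clusters(SAMPLE_FLOWS)
    for h in found:
        print(f"port {h['dport']}: {h['sources']} sources -> {h['targets']} targets "
              f"({h['flows']} flows), sha256 {h['payload_sha256'][:16]}...")
    rules = {(h["dport"], h["payload_sha256"]) for h in found}
    print("flows that would be dropped:", sum(should_drop(f, rules) for f in SAMPLE_FLOWS))
```

Only the many-to-many cluster on port 135 is flagged; the benign many-to-one web traffic and the single-source scan fall below one of the two thresholds, which is the false-positive check the post hand-waves past.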
Too many developers for windows boxes (and I am one) have admin access to the development machine so they never have to think about security until someone tries to install their software in a locked down environment.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
always was.
Technology is the application of your knowledge of nature to modify it.
Magic, whether by people or "supernatural beings" (lovely oxymoron, that) is exactly the same, only with modified laws of nature.
The difference, I believe, is that science and tech are more democratic: a normal person can, with a lot of work and help, understand and apply some of the basic principles. On the contrary, muggles and squibs just can't perform magic no matter how hard they'll work.
Working for necessity's mother.
You: Yes, I've RtFTC, [...] but I don't see anything there that is applicable to Internet worms
:( He doesn't have to put up with this shit."
10 Comm: 2. Thou shalt not take the name of the Lord thy God in vain.
Now, me: "God Damn it! There's ANOTHER GOD DAMN worm loose, taking my servers to a crawl! Who do I have to smite to stop this crap?"
10C: 3. Remember thou keep the Sabbath Day.
Me: "Man, I hate coming in Sundays to fix these stupid PCs."
10C: 5. Thou shalt not kill.
Me: "If I ever catch the sonofabitch who wrote this thing..."
10C: 10. Thou shalt not covet thy neighbour's goods.
Me: "Jimmy, next door, just got a brand new Mac.
There you go. Not perfect, but you said "even the wildest metaphorical stretch." FYI, These are from the Catholic version of the 10 C's.
Ah! You've explained it in a memorable theological fashion.
;-)
So I guess it wasn't OT after all.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.