Slashdot Mirror


Defense and Detection Against Internet Worms

Rathumos writes "The network security world has been waiting patiently for a definitive study of internet worms and defenses against them. Defense and Detection Strategies against Internet Worms by Dr. Jose Nazario has arrived to fill that space with a clear and concise analysis of the current state of worm defense." Read on for the rest of Rathumos' review.

Defense and Detection Strategies against Internet Worms
Author: Jose Nazario
Pages: 322
Publisher: Artech House
Rating: 10
Reviewer: Duncan Lowne
ISBN: 1580535372
Summary: This book provides a solid approach toward detection and mitigation of worm-based attacks.

Publishing a book on a subject as dynamic as internet worms can never result in a complete volume. The near-weekly outbreaks of modified versions of old worms and completely new designs are enough to frustrate the efforts of even the most prolific anti-virus software developers, let alone those who try to provide an overview of their study.

Nevertheless, Nazario accomplishes a clear and concise summary of the state of worms today. Seeded by a paper ('The Future of Internet Worms', Nazario, Anderson, Connelly, Wash) written in 2001, Defense and Detection Strategies against Internet Worms encourages the reader to focus on the directions worm development might take in the future, with a specific view toward anticipation of, and preparation for, future attacks.

The book begins with a discussion of the departure worms take from traditional computer viruses. An outline of the benefits for the black-hat toward a worm-based attack, as well as a brief analysis of the threat model posed by worms, provides ample reason for the computer security professional to take the study of internet worms very seriously.

Beyond this introduction, the book is laid out in four major sections. The first introduces the reader to some background information crucial to the study of worms. The author discusses the history and taxonomy of past worm outbreaks, from their sci-fi origins (think John Brunner's Shockwave Rider) through modern-day outbreaks. A thorough analysis of various worms' traffic patterns is presented, with data broken down by infection rates, number of infected hosts, and number of sources probing specific subnets. Finally, the construction and lifecycle of worms are presented, with particular attention paid to the interaction between the worms' propagation techniques and the progression of their lifecycles.

The second section of the book (ch. 6 - 8) studies the trends exhibited by past worm outbreaks. Beginning with an examination of the processes and mechanisms of infection, it progresses on to a survey of the network topologies generated by a worm's distribution. Specific infection patterns are examined, along with case studies of worm outbreaks that have exhibited such patterns. Further, this section examines the common characteristics of vulnerable targets, from older UNIX and VMS mainframes through desktop systems onward to infrastructure equipment and embedded systems. A discussion of the payload transmission methods that have made recent worm attacks so devastatingly effective, and an explanation of why liberal use of a clue-hammer on users is not by itself enough to control and prevent further outbreaks, complement chapter nine's analysis and speculation of the future of internet worms.

Section three (ch. 9 - 11) focuses on worm detection strategies, and is more distinctly aimed at the already-overworked network security professional. Effective methods of detecting scans and analyzing a worm's scan engine are presented with a focus on timely and efficient protection from further infection. Monitoring techniques for quickly recognizing, analyzing and responding to worm outbreaks lead into a detailed description of well-placed honeypots and dark network monitors ("black holes"). Discussion of the (so-far) most effective method of worm detection, signature analysis, completes the section, and covers host-based and logfile signatures, along with a brief overview of analyzing logfiles using commonly available utilities.

The final section of the book (ch. 12 - 16), per the book's namesake, aims at defense strategies against worm outbreaks. Beginning with the obvious first steps which anyone reading the book ought to have implemented (firewalls, virus detection software, sandboxing, and patching-patching-patching), the section progresses into less widely used but equally important proxy-based defense methods, and continues on to cover slowing down infection rates and fighting back against existing worm networks. For the sake of thoroughness, an overview of the legal implications of attacking worm nodes receives its fair share of attention simply to alert the reader to the potential pitfalls of proactive defense.

Defense and Detection Strategies against Internet Worms is decidedly aimed at the experienced network security professional, but holds a much broader appeal than most technical books. With its thorough historical analysis of worm progression over the past thirty years, anyone with even a remote interest in the past, present or future of the only network security issues to consistently make headlines in the mainstream press will find this both an entertaining and enlightening read. Overall, it makes a valuable addition to any geek's bookshelf.

You can purchase Defense and Detection Strategies against Internet Worms from bn.com.

20 of 142 comments

  1. same price and free shipping by zontroll · · Score: 2, Informative

    Referral Link: Amazon has this book for the same price as bn ($85) and with free shipping
    Some cheaper copies are available from the Amazon marketplace users.

  2. Amazon links by Rathumos · · Score: 4, Interesting

    Is it standard practice these days to remove links to amazon.com? There were several in the original article. Did I miss some sort of OSDN/bn.com tie-in?

    1. Re:Amazon links by zontroll · · Score: 3, Informative

      Slashdot Book Review Guidelines:
      "Speaking of links, please do not include personalized or "affiliate" links (to online bookstores, for instance) in your reviews. Slashdot has an agreement with Barnes & Noble; this is one way that Slashdot makes money, stays in business, etc. That's why when bn.com carries a particular book, you'll see a link to it at the bottom of the review."

  3. The best defense... by clifgriffin · · Score: 3, Funny

    is a good offense.

    And I'm sure that if I were a smarter man, I could figure out how that applies here.

    Blogzine

  4. Re:props to Dr. Nazario by Rathumos · · Score: 2, Informative

    Yes, he got his PhD in biochemistry from Case Western Reserve University, and currently works as a network security researcher at Arbor Networks in Ann Arbor, Michigan. He most recently spoke at Pacsec in Tokyo.

  5. NIST Research on I-Worms by johnthorensen · · Score: 5, Interesting

    I read an article, sorry don't have the link, that talked about research that NIST was doing on internet worms. Essentially, they were looking back over intrusion patterns and making some generalizations about the patterns by which worms spread. They then attempted to create models that took variables such as link speeds, number of "seed sites", etc. and tuned them until they matched the real data. They then set their models up with other values to predict what would happen in different scenarios. At any rate, guess what seed-site scenario resulted in the most catastrophic situation given limited resources of 5 seed sites and 24 hours in which to deploy the worm?

    Porn sites. Given how shady those guys are, this leaves me really hoping that they've got the sense to keep their systems secure.

    -JT

  6. Kinda sounds like Defense Against the Dark Arts! by jp31415926 · · Score: 3, Interesting

    OK, maybe I've been reading too much Harry Potter lately. :)

    But this all does seem to be more and more like a battle between good (computer users) and evil (worm/virus programmers). How bad will it get when we have everything electronic talking to everything else electronic? Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!

  7. $85? by herrvinny · · Score: 3, Insightful

    You mean I have to pay $85 to read about stuff we know already and learn about practices all smart admins should take? Forget it.

    But seriously, all of us know already what we SHOULD do, it's just that we don't do it. How many people regularly work on their computer using an admin-level account, doing stuff that doesn't require admin level access? Far too many people do this, even techies.

    I do everyday work logged onto a Limited account on Win XP, although I admit, it's a real pain to have to login to the root account to download an ActiveX control, configure hardware, do Windows Update, norton antivirus update, etc. But I do because I know it's safer to only use an admin level account when that type of access is required.

    How many people do that? How many techies do that? How many college students in some tech-illiterate college (ex Liberal arts type majors) do this? What we need isn't a book, it's a good kick in the pants to force us to adopt good safety measures.

  8. Re:Kinda sounds like Defense Against the Dark Arts by herrvinny · · Score: 2, Informative

    Not to nitpick or anything, but computers, radar, anything electronic doesn't work near Hogwarts, they "go haywire" according to Hermione.

    Hermione really does say that. Check in book 4, where Harry is trying to figure out how Rita Skeeter is finding out loads of stuff about Hagrid, and he's going through the list of ways Rita could spy on Hogwarts without being detected. One of the things he mentions is an electronic bug, at which point Hermione butts in and says how electronic stuff won't work near Hogwarts.

    Whoa... guess I've been reading too much 'Arry Potter myself...

  9. What's the point ? by Space+cowboy · · Score: 4, Insightful

    Anyone who is going to be interested enough to purchase this book is already outside the class of people who are likely to benefit from purchasing the book...

    The vast majority of worms spread via unmaintained systems. There is the occasional (one comes to mind) worm that exploited a novel problem, but most worms exploit already-patched issues. The problem is "admins" not maintaining the security level of their systems.

    Unless basic security levels are increased (home users on ADSL/Cable modems without firewalls spring to mind) then worms (nefarious or otherwise) are going to be a problem, and the good Doctor's book may well aid in tracking down the perpetrator, but sadly, there seem to be an inexhaustible supply of them :-(

    Depressed.

    Simon.

    --
    Physicists get Hadrons!
    1. Re:What's the point ? by Rathumos · · Score: 3, Interesting

      I disagree. I'm not a sysadmin, but I highly benefitted from reading the book. This is NOT a "...for dummies" or "...in a nutshell" book. It's got much broader appeal. There's stuff in there that would tickle statisticians, epidemiologists, computer scientists, software engineers, historians, and even the occasional home user who wonders why the hell his network keeps dying.

    2. Re:What's the point ? by minas-beede · · Score: 2, Insightful

      "The vast majority of worms spread via unmaintained systems."

      You ask the right question: "What's the point?" and show that you indeed don't see the point.

      Yes, the worms travel via insecure systems. It may be taken as a given that there are and always will be insecure systems. If the sole approach taken is "secure the systems" then the worm authors will always win - no effective countermeasures are being taken, will be taken. That is the point, IMHO.

      The worms (including worms that create spam zombies) propagate by some form of abuse. The prevailing attitude, as you show, is "ignore the abuse." This book takes a different direction: "pay attention to the abuse." There's hope that if enough follow what this book recommends that the worm authors will be defeated.

      Same with spam. I'd guess 99% of those reading this haven't a clue as to what a spammer relay test message looks like - yet those test messages underlie the sending of spam via open relays. Again, 99% know nothing about how spammers test for open proxies, yet that testing underlies sending of spam via open proxies. Usually one need look no further than one's own system to see how spammers test - but most don't see. They ignore the abuse, they say "the problem is insecure systems," they secure their systems, they do no more, the spam continues - and grows.

      It makes very good sense to watch the abuse that underlies the offenses. It makes no sense at all to ignore it. It would take fewer than 1% of the operators on the internet watching the abuse to track it down and get the accounts used to send the abuse terminated. Continuing to blame "insecure systems" and to fail to act gives you what we have now: a wide-open opportunity for abuse.

  10. Re:And no matter how many worms by Anonymous Coward · · Score: 2, Interesting

    I distinctly recall the Autostart9805 worm that plagued Macs in May of '98 (9805, duh). It even made it onto the pack-in disc from MacAddict one month.

    Of course, that worm didn't do any damage, IIRC. And it took advantage of one of the things Apple copied from Microsoft, which may explain why they're now hesitant to add things to OSX that "have been in Windows for ages."

    But worms are certainly NOT a Windows-only problem.

  11. Internet Worm FAQ by Anonymous Coward · · Score: 3, Informative

    This FAQ seems to have a lot of good information on Internet Worms:

    http://www.networm.org/faq/

  12. Do yourself an Xmas favour then by phorm · · Score: 3, Funny

    Buy the book for the people whom you know need it. Dogtag/highlight relevant pieces in highlighter.
    Leave gift-wrapped in the vicinity of the bathroom. It may take awhile, but eventually somebody will probably pick it up and start perusing (bathroom is the best place to plant reading material). If you're lucky, they may find it interesting, or at least stay long enough to catch some important points.

    Oh, and if you want, you could speed up the reading process by also lacing the Xmas cookies/etc with a little X-lax icing.

  13. Re:Kinda sounds like Defense Against the Dark Arts by zuvembi · · Score: 2, Funny

    Soon you will only need to be within 10 feet of something to get attacked by a worm or virus!

    Isn't that what BlueTooth is for?

    ;)

  14. sudo is better than su by nick_urbanik · · Score: 2, Interesting

    sudo is much better than su because:
    • Only one person needs the root password (great when there are several admins; a shared secret is not a secret)
    • A senior admin can delegate some admin tasks to others, not simply hand over total control
    • It keeps an audit trail of what you did
    • If someone is using su, then you have been cracked, and can detect that more easily in the logs
    • You never are tempted to do any unnecessary stuff as root.

  15. Something worth publicising ... by jc42 · · Score: 2, Interesting

    The FAQ includes the interesting sentence:

    Oddly, under the Bush administration, there has been a massive contraction in research funding into Internet Security.

    It would be interesting to see details of this charge. Is it really true? If so, we should be publicising it.

    Contrary to much of the marketing hype, the Internet was in fact developed primarily with US government funding. DoD funding, in particular, through (D)ARPA.

    The commercial world is trying to take credit, but they did very little to help develop the Internet. So far, the commercial guys also seem to be not terribly interested in Internet security, with the obvious exception of the handful of companies that were created to sell after-the-fact security-related software. Meanwhile, the big vendors continue to turn out new network apps with little regard for the new security holes those apps may contain.

    If history is any guide, the only likely source of real Internet security is the academic community that built it in the first place. And the only likely source of the funding is from the US and a few other governments.

    Reading of cutbacks in this funding just as the really serious worms are appearing is somewhat unsettling.

    So what are the numbers? What is the history of funding for Internet security research? Can we collect the details, and publicise the situation? Has it already been done?

    (A quick check via google turned up a few tantalizing details, but no obvious site with a complete summary.)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  16. Re:And no matter how many worms by jc42 · · Score: 2, Interesting

    The first worm was the Morris Worm, in 1988,

    Nah; I clearly recall being bemused by the release (on a couple of newsgroups) of PDP-11 and VAX worms and viri in '83. I know it was that year, because I know where I was working when they came out. I don't recall that we gave them official names then, though.

    Needless to say, when the proof-of-concept was published, the main reaction back then was to study them, figure out how to prevent such things "in the wild", and tell the vendors in no uncertain terms that they would add the fixes to their systems or they would make no more sales. Since then, there have been only a handful of actual wild worms and viri in the entire unix part of the industry, and they used exploits that were fairly new at the time.

    In a very real sense, the major reason that the Microsoft user community has such problems is that they permit Microsoft to continue to sell software that's full of security holes. As long as their customers continue to pay them good money for insecure software, they will continue to build and sell it.

    Anyway, there were probably worm/virus prototypes before 1983. Anyone know of them?

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  17. First virus and first worm by Pan+T.+Hose · · Score: 2, Interesting

    Anyway, there were probably worm/virus prototypes before 1983. Anyone know of them?

    In 1981-1982 the first computer virus, Elk Cloner, started spreading in the wild but it was not until 1983 when Fred Cohen finally proved that the concept of a computer virus was viable. To my best knowledge the first worm spreading in the wild was IBM Christmas Worm in 1987 and the first Internet worm was Robert T. Morris' Worm in 1988.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."