Analysis of the Witty Worm
DavidMoore writes "The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an analysis of the recent Witty worm. Among other things, Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous Internet worm."
The end of the worm seems to have bytes suggesting a flaw in the original worm code.
I'm still getting data points for the infected by analyzing the worms victims who contact my IP.
Conclusion:
The Witty worm incorporates a number of dangerous characteristics. It is the first widely spreading Internet worm to actively damage infected machines. It was started from a large set of machines simultaneously, indicating the use of a hit list or a large number of compromised machines. Witty demonstrated that any minimally deployed piece of software with a remotely exploitable bug can be a vector for wide-scale compromise of host machines without any action on the part of a victim. The practical implications of this are staggering; with minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts.
While many of these Witty features are novel in a high-profile worm, the same virulence combined with greater potential for host damage has been a feature of bot networks (botnets) for years. Any vulnerability or backdoor that can be exploited by a worm can also be exploited by a vastly stealthier botnet. While all of the worms seen thus far have carried a single payload, bot functionality can be easily changed over time. Thus while worms are a serious threat to Internet users, the capabilities and stealth of botnets make them a more sinister menace. The line separating worms from bot software is already blurry; over time we can expect to see increasing stealth and flexibility in Internet worms.
Witty was the first widespread Internet worm to attack a security product. While technically the use of a buffer overflow exploit is commonplace, the fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end-users apply patches to plug security holes is not viable.
It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.
The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people to sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.
You can find more information here.
Sort of a natural counterpoint to "What would the world be like without Microsoft", isn't it?
It makes you wonder what this means for future vulnerabilities. If worms are propagating this quickly after vulnerabilities are discovered, it might not be so fun in the future.
In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software.
This makes me feel a bit safer, since we used to run Windows-based boxen directly on the Internet but now they all hide behind a Linksys NAT Router and firewall.
From what I've learned, the general rule is NEVER to put a Windows machine directly on an unsecure network. Unfortunately, the machine I'm typing on here at the University of Virginia is directly connected and yes, it runs Windows. I turned on the Internet Connection Firewall...but this kind of worm vulnerability makes me nervous. Today, someone attacks the eEye security software; tomorrow, someone takes out Microsoft's ICF.
Similarly, end users may also be unaware that perceived slowness of their computer or Internet connection is caused by a worm, and they may reboot their computers in the hope that that will fix the problem.
I find this problem with spyware and adware too. I recently cleaned out the computer of a family friend that was very slow and would no longer connect to the Internet. Removed a huge gob of spyware with Ad-Aware and Bazooka, and BAM! we were back online.
Goes to show you. I'm thinking that Microsoft's security model in Windows may need to be revised, considering in XP Home at least, all users run as Administrator (root) and system services have way too many privileges.
Makes me glad I replaced my aging NT file server with Linux/Samba.
Dunno, but it sure sounds cool and important, doesn't it?
I believe it's the first host to be infected, the 'master server', but it might just be that the master server just had several 'baby' master servers.
They state that the most important thing is to force users into a security mindset and this is near impossible. Also, they point out that even security-aware users may be at risk because of the risk of infection before the ability to patch the firewall/AV software is possible.
This leads to the conclusion that firewall/AV software should be included as part of the baseline system, whether with the operating system or as an additional package at system build time. Also it leads to the conclusion that user-assisted updates are useless and only automatic updates can effectively patch fast enough to block worms of this sort.
This is one of the most depressing stories about the state of the Internet that I've read in a while.
I have been pwned because my
Interesting. An article at zdnet suggests that the Witty was in fact a prototype, and could be the first example of cyber-terrorism. The combination of
a) The destructive payload
b) Time from disclosure to deployment
c) Large number of Ground Zero hosts
suggests capabilities far beyond that of an autistic 17-year-old in his parents' basement. Could this be the start of internet-based Al Qaeda action, that anti-terrorism experts have so long stated was coming?
The rate of worm creation on this one was almost a little TOO quick. This time to creation would almost suggest that the author of the worm perhaps had inside knowledge. It's not entirely outside the realm of reason that the vulnerability leaked from ISS before the announcement was made.
A ground zero host/vector is a host that wasn't infected by another machine, but by an individual who wished the machine to infect other machines. A ground zero host does not necessarily need to have the same exact code as the code it sends out, for example, in this case, it would be unproductive for the ground zero host to have the original code since it erodes the filesystem of the host.
The entire article doesn't mention the word "windows" once! Aren't you lucky.
Man, I am so used to seeing IIS in a security vulnerability I had to give it a second glance. I guess people shouldn't use those letters in software abbreviations anymore. It's becoming bad luck!
Seriously, worms like this that damage computers are very un-cool. As a freelancer I got to see this on only a few machines and by gratuitous use of recovery console, fixmbr, and (alas) one format and reinstall later I was able to fix them all.
While doing this onsite at a realty company I asked what they used as a firewall. Seeing blank stares from them all wasn't the highlight of the day. Not having a hardware firewall handy it was quite fun to race against the vermin as I downloaded patches off of the net on a virgin XP install! I actually thought I heard giggling echoing from the DSL modem as the DL percentage ticked higher slowly but surely....
Another day, another virulent internet worm utilizing an unaccounted-for "buffer overflow" to propagate itself throughout the internet. Users suffer and system administrators grind their teeth to clean out their networks.
By now I am sure it has been noticed that the "buffer overflow" is a very common "exploit" used by these internet worms to infect machine after machine. One simple way to address this problem would be to replace these vulnerable "buffers" with something that will not overflow, perhaps something spongy and highly absorbent. Isn't anyone working on a solution along these lines? You never seem to hear about any progress being made. Honestly, sometimes it seems like no one in the technology industry has any common sense.
The similarity of CAIDA to al-Qaida along with the mention of "ground zero" in the summary makes me think we have more to worry about than worms...
So the worm infects people who are behind firewalls, and you're happy because that's what you're doing?
Network Telescope
The UCSD Network Telescope consists of a large piece of globally announced IPv4 address space. The telescope contains almost no legitimate hosts, so inbound traffic to nonexistent machines is always anomalous in some way. Because the network telescope contains approximately 1/256th of all IPv4 addresses, we receive roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator. Because we are uniquely situated to receive traffic from every worm-infected host, we provide a global view of the spread of Internet worms.
They have 1/256th of all the IPv4 space?!?
That's a lot of IPs that could be freed up for other purposes.
It's great that they are doing this. And it is an interesting project. But I've been hearing about the lack of IPs for the last 5 years, and this one group has 1/256th of them.
The article stated that a good number of requests came from behind NAT firewalls. Many devices like the Linksys allow you to DMZ a host, which would end up being an attack vector behind your firewall. Also many people turn on port forwarding, which, done incorrectly, is an attack vector.
Might be time to make a security model that stops a firewall application from writing to the hard disk or deleting files. Why should it, after all? Or limiting just how many emails a user can send; how many times do you send thousands in a minute?
Perhaps even a delete mechanism that doesn't allow destruction of data without a password.
Paranoid? 12,000 machines just went Poof in half an hour with this virus, if the story tells it right. Doesn't exactly cheer me.
What that probably means is that the author released it originally via a few places with high-bandwidth which were preselected. The article mentions an initial infection of 110 hosts, which is obviously not natural.
By doing this, you speed up the onset phase by starting with a larger base of infected machines, thus propagating *much* faster than you would otherwise if you only started with a few low-bandwidth hosts, which would take time to get the infection spread very far.
Take a look at the graph they put on the site to see the rate of infection if you like, by the way.
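As an added example (not from the CAIDA report or any poster in this thread), the classic random-constant-spread (logistic) model that underlies the two points above: why 110 ground-zero hosts shorten the onset phase, and how a telescope covering 1/256 of IPv4 lets an observer infer global scan rates. It uses the thread's figures (about 12,000 vulnerable hosts, 110 initial hosts, 1/256 telescope); the per-host probe rate is an assumed parameter, not a number from the page.

```python
import math

ADDRESS_SPACE = 2 ** 32           # IPv4 addresses a uniform random scanner can pick from
TELESCOPE_FRACTION = 1 / 256      # UCSD telescope covers ~1/256 of IPv4 (from the report)
VULNERABLE = 12_000               # rough infected population cited in the thread
GROUND_ZERO = 110                 # initial hosts mentioned above
PROBE_RATE = 1_000                # ASSUMED probes per second per infected host (not from the page)


def growth_rate(probe_rate, vulnerable, space=ADDRESS_SPACE):
    """Logistic rate K for uniform random scanning: dI/dt = K * I * (N - I) / N,
    where K = r * N / S (each probe hits one given address with probability 1/S)."""
    return probe_rate * vulnerable / space


def infected_at(t, initial, vulnerable=VULNERABLE, probe_rate=PROBE_RATE):
    """Closed-form logistic solution: infected hosts at time t seconds."""
    k = growth_rate(probe_rate, vulnerable)
    ratio = (vulnerable - initial) / initial
    return vulnerable / (1 + ratio * math.exp(-k * t))


def time_to_fraction(fraction, initial, vulnerable=VULNERABLE, probe_rate=PROBE_RATE):
    """Seconds until `fraction` of the vulnerable population is infected."""
    k = growth_rate(probe_rate, vulnerable)
    ratio = (vulnerable - initial) / initial
    return math.log(ratio * fraction / (1 - fraction)) / k


def telescope_packet_rate(infected, probe_rate=PROBE_RATE, fraction=TELESCOPE_FRACTION):
    """Expected probes per second that land inside the telescope."""
    return infected * probe_rate * fraction


def infer_global_probe_rate(observed_rate, fraction=TELESCOPE_FRACTION):
    """Invert the telescope view: global probes/s from the observed rate (x256)."""
    return observed_rate / fraction


def fraction_of_sources_seen(window_seconds, probe_rate=PROBE_RATE, fraction=TELESCOPE_FRACTION):
    """Probability that an infected host sends at least one probe into the telescope
    within the window, i.e. how complete the telescope's census of infected sources is."""
    return 1 - (1 - fraction) ** (probe_rate * window_seconds)


def seeding_speedup(fraction=0.9, seeds=GROUND_ZERO):
    """How many times faster saturation is reached with a hit list of `seeds` hosts
    than with a single initial host."""
    return time_to_fraction(fraction, 1) / time_to_fraction(fraction, seeds)


if __name__ == "__main__":
    for seeds in (1, GROUND_ZERO):
        t90 = time_to_fraction(0.9, seeds)
        print(f"{seeds:>4} seed(s): 90% infected after {t90 / 60:.1f} min; "
              f"telescope then sees {telescope_packet_rate(0.9 * VULNERABLE):,.0f} probes/s")
    print(f"census completeness over 10 s: {fraction_of_sources_seen(10):.4f}")
```

The model ignores bandwidth limits and the worm's own damage to hosts, so it gives an upper bound on spread speed; the telescope inversion holds only for a scanner whose address generator is unbiased, which is the assumption the report itself states.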
The highest packet rate they saw was more than 23,000 per hour, sustained for at least one hour. The worm came out one day after eEye announced the vulnerability. It just went ahead and started erasing the hard drive, rather than just grep for passwords or credit card numbers. And this thing targeted and 0wned people who cared about the security of their computer!
If you've read nothing else, check out the conclusion:
I was thinking the other day about all the precautions you need to go through with a Windows box just to get a new install up-to-date; I was smug, and thinking that a Windows box without a firewall was like a person without a skin: no protection from infection, no way of stopping the most basic of attacks.
And now reading this I feel that smugness just draining in a really hideous way. I use Linux and FreeBSD...what of it? I realize there is still a big difference between Unix and Microsoft, between a local and a remote exploit, between an ordinary user account and root. But I'm no longer convinced those differences are enough: there's a thousand programs available on my machines, and all that stands between me and 0wnership is a programming error and someone who decides that, you know what, seven thousand hosts is worth it.
Nothing more to say at this point...I'm still staring uneasily at the blinking cable modem lights, wondering when it'll be my turn.
This is the best-named worm I've ever seen. When I first read headlines about it they said things like "witty worm attacks firewall." It took me a while to realize that was the name of the worm and not a judgement by the reporter (no, I didn't read the articles).
Since I deal more with our internal software/services (as opposed to dealing with the customers) I don't really have to fix anything other than wipe a machine or two. However, for me, the worst part of this is the kneejerking that occurs right afterward.
:)
Now that this worm hit, management is crying for more security without really thinking it through. Now all staff machines need to be behind hardware firewalls. ALL machines. Linux, Solaris (95% of our boxes), Windows. Not such a big deal, except they bought us cheapo Netgear cable/DSL firewalls that I'm convinced will do nothing more than ipf/iptables to stop a determined cracker. These Netgear firewalls stop me from mounting NFS from anything; they have no trusted-hosts options. In fact, I can only port forward from everywhere, so in a sense it is lowering my security.
Does anyone else experience reactionary steps like this from the PHBs?
(Thanks for reading my rant.)
I'm a Teaching Fellow (TF) in the Harvard Law School, and I believe that the hackers behind the witty worm can be caught and brought to justice.
With a bit of work, I believe that the hackers can be brought to justice. The question is, what happens next week when the next bored teenager releases the next worm?
Analysis of the Witty worm has revealed that it is wittier than most posts on Slashdot.
The proper term in epidemiology would probably be "index cases."
Well, for starters, I don't use the DMZ feature. Second, the only thing behind the firewall is a bunch of Windows 2000/XP workstations (properly secured, except no firewall software), a Linux file server, and any other Linksys network devices I feel like using (like my print server).
I realize that if something penetrates my network then I'll probably become an attack mechanism but... that's why I'm paranoid about internal network security and keep a very close watch on it. This is probably a horrible security policy, and I'll eventually get around to changing it, but for right now, I'm kinda busy with my studies.
Please note that I have considered adding an additional router/firewall (based on one of the *BSDs or Linux, running on an old 486 or Pentium) in between the Linksys router and internal LAN.
I'd be making snide remarks to the owner of the machine I was deliciously invading, such as "nice windows".
You misunderstood me.
I said that I feel a bit safer sitting behind a closed firewall/NAT router. In general, it keeps most of the riff-raff out. I've configured it to more or less reject anything inbound that hasn't been initiated by an internal machine, while letting outbound stuff go through.
I am a bit nervous about my college dorm machine here, though, since it is directly on the Internet (no dorm firewall, only the MS ICF).
I'm also happy that I'm partially migrating my network infrastructure to Linux, etc. (i.e., non-MS products) because they are generally more secure by default.
This is what appears when the worm wipes your hard drive.
Rather than "Why did you let this happen, Billy boy?" or something it just says that.
Just because you don't understand it doesn't mean it's off topic.
The Spread of the Witty Worm
March 19, 2004
An analysis by Colleen Shannon (cshannon@caida.org) and David Moore (dmoore@caida.org) of the spread of the Witty Internet Worm in March 2004. The network telescope and associated security efforts are a joint project of the UCSD Computer Science and Engineering Department and the Cooperative Association for Internet Data Analysis.
We would like to thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project; Mike Gannis, Nicholas Weaver, Wendy Garvin, Team Cymru, and Stefan Savage for feedback on this document; and the Cisco PSIRT Team, Wendy Garvin, Team Cymru, Nicholas Weaver, and Vern Paxson for discussion as events unfolded. Support for this work was provided by Cisco Systems, NSF, DARPA, DHS, and CAIDA members.
Introduction
Background
As the Witty worm sends packets to randomly generated IP addresses, because of the relatively small and quite dense IPv4 space, it can quite easily hit a vulnerable host. I am not sure if using IPv6 will render this kind of attack impossible? Can anyone clear this up for me?
I have no idea why you think there would be useful information on those machines. Even if they were logging to the max (an extremely unlikely supposition) it would have been trivial for the authors to deploy the worm to all those machines through some random open wifi.
Be reasonable.
That's a very good suggestion, except that in this case, the firewall software was the vulnerable component. No BlackICE, no Witty worm.
I'm deeply troubled by this; we piss and moan about how the average windoze luser doesn't have a firewall or AV software, and then this pops up.
Much as I would like to, I can't blame this on Microsoft. It's just sloppy programming, the sort of practice that M$ has made prevalent. There, I blamed M$ after all. Still, changing the permission model of Windoze wouldn't have helped this; BlackICE is exactly the sort of software that needs access to the network protocol stacks; it's supposed to be one of the trusted portions of the system, as compared to all those VBScript viruses that run as admin/root, but shouldn't.
If I were designing a new CPU, I would think about including some hard-core stack protection. A no-execute bit in the MMU is a very good start, but still not bullet-proof. I'm thinking something (with OS assistance) to disallow all access beyond the link pointer for the current function call. Every CALL sets a new boundary, and every RET pops back to the last boundary. Try to write past the boundary, and you get a machine exception. Much finer granularity than 4K pages that most 32-bit MMU's provide.
Come on now - there is no way that end users would be financially liable for their computers.
Oh?
If you run someone down with your SUV, while so drunk you didn't even know you were driving, are you not by that responsible?
If you crash your Cessna 182 into the middle of a city, while chatting with mom on the phone about what a dork JWB is, would you not be responsible?
If you leave your Microsoft "empowered" computer, which is proven to both attract and spread both viruses and worms like no other platform in the history of mankind (as such, Microsoft _is_ the undisputable market leader), should you not be responsible for this?
It reaffirms a lot of "common sense" security approaches that were ultimately superior to the naive idea that if you dump yet another piece of software on your machine, you'll be "protected".
1. Don't run ANY software that you aren't very comfortable with and has a long track record of being solid and stable.
2. Turn your computer off when you're not using it.. so simple, yet so many people just leave their machines on. A computer not online when not in use is a secure computer.
Read Gibson's report of the DDOS on his website, and you'll have a completely different view of the possible reach of a 17-year-old in our current times of insecure computing.
http://www.grc.com/dos/grcdos.htm
In short, anyone with basic scripting knowledge and some time can create a reasonably-sized network (of a few hundred systems, at least) of remote-controlled "bots" or zombies, generally home users on cable modems. Quickly-propagating worms are more easily come by. It doesn't take much to add a "delete IMPORTANTFILE.SYS" to one of those.
It takes even less effort to then combine the two.
While this action may appear to require large-scale planning and intent, it can be accomplished fairly easily by one kid with issues and a bit of time to work on it. Not to say that it *isn't* an easy way for cyber-terrorists to strike (if a kid can do it well, a trained terrorist could probably add something more interesting), but it is definitely within the reach of an oddball kid.
Interesting: one could have had the feeling that it was 'stupid' for these worms to destroy their hosts so rapidly. Why not wait for a few hours or days and then do it in a synchronized manner?
In fact, the overall number of hosts that could be infested was low (~12,000): there was no need for waiting.
It seems that those who launched it had a very good knowledge of what they were doing.
Definitely interesting.
Under those conditions, if a similar flaw is found in, e.g., iptables, ssh, bind, apache or postfix, it could have a similar impact, be the OS Linux, FreeBSD, MacOSX or whatever you consider "safe" and widely enough used.
Of course, if the same happened to a really popular piece of software out there (clients are more popular than servers, we know the effect of Outlook worms, and even by-default-installed servers, like IIS, or maybe even Win XP SP2's bundled firewall) the effect would be much worse, but no OS connected to the internet is safe against this. Maybe release policies will change, putting the "when it's ready" release date over the "when the marketing people say" one, in the light of the widespread nature of this kind of thing.
A very interesting article, with some great lines, a few of which I quote here:
"The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people to sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software."
There it is. The users pay good money to be on the internet, but they are not ready to be on the internet in its current unsafe condition. So to help fix the problem we want them to be security experts? The authors are correct; we have a totally failed security model that requires too much expertise out of the average Joe Blow end users.
The major targeted firewall of this worm, BlackICE Defender, has been shown on multiple occasions to do a very poor job of actually protecting a system from attack, either by an outside worm or an internet trojan. So, while the users may have been concerned about their security, they were not, apparently, concerned enough to research before buying their security products.
http://www.grc.com/lt/scoreboard.htm
I understood you perfectly. It's just an odd time to be saying that you feel safe behind a firewall, after a worm comes out that's infected a lot of machines behind firewalls.
We tend to think of the M$ monopoly, and the subsequent homogenous pool of hosts, as being the reason for the rapid spread of worms. Actually, the monopoly means that most viruses will be targeted at that platform because it is obvious, but a virus well targeted even at a niche platform like ISS can take off because the internet itself is now almost completely transparent.
What this suggests is that the combination of 1) bandwidth commonly available and 2) CPU speed are now more than sufficient for a virus to find almost all of the hosts it needs to anywhere these are on the internet. When a few early, fast hosts can spew 11,000,000 pps to random IP addresses then it doesn't take long to find what one is looking for.
No doubt this is part of the reason for the observation that when 2% of Windows sysadmins fail to patch for a known vuln, then the next worm to come along and exploit that vuln has a field day. 2% of a really big number is in turn a lot of hosts, millions of Windows hosts for example.
And a million of anything, be it Mac OSX or NetScreen or Checkpoint or BeOS or OS/2 or Amiga or anything, is fair game when a smartly written virus can get them all.
I guess I'll have to go back and review my Mac for system updates.
These infections were on a small population of the net. It seems to me that we should expect a serious worm across all/most versions of Linux some time in the next couple of years. Probably the same for BSDs, and that would include Mac OS X as well. Yep, we shouldn't sleep so well these days or be complacent thinking it's just a Microsoft problem.
The ONLY practical way to eliminate buffer overflow exploits is to develop and use a compiler that does not permit buffer overflows. This means proper compiler design (optimized for functionality, not speed), thorough audits of the compiler code and a robust test program for the compiler.
Even with this approach, it will be years before all the 'bad' code out there is replaced by new code that cannot cause buffer overflows. But I see no other way to put an end to this 'madness'.
What's most disturbing to me is that this worm appeared on about 200+ distinct hosts at such a rate of speed that it could not have done so that fast using its main random-checking method. There clearly was some plan to pre-seed the worm into at least that many places before the worm started to spread on its own.
I doubt whoever programmed this worm had legit access to that many well-distributed computers... so it appears that some carrier hack occurred before this worm was released, which effectively took about 12 hours off of the reaction time clock before the white hats even realized what was hitting them. Are we about to see a rash of compound attacks where one worm has a second worm baked in?
Wasn't it software firewall software that was compromised? They're completely different things.
Let me penetrate your network. I have the common decency to give your attack mechanism a reach-around.
This sounds like something concocted at theonion.com
I'm a long time UNIX/Linux hacker (I first programmed on UNIX on a VAX). I've written a lot of C/C++ code. But long ago I used Pascal and more recently I've been using Java more.
Both Pascal and Java do range checking. That is, they check the bounds of arrays (buffers) when they are accessed. This means that about half of the security exploits (including the one targeted at BlackICE etc...) would not exist if our software base was implemented in languages with bounds checking.
The original reason that bounds checking was not implemented in C was that the early compilers were very basic (little in the way of optimization) and bounds checking overhead slows execution. Bounds checking overhead can be reduced through optimization, but Ritchie's original C compiler only did simple optimization.
Another problem is that in C pointers and arrays are more or less interchangeable. So bounds checking becomes difficult or impossible in all cases (C provides way too much pointer flexibility when it comes to enforcing bounds checking).
If we were to add up the cost of all of the buffer overflow security attacks it must run in the billions. So the "power" of the C programming model has extracted a pretty high price. This puts an interesting retrospective slant on Brian Kernighan's 1981 article "Why Pascal is Not My Favorite Programming Language".
I have to confess that I would not go back to using Pascal. But native compiled Java, with Java's bounds checks, would be far safer than C++. And it would result in software that is more robust against security attacks.
Yes we can all learn to use fgets, strncpy and other safer library routines. But this only makes our code safer. It does not provide the complete protection against buffer overflow attacks. So perhaps it is time to reconsider the programming languages we are using. Perhaps unrestricted pointers and no bounds checking has become too costly.
Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.
How many Linux, BSD, and Mac machines were infected?
who are those slashdot people? they swept over like Mongol-Tartars.
In order to be hit by this worm, you would have had to have installed a product that, according to its box label, makes Windows more secure. These boxes were 0wned by a flaw in firewall software.
A key point of modern tactical doctrine is to act faster than the opposition can react. Special operations types talk about the "period of vulnerability", which begins when the defender notices an attack and ends when the attacker achieves relative superiority. Most attacks fail during the period of vulnerability. So modern tactical doctrine says that it's worth huge amounts of effort and money to cut that time down. This is why special ops people rehearse and train to a level that seems unreasonable. It's not to make them good, although it does. It's to make them fast, so they get through those first seconds and minutes at the beginning of an attack before the defenders can react.
That's exactly what we saw with this worm. The attack was launched in a way that rendered the usual strategies of anti-virus companies ineffective. Anti-virus companies, (and Microsoft), have known response and patching cycle times. The creators of this worm got inside that cycle time, by building both a fast-propagating worm and by starting it from multiple points.
Military doctrine gives us some insights on what to expect next. This worm involved a campaign, a series of battles fought to achieve a goal. One attack acquired machines to be used as bases in a later attack. That's standard doctrine. Other relevant military concepts include mutual support, feints, and diversions. We are starting to see worms and viruses that support each other, so that if one is removed, another attack lets it back in. We may see feints and diversions, where a big noisy attack is launched to divert attention from something more subtle.
Another doctrinal concept is that of combined arms. So far, virus writers generally haven't utilized other hacking techniques, like dumpster diving, social engineering, or wiretapping. That may change.
We may well see an attack that wipes out most of the Internet-connected Windows machines in the world in a single day.
"Unfortunately, the machine I'm typing on here at the University of Virginia is directly connected and yes, it runs Windows."
... Engineering? Business? What?
Why?
UV has good people. Why do they let you (require you to (??)) use Windows? Are you in CS, Math or Applied Math?
Based on the IPs of computers spreading virus, worms, etc. in the past, my impression is the engineering departments (& "institutes") are among the most common academic sources of this garbage. (Earlier today, unl.edu was a problem.)
It is realistic to think that there is quite a bit of IPV4 space inside DARPA and many other places, which operate unconnected in all ways to the common internet. The problem with a single Class A is that it would require a purely random virus addressing scheme, since they indicated that they expect a broad cross section of the net traffic. If not, a virus could exploit that by skipping that address space entirely - which, I am sure, is why they are so vague about the project. They could just use the "10." space, since it is used on local networks.
That said - WAY COOL, MAN!
Imagine the ability to capture such a sample from the world's human population to check and trace viruses IRL. An epidemiologist's dream.
Faith is the very antithesis of reason, injudiciousness a critical component of spiritual devotion. Jon Krakauer
Someone must have read "How to own the internet in 15 minutes".
It was a good paper that focused on using a large start base to bring the net to a halt quickly..
I can't find my linky for it...
maybe someone out there remembers it..it was a slashdot article months ago..
So long as you DON'T get smug and its natural partner complacent, you should be fine. If you keep on top of security flaws, no matter what OS you use, you will probably get patched before you get hit. That's not to say you couldn't get hit so fast there is no chance to patch, but it's highly unlikely.
There are also other security measures you can take:
1) Have a hardware firewall that protects your network. That way, should your software firewall fail for any reason, it's not your only line of defense. Also hardware firewalls are much simpler devices (they only do one thing) so it's much easier to produce robust, non-exploitable code. Even if it is exploited, all they've done is drop a layer of defense not get your system. Lock down any inbound ports you don't have a reason to use (which may be all of them in some cases).
2) Have software firewalls on all your computers. Don't rely on just a hardware firewall. It protects the network as a whole, so if one system falls, they are past it. Put good (as in Kerio quality, not Black ICE quality) firewalls on all your computers, and have them set to give the minimum amount of access that makes your life easy.
3) Along the lines of #2, don't trust your own computers, unless you need to to make your work easy. That way if one is compromised the others don't automatically get hit. This means things like using different passwords on all systems. They don't need to be very different, a single character will do, just so that if they get the password on a given system it isn't valid on the others as is.
4) If possible, get a proactive security agent, like the Cisco Security Agent. Normal virus scanners are reactive, and rely on updates before they can detect new threats. The CSA is proactive and stops threats based on behaviour that ought not happen (like modifying system files or starting up an SMTP server). Unfortunately I'm not aware of any of these for the consumer yet (CSA is enterprise only), but keep your eye out.
More or less if you have good security and work to keep it good, you're probably pretty safe. The biggest problem is complacency in assuming that your setup is safe because it's Linux or because you have a firewall, etc.
I think it's about time some of these worms start being ultimately destructive, and destroying the host systems after they've spread themselves.
Does it suck for those infected? Yes, it surely does. But if you stop and think about it for the moment... if you have an unpatched machine, and you typically don't care about what happens to others because of your infection, which most Windows users do... either through ignorance or through apathy. Destroying the host machine will force the people to come to grips with their apathy or ignorance in the most obvious way possible.
After this happens once, twice, three times, the aforementioned person is going to sit up and take notice, and be proactive in keeping their system up to date, lest they lose everything again and again.
More destructive worms = less apathetic/ignorant users out there, as they lose their work and systems over and over. Either they'll be kept off the net for good, or they'll keep their systems updated and patched. One way or another, the world would be a better place in a lot of aspects.
I think we all have to come to terms with the fact that our current state of Computer Science is not up to the task of dealing with the Internet as it is becoming.
Linux/BSD has a somewhat better security record than MSFT, but even after all the auditing effort put out by the guys over at BSD/OpenSSH, there have *still* been a number of security vulnerabilities recently!
The problem is not being viewed in the proper light. Something like a buffer overflow should not result in a compromisable host! Something like a misquoted SQL statement should not result in an SQL injection vulnerability!
Applications and programming environments need to be structured and developed with the understanding that people make mistakes and there needs to be allowance for that.
You can't expect a group of programmers to maintain 50,000, 500,000, or 5,000,000 lines of code without there being mistakes in there.
It just cannot be done.
So languages, programming techniques, and infrastructure need to be developed that truly prevent the "bug==severe security risk" situation.
Really, as much as we all laud their security record, Microsoft is in a good position to trounce the OSS crowd if they can come up with a software language and security system that allows for programming mistakes.
The answer is NOT to make sure you input validate *everything* - although input validation is always a good thing.
The answer is to develop a system where common programming mistakes do not result in a security issue.
Get used to it. People are people. They make mistakes. We either cease being human, or develop a system that makes allowances for our humanity.
Can we do it?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Here are some hypotheticals and not-so hypotheticals.
Are there any products that will ghost my drive onto another drive inaccessible to the OS by ordinary means every day?
How can we teach people and developers the wonders of encryption so their credit card numbers and passwords can't be stolen?
What will it take for hardware and OS makers to find a solution to most/all buffer overflows.
Why are non-servers on the internet 24/7? A 'disconnect me after 1 hour of inactivity' would go a long way.
Should we be encouraging residential ISPs to temporarily block ports during major outbreaks?
Should ISPs be denying access to computers found to be spewing spam, viruses, or trojans?
Why are we storing data locally? A fire or a crashed disk could mean the loss of important data, photos, etc. The internet hasn't seemed to provide users with an easy way to upload/download/sync documents off-site securely and easily.
In other news, the Action League department of the Cooperative Association for Internet Data Analysis (AL CAIDA) today announced new threats of technological terrorist attacks. Among other things, they threatened to use illegally acquired funds to purchase the Microsoft Windows source code, insert viruses directly into the operating system, and release them to the unsuspecting world. The most frightening of their threats was to implement a technology called Windows Scripting Host, which would execute malicious code upon reception in an email inbox. Such a technology would allow viruses to spread faster than with earlier diskette-based methods.
Oh, wait... That's already been done for them. Back to the black hat drawing board with these computer crime organizations.
Haha, that is true.
At least I feel safer than if I were just running out there open and naked, without any protection at all.
It's funny though, I believe BlackICE Defender was one of the affected products, and that's what Steve Gibson used to tout so highly until he switched over to ZoneAlarm.
Is anyone else sensing the likelihood that compromised MyDoom machines were the ground zero hosts?
An infinite number of monkeys will eventually come up with the complete works of
Usage patterns show there is quite a bit of unused space, from the perspective of traffic. And why should any one entity be allocated 16 million externally visible addresses?
PS: Next time, try "vulnerable".
You can massively limit the damage done by a worm in Linux simply by running all processes that leave a port open in a chroot jail, or by doing so as a lesser privileged user. This is one of the many simple solutions available, while in Windows, it's not so easy.
I'm in the Engineering School. I run Windows because I have to use such programs as Office, MathCAD, JCreator, Canon scanner software, Palm Desktop software, and the occasional game of Rise of Nations.
My roommate has a Mac PowerBook though, and it's so much sweeter than this Windows desktop.
Most of the campus uses Windows-based systems, although there are plenty of Macs and *nix boxes all over the place...they're just hidden behind the scenes.
There's nothing wrong with Windows when properly secured...it's when it's NOT properly secured that it becomes the problem. Same goes for any *nix or Mac box.
1. Create or acquire Internet security company
2. Publish security tools
3. Build large customer base
4. Profit
5. Release virus that exploits a hole you left in your product
6. Sit back and enjoy as havoc ensues
7. ???
*dons tin foil attire*
I'm sorry if I haven't offended anyone
On a side note: at home I run a combination of *nix and Windows boxes. I prefer to keep Windows on the desktop, but on the server side, it's all *nix (the licensing fees and incessant purchasing of server utility software, and the crashing and slowness and instability of Microsoft server software finally got to me).
Several of my friends from the Systems Lab at TJHSST introduced me to Debian, and I threw out my NT server in favor of Debian with Samba-TNG. Haven't looked back since.
Because Windows is so homogenized, and everyone is running as root, it makes it a lot easier for certain flaws to be exploited. It's just a simple example in biological systems; where systems are diverse, it's less likely to be adversely affected by outside threats.
Basically, it's good to have all the different distros (mandrake, red hat, suse, openbsd, freebsd, gentoo, debian, etc.) and all the different versionings, because this decreases the ability of black hats to attack *bsd and linux machines on a wide scale.
That's not to say it won't happen. You can't get lazy. Security is important, and you should be mindful of exploits and other issues. But for now, it looks like we're pretty secure.
Security through diversity, as opposed to security through obscurity, seems to be a pretty nice model for security. I'm willing to take security through diversity instead of obscurity any day.
I don't think that people should be fined to death. But issuing a small fine of 5-100 dollars (similar to traffic violations) + a mandatory class on computer security/safety/literacy and what not.
At the end of this course a student should be given a computer infected with a few viruses/malware/adware and have to remove them by obtaining and using tools available on the internet.
This is a somewhat good solution.
The only problem I see is who does the money go to?
I guess it might pay for the class or something. Who would provide the class? Leave it up to private business just like defensive driving is.
Ok, but don't blame me when they crapflood with +2 karma bonus and mod up their own posts with mod points.
You have been warned.
1) Internet Information Services's track record has improved dramatically in the last couple of years... the last security patch for it was in May of last year, and then the one before that was in 2002.
2) Why didn't you enable XP's firewall before connecting to the Internet? That's a pretty effective way of preventing your machine from getting infected while collecting the various updates.
You might try Gentoo also. In our LUG lately, the merits of Debian and Gentoo have been of interest.
funny things:
next story on slashdot:
> What Would The World Be Like Without Microsoft?
scary things:
While Witty took 30 minutes longer than SQL Slammer to infect its vulnerable population, both worms spread far faster than human intervention could stop them.
ouch.
12 hours after the worm began to spread, half of the Witty hosts were already inactive.
double-ouch.
By infecting firewall devices, Witty proved particularly adept at thwarting security measures and successfully infecting hosts on internal networks.
great. besides point 2, wait until an xfiles kill switch or a modern day wintermute figures out how to mutate and evolve through all this.
I'll take you up on that suggestion.
Up until my intro to Debian, I had tried Red Hat, Mandrake, and SuSE, all of which were just plain horrible. The integration sucked, I couldn't get networking just right, and then...there was Debian.
I'll see about Gentoo. I'm looking for an excuse to try Linux on the desktop-side at home, prob. on one of my spare Pentium IIs.
From the article text:
"The worm payload of 637 bytes is padded with data from system memory to fill this random size..."
So you are seeing some random garbage that was in memory on the victim's machine while the worm was being sent out. That helps to avoid detection as it is harder to profile the worm.
"There have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked"
So if you buy a pos piece of software, like windows, that has security bugs included as a feature, you could be liable for damages. You buy a piece of software on good faith, and boom! You're bankrupt.
Yes, firewall software was the one that was compromised, I think. I used to trust ZoneAlarm, but then I figured that hardware firewalling is probably a safer bet than software firewalling, especially if the software firewall is running on a Windows box.
I do not use any of "Office, MathCAD, JCreator, Canon scanner software, Palm Desktop software, and the occasional game of Rise of Nations." I do use LaTeX (&TeX), xfig, Gimp, etc. I do not know if OOS products exactly duplicate your software. However, I was judging an engineering competition (for "junior high" students) with an engineering professor (and an engineering graduate student) last Saturday and we discussed some of these issues (viruses, CAD software running only on Windows, etc.). We agreed that Engineering colleges often do a poor job when it comes to software. (Our "engineering graphics" course for freshpersons is a complete joke. Security is not taken seriously; the (new) Dean decided he did not need an assistant/associate dean dedicated to network/software security and removed him soon after the (old) Dean decided this was a good idea. The list of "issues" in engineering is long.)
Mod this up; I think readers will find these links interesting.
Computer Systems Lab, Mr. Latimer FUCKING UP YOUR SHIT. Can I get an amen?
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
As the code leveraged "Buffer Overflow" techniques the conclusion to "turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention." is wrong.
... sure, but not for this!
Look.. you always have to be concerned with "software vulnerabilities" but fixing every individual vulnerability is not something you can really do. Making memory pages containing code READ-ONLY is the only way to insure against any and all accidental buffer overflows as attempts to write to a protected page would take control away from the program and return it back to the OS.
Incidentally this is exactly what MS has realized and is preparing for XP SP-2 "The security edition" due out this summer.
In the meantime I've installed and analyzed BlackIce 3.6ccg with PAM1 3.6.16 and found that while ISS has recovered from getting smacked in the exploit BlackIce's code pages are STILL WRITABLE!
So when is ISS going to protect its own code by making it read-only? What other fire-walls and IDSs suffer from such low-level oversights? Who's auditing the vendors for such things?
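One way to do that kind of audit on Linux, as an added example that is not part of the thread or of any vendor's code: parse a process's memory map and flag every mapping that is both writable and executable. It assumes the Linux /proc/<pid>/maps format; the sample map text and the file paths in it are constructed placeholders.

```python
"""Audit a Linux process's memory mappings for writable code pages.

Added example, not code from the thread. It reads the /proc/<pid>/maps
format (Linux only). SAMPLE_MAPS is constructed for the demonstration;
the paths in it are placeholders, not real files.
"""
import re
from typing import List, NamedTuple

# Constructed sample in /proc/<pid>/maps layout:
#   start-end perms offset dev inode path
# The plugin.so mapping is "rwxp": writable AND executable.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1234 /opt/demo/daemon
0060a000-0060b000 r--p 0000a000 08:01 1234 /opt/demo/daemon
0060b000-0060c000 rw-p 0000b000 08:01 1234 /opt/demo/daemon
7f0000000000-7f0000021000 rw-p 00000000 00:00 0 [heap]
7f1000000000-7f1000004000 rwxp 00000000 08:01 5678 /opt/demo/plugin.so
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
"""


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str

    @property
    def writable_and_executable(self) -> bool:
        """True when the pages can be written and then executed."""
        return "w" in self.perms and "x" in self.perms

    @property
    def size(self) -> int:
        return self.end - self.start


# address range, 4-char permission field, offset, device, inode, optional path
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text; malformed or blank lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue
        mappings.append(
            Mapping(int(m.group(1), 16), int(m.group(2), 16),
                    m.group(3), m.group(4).strip())
        )
    return mappings


def find_writable_code(text: str) -> List[Mapping]:
    """Return the mappings whose pages are both writable and executable."""
    return [m for m in parse_maps(text) if m.writable_and_executable]


def report(mappings: List[Mapping]) -> List[str]:
    """Human-readable one-line summary per offending mapping."""
    return [f"{m.start:x}-{m.end:x} {m.perms} {m.size} bytes {m.path or '[anon]'}"
            for m in mappings]


def audit_process(pid: str = "self") -> List[Mapping]:
    """Audit a live process (Linux only); 'self' audits this interpreter."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_writable_code(fh.read())


if __name__ == "__main__":
    print("constructed sample:")
    for line in report(find_writable_code(SAMPLE_MAPS)):
        print("  W+X", line)
    try:
        live = audit_process()
        print(f"this interpreter: {len(live)} writable+executable mapping(s)")
    except OSError:
        print("no /proc/self/maps available on this system")
```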
"developing large-scale, robust and reliable infrastructure"
the first person infected with something rare and dangerous, say ebola popped up in america, would be patient zero.
It's logical to conclude that the first computer in different locations to be the originators would be ground zeros or patient zeros if they were humans.
It's a Microsoft Windows worm. I am also on the Internet right now and my Windows platform (X Windows) cannot be infected by this worm. Get it straight. Windows is a generic English word and a generic computer marketing term.
"Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold-standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves."
I rarely criticize things I don't care about.
And, as somebody else has pointed out, there's nothing to prevent you from running both a hardware firewall and a software firewall. In the unlikely event that there's an unpatched vulnerability in the hardware firewall, you'd have the backup protection of the software firewall to protect you. The chance of both of them being vulnerable simultaneously and there being a worm written specifically to take advantage of the situation seems to be vanishingly small.
There's no point in questioning authority if you aren't going to listen to the answers.
We need to seriously consider the consequences of the firmware upgradability of modern computers and components. Imagine a worm like this one which instead of just wiping the hard disk, erased the system BIOS. In fact, worse is possible. There are software upgradable EEPROMS on the video card, CD-ROM, even the harddisk, printer, scanner etc. These EEPROMS can only be burned about 100 times. A malicious program could physically destroy all of them. If someone wrote such a worm payload, and released it after a 0-day exploit targeting millions of machines, the result could truly be a societal disaster. There would not be enough EEPROM chips, nor enough skilled workers to replace all of them. It would be worse than the 2003 blackout. I've felt for a long time that we need systems where no amount of malicious programming could destroy the hardware nor essential components of the software. One possibility is a hardware switch which would need to be pressed before any firmware modification could proceed. A similar idea would provide a hardware write protection to certain portions of the operating system.
>This makes me feel a bit safer, since we used to run Windows-based boxen directly on the Internet but now they all hide behind a Linksys NAT Router and firewall.
But only a bit safer.
I'm guessing that you haven't obtained the source code for your firewall from Linksys and audited it for buffer overflows.
With some of the open-source products I can at least be assured that some brilliant anal-retentive paranoids have crawled over the packet filtering code looking for and fixing problems.
There is simply more you CAN do to secure Linux, versus Windows, in which almost all security has to be installed separately.
> You can massively limit the damage done by a worm in Linux simply by running all processes that leave a port open in a chroot jail, or by doing so as a lesser privileged user. This is one of the many simple solutions available, while in Windows, it's not so easy.
It's very easy to manage security for service processes under Windows. Different users can be created for the services, allowing whatever ACL restriction you'd like. For other processes, the "run as" option can provide the same function.
If you're having problems determining which services (or other process) are opening what ports, check out netstat -o.
This stuff is actually "easy" under Windows - maybe not Aunt Millie easy, but any power user can handle it. No MSCE required. The tools (and documentation) are there. There's even a fancy gee-wiz UI way to do it - no regedit necessary.
If you're a fan of software firewalls (I'm not), then yes, generally you have to buy these separately. But then software firewalls aren't really the answer, are they. Why do I need a separate piece of software to filter inbound connections. I can do that with the IPSECurity, or if I want redundancy, with a dedicated hardware firewall.
Call me over-confident, but I've had a Win 2000 Server on the net for 4 years, with no firewall of any kind, no NAT, no real-time anti-virus, and with open IIS ports. I run Outlook, IE6, VS.NET, SQL Server, and lots of other "notorious" MS software. The only illness this system has suffered was a code-red triggered DOS on my unpatched Cisco 675 router, and some nasty spyware installed with BearShare back before I knew what AdAware was. It's not magic - I just keep up with Windows Update and MBSA, and I try to be careful about what binaries I trust. Also, I back up religiously. To be honest, the hardest part has been keeping up with mySQL, PHP, and ActiveState revs.
Thank you for not saying "boxen."
So what you're saying is that more users should install those patches that Microsoft emails to them? That's a joke.
Have you ever had a new Microsoft patch BSOD your server? I remember a BSOD caused by NT 4 Service Pack 6 and another (on another server) by NT 4 Post SP6a SRP (Security Rollup Package).
Not everyone has non-production test systems (which are duplicates of production systems) to beta test patches on.
I am far more cautious today deploying patches on Microsoft systems than I have been in the past.
I use a method similar to @RISK: The Consensus Security Vulnerability Alert (from sans.org). I "keep my ear to the ground" Bugtrack for problems with the fixes for the problems. I use "test deployments" (patch a few systems to see if a problem develops).
With a bit of caution and lag time, all systems I manage are patched to current.
Who will guard the guards?
Look at the page you linked to. ZoneAlarm isn't listed as compromised product. It's not even made by the same company as the compromised programs.
Proud to be / Smiley-free / Since Nineteen / Ninety-Three
The patch model for Internet security has failed spectacularly.
Replace 'Internet' with 'Microsoft'. Yes, this is not a MS vulnerability, but shit does happen, even to the best of us, and I think we can calmly claim Unix security does in fact work most of the time.
I understand the panic of the authors of this article, but we're all burdened by watching Windows get the shit kicked out of it all the time.
Would that Windows were gone so we could heighten security in general and take a saner approach to things like Witty.
Goes to show you. I'm thinking that Microsoft's security model in Windows may need to be revised, considering in XP Home at least, all users run as Administrator (root) and system services have way too many privileges.
Oh definitely. I concur. But Lindows and Xandros both start you as root, and that's not smarter there, under Unix.
I think the situation with Windows is so bad it's beyond repair. I remember the US Federal Accounting Office condemned IIS a few years back as also being beyond repair. I think it's as Bill Joy said: 'they took systems meant for isolated use and put them on the Internet.'
The architecture of Windows is wrong. Cutler's NT was good - for what it was supposed to be: a LAN server. But Cutler's years in Redmond pre-date the net revolution, and he was forced to retrofit Prism onto what Gates insisted should remain: basic Windows system architecture. That simply cannot work.
Users don't have any default home directory. They can and do go anywhere. And if they can go anywhere, so can the intruders. And it's so easy to hide stuff on a Windows box. What AOL user regularly goes into the Registry to check the 'run' keys?
Windows is more of a hardware interface than a true and robust operating system, and I don't think it will ever be anything else.
Abandon ship. It's sinking fast.
Can the purpose of Witty be to test how successfully one can bring down Internet defences, in the event of a real attack on machines 'behind the lines'?
In light of this worm, I wonder if Microsoft is going to make any changes to the new Windows XP SP2 firewall? (i.e., a self-monitoring 'heuristic' process that watches for 'exploited-process-like-behavior.')
is a quantity that a lot of people in this world need more of
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
It does not require very much inside knowledge to guess which network they are using.
Sure a worm could skip that network. But why would a worm writer be interested in that?
In the past, other worms have used uneven distribution of target addresses. Sometimes because of random number generator deficiencies, sometimes to speed up traffic by favoring addresses that are "close" to the victim address (e.g. in the same /16). Those would not be registered by this /8 telescope because few or no victims will be in this particular range.
Another problem with extrapolation of the traffic statistics when the worm has not yet been fully analyzed: with a /8 you have 1/256th of the address space, but that does not mean you get 1/256th of the probes. You first have to find out if the worm is avoiding "unusable" addresses. For example, it could be it never uses addresses above 224.0.0.0 as they are unlikely to get routed to a victim. That would mean your /8 really is 1/224th of the address space.
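The extrapolation problem described in this comment, as an added example that is not part of the thread or of the CAIDA analysis: it computes the share of a worm's probes that a /8 telescope should see under different target-generation models (uniform, never above 224.0.0.0, and biased towards the victim's own /16), checks the analytic shares by simulation, and shows how the multiplier used to scale telescope counts up to the whole Internet changes with the model. The telescope prefix, victim address, probabilities and sample sizes are constructed.

```python
"""Network-telescope extrapolation under different worm target generators.

Added example; not from the thread or from CAIDA. TELESCOPE, the victim
address, p_local and the sample sizes are constructed for illustration.
"""
import ipaddress
import random
from typing import Callable

TELESCOPE = ipaddress.ip_network("1.0.0.0/8")            # constructed stand-in /8
UNROUTED_CUTOFF = int(ipaddress.ip_address("224.0.0.0"))  # multicast and above


def share_uniform(prefix: ipaddress.IPv4Network) -> float:
    """Fraction of uniformly random 32-bit targets that fall inside prefix."""
    return prefix.num_addresses / 2 ** 32                 # 1/256 for a /8


def share_avoiding_high(prefix: ipaddress.IPv4Network,
                        cutoff: int = UNROUTED_CUTOFF) -> float:
    """Fraction when the worm never generates addresses >= cutoff.

    A /8 below the cutoff then sees 1/224 of the probes, not 1/256; a
    telescope at or above the cutoff sees nothing at all.
    """
    start = int(prefix.network_address)
    if start >= cutoff:
        return 0.0
    return min(prefix.num_addresses, cutoff - start) / cutoff


def share_local_biased(prefix: ipaddress.IPv4Network,
                       p_local: float) -> float:
    """Fraction when a share p_local of probes stay in the victim's own /16
    and the rest are uniform; assumes the victim is outside prefix."""
    return (1.0 - p_local) * share_uniform(prefix)


def extrapolate(observed: int, share: float) -> float:
    """Scale a telescope probe count up to an Internet-wide estimate."""
    return observed / share


# --- Monte Carlo check of the analytic shares ------------------------------
Generator = Callable[[random.Random], int]


def gen_uniform(rng: random.Random) -> int:
    return rng.getrandbits(32)


def gen_avoiding_high(rng: random.Random) -> int:
    return rng.randrange(UNROUTED_CUTOFF)


def make_local_biased(victim: int, p_local: float) -> Generator:
    """Generator that targets the victim's /16 with probability p_local."""
    slash16 = victim & 0xFFFF0000

    def gen(rng: random.Random) -> int:
        if rng.random() < p_local:
            return slash16 | rng.getrandbits(16)
        return rng.getrandbits(32)
    return gen


def simulate_share(gen: Generator, prefix: ipaddress.IPv4Network,
                   n: int = 100_000, seed: int = 1) -> float:
    """Fraction of n generated targets that land inside prefix."""
    rng = random.Random(seed)
    net, mask = int(prefix.network_address), int(prefix.netmask)
    hits = sum(1 for _ in range(n) if (gen(rng) & mask) == net)
    return hits / n


if __name__ == "__main__":
    observed = 1000                                       # constructed count
    victim = int(ipaddress.ip_address("10.1.2.3"))       # constructed victim
    for name, share, gen in [
        ("uniform", share_uniform(TELESCOPE), gen_uniform),
        ("avoids >= 224.0.0.0", share_avoiding_high(TELESCOPE), gen_avoiding_high),
        ("50% local /16", share_local_biased(TELESCOPE, 0.5),
         make_local_biased(victim, 0.5)),
    ]:
        print(f"{name:20s} analytic share {share:.6f} "
              f"simulated {simulate_share(gen, TELESCOPE):.6f} "
              f"-> estimate {extrapolate(observed, share):.0f} probes")
```

With a uniform generator 1000 observed probes extrapolate to 256000; if the worm skips everything at or above 224.0.0.0 the same count means only 224000, and a worm that spends half its probes near the victim means 512000, so the multiplier cannot be fixed at 256 before the target generator is known.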
Most tech places tell people about MSConfig, you can use it instead of the registry to find out what starts up. There are also services, which are less likely to be talked about. Users do have a default home directory (My Documents), but one of the ideas in Windows is sharing - so you can share information/programs in various places. There is also the ability to run programs as a restricted user via right click.
-]Phreak Out[-
About a week ago, we had a vulnerability announced in OpenSSL. I imagine most of us patched pretty quickly. But the Witty worm appeared within twenty-four hours of the announcement of the vulnerability it attacked, and it infected 95% of vulnerable machines within 45 minutes.
Yes, it's funny that it was a Windows firewall that was attacked. Yes, it's especially funny that it was an expensive Windows firewall that was attacked. Laugh.
But also think.
This could just as easily have been us. From my root logs I patched my servers for the OpenSSL vulnerability on Sunday 21st, which was four days after it had been announced. If the Witty worm had attacked OpenSSL, it would have got me. I suspect it would get most of us.
Linux (or BSD, or whatever) is not immune to this sort of attack. On the contrary, we're just as vulnerable as anyone else. Those of us who administer public-facing servers have got to learn to be still more cautious, and still more proactive about fixing holes as they are announced.
I'm old enough to remember when discussions on Slashdot were well informed.
You know unix so you should know of syslog. Syslog writes the logs, not the firewall process. At least that is the way it is supposed to be. Syslog allows you to have the actual logs on another machine on a one way link (no deleting logs when the machine is compromised). Syslog can only write to the filesystem. Not to the HD itself. That in turn is not its job. That is the job of reiserfs? Perhaps you could even limit which filesystem a process can write to. Syslog has no business outside /var/log/. Furthermore it has no business overwriting existing files or deleting from files. Just append please.
Writing preferences? Again no, that is done with vi not by the firewall. IPTABLES can flush its settings but if I remember correctly this just flushes it to the standard output which you can of course redirect. But no need for the firewall process to write to the HD. Even if you have a nice config util then this is a userland tool not the firewall process itself. We are on unix not windows. Now a "make clean" will be a keyboard-bound process, yay!
Worse if you run a real firewall/dmz then you won't do this anyway. No compilers present. Hardened machines only have binaries placed on them. Why give a hacker a ready toolset to work with?
The solution won't be simple. Making stuff bug free or buffer overflow free would be nice but sadly seems impossible. I think if people still find bugs in openssl and openssh then we are just going to have to accept the fact that there will be holes.
I am just hoping, not sure as I just started on the subject, that I might be able to setup the first line of defence in such a way that any attacker who does get in finds himself unable to do anything. If SELinux does what I think it does then this would not have worked on it. SELinux would have detected that the firewall was doing something it was not allowed to and would have denied it.
Multiple layers of defence. I hate to think of my PCs as a warzone but that's the way it is.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Stupid name.
Is a driver still liable if someone breaks in, takes a screwdriver to the car's ignition and knocks over a Granny whilst joyriding? I don't think so.
> You know unix so you should know of syslog. Syslog writes the logs, not the firewall process.
Newsflash: there is no firewall process. iptables hooks itself to the low-level processing of the packet that just arrived in the network interface.
This way: packet --> network --> eth0 --> iptables will look at it, decide what to do with it, whether it should drop it, or reject it, or change some things and go on.
So, guess what! iptables is running as root? no, better yet! it's running in kernel space, with full destructive powers. Inject some code into iptables via some custom-crafted network package and voila... you have the same recipe for disaster.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
...anything that is called a "firewall":
1. Should NOT contain any attack analysis. The only attack that any security software not in the hands of security researcher has a legitimate reason to "analyze" is an attack that already succeeded, and the user is recovering from the destruction caused by it. Announcing "prevented" attacks or modifying the host's response to "suspicious" data is at least a useless toy, and at most a target for a real attack (though most often it's in the middle, a nuisance that reduces the reliability). Keep it simple, stupid!
2. Should be separated from the host that it protects by at least a virtual machine and (better) be on a separate device. Then the worst that can happen in the case of a firewall compromise is that the firewall will stop performing its functions. Running a "firewall" on the "firewalled" host is an equivalent of a person hiring himself as a bodyguard.
3. If running on the "protected" host, it should be passive, and merely prevent other software running on that host from receiving packets from the Internet even if that software listens on the ports that the author believes should not be opened. Still, calling this a "firewall" stretches the definition way too far.
The original meaning of a firewall is a wall in the building that prevents fire from spreading when the building is already on fire, and the firewall acts as a barrier for spreading it. It does not make a building non-flammable, and its design expects a building to contain flammable material, yet it prevents damage from spreading. A network firewall does something pretty close to this, it expects vulnerable hosts to be on either of its sides, and merely reduces the probability of successful attack from "external" to "internal" network, yet being relatively simple, it is impossible or difficult to attack. Having a "firewall" full of "flammable" bells and whistles, and in the middle of a system that it assumes to be vulnerable is a very, very wrong kind of design.
Contrary to the popular belief, there indeed is no God.
That is true. Problem is, ZoneAlarm is kinda bloated these days and sometimes (just like Norton Antivirus) it will randomly stop working on a computer.
I may have mentioned this in another post, but I'm thinking of putting a *BSD or Linux box in between the Linksys firewall and custom-building that system myself.
I probably could replace MSOffice with OpenOffice, and there's probably a Java debugger and compiler for *nix systems. MathCAD? No idea where to replace that. Rise of Nations is MS-only (dammit), and there probably is Palm Pilot interfacing software for *nix. Have no idea if my Canon scanner is supported, but I need to use it. Well, if they're making a poor choice, that's too bad, but in the meantime, I have to get work done, so I just try and make do.
(and on the side, I tinker with Linux... :P)
No, I haven't. I'm not quite that "advanced" a user.
Care to tell as to how to do this? I think some of the Linksys firewalls were Linux-based, or at least that's what I read a while back. Is this even possible?
See other post that says:
"I'm thinking of putting a *BSD or Linux box in between the Linksys firewall and custom-building that system myself."
We used FreeSCO at one point but then discovered that it had some nasty vulnerabilities.
http://www.microsoft.com/billgates/speeches/2004/
The parent comment caught my eye in particular because security was brought up as an issue when discussing the future roadmap for Visual Studio. Gates said the following: So, in a nutshell, Microsoft's next release of Visual Studio, 2005, will have new features that try to detect common flaws in development patterns and warn the programmer ahead of time.
Applications can also make a distinction between administration/user modes, and if this is what I think it is + Microsoft implements this correctly, then Windows security could move up a step closer to that of Unix-based permissions systems with a rough emulation of the relation between root/user modes.
And most importantly, with compiler options to automatically write in extra security checks, developers may not have to ever even know that a particular bug exists and still be a-ok.
Will this warn the developer of every bug? Probably, and almost 100% certainly not. For that matter, it's an extremely bad thing if you designed your code poorly and don't know that it is so; programmers should not be initially taught using tools like this.
But, as the parent mentions, this will lead to somewhat-more-secure code, and help in the long run.
In fact, I don't see anything bad about writing developer tools such that the environment can sensibly pop up a dialog asking "Are you sure you don't want to check input xyz?". At the very least, something like this is needed in both Microsoft and OSS development platforms.
Given, many hosts run the same OS (Linux, Windows, whatever) and the same binaries. Even if you compile the source from scratch the resulting binary is likely to be identical to other binaries on other machines.
This leads to a situation where malicious code can rely on things like stack position and such, enabling it to insert its code into it.
Idea:
Is it possible to modify the compiler or binary-format to gather some unique information from the host it is running on and modify the binary in a way that it behaves in a unique way on this machine?
For example in a way so that malicious code can not predict the position where it can insert itself, resulting in a crash rather than a compromise of the machine.
Pros:
- All malicious code would be obsolete if it doesn't know the "secret" of the machine and the method it uses to "scramble" its binaries and/or its memory.
- All remote/local exploits in any form would be converted to a DoS, which I think is not as dangerous as a compromise.
Cons:
- Would presumably make debugging of programs even worse than it is now.
- Insert "You stupid *%@&, you don't understand" here.
Please reply, as I feel that I may have missed something important.
--
LuckyStarr
Meme of the day: I browse "Disable Sigs: Checked". So should you.
If you put a Windows machine on a network, you just made your network insecure.
If you have to deal with networks that have Windows boxen on them (that would be most of us), even if they are behind a hardware firewall, you better be running iptables on your Linux boxes that are also on that network.
It's just a matter of time until...
(scenario deleted for security reasons)
You are being MICROattacked, from various angles, in a SOFT manner.
Not to mention that most server services on properly-configured *NIX boxes don't run as root, they run as a user with '/bin/false' as shell and write access to nowhere.
You compromised my Apache box? alright, have fun doing nothing except controlling apache until I notice and reboot, or the service is auto-restarted (every day for sanity).
There are exceptions, but it's a hell of a lot better than Windows where it seems the entire world is running as 'system' except the stuff on your screen, which runs as you.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
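As an added example (not code from anyone in this thread), here is a small audit in the spirit of the post above: it reads /etc/passwd-style lines and reports system accounts that could still get an interactive shell instead of /bin/false or nologin, plus any extra uid-0 account. The input is a constructed excerpt rather than the live file, and the uid range 1..999 for system accounts is an assumption (the Debian/Red Hat convention).

```shell
#!/bin/sh
# Added example, not from the thread: a check for the claim that service
# accounts should have /bin/false (or nologin) as shell. Run over a constructed
# passwd excerpt so it works offline; the 1..999 system-uid range is assumed.
set -eu

# Constructed sample; "named" and "postgres" are the deliberately weak entries.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
named:x:105:105:BIND:/var/cache/bind:/bin/sh
postgres:x:106:106:PostgreSQL:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# audit_passwd reads passwd lines from stdin and prints one finding per line:
#   shell:<user>:<shell>  system account whose shell is not /bin/false or *nologin
#   uid0:<user>           an account other than root with uid 0
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root"                           { print "uid0:" $1 }
        $3 > 0 && $3 < 1000 && $7 !~ /\/(false|nologin)$/ { print "shell:" $1 ":" $7 }
    '
}

# count_findings prints the number of findings for the passwd text given as $1.
count_findings() {
    printf '%s\n' "$1" | audit_passwd | wc -l | tr -d ' '
}

# Stand-alone run: prints the two weak service accounts from the sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

To run it against a real box, replace the sample with `audit_passwd < /etc/passwd`; an empty result is what the post above describes as properly configured.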
I used to trust ZoneAlarm, but then I figured that hardware firewalling is probably a safer bet than software firewalling, especially if the software firewall is running on a Windows box.
ZoneAlarm is the only thing that can tell you this attempt to connect to port 80 on http://12.34.56.78 is not coming from your browser, but from a process called __Leet_IM__CLient!!!111__ . You get the picture...
Because you allow port 80 outbound in your hardware firewall, don't you?
if you use a good enough junk-filter, slashdot.org will display a single, *blank*, page
Did I sleep through this one? I haven't seen it, nor received any breathless warnings of it from our anti-malware specialists. What happened?
Because you allow port 80 outbound in your hardware firewall, don't you?
Yes, I believe so, in order for client systems to browse the Web.
I'm the only one in my family with access to the Administrator account (well, my sister has it too when I'm not directly onsite at our house, but I keep watch on what she does) and I generally check out software before I install it. I'm reasonably sure most of our software is fine. Most of the software we're running is what we've been using for some time and I generally know what phones home and what doesn't.
Things like: Office 97, Adobe Acrobat Reader, Jasc Paint Shop Pro, whatever open-source programs I run now (we're replacing a lot of proprietary programs with open-source, mostly due to the licensing hassle), etc.
I know that AOL phones home, but I don't really care too much. We don't use Outlook, although it's installed.
Everyone else is running with normal user privileges, which, in Windows, I believe, do not allow the user to install applications. Even I run under a regular account for daily use.
If you put a Windows machine on a network, you just made your network insecure.
On an insecure network like the Internet or anything connected to wireless, perhaps...
If it's a family network that's entirely wired Ethernet, I think it's probably fine. That's what ours is, right now.
If I get a wireless 802.11g card, though, I think I better take some steps to actively secure the wired portion of our network. (That probably will involve building a *BSD or Linux box that connects the three networks together, i.e., the internal wired LAN, the wireless LAN, and the "DMZ"/connection to the Internet via the router, and manages and monitors the traffic between them.)
Any system that is improperly secured (Linux included) is unsafe to put on a network these days. Windows, unfortunately, comes improperly secured. That's why when I load systems, I take steps to configure the systems with some level of security.
Possibly they had the worm already written except for the exploit. Maybe they'd tested spreading and destruction parts using another very old and likely to be already patched exploit and have been waiting, template ready, for an appropriate exploit to be found which they could plug into their worm template.
Eat at Joe's.
The thing that *really* worries me about this kind of story is that it provides a ready-made reason for two things - neither of which I want.
1st - A "secure" i.e. regulated internet where all traffic is traceable and managed
2nd - A hardware security model that prevents unauthorised code running i.e. Palladium or whatever marketing fluffy word is now being used...
You know, and I know, that there are "nicer" ways of doing this but just wait until the first worm with a destructive payload hits the general population.
Not Good.
Excellent post. Moving away from C/C++ is a good idea for many projects, but since there's far too much C/C++ code out there for that to be a universal solution, we need to see wider deployment of stackguarding compilers like the propolice and stackguard patches to gcc 3.x. We also need to look at easy migration paths from C/C++ to a type-safe language, like Cyclone, a type-safe dialect of C.
And even with that activity some kind of damage could be done. A mail worm could be used to send spam from "trusted" mail servers. Bandwidth and CPU could be consumed enough to make sites non-operational, and, of course, there is the net effect: if all apaches in the world (or worse, all BIND in the world, which is more used than apache) try to do something similar to what the article describes, worldwide bandwidth could suffer.
My point was not that in Windows such a worm could be very harmful, just that even for Linux or other "safe" OSes such worms could do a hit on the internet as a whole.
I spent most of yesterday rebuilding my Windows 2000 system at work. I did a raw copy of my windows partitions to a second drive using dd under Linux before I started the rebuild so I was able to preserve much of my data, but far from all of it. My outlook .pst file is the most painful loss so far, and who knows what else I'll find damaged beyond repair before I'm done.
Once upon a time I would be furious about this. Nowadays I've come to expect it. It seems we live in a world where sociopaths are given free rein to harm others without penalty or consequence. Worms like this are concrete proof of the existence of genuine evil. What kind of a person would create something for the sole purpose of ruining other people's computers? Other people who they don't know and who have never done anything to hurt them? I'll tell you what kind, the kind I'd kill in a cold second. I hope and pray that they find the people behind this, and that they are in a place where our law enforcement can get at them. The best thing would be just to take them out someplace and shoot them, but short of that a nice long prison sentence will suit me just fine.
This worm has convinced me of the need to increase the steps we take in fighting people like this. The model where we work to protect our systems just doesn't work. Locking your door and windows and pulling the shades may keep an intruder out of your house most of the time, but it doesn't eliminate that intruder. It is far better to trap and kill a rabid animal than it is to simply put up barbed wire around your house. It is time that the would-be victims of these crackers went on the offensive. You wouldn't just stand there if someone was trying to beat you up. You'd fight back and if possible make sure your attacker hurt badly enough that they wouldn't be attacking anyone else anytime soon.
Crackers are not a computer problem, they are a people problem. If computers didn't exist they would find some other way to be destructive and malicious. Crackers are no more a computer problem than carjackers are a problem with your car. The only difference is that carjackers run the risk of getting shot by their would-be victims and/or being sent to prison. Crackers essentially operate with impunity. The only way the cracker problem is going to be effectively handled is to make that change.
If I ever find out who is behind this worm and I'm in a position to do something about it... heaven help them because it will take an act of God to save them from me.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an analysis...
So you're saying El-CAIDA is now stopping attacks on the US? I'm confused...
Those who can, do. Those who can't, consult.
the internal wired LAN, the wireless LAN, and the "DMZ"/connection to the Internet via the router, and manages and monitors the traffic between them
As a matter of fact, that is exactly what I am running right now for my home system. I use and can recommend IPCOP. It still doesn't obviate the need for securing that wireless stuff, however. STFW, you'll find lotsa security info for wireless on the 'net. Some of it is trivial, much of it requires more effort than I want to put in, but at least I don't have to worry about war drivers cruising by and using my bandwidth or sucking bank numbers off of the home systems.
Caida.org slashdotted??
You know very little, dear sheep.
I'll look into it.
Okay, taking these programs one at a time:
JCreator: does not run on linux, but other java IDEs such as eclipse run, and there's always the option of trying to just use something like vim.
Scanner: No clue whether or not it is supported, but you can check here. I recently got a Canon scanner that was perfectly supported according to the list and it was in fact. Then you can use something like Kooka to scan, and for me it's worked like a dream.
Palm: There's always KPilot (the interface I use.) It synchronises almost everything (except mail, I think.) Todo and calendar go to KCalendar, memos go to KNotes, and it lets you install things.
And for MathCAD, no clue. Maybe wine or winex could run it?
:wq
There is no reason on Earth that this worm couldn't have attacked Linux boxen. If this worm had been tailored to attack the recent openssh vulnerability the day after it came out, many of us would have been owned immediately. How many of us have an open ssh port through our NAT devices and firewalls? The scary thing about this worm is that the authors have demonstrated an ability to attack new vulnerabilities in third-party software very quickly. In the case of the openssh vulnerability (a root exploit) that would have meant that very many of us Linux users would have been affected before we could do anything about it.
No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
To take the 'firewall in a building' analogy a little further, the firewall itself isn't even meant to be non-flammable.
The purpose of a firewall in a building is to buy time.
Time for people to escape.
Time for the Fire Department to get there and get to work.
Perhaps, but less important, time for removal/protection of unusually valuable property.
Perhaps in the computing industry we think too much of our firewalls, even if they don't have flammable bells and whistles on them.
The living have better things to do than to continue hating the dead.
The situation you describe brings the power back to little people like me. I can't/won't pay for a high speed connection to my home, so I use dialup. That means if a mother-of-all-destructive-viruses comes out, I've automatically got a fighting chance. I'd be just as likely to win a scratch-off lottery ticket as to be caught at just the right time. Furthermore, that means my computers are only connected to an outside network when I'm there watching. I know not all viruses are apparent until after the damage is done. But if I did notice anything, the power switch is just inches away. If such a catastrophic virus event ever occurred, no doubt the last people with functioning computers would be us cheap dialup users.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
Woah. My LiDE 30 is completely supported!
Interesting...
Not sure yet though if I want to give up MSOffice, especially since I also use it for working on projects from home (Publisher... it's a proprietary file format, I know.) and the Office OEM license came with this computer.
Now, if I could run WinXP and OfficeXP within some sort of emulator on the Linux box, then I could probably transition pretty easily.
Why are they sitting on such a large number of unused IP addresses? Everybody that complains (and rightfully so) about the shortage of IPv4 address should knock on UCSD's door...
Even with NAT, it's good to have IP addresses available. If we ever move to IPv6, which is more efficient and has more usable features as well as having an insanely larger number of addresses, we might not have to worry, but IPv4 addresses definitely need to be conserved.
(While we're on the topic... will we ever fully move to IPv6? The US is still holding out on switching from the imperial system.)
You're probably covered for $2-3m already, under one policy or other, if (say) you are careless crossing the road and cause a major accident.
PC risks are just as insurable - and it will be interesting to see how the insurance market prices $1m of cover for Windows systems versus Linux systems versus...
The Witty worm has shown that users of minority operating systems need to be concerned about "flash worms" - internet worms that spread faster than humans can respond, making it impossible to protect yourself simply by patching your system. Many Unix users have become complacent, believing that worm epidemics can be blamed on the poor quality of Microsoft's software, its dominant market position, or sloppy system administration. Witty has shown that these assumptions are false, and we are all at risk.
The threat to servers is fairly well understood, and network services generally run with reduced permissions and/or in chroot sandboxes to reduce the damage they can cause if infected. However, ordinary users also run network-exposed software which is vulnerable to worms. The following is a proposal for protecting personal data against worms.
Imagine that each user of a Unix system has two accounts: a "real" account and a "shadow" account. The shadow account is used for running network-exposed software. It has its own home directory for configuration files and so on, and it cannot access the user's "real" home directory. The real user has a setuid script for launching programs as the shadow user. Logins are not permitted on the shadow account.
The problem is that we want to have full access to our files even from our most exposed applications: web browsers, email clients and instant messaging programs. To make this possible we need to recognise the difference between "personal files" and "program files". This terminology may stick in the throats of Unix veterans, but the distinction is a real and important one: personal files have inherent value to the user. Program files may be vital to the operation of some program, but they can be replaced.
The value of personal files is of course invisible to the computer, but it can be seen in the way a user interacts with those files. Personal files are manually selected in the file manager or file selection dialog, while program files are opened by applications using hardcoded names or settings in some configuration file. For a large class of programs, interaction with personal files is manual while interaction with program files is automatic.
This distinction makes it possible to give sandboxed applications limited access to personal files: a sandboxed program can keep its program files inside the sandbox, and be granted access to personal files outside the sandbox when the user selects them manually. This is achieved by using a separate "open" program that runs as the real user, presents a file selection dialog to the user, and dumps the contents of the selected file to its standard output. A similar "save" program saves the contents of its standard input to a location selected by the user. These setuid programs can be called by sandboxed applications to allow "consensual" access to personal files, without allowing automatic access that might be exploited by a worm.
Example: a Unix system has one user, Andy, with two accounts: andy and andy-shadow. In andy's home directory is a setuid script belonging to andy-shadow, which simply changes to andy-shadow's home directory and executes the program named on the command line. This allows Andy to run any program in a sandbox, including a shell or file manager if the sandbox needs cleaning. In andy-shadow's home directory are two setuid programs, open and save, which are owned by andy and executable (but not writable) by andy-shadow. Sandboxed applications can call these programs to open and save files with Andy's help, but they cannot directly access his home directory. If they need to save any settings etc, they use andy-shadow's home directory.
Shadow accounts (and the corresponding setuid programs) can be created automatically for all users. T
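As an added example, not code from the poster above: a single-user simulation of the "open" and "save" broker design described in the proposal. In the real design the brokers run setuid as the real user and the application runs as the shadow user; here everything runs as one unprivileged user, and the manual file-selection dialog is replaced by `select_file()`, which records the user's one choice in a marker that stands in for something the sandbox cannot write. The home directories, file names and the `sandboxed_app` stand-in are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a simulation of the open/save brokers
# from the shadow-account proposal. Runs as one user with temp directories
# standing in for andy's home (personal files) and andy-shadow's home (the
# sandbox); the file dialog is simulated by select_file(). All paths constructed.
set -eu

# setup_demo creates the two homes and a couple of personal files. The consent
# marker lives in the real home, which the sandbox could not write in the real
# design; only the dialog (select_file) is allowed to create it here.
setup_demo() {
    REAL_HOME=$(mktemp -d)
    SHADOW_HOME=$(mktemp -d)
    CONSENT="$REAL_HOME/.selected"
    printf 'hello\n' > "$REAL_HOME/notes.txt"
    printf 'card number 0000\n' > "$REAL_HOME/secret.txt"   # constructed personal file
    export REAL_HOME SHADOW_HOME CONSENT
}

# select_file simulates the user picking exactly one file in the broker's
# dialog. The sandboxed program never learns or chooses this path.
select_file() {
    printf '%s\n' "$1" > "$CONSENT"
}

# broker_open: the "open" program. Dumps the selected file to stdout, then
# forgets the selection so each read is one-shot, never automatic.
broker_open() {
    if [ ! -f "$CONSENT" ]; then
        echo "open: nothing selected" >&2
        return 1
    fi
    path=$(cat "$CONSENT")
    rm -f "$CONSENT"
    # refuse symlinks so a planted link cannot redirect the read elsewhere
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "open: refusing $path" >&2
        return 1
    fi
    cat "$path"
}

# broker_save: the "save" program. Writes stdin to the selected path, once.
broker_save() {
    if [ ! -f "$CONSENT" ]; then
        echo "save: nothing selected" >&2
        return 1
    fi
    path=$(cat "$CONSENT")
    rm -f "$CONSENT"
    if [ -L "$path" ]; then
        echo "save: refusing symlink $path" >&2
        return 1
    fi
    cat > "$path"
}

# sandboxed_app: what code inside the sandbox can do without the user. With no
# selection to consume both brokers refuse, so it can only write its own state
# into SHADOW_HOME. Returns 0 when containment held, 1 if either broker yielded.
sandboxed_app() {
    if broker_open >/dev/null 2>&1; then
        return 1          # read personal data without consent
    fi
    if printf 'junk\n' | broker_save 2>/dev/null; then
        return 1          # wrote personal data without consent
    fi
    printf 'cache\n' > "$SHADOW_HOME/.appstate"
    return 0
}

# Stand-alone run: unattended access fails, a user-selected read succeeds.
setup_demo
if sandboxed_app; then
    echo "on its own, the sandboxed program could not reach personal files"
fi
select_file "$REAL_HOME/notes.txt"   # the user picks a file in the dialog
broker_open                          # consensual one-shot read: prints "hello"
```

The property worth noticing is that the application only ever handles file contents on stdin/stdout; the path and the decision stay with the broker, so a worm inside the sandbox has nothing to automate. On a real system the brokers would additionally need to be setuid binaries rather than scripts, since Linux ignores the setuid bit on interpreted scripts.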
Possibly they had the worm already written except for the exploit.[...]template ready, for an appropriate exploit to be found which they could plug into their worm template.
That's what I do. I am sure many (most?) VXers do that also.
If you are too lazy to properly configure your firewall, or even more stupid and run your firewall on a PC that users can login to (or even more idiotic, run it on a Windows PC with full root for every user, ala win 98) then you deserve to be owned.
Came home around midnight to find my DSL router's lights flashing like a Christmas tree. My server's hard drive light flickering like mad.. CPU usage at 100%, Netlimiter freaking out. I disconnected from the net, and still had problems. Tried to reboot.. and yay! Blue screen. After doing some analysis, both my system and data drives were toast (CHKDSK started to recover the entire drive's folder/file structure into random filenames.. that's when you throw in the towel.) My backup drive was surprisingly not affected in any way.
ISS claims they released a security patch 2 weeks before this worm hit. That's a bunch of crap. My BlackIce was configured for Auto Update checking, every day, and I was not notified of an update to the software. Talking to other ISS users, it would appear ISS actually released the patch only 24 hours before the worm hit.
I sent ISS a little criticism via e-mail, about their handling of the issue, and how they are going to compensate their userbase. I got a standard reply back "We're sorry you've been inconvenienced. Thanks." -- Pfft.
I hope someone organizes a lawsuit against them. And don't tell me their EULA protects them from things like this.
Not All Who Wander Are Lost
Wow, what are the odds of that? I just got the LiDE30, and yeah, it works flawlessly as long as you have the right permissions to access the device (I think you need to give the user access to /proc/usb/[something] where your scanner is)
Anyways, you probably could run OfficeXP under wine somehow. I personally doubt it would run under normal wine, but winex (transgaming) would most likely run it, but I can't check here (nasty web filter). It should be on the software compatibility list at http://transgaming.com.
Another option seems to be CodeWeavers which claim to support office XP, but the price is a whole lot higher than winex, and you probably would want winex anyway for running your games.
Good luck with your linux
:wq
-> ...chroot jail...
It's very easy to manage security for service processes under Windows. Different users can be created for the services, allowing whatever ACL restriction you'd like.
Yeah. Linux has users and permissions, too. Chroot jails are not the same thing, and Windows doesn't have anything like them.
Which gets back to the point: there are so many more things you can do on Linux to improve your security. The fact that some people do their best to make do without those things doesn't make the situation ideal on Windows.
No, Windows doesn't have chroot(), largely because of the legacy of drive letters, which means we don't have a single controllable root on Windows.
But chroot is really just a nifty short cut for restricting file system access - meaning you're probably using root for your process - bad. And it certainly isn't unbreakable if you're using root for your processes. ACLs can achieve the same effect, but with more work for the Admin.
I agree that 98% of Windows boxes are not adequately secured. My guess is that 85% of Linux boxes are also not adequately secured. I think XP SP2 and Server 2003 are great steps in the right direction toward good default configurations. I think Automatic Windows Update is a huge part of the solution. I think Windows app developers need to be flogged when Admin rights are required to run their app.
I keep reading that it was so surprising that the worm was released just one day after the vulnerability was announced.
I think the more likely scenario was the virus writer was already aware of the vulnerability and had already written the worm, however as soon as eEye announced, his/her hand was forced and they released before ISS had a chance to post any patches.
This idea should further bolster the idea that we should have immediate disclosure of vulnerabilities. Users should stop using that particular product and switch to an alternate if there's no patch available, because there's a chance someone malicious has already prepared to exploit it.
My two cents...
/* TBD */