Slashdot Mirror


Analysis of the Witty Worm

DavidMoore writes "The Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego Computer Science Department have an analysis of the recent Witty worm. Among other things, Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous Internet worm."

108 of 415 comments

  1. buggy code by neoThoth · · Score: 4, Interesting

    The end of the worm seems to have bytes suggesting a flaw in the original worm code.
    I'm still getting data points for the infected by analyzing the worm's victims who contact my IP.

    1. Re:buggy code by rritterson · · Score: 3, Interesting

      "The end of the worm seems to have bytes suggesting a flaw in the original worm code."

      Would you mind elaborating on that assertion? I'm curious.

      --
      -Ryan
      AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    2. Re:buggy code by Himring · · Score: 5, Funny

      There's a bug, in the worm, ... in the bottom of the sea....

      --
      "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
  2. Save yourself some reading by Anonymous Coward · · Score: 5, Informative

    Conclusion:

    The Witty worm incorporates a number of dangerous characteristics. It is the first widely spreading Internet worm to actively damage infected machines. It was started from a large set of machines simultaneously, indicating the use of a hit list or a large number of compromised machines. Witty demonstrated that any minimally deployed piece of software with a remotely exploitable bug can be a vector for wide-scale compromise of host machines without any action on the part of a victim. The practical implications of this are staggering; with minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts.

    While many of these Witty features are novel in a high-profile worm, the same virulence combined with greater potential for host damage has been a feature of bot networks (botnets) for years. Any vulnerability or backdoor that can be exploited by a worm can also be exploited by a vastly stealthier botnet. While all of the worms seen thus far have carried a single payload, bot functionality can be easily changed over time. Thus while worms are a serious threat to Internet users, the capabilities and stealth of botnets make them a more sinister menace. The line separating worms from bot software is already blurry; over time we can expect to see increasing stealth and flexibility in Internet worms.

    Witty was the first widespread Internet worm to attack a security product. While technically the use of a buffer overflow exploit is commonplace, the fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end-users apply patches to plug security holes is not viable.

    It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.

    The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people to sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold-standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

    1. Re:Save yourself some reading by Ralph+JH+Nader · · Score: 5, Informative

      The parent is incorrect. It is not a Windows worm and the worm is not the fault of Microsoft. The worm exploits a vulnerability in BlackIce, a "personal firewall" that runs on Windows.

      While the vulnerability will not show up on non-Windows machines, it is not because it is a Windows vulnerability.

      The parent is very misleading at best.

    2. Re:Save yourself some reading by Ralph+JH+Nader · · Score: 3, Informative

      From here:

      The Witty worm exploits a stack-based overflow in ICQ response parsing in the Protocol Analysis Module (PAM) of ISS products.

      That has nothing to do with the internal architecture of Windows. That's a bug in ZoneAlarm. There is no reason to blame Windows at all for a bug in a software product written to run on Windows.

    3. Re:Save yourself some reading by SlightOverdose · · Score: 3, Informative

      Neither does Linux. At the moment if you need protection your choices are to use a VM (Java,.NET) or a high level scripting language.

    4. Re:Save yourself some reading by bobthemonkey13 · · Score: 4, Interesting
      And that relies on the assumption that your VM securely isolates the virtual machine from the real one. This turns out to be false in practice -- there have been several exploits for Sun's Java VM, and there's no reason to think that Microsoft's .NET runtime will be any better. High-level scripting languages help against low-level stack-smashing attacks, but it's far too easy to write a script that doesn't properly prevent exploitation of the dynamic features of the language (improper filtering of commands to Perl's system(), PHP's remote-fetching include(), etc). Features like Perl's taint-checking can help a lot, but don't take the place of careful coding.

      As for the issue of the underlying OS providing security features, it's not entirely a moot point. Linux provides some stack/heap protection and other binary runtime security through the grsecurity patches; OpenBSD has W^X and other security features built into the kernel. Still, expecting the OS to protect binaries at runtime is a completely ass-backwards way of approaching security. Ultimately, application developers have to bear most of the burden for writing secure code.

    5. Re:Save yourself some reading by thogard · · Score: 3, Informative

      For a small payload, you need to know the address of every function the code needs. If you take something that is very standard such as Apache and then look at how common the binary is. If you do an md5 of Solitaire on Windows systems, you're only going to find about 5 to 10 different versions for all versions of Windows. Apache on the other hand is often built from source so there are thousands of different variations of the same version.

      On systems I need to secure, I will often throw in a few extra variables in main (which shifts the entire heap), or sometimes I'll take an older version and just apply the patches I need from the current version. There are other tricks as well such as turning debugging or profiling on in just one of the source modules. With open source, it's trivial to make a unique binary so why not do it?

    6. Re:Save yourself some reading by muffen · · Score: 3, Insightful

      You are failing to consider the extent to which Windows internal architecture dictates the software running on the platform.

      Most of the time Microsoft bashing is valid, but saying that this is Microsoft's fault in any way is about one step away from stupid.

      If this was the fault of Windows, a buffer overflow such as this one could not happen under Linux/MacOS/FreeBSD/Netware etc etc etc. However, a quick search on SecurityFocus tells us that it did in fact happen on all the platforms listed above.

      So, please explain to me how Microsoft can be blamed for this in any way!

      ...and saying that they should not allow code-execution on the stack or make it more secure so you don't need a firewall are not valid arguments.

    7. Re:Save yourself some reading by Jaysyn · · Score: 2, Insightful

      So you're saying that all of those linux application security flaws on bugtraq are actually linux security flaws? Just because they are on the same platform? I think not.

      Jaysyn

      --
      There is a war going on for your mind.
    8. Re:Save yourself some reading by Malc · · Score: 2, Informative

      That still assumes that the interpreter, VM, JIT, whatever doesn't have a vulnerability that can be exploited. It also doesn't protect you against attacks that use SQL injection, cross-scripting, exploit the developer's use of the wrong (i.e. too high) security permissions, etc. You're right in that the approach you recommend will probably lower your risk, but it won't remove it altogether.

  3. More information on the Witty Worm by Ralph+JH+Nader · · Score: 3, Informative

    You can find more information here.

    1. Re:More information on the Witty Worm by inode_buddha · · Score: 4, Informative
      Better info here.

      Before it gets slashdotted even.

      --
      C|N>K
  4. Re: Windows Security Model Needs Fixing! by seaswahoo · · Score: 5, Informative

    In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software.

    This makes me feel a bit safer, since we used to run Windows-based boxen directly on the Internet but now they all hide behind a Linksys NAT Router and firewall.

    From what I've learned, the general rule is NEVER to put a Windows machine directly on an unsecure network. Unfortunately, the machine I'm typing on here at the University of Virginia is directly connected and yes, it runs Windows. I turned on the Internet Connection Firewall...but this kind of worm vulnerability makes me nervous. Today, someone attacks the eEye security software; tomorrow, someone takes out Microsoft's ICF.

    Similarly, end users may also be unaware that perceived slowness of their computer or Internet connection is caused by a worm, and they may reboot their computers in the hope that that will fix the problem.

    I find this problem with spyware and adware too. I recently cleaned out the computer of a family friend that was very slow and would no longer connect to the Internet. Removed a huge gob of spyware with Ad-Aware and Bazooka, and BAM! we were back online.

    Goes to show you. I'm thinking that Microsoft's security model in Windows may need to be revised, considering in XP Home at least, all users run as Administrator (root) and system services have way too many privileges.

    Makes me glad I replaced my aging NT file server with Linux/Samba.

  5. Re:ground zero hosts? by 2MuchC0ffeeMan · · Score: 3, Informative

    I believe it's the first host to be infected, the 'master server', but it might just be that the master server just had server 'baby' master servers.

    --
    Runnin' On Empty .... I'm Still Alive
  6. Heh by Anonymous Coward · · Score: 2, Funny

    [ Insert witty comment here. ]

  7. Their unsaid conclusion by ObviousGuy · · Score: 5, Interesting

    They state that the most important thing is to force users into a security mindset and this is near impossible. Also, they point out that even security-aware users may be at risk because of the risk of infection before the ability to patch the firewall/AV software is possible.

    This leads to the conclusion that firewall/AV software should be included as part of the baseline system, whether with the operating system or as an additional package at system build time. Also it leads to the conclusion that user-assisted updates are useless and only automatic updates can effectively patch fast enough to block worms of this sort.

    This is one of the most depressing stories about the state of the Internet that I've read in a while.

    --
    I have been pwned because my /. password was too easy to guess.
  8. Interesting conclusion by IANAL(BIAILS) · · Score: 3, Insightful

    The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants.

    While I agree that the success of most internet worms does indicate that the patching model is no good, come on now - there is no way that end users would be financially liable for their computers. No matter how good an idea it might sound at first, such a concept just isn't workable.

    1. Re:Interesting conclusion by ryanjensen · · Score: 4, Insightful
      A driver is responsible for the upkeep of his vehicle if his negligence causes an accident ... a property owner is responsible for its upkeep if someone is injured on his property. I don't think it's a very large leap to be able to consider a computer owner liable for its upkeep if it is used in an attack, and I don't think many in this country would object either.

      The concept would be at least as workable, in the courts, as any liability legislation is currently.

    2. Re:Interesting conclusion by gordyf · · Score: 3, Informative

      That was not their conclusion. If you continued the quote, you'd see that they said much the same thing as you.

      When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

    3. Re:Interesting conclusion by jmv · · Score: 3, Insightful

      Are you willing to bet a large amount of money (or jail time) that your computer will *never* be compromised? What if a worm appears before a patch is available? If you compare to cars, you'd have to say that you're responsible for what happens to your car even if it's been sabotaged.

    4. Re:Interesting conclusion by Flower · · Score: 3, Insightful
      A driver is responsible for the upkeep of his car but there is an assumption that the car is safe to drive to begin with when I buy it from the dealership. If it's the case that the car isn't safe there is usually a recall where I can take it in to the dealer for free and get the problem fixed. If there isn't a recall and the car isn't safe and I do have an accident then I can sue the manufacturer for selling me a defective product.

      When cars begin to become unsafe there are a variety of noticeable warning signs that I need to maintain my vehicle. The oil light will go on, the brakes will grind, sundry odors emit from the hood, the tires begin to look flat... It doesn't even have to get that far. Some dealerships will send you mail reminding you that you might need an oil change. Of course their reason for doing this is to make some cash but it is a reminder to maintain your car and once at the garage things like rotating tires or what-not can also come up.

      To make this short [too late], there are a variety of mechanisms in place to let the driver know he needs to maintain his vehicle that simply aren't present or currently applicable when compared to a PC owner. From where I'm sitting there seems to be a great deal of wiggle room when applying the standards you propose.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    5. Re:Interesting conclusion by rgmoore · · Score: 2, Insightful
      A driver is responsible for the upkeep of his vehicle if his negligence causes an accident

      The analogy breaks down, though, because the problem isn't with the user failing to maintain his product, but with the product containing a manufacturing defect. Patching buggy software is the computer equivalent of taking a car in for a recall. Punishing computer users when their computers get infected is like punishing drivers when they get into accidents caused by failure of recalled parts. There has to be some kind of grace period during which the creator is considered at fault for making a defective product, rather than the user for not having it fixed.

      --
      There's no point in questioning authority if you aren't going to listen to the answers.

    6. Re:Interesting conclusion by ryanjensen · · Score: 3, Insightful
      If your car has been sabotaged, and you *know about its resultant defect* you should be held liable. However, I think you are correct in saying that an owner should not be found negligent for unknowingly operating a sabotaged car.

      But I think your comparison is incorrect. I meant to liken the non-application of patches by computer users to the car owner who doesn't perform routine preventative maintenance on his vehicle. If a car owner doesn't replace his brakes for 45,000 miles after they first start squealing (from the metal "warning plate") and they fail, shouldn't he be held liable? Likewise, if a computer user does not follow the recommended Microsoft updates -- or worse, never applies a single patch -- shouldn't he be held liable for damage his machine causes?

      For worms before patches, there should of course be no liability on the computer owner's part -- now, on the software developer's part is another story.

    7. Re:Interesting conclusion by MyHair · · Score: 3, Insightful

      A driver is responsible for the upkeep of his vehicle if his negligence causes an accident ... a property owner is responsible for its upkeep if someone is injured on his property. I don't think it's a very large leap to be able to consider a computer owner liable for its upkeep if it is used in an attack, and I don't think many in this country would object either.

      Your analogy fails on many levels, but I'm too tired to point them all out. Here's a biggie: Automobiles are highly engineered and legally regulated devices; there are safety standards to be met before you can put one on the road, and there are legal limits to how the end user can modify them. PCs and especially software don't have that kind of pre-consumer engineering.

      Another one: the roadways are public works. The internet as we use it is a collection of private agreements to communicate between points. Why don't the intermediate points share liability for passing on the attacking packets? Hell, the operators of the intermediate points are generally trained for their equipment and pay people to monitor traffic and health. (This is making a point; actually I don't want my ISP or any of their providers policing my internet connection.)

    8. Re:Interesting conclusion by Anonymous Coward · · Score: 2, Informative


      I believe the US government gave M$ a "pass" on security and allowed it to sell software to, for example, the Navy. (I am too lazy to look up the details.)

      Cringely... (the real one, not the fake ghost-written InfoWorld column version) discussed this very subject in his two latest columns...

    9. Re:Interesting conclusion by ryanjensen · · Score: 2, Insightful
      Like you, I would prefer not to have any regulation requiring updates to computers. You may say I am playing Devil's Advocate or simply starved for debate by suggesting fines for negligent computer users.

      However, to continue the discussion with the recall on your automobile: was the mitigating error a manufacturer goof or your goof? If you do not take your car in to get it fixed, do you think the manufacturer should still be held liable? Who would I take to court if the defect that caused your recall (ignored by you) takes off one of my arms?

      I'm not sure if negligence in the automobile and land owner examples from my original post leads to civil or criminal cases. If civil, there need not be regulation for computer users ... just a way to establish fault. If criminal, then yes -- regulation and the like would be both inevitable and undesirable.

      And I believe it's a common axiom, "There's an exception to every rule, except to the rules for which there is no exception." But in this case, there was not a patch available (according to some sources) since the vulnerability was so fresh. I don't mean to say that, because users were trying to protect their computers through a third-party, they shouldn't be held liable -- I meant that because the exploit came so quickly, they should not.

      Disclaimer: I am not a lawyer, though I would like to be soon.

    10. Re:Interesting conclusion by Tin+Foil+Hat · · Score: 2, Interesting

      Yes, yes it is a large leap to any conclusion of that kind. To follow the car analogy, if someone were to steal my car and ram it into a crowded restaurant, I would not be held responsible even had I left the door open and the engine running. That is exactly what is happening with trojaned computers. It is the attackers that should be held responsible, not the poor sap whose computer got hijacked.

      --
      No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
  9. More Ground Zero hosts? by Anonymous Coward · · Score: 2, Interesting

    Interesting. An article at zdnet suggests that Witty was in fact a prototype, and could be the first example of cyber-terrorism. The combination of
    a) The destructive payload
    b) Time from disclosure to deployment
    c) Large number of Ground Zero hosts
    suggests capabilities far beyond that of an autistic 17 year old in his parent's basement. Could this be the start of internet based Al Qaeda action, that anti-terrorism experts have so long stated was coming?

    1. Re:More Ground Zero hosts? by Anonymous Coward · · Score: 3, Funny

      My god he's right! This is the start of the Al Qaeda internet terrorism initiative that non-ratings-concerned-non-sensationalist Fox News and MSNBC warned us about! Emmanual Goldstine is their leader and he will be issuing a communique to the Ministry of Truth shortly. Everyone should PANIC!

      Immediately put on your gas-masks and have your anthrax treatments ready! But, do not disconnect your machine from the network. Continue buying and supporting the economy. If you don't, THE TERRORISTS WIN.

    2. Re:More Ground Zero hosts? by Otter · · Score: 3, Funny
      You know what this means -- it's up to us Lunix nerds to save civilization! Just like Frodo and Sam!

      You guys go ahead. I'll catch up with you as soon as my 'emerge -u kde' finishes.

  10. vulnerability to worm time by neoThoth · · Score: 5, Interesting

    The rate of worm creation on this one was almost a little TOO quick. This time to creation would almost suggest that the author of the worm perhaps had inside knowledge. It's not entirely outside the realm of reason that the vulnerability leaked from ISS before the announcement was made.

    1. Re:vulnerability to worm time by Yakman · · Score: 4, Insightful

      It could also be that whoever wrote this worm found the vulnerability independently and had been writing code to exploit it, when he saw the security advisory go up he released it ASAP before people had a chance to patch their boxes. If the vulnerability hadn't been announced the worm may have been released later with a different payload.

    2. Re:vulnerability to worm time by InfiniteWisdom · · Score: 3, Informative

      I guess the writer had written the payload in advance and waited for an appropriate vulnerability to show up to use as a vector. Generating exploits isn't rocket-science... in fact there are automated tools out there that will generate exploits for common holes like buffer/stack overflows.

      There is also the chance that the author discovered the bug either himself or through "black hat" groups before the advisory was put out.

  11. Re:ground zero hosts? by centralizati0n · · Score: 5, Informative

    A ground zero host/vector is a host that wasn't infected by another machine, but by an individual who wished the machine to infect other machines. A ground zero host does not necessarily need to have the same exact code as the code it sends out, for example, in this case, it would be unproductive for the ground zero host to have the original code since it erodes the filesystem of the host.

  12. Anyone else see this? by citking · · Score: 4, Interesting
    On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including ISS RealSecure Network, RealSecure Server Sensor, Proventia, RealSecure Desktop, and BlackICE. Emphasis mine.

    Man, I am so used to seeing IIS in a security vulnerability I had to give it a second glance. I guess people shouldn't use those letters in software abbreviations anymore. It's becoming bad luck!

    Seriously, worms like this that damage computers are very un-cool. As a freelancer I got to see this on only a few machines and by gratuitous use of recovery console, fixmbr, and (alas) one format and reinstall later I was able to fix them all.

    While doing this onsite at a realty company I asked what they used as a firewall. Seeing blank stares from them all wasn't the highlight of the day. Not having a hardware firewall handy it was quite fun to race against the vermin as I downloaded patches off of the net on a virgin XP install! I actually thought I heard giggling echoing from the DSL modem as the DL percentage ticked higher slowly but surely....

    --
    "This food is problematic."
    1. Re:Anyone else see this? by Minna+Kirai · · Score: 2, Insightful

      Seriously, worms like this that damage computers are very un-cool

      It doesn't damage computers. It erases data; the computer itself is fine.

      Sure, this is destructive... but it's much better than if it were installing BO2K everyplace, so the worm author could collect CCNs. That'd be much more damaging than simple erasures.

    2. Re:Anyone else see this? by DarkHelmet · · Score: 2, Informative
      ...as I downloaded patches off of the net on a virgin XP install

      Windows Update is nice for keeping up to date with all the patches for windows as they are released. But using it to patch a series of machines doing fresh installs is silly.

      At the height of the Blaster worm, I had to reinstall Windows for a friend of mine. I connected to the net in order to update Window XP, and her machine was reinfected within five minutes of connecting: before the machine could be patched.

      I learned my lesson. Here is a guide on how to slipstream an installation of Windows XP and SP1.

      Although I wouldn't recommend it, you can also slipstream a copy of Windows SP2 Beta 1. When SP2 is finalized, I fully intend to create a slipstream version of that for the next time I have to reinstall windows somewhere.

      See, this is why service packs are a Good Thing (TM).

      --
      /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    3. Re:Anyone else see this? by kayen_telva · · Score: 2, Informative

      XP has a built-in firewall you could have enabled BEFORE you connected the ethernet cable

      more than enough protection during your race to download patches.
      Frankly, enough protection for conscientious users ALL the time.

  13. What's It going To Take by flopsy+mopsalon · · Score: 3, Interesting

    Another day, another virulent internet worm utilizing an unaccounted-for "buffer overflow" to propagate itself throughout the internet. Users suffer and system administrators grind their teeth to clean out their networks.

    By now I am sure it has been noticed that the "buffer overflow" is a very common "exploit" used by these internet worms to infect machine after machine. One simple way to address this problem would be to replace these vulnerable "buffers" with something that will not overflow, perhaps something spongy and highly absorbent. Isn't anyone working on a solution along these lines? You never seem to hear about any progress being made. Honestly, sometimes it seems like no one in the technology industry has any common sense.

    1. Re:What's It going To Take by ryanjensen · · Score: 2, Informative

      ZDNet UK had a preview of Windows XP SP2 recently (see link) that included discussion of the pack's implementation of software-based overflow protection. It also mentions that 64-bit processors include this protection in hardware (NX or "no eXecute"). So, there is a little progress being made.

  14. Net Telescope by mmca · · Score: 2, Interesting


    Network Telescope

    The UCSD Network Telescope consists of a large piece of globally announced IPv4 address space. The telescope contains almost no legitimate hosts, so inbound traffic to nonexistent machines is always anomalous in some way. Because the network telescope contains approximately 1/256th of all IPv4 addresses, we receive roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator. Because we are uniquely situated to receive traffic from every worm-infected host, we provide a global view of the spread of Internet worms.


    They have 1/256th of all the IPv4 space?!?
    That's a lot of IPs that could be freed up for other purposes.

    It's great that they are doing this. And it is an interesting project. But I've been hearing about the lack of IPs for the last 5 years, and this one group has 1/256th of them.

    ------------
    www.ComicSmash.com
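    The 1/256 sampling argument quoted above, worked through as an added Python example (not part of the post or of CAIDA's code): a simulated infected host sprays random 32-bit addresses, the fraction landing in a /8 telescope is counted, and the observed count is scaled back up to the host's total sending rate. The telescope prefix, the 31-bit "truncated" generator used for contrast, and the per-source log are constructed assumptions, not facts about Witty or UCSD.

```python
"""Monte Carlo illustration of network-telescope sampling (added example).

A /8 covers 2**24 of the 2**32 IPv4 addresses, i.e. 1/256 of the space. A
worm that picks targets uniformly at random therefore lands about one packet
in 256 inside the telescope, so the telescope's observed count, multiplied
by 256, estimates the host's total scan rate. A biased generator breaks that
inference, which is why the quoted text says "unbiased random number generator".
"""
import random
from typing import Callable, Dict

# Constructed placeholder for the telescope /8; the real UCSD prefix is not
# given on the page and does not matter for the arithmetic.
TELESCOPE_FIRST_OCTET = 10
# A /8 holds 2**24 of the 2**32 IPv4 addresses: exactly 1/256 of the space.
TELESCOPE_FRACTION = 2 ** 24 / 2 ** 32

Scanner = Callable[[random.Random], int]


def in_telescope(addr: int) -> bool:
    """True when a 32-bit address falls inside the telescope /8."""
    return (addr >> 24) == TELESCOPE_FIRST_OCTET


def uniform_scanner(rng: random.Random) -> int:
    """Unbiased target choice: each of the 2**32 addresses is equally likely."""
    return rng.getrandbits(32)


def truncated_scanner(rng: random.Random) -> int:
    """Hypothetical biased generator that emits only 31 random bits, so the
    first octet is always below 128 and the telescope is hit twice as often.
    Constructed for contrast; not a claim about how Witty chose targets."""
    return rng.getrandbits(31)


def simulate_hits(scanner: Scanner, n_packets: int, seed: int = 0) -> int:
    """Count how many of n_packets from one infected host reach the telescope."""
    rng = random.Random(seed)
    return sum(1 for _ in range(n_packets) if in_telescope(scanner(rng)))


def estimate_scan_rate(observed: int, fraction: float = TELESCOPE_FRACTION) -> float:
    """Scale a telescope count back up to the host's total sending rate,
    assuming the host sprays targets uniformly over the whole IPv4 space."""
    return observed / fraction


def estimate_rates(observed_counts: Dict[str, int]) -> Dict[str, float]:
    """Per-source estimates from a {source_ip: packets seen per hour} table."""
    return {src: estimate_scan_rate(n) for src, n in observed_counts.items()}


if __name__ == "__main__":
    n = 1_000_000
    for name, scanner in (("uniform", uniform_scanner), ("31-bit", truncated_scanner)):
        hits = simulate_hits(scanner, n, seed=42)
        print(f"{name:8s} scanner: {hits} of {n} packets reached the telescope "
              f"(expected {n * TELESCOPE_FRACTION:.0f} if unbiased); "
              f"naive rate estimate: {estimate_scan_rate(hits):.0f}")

    # Constructed telescope log: packets per hour seen from three sources.
    sample_log = {"198.51.100.7": 90, "203.0.113.21": 12, "192.0.2.200": 3}
    for src, rate in estimate_rates(sample_log).items():
        print(f"{src:15s} -> about {rate:.0f} packets/hour sent Internet-wide")
```

    With the biased generator the naive estimate comes out roughly double the true rate, which is the caveat the "unbiased" qualifier in the quoted text is guarding against.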

    1. Re:Net Telescope by iworm · · Score: 2, Informative

      No. There are exactly 126 Class A addresses. They probably DO have a Class A, if their claim is correct, but there are not 256 of them, just 126...

  15. Re: Windows Security Model Needs Fixing! by PlusFiveTroll · · Score: 2, Insightful

    The article stated that a good number of requests came from behind NAT firewalls. Many devices like the Linksys allow you to DMZ a host, which would end up being an attack vector behind your firewall. Also, many people turn on port forwarding, which, done incorrectly, is an attack vector.

  16. Time to learn SELinux I think by SmallFurryCreature · · Score: 4, Interesting
    Cause Linux and BSD sure ain't safe against this. Buffer overflows ain't nothing new and this analysis shows there is no security in being a small target.

    Might be time to make a security model that stops a firewall application from writing to the hard disk or deleting files. Why should it after all? Or limiting just how many emails a user can send, how many times do you send thousands in a minute?

    Perhaps even a delete mechanism that doesn't allow destruction of data without a password.

    Paranoid? 12,000 machines just went Poof in half an hour with this virus if the story tells it right. Doesn't exactly cheer me.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  17. Holy CRAP by Saint+Aardvark · · Score: 5, Insightful
    Jesus Christ, if you read that and weren't frightened, you're dead inside.

    The highest packet rate they saw was more than 23,000 per hour, sustained for at least one hour. The worm came out one day after eEye announced the vulnerability. It just went ahead and started erasing the hard drive, rather than just grep for passwords or credit card numbers. And this thing targeted and 0wned people who cared about the security of their computer!

    If you've read nothing else, check out the conclusion:

    It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.

    The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold-standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

    I was thinking the other day about all the precautions you need to go through with a Windows box just to get a new install up-to-date; I was smug, and thinking that a Windows box without a firewall was like a person without a skin: no protection from infection, no way of stopping the most basic of attacks.

    And now reading this I feel that smugness just draining in a really hideous way. I use Linux and FreeBSD...what of it? I realize there is still a big difference between Unix and Microsoft, between a local and a remote exploit, between an ordinary user account and root. But I'm no longer convinced those differences are enough: there's a thousand programs available on my machines, and all that stands between me and 0wnership is a programming error and someone who decides that, you know what, seven thousand hosts is worth it.

    Nothing more to say at this point...I'm still staring uneasily at the blinking cable modem lights, wondering when it'll be my turn.

    1. Re:Holy CRAP by rgmoore · · Score: 2, Insightful
      The highest packet rate they saw was more than 23,000 per hour, sustained for at least one hour.

      Perhaps equally scary is that the worm seems to have saturated its host population in under an hour. Since infection rate is slower in a small population like this one, a worm infecting via an exploit in a popular program could propagate even faster. If a worm writer were to discover and exploit a previously unknown vulnerability in a very widely deployed program, the consequences could be ghastly.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    2. Re:Holy CRAP by astrashe · · Score: 4, Insightful

      I don't know. This is scary, in a sense. But there's a lot of risk in the world, and you just have to live with it. If my computer gets wiped off, it's not the end of the world.

      I know that everyone isn't in a position to say that -- some people are running banks, or whatever. But most people can say it.

      We drive cars, even though cars crash and people die in them. Another person can crash into you even if you're doing everything right, and you'll die. We live and work in buildings, even though we know that there are fires every day in large cities. Sometimes people die in fires. You lock your doors, and you make a good faith effort to keep the bad guys out, but if someone really wanted to get in, they could.

      You just have to deal with uncertainty in life.

      Your computers are never going to be completely safe. The sun will come up tomorrow anyway.

      As a practical matter, people who take reasonable precautions *usually* come off pretty well with computers. They can hold on to their data and keep it out of other people's hands. There's no guarantee that will always be the case, but it's been true until now.

    3. Re:Holy CRAP by Beryllium+Sphere(tm) · · Score: 4, Insightful

      >I'm not sure what the ultimate solution is, but I do know one thing. We need to change our naive behavior.

      None of my security colleagues that I know of believes in the existence of an ultimate solution (though building a plywood box around the computer and filling it with concrete works pretty well. Just make sure you remove the wireless card first).

      We need fault tolerance. Backing up protects against the undiscovered bug you correctly warned about, and also protects against fire, burglary and human error.

      Watertight compartments on a ship are an example of fault tolerance. A hull breach will cause damage but the ship may stay afloat. So are circuit breakers -- they turn a potential fire into a loss of power. We need things like stack canaries. They're not solutions, but they limit damage.

  18. "witty" worm by benna · · Score: 3, Funny

    This is the best named worm I've ever seen. When I first read headlines about it they said things like "witty worm attacks firewall." It took me a while to realize that was the name of the worm and not a judgement by the reporter (no, I didn't read the articles).

    --
    "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
  19. KneeJerking by minusthink · · Score: 5, Interesting

    Since I deal more with our internal software/services (as opposed to dealing with the customers) I don't really have to fix anything other than wipe a machine or two. However, for me, the worst part of this is the kneejerking that occurs right afterward.

    Now that this worm hit, management is crying for more security without really thinking it through. Now all staff machines need to be behind hardware firewalls. ALL machines. Linux, Solaris (95% of our boxes), Windows. Not such a big deal except they bought us cheapo Netgear cable/dsl firewalls that I'm convinced will do nothing more than ipf/iptables to stop a determined cracker. These Netgear firewalls stop me from mounting NFS of anything; they have no trusted hosts options. In fact, I can only port forward from everywhere, so in a sense it is lowering my security.

    Does anyone else experience reactionary steps like this from the PHBs?

    (Thanks for reading my rant :)

    --
    "when life gets complicated, I like to take a nap in a tree and wait for dinner" - Hobbes.
  20. analysis of the witty worm by circletimessquare · · Score: 4, Funny

    analysis of the witty worm has revealed that it is wittier than most posts on slashdot

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  21. Re:ground zero hosts? by evilad · · Score: 2, Informative

    The proper term in epidemiology would probably be "index cases."

  22. Can IPv6 help? by yudan · · Score: 2, Interesting

    As the Witty worm sends packets to randomly generated IP addresses, because of the relatively small and quite dense IPv4 space it can quite easily hit a vulnerable host. I am not sure if using IPv6 would render this kind of attack impossible. Can anyone clear this up for me?

    1. Re:Can IPv6 help? by dunedan · · Score: 2, Informative

      That will depend on how IPv6 addresses are allocated. IPv6 pushes address space from 32 bits (~4 billion) to 128 bits (~4 billion^4). If everyone spread out over the whole range it could slow down the spread of viruses, since each random address would have a much lower chance of hitting a live machine. If however we all cluster in the same part of that range it won't help at all.
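As an added example (not code from the CAIDA analysis or from any poster), the standard logistic scan-rate model behind the telescope quote earlier in the thread and this IPv6 question: how quickly a random-scanning worm saturates roughly 12,000 vulnerable hosts in IPv4 versus the same hosts spread over a single IPv6 /64, and how a /8 telescope back-calculates the scanning population from what it sees. The 1,000 probes per second per infected host and the 100 pre-seeded hosts are assumed values chosen only for the order of magnitude.

```cpp
#include <cmath>
#include <cstdio>

// Added example. A random-scanning worm is modelled with the logistic ("SI")
// equation   dI/dt = r * I * (N - I) / A
// where I = infected hosts, N = vulnerable hosts, r = probes per second per
// infected host, and A = size of the address space being scanned uniformly.

// Size of an address space `bits` wide, as a double (2^128 does not fit an
// integer type but fits a double comfortably).
double address_space(int bits) {
    return std::ldexp(1.0, bits);
}

// Growth constant k = r * N / A: new infections per second caused by one
// infected host while almost nothing is infected yet.
double growth_rate(double probes_per_sec, double vulnerable, int bits) {
    return probes_per_sec * vulnerable / address_space(bits);
}

// Seconds for the infected population to double while it is still small: ln2 / k.
double doubling_time(double probes_per_sec, double vulnerable, int bits) {
    return std::log(2.0) / growth_rate(probes_per_sec, vulnerable, bits);
}

// Seconds until a fraction `frac` of the vulnerable hosts are infected, starting
// from `initial` pre-seeded hosts. Closed-form solution of the logistic equation:
//   t = ln( frac * (N - I0) / ((1 - frac) * I0) ) / k
double time_to_fraction(double initial, double vulnerable, double probes_per_sec,
                        int bits, double frac) {
    double k = growth_rate(probes_per_sec, vulnerable, bits);
    double ratio = frac * (vulnerable - initial) / ((1.0 - frac) * initial);
    return std::log(ratio) / k;
}

// A telescope announcing an IPv4 /prefix_len sees 1/2^prefix_len of uniformly
// random probes (a /8 sees 1/256). Given the probe rate it observes and the
// per-host scan rate, estimate how many hosts are scanning: this is how a
// telescope yields a global view without seeing every host directly.
double estimate_scanning_hosts(double observed_probes_per_sec, int prefix_len,
                               double probes_per_sec_per_host) {
    double fraction_seen = 1.0 / std::ldexp(1.0, prefix_len);
    return observed_probes_per_sec / fraction_seen / probes_per_sec_per_host;
}

// Constructed scenario shaped like the thread: ~12,000 vulnerable hosts (the
// figure quoted in the comments), with ASSUMED 100 pre-seeded hosts and an
// ASSUMED 1,000 probes/second per infected host.
constexpr double kVulnerable = 12000.0;
constexpr double kSeeded = 100.0;
constexpr double kProbeRate = 1000.0;

// IPv4: minutes until 90% of the vulnerable population is infected.
double ipv4_minutes_to_90pct() {
    return time_to_fraction(kSeeded, kVulnerable, kProbeRate, 32, 0.9) / 60.0;
}

// Same hosts uniformly spread over one IPv6 /64: years per doubling.
double ipv6_slash64_years_per_doubling() {
    return doubling_time(kProbeRate, kVulnerable, 64) / (365.25 * 24.0 * 3600.0);
}

int main() {
    std::printf("IPv4: 90%% of %.0f hosts infected after %.1f minutes\n",
                kVulnerable, ipv4_minutes_to_90pct());
    std::printf("IPv4: initial doubling time %.0f s\n",
                doubling_time(kProbeRate, kVulnerable, 32));
    std::printf("IPv6 /64: %.0f years per doubling\n",
                ipv6_slash64_years_per_doubling());
    // A /8 telescope observing 46,875 probes/s implies this many scanning hosts:
    std::printf("Telescope estimate: %.0f scanning hosts\n",
                estimate_scanning_hosts(46875.0, 8, kProbeRate));
    return 0;
}
```

With these assumptions the IPv4 case saturates in roughly 40 minutes, consistent with the "under an hour" figure in the thread, while the /64 case would take tens of thousands of years to double even once.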

  23. not the best solution, maybe rethink the stack? by crimethinker · · Score: 5, Insightful
    This leads to the conclusion that firewall/AV software should be included as part of the baseline system

    That's a very good suggestion, except that in this case, the firewall software was the vulnerable component. No BlackICE, no Witty worm.

    I'm deeply troubled by this; we piss and moan about how the average windoze luser doesn't have a firewall or AV software, and then this pops up.

    Much as I would like to, I can't blame this on Microsoft. It's just sloppy programming, the sort of practice that M$ has made prevalent. There, I blamed M$ after all. Still, changing the permission model of Windoze wouldn't have helped this; BlackICE is exactly the sort of software that needs access to the network protocol stacks; it's supposed to be one of the trusted portions of the system, as compared to all those VBScript viruses that run as admin/root, but shouldn't.

    If I were designing a new CPU, I would think about including some hard-core stack protection. A no-execute bit in the MMU is a very good start, but still not bullet-proof. I'm thinking something (with OS assistance) to disallow all access beyond the link pointer for the current function call. Every CALL sets a new boundary, and every RET pops back to the last boundary. Try to write past the boundary, and you get a machine exception. Much finer granularity than the 4K pages that most 32-bit MMUs provide.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
  24. You Underestimate 17-year-olds by mdarksbane · · Score: 2, Informative

    Read Gibson's report of the DDOS on his website, and you'll have a completely different view of the possible reach of a 17-year-old in our current times of insecure computing.

    http://www.grc.com/dos/grcdos.htm

    In short, anyone with basic scripting knowledge and some time can create a reasonably-sized network (of a few hundred systems, at least) of remote-controlled "bots" or zombies, generally home users on cable modems. Quickly-propagating worms are more easily come by. It doesn't take much to add a "delete IMPORTANTFILE.SYS" to one of those.

    It takes even less effort to then combine the two.

    While this action may appear to require large-scale planning and intent, it can be accomplished fairly easily by one kid with issues and a bit of time to work on it. Not to say that it *isn't* an easy way for cyber-terrorists to strike (if a kid can do it well, a trained terrorist could probably add something more interesting), but it is definitely within the reach of an oddball kid.

  25. Destructive by Anonymous Coward · · Score: 4, Interesting

    Interesting: one could have had the feeling that it was 'stupid' for these worms to destroy their hosts so rapidly. Why not wait for a few hours or days and then do it in a synchronized manner?

    In fact, the overall number of hosts that could be infested was low (~12,000): there was no need for waiting.

    It seems that those who launched it had a very good knowledge of what they were doing.

    Definitely interesting.

    1. Re:Destructive by buttahead · · Score: 4, Interesting

      there was no need for waiting.

      I'd go a step further and say that immediate damage to the system was mandatory. Waiting in this case would have detracted from the destructiveness of this worm. Since it was attacking firewalled and probably anti-virus-enabled machines, waiting would mean that the destruction would be nullified.

      It seems that those who launched it had a very good knowledge of what they were doing.

      Sounds like someone from marketing has decided to write worms. They thought about the market of hosts they were trying to infect. A good reason for infecting this set of hosts would have been to stifle the security software vendors. In order to avoid this situation in the future, a person should invest in a new model of protection. Seems to be a perfect opening for a new market.

    2. Re:Destructive by buttahead · · Score: 2, Insightful

      The last part of my comment was really meant to be humor, as marketeers don't have that kind of smarts :) I was trying to point to the start of a market, instead of a company attacking a competitor.

      But, if I were serious:
      How many lines of code is a person able to write in a day? How many does Witty have? Who was the closest competitor to the firewall app that was infiltrated? How many man hours can that company contribute (in a single day) to a bouncing new market that will mean 1.2 billion dollars a year?

    3. Re:Destructive by SpaceLifeForm · · Score: 3, Insightful
      Hmmm, and what would this new model of protection entail? Something like Cisco proposed?

      From the analysis:

      When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.

      Folks, we don't need any more infrastructure to prevent worms. We don't need any more infrastructure to control what you can and can't do on the Internet.

      It's not the Internet that causes the problems, it's the insecure machines that are vulnerable.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    4. Re:Destructive by SatanicPuppy · · Score: 2, Interesting

      It acted very much like Ebola, which is an interesting comparison. Ebola is massively virulent, but its onset and effects are so quick that it tends to "burn itself out" before infecting a large number of people. This virus did the same.

      It would be interesting to see what percent of the population that COULD have been affected, was. Maybe the writer concluded that, in hitting people with this specific vulnerability, they would have tapped the bulk of their targets in the first 24 hours or so, leaving no need for a long-lived worm.

      A delay in targeting a tech savvy population is risky if you care about the amount of long-term damage you're going to cause. A delay of two or three days would have meant many users would have had time to remove the worm before it started eating hard drives.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  26. Next internet-stopper worm could be a linux one... by gmuslera · · Score: 4, Insightful
    .. this analysis shows the impact on the internet as a whole of a worm that was not Microsoft software, was not very widespread, was even security/firewall software, and whose patches/advisory were from just a day before.

    Under those conditions, if a similar flaw is found in i.e. iptables, ssh, bind, apache or postfix, it could have a similar impact, be the OS Linux, FreeBSD, MacOSX or whatever you consider "safe" and widely enough used.

    Of course, if the same happened to really popular software out there (clients are more popular than servers, we know the effect of Outlook worms, and even default-installed servers, like IIS, or maybe even Win XP SP2's bundled firewall) the effect would be much worse, but no OS connected to the internet is safe against this. Maybe release policies will change, putting the "when it's ready" release date over "when the marketing people say", in light of the spread of this kind of thing.

  27. Re:We can catch the worm's author by Bagheera · · Score: 4, Insightful

    Ok, I'll bite. . .

    Yes, there are laws against writing malicious code. They apply if the authors happen to be in a country that respects the USAPatriot Act or whatever other laws may be applied. Your actual chances of catching these folks are slim to none.

    Even with 100 "Ground Zero" hosts, you won't get anything from /etc/passwd since these are Windows boxen, and don't HAVE an /etc/passwd file.

    Personally, I suspect the timing of the "destructive" release of this worm was based on the impending alerts about the 'sploit. I seriously doubt the creation of the worm happened after the public knowledge of the release. It's very likely that folks "in the know" were using the 'sploit for weeks to months before it was publicly acknowledged. The worm was "Spoil our fun, will you? Ha! Chew on this!"

    The destructive payload was certainly vicious, but I would worry that there were exploited (with this particular 'sploit) boxen out there LONG before anyone knew there was a hole in RealSecure and BlackICE.

    --
    Never attribute to malice what can as easily be the result of incompetence...
  28. Great summary section of the overall problem by Anonymous Coward · · Score: 2, Insightful

    A very interesting article, with some great lines; I quote a few here:

    "The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software."

    There it is. The users pay good money to be on the internet, but they are not ready to be on the internet in its current unsafe condition. So to help fix the problem we want them to be security experts? The authors are correct, we have a totally failed security model that requires too much expertise out of the average joe blow end users.

  29. A niche Warhol worm by theCat · · Score: 3, Interesting

    We tend to think of the M$ monopoly, and the subsequent homogenous pool of hosts, as being the reason for the rapid spread of worms. Actually, the monopoly means that most viruses will be targeted for that platform because it is obvious, but a virus well targeted even for a niche platform like ISS can take off because the internet itself is now almost completely transparent.

    What this suggests is that the combination of 1) bandwidth commonly available and 2) CPU speed are now more than sufficient for a virus to find almost all of the hosts it needs to anywhere these are on the internet. When a few early, fast hosts can spew 11,000,000 pps to random IP addresses then it doesn't take long to find what one is looking for.

    No doubt this is part of the reason for the observation that when 2% of Windows sysadmins fail to patch for a known vuln, then the next worm to come along and exploit that vuln has a field day. 2% of a really big number is in turn a lot of hosts, millions of Windows hosts for example.

    And a million of anything, be it Mac OSX or NetScreen or Checkpoint or BeOS or OS/2 or Amiga or anything, is fair game when a smartly written virus can get them all.

    I guess I'll have to go back and review my Mac for system updates.

    --
    =^..^= all your rodent are belong to us
  30. Is there a 0wned-net we need to know about? by LostCluster · · Score: 3, Interesting

    What's most disturbing to me is that this worm appeared on about 200+ distinct hosts at such a rate of speed that it could not have done so that fast using its main random-checking method. There clearly was some plan to pre-seed the worm into at least that many places before the worm started to spread on its own.

    I doubt whoever programmed this worm had legit access to that many well-distributed computers... so it appears that some carrier hack occurred before this worm was released, which effectively took about 12 hours off of the reaction time clock before the white hats even realized what was hitting them. Are we about to see a rash of compound attacks where one worm has a second worm baked in?

  31. The cost of C/C++ and no bounds checking by wintermute42 · · Score: 5, Insightful

    I'm a long time UNIX/Linux hacker (I first programmed on UNIX on a VAX). I've written a lot of C/C++ code. But long ago I used Pascal and more recently I've been using Java more.

    Both Pascal and Java do range checking. That is, they check the bounds of arrays (buffers) when they are accessed. This means that about half of the security exploits (including the one targeted at BlackIce etc...) would not exist if our software base was implemented in languages with bounds checking.

    The original reason that bounds checking was not implemented in C was that the early compilers were very basic (little in the way of optimization) and bounds checking overhead slows execution. Bounds checking overhead can be reduced through optimization, but Ritchie's original C compiler only did simple optimization.

    Another problem is that in C pointers and arrays are more or less interchangeable. So bounds checking becomes difficult or impossible in all cases (C provides way too much pointer flexibility when it comes to enforcing bounds checking).

    If we were to add up the cost of all of the buffer overflow security attacks it must run in the billions. So the "power" of the C programming model has extracted a pretty high price. This puts an interesting retrospective slant on Brian Kernighan's 1981 article Why Pascal is Not My Favorite Programming Language.

    I have to confess that I would not go back to using Pascal. But native compiled Java, with Java's bounds checks, would be far safer than C++. And it would result in software that is more robust against security attacks.

    Yes we can all learn to use fgets, strncpy and other safer library routines. But this only makes our code safer. It does not provide the complete protection against buffer overflow attacks. So perhaps it is time to reconsider the programming languages we are using. Perhaps unrestricted pointers and no bounds checking has become too costly.

    1. Re:The cost of C/C++ and no bounds checking by bloosqr · · Score: 2, Insightful

      I think bounds checking should be a compile time option. One of the reasons I switched to C++ actually was the ability to wrap [] (via templates) to automatically get bounds checking w/out relying on the compiler to do it for me. The overhead of bounds checking is not negligible for numerical work, so while this is a boon for debugging, it's nice to be able to turn it off for optimization once the code is "working", especially as we're not all writing daemon code (i.e. if I'm mucking about doing linear algebra, once I get the linear algebra bits set up I don't need to check over and over again to make sure each reference is w/in the array bound, effectively dumping two if statements into each memory access). If you/we are feeling paranoid, why not recompile all daemon/system code w/ a bounds checking C/C++ compiler or link w/ something like efence?

      -bloo

    2. Re:The cost of C/C++ and no bounds checking by Minna+Kirai · · Score: 3, Informative

      But native compiled Java, with Java's bounds checks, would be far safer than C++.

      Or how about native compiled C++, with bounds checks?

      There's nothing about C++ that means you can't have bounds checking! The specification allows for undefined behavior when an array is accessed incorrectly. The compiler author can decide for himself what that undefined response could be. It might be an invalid access (like most current compilers do), but there's no reason it couldn't hit a boundary-check and abort the program.

      Assorted add-in libraries to C++ compilers do this. They're not very popular, of course. But if programmers cared about safe insurance against memory overruns, they could achieve it without switching languages.

  32. Danger - spin detected by lone_marauder · · Score: 2, Insightful

    Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.

    How many Linux, BSD, and Mac machines were infected?

    --
    who are those slashdot people? they swept over like Mongol-Tartars.
    1. Re:Danger - spin detected by MyHair · · Score: 3, Insightful

      How many Linux, BSD, and Mac machines were infected?

      Don't pretend that those haven't had remote root exploits before. (Well, not sure about Mac.) This incident seems to demonstrate that a destructive worm can be deployed in short order and rapidly spread even when the target population is in a tiny minority of internet hosts.

      That prompted me to insert a bridging Linux firewall and want to learn to tighten it up even further. (Blocking 1-1024 now plus ports like 3128 & MSSQL; I want to block all unwanted incoming connections but am yet unsure about Freenet, Kazaa Lite, bittorrent and Quake3 inbound needs.)

      (BTW, used LEAF uClib Bering for the bridging firewall. Axed the Shorewall and htb.init and put my own scripts in, though, due to issues with htb.init.)

  33. Re:We can catch the worm's author by mrtroy · · Score: 2, Interesting

    HAHA!

    You posted anon because you are a fool. That's the sadly obvious reason.

    There are laws against hacking: The Patriot Act and other laws generated by the Department of Homeland Security are examples. This worm has intentionally terrorized computer networks across the world, and we can prosecute these bastards.

    I am glad you go to Harvard Law School, and are a TF...but sadly I must point out a nice little flaw in your argument (how did you pass the LSAT without knowing fallacies?)

    The Patriot Act and other laws generated by the Department of Homeland Security are examples. == AMERICAN


    This worm has intentionally terrorized computer networks across the world, and we can prosecute these bastards.
    == THE WORLD.

    Your American laws are only good in America. What makes you think that the worm was begun by an American or that you could prosecute that individual?

    There are 100 ground-zero IP addresses recorded in the telescope: these ground-zero hosts are likely to be useful for forensics, and search warrants should be issued for their recovery. Without too much trouble, we could probably find a username in /etc/passwd from one of the hackers.

    Explain to me who is doing this forensics, and how the search warrants will be issued for these "100 ground-zero IP addresses". Yet again, are these all American IPs? Are the people investigating American?

    Without too much trouble, we could probably find a username in /etc/passwd from one of the hackers. == GIBBERISH.

    What exactly do you mean here. You are going to find the hacker's username in /etc/passwd?

    I don't really understand why/how/what you mean here. If a hacker is smart enough to start this large scale worm, do you not think he is smart enough to not leave any logs on the computers he first infected? And if they are, they would definitely be proxies, which yet again, are you going to investigate them? Even if they are not American?

    And finally....

    With a bit of work, I believe that the hackers can be brought to justice. The question is, what happens next week when the next bored teenager releases the next worm?

    You are going to bring the hackers to justice where? Are they American? Do you have the right to prosecute anyone in the world?

    And it is hardly the work of a bored teenager. First, it's unlikely it's a teenager...it is rather convenient to blame teenagers though. You are missing the real question, which is what can we do to prevent worms of massive scale from occurring.

    I really hope that you use what you learn at Harvard inside America, and do not try to impose your laws anywhere else in the world. Especially considering your lack of knowledge on the subject yet your intentions to bring some hackers to justice.

    --
    [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
  34. New tactical doctrine for attacks by Animats · · Score: 5, Insightful
    Virus writers are now developing a tactical doctrine. This suggests that future viruses will be more effective, not for technical reasons, but because the attacks will be organized more like military attacks. We now see virus writers getting inside the OODA cycle of the defenders. This is consistent with modern military tactical doctrine. Read MCDP-1, Warfighting. This short Marine Corps publication tells you how to think about war and how to win it. This revolutionized USMC doctrine, which previously focused on heroically advancing no matter what the opposition.

    A key point of modern tactical doctrine is to act faster than the opposition can react. Special operations types talk about the "period of vulnerability", which begins when the defender notices an attack and ends when the attacker achieves relative superiority. Most attacks fail during the period of vulnerability. So modern tactical doctrine says that it's worth huge amounts of effort and money to cut that time down. This is why special ops people rehearse and train to a level that seems unreasonable. It's not to make them good, although it does. It's to make them fast, so they get through those first seconds and minutes at the beginning of an attack before the defenders can react.

    That's exactly what we saw with this worm. The attack was launched in a way that rendered the usual strategies of anti-virus companies ineffective. Anti-virus companies, (and Microsoft), have known response and patching cycle times. The creators of this worm got inside that cycle time, by building both a fast-propagating worm and by starting it from multiple points.

    Military doctrine gives us some insights on what to expect next. This worm involved a campaign, a series of battles fought to achieve a goal. One attack acquired machines to be used as bases in a later attack. That's standard doctrine. Other relevant military concepts include mutual support, feints, and diversions. We are starting to see worms and viruses that support each other, so that if one is removed, another attack lets it back in. We may see feints and diversions, where a big noisy attack is launched to divert attention from something more subtle.

    Another doctrinal concept is that of combined arms. So far, virus writers generally haven't utilized other hacking techniques, like dumpster diving, social engineering, or wiretapping. That may change.

    We may well see an attack that wipes out most of the Internet-connected Windows machines in the world in a single day.
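    The post above argues that starting from many hosts at once gets the attacker "inside the cycle time" of the defenders. As an added example (not part of Animats' post or of the CAIDA analysis it discusses), the following random-scanning worm model makes that claim quantitative: the time to saturate the vulnerable population depends logarithmically on the size of the initial hit list, and the model can be inverted to ask what per-host scan rate a given seed count would require. The population size, seed count and scan rate in the `__main__` block are assumed illustration values, not measured Witty figures.

```python
import math

IPV4_SPACE = 2 ** 32  # a random scanner draws targets from the whole address space


def growth_constant(vulnerable, scans_per_sec):
    """Per-second growth rate K of the logistic (random-scan) worm model:
    each infected host hits a vulnerable address at rate scans * vulnerable / 2^32."""
    return scans_per_sec * vulnerable / IPV4_SPACE


def time_to_fraction(vulnerable, seeds, scans_per_sec, fraction):
    """Closed-form seconds until `fraction` of the vulnerable population is
    infected, starting from `seeds` already-infected hosts (the hit list)."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    if not 0 < seeds < vulnerable:
        raise ValueError("seeds must be between 1 and vulnerable-1")
    odds_target = fraction / (1.0 - fraction)
    odds_start = seeds / (vulnerable - seeds)
    return math.log(odds_target / odds_start) / growth_constant(vulnerable, scans_per_sec)


def scan_rate_for(vulnerable, seeds, fraction, seconds):
    """Invert time_to_fraction: per-host scan rate needed to reach `fraction`
    within `seconds` when starting from a hit list of `seeds` hosts."""
    odds_target = fraction / (1.0 - fraction)
    odds_start = seeds / (vulnerable - seeds)
    k = math.log(odds_target / odds_start) / seconds
    return k * IPV4_SPACE / vulnerable


def simulate(vulnerable, seeds, scans_per_sec, fraction, dt=0.5, max_time=10 ** 6):
    """Step the same model numerically (explicit Euler) as a cross-check on the
    closed form; returns the first time at which the target fraction is reached."""
    k = growth_constant(vulnerable, scans_per_sec)
    infected, t, target = float(seeds), 0.0, fraction * vulnerable
    while t < max_time:
        if infected >= target:
            return t
        # each infected host finds an uninfected one with probability
        # (vulnerable - infected) / 2^32 per scan
        infected += k * infected * (1.0 - infected / vulnerable) * dt
        t += dt
    return None


def hit_list_advantage(vulnerable, seeds, scans_per_sec, fraction=0.95):
    """Seconds saved by starting from `seeds` hosts instead of a single one."""
    return (time_to_fraction(vulnerable, 1, scans_per_sec, fraction)
            - time_to_fraction(vulnerable, seeds, scans_per_sec, fraction))


if __name__ == "__main__":
    # Assumed parameters for illustration only, not measured Witty figures.
    N, SEEDS, RATE = 12_000, 110, 1_000
    print(f"single seed : {time_to_fraction(N, 1, RATE, 0.95) / 60:.1f} min to 95%")
    print(f"{SEEDS} seeds   : {time_to_fraction(N, SEEDS, RATE, 0.95) / 60:.1f} min to 95%")
    print(f"scan rate to reach 95% in 45 min with {SEEDS} seeds: "
          f"{scan_rate_for(N, SEEDS, 0.95, 45 * 60):.0f} scans/s per host")
```

    The point the model makes is the one fuzzybunny raises further down: the spread rate alone is a poor metric, because the defender's response window is set by the seed count as much as by the scan rate.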

    1. Re:New tactical doctrine for attacks by Animats · · Score: 3, Interesting
      It's not a new observation about war. It's more of a justification for putting far more resources into preparation for the first few minutes of a battle than has historically been the case. There's a truism that no battle plan survives contact with the enemy. But for the first few minutes, with sufficient preparation and intelligence, that's often not true.

      The classic example is Eben-Emael. Seventy men took out one of the strongest forts in the world, manned by a thousand troops, in ten minutes. This allowed Hitler's armies to advance into Belgium and conquer France. Six months of preparation, ten minutes of vulnerability.

      The lesson for virus/worm writers is that an attacker needs the capability to rehearse and optimize attacks. This requires two things - general intel about target machines (what percent of targets are vulnerable to each available attack, for example), and a farm of machines on which to test and tune attacks. Many worms/viruses have failed because propagation was too slow, or all the attacks targeted the same machines, or some similar tactical failure in the early part of propagation. The original Morris worm failed for just such a reason. The serious attacker will have a farm of machines on which to repeatedly test the attack plan, without arousing attention until the actual attack.

    2. Re:New tactical doctrine for attacks by fuzzybunny · · Score: 2, Interesting

      Good form. Breezy and fluffy, but original enough to provide a convincing imitation of insight.

      Don't fall into the common trap of judging historical patterns by what you know today. Virus/worm attacks, beyond the coordinated DDoS Stacheldraht/Trinoo/TFN a few years back, have been the work of one or a few individuals just releasing to see what happens. There are a lot of indicators that worms are being released with schedules and goals.

      If MCDP-1 "revolutionized" the MC, maybe that says more about the Marines...

      Once again, exercise caution in generalizing. Sun Tzu, von Clausewitz, Napoleon, Guderian may have had and propagated fantastic ideas about warfare, but the reason the latter were so successful was because nobody else thought of implementing those ideas. What seems painfully obvious to you/me today was not always so.
      No it doesn't. If you have any predictions about what'll come next, state them.
      Once again, I disagree. If what we're seeing with Netsky/MyDoom is a pattern of testing viruses with escalating degrees of sophistication and effectiveness, it's possible to create some (quite possibly mistaken) conclusions about future attack patterns, the identities and goals of the people writing them, and maybe, if you're really lucky, general avenues of attack.

      The whole concept of virus-scanning is flawed.

      Flawed, yes. Unnecessary, no. The reason we have any security at all is as a combined response to past incidents and exploits and theoretical future weaknesses. If you see virus scanning as a be-all end-all solution, you've got a problem. As you do if you decry individual security components out of hand because they don't do things they're simply not designed to do (i.e. be psychic about what's next.)

      Nothing significantly better about its spread rate.

      No, but just looking at the spread rate is to use a flawed metric. What's interesting is the initial population, although I'll agree with you that distributed attack networks are nothing new, and the fairly novel target selection. That's what worries me.

      Yes, it's a bit far-fetched to apply military analogies to worms; the goals are different, as are the means, the motivation, etc etc etc. However, considering that concepts like 'planning', 'strategy' and 'dynamic adaptation' _are_ fairly novel concepts in the worm world (see my first points) it might not be such a stretch after all.

      --
      Cole's Law: Thinly sliced cabbage
    3. Re:New tactical doctrine for attacks by tswann01 · · Score: 2, Insightful

      Thank you for the well-written, insightful post. Any time we can think about these issues from such a different perspective, we all benefit. I do have 2 comments:
      1. Virus writers have used social engineering extensively (ILoveYou, etc.) to get users to open attachments.
      2. How do we know that we haven't seen feints and diversions? I see no reason to assume that sufficiently subtle attacks aren't already taking place. "The practical implications of this are staggering; with minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts."

  35. Re: Windows Security Model Needs Fixing! by Phragmen-Lindelof · · Score: 2, Interesting

    "Unfortunately, the machine I'm typing on here at the University of Virginia is directly connected and yes, it runs Windows."

    Why?

    UV has good people. Why do they let you (require you to (??)) use Windows? Are you in CS, Math or Applied Math? ... Engineering? Business? What?
    Based on the IPs of computers spreading virus, worms, etc. in the past, my impression is the engineering departments (& "institutes") are among the most common academic sources of this garbage. (Earlier today, unl.edu was a problem.)

  36. Security defined by mcrbids · · Score: 4, Interesting

    I think we all have to come to terms with the fact that our current state of Computer Science is not up to the task of dealing with the Internet as it is becoming.

    Linux/BSD has a somewhat better security record than MSFT, but even after all the auditing effort put out by the guys over at BSD/OpenSSH, there have *still* been a number of security vulnerabilities recently!

    The problem is not being viewed in the proper light. Something like a buffer overflow should not result in a compromisable host! Something like a misquoted SQL statement should not result in an SQL injection vulnerability!

    Applications and programming environments need to be structured and developed with the understanding that people make mistakes and there needs to be allowance for that.

    You can't expect a group of programmers to maintain 50,000, 500,000, or 5,000,000 lines of code without there being mistakes in there.

    It just cannot be done.

    So languages, programming techniques, and infrastructure need to be developed that truly prevent the "bug==severe security risk" situation.

    Really, as much as we all laud their security record, Microsoft is in a good position to trounce the OSS crowd if they can come up with a software language and security system that allows for programming mistakes.

    The answer is NOT to make sure you input validate *everything* - although input validation is always a good thing.

    The answer is to develop a system where common programming mistakes do not result in a security issue.

    Get used to it. People are people. They make mistakes. We either cease being human, or develop a system that makes allowances for our humanity.

    Can we do it?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  37. Adapt by gad_zuki! · · Score: 2, Insightful
    Instead of worrying about things we can't change (1 day/0 day exploits) let's focus on things we can change.

    Here are some hypotheticals and not-so hypotheticals.

    Are there any products that will ghost my drive onto another drive inaccessible to the OS by ordinary means every day?

    How can we teach people and developers the wonders of encryption so their credit card numbers and passwords can't be stolen?

    What will it take for hardware and OS makers to find a solution to most/all buffer overflows?

    Why are non-servers on the internet 24/7? A 'disconnect me after 1 hour of inactivity' would go a long way.

    Should we be encouraging residential ISPs to temporarily block ports during major outbreaks?

    Should ISPs be denying access to computers found to be spewing spam, viruses, or trojans?

    Why are we storing data locally? A fire or a crashed disk could mean the loss of important data, photos, etc. The internet hasn't seemed to provide users with an easy way to upload/download/sync documents off-site securely and easily.

    /insert more ideas here

  38. What did you say? by rice_burners_suck · · Score: 2, Funny
    Cooperative Association for Internet Data Analysis (CAIDA)

    In other news, the Action League department of the Cooperative Association for Internet Data Analysis (AL CAIDA) today announced new threats of technological terrorist attacks. Among other things, they threatened to use illegally acquired funds to purchase the Microsoft Windows source code, insert viruses directly into the operating system, and release them to the unsuspecting world. The most frightening of their threats was to implement a technology called Windows Scripting Host, which would execute malicious code upon reception in an email inbox. Such a technology would allow viruses to spread faster than with earlier diskette-based methods.

    Oh, wait... That's already been done for them. Back to the black hat drawing board with these computer crime organizations.

  39. Re:ground zero hosts? by SkArcher · · Score: 3, Insightful

    Is anyone else sensing the likelihood that compromised MyDoom machines were the ground zero hosts?

    --

    An infinite number of monkeys will eventually come up with the complete works of /.
  40. There is more you CAN do for Linux by gotr00t · · Score: 2, Informative
    Though you're right in the respect that a stock distro of Linux or *BSD is just about as secure as Windows (perhaps a bit more), there is simply more you CAN do to secure Linux, versus Windows, in which almost all security has to be installed separately.

    You can massively limit the damage done by a worm in Linux simply by running all processes that leave a port open in a chroot jail, or by doing so as a lesser privileged user. This is one of the many simple solutions available, while in Windows, it's not so easy.
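    An added example (not from gotr00t's post) of the chroot-plus-unprivileged-user pattern the post describes, written for a Unix network daemon. The order of the calls is the part people get wrong: the listening socket is opened while still privileged, chroot comes before setuid (it needs root), chdir("/") follows chroot so the working directory does not still point outside the jail, and the supplementary groups and gid are changed before the uid, because an unprivileged uid can no longer change them. The jail path and the uid/gid in the `__main__` block are assumed values for a typical `nobody` account, not something the post specifies.

```python
import os
import socket


def open_listening_socket(port, backlog=16):
    """Bind and listen while still privileged (ports below 1024 need it).
    The open descriptor survives the privilege drop, so the daemon keeps
    serving without keeping root."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", port))
    s.listen(backlog)
    return s


def drop_privileges(jail_dir, uid, gid):
    """Confine the process to jail_dir, then become an unprivileged user.

    Raises ValueError for a root target, OSError if any step fails (for
    example no root, or a missing jail directory), and RuntimeError if the
    drop turns out to be reversible. Returns True on a verified drop.
    """
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to root")
    os.chroot(jail_dir)      # needs root (CAP_SYS_CHROOT); must precede setuid
    os.chdir("/")            # otherwise cwd still points outside the jail
    os.setgroups([])         # drop inherited supplementary groups (wheel, adm, ...)
    os.setgid(gid)           # gid before uid: afterwards we could not change it
    os.setuid(uid)           # setuid(2): real, effective and saved uid all change
    # Sanity check: a permanent drop means root cannot be regained.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop is reversible; refusing to continue")


if __name__ == "__main__":
    # Assumed: /var/empty exists and is root-owned; 65534 is 'nobody' here.
    listener = open_listening_socket(8080)
    drop_privileges("/var/empty", 65534, 65534)
    conn, peer = listener.accept()
    conn.sendall(b"hello from uid %d inside the jail\n" % os.getuid())
    conn.close()
```

    A compromised worker that reaches this point can only read what is under the jail and only as the unprivileged uid, which is the damage limitation the post is after; a kernel or chroot-escape bug is still out of scope for this technique.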

  41. two things by Daltorak · · Score: 3, Insightful

    1) Internet Information Services's track record has improved dramatically in the last couple of years... the last security patch for it was in May of last year, and then the one before that was in 2002.

    2) Why didn't you enable XP's firewall before connecting to the Internet? That's a pretty effective way of preventing your machine from getting infected while collecting the various updates.

  42. Re:We can catch the worm's author by cubic6 · · Score: 3, Insightful

    Besides the fact that you're repeatedly trolling with the "Teaching Fellow" bit...

    I highly doubt that the hosts who own your 100 so-called "ground-zero" IP addresses would be very helpful in an investigation, besides perhaps a cursory inspection. First, why would they be different from any other infected host, besides the fact that their IPs were hard-coded in the virus? The owners haven't committed any crime, but if the FBI grabs those computers, they won't see their computers for months or years.

    First, it's a Windows worm, and THERE ISN'T AN /etc/passwd FILE IN WINDOWS!. Assuming there magically was, it wouldn't have any useful information. Yes, they might find a username. Who cares? If you cracked a box to install a worm, would you use a username that might possibly be traced to you? Unless the owner is running some hardcore auditing software, it's highly unlikely that there would be a single clue as to the virus author.

    Second, if the virus author was intelligent at all, these hosts would be chosen to be outside the US, preferably in Libya or China or Russia or somewhere else with a low chance of cooperation with US law enforcement. Why? It's harder to get them taken down.

    I'm not denying that they should be brought to justice, but let's not send the FBI to start grabbing random computers every time there's a virus outbreak. How would you feel if the FBI demanded you give them your shiny new $3000 laptop for as long as they want?

    --
    Karma: Contrapositive
  43. That is by design by isaac_akira · · Score: 4, Informative

    From the article text:

    "The worm payload of 637 bytes is padded with data from system memory to fill this random size..."

    So you are seeing some random garbage that was in memory on the victim's machine while the worm was being sent out. That helps to avoid detection as it is harder to profile the worm.
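    An added example (not from the CAIDA text or from this post; the payload bytes are constructed, not Witty's real ones) of why that padding defeats naive profiling and what a detector should key on instead. A signature built from a whole-packet hash or from the packet length only ever matches the one sample it was taken from, because the tail and the total length change on every copy; a signature anchored on the fixed-length prefix matches every copy.

```python
import hashlib
import os

# Constructed stand-in for a worm's fixed body; NOT the real Witty bytes.
FIXED_PAYLOAD = b"\x90" * 16 + b"CONSTRUCTED-WORM-BODY" + b"\xcc" * 600


def build_packet(fixed=FIXED_PAYLOAD, min_pad=1, max_pad=512, rng=os.urandom):
    """Emulate the quoted behaviour: the fixed body followed by a random
    amount of whatever was lying around in memory (here: random bytes)."""
    pad_len = int.from_bytes(rng(2), "big") % (max_pad - min_pad + 1) + min_pad
    return fixed + rng(pad_len)


def whole_packet_hash(packet):
    return hashlib.sha256(packet).hexdigest()


def matches_by_hash(packet, known_hashes):
    """Naive: only fires if every byte, padding included, repeats exactly."""
    return whole_packet_hash(packet) in known_hashes


def matches_by_length(packet, known_lengths):
    """Naive: a length profile, which the random padding also varies."""
    return len(packet) in known_lengths


def matches_by_prefix(packet, fixed=FIXED_PAYLOAD):
    """Robust: key on the invariant prefix and ignore the variable tail."""
    return len(packet) >= len(fixed) and packet[: len(fixed)] == fixed


def detection_rates(n, fixed=FIXED_PAYLOAD):
    """Hit rates of the three signatures over n fresh packets, with the hash
    and length signatures taken from a single captured sample."""
    sample = build_packet(fixed)
    known_hashes = {whole_packet_hash(sample)}
    known_lengths = {len(sample)}
    hash_hits = length_hits = prefix_hits = 0
    for _ in range(n):
        p = build_packet(fixed)
        hash_hits += matches_by_hash(p, known_hashes)
        length_hits += matches_by_length(p, known_lengths)
        prefix_hits += matches_by_prefix(p, fixed)
    return hash_hits / n, length_hits / n, prefix_hits / n


if __name__ == "__main__":
    h, l, p = detection_rates(1000)
    print(f"whole-packet hash: {h:.1%}  length only: {l:.1%}  fixed prefix: {p:.1%}")
```

    The same reasoning applies to any variable-length trailer: derive the signature from the bytes the exploit cannot change (the part that must reach the vulnerable parser intact), not from packet size or a digest of the whole datagram.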

  44. Re: Windows Security Model Needs Fixing! by seaswahoo · · Score: 2, Interesting

    Yes, firewall software was the one that was compromised, I think. I used to trust ZoneAlarm, but then I figured that hardware firewalling is probably a safer bet than software firewalling, especially if the software firewall is running on a Windows box.

  45. What about BIOS wiping, physical damage? by Anonymous Coward · · Score: 2, Insightful

    We need to seriously consider the consequences of the firmware upgradability of modern computers and components. Imagine a worm like this one which instead of just wiping the hard disk, erased the system BIOS. In fact, worse is possible. There are software upgradable EEPROMS on the video card, CD-ROM, even the harddisk, printer, scanner etc. These EEPROMS can only be burned about 100 times. A malicious program could physically destroy all of them. If someone wrote such a worm payload, and released it after a 0-day exploit targeting millions of machines, the result could truly be a societal disaster. There would not be enough EEPROM chips, nor enough skilled workers to replace all of them. It would be worse than the 2003 blackout. I've felt for a long time that we need systems where no amount of malicious programming could destroy the hardware nor essential components of the software. One possibility is a hardware switch which would need to be pressed before any firmware modification could proceed. A similar idea would provide a hardware write protection to certain portions of the operating system.

  46. Re:process privs by davegust · · Score: 2, Insightful

    there is simply more you CAN do to secure Linux, versus Windows, in which almost all security has to be installed separately.

    You can massively limit the damage done by a worm in Linux simply by running all processes that leave a port open in a chroot jail, or by doing so as a lesser privileged user. This is one of the many simple solutions available, while in Windows, it's not so easy.

    It's very easy to manage security for service processes under Windows. Different users can be created for the services, allowing whatever ACL restriction you'd like. For other processes, the "run as" option can provide the same function.

    If you're having problems determining which services (or other process) are opening what ports, check out netstat -o.

    This stuff is actually "easy" under Windows - maybe not Aunt Millie easy, but any power user can handle it. No MSCE required. The tools (and documentation) are there. There's even a fancy gee-wiz UI way to do it - no regedit necessary.

    If you're a fan of software firewalls (I'm not), then yes, generally you have to buy these separately. But then software firewalls aren't really the answer, are they. Why do I need a separate piece of software to filter inbound connections. I can do that with the IPSECurity, or if I want redundancy, with a dedicated hardware firewall.

    Call me over-confident, but I've had a Win 2000 Server on the net for 4 years, with no firewall of any kind, no NAT, no real-time anti-virus, and with open IIS ports. I run Outlook, IE6, VS.NET, SQL Server, and lots of other "notorious" MS software. The only illness this system has suffered was a code-red triggered DOS on my unpatched Cisco 675 router, and some nasty spyware installed with BearShare back before I knew what AdAware was. It's not magic - I just keep up with Windows Update and MBSA, and I try to be careful about what binaries I trust. Also, I back up religiously. To be honest, the hardest part has been keeping up with mySQL, PHP, and ActiveState revs.

  47. Why are you blaming ZoneAlarm? by mbauser2 · · Score: 2, Insightful

    Look at the page you linked to. ZoneAlarm isn't listed as compromised product. It's not even made by the same company as the compromised programs.

    --
    Proud to be / Smiley-free / Since Nineteen / Ninety-Three
    1. Re:Why are you blaming ZoneAlarm? by Ralph+JH+Nader · · Score: 5, Insightful

      It was an honest mistake. I was thinking of BlackIce and put the wrong firewalling program. Blame my lack of sleep for the error. The rest of the argument remains true, however. Whether a security hole was discovered in Zonealarm, Blackice, or in any other Windows program, unless the bug was caused by a problem with Windows itself, it is not in itself a Windows worm.

      Another poster in the thread cited that worms affecting Outlook are Windows worms and Outlook is software that runs on Windows. The difference is that Outlook is bundled with IE, and is integrated into Windows and it is very difficult to separate it. Surely I don't need to educate Slashbots on this. Since it is so tightly wrapped with Windows, and Microsoft claims it's an integral part of Windows (they told the DOJ that), then it's part of Windows. If the problem involves Windows, a component of Windows (such as a DLL shipped with it), or a program integrated into Windows or installed with Windows, then it's a Windows vulnerability. When BlackIce is installed with Windows by the Windows installer, then a BlackIce vulnerability would be considered a Windows vulnerability.

      In terms of Linux, a particular distro would be said to have a vulnerability if it involves the actual operating system or a package that the distro releases along with the OS. If I go install some buggy unsupported software on my Linux box, and then there's a worm for it, should that worm be considered an exploit of that distro since I was running that distro and was infected by the worm? That's absurd.

    2. Re:Why are you blaming ZoneAlarm? by Tony-A · · Score: 2, Insightful

      Whether a security hole was discovered in Zonealarm, Blackice, or in any other Windows program, unless the bug was caused by a problem with Windows itself, it is not in itself a Windows worm.

      Whether a security hole was discovered in ... or other COMPUTER program, unless the bug was caused by a problem with THE COMPUTER ITSELF, it is not in itself a COMPUTER worm.

      A worm or virus on a computer is a computer worm or virus.
      A worm or virus on a Microsoft Windows computer is a Microsoft Windows worm or virus.

    3. Re:Why are you blaming ZoneAlarm? by pohl · · Score: 2, Insightful

      That's not strictly true. I have network daemons running on my machine that have some protection given to them by the underlying operating system. Were a buffer overflow exploit to be discovered in one and leveraged by an attacker, the best that the attacker can hope for is a shell that gives them all of the privileges of the user under whose authority the process is running. An attacker would have to find another vulnerability in another part of the system to get to another, more dangerous, level of privilege. This protection comes from architectural decisions made by those who wrote the OS.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  48. Re:Call me crazy, but... by Walkiry · · Score: 2, Informative

    More destructive worms = less apathetic/ignorant users out there

    I'm not going to bother replying to your "it's the victim's fault" tripe, but I'll just point out that the problem with this particular worm is that it's destroying computers from users that are NOT apathetic, it's targeted at people who have bothered to get a firewall up and running, using an exploit that was detected just a day before the spread.

    Of course, you'd know that if you had bothered to RTFA. Wishful thinking, I know...

    --
    ---- Take the Space Quiz!
  49. Microsoft? Are you taking notes? by calebb · · Score: 2, Interesting

    In light of this worm, I wonder if Microsoft is going to make any changes to the new Windows XP SP2 firewall? (i.e., a self-monitoring 'heuristic' process that watches for 'exploited-process-like-behavior.')

  50. Re:Spectacular Failure by pe1chl · · Score: 4, Insightful

    I don't think you got the message.
    Worms like this could run on your dedicated firewall box (like linksys or draytek).
    They don't require Windows or an insecure OS at all, they just require sloppy programming in any program that handles network packets.

  51. A whole lot of point missing going on... by Simon+Brooke · · Score: 4, Insightful

    About a week ago, we had a vulnerability announced in OpenSSL. I imagine most of us patched pretty quickly. But the Witty worm appeared within twenty-four hours of the announcement of the vulnerability it attacked, and it infected 95% of vulnerable machines within 45 minutes.

    Yes, it's funny that it was a Windows firewall that was attacked. Yes, it's especially funny that it was an expensive Windows firewall that was attacked. Laugh.

    But also think.

    This could just as easily have been us. From my root logs I patched my servers for the OpenSSL vulnerability on Sunday 21st, which was four days after it had been announced. If the Witty worm had attacked OpenSSL, it would have got me. I suspect it would get most of us.

    Linux (or BSD, or whatever) is not immune to this sort of attack. On the contrary, we're just as vulnerable as anyone else. Those of us who administer public-facing servers have got to learn to be still more cautious, and still more proactive about fixing holes as they are announced.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
    1. Re:A whole lot of point missing going on... by Phragmen-Lindelof · · Score: 4, Insightful

      How is a DOS attack anything like overwriting a hard drive? This is FUD.
      From US Cert:
      II. Impact
      An unauthenticated, remote attacker could cause a denial of service in any application or system that uses a vulnerable OpenSSL SSL/TLS library.

    2. Re:A whole lot of point missing going on... by HolyCoitus · · Score: 3, Informative

      He isn't saying this specific vulnerability was the one that could have done it. He's saying that if a vulnerability did come along that could enable someone to do it, that he would not have patched until it was too late.

      I wouldn't have either possibly, the point being you have to be sure that people can't get to your boxes like that. Either by patching or having layers of abstractions to stop it from happening. Most likely both.

      It's more of a hypothetical at this point, but saying "it will never happen to me/us!" is bad policy.

      --
      That's scary.
  52. ...and this is why... by Alex+Belits · · Score: 4, Insightful

    ...anything that is called a "firewall":

    1. Should NOT contain any attack analysis. The only attack that any security software not in the hands of security researcher has a legitimate reason to "analyze" is an attack that already succeeded, and the user is recovering from the destruction caused by it. Announcing "prevented" attacks or modifying the host's response to "suspicious" data is at least a useless toy, and at most a target for a real attack (though most often it's in the middle, a nuisance that reduces the reliability). Keep it simple, stupid!

    2. Should be separated from the host that it protects by at least a virtual machine and (better) be on a separate device. Then the worst that can happen in the case of a firewall compromise is that the firewall will stop performing its functions. Running a "firewall" on the "firewalled" host is an equivalent of a person hiring himself as a bodyguard.

    3. If running on the "protected" host, it should be passive, and merely prevent other software running on that host from receiving packets from the Internet even if that software listens on the ports that the author believes, should not be opened. Still, calling this a "firewall" stretches the definition way too far.

    The original meaning of a firewall is a wall in the building that prevents fire from spreading when the building is already on fire, and the firewall acts as a barrier to spreading it. It does not make a building non-flammable, and its design expects a building to contain flammable material, yet it prevents damage from spreading. A network firewall does something pretty close to this: it expects vulnerable hosts to be on either of its sides, and merely reduces the probability of a successful attack from the "external" to the "internal" network, yet being relatively simple, it is impossible or difficult to attack. Having a "firewall" full of "flammable" bells and whistles, and in the middle of a system that it assumes to be vulnerable, is a very, very wrong kind of design.

    --
    Contrary to the popular belief, there indeed is no God.
  53. Re: Windows Security Model Needs Fixing! by seaswahoo · · Score: 2, Insightful

    I probably could replace MSOffice with OpenOffice, and there's probably a Java debugger and compiler for *nix systems. MathCAD? No idea where to replace that. Rise of Nations is MS-only (dammit), and there probably is Palm Pilot interfacing software for *nix. Have no idea if my Canon scanner is supported, but I need to use it. Well, if they're making a poor choice, that's too bad, but in the meantime, I have to get work done, so I just try and make do.

    (and on the side, I tinker with Linux... :P)

  54. Security defined...and Microsoft (may) succeed by Faies · · Score: 3, Informative
    I just recently visited the Microsoft Mobile Developers Conference held this week. Bill Gates himself gave the keynote on Wednesday, the highlight of which was the release of the new Speech Server. A transcript of his presentation is available at the following location:
    http://www.microsoft.com/billgates/speeches/2004/03-24-VSLive.asp

    The parent comment caught my eye in particular because security was brought up as an issue when discussing the future roadmap for Visual Studio. Gates said the following:
    I mentioned quality and security is a very particular focus here, certainly for Microsoft that's been our top priority, even more than the new features we're doing, the development of "Longhorn," all the things about isolating networks, so that malicious code can't spread and do bad things, that's been a huge effort. And the Visual Studio group has participated in that. In fact, as part of our security effort we've invented a lot of tools that look at code and examine it, statically, for certain types of flaws. So we're using that ourselves, it's called PREfast, and we decided wow, this has been so effective at finding flaws we actually need to get it out for developers. So this PREfast capability will be built into the Visual Studio product. In fact, it's a very sensible thing, if there's development patterns that might be in error, you can put in recognition rules in those, so extend it into your application domain to find an even broader set that we preprogram it to find.

    We have security capabilities, like, if you're developing an application that you don't want to force people to be in admin mode, you can ask the development tool to run in a way that it will error-out anything that doesn't work in normal user mode. And there's big push for Windows applications to make sure they don't require administrative mode. There's the new managed APIs, there's new compiler switches to generate code that is immune from certain types of attacks. So I would say a substantial number of features related very specifically to the quality and security initiatives.
    So, in a nutshell, Microsoft's next release of Visual Studio, 2005, will have new features that try to detect common flaws in development patterns and warn the programmer ahead of time.

    Applications can also make a distinction between administration/user modes, and if this is what I think it is + Microsoft implements this correctly, then Windows security could move up a step closer to that of Unix-based permissions systems with a rough emulation of the relation between root/user modes.

    And most importantly, with compiler options to automatically write in extra security checks, developers may not have to ever even know that a particular bug exists and still be a-ok.

    Will this warn the developer of every bug? Probably, and almost 100% certainly not. For that matter, it's an extremely bad thing if you designed your code poorly and don't know that it is so- programmers should not be initially taught using tools like this.

    But, as the parent mentions, this will lead to somewhat-more-secure code, and help in the long run.

    In fact, I don't see anything bad about writing developer tools such that the environment can sensibly pop up a dialog asking "Are you sure you don't want to check input xyz?". At the very least, something like this is needed in both Microsoft and OSS development platforms.
  55. An Idea which I had for a long time. by LuckyStarr · · Score: 3, Interesting

    Given, many hosts run the same OS (Linux, Windows, whatever) and the same binaries. Even if you compile the source from scratch the resulting binary is likely to be identical to other binaries on other machines.

    This leads to a situation where malicious code can rely on things like stack position and such, enabling it to insert its code into it.

    Idea:

    Is it possible to modify the compiler or binary-format to gather some unique information from the host it is running on and modify the binary in a way that it behaves in a unique way on this machine?
    For example in a way so that malicious code can not predict the position where it can insert itself, resulting in a crash rather than a compromise of the machine.

    Pros:

    - All malicious code would be obsolete if it doesn't know the "secret" of the machine and the method it uses to "scramble" its binaries and/or its memory.
    - All remote/local exploits in any form would be converted to a DoS, which I think is not as dangerous as a compromise.

    Cons:

    - Would presumably make debugging of programs even worse than it is now.
    - Insert "You stupid *%@&, you don't understand" here.

    Please reply, as I feel that I may have missed something important.

    --
    LuckyStarr

    --
    Meme of the day: I browse "Disable Sigs: Checked". So should you.
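    The idea in LuckyStarr's post, that the layout an exploit depends on should differ per machine so that a guessed address produces a crash rather than a compromise, is what is now called address space layout randomization (ASLR), applied per process rather than per binary. As an added example (not from the post), the following checks whether a host actually does this: it spawns fresh interpreters, records where the C library's `printf` landed in each, and reports whether the address moves between runs. The `/proc/sys/kernel/randomize_va_space` lookup is Linux-specific and is assumed to be absent elsewhere.

```python
import ctypes
import subprocess
import sys

# Code run inside each child process: report the address of printf, which is
# libc's load base plus a fixed offset, so it moves exactly when libc moves.
PROBE = (
    "import ctypes;"
    "libc = ctypes.CDLL(None);"
    "print(ctypes.cast(libc.printf, ctypes.c_void_p).value)"
)


def libc_symbol_address():
    """Address of printf in this process (the running binary's own libc)."""
    libc = ctypes.CDLL(None)
    return ctypes.cast(libc.printf, ctypes.c_void_p).value


def sample_libc_addresses(runs):
    """Spawn `runs` fresh interpreters and collect where each one's libc landed."""
    addresses = []
    for _ in range(runs):
        result = subprocess.run([sys.executable, "-c", PROBE],
                                capture_output=True, text=True, check=True)
        addresses.append(int(result.stdout.strip()))
    return addresses


def layout_is_randomized(addresses):
    """True if the same library landed at different addresses across runs,
    i.e. an exploit hard-coding one of these addresses would crash elsewhere."""
    return len(set(addresses)) > 1


def kernel_aslr_setting():
    """Linux only: 0 = off, 1 = stack/mmap/vdso randomized, 2 = brk as well.
    Returns None where the sysctl does not exist."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    observed = sample_libc_addresses(5)
    print("kernel randomize_va_space:", kernel_aslr_setting())
    for addr in observed:
        print(f"printf at {addr:#x}")
    print("layout randomized across runs:", layout_is_randomized(observed))
```

    The trade the post anticipates holds: a wrong guess becomes a denial of service rather than code execution. Two caveats a practitioner should keep in mind are that a single leaked pointer removes the secret for that process, and that on 32-bit systems the number of possible positions is small enough to brute-force, which is why the check above looks at whether the base moves at all rather than at how many bits it spans.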
  56. Re: Windows Security Model Needs Fixing! by u01000101 · · Score: 2, Interesting

    I used to trust ZoneAlarm, but then I figured that hardware firewalling is probably a safer bet than software firewalling, especially if the software firewall is running on a Windows box.
    ZoneAlarm is the only thing that can tell you this attempt to connect to port 80 on http://12.34.56.78 is not coming from your browser, but from a process called __Leet_IM__CLient!!!111__ . You get the picture...
    Because you allow port 80 outbound in your hardware firewall, don't you?

    --
    if you use a good enough junk-filter, slashdot.org will display a single, *blank*, page
  57. Re:Quickly written by A55M0NKEY · · Score: 2, Insightful

    Possibly they had the worm already written except for the exploit. Maybe they'd tested spreading and destruction parts using another very old and likely to be already patched exploit and have been waiting, template ready, for an appropriate exploit to be found which they could plug into their worm template.

    --
    Eat at Joe's.
  58. I got hit by this worm by leereyno · · Score: 2, Interesting

    I spent most of yesterday rebuilding my Windows 2000 system at work. I did a raw copy of my Windows partitions to a second drive using dd under Linux before I started the rebuild, so I was able to preserve much of my data, but far from all of it. My Outlook .pst file is the most painful loss so far, and who knows what else I'll find damaged beyond repair before I'm done.

    Once upon a time I would be furious about this. Nowadays I've come to expect it. It seems we live in a world where sociopaths are given free rein to harm others without penalty or consequence. Worms like this are concrete proof of the existence of genuine evil. What kind of a person would create something for the sole purpose of ruining other people's computers? Other people who they don't know and who have never done anything to hurt them? I'll tell you what kind, the kind I'd kill in a cold second. I hope and pray that they find the people behind this, and that they are in a place where our law enforcement can get at them. The best thing would be just to take them out someplace and shoot them, but short of that a nice long prison sentence will suit me just fine.

    This worm has convinced me of the need to increase the steps we take in fighting people like this. The model where we work to protect our systems just doesn't work. Locking your door and windows and pulling the shades may keep an intruder out of your house most of the time, but it doesn't eliminate that intruder. It is far better to trap and kill a rabid animal than it is to simply put up barbed wire around your house. It is time that the would-be victims of these crackers went on the offensive. You wouldn't just stand there if someone was trying to beat you up. You'd fight back and if possible make sure your attacker hurt badly enough that they wouldn't be attacking anyone else anytime soon.

    Crackers are not a computer problem, they are a people problem. If computers didn't exist they would find some other way to be destructive and malicious. Crackers are no more a computer problem than carjackers are a problem with your car. The only difference is that carjackers run the risk of getting shot by their would-be victims and/or being sent to prison. Crackers essentially operate with impunity. The only way the cracker problem is going to be effectively handled is to make that change.

    If I ever find out who is behind this worm and I'm in a position to do something about it... heaven help them because it will take an act of God to save them from me.

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  59. Re: Windows Security Model Needs Fixing! by Tin+Foil+Hat · · Score: 3, Insightful

    There is no reason on Earth that this worm couldn't have attacked Linux boxen. If this worm had been tailored to attack the recent OpenSSH vulnerability the day after it came out, many of us would have been owned immediately. How many of us have an open ssh port through our NAT devices and firewalls? The scary thing about this worm is that the authors have demonstrated an ability to attack new vulnerabilities in third-party software very quickly. In the case of the OpenSSH vulnerability (a root exploit) that would have meant that very many of us Linux users would have been affected before we could do anything about it.

    --
    No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey