Schneier on Attack Trends: More Complex Worms
Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call: WORM_SPYBOT.ID"
We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack.
This mixed with IRC connectivity, LAN port scanning, update downloads...
Sounds like a full time job to create one. What are these people gaining anyway?
This worm will certainly fail. It doesn't even try to gain access to network shares using the 'elusive' password:
"trustno1"
My idiot former roommate was a paranoid wannabe computer geek and he cherished his "cool password that I would never get because it uses numbers too".
Dolt.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
Why are the outgoing ports for IRC not firewalled in the first place?
The whole problem is twofold. The first is stupid users. How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts? The second is privilege escalation at the binary level. System-level software with any sort of hole will allow an attacking program the ability to do whatever it wants, even if the user isn't running as root (the daemon is running at that level).
We had a guy who was constantly downloading and running every attachment he ever received. We finally set him up with an ePod terminal and some crayons and haven't had a significant virus problem since. As a bonus, we get some interesting artwork to hang in the lobby.
This goes to show the benefits of Open Source software. Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.
We can't take the drastic step of eliminating Windows on our networks because it is so entrenched, but the slow migration away from it one desktop at a time is giving us a whole new outlook on viruses.
Nice to see the industry's stock thumper is still #1 for attracting worms and looks to be still #1 in the future. Upon sighting wormsign one only need look close by for a compromised IIS box.
Hedley
To upgrade to Longhorn, so your spyware, viri, and worms are more secure and stable!
Upgrade today... Oh wait.
They make the money off selling the power of botnets.
Uh, things are going to continue the way they have been going, probably.
I found this essay most unimpressive.
Stasis is death. Embrace change.
Your time cube is stupid.
This is all I could think of when reading this.
"...we've got a KEG... of worms... and phytoplankton"
Question everything that you've accepted without thinking.
If you haven't already read his book Beyond Fear I would highly recommend it. For those of us who don't read books, he covers a good chunk of the material in 34 minutes in this interview. Also very fascinating, I even played it for my grandparents and they both enjoyed it, and have since told me that they have seen him talking on CSPAN or something like that.
For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
http://www.cgisecurity.com/articles/worms.shtml
Believe me, if I started murdering people, there would be none of you left.
It was a network intrusion like these worms create that resulted in Paris Hilton's private Sidekick data being compromised. That's how the net got a hold of her private nude photos.
$5 / month hosted VPS on linux = awesome!
Grakkar, thanks for providing 30 seconds of entertainment on a very boring Tuesday night.
New South Wales Australia has just passed a law that prevents bosses spying on email. Even big ones with attachments.
Aren't we so glad Microsoft is getting into the Anti-Virus Business.....oh wait...don't they make the OS?
What happened to fixing the OS, so an AV isn't needed?
Why do I even bother?
$sig$
What about my situation? I mean, my boss is pretty big, but I don't know if he has any attachments...
ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
... that to all intents and purposes it looks like an Operating System. It will give the user a limited amount of functionality in order to maintain its cover. Secretly it will report back to its maker about what you do on your computer and... Oh, wait a minute...
and we have microsoft to thank for all of this.
-- SKYKING, SKYKING, DO NOT ANSWER.
Wanted:
One massive botnet able to DDoS a
major corporate site. Heavy comp-
ensation available.
Email: revenge_on_corps@gmail.com
main(0)
Some comments: I haven't read Beyond Fear yet, but I have read Applied Cryptography. The San Francisco Public Library kept it in a back room and asked me to surrender my ID to look at it. I have no idea why. Maybe it's a terrorism manual.
How am I supposed to fit a pithy, relevant quote into 120 characters?
More like... nerdular nerdence!
I loved him in Jaws.
from the article: "We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks."
While mainstream web services are cringing in anticipation of becoming targets, it is quite amusing to watch what seems to be one kind of filth devouring another.
Stay sentient. Don't drink bad milk.
Get a Packeteer Packetshaper. Block all Peer-to-Peer application protocols and definitely IRC protocols. The Packetshaper works at layer 7 instead of layer 4.
...we can easily though malware into the floor have fun too.
Let's decompose and enjoy kicking worm ass.
You can hold down the "B" button for continuous firing.
1.- install windows
2.- use internet explorer to surf the internet (infecting the machine the moment you use it)
3.- A zombie is born
4.- profit!
"It's going to get worse".
Hopefully, that'll save time before you go RTFA...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I'm not a flaming liberal, but that story might be fake:
In his Navy application, Kerry made clear that he spent much of his college time on extracurricular activities, including the Yale Political Union, the Debating Association, soccer, hockey, fencing, and membership in the elite Skull and Bones Society.
Um, no. Skull and Bones is like Fight Club. The first rule of Skull and Bones is do not talk about Skull and Bones. The second rule of Skull and Bones is DO NOT TALK ABOUT SKULL AND BONES. To this day, neither Kerry nor Bush has confirmed or denied their involvement or non-involvement in the alleged secret society Skull and Bones.
The trick is to figure out if you are being monitored or not. Has that law been passed? Last I heard, it was only a proposal.
Why did they name the worm WORM SPYBOT.ID? Won't they run into copyright trouble with Spybot the Anti-Spyware company?
What if a worm was named Windows XP or Longhorn, or even Linux?
Hey, what's with the slashdot "worm" image? It's a caterpillar, not a worm. Look, it has legs!
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
First of all shouldn't most IDS systems pick up on this worm if it has been announced enough to be named and is obviously now a known exploit? I don't know if Kerio picks up on this worm, but I'd imagine they would have some sort of security update in the near future, and I'm sure it has to be in some signature databases. Secondly, what exactly does this affect? Unpatched windows systems? I'm sure anyone running a network that knows what they are doing (tm) would have clear safeguards for this kind of thing. Hell, even Kerio personal firewall will not let anything execute that I know of, and for the rare times that websites try to pass on some sort of java virus, Norton usually detects it before it hits the cache.
Secondly is there any excuse anymore other than incompetence and companies that are operating on a small budget? Someone needs to make a firewall device that the windows network can be plugged into (think small company lan /w web and e-mail) that offers relatively little configuration and just basically works right out of the box. Even my cheap ass linksys router does some basic port forwarding and such.
Oh, it needs to be cheap and update itself with new security rules (IDS, firmware, etc) on a fairly constant basis, for a relatively low fee you could have it send security logs to the manufacturing company, which could say add rules or manipulate the box. Honestly, I think a well thought out firewall running on a fairly secure NOS would go an awfully long way in protecting their assets.
I think we are going to see some clever attacks in the future. I can think of so many ways that a network could be easily compromised and a trusted connection could be made. Think of all the business travelers that head out with their Cen-f'in-trino and connect to the nearest open hotspot then proceed to log right into a VPN session. Think of company wireless hotspot spoofing and imagine sending the visitor directly to the real network with their intercepted log in. How easy would something like that be? Hell you could even throw something like that in a backpack. How would they find *that*? I don't think that many companies have realized the gaping holes that they have left in their networks. Any company that thinks FedEx is secure enough to send unencrypted tapes is likely going to have a few more surprises along the way. I predict that the future is going to get worse for a lot of companies *cough*banks*cough before it gets better.
BTW, if this post is incoherent, my apologies. It *is* rather late. And to the FBI agent who may come across this message: Go find some real criminals. The last I heard, there are still plenty of real crimes still being committed on a daily basis. Murder, rape, child exploitation, etc. Why not devote some time on the big stuff?
zosxavius photography
Change password.
Now that "your guy" has been found out, you must keenly point out that grades do not necessarily reflect one's intellect (even though you used the reverse argument on Bush).
I think you meant to comment that other article...
http://yro.slashdot.org/yro/05/06/07/233201.shtml
They turn your machine into a zombie and then sell it to spammers.
But first they have to infect it.
The easy way to avoid a zombied computer:
Pretty much use any OS other than one made by Microsoft. Since the market share for a non-Microsoft OS is so small, it isn't worth the malware author's time to attack them. A successful attack (if possible) would yield little or no damage in a collective sense.
On a Microsoft OS? More work is involved in order to stay malware free.
Go into IE and turn off ActiveX and scripting, or (religiously) use the Off By One browser or Lynx, neither of which understands ActiveX and scripting.
Treat your email and email attachments like 'text files' like I do. I only use Outlook to send email--not receive it.
Use a software firewall and antivirus. I use Agnitum's Outpost and Grisoft's AVG. I also recommend Trend Micro's Sysclean.
A great help would be to surf the internet from behind a hardware router that drops ALL incoming unsolicited connections. The other tips mentioned above should minimize the risk of system compromise from all other user initiated connections.
Not quite. While platform diversity is on many levels a good thing, it's a lot more than just a defense against transient viral/worm attacks. Microsoft rules the not-too-complex-but-works world because it's just that. You don't need to be an Otaku to get a DVD to play. Some people would be victims no matter what OS they run. I run both UNIX and Windows, I have taken precautions on both sides and have not seen any serious breaches in several years. System security is part of my routine, because I am a serious user. AOL users have been the traditional food for hackers and virii in the past but AOL has seen the logic in taking that out of the hands of an incompetent userbase.
Say what you want about Microsoft, and while much of it's true, the users are to a degree at fault as well. If I leave my keys in my car and the doors unlocked, I can't very well blame the manufacturer for it being stolen.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
I would argue that the case for platform diversity is VERY difficult to make. PARTICULARLY in corporations.
The argument goes: In nature, species survival depends on diversity to maintain some portion of the population who can survive the onslaught of some new contagion. So in computers we should mimic nature and have a heterogeneous mix of software so our computer networks can survive worm/virus contagion.
BZZZT!
Networks and corps are different to species. Computers don't multiply and diversify as a natural result of that. The only thing diversity in computers gives you is a CRAPPY understanding of your network and the risks therein. Oh and a fairly good likelihood that SOME computers in your environment are vulnerable to EVERY exploit for EVERY platform released.
Corporates or networks don't need SOME computers to survive. They need ALL to survive. Data is sacred not computers. Data is located in far flung pockets of the network. The loss of even small amounts of data can be disastrous. Telling someone "it's ok cos' some of our computers survived" will get you fired.
As far as I am concerned for corps the solution is to have a well understood build that is well protected from likely contagions and strong procedures, processes and technologies to rapidly detect and limit any outbreaks.
Computer security is about building strong immune systems and rapid inoculation to new contagions. It probably will be for a long time. Survival of the fittest does not work.
Oh, contagions in computer terms are different to the real world as well. Real world contagions are mutations. Good ones are flukes. In computing they are intelligent in that the developer is motivated, malicious and works hard to defeat your defences. They test their software against common inoculations such as Anti-virus software and ensure it is resistant to them.
Aaahhh. Rant over.
Strange game, the only way to win is not to play. - Wargames 1983
*WOPR (War Operation Planned Response) computer system A.K.A Joshua
Corporates or networks don't need SOME computers to survive. They need ALL to survive. Data is sacred not computers. Data is located in far flung pockets of the network. The loss of even small amounts of data can be disastrous. Telling someone "it's ok cos' some of our computers survived" will get you fired.
For the Apollo 13 astronauts, ground control computer failure of any sort (including system compromise by hostile users) would have been all but a guaranteed death sentence for the 3 men aboard the crippled, barely-working spaceship.
Gene Kranz was right. In mission-critical situations: Failure is *not* an option!
As for the data being 'sacred', I agree about that. Data collected, created, or processed (including the software itself as a form of 'data') is eminently more valuable than the hardware itself that contains it which can be replaced/upgraded. The same can't be said of data -- it may be irreplaceable or be too time consuming to reconstruct after experiencing catastrophic data loss.
Case in point: Before 2001-09-11, some WTC tenant's idea of off-site backup was somewhere in the 'other' tower.
Look what happened that day....
Devastating, catastrophic loss of life, property, and data.
2001-09-11 should have served as a wakeup call to the IT industry: Handle your information resources with care, your livelihood (and maybe your life) depends on it.
Go into IE and turn off ActiveX and scripting, or (religiously) use the Off By One browser or Lynx, neither of which understands ActiveX and scripting.
Treat your email and email attachments like 'text files' like I do. I only use Outlook to send email--not receive it.
Use a software firewall and antivirus. I use Agnitum's Outpost and Grisoft's AVG. I also recommend Trend Micro's Sysclean.
A great help would be to surf the internet from behind a hardware router that drops ALL incoming unsolicited connections.
Do you see how cumbersome it is to keep the Windows machine free of *ware and viruseseses?
Why bother doing all that when you could just spend 40 minutes installing one of the already user friendly enough Linux distros on the market (Linspire, Xandros, Mandrake, Suse...)???
Ubuntu is an African word meaning 'I can't configure Debian'
This article, and all articles on the same topic, can all be summarized by 'Your typical consumer Windows system is utter swiss cheese, and is and will become more utterly vulnerable to various exploitative 'software' which will take over the machine and use it for any number of nefarious purposes. If you are stupid enough to still think you *have* to be using Windows, at least have the sense to ensure that no Windows machine is ever connected directly to the Internet (only through a *separate* physical firewall/router *device* which performs NAT and does not permit connections initiated inbound from the Internet to even reach the Windows machine's NIC - software firewalls aren't, don't, and can't), and that you immediately deinstall/deactivate MSIE and MSOE, and substitute less swiss-cheesy applications if you need the corresponding function. If you persist in using Windows on a directly connected Internet machine, then anyone who isn't a complete moron will label you as one'.
There. No further articles concerning Windows trojans/viruses/exploits are required. If attention is called to some new "news" regarding this, just refer to this summary.
Oh yeah, and that worm icon - come on, timothy, it's a caterpillar, surely.
When I am king, you will be first against the wall.
I spend my spare time making a virus/worm removal tool for viruses and worms that affect AOL Instant Messenger, and I definitely agree, they've gotten a LOT more sophisticated. I'm no antivirus expert, I've just been working with this particular area of viruses since 2003, so I've seen them progress over time. It used to be a simple executable in the root of the drive, or in the system directory, and a "Run" entry in the registry.
Now these things screw with the shell setting for Windows, add themselves to the win.ini and system.ini registry entries and run themselves as services, drivers, etc. Even more annoying, they're copying the names of real windows files now, but dropping into different directories - like find.exe but in the Windows directory instead of System32. They create multiple copies of executables that run from every autorun entry they can find, and recreate each other. They communicate with IRC, they steal passwords and usernames to AIM accounts, and in at least a few cases I've found WinPCap and other sniffing or trojan tools installed as well.
For many months, updating the AIM virus removal tool I maintain was a matter of a few seconds of updates. Then one weekend it turned into several hours of creating new functions and sections of code to handle all these new variants.
The best I can figure, it's script kiddies or zombie botnet operators just running canned and packaged code, because after the first variant appears, a hundred more follow within a few weeks, using the same techniques or filenames. Generally, the purpose of these worms tends to be to download and install spyware - bringing in income through referral programs - and then leave the system open as part of a botnet.
Lately, these techniques are being combined with common exploits on vulnerable websites, especially ones with some of the recent PHP vulnerabilities. Again, it's like botnet-in-a-can: grab some scripts and some code, change a few filenames or URLs, and let 'er rip. It's certainly not getting any easier to put in the time to update the removal tool, that's for sure.
-Jay
http://jayloden.com/aimfix.htm
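The persistence tricks Jay describes (a real Windows file name dropped into the wrong directory, shell=/run=/load= hooks in system.ini and win.ini, and autorun entries pointing at the copies) can be checked mechanically. This is an added example, not code from the AIM removal tool or from the original post; the expected binary locations and all sample data are constructed assumptions.

```python
import ntpath

# Stock home directory for a few well-known Windows binaries (assumption: a
# default XP-era install under C:\Windows). Extend as needed.
EXPECTED_DIR = {
    "find.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def misplaced_system_binaries(paths):
    """Return every path whose file name is a known system binary but whose
    directory is not that binary's home (the find.exe-in-C:\\Windows trick)."""
    hits = []
    for p in paths:
        directory, name = ntpath.split(p.lower())
        home = EXPECTED_DIR.get(name)
        if home is not None and directory != home:
            hits.append(p)
    return hits


def legacy_ini_hooks(ini_text):
    """Flag system.ini/win.ini lines a worm can abuse: a shell= value that is
    not plain explorer.exe (extra programs appended to it get launched too),
    or a non-empty run=/load= line."""
    findings = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "shell" and value.lower() != "explorer.exe":
            findings.append(("shell hijack", value))
        elif key in ("run", "load") and value:
            findings.append((f"{key}= autostart", value))
    return findings


def autoruns_pointing_at(autoruns, paths):
    """Registry Run-style entries (name -> command line) whose executable is
    one of the misplaced copies found above."""
    misplaced = {p.lower() for p in misplaced_system_binaries(paths)}
    flagged = {}
    for name, command in autoruns.items():
        command = command.strip()
        exe = command.split('"')[1] if command.startswith('"') else command.split()[0]
        if exe.lower() in misplaced:
            flagged[name] = command
    return flagged


# Constructed sample data standing in for a file listing, the two INI files
# and the Run key of an infected machine.
SAMPLE_PATHS = [
    r"C:\Windows\System32\find.exe",   # legitimate
    r"C:\Windows\find.exe",            # worm copy in the wrong directory
    r"C:\Windows\svchost.exe",         # same trick with svchost.exe
    r"C:\Windows\explorer.exe",        # legitimate
]
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\Windows\\find.exe\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\svchost.exe\n"
SAMPLE_AUTORUNS = {
    "Windows Find": r"C:\Windows\find.exe",
    "NvCpl": r"C:\Windows\System32\rundll32.exe nvcpl.dll",
}

if __name__ == "__main__":
    print(misplaced_system_binaries(SAMPLE_PATHS))
    print(legacy_ini_hooks(SAMPLE_SYSTEM_INI + SAMPLE_WIN_INI))
    print(autoruns_pointing_at(SAMPLE_AUTORUNS, SAMPLE_PATHS))
```

On a real machine the path list would come from walking %SystemRoot%, and the autorun map from the HKLM/HKCU Run keys; the checks themselves do not change.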
Write comments about the boss's attachments. Then see if there is any reaction. If so, then you know your e-mail is being monitored.
The price of freedom is eternal litigation.
Thieves cherry-pick the most valuable books from libraries and sell them on eBay & Amazon. That's why libraries are increasingly going to the Internet and moving away from paper media.
I've tried searching for this answer before but I haven't seen a conclusive answer. It seems to me that the ingredients are there: reproduction, and perhaps mutation from network errors, data corruption, etc?
And a follow-up question is if not now, then will viruses evolve in the future when they get more complex?
These papers are the closest thing to an answer I've found but still not conclusive to me:
http://www.pcvirus.org/links
You could also use a non-Microsoft, niche product like the ISS personal firewall to help protect yourself if you must use Windows.
And then you can get nailed with something like Witty.
There were only about 12,000 Black Ice systems out there. There are over 10 million OS X systems deployed in the world, and no telling how many others (Linux, *BSD, etc.). Each is probably a big enough "niche" to get attention when the opportunity arises (which will happen sooner or later).
There is really no longer anywhere safe to hide.
/jonathan
Why bother doing all that when you could just spend 40 minutes installing one of the already user friendly enough Linux distros on the market
I'll repeat this again. The same people who confound desktop support on Windows, easily the single easiest to use desktop OS ever made, are the yardstick by which you judge "user friendly". People who can't install and run AOL 9.0 are the yardstick. Your mother who can't make the VCR stop flashing 12:00 is the yardstick. NOT GEEKS WHO THINK IN SHORTHAND AND BINARY.
Can we please stop this nonsense about using "user friendly" and "Linux" in the same sentence already? The only people who believe it are defining user==technowizard. If you don't believe me, then try moving a user from Windows XP Home to DOS 6.22 and Windows 3.11 and then support them for a month. If they can't make DOS work right then they aren't going to work Linux right either. Simple as that. It was funny at first, a veritable lolacaust, but it's getting tired and inane now.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Worms will get more complicated!
[sarcasm]I never would have guessed because up until now they have been getting simpler and simpler![/sarcasm]
If there's anyone here who didn't know worms have been getting more complicated since they were first invented, then you have no right to call yourself a computer geek.
The failure option will be available in the next release as a standard feature.
Show me on the doll where his noodly appendage touched you.
There was a FUD article on one of the PHB-style IT news sites a year or two ago. This article said that new, more complex worms, were emerging, and that these worms could target systems across any processor architecture, any operating system, and with any software running therein, and that the worm could morph itself to get from one system to the next. What a bunch of hogwash. You would need a program that has the ability to search for and take advantages of vulnerabilities unknown at the time of writing (which, in itself, is a task for a very skilled human and outside the realm of computer software), and this program would need to be able to translate itself from one processor architecture instruction set to another as it moves from system to system. Even if it could be done, no 1337 h4x0rz is going to do it, because that much time and effort could be used more wisely. Most worms are written in a matter of hours, not based on years of research into the unknown.
-AT
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
Neither the ID4 Aliens nor the ones from 3001: A Space Odyssey stand a chance.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Two months later, ISS closed the Mountain View office--formerly independent company Network ICE, the original developer of BlackICE--and laid off the entire staff. At the time, I didn't connect the dots; we had "Level Zero" alerts on a weekly basis, usually requiring me to work through the night, and I didn't realize the seriousness of Witty in particular.
Based on that article, I'm guessing Witty was a major factor in ISS shutting down the RealSecure Desktop (BlackICE) team. Never mind that iss-pam1.dll was developed by X-Force and foisted upon us, and was the actual source of the vulnerability.
Vista:XPSP2::ME:98SE