Schneier on Attack Trends: More Complex Worms
Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call WORM_SPYBOT.ID."
If you haven't already read his book Beyond Fear I would highly recommend it. For those of us who don't read books, he covers a good chunk of the material in 34 minutes in this interview. Also very fascinating, I even played it for my grandparents and they both enjoyed it, and have since told me that they have seen him talking on CSPAN or something like that.
For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
http://www.cgisecurity.com/articles/worms.shtml
Believe me, if I started murdering people, there would be none of you left.
New South Wales Australia has just passed a law that prevents bosses spying on email. Even big ones with attachments.
Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.
While I agree that open source is good stuff, your logic is retarded. You basically state that if the vulnerability is known by the attacker and not security companies that there is nothing to worry about. What you meant to say is that there are enough freelance coders out there that check the code and are responsible enough to report exploits to the proper distribution channels.
Without going into a long explanation, destination ports for outgoing connection attempts, such as port 6667, can be blocked from leaving the originating network. Even this method can be fine-tuned as to protocol/s, and so forth.
The worm probably uses a random outgoing port to connect to the IRC server, so I don't see how this would work without blocking other valid services.
That random port is the port of the machine attempting the outgoing connection to a port such as 6667, to put it simply. The random outgoing port is irrelevant to blocking destination ports.
A quick Google search returned these code examples from a Redhat firewall how-to page using iptables:
and
I hope this helps. Here is a Google search to get you started.
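The point made above (the rule matches the destination port; the client's random source port never enters into it) is easy to see in what the gateway actually logs. The following is an added example, not code from the thread or from the Red Hat how-to it mentions: it parses constructed netfilter LOG lines of the kind a `-j LOG` rule writes to the kernel log, applies the same decision the DROP rule makes, and counts which internal hosts keep retrying. The interface names (eth1 inside, eth0 outside), the log prefix and all addresses are assumptions made for the sample.

```python
import re
from collections import Counter

# The gateway rules assumed for this sample (standard iptables syntax; interface
# names and prefix are assumptions). Note that only the DESTINATION port is matched:
#   iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 6665:6669 \
#            -j LOG --log-prefix "EGRESS-IRC "
#   iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 6665:6669 -j DROP

# Constructed log lines in the netfilter LOG target format (addresses are
# documentation-range placeholders). SPT is the client's random ephemeral port.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: EGRESS-IRC IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: EGRESS-IRC IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=51235 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:07 gw kernel: EGRESS-IRC IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=40022 DPT=6669 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")

# Default IRC port range; the same range the DROP rule above covers.
IRC_PORTS = frozenset(range(6665, 6670))


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict.
    Numeric fields of interest are converted to int; flags such as DF/SYN are ignored."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def is_blocked_egress(pkt, blocked_dports=IRC_PORTS):
    """Mirror the firewall decision: protocol plus destination port decide.
    The source port (SPT) is deliberately not consulted, which is why a client
    choosing a random local port makes no difference to the rule."""
    return pkt.get("PROTO") == "TCP" and pkt.get("DPT") in blocked_dports


def infected_candidates(log_text):
    """Count dropped IRC connection attempts per internal source address.
    A host that keeps retrying outbound IRC is the one to pull off the network."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_netfilter_line(line)
        if is_blocked_egress(pkt):
            counts[pkt["SRC"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, n in sorted(infected_candidates(SAMPLE_LOG).items()):
        print(f"{host}: {n} blocked outbound IRC attempt(s)")
```

Run against a real `/var/log/kern.log` the same parser works unchanged, because the LOG target always emits the `KEY=VALUE` layout; only the prefix and interface names would need to match your own rules.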
In Soviet Russia the insensitive clod is YOU!
I would like to see a worm that goes around and patches servers for a change. It can be done.
Welchia attempted to patch the DCOM RPC vulnerability that Blaster fed on and to remove Blaster if present. It was called the "good samaritan worm". The problem was, as the AC pointed out, the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually had the same unfriendly welcome for the same reason.
chown -R us
Is this the New Economics, the lost dream of IT visioneers?
BTW this Monday my company network was badly infected with a yet-unknown worm. It created about 15 registry values named 'Microsoft System Backup' to make itself start on a lot of occasions. Still can't find anything about it on the internet.
Despite our admins, I've installed personal firewall...
I'm not insane. My mother had me tested.
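The symptom described in that post, one value name repeated across many autostart locations, is something you can check for offline from a registry export. The following is an added example written for this thread, not code from the poster or from any vendor: it parses a constructed `.reg` export (the text format `regedit` and `reg export` produce), looks only at the well-known Run, RunOnce and RunServices keys, and reports any value name that appears in two or more of them. The executable path in the sample is a made-up placeholder, and the choice of keys is an assumption about where such a worm would register itself.

```python
import re
from collections import defaultdict

# Well-known autostart keys (real key paths). Matching is case-insensitive because
# exports differ in the capitalisation of "Software".
AUTOSTART_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Constructed .reg export. The worm's path is a placeholder; "ExampleUpdater" stands
# in for a legitimate program that is registered in exactly one place.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Backup"="C:\\WINDOWS\\system32\\PLACEHOLDER-worm.exe"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft System Backup"="C:\\WINDOWS\\system32\\PLACEHOLDER-worm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Backup"="C:\\WINDOWS\\system32\\PLACEHOLDER-worm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Backup"="C:\\WINDOWS\\system32\\PLACEHOLDER-worm.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data, where name may contain escaped quotes/backslashes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape_reg_string(data):
    """Strip the surrounding quotes of a REG_SZ literal and undo .reg escaping
    (\\ -> \ and \" -> "). Non-string data (dword:, hex:) is returned untouched."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export."""
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            tree[current][name] = unescape_reg_string(m.group(2))
    return tree


def repeated_autoruns(tree, min_locations=2):
    """Value names that appear under at least min_locations autostart keys,
    mapped to the list of keys they were found in."""
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    where = defaultdict(list)
    for key, values in tree.items():
        if key.lower() in wanted:
            for name in values:
                where[name].append(key)
    return {name: keys for name, keys in where.items() if len(keys) >= min_locations}


if __name__ == "__main__":
    for name, keys in repeated_autoruns(parse_reg_export(SAMPLE_REG)).items():
        print(f"{name!r} registered in {len(keys)} autostart locations:")
        for k in keys:
            print("   ", k)
```

A single autorun entry with a plausible-sounding name proves nothing on its own; the same name planted in several Run-type keys at once is the pattern worth investigating, and the data strings returned by the parser give you the path to hash and check.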
Yup, that's what my Fortune 100 company does. Only three egresses, and all of them have a username and password so viruses can't get out unless they keylog or ethersniff. It's actually quite a huge PITA for normal users.
That's what we do here. In fact, we don't actually route anything onto the Internet, and our internal DNS servers do not resolve names outside of our network.
The only outside access is via a web proxy.
But unless you have a very restrictive 'deny,allow' rule set (which we don't, because it simply wouldn't fly here), a worm can simply look up your proxy settings and use the web proxy instead. Or it can use port 443, and use HTTP CONNECT with the proxy to a remote system listening on port 443, then encrypt the traffic. To the proxy, it'll look like normal HTTPS traffic in transit. (This is the way we get SSH access to outside systems, despite not having any routing to the Internet - our SSH client uses the proxy, and connects to a remote SSH server that is set to listen on 443).
Oolite: Elite-like game. For Mac, Linux and Windows
They turn your machine into a zombie and then sell it to spammers.
But first they have to infect it.
The easy way to avoid a zombied computer:
Pretty much use any OS other than one made by Microsoft. Since the market share for a non-Microsoft OS is so small, it isn't worth the malware author's time to attack them. A successful attack (if possible) would yield little or no damage in a collective sense.
On a Microsoft OS? More work is involved in order to stay malware free.
Go into IE and turn off ActiveX and scripting, or (religiously) use the Off By One browser or Lynx, neither of which understands ActiveX or scripting.
Treat your email and email attachments like 'text files' like I do. I only use Outlook to send email--not receive it.
Use a software firewall and antivirus. I use Agnitum's Outpost and Grisoft's AVG. I also recommended Trend Micro's Sysclean.
A great help would be to surf the internet from behind a hardware router that drops ALL incoming unsolicited connections. The other tips mentioned above should minimize the risk of system compromise from all other user initiated connections.
Right, and what will happen with people running services that are blocked? That's right, they'll just start using the "magical" port 80 that lets people connect to it.
This actually makes it easier to detect the "rogue apps" trying to exit the corporate network. If everyone tries to use port 80, then I have to redirect only port 80 with WCCP. I run the port 80 traffic through various Layer 7 scrubbing appliances to pick off the stuff that we don't want to leave our network.
It's like shooting fish in a very small barrel.
I like the SSH work-around to connect to the proxy that is your egress from the corporate network. Very elegant.
You mentioned worms that encrypt their traffic. This traffic would be difficult to detect and block using Layer 7-aware appliances.
There is a similar trick to your SSH-workaround to get the Citrix client to work over port 80. Part of Citrix (nfuse?) can use port 80 and the traffic *looks* like HTTP. But it's really not HTTP and a proxy can break the Citrix connection. The solution is to tell Citrix to use a "secure" connection so that it sends the "HTTP CONNECT" command to the proxy. Then the proxy doesn't monkey with the Citrix traffic passing through. It's an ugly work-around but is needed because of the HTTP proxies at our perimeter. (You also need to tell your HTTP proxy that port 80 is okay for HTTPS traffic so that it will accept the HTTP CONNECT command on port 80).
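Both the SSH-over-CONNECT trick described earlier in the thread and the Citrix CONNECT-on-port-80 work-around just described leave the same trace: the proxy cannot see inside the tunnel, but it does log that a tunnel was opened, to which host and port, and for how long. The following is an added example, not code from any of the posters or from Squid: it parses constructed Squid-format access.log lines and flags CONNECT tunnels that go to a port outside the allow-list, that use port 80 (where the proxy would otherwise be inspecting), or that stay open unusually long, which is what an interactive session tunnelled through port 443 tends to look like. The allow-list of 443 and 80 mirrors the perimeter setup the previous post describes; the thresholds and all hosts and addresses are assumptions.

```python
from collections import namedtuple

# Constructed Squid native-format access.log lines:
#   timestamp elapsed-ms client action/status bytes method URL ident hierarchy/peer type
# Hosts and addresses are documentation-range placeholders.
SAMPLE_ACCESS_LOG = """\
1109845201.123     312 10.0.0.23 TCP_TUNNEL/200 54211 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.5 -
1109845260.500 3605000 10.0.0.23 TCP_TUNNEL/200 9120 CONNECT 203.0.113.10:443 - HIER_DIRECT/203.0.113.10 -
1109845300.001    1200 10.0.0.41 TCP_TUNNEL/200 7300 CONNECT citrix.corp.example:80 - HIER_DIRECT/198.51.100.7 -
1109845310.010     200 10.0.0.55 TCP_TUNNEL/200 100 CONNECT 198.51.100.9:6667 - HIER_DIRECT/198.51.100.9 -
1109845320.000     150 10.0.0.55 TCP_MISS/200 4312 GET http://www.example.com/ - HIER_DIRECT/203.0.113.5 text/html
"""

Entry = namedtuple("Entry", "ts elapsed_ms client status nbytes method url")


def parse_squid_line(line):
    """Split one native-format line into the fields the review needs."""
    f = line.split()
    return Entry(float(f[0]), int(f[1]), f[2], f[3], int(f[4]), f[5], f[6])


def connect_target(url):
    """A CONNECT request carries 'host:port' instead of a full URL."""
    host, _, port = url.rpartition(":")
    return host, int(port)


def review_connect_tunnels(log_text, allowed_ports=frozenset({443, 80}),
                           long_tunnel_ms=30 * 60 * 1000):
    """Return one finding per CONNECT entry that deserves a look, with reason codes:
      connect-port-not-allowed  tunnel to a port the proxy should not be relaying
      connect-on-port-80        tunnel on the port normally subject to HTTP inspection
      long-lived-tunnel         open longer than long_tunnel_ms (interactive session?)
    Plain GET/POST traffic is ignored; the proxy already inspects that."""
    findings = []
    for line in log_text.splitlines():
        e = parse_squid_line(line)
        if e.method != "CONNECT":
            continue
        _host, port = connect_target(e.url)
        reasons = []
        if port not in allowed_ports:
            reasons.append("connect-port-not-allowed")
        if port == 80:
            reasons.append("connect-on-port-80")
        if e.elapsed_ms >= long_tunnel_ms:
            reasons.append("long-lived-tunnel")
        if reasons:
            findings.append({"client": e.client, "dest": e.url,
                             "elapsed_ms": e.elapsed_ms, "bytes": e.nbytes,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_connect_tunnels(SAMPLE_ACCESS_LOG):
        print(f"{f['client']} -> {f['dest']} ({f['elapsed_ms']} ms, {f['bytes']} bytes): "
              + ", ".join(f["reasons"]))
```

The Layer 7 appliances mentioned above see nothing useful inside a CONNECT tunnel, so the proxy log is where the evidence ends up; a known Citrix gateway on port 80 can be allow-listed by name, which leaves the unexpected hour-long tunnel to an unfamiliar address as the entry worth chasing.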