Slashdot Mirror


Schneier on Attack Trends: More Complex Worms

Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call: WORM_SPYBOT.ID"

5 of 189 comments

  1. Schneier by pHatidic · Score: 4, Informative

    If you haven't already read his book Beyond Fear I would highly recommend it. For those of us who don't read books, he covers a good chunk of the material in 34 minutes in this interview. Also very fascinating, I even played it for my grandparents and they both enjoyed it, and have since told me that they have seen him talking on CSPAN or something like that.

  2. Anatomy of the Web Application Worm by mrkitty · Score: 5, Informative

    For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
    http://www.cgisecurity.com/articles/worms.shtml

    --
    Believe me, if I started murdering people, there would be none of you left.
  3. Re:Dumb sysadmins by The+Jonas · Score: 3, Informative

    > How can they block the outgoing ports? This isn't the incoming ports of the IRC server (usually 6667).

    Without going into a long explanation, destination ports for outgoing connection attempts, such as port 6667, can be blocked from leaving the originating network. Even this method can be fine-tuned as to protocol/s, and so forth.

    > The worm probably uses a random outgoing port to connect to the IRC server, so I don't see how this would work without blocking other valid services.

    That random port is the port of the machine attempting the outgoing connection to a port such as 6667, to put it simply. The random outgoing port is irrelevant to blocking destination ports.

    A quick Google search returned these code examples from a Redhat firewall how-to page using iptables:

        iptables -A OUTPUT -p TCP --sport 6699 -j REJECT

    and

        iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

    I hope this helps. Here is a Google search to get you started.
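To make the destination-port point concrete, here is an added Python model (not from the thread or the how-to it quotes) of how an OUTPUT chain evaluates the two port matches against connection records, plus the defender's follow-up: hosts that keep hitting the 6667 REJECT rule are the ones worth an incident-response look. All IPs, ports and traffic below are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Conn:
    src_ip: str
    sport: int      # ephemeral port the local host picked (effectively random)
    dst_ip: str
    dport: int      # service port on the remote side; IRC is usually 6667

@dataclass(frozen=True)
class Rule:
    """One OUTPUT-chain rule reduced to the two port matches discussed above."""
    target: str                     # REJECT or DROP
    dport: Optional[int] = None     # iptables --dport
    sport: Optional[int] = None     # iptables --sport

def first_match(conn: Conn, rules: list) -> Optional[Rule]:
    """Walk the chain in order like iptables; None means the default policy."""
    for r in rules:
        if r.dport is not None and r.dport != conn.dport:
            continue
        if r.sport is not None and r.sport != conn.sport:
            continue
        return r
    return None

def blocked_by(conn: Conn, rules: list) -> bool:
    return first_match(conn, rules) is not None

def suspected_beaconers(conns: list, rules: list, threshold: int = 3) -> set:
    """Hosts that repeatedly hit the egress rule; logged REJECTs point IR at them."""
    hits = Counter(c.src_ip for c in conns if blocked_by(c, rules))
    return {ip for ip, n in hits.items() if n >= threshold}

# Constructed sample traffic: 10.0.0.7 beacons to an IRC server from three
# different ephemeral source ports; the other hosts browse the web normally.
TRAFFIC = [
    Conn("10.0.0.7", 49152, "203.0.113.9", 6667),
    Conn("10.0.0.7", 51820, "203.0.113.9", 6667),
    Conn("10.0.0.7", 60001, "203.0.113.9", 6667),
    Conn("10.0.0.12", 49200, "198.51.100.4", 443),
    Conn("10.0.0.15", 6699, "198.51.100.4", 80),   # plain web from an odd source port
]
# The rule the comment argues for: match the remote service port, ignore --sport.
DPORT_RULES = [Rule("REJECT", dport=6667)]
# The first how-to line as quoted: matches only the local source port 6699.
SPORT_RULES = [Rule("REJECT", sport=6699)]

if __name__ == "__main__":
    print("dport rule flags:", suspected_beaconers(TRAFFIC, DPORT_RULES))
    print("sport rule flags:", suspected_beaconers(TRAFFIC, SPORT_RULES))
```

Running it shows the destination-port rule catching every beacon regardless of source port, while the source-port rule misses the IRC traffic entirely and instead hits the unrelated web connection that happened to use 6699 locally.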
  4. Re:work work work... by Flendon · Score: 5, Informative

    > I would like to see a worm that goes around and patches servers for a change. It can be done.

    Welchia attempted to patch the DCOM RPC vulnerability that Blaster fed on and to remove Blaster if present. It was called the "good samaritan worm". The problem was, as the AC pointed out, the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually had the same unfriendly welcome for the same reason.

    --
    chown -R us ./base
  5. Re:work work work... by Petersson · Score: 3, Informative

    > and then sell it to spammers

    Is this the New Economics, the lost dream of IT visioneers?

    BTW this Monday my company network was badly infected with a yet unknown worm. It created about 15 registry values named 'Microsoft System Backup' to make itself start on a lot of occasions. Still can't find anything about it on the internet.

    Despite our admins, I've installed a personal firewall...

    --
    I'm not insane. My mother had me tested.