Slashdot Mirror
Schneier on Attack Trends: More Complex Worms
Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on
expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing
W32.spybot.KEG
worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC.
Trend Micro also has information on a scanning-capable version of this worm, which they call: WORM_SPYBOT.ID"
No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.
Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?
Can one then conclude that because the common wisdom seems to favor a uniform system, this is those people's just deserts?
Some comments: I haven't read Beyond Fear yet, but I have read Applied Cryptography. The San Francisco Public Library kept it in a back room and asked me to surrender my ID to look at it. I have no idea why. Maybe it's a terrorism manual.
How am I supposed to fit a pithy, relevant quote into 120 characters?
Excellent point. However, in practice it can be a tricky balance. For example, a company that runs AIX on the Power architecture is less likely to be vulnerable to the buffer overflow exploit of the week than say Linux on Intel.
The trade off becomes "patch early, and patch often" versus "maintain an expensive development/build environment for a relatively obscure platform that sucks to build software on." As a person who has witnessed this phenomenon first hand and has felt the full pain of building all the standard OSS on AIX, I can tell you that Linux/Intel starts looking pretty good at times.
As always, it's never black and white. Platform diversity == good. Too much platform diversity == major pain in the ass.
-Peter
. Penguins Surely Ca
I spend my spare time making a virus/worm removal tool for viruses and worms that affect AOL Instant Messenger, and I definitely agree, they've gotten a LOT more sophisticated. I'm no antivirus expert, I've just been working with this particular area of viruses since 2003, so I've seen them progress over time. It used to be a simple executable in the root of the drive, or in the system directory, and a "Run" entry in the registry.
Now these things screw with the shell setting for Windows, add themselves to the win.ini and system.ini registry entries and run themselves as services, drivers, etc. Even more annoying, they're copying the names of real windows files now, but dropping into different directories - like find.exe but in the Windows directory instead of System32. They create multiple copies of executables that run from every autorun entry they can find, and recreate each other. They communicate with IRC, they steal passwords and usernames to AIM accounts, and in at least a few cases I've found WinPCap and other sniffing or trojan tools installed as well.
For many months, updating the AIM virus removal tool I maintain was a matter of a few seconds of updates. Then one weekend it turned into several hours of creating new functions and sections of code to handle all these new variants.
The best I can figure, it's script kiddies or zombie botnet operators just running canned and packaged code, because after the first variant appears, a hundred more follow within a few weeks, using the same techniques or filenames. Generally, the purpose of these worms tends to be to download and install spyware - bringing in income through referral programs - and then leave the system open as part of a botnet.
Lately, these techniques are being combined with common exploits on vulnerable websites, especially ones with some of the recent PHP vulnerabilities. Again, it's like botnet-in-a-can, grab some scripts and some code, change a few filenames or urls, and let 'er rip. It's certainly not getting any easier to put in the time to update the removal tool, that's for sure.
-Jay
http://jayloden.com/aimfix.htm