Slashdot Mirror


Schneier on Attack Trends: More Complex Worms

Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call: WORM_SPYBOT.ID"

56 of 189 comments

  1. work work work... by rd4tech · · Score: 5, Insightful

    We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack.
    This mixed with IRC connectivity, LAN port scanning, update downloads...
    Sounds like a full time job to create one. What are these people gaining anyway?

    1. Re:work work work... by satanami69 · · Score: 5, Insightful

      They turn your machine into a zombie and then sell it to spammers.

      --
      I really hate Dan Patrick.
    2. Re:work work work... by pschmied · · Score: 5, Insightful
      What are these people gaining, anyway?


      Automated access to large numbers of systems inside big corporations and government, where they collect passwords, account names, scan for vulnerabilities and gather information from PC disk drives for evaluation and sale (corporate espionage). Use of thousands of home systems for spambots and DDoS attack fleets. It's all about organized crime and money to be made these days.



      No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

    3. Re:work work work... by songofthephoenix · · Score: 3, Interesting
      "What are these people gaining anyway?"

      Depends on who "these people" are.

      Anti viral company: Creating a greater need for their product.

      Support desk: More support calls to them.

      Someone with a grudge against a particular o.s: They can say that their o.s isn't as vulnerable.

      Script kiddie: They do it for their ego after watching hackers and getting all hot and sweaty at the sight of The Da Vinci Code

      Admin: Do it to get the Product Manager to allow upgrades on their networks and more staff and $$$

      I would like to see a worm that goes around and patches servers for a change. It can be done.

    4. Re:work work work... by mek2600 · · Score: 3, Funny

      What are these people gaining anyway?

      Chicks.

    5. Re:work work work... by Anonymous Coward · · Score: 2, Funny

      Bigger e-penis.

    6. Re:work work work... by bersl2 · · Score: 4, Interesting

      No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

      Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?

      Can one then conclude that because the common wisdom seems to favor a uniform system, this is those people's just deserts?

    7. Re:work work work... by pschmied · · Score: 4, Interesting
      Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?


      Excellent point. However, in practice it can be a tricky balance. For example, a company that runs AIX on the Power architecture is less likely to be vulnerable to the buffer overflow exploit of the week than say Linux on Intel.

      The trade off becomes "patch early, and patch often" versus "maintain an expensive development/build environment for a relatively obscure platform that sucks to build software on." As a person who has witnessed this phenomenon first hand and has felt the full pain of building all the standard OSS on AIX, I can tell you that Linux/Intel starts looking pretty good at times.

      As always, it's never black and white. Platform diversity == good. Too much platform diversity == major pain in the ass.

      -Peter
    8. Re:work work work... by killjoe · · Score: 2, Interesting

      It's valuable to somebody. In any collection of documents you harvest from a company there will be mentions of their major competitors and to those people any and all information about the competition is valuable. If I offered a company details about their competition you can bet your ass they would pay me lots of money and would not even blink at buying it.

      --
      evil is as evil does
    9. Re:work work work... by bersl2 · · Score: 2, Interesting

      Sure, at the single network level, moderation is good. I also meant at the level of the entire Internet, diversity is good.

      Everyone makes the "Oh, but if enough of us switch, then they'll start attacking [name of OS] too!" and commercial developers don't want to write cross-platform because it's not profitable.

      I propose that this offloads much of the cost onto the user setups, who pay in lost productivity, lost or stolen data, and sometimes directly financially, because they represent a large target. I argue that if there is enough of this happening that "complex" malware is being written, increasing the damage done, then perhaps the hidden costs equal or exceed those of developers' time and salary to make software work on diverse systems, something that could be recouped by raising prices slightly across the board.

      It's the same supporting argument as for diversity in biological systems, except that in this case, the selection is more effective than random.

    10. Re:work work work... by Flendon · · Score: 5, Informative

      I would like to see a worm that goes around and patches servers for a change. It can be done.

      Welchia attempted to patch the DCOM RPC vulnerability that Blaster fed on and remove Blaster if present. It was called the "good samaritan worm". The problem was, as the AC pointed out, the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually had the same unfriendly welcome for the same reason.

      --
      chown -R us ./base
    11. Re:work work work... by Petersson · · Score: 3, Informative
      and then sell it to spammers

      Is this the New Economics, the lost dream of IT visioneers?

      BTW this Monday my company network was badly infected with an as yet unknown worm. It created about 15 registry values named 'Microsoft System Backup' to make itself start on a lot of occasions. Still can't find anything about it on the internet.

      Despite our admins, I've installed a personal firewall...

      --
      I'm not insane. My mother had me tested.
    12. Re:work work work... by cassidyc · · Score: 2, Interesting

      And this "Something" would be what exactly?? Some mythical piece of software that has not and could never be created.

      The only way to ensure that a PC never propagates anything is to never turn the damn thing on.

      CJC

    13. Re:work work work... by Various+Assortments · · Score: 2, Funny

      You're so silly. What are you gonna do when your mom lets you leave the house?

    14. Re:work work work... by binner1 · · Score: 4, Funny

      The fact that you were able to install a personal firewall on your machine indicates to me that it may be quite a while before your admins figure out what nailed them...

      -Ben

    15. Re:work work work... by glwtta · · Score: 2, Funny
      What are these people gaining anyway?

      About 9 pounds a week, on their staple diet of Cheetos and Mountain Dew?

      --
      sic transit gloria mundi
  2. Modern viruses attack from 2 directions by Dancin_Santa · · Score: 5, Insightful

    The whole problem is twofold. The first is stupid users. How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts? The second is privilege escalation at the binary level. System-level software with any sort of hole will allow an attacking program to do whatever it wants, even if the user isn't running as root (the daemon is running at that level).

    We had a guy who was constantly downloading and running every attachment he ever received. We finally set him up with an ePod terminal and some crayons and haven't had a significant virus problem since. As a bonus, we get some interesting artwork to hang in the lobby.

    This goes to show the benefits of Open Source software. Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

    We can't take the drastic step of eliminating Windows on our networks because it is so entrenched, but the slow migration away from it one desktop at a time is giving us a whole new outlook on viruses.

    1. Re:Modern viruses attack from 2 directions by Indy+Media+Watch · · Score: 5, Funny

      The first is stupid users.

      Sorry BOFH wannabe, they're not stupid users, they're just users.

      If they aren't doing what you would like, you obviously have a training deficiency which might be your fault, not theirs.

      How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts?

      By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple.

      --

      Indy Media Watch-Proctologist of the Internet

    2. Re:Modern viruses attack from 2 directions by pschmied · · Score: 4, Insightful
      The whole problem is twofold. The first is stupid users... The second is privilege escalation at the binary level.


      Human stupidity is greatly amplified by weak architectures. If one lucky user gets a malicious email and executes the attachment (after unlocking the password protected zip and clicking on "Natalie_Portman_Naked.zip") that's bad enough. But cleaning up dozens or hundreds of PC systems clobbered by the resulting worm infestation is catastrophic. The industry is only starting to realize that we need better tools to fix stupid.



      -Peter



    3. Re:Modern viruses attack from 2 directions by Coolpup · · Score: 2, Informative

      Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

      While I agree that open source is good stuff, your logic is retarded. You basically state that if the vulnerability is known by the attacker and not security companies that there is nothing to worry about. What you meant to say is that there are enough freelance coders out there that check the code and are responsible enough to report exploits to the proper distribution channels.

    4. Re:Modern viruses attack from 2 directions by killjoe · · Score: 4, Funny

      "By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple."

      I don't know where I heard this but...

      "You can never make anything idiot proof because idiots are so damned ingenious"

      --
      evil is as evil does
    5. Re:Modern viruses attack from 2 directions by Shawn+Parr · · Score: 3, Insightful
      How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts?
      This really isn't that hard. I run 8 university computer labs, and in the last 2 years I have had 1 machine get infected. That machine was in a faculty member's office, and he had formatted it and reinstalled windows in order to undo my lockdown.

      Between good imaging tools (ghost, etc.), setting policies, using industry lock down tools (deep freeze, driveshield, etc.), and creative use of license management software along with partitioning schemes and well set up network drive management, keeping users under control is not too much of a challenge.

      My departments are all underfunded to boot, and we can still pull this stuff off. We have the added detriment of using some software (Discreet products mostly) that require admin access by all users, or they just don't work.

      We even have a set of machines running XP that we don't use driveshield on so that we can experiment with configurations. Number of worms/viruses: 0. Spyware, well more than 0, but not much considering that 18-20 year olds use them every day.

      The first step is deploying infrastructure that is appropriate. When I first started working on our campus, one of my departments wanted to set up a Win2003 server. I finally convinced them that deploying a Mac OS X server was better. And for our needs it certainly is. We also use a number of Linux machines to get other background work done (interestingly enough to make Windows network browsing actually work across subnets).

      I by no means am a Microsoft fan. The more I work with their products, the more they annoy me. But even I concede that you can lock them down in a business/educational setting very well if you do the research and take the time.

  3. IIS == Thumper by hedley · · Score: 4, Funny

    Nice to see the industry's stock thumper is still #1 for attracting worms and looks to be still #1 in the future. Upon sighting wormsign one only need look close by for a compromised IIS box.

    Hedley

  4. TFA in a nutshell by SleepyHappyDoc · · Score: 2, Funny

    Uh, things are going to continue the way they have been going, probably.

    I found this essay most unimpressive.

    --
    Stasis is death. Embrace change.
  5. Lures and jigs by UnAmericanPunk · · Score: 3, Funny

    This is all I could think of when reading this.

    "...we've got a KEG... of worms... and phytoplankton"

    --
    Question everything that you've accepted without thinking.
  6. Schneier by pHatidic · · Score: 4, Informative

    If you haven't already read his book Beyond Fear I would highly recommend it. For those of us who don't read books, he covers a good chunk of the material in 34 minutes in this interview. Also very fascinating, I even played it for my grandparents and they both enjoyed it, and have since told me that they have seen him talking on CSPAN or something like that.

  7. Now if we could only... by Anonymous Coward · · Score: 5, Funny
    "Bruce Schneier has posted an interesting entry on expected attack trends to his blog."

    ...develop a worm that attacks trendy blogs.

  8. Anatomy of the Web Application Worm by mrkitty · · Score: 5, Informative

    For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
    http://www.cgisecurity.com/articles/worms.shtml

    --
    Believe me, if I started murdering people, there would be none of you left.
  9. that would be illegal in New South Wales Australia by Amakiell · · Score: 2, Informative

    New South Wales Australia has just passed a law that prevents bosses spying on email. Even big ones with attachments.

  10. Re:Dumb sysadmins by pschmied · · Score: 2, Insightful

    Worms typically don't use the "standard" IRC ports. Most organizations don't have tough egress filtering in place, but folks should start considering, "block all outbound ports except port 80". Even so, it's still possible for nasty traffic to go out on port 80, then, isn't it?

    -Peter

  11. Are We Glad.... by Ecko7889 · · Score: 3, Insightful

    Aren't we so glad Microsoft is getting into the Anti-Virus Business.....oh wait...don't they make the OS?

    What happened to fixing the OS, so an AV isn't needed?

    Why do I even bother?

    --
    $sig$
  12. One day there'll be a worm so complex by salparadyse · · Score: 5, Funny

    ... that to all intents and purposes it looks like an Operating System. It will give the user a limited amount of functionality in order to maintain its cover. Secretly it will report back to its maker about what you do on your computer and... Oh, wait a minute...

  13. Schneier and the SF Public Library by IO+ERROR · · Score: 4, Interesting
    Bruce Schneier is my hero. His blog has been in my feed reader for quite a while.

    Some comments: I haven't read Beyond Fear yet, but I have read Applied Cryptography. The San Francisco Public Library kept it in a back room and asked me to surrender my ID to look at it. I have no idea why. Maybe it's a terrorism manual.

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
  14. Crime that targets the shady by tloh · · Score: 4, Funny

    from the article:"We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks."

    While mainstream web services are cringing in anticipation of becoming targets, it is quite amusing to watch what seems to be one kind of filth devouring another.

    --
    Stay sentient. Don't drink bad milk.
  15. Re:Dumb sysadmins by The+Jonas · · Score: 3, Informative
    How can they block the outgoing ports? This isn't the incoming ports of the IRC server (usually 6667)

    Without going into a long explanation, destination ports for outgoing connection attempts, such as port 6667, can be blocked from leaving the originating network. Even this method can be fine-tuned as to protocol/s, and so forth.

    The worm probably uses a random outgoing port to connect to the IRC server, so I don't see how this would work without blocking other valid services.

    That random port is the port of the machine attempting the outgoing connection to a port such as 6667, to put it simply. The random outgoing port is irrelevant to blocking destination ports.

    A quick Google search returned these code examples from a Redhat firewall how-to page using iptables:
    iptables -A OUTPUT -p TCP --sport 6699 -j REJECT

    and
    iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP


    I hope this helps. Here is a Google search to get you started.
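The destination-port point made in the comment above, carried into detection logic as an added example; this is not code from the comment or from the Red Hat how-to it quotes. It assumes the egress rules log before they drop, e.g. an iptables OUTPUT or FORWARD rule with `-j LOG --log-prefix "EGRESS-DROP "` placed ahead of the DROP, and reads the resulting syslog lines. The log lines, internal addresses and the IRC port list are constructed for the example. The parser keys everything on the destination port and deliberately ignores the ephemeral source port, which is the confusion the comment clears up.

```python
import re
from collections import defaultdict

# Destination ports that IRC-controlled bots commonly use. Constructed for this
# example and deliberately small: as the thread notes, worms do not stick to
# 6667, so a port list is only a first-pass heuristic.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Fields of the netfilter LOG target's kernel message that the analysis needs.
# SPT/DPT are optional because ICMP log lines carry neither.
LOG_RE = re.compile(
    r"IN=\S* OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return the netfilter fields of one syslog line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize_egress_drops(lines, scan_threshold=10):
    """Group dropped outbound TCP attempts by internal source and flag hosts.

    Only the destination port is consulted. The ephemeral source port (SPT)
    is ignored: a random source port is irrelevant to an egress policy that
    filters on destination.

    A host is flagged "irc-port" when it tried an IRC-range destination port
    and "port-scan" when it tried at least scan_threshold distinct ports.
    """
    per_host = defaultdict(lambda: {"dst_ports": set(), "dst_hosts": set(), "irc_hits": 0})
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] is None:
            continue
        host = per_host[rec["src"]]
        host["dst_ports"].add(rec["dpt"])
        host["dst_hosts"].add(rec["dst"])
        if rec["dpt"] in IRC_PORTS:
            host["irc_hits"] += 1

    findings = {}
    for src, host in per_host.items():
        reasons = []
        if host["irc_hits"]:
            reasons.append("irc-port")
        if len(host["dst_ports"]) >= scan_threshold:
            reasons.append("port-scan")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample log, in the format the LOG target writes via syslog.
_TEMPLATE = (
    "Jun 14 10:{min:02d}:{sec:02d} gw kernel: EGRESS-DROP IN= OUT=eth0 SRC={src} DST={dst} "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID={id} DF PROTO=TCP SPT={spt} DPT={dpt} "
    "WINDOW=5840 RES=0x00 SYN URGP=0"
)
SAMPLE_LOG = [
    _TEMPLATE.format(min=2, sec=11, src="10.0.0.23", dst="198.51.100.9", id=4412, spt=49152, dpt=6667),
    _TEMPLATE.format(min=2, sec=14, src="10.0.0.23", dst="198.51.100.9", id=4413, spt=49153, dpt=6667),
    _TEMPLATE.format(min=2, sec=20, src="10.0.0.23", dst="203.0.113.77", id=4420, spt=49160, dpt=7000),
    _TEMPLATE.format(min=3, sec=1, src="10.0.0.7", dst="192.0.2.25", id=9001, spt=33001, dpt=25),
    # An ICMP drop has no ports at all and must not break the parser.
    "Jun 14 10:03:05 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=10.0.0.7 DST=192.0.2.25 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9002 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
] + [
    # One internal host probing twelve different ports on a single external box.
    _TEMPLATE.format(min=4, sec=i, src="10.0.0.40", dst="192.0.2.200", id=5000 + i, spt=40000 + i, dpt=port)
    for i, port in enumerate((21, 22, 23, 80, 135, 139, 445, 1433, 3306, 3389, 5900, 8080))
]

if __name__ == "__main__":
    for src, reasons in sorted(summarize_egress_drops(SAMPLE_LOG).items()):
        print(src, ", ".join(reasons))
```

Run against a real syslog, the host 10.0.0.23 above would be the one to pull off the network first: repeated SYNs to IRC-range ports from a desktop are the command-and-control behaviour the story describes, while the single blocked SMTP attempt from 10.0.0.7 is ordinary noise.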
  16. Re:Dumb sysadmins by sr180 · · Score: 2, Informative
    Why even have port 80 open? Just force all web traffic to go through a proxy if you want it to be secure.

    --
    In Soviet Russia the insensitive clod is YOU!
  17. Re:Dumb sysadmins by interiot · · Score: 2, Informative

    Yup, that's what my Fortune 100 company does. Only three egresses, and all of them have a username and password so viruses can't get out unless they keylog or ethersniff. It's actually quite a huge PITA for normal users.

  18. Hmm, Note to self by Anonymous Coward · · Score: 2, Funny

    Change password.

  19. Re:Dumb sysadmins by Alioth · · Score: 2, Informative

    That's what we do here. In fact, we don't actually route anything onto the Internet, and our internal DNS servers do not resolve names outside of our network.

    The only outside access is via a web proxy.

    But unless you have a very restrictive 'deny,allow' rule set (which we don't, because it simply wouldn't fly here), a worm can simply look up your proxy settings and use the web proxy instead. Or it can use port 443, and use HTTP CONNECT with the proxy to a remote system listening on port 443, then encrypt the traffic. To the proxy, it'll look like normal HTTPS traffic in transit. (This is the way we get SSH access to outside systems, despite not having any routing to the Internet - our SSH client uses the proxy, and connects to a remote SSH server that is set to listen on 443).

  20. Re:Spybot by beetlefeet · · Score: 5, Funny

    Besides they make viruses?
    What do they care about infringing on a trademark?!

    Z3r0C001: Hey what do you think about the name "I Be Malicious" for the name of our new virus?

    |<rash0v3rr|d3: Hmm, the initials of that spell I.B.M., we could be in for a lengthy legal battle.

    Z3r0C001: You're right, legalities aside, it would at least be unethical to use a name that shortens to another company's name, especially seeing as both of our products are in the computing realm.

    |<rash0v3rr|d3: Indeed, let's forget the virus and forget our troubles with a big bowl of strawberry icecream.

    Z3r0C001: w00t

  21. Re:work work work... Anti-malware tips.... by iamcf13 · · Score: 2, Informative

    They turn your machine into a zombie and then sell it to spammers.

    But first they have to infect it.

    The easy way to avoid a zombied computer:

    Pretty much use any OS other than one made by Microsoft. Since the market share for a non-Microsoft OS is so small, it isn't worth the malware author's time to attack them. A successful attack (if possible) would yield little or no damage in a collective sense.

    On a Microsoft OS? More work is involved in order to stay malware free.

    Go into IE and turn off ActiveX and scripting, or (religiously) use the Off By One browser or Lynx, neither of which understands ActiveX or scripting.

    Treat your email and email attachments like 'text files' like I do. I only use Outlook to send email--not receive it.

    Use a software firewall and antivirus. I use Agnitum's Outpost and Grisoft's AVG. I also recommended Trend Micro's Sysclean.

    A great help would be to surf the internet from behind a hardware router that drops ALL incoming unsolicited connections. The other tips mentioned above should minimize the risk of system compromise from all other user initiated connections.

  22. a successful argument for platform diversity? by infonography · · Score: 3, Insightful

    not quite, while platform diversity is in many levels a good thing, it's a lot more than just a defense against transient viral/worm attacks. Microsoft rules the not-too-complex-but-works world because it's just that. You don't need to be an Otaku to get a DVD to play. Some people would be victims no matter what OS they run. I run both UNIX and Windows, I have taken precautions on both sides and have not seen any serious breaches in several years. System security is part of my routine, because I am a serious user. AOL users have been the traditional food for hackers and virii in the past but AOL has seen the logic in taking that out of the hands of an incompetent userbase.

    Say what you want about Microsoft, and while much of it's true, the users are to a degree at fault as well. If I leave my keys in my car and the doors unlocked, I can't very well blame the manufacturer for it being stolen.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    1. Re:a successful argument for platform diversity? by shadow255 · · Score: 2, Insightful
      Say what you want about Microsoft, and while much of it's true, the users are to a degree at fault as well. If I leave my keys in my car and the doors unlocked, I can't very well blame the manufacturer for it being stolen.

      The problem with this analogy is that you are implying that Microsoft actually provides the door locks which the users are neglecting to use. While things have gotten better with respect to default services and firewalling, it is still de rigueur to add on third-party software to any Microsoft Windows OS in order to get it to an acceptable level of security.

      Say what you want about Ford, GM, Daimler-Chrysler, etc., but they do always provide the door security mechanisms!

      --

      Logic is a wonderful thing but doesn't always beat actual thought. -Terry Pratchett

  23. NOT an argument for platform diversity by muzzmac · · Score: 2, Interesting

    I would argue that the case for platform diversity is VERY difficult to make. PARTICULARLY in corporations.

    The argument goes: in nature, species survival depends on diversity to maintain some portion of the population who can survive the onslaught of some new contagion. So in computers we should mimic nature and have a heterogeneous mix of software so our computer networks can survive worm/virus contagion.

    BZZZT!

    Networks and corps are different to species. Computers don't multiply and diversify as a natural result of that. The only thing diversity in computers gives you is a CRAPPY understanding of your network and the risks therein. Oh and a fairly good likelihood that SOME computers in your environment are vulnerable to EVERY exploit for EVERY platform released.

    Corporates or networks don't need SOME computers to survive. They need ALL to survive. Data is sacred not computers. Data is located in far flung pockets of the network. The loss of even small amounts of data can be disastrous. Telling someone "it's ok cos' some of our computers survived" will get you fired.

    As far as I am concerned for corps the solution is to have a well understood build that is well protected from likely contagions and strong procedures, processes and technologies to rapidly detect and limit any outbreaks.

    Computer security is about building strong immune systems and rapid inoculation against new contagions. It probably will be for a long time. Survival of the fittest does not work.

    Oh, contagions in computer terms are different to the real world as well. Real world contagions are mutations. Good ones are flukes. In computing they are intelligent in that the developer is motivated, malicious and works hard to defeat your defences. They test their software against common inoculations such as anti-virus software and ensure it is resistant to them.

    Aaahhh. Rant over.

  24. Didn't Joshua/WOPR* say that? by infonography · · Score: 2, Insightful

    Strange game, the only way to win is not to play. - Wargames 1983

    *WOPR (War Operation Planned Response) computer system A.K.A Joshua

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  25. Re:Why can't companies guard against this crap? by ScentCone · · Score: 3, Insightful

    there any excuse anymore other than incompetence and companies that are operating on a small budget?

    But small businesses are the fastest growing section of the economy, and the only way they can remain productive and competitive is to leverage cheap IT. Translate that to: not paying consultants. That means that the person who is supposed to be worrying about what the small company actually produces is instead worrying about being a home-grown IT person. I can't tell you the number of small businesses I've seen in this mode, and the lack of just-add-water total security systems leaves them pretty vulnerable. But even if there were such magic bullet products out there, any small network open enough to be actually useful to a small business is going to be vulnerable to attacks that have been crafted by a large team of highly skilled, motivated Russian techno-mobsters. That's a tough enemy to fight when you're just, say, a 5-man gardening retailer, or a mom and pop sign making company.

    I think the real solution is thin clients and hosted apps. That way the ASP can use some economy of scale to deal with the threats. I know, thin clients don't work for everyone, but even if you use a fat machine as a thin client, at least your core business apps and data would be safe at Acme Hosting, and the worst thing you'd have to do is burn down your local network and start over.

    BTW:

    And to the FBI agent who may come across this message: Go find some real criminals. The last I heard, there are still plenty of real crimes still being committed on a daily basis. Murder, rape, child exploitation, etc. Why not devote some time on the big stuff?

    Come on, don't fall for the "we can't do two things at once" concept. That's BS. I would imagine that a small company being extorted by Russian DDoS attackers would be "big stuff" to everyone who depends on that small business for their families' income. Dealing with that stuff, and dealing with murderers and rapists (usually local law enforcement, anyway) aren't mutually exclusive. I think what you're really lobbying for is a larger budget for the FBI so that they can deal with sophisticated info-criminals and deal with the more traditional crimes in a large and growing population. Stealing a company's trade secrets, or knocking their business offline, or running off with banking info and using it - the guys who do that for a living sure as hell are "real criminals." Just because they happen to be geeks doesn't make them any less criminal. Don't give them any sympathy just because they have an interest in code or know what NAT stands for.

    --
    Don't disappoint your bird dog. Go to the range.
  26. Re:work work work... Anti-malware tips.... by xtracto · · Score: 3, Insightful


    Go into IE and turn off ActiveX and scripting, or (religiously) use the Off By One browser or Lynx, neither of which understands ActiveX or scripting.

    Treat your email and email attachments like 'text files' like I do. I only use Outlook to send email--not receive it.

    Use a software firewall and antivirus. I use Agnitum's Outpost and Grisoft's AVG. I also recommended Trend Micro's Sysclean.

    A great help would be to surf the internet from behind a hardware router that drops ALL incoming unsolicited connections.


    Do you see how cumbersome it is to keep the Windows machine free of *ware and viruseseses?

    Why bother doing all that when you could just spend 40 minutes installing one of the already user friendly enough Linux distros on the market (Linspire, Xandros, Mandrake, Suse...)???

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  27. Re:Dumb sysadmins by ObitMan · · Score: 2, Interesting

    so you're saying you change jobs a lot due to being fired for security violations?

    --
    Who run Barter Town?
  28. Have to agree, as a virus/worm removal writer by jayloden · · Score: 5, Interesting

    I spend my spare time making a virus/worm removal tool for viruses and worms that affect AOL Instant Messenger, and I definitely agree, they've gotten a LOT more sophisticated. I'm no antivirus expert, I've just been working with this particular area of viruses since 2003, so I've seen them progress over time. It used to be a simple executable in the root of the drive, or in the system directory, and a "Run" entry in the registry.

    Now these things screw with the shell setting for Windows, add themselves to the win.ini and system.ini registry entries and run themselves as services, drivers, etc. Even more annoying, they're copying the names of real windows files now, but dropping into different directories - like find.exe but in the Windows directory instead of System32. They create multiple copies of executables that run from every autorun entry they can find, and recreate each other. They communicate with IRC, they steal passwords and usernames to AIM accounts, and in at least a few cases I've found WinPCap and other sniffing or trojan tools installed as well.

    For many months, updating the AIM virus removal tool I maintain was a matter of a few seconds of updates. Then one weekend it turned into several hours of creating new functions and sections of code to handle all these new variants.

    The best I can figure, it's script kiddies or zombie botnet operators just running canned and packaged code, because after the first variant appears, a hundred more follow within a few weeks, using the same techniques or filenames. Generally, the purpose of these worms tends to be to download and install spyware - bringing in income through referral programs - and then leave the system open as part of a botnet.

    Lately, these techniques are being combined with common exploits on vulnerable websites, especially ones with some of the recent PHP vulnerabilities. Again, it's like botnet-in-a-can, grab some scripts and some code, change a few filenames or urls, and let 'er rip. It's certainly not getting any easier to put in the time to update the removal tool, that's for sure.

    -Jay
    http://jayloden.com/aimfix.htm
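The two persistence tricks described in this thread, the same value name planted across many autorun keys (Petersson's 'Microsoft System Backup' entries) and a real Windows file name dropped into the wrong directory (jayloden's find.exe in the Windows directory instead of System32), as an added detection example. This is not code from either commenter or from the AIM removal tool. It parses the text that `reg query <autorun key>` prints, so it can be run offline against saved output; the sample output, the list of borrowed binary names and the assumed system root C:\WINDOWS are constructed for the example.

```python
import re
import ntpath

# Windows binaries whose names malware likes to borrow, with the directory
# (by final path component, lower-cased) where the real one lives. Constructed
# for this example; build it from a clean reference system in practice.
CANONICAL_DIR = {
    "find.exe": "system32", "svchost.exe": "system32", "lsass.exe": "system32",
    "csrss.exe": "system32", "services.exe": "system32", "winlogon.exe": "system32",
    "explorer.exe": "windows",
}

# Environment variables reg.exe leaves unexpanded in REG_EXPAND_SZ data.
# The system root is an assumption for the example.
ENV = {"%windir%": r"C:\WINDOWS", "%systemroot%": r"C:\WINDOWS"}


def parse_reg_query(text):
    """Parse `reg query <key>` output into {"key", "name", "type", "data"} dicts.

    Key names are flush left; values are indented and separated by four
    spaces (or tabs on older reg.exe). Value names may themselves contain
    single spaces, so the split is on runs of four or more.
    """
    entries, key = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith((" ", "\t")):
            key = raw.strip()
            continue
        parts = re.split(r"\t+|\s{4,}", raw.strip(), maxsplit=2)
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue
        name, vtype, data = parts
        entries.append({"key": key, "name": name, "type": vtype, "data": data})
    return entries


def executable_path(command):
    """Extract the program path from an autorun command string."""
    cmd = command.strip()
    for var, val in ENV.items():
        cmd = re.sub(re.escape(var), lambda _m: val, cmd, flags=re.IGNORECASE)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path runs up to the first ".exe" followed by whitespace or end.
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def find_suspicious_autoruns(entries, replicate_threshold=3):
    """Return (value name, reason, detail) tuples for the two tricks above.

    "masquerade": a well-known binary name started from the wrong directory,
    e.g. find.exe in C:\\WINDOWS instead of C:\\WINDOWS\\system32.
    "replicated": the same value name planted in replicate_threshold or more
    autorun keys, the way the 'Microsoft System Backup' worm did.
    """
    findings, keys_by_name = [], {}
    for e in entries:
        keys_by_name.setdefault(e["name"], set()).add(e["key"])
        exe = executable_path(e["data"])
        base = ntpath.basename(exe).lower()
        parent = ntpath.basename(ntpath.dirname(exe)).lower()
        expected = CANONICAL_DIR.get(base)
        if expected and parent != expected:
            findings.append((e["name"], "masquerade",
                             "%s expected under %s, found in %s" % (base, expected, ntpath.dirname(exe))))
    for name, keys in keys_by_name.items():
        if len(keys) >= replicate_threshold:
            findings.append((name, "replicated", "same value name in %d autorun keys" % len(keys)))
    return findings


# Constructed `reg query` output modelled on the comments above; not from a real machine.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_EXPAND_SZ    %windir%\system32\ctfmon.exe
    Microsoft System Backup    REG_SZ    C:\WINDOWS\find.exe -s
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 7.0\Reader\reader_sl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Microsoft System Backup    REG_SZ    C:\WINDOWS\find.exe -s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft System Backup    REG_SZ    C:\WINDOWS\find.exe -s
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for name, reason, detail in find_suspicious_autoruns(parse_reg_query(SAMPLE_REG_QUERY)):
        print("%-11s %-24s %s" % (reason, name, detail))
```

The Run and RunOnce keys are only the obvious places; the comment above also lists the shell value, win.ini and system.ini mappings, services and drivers, so in practice the same parser would be fed the output of `reg query` for each of those locations and the replicate check run over the union.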

  29. Comment removed by account_deleted · · Score: 2, Funny

    Comment removed based on user account deletion

  30. Niche products don't help (was: Anti-malware tips) by jhamcorp · · Score: 2, Insightful
    Since the market share for a non-Microsoft OS is so small, it isn't worth the malware author's time to attack them. A successful attack (if possible) would yield little or no damage in a collective sense.

    You could also use a non-Microsoft, niche product like the ISS personal firewall to help protect yourself if you must use Windows.

    And then you can get nailed with something like Witty.

    There were only about 12,000 Black Ice systems out there. There are over 10 million OS X systems deployed in the world, and no telling how many others (Linux, *BSD, etc.). Each is probably a big enough "niche" to get attention when the opportunity arises (which will happen sooner or later).

    There is really no longer anywhere safe to hide.

    /jonathan

  31. Re:Blocking "non-standard" ports by scottv67 · · Score: 2, Interesting

    *Everything* is working at Layer 7 these days: Juniper/Netscreen IDPs, Websense's Network Agent, Blue Coat and so on.

    There are many good tools which can do "deep inspection" and take action.

    Hell, you could do it with Snort if you wanted to invest the time.

  32. Re:Dumb sysadmins by scottv67 · · Score: 2, Informative

    Right, and what will happen with people running services that are blocked? That's right, they'll just start using the "magical" port 80 that lets people connect to it.

    This actually makes it easier to detect the "rogue apps" trying to exit the corporate network. If everyone tries to use port 80, then I have to redirect only port 80 with WCCP. I run the port 80 traffic through various Layer 7 scrubbing appliances to pick off the stuff that we don't want to leave our network.

    It's like shooting fish in a very small barrel.

  33. Re:Dumb sysadmins by scottv67 · · Score: 2, Informative

    I like the SSH work-around to connect to the proxy that is your egress from the corporate network. Very elegant.

    You mentioned worms that encrypt their traffic. This traffic would be difficult to detect and block using Layer 7-aware appliances.

    There is a similar trick to your SSH-workaround to get the Citrix client to work over port 80. Part of Citrix (nfuse?) can use port 80 and the traffic *looks* like HTTP. But it's really not HTTP and a proxy can break the Citrix connection. The solution is to tell Citrix to use a "secure" connection so that it sends the "HTTP CONNECT" command to the proxy. Then the proxy doesn't monkey with the Citrix traffic passing through. It's an ugly work-around but is needed because of the HTTP proxies at our perimeter. (You also need to tell your HTTP proxy that port 80 is okay for HTTPS traffic so that it will accept the HTTP CONNECT command on port 80).
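The proxy-side check that the HTTP CONNECT discussion above leads to, as an added example serving both Alioth's SSH-over-CONNECT-to-443 trick and the Layer 7 comments in this thread. This is not code from any commenter or from Snort or the appliances named. It classifies the first bytes a client sends once a tunnel is open and applies two rules: a CONNECT to 443 whose first bytes are not a TLS ClientHello is blocked, and an IRC registration is blocked on whatever port it appears. The payload samples are constructed; the classifier is deliberately narrow and, as scottv67 says, sees nothing once genuine encryption is under way.

```python
import re


def classify_first_bytes(data):
    """Classify the first bytes a client sends once a tunnel is open.

    Returns "tls", "ssh", "irc", "http" or "unknown". The checks are narrow on
    purpose: a TLS record header carrying a ClientHello, the SSH identification
    string, an IRC registration command, or an HTTP request line.
    """
    # TLS record: content type 22 (handshake), major version 3, two length
    # bytes, then handshake type 1 (ClientHello) in byte 5.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    # RFC 4253: the client opens with "SSH-protoversion-softwareversion".
    if data.startswith(b"SSH-"):
        return "ssh"
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    # RFC 2812 section 3.1: a client registers with PASS, NICK and USER first.
    if re.match(rb"^(PASS|NICK|USER) \S", first_line):
        return "irc"
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]$", first_line):
        return "http"
    return "unknown"


def tunnel_verdict(dst_port, first_bytes):
    """Proxy policy for a CONNECT tunnel, applied to the first client bytes.

    A tunnel to 443 that does not open with a TLS ClientHello is blocked,
    which catches an SSH client pointed at a server listening on 443. IRC
    registration is blocked whatever the destination port, since bots do not
    stick to 6667. Once a real TLS handshake is in progress the payload is
    opaque and nothing here can inspect it.
    """
    proto = classify_first_bytes(first_bytes)
    if proto == "irc":
        return "block: IRC registration to port %d" % dst_port
    if dst_port == 443 and proto != "tls":
        return "block: non-TLS (%s) in CONNECT to 443" % proto
    return "allow: %s" % proto


# Constructed first-payload samples; none is captured from a real host.
SAMPLES = {
    # TLS 1.0 record header carrying a (truncated) ClientHello.
    "tls": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32,
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "irc": b"NICK b0t8821\r\nUSER b0t 8 * :b0t\r\n",
    "http": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print("%-4s via CONNECT :443 -> %s" % (name, tunnel_verdict(443, payload)))
    print("irc  via CONNECT :8080 -> %s" % tunnel_verdict(8080, SAMPLES["irc"]))
```

The Citrix case in the comment above passes this check only if the Citrix client really speaks TLS inside the tunnel; a CONNECT whose first bytes are the Citrix protocol rather than a ClientHello would be classified "unknown" and blocked on 443, which is exactly the sort of allow-list exception a proxy administrator ends up carrying.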

  34. Re:NOT an argument for platform diversity - My 2c by pyrrhonist · · Score: 2, Funny
    Failure is *not* an option!

    The failure option will be available in the next release as a standard feature.

    --
    Show me on the doll where his noodly appendage touched you.