Slashdot Mirror


Schneier on Attack Trends: More Complex Worms

Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call: WORM_SPYBOT.ID"
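
The behaviour the summary attributes to the worm (once inside, it sweeps the LAN for vulnerable services, then reports its findings over IRC) is exactly the sequence a network-side detection would key on. What follows is an added example written for this page, not code from Schneier's post, the Slashdot story, Symantec or Trend Micro; the flow-log format, the port sets, the thresholds and the sample flows are all constructed assumptions.

```python
"""Toy detector for "sweep the internal network, then phone home over IRC".

Input is a constructed, simplified flow log, one connection per line:
    <epoch seconds> <src ip> <dst ip> <dst port>
Everything below (ports, address range, thresholds, sample data) is an
assumption made for illustration, not an artefact from the original page.
"""
from collections import defaultdict, deque
import ipaddress

IRC_PORTS = {6667, 6668, 6669, 6697}           # common IRC ports (assumption)
SCAN_PORTS = {135, 139, 445, 1433, 5000}       # RPC, NetBIOS, SMB, MSSQL, UPnP
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the "inside" of the network


def parse_flow(line):
    """One flow per line: '<epoch seconds> <src ip> <dst ip> <dst port>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_scan_then_irc(lines, fanout=8, window=60):
    """Flag sources that, inside a `window`-second sliding window, touch at
    least `fanout` distinct internal hosts on scan ports and afterwards open
    an outbound connection to an IRC port.
    Returns {src: {"targets": <peak distinct hosts>, "irc": (dst, port)}}."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f[0])
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)

    hits = {}
    for src, src_flows in by_src.items():
        recent = deque()      # (ts, dst) of scan-port flows still inside the window
        scan_seen_at = None   # time the sweep crossed the fan-out threshold
        peak = 0
        for ts, _, dst, dport in src_flows:
            dst_ip = ipaddress.ip_address(dst)
            if dport in SCAN_PORTS and dst_ip in INTERNAL:
                recent.append((ts, dst))
                while ts - recent[0][0] > window:
                    recent.popleft()
                distinct = len({d for _, d in recent})
                if distinct >= fanout:
                    scan_seen_at = ts
                    peak = max(peak, distinct)
            elif (scan_seen_at is not None and ts >= scan_seen_at
                  and dport in IRC_PORTS and dst_ip not in INTERNAL):
                hits[src] = {"targets": peak, "irc": (dst, dport)}
                break
    return hits


# Constructed sample: one infected host, one scanner that never phones home,
# one host with a single SMB connection followed by IRC (normal chat user).
SAMPLE_LOG = (
    [f"{1000 + i} 10.0.1.5 10.0.1.{10 + i} 445" for i in range(16)]    # SMB sweep
    + ["1020 10.0.1.5 198.51.100.7 6667"]                               # report-in
    + [f"{2000 + i} 10.0.1.9 10.0.1.{40 + i} 445" for i in range(12)]  # sweep, no IRC
    + ["3000 10.0.1.8 10.0.1.20 445", "3001 10.0.1.8 198.51.100.7 6667"]
)

if __name__ == "__main__":
    for src, info in detect_scan_then_irc(SAMPLE_LOG).items():
        print(f"{src}: swept {info['targets']} hosts, then IRC to "
              f"{info['irc'][0]}:{info['irc'][1]}")
```

Two caveats a practitioner would add before deploying this. Port-based IRC detection is weak, since a bot can be told to use any port; at a proxy or IDS the better signal is the protocol itself (NICK/USER/JOIN lines in the first packets). And the fan-out heuristic also fires on legitimate vulnerability scanners and software-deployment servers, so those sources need an allow-list rather than a lower threshold.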

20 of 189 comments

  1. work work work... by rd4tech · · Score: 5, Insightful

    We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack.
    This mixed with IRC connectivity, LAN port scanning, update downloads...
    Sounds like a full time job to create one. What are these people gaining anyway?

    1. Re:work work work... by satanami69 · · Score: 5, Insightful

      They turn your machine into a zombie and then sell it to spammers.

      --
      I really hate Dan Patrick.
    2. Re:work work work... by pschmied · · Score: 5, Insightful
      What are these people gaining, anyway?

      Automated access to large numbers of systems inside big corporations and government, where they collect passwords, account names, scan for vulnerabilities and gather information from PC disk drives for evaluation and sale (corporate espionage). Use of thousands of home systems for spambots and DDoS attack fleets. It's all about organized crime and money to be made these days.

      No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

    3. Re:work work work... by bersl2 · · Score: 4, Interesting

      No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

      Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?

      Can one then conclude that because the common wisdom seems to favor a uniform system, this is those people's just deserts?

    4. Re:work work work... by pschmied · · Score: 4, Interesting
      Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?

      Excellent point. However, in practice it can be a tricky balance. For example, a company that runs AIX on the Power architecture is less likely to be vulnerable to the buffer overflow exploit of the week than, say, Linux on Intel.

      The trade-off becomes "patch early, and patch often" versus "maintain an expensive development/build environment for a relatively obscure platform that sucks to build software on." As a person who has witnessed this phenomenon first hand and has felt the full pain of building all the standard OSS on AIX, I can tell you that Linux/Intel starts looking pretty good at times.

      As always, it's never black and white. Platform diversity == good. Too much platform diversity == major pain in the ass.

      -Peter
    5. Re:work work work... by Flendon · · Score: 5, Informative

      I would like to see a worm that goes around and patches servers for a change. It can be done.

      Welchia attempted to patch the DCOM RPC vulnerability that Blaster fed on and remove Blaster if present. It was called the "good samaritan worm". The problem was, as the AC pointed out, the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually had the same unfriendly welcome for the same reason.

      --
      chown -R us ./base
    6. Re:work work work... by binner1 · · Score: 4, Funny

      The fact that you were able to install a personal firewall on your machine indicates to me that it may be quite a while before your admins figure out what nailed them...

      -Ben

  2. Modern viruses attack from 2 directions by Dancin_Santa · · Score: 5, Insightful

    The whole problem is twofold. The first is stupid users. How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts? The second is privilege escalation at the binary level. System-level software with any sort of hole will allow an attacking program the ability to do whatever it wants, even if the user isn't running as root (the daemon is running at that level).

    We had a guy who was constantly downloading and running every attachment he ever received. We finally set him up with an ePod terminal and some crayons and haven't had a significant virus problem since. As a bonus, we get some interesting artwork to hang in the lobby.

    This goes to show the benefits of Open Source software. Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

    We can't take the drastic step of eliminating Windows on our networks because it is so entrenched, but the slow migration away from it one desktop at a time is giving us a whole new outlook on viruses.

    1. Re:Modern viruses attack from 2 directions by Indy+Media+Watch · · Score: 5, Funny

      The first is stupid users.

      Sorry BOFH wannabe, they're not stupid users, they're just users.

      If they aren't doing what you would like, you obviously have a training deficiency which might be your fault, not theirs.

      How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts?

      By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple.

      --
      Indy Media Watch - Proctologist of the Internet

    2. Re:Modern viruses attack from 2 directions by pschmied · · Score: 4, Insightful
      The whole problem is twofold. The first is stupid users... The second is privilege escalation at the binary level.

      Human stupidity is greatly amplified by weak architectures. If one lucky user gets a malicious email and executes the attachment (after unlocking the password-protected zip and clicking on "Natalie_Portman_Naked.zip") that's bad enough. But cleaning up dozens or hundreds of PC systems clobbered by the resulting worm infestation is catastrophic. The industry is only starting to realize that we need better tools to fix stupid.

      -Peter

    3. Re:Modern viruses attack from 2 directions by killjoe · · Score: 4, Funny

      "By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple."

      I don't know where I heard this but...

      "You can never make anything idiot proof because idiots are so damned ingenious"

      --
      evil is as evil does
  3. IIS == Thumper by hedley · · Score: 4, Funny

    Nice to see the industry's stock thumper is still #1 for attracting worms and looks to be still #1 in the future. Upon sighting wormsign one need only look close by for a compromised IIS box.

    Hedley

  4. Schneier by pHatidic · · Score: 4, Informative

    If you haven't already read his book Beyond Fear I would highly recommend it. For those of us who don't read books, he covers a good chunk of the material in 34 minutes in this interview. It's also very fascinating; I even played it for my grandparents, and they both enjoyed it and have since told me that they have seen him talking on CSPAN or something like that.

  5. Now if we could only... by Anonymous Coward · · Score: 5, Funny
    "Bruce Schneier has posted an interesting entry on expected attack trends to his blog."

    ...develop a worm that attacks trendy blogs.

  6. Anatomy of the Web Application Worm by mrkitty · · Score: 5, Informative

    For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
    http://www.cgisecurity.com/articles/worms.shtml

    --
    Believe me, if I started murdering people, there would be none of you left.
  7. One day there'll be a worm so complex by salparadyse · · Score: 5, Funny

    ... that to all intents and purposes it looks like an operating system. It will give the user a limited amount of functionality in order to maintain its cover. Secretly it will report back to its maker about what you do on your computer and... Oh, wait a minute...

  8. Schneier and the SF Public Library by IO+ERROR · · Score: 4, Interesting
    Bruce Schneier is my hero. His blog has been in my feed reader for quite a while.

    Some comments: I haven't read Beyond Fear yet, but I have read Applied Cryptography. The San Francisco Public Library kept it in a back room and asked me to surrender my ID to look at it. I have no idea why. Maybe it's a terrorism manual.

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
  9. Crime that targets the shady by tloh · · Score: 4, Funny

    From the article: "We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks."

    While mainstream web services are cringing in anticipation of becoming targets, it is quite amusing to watch what seems to be one kind of filth devouring another.

    --
    Stay sentient. Don't drink bad milk.
  10. Re:Spybot by beetlefeet · · Score: 5, Funny

    Besides, they make viruses?
    What do they care about infringing on a trademark?!

    Z3r0C001: Hey what do you think about the name "I Be Malicious" for the name of our new virus?

    |<rash0v3rr|d3: Hmm, the initials of that spell I.B.M., we could be in for a lengthy legal battle.

    Z3r0C001: You're right. Legalities aside, it would at least be unethical to use a name that shortens to another company's name, especially seeing as both of our products are in the computing realm.

    |<rash0v3rr|d3: Indeed, let's forget the virus and forget our troubles with a big bowl of strawberry ice cream.

    Z3r0C001: w00t

  11. Have to agree, as a virus/worm removal writer by jayloden · · Score: 5, Interesting

    I spend my spare time making a virus/worm removal tool for viruses and worms that affect AOL Instant Messenger, and I definitely agree, they've gotten a LOT more sophisticated. I'm no antivirus expert, I've just been working with this particular area of viruses since 2003, so I've seen them progress over time. It used to be a simple executable in the root of the drive, or in the system directory, and a "Run" entry in the registry.

    Now these things screw with the shell setting for Windows, add themselves to the win.ini and system.ini registry entries and run themselves as services, drivers, etc. Even more annoying, they're copying the names of real Windows files now, but dropping into different directories - like find.exe but in the Windows directory instead of System32. They create multiple copies of executables that run from every autorun entry they can find, and recreate each other. They communicate with IRC, they steal passwords and usernames to AIM accounts, and in at least a few cases I've found WinPCap and other sniffing or trojan tools installed as well.

    For many months, updating the AIM virus removal tool I maintain was a matter of a few seconds of updates. Then one weekend it turned into several hours of creating new functions and sections of code to handle all these new variants.

    The best I can figure, it's script kiddies or zombie botnet operators just running canned and packaged code, because after the first variant appears, a hundred more follow within a few weeks, using the same techniques or filenames. Generally, the purpose of these worms tends to be to download and install spyware - bringing in income through referral programs - and then leave the system open as part of a botnet.

    Lately, these techniques are being combined with common exploits on vulnerable websites, especially ones with some of the recent PHP vulnerabilities. Again, it's like botnet-in-a-can, grab some scripts and some code, change a few filenames or URLs, and let 'er rip. It's certainly not getting any easier to put in the time to update the removal tool, that's for sure.

    -Jay
    http://jayloden.com/aimfix.htm
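
The persistence tricks jayloden lists (tampering with the Winlogon Shell value, the registry equivalents of win.ini load=/run=, copies of the worm named after real Windows binaries but dropped outside System32, and the same executable registered from several autorun locations so the copies can recreate each other) are all things a host audit can check mechanically. The following is an added example written for this page, not code from the comment above or from the AIMFix tool it links. It works on a constructed autorun inventory of the kind a tool such as Sysinternals Autoruns exports; the registry value names used as markers, the canonical-directory table and the sample entries are assumptions for illustration.

```python
"""Audit an autorun inventory for worm-style persistence (added example).

Entries are dicts {"location": <registry value path>, "name": ..., "image": <command>}.
The canonical-directory table, the key-name markers and the sample inventory
are assumptions made for this example, not data from the original page.
"""
import re
from collections import defaultdict
from ntpath import basename, dirname   # Windows path semantics, runs on any OS

# Where these binaries live on a default install (assumption for illustration).
CANONICAL_DIR = {
    "find.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Registry equivalents of system.ini [boot] shell= and win.ini load=/run= (assumed markers).
SHELL_KEY = r"\winlogon\shell"
LOAD_RUN_KEYS = (r"\windows\load", r"\windows\run")


def exe_paths(command):
    """Extract executable paths from a command line or from a comma-separated
    Shell value such as 'explorer.exe, C:\\Windows\\find.exe'."""
    paths = []
    for part in command.split(","):
        m = re.match(r'\s*"?(.+?\.exe)"?', part, re.I)
        if m:
            paths.append(m.group(1).strip())
    return paths


def audit_autoruns(entries):
    """Return a list of (kind, location, detail) findings."""
    findings = []
    seen_in = defaultdict(set)   # lower-cased full path -> autorun locations using it
    for e in entries:
        loc, image = e["location"], e["image"]
        loc_l = loc.lower()
        # The shell value should be exactly explorer.exe; anything appended runs at logon.
        if loc_l.endswith(SHELL_KEY) and image.strip().lower() != "explorer.exe":
            findings.append(("shell_hijack", loc, image))
        # load=/run= are empty on a clean system; any value is worth a look.
        if loc_l.endswith(LOAD_RUN_KEYS) and image.strip():
            findings.append(("winini_load_run", loc, image))
        for p in exe_paths(image):
            name, d = basename(p).lower(), dirname(p).lower()
            if not d:
                continue          # bare name resolved via the search path: nothing to compare
            seen_in[p.lower()].add(loc)
            # A system-binary name outside its canonical directory is a masquerade.
            if name in CANONICAL_DIR and d != CANONICAL_DIR[name]:
                findings.append(("masquerade", loc,
                                 f"{p} (expected in {CANONICAL_DIR[name]})"))
    # One image registered from several autorun points: the "recreate each other" pattern.
    for p, locs in seen_in.items():
        if len(locs) > 1:
            findings.append(("multi_location", ";".join(sorted(locs)), p))
    return findings


# Constructed inventory: three entries point at a find.exe in the wrong directory,
# one legitimate service, one ordinary per-user Run entry.
SAMPLE_AUTORUNS = [
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "name": "Updater", "image": r"C:\Windows\find.exe"},
    {"location": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "name": "Shell", "image": r"explorer.exe, C:\Windows\find.exe"},
    {"location": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load",
     "name": "load", "image": r"C:\Windows\find.exe"},
    {"location": r"HKLM\System\CurrentControlSet\Services\netsvc\ImagePath",
     "name": "netsvc", "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AIM",
     "name": "AIM", "image": r"C:\Program Files\AIM\aim.exe -cnetwait.odl"},
]

if __name__ == "__main__":
    for kind, loc, detail in audit_autoruns(SAMPLE_AUTORUNS):
        print(f"[{kind}] {loc}: {detail}")
```

This is a heuristic, not a verdict: a binary an administrator has deliberately relocated will trip the masquerade check, and the canonical table has to be extended to the binaries a given worm family imitates. What it does reliably is turn the comment's list of tricks into a short report that can be diffed against a known-good export of the same machine.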