Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier on Attack Trends: More Complex Worms

Posted by timothy on from the malice-on-the-loose dept.

Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call: WORM_SPYBOT.ID"

11 of 189 comments (clear)

  1. work work work... by rd4tech · · Score: 5, Insightful

    We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack.
    This mixed with irc connectiviy, LAN port scanning, update downloads...
    Sounds like a full time job to create one. What are these people gaining anyway?

    1. Re:work work work... by satanami69 · · Score: 5, Insightful

      They turn your machine into a zombie and then sell it to spammers.

      --
      I really hate Dan Patrick.
    2. Re:work work work... by pschmied · · Score: 5, Insightful
      What are these people gaining, anyway?


      Automated access to large numbers of systems inside big corporations and government, where they collect passwords, account names, scan for vulnerabilities and gather information from PC disk drives for evaluation and sale (corporate espionage). Use of thousands of home systems for spambots and DDoS attack fleets. It's all about organized crime and money to be made these days.



      No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

      --
      . Penguins Surely Ca
    3. Re:work work work... by Flendon · · Score: 5, Informative

      I would like to see a worm that goes around and patches servers for a change. It can be done.

      Welchia attempted to patch the DCOM RPC vulnerability that Blaster feed on and remove Blaster if present. It was called the "good samaritan worm". The problem was, as the AC pointed out, the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually had the same unfriendly welcome for the same reason.

      --
      chown -R us ./base
  2. Modern viruses attack from 2 directions by Dancin_Santa · · Score: 5, Insightful

    The whole problem is twofold. The first is stupid users. How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts? The second is privilege escalation at the binary level. System-level software with any sort of hole will allow an attacking program the ability to do whatever it wants, even if the user isn't running as root (the daemon is running at that level).

    We had a guy who was constantly downloading and running every attachment he ever received. We finally set him up with an ePod terminal and some crayons and haven't had a significant virus problem since. As a bonus, we get some interesting artwork to hang in the lobby.

    This goes to show the benefits of Open Source software. Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

    We can't take the drastic step of eliminating Windows on our networks because it is so entrenched, but the slow migration away from it one desktop at a time is giving us a whole new outlook on viruses.

    1. Re:Modern viruses attack from 2 directions by Indy+Media+Watch · · Score: 5, Funny

      The first is stupid users.

      Sorry BOFH wannabe, they're not stupid users, they're just users.

      If they aren't doing what you would like, you obviously have a training deficiency which might be your fault, not theirs.

      How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts?

      By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple.

      --

      Indy Media Watch-Proctologist of the Internet

  3. Now if we could only... by Anonymous Coward · · Score: 5, Funny
    "Bruce Schneier has posted an interesting entry on expected attack trends to his blog."

    ...develop a worm that attacks trendy blogs.

  4. Anatomy of the Web Application Worm by mrkitty · · Score: 5, Informative

    For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
    http://www.cgisecurity.com/articles/worms.shtml

    --
    Believe me, if I started murdering people, there would be none of you left.
  5. One day there'll be a worm so complex by salparadyse · · Score: 5, Funny

    ... that to all itents and purposes it looks like an Operating System. It will give the use a limited amount of funciontality in order to maintain it's cover. Secretly it will report back to its maker about what you do on your computer and... Oh, wait a minute...

  6. Re:Spybot by beetlefeet · · Score: 5, Funny

    Besides they make viruses?
    What do they care about infringing on a trademark?!

    Z3r0C001: Hey what do you think about the name "I Be Malicious" for the name of our new virus?

    |<rash0v3rr|d3: Hmm, the initials of that spell I.B.M., we could be in for a lengthy legal battle.

    Z3r0C001: You're right, legalities aside, it would at least be unethical to use a name that shortens to another companies name, especially seeing as both of our products are in the computing realm.

    |<rash0v3rr|d3: Indeed, lets forget the virus and forget our troubles with a big bowl of strawberry icecream.

    Z3r0C001: w00t

  7. Have to agree, as a virus/worm removal writer by jayloden · · Score: 5, Interesting

    I spend my spare time making a virus/worm removal tool for viruses and worms that affect AOL Instant Messenger, and I definitely agree, they've gotten a LOT more sophisticated. I'm no antivirus expert, I've just been working with this particular area of viruses since 2003, so I've seen them progress over time. It used to be a simple executable in the root of the drive, or in the system directory, and a "Run" entry in the registry.

    Now these things screw with the shell setting for Windows, add themselves to the win.ini and system.ini registry entries and run themselves as services, drivers, etc. Even more annoying, they're copying the names of real windows files now, but dropping into different directories - like find.exe but in the Windows directory instead of System32. They create multiple copies of executables that run from every autorun entry they can find, and recreate each other. They communicate with IRC, they steal passwords and usernames to AIM accounts, and in at least a few cases I've found WinPCap and other sniffing or trojan tools installed as well.

    For many months, updating the AIM virus removal tool I maintain was a matter of a few seconds of updates. Then one weekend it turned into several hours of creating new functions and sections of code to handle all these new variants.

    The best I can figure, it's script kiddies or zombie botnet operators just running canned and packaged code, because after the first variant appears, a hundred more follow within a few weeks, using the same techniques or filenames. Generally, the purpose of these worms tends to be to download and install spyware - bringing in income through referral programs - and then leave the system open as part of a botnet.

    Lately, these techniques are being combined with common exploits on vulnerable websites, especially ones with some of the recent PHP vulnerabilities. Again, it's like botnet-in-a-can, grab some scripts and some code, change a few filenames or urls, and let 'er rip. It's certainly not getting any easier to put in the time to update the removal tool, that's for sure.

    -Jay
    http://jayloden.com/aimfix.htm