Slashdot Mirror


Worms Could Dodge Net traps

Danse writes "ZDNet reports that future worms could evade a network of early-warning sensors hidden across the Internet unless countermeasures are taken. According to papers presented at the Usenix Security Symposium, just as surveillance cameras are sometimes hidden, the locations of the Internet sensors are kept secret. From the article: 'If the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data.' A team of computer scientists from the University of Wisconsin wrote up the background in their award-winning paper titled 'Mapping Internet Sensors with Probe Response Attacks.'"

9 of 58 comments

  1. Conclusion = obvious by rritterson · Score: 4, Insightful

    Duh! Of course you can slowly figure out how a security system works, and then work around it. See any famous and/or talented thief for such an example. The real threat, I suppose, is that these worms can do it automatically and on a larger scale.

    Solution: Don't open holes and then fill them with trip wires. Just fill up the hole (via patch or otherwise) in the first place.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    1. Re:Conclusion = obvious by aussie_a · Score: 3, Insightful

      You obviously seem to have all the answers, so why don't you go and code these magic patches for them?

      Security isn't easy, and fixing holes with patches isn't easy. It takes time, skill and money. Placing a trip wire as a stop-gap measure is helpful, especially if the hole takes years to fix (without creating more holes).

      If you can do better, then by all means do so. But the security war will never be won by those securing the systems.

  2. Quick Summary by Shadowlore · Score: 4, Interesting

    'Maintaining sensor anonymity is critical because if the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data.'

    So basically: "Security through Obscurity is Bad" combined with "We found a way to eliminate the obscurity."

    --
    My Suburban burns less gasoline than your Prius.
  3. I wonder how long before... by Biomechanical · Score: 4, Insightful

    ...we have roving Intrusion Countermeasures (or IC) inside our systems. Not just passive measures, but semi-autonomous active measures.

    We already have a form of White IC - simple detection, non-aggressive measures. How long before we have more active Grey IC - Tar Babies (similar to today's honey pots), Tar Pits, Blaster - and ultimately, Black IC - seeking out the source of the intrusion and in turn, destroying the origin of attack?

    Would a big, multi-national corporation get punished for "accidentally" frying the computer of someone who was thought to be intruding into the corporation's computers? I seriously doubt it.

    --
    His name is Robert Paulsen...
  4. Again?! by Arkan · Score: 4, Interesting

    Is it just me, or are we again speaking about security through obscurity (albeit I have to admit that it's in a slightly different way, this time)?

    How long will it take people involved in computer and network security to realise that "secret" has virtually no meaning in the field?

    A private key is the only exception I can see at the moment: it is kept secret because nobody has any use for it except its owner, and no one will ever need access to it.

    But how long will a "secret" early-warning network remain so... when its primary function is to be contacted by the worms that try to evade it?

    --
    Arkan

    1. Re:Again?! by jd · Score: 3, Interesting

      AFAICT, you are correct - the private key of a private/public key pair is about the only true secret, as virtually all other information is shared at some time or other.

      I suppose it is arguable that load-balancing and fail-over systems are "secrets" in a sense, as external users aren't supposed to see that information, but I'd call them "null secrets" in the sense that they have no value even if you DID know them.

      Presumably these early-warning systems are some kind of a mix of honey-pots and passive sniffers. If the worm is actually any good, it should be able to infiltrate a honey-pot and become stealthy (thus undetectable to anything inside the honey-pot). In that case, the system running the honey-pot would be able to detect that an infection occurred, but would NOT have reliable data on how or when.

      As for passive sniffers, a polymorphic worm that can vary the loading code as well as the payload, OR a worm that is encrypted and can hijack some OS internal decrypt code, would get past such a sniffer. There'd be nothing the sniffer could identify.

      The "ultimate" in malware would be some sort of hypervisor - similar in idea to Xen - that could "run" the host OS on top of itself. That way, nothing inside the OS could see it and all calls to the hardware that would reveal the malware could be trapped. Some early DOS boot sector viruses did something similar, copying the original boot sector to an empty sector somewhere else and then marking it bad to safeguard it. Any time a call was made to look at the boot sector, the call was trapped and the copy was returned instead of the real one.

      The "ultimate" transport mechanism for malware would use a decoder built into the OS. The LZW code for GIF images, perhaps. Just something that would make it impossible for virus scanners in a mail server, or sniffers on a network, to use simple pattern recognition to identify it. You'd then need a buffer overflow you could exploit to take your newly decrypted malware into the system itself.

      Image decoder exploits and buffer overflow exploits are well-known and have certainly been utilized in the past, though I'm not sure if in this way. Polymorphic code, designed to make identification strings next to impossible, has also been around a long time. I think the first polymorphic viruses appeared in the late 1980s and were certainly a significant cause of concern in the early 1990s.

      Of course, if Cisco doesn't fix that IOS bug soon, it'll all be moot anyway. If you can just capture one Cisco router at a time, in a chain, you can set up tunnels to carry whatever you damn well feel like. An IPSec tunnel would be utterly opaque to any monitoring system anyone cared to deploy, no matter how sophisticated.

      All in all, security through hidden monitors - security through several layers of obscurity - is no security at all, as it is simply too easy to bypass the layers involved and therefore the monitors, without having to know a damn thing about where the monitors are or even how they do the monitoring.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. DShield Discussion by tjohns · Score: 3, Informative

    A similar article by zdnet.co.uk was brought up a few days ago on the DShield discussion list. One choice quote is from Johannes Ullrich, a member of the SANS Internet Storm Center and the developer of DShield:

    We do receive reports from about 500-700k IP addresses each day.
    Including the full list would be hard (or make for a very large worm).
    In addition, many of these IPs are dynamic, so you have to exclude
    networks rather than individual IPs.

    To put it down bluntly: If every IP is a sensor, there is nobody left to
    attack ;-)

    For those of you who don't know, DShield is precisely one of the 'early-warning sensor' networks the article is talking about.
  6. That is to be expected by jurt1235 · Score: 4, Insightful

    A biological virus adapts to its environment, and so does a worm, so why would the digital variant not adapt? And since the main platform clearly suffers from an immune deficiency syndrome, just kept alive by its doctors and creators by means which are always too late to stop the newest infection but just in time to save most patients, it is pretty easy for the viruses to stay alive, and adapt to a point where the immune system will completely fail.

    --

    My wife's sketchblog Blob[p]: Gastrono-me
  7. Or alternatively by Rosco P. Coltrane · Score: 3, Insightful

    Could certain software companies start spewing out secure software, so worms don't have much of a chance to exist in the first place?

    The number of companies getting fat over those needless insecurities is just gross...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash