MS05-039 Worm in the Wild
An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.
What drives them is probably a sense of achievement. By creating a working worm they can prove something to themselves, their friends, and/or the world. And it seems to work, some people got security jobs because of the exploits they made.
As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here. Things that probably help:
- give more publicity to when these guys are caught and what they are sentenced to, rather than to how much damage they did
- make it harder to write worms in the first place. Many worm writers aren't extremely brilliant programmers, so chances are this would cause more worms to fail
- don't give them jobs after they are caught, unless they really deserve them! Just because they can write and release a worm, doesn't mean nobody else can. Better reward the people who can but don't, right?
- maybe apply the same punishment to minors that is applied to adults. If you're smart enough to put together a worm, you're smart enough to know you shouldn't release it.
Please correct me if I got my facts wrong.
Indeed, money is a motivation, but it's not the only one. It's also an intellectual challenge.
Back when I had learned to program in my early teens, I myself was quite fascinated by virii/trojans/etc. and wondered if I could create one. I probably could have written a moderately "successful" trojan by the standards of the time. It's not that hard.
Thankfully, I was responsible enough not to, but not everybody is. All it takes is one bad apple...
...until June 30, 2006
http://support.microsoft.com/default.aspx?pr=Life
That can be said of any (non-victimless) crime really, and just about every crime out there is committed for money and/or passion (revenge, political/religious ideals, whatever). For the past couple of years in the US, times have not been good for software engineers - the fortunate ones with jobs are often underpaid and overworked and considered dispensable. In Russia, where the mob has a rather large influence, there is money to be made from creating & selling zombie networks. To top it off, the largest software maker on the planet isn't exactly well liked, to say the least. Sounds like an awful lot of educated people with awfully good motives.
What can we do to provide more disincentives to keep them from being jerks?
Well, I would argue that alternate approach of fixing the problems I mentioned would be more productive. But, unless I'm missing something, the only possible disincentives are:
Given that the first is unlikely and the second is moot when the problem frequently originates in places outside of your country's jurisdiction, it seems like there is only one thing you can do. I'd like to avoid the (very) tired Linux/Apple-vs-MS security debate here, because I think that user ignorance is by far the biggest problem (I'm well aware MS's *default* settings are inadequate - but that doesn't mean securing the box is impossible).
Unfortunately though, despite all of the worms/viruses we've seen and the amount of $ they've cost everybody, and despite how easy it is to properly secure a PC - the end user remains largely apathetic. I wonder, at what point can we hold software makers or even the end users responsible? I would argue that after a point, the ignorance could constitute negligence or even being an accessory to the crime. I don't mean to blame the victim or sound like Big Brother here - but think about your car for a moment - you need inspection, registration, a license, and insurance just to run the damn thing. And if something on the vehicle breaks and causes an accident - a poorly maintained or defective part could hold you or the manufacturer responsible, respectively.
The rest of these are irrelevant, because they do not expect to get caught. Really. Even if the people around them are going down in flames, they don't expect to get caught.
About 15 years ago I was in the "hacker" scene (the ones breaking into computers, not the ones creating brilliant software). Getting caught never felt real, and never seemed to feel real for anybody else, either. My friends got busted left and right, yet - they'd always been careless about something, and I felt that *I* wouldn't be careless about that.
There's one other thing that could work: break up the scene. The people need to be shown as ridiculous. And it needs to seem ridiculous to the people close to the scene.
For the tagging (graffiti) scene, it seems to have worked somewhat well here in Norway to use advertising to give them a new, ridiculous name and image.
I therefore humbly suggest we from now on call those that break into computers "Computer wankers".
Eivind.
Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
We have all workstations configured with local firewall rules that prohibit most outbound traffic unless the IP address is from our intranet address range. If it's not, only DHCP client, DNS client, AV updates and VPN to the corporate network are allowed. Inbound traffic is completely blocked when plugged into a foreign network. Even when within our network there are strict rules blocking everything by default and only allowing a limited set of ports if traffic is coming from the subnet used by helpdesk.
Visitors used to plug their laptops into our internal net, but we implemented 802.1x and it's no longer a problem. Locations that couldn't be updated to it due to various reasons are routed to a separate firewall interface (VLAN) and can access the corporate net (and internet) only thru VPN.
Printers and other devices that don't speak 802.1x are on separate VLANs that have no access to corporate net or internet.
This is all very basic stuff that any decent admin should be able to implement easily. Everything can be done in a typical Active Directory + Win2000/XP/2003 environment without third-party software. Therefore implementing infrastructure like this is even cheap.
Since someone is going to ask how to limit outbound traffic with the Win2k/XP built-in firewall, here's the answer: Use either RAS filtering (per machine VBS) or IPSEC group-policies.
Because all internet traffic is forced thru proxies doing antivirus checks at HQ, those blocking rules aren't a problem. Users simply access the net using our main connection and their own is only used to tunnel everything via VPN. Users don't have local admin rights so they can't disable the firewall to bypass security.
The biggest drawback with this kind of implementation is WLAN access. Since many WLANs require login using a web browser and net access is denied unless VPN is active, they're unusable. There's no easy solution to this. The only good solution would be some very restricted and secure browser that's allowed to access ports 80/443. Preferably running in its own virtual machine/sandbox to protect the computer itself.
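The egress policy the commenter describes (outbound default-deny, intranet ranges allowed, narrow exceptions for DHCP, DNS, AV updates and the VPN tunnel, inbound only from the helpdesk subnet) can be expressed in one script. The block below is an added example, not the poster's own configuration: it uses the Windows Firewall cmdlets that exist on Windows 8/Server 2012 and later rather than the RAS filtering or IPSEC group-policy mechanisms of the Win2k/XP era the post refers to. The address ranges, the AV update server, the VPN gateway address and the choice of IPsec IKE/NAT-T plus ESP as the VPN transport are all assumptions standing in for site-specific values.

```powershell
# Added example (not the poster's own config): outbound default-deny workstation
# policy modelled with the NetSecurity cmdlets (Windows 8 / Server 2012 and later).
# All addresses below are constructed placeholders from the RFC 5737 test ranges
# or private space; replace them with the real corporate values.
$IntranetRanges = @('10.0.0.0/8', '172.16.0.0/12')   # assumed corporate address ranges
$HelpdeskSubnet = '10.50.0.0/24'                     # assumed helpdesk subnet
$AvUpdateHosts  = @('203.0.113.10')                  # placeholder AV update server
$VpnGateway     = '198.51.100.20'                    # placeholder VPN gateway
$Group          = 'Corp-Workstation-Egress'          # rule group so the set is easy to audit/remove

# 1. Default deny in both directions on every profile. The outbound default-block
#    is the part most deployments skip, and it is what stops a worm on the box
#    from scanning or pushing files to a foreign subnet.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# Remove any earlier copy of this rule group so re-running the script is idempotent.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 2. Outbound to the intranet ranges is allowed on any port/protocol, as the post describes.
New-NetFirewallRule -DisplayName 'Allow outbound to intranet' -Group $Group `
    -Direction Outbound -Action Allow -RemoteAddress $IntranetRanges

# 3. Off-network exceptions: DHCP client, DNS client, AV updates, VPN tunnel.
New-NetFirewallRule -DisplayName 'Allow DHCP client' -Group $Group `
    -Direction Outbound -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67
New-NetFirewallRule -DisplayName 'Allow DNS client (UDP)' -Group $Group `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53
New-NetFirewallRule -DisplayName 'Allow DNS client (TCP)' -Group $Group `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 53
New-NetFirewallRule -DisplayName 'Allow AV updates' -Group $Group `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80, 443 -RemoteAddress $AvUpdateHosts
# Assumed IPsec VPN: IKE (500), NAT-T (4500) and ESP (IP protocol 50) to the gateway only.
New-NetFirewallRule -DisplayName 'Allow VPN IKE/NAT-T' -Group $Group `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 500, 4500 -RemoteAddress $VpnGateway
New-NetFirewallRule -DisplayName 'Allow VPN ESP' -Group $Group `
    -Direction Outbound -Action Allow -Protocol 50 -RemoteAddress $VpnGateway

# 4. Inbound: nothing from foreign networks (default block above); on the domain
#    network only the helpdesk subnet, only a limited port set (RDP as a placeholder).
New-NetFirewallRule -DisplayName 'Allow helpdesk RDP' -Group $Group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $HelpdeskSubnet -Profile Domain

# 5. Verify what was actually applied: the rule group and the per-profile defaults.
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Direction, Action, Enabled
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Run it from an elevated PowerShell session on a test machine first; in production the same rules belong in a Windows Firewall with Advanced Security GPO, which plays the role the poster's IPSEC group-policies did. Note the trade-off the post calls out: with outbound default-deny, a captive-portal WLAN login page cannot be reached until the VPN is up, so a separate allowance (or a sandboxed browser, as suggested) is needed for those networks.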
The spreading was indeed what I found so fascinating. You write a clever bit of software, release it, and if you've been clever enough, your bit of code will take on a life of its own. In time it could be all over the world, perhaps even mutating if you write it that way, all by itself.
:-)
Unsurprisingly, I decided to get a master's degree in AI.
The original poster was talking about "just for the hell of it" worm authors. I should point out that these blackhats in particular should NEVER get caught unless they are extremely prideful and/or stupid. Worms that "call home" can obviously be traced, but proof-of-concept and cause-a-lot-of-chaos worms are only ever connected to their author for one brief instant--when they are uploaded. This instant can be when they are connected at a coffee shop from several blocks away during rush hour. Wash, rinse, repeat for all of the popular public hotspots in the area, over the course of a week to ensure that your worm is seeded in multiple locations. Then, after a week (or after your virus is identified in the wild) halt all distribution and watch the chaos unfold. Unless you suffer from supremely bad luck (i.e. a hidden camera in the area FIVE BLOCKS AWAY from the actual hotspot manages to catch you in the act, and the FBI agents actually check the camera, and they actually manage to spot your woktenna through your tinted car windows) there is no way you will ever be caught. You can even be stupid and brag about it on IRC to all your buddies, and even if the FBI arrests you, you can just say you were being a lying little prick, and as long as you've wiped your HD, they won't have enough evidence to indict you (what are they gonna do, arrest every script kiddie on IRC that claims they wrote the worm? heh.)
Actually, just-for-the-hell-of-it random crime in general is a lot harder to trace than motivated crime. Nothing short of Orwellian-level surveillance can reliably solve random, profitless crime committed by smart criminals. Fortunately, these two things--random, profitless crime and smart criminals--are very rarely connected.