
Schneier on Attack Trends: More Complex Worms

Posted by timothy
from the malice-on-the-loose dept.
Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call: WORM_SPYBOT.ID"
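The behaviour the summary describes (a bot that sweeps the LAN for exploitable services and then reports over IRC) leaves a distinctive footprint in ordinary connection logs: one internal host fanning out to many neighbours on a handful of service ports, and the same host holding a session to an outside IRC port. The script below is an added example, not code from Schneier's essay, the submitter, or any vendor tool. The one-line-per-connection log format, the internal range `10.0.0.0/8`, the scan-port list and the IRC-port list are all assumptions chosen for illustration, and the sample log is constructed.

```python
"""Pick out 'scan the LAN, then report via IRC' hosts from connection logs.

Added example, not from the Slashdot post or Schneier's essay.  Log format
(assumed): one 'src dst dport' per line.  Port lists and the internal address
range are assumptions; tune them to the environment being watched.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal range
SCAN_PORTS = {135, 139, 445, 1433, 5000, 80}  # assumed services a bot probes
IRC_PORTS = {6667, 6668, 6669, 7000}          # assumed controller ports


def parse_log(text):
    """Parse 'src dst dport' lines into (src, dst, dport); skip malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            conns.append((ip_address(parts[0]), ip_address(parts[1]), int(parts[2])))
        except ValueError:
            continue
    return conns


def find_scanners(conns, min_targets=10):
    """Hosts that touch at least min_targets distinct internal neighbours on scan ports."""
    targets = defaultdict(set)
    for src, dst, dport in conns:
        if dport in SCAN_PORTS and dst in INTERNAL and src != dst:
            targets[src].add(dst)
    return {str(h) for h, t in targets.items() if len(t) >= min_targets}


def find_irc_reporters(conns):
    """Hosts opening IRC-port connections to addresses outside the internal range."""
    return {str(src) for src, dst, dport in conns
            if dport in IRC_PORTS and dst not in INTERNAL}


def find_blended(conns, min_targets=10):
    """Hosts that both scan and report: the worm behaviour the summary describes."""
    return find_scanners(conns, min_targets) & find_irc_reporters(conns)


# Constructed sample: 10.0.0.5 sweeps 10.0.0.1-12 on 445 and talks to an
# outside IRC server; 10.0.0.9 is a normal client; 10.0.0.7 uses IRC but
# does not scan; one junk line exercises the parser's error handling.
SAMPLE_LOG = "\n".join(
    [f"10.0.0.5 10.0.0.{i} 445" for i in range(1, 13)]
    + ["10.0.0.5 203.0.113.10 6667",
       "10.0.0.9 10.0.0.1 445",
       "10.0.0.9 198.51.100.7 80",
       "10.0.0.7 203.0.113.10 6667",
       "garbage line here"]
)

if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    print("scanners:      ", find_scanners(conns))
    print("irc reporters: ", find_irc_reporters(conns))
    print("blended (worm):", find_blended(conns))
```

The two signals are deliberately kept separate: a lone IRC user or a lone port scanner (an administrator running a vulnerability scan, say) each generates noise, and it is the intersection that is worth paging on. The `min_targets` threshold is the knob to raise on networks where legitimate management tools sweep subnets.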


  • work work work... (Score:5, Insightful)

    by rd4tech (711615) * on Tuesday June 07, 2005 @11:40PM (#12754921)
    We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack.
    This mixed with IRC connectivity, LAN port scanning, update downloads...
    Sounds like a full time job to create one. What are these people gaining anyway?
    • by satanami69 (209636) on Tuesday June 07, 2005 @11:40PM (#12754927) Homepage
      They turn your machine into a zombie and then sell it to spammers.
      • Why doesn't every corporation in the world install something to prevent worms from propagating? Do they not care or do they think they are already protected because they have a firewall?
        • Re:work work work... (Score:2, Interesting)

          by cassidyc (167044)
          And this "Something" would be what exactly?? Some mythical piece of software that has not and could never be created.

          The only way to ensure that a PC never propagates anything is to never turn the damn thing on.

          CJC
      • Re:work work work... (Score:3, Informative)

        by Petersson (636253)
        and then sell it to spammers

        Is this the New Economics, the lost dream of IT visioneers?

        BTW this Monday my company network was badly infected with a yet unknown worm. It created about 15 registry values named 'Microsoft System Backup' to make itself start on a lot of occasions. Still can't find anything about it on the internet.

        Despite our admins, I've installed a personal firewall...

      • They turn your machine into a zombie and then sell it to spammers.

        But first they have to infect it.

        The easy way to avoid a zombied computer:

        Pretty much use any OS other than one made by Microsoft. Since the market share for a non-Microsoft OS is so small, it isn't worth the malware author's time to attack them. A successful attack (if possible) would yield little or no damage in a collective sense.

        On a Microsoft OS? More work is involved in order to stay malware free.

        Go into IE and turn off ActiveX
        • by xtracto (837672) on Wednesday June 08, 2005 @06:29AM (#12756146) Journal

          Go into IE and turn off ActiveX, and scripting or (religiously) use the Off By One browser or Lynx, which both don't understand ActiveX and scripting.

          Treat your email and email attachments like 'text files' like I do. I only use Outlook to send email--not receive it.

          Use a software firewall and antivirus. I use Agnitum's Outpost and Grisoft's AVG. I also recommended Trend Micro's Sysclean.

          A great help would be to surf the internet from behind a hardware router that drops ALL incoming unsolicited connections.


          Do you see how cumbersome it is to keep the Windows machine free of *ware and viruseseses?

          Why bother doing all that when you could just spend 40 minutes installing one of the already user friendly enough Linux distros on the market (Linspire, Xandros, Mandrake, Suse...)???
          Since the market share for a non-Microsoft OS is so small, it isn't worth the malware author's time to attack them. A successful attack (if possible) would yield little or no damage in a collective sense.

          You could also use a non-Microsoft, niche product like the ISS personal firewall to help protect yourself if you must use Windows.

          And then you can get nailed with something like Witty [caida.org].

          There were only about 12,000 Black Ice systems out there. There are over 10 million OS X systems deployed in the

    • by pschmied (5648) on Tuesday June 07, 2005 @11:50PM (#12754965) Homepage
      What are these people gaining, anyway?


      Automated access to large numbers of systems inside big corporations and government, where they collect passwords, account names, scan for vulnerabilities and gather information from PC disk drives for evaluation and sale (corporate espionage). Use of thousands of home systems for spambots and DDoS attack fleets. It's all about organized crime and money to be made these days.



      No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

      • Re:work work work... (Score:5, Interesting)

        by bersl2 (689221) on Wednesday June 08, 2005 @12:34AM (#12755146) Journal
        No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

        Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?

        Can one then conclude that because the common wisdom seems to favor a uniform system, this is those people's just deserts?
        • Re:work work work... (Score:5, Interesting)

          by pschmied (5648) on Wednesday June 08, 2005 @01:02AM (#12755261) Homepage
          Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?


          Excellent point. However, in practice it can be a tricky balance. For example, a company that runs AIX on the Power architecture is less likely to be vulnerable to the buffer overflow exploit of the week than say Linux on Intel.

          The trade off becomes "patch early, and patch often" versus "maintain an expensive development/build environment for a relatively obscure platform that sucks to build software on." As a person who has witnessed this phenomenon first hand and has felt the full pain of building all the standard OSS on AIX, I can tell you that Linux/Intel starts looking pretty good at times.

          As always, it's never black and white. Platform diversity == good. Too much platform diversity == major pain in the ass.

          -Peter
          • Re:work work work... (Score:3, Interesting)

            by bersl2 (689221)
            Sure, at the single network level, moderation is good. I also meant at the level of the entire Internet, diversity is good.

            Everyone makes the "Oh, but if enough of us switch, then they'll start attacking [name of OS] too!" and commercial developers don't want to write cross-platform because it's not profitable.

            I propose that this offloads much of the cost onto the user setups, who pay in lost productivity, lost or stolen data, and sometimes directly financially, because they represent a large target. I ar
        • by infonography (566403) on Wednesday June 08, 2005 @04:02AM (#12755786) Homepage
          not quite, while platform diversity is in many levels a good thing, it's a lot more than just a defense against transient viral/worm attacks. Microsoft rules the not-too-complex-but-works world because it's just that. You don't need to be an Otaku to get a DVD to play. Some people would be victims no matter what OS they run. I run both UNIX and Windows, I have taken precautions on both sides and have not seen any serious breaches in several years. System security is part of my routine, because I am a serious user. AOL users have been the traditional food for hackers and virii in the past but AOL has seen the logic in taking that out of the hands of an incompetent userbase.

          Say what you want about Microsoft, and while much of it's true, the users are to a degree at fault as well. If I leave my keys in my car and the doors unlocked, I can't very well blame the manufacturer for it being stolen.
          • Say what you want about Microsoft, and while much of it's true, the users are to a degree at fault as well. If I leave my keys in my car and the doors unlocked, I can't very well blame the manufacturer for it being stolen.

            The problem with this analogy is that you are implying that Microsoft actually provides the door locks which the users are neglecting to use. While things have gotten better with respect to default services and firewalling, it is still de rigueur to add on third-party software to any Mic

        • I would argue that the case for platform diversity is VERY difficult to make. PARTICULARLY in corporations.

          The argument goes. In nature, species survival depends on diversity to maintain some portion of the population who can survive the onslaught of some new contagion. SO in computers we should mimic nature and have a heterogeneous mix of software so our computer networks can survive worm/virus contagion.

          BZZZT!

          Networks and corps are different to species. Computers don't multiply and diversify as a natur
          • Corporates or networks don't need SOME computers to survive. They need ALL to survive. Data is sacred not computers. Data is located in far flung pockets of the network. The loss of even small amounts of data can be disastrous. Telling someone "it's ok cos' some of our computers survived" will get you fired.

            For the Apollo 13 astronauts, ground control computer failure of any sort (including system compromise by hostile users) would have been all but a guaranteed death sentence for the 3 men aboard the cri
          • I know you're on a rant here :-) but I'd like to point out that if a worm finds one single hole in a perfectly homogeneous environment, then that worm is going to spread without limit.

            I'd also like to point out that even corporations don't have perfectly homogenous environments. Servers, desktops, workstations for various tasks such as artists, marketers, developers, etc., all have different needs and usually have different OS and application configurations.

            However, you're right in that commonality in

        • They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?

          The simple answer is "Yes, if needs be".

          Do you really think that in the event that heterogeneous environments become commonplace, they'll all just say "oh well, it's too hard now, better forget the years of practice and honing my skills and do something else instead"?

          It'll slow them down, sure, and it'll likely defeat the lesser malcontents, but there will always be people willin
      Call me cynical, but I think the public perception of corporate espionage is even more ignorant than that of regular espionage. I mean, if corporate espionage was as rife as people think it is then surely I, or one of the many other geeks here who work in highly "secure" environments, would have been approached to engage in it. I never have, have you? What are you gunna steal? Trade secrets? Release dates for products? Customer lists? Is this stuff even remotely valuable anymore?
        • Re:work work work... (Score:3, Interesting)

          by killjoe (766577)
          It's valuable to somebody. In any collection of documents you harvest from a company there will be mentions of their major competitors and to those people any and all information about the competition is valuable. If I offered a company details about their competition you can bet your ass they would pay me lots of money and would not even blink at buying it.
          • Yeah, they would, cause it would be illegal and people in business generally don't do things that are illegal. But hey, don't take my word for it. Go make contact with someone in a rival company and try selling them information, you'll quickly discover I'm right. Consider it a gentleman's wager, if I'm wrong you get $$$, if I'm right you get a jail sentence.
            • " Yeah, they would, cause it would be illegal and people in business generally don't do things that are illegal."

              ROLFLMAO. Thanks for the humor dude. I haven't laughed that hard in days. That's hilarious!

              But hey, while I got you let me ask you a question. All those hackers, spammers, people who control zombies, etc are they doing it for profit or fun?
              • Look! I'm the cynical one ok? We can't both be cynical. So go fuckin' sell some information to a competitor, preferably with a hidden camera on your person, or STFU.
      • Big bust in Israel for this sort of stuff
        http://www.personneltoday.com/Articles/2005/06/07/30214/Spies+like+us.htm [personneltoday.com]
    • It is, like very much else, all about the money. If you have enough zombie computers then you can use them to make money. You can sell your network to spammers or someone who wants to launch a major DDoS attack against their competition, or simply use them yourselves to market whatever you have to offer.

      1. Create a botnet
      2. ???
      3. PROFIT !!!
    • "What are these people gaining anyway?"

      Depends on who "these people" are.

      Anti viral company: Creating a greater need for their product.

      Support desk: More support calls to them.

      Someone with a grudge against a particular o.s: They can say that their o.s isn't as vulnerable.

      Script kiddie: They do it for their ego after watching hackers and getting all hot and sweaty by the sight of the davinci code

      Admin: Do it to get the Product Manager to allow upgrades on their networks and more staff and $$$

      • Re:work work work... (Score:5, Informative)

        by Flendon (857337) on Wednesday June 08, 2005 @01:45AM (#12755382) Homepage Journal
        I would like to see a worm that goes around and patches servers for a change. It can be done.

        Welchia [symantec.com] attempted to patch the DCOM RPC vulnerability that Blaster fed on and remove Blaster if present. It was called the "good samaritan worm". The problem was, as the AC pointed out, the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually had the same unfriendly welcome for the same reason.
    • What are these people gaining anyway?

      Chicks.
    • What are these people gaining anyway?

      About 9 pounds a week, on their staple diet of Cheetos and Mountain Dew?

  • This worm will certainly fail. It doesn't even try to gain access to network shares using the 'elusive' password:

    "trustno1"

    My idiot former roommate was a paranoid wannabe computer geek and he cherished his "cool password that I would never get because it uses numbers too".

    Dolt.

  • by Dancin_Santa (265275) <DancinSanta@gmail.com> on Tuesday June 07, 2005 @11:46PM (#12754946) Journal
    The whole problem is twofold. The first is stupid users. How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts? The second is privilege escalation at the binary level. System-level software with any sort of hole will allow an attacking program the ability to do whatever it wants, even if the user isn't running as root (the daemon is running at that level).

    We had a guy who was constantly downloading and running every attachment he ever received. We finally set him up with an ePod terminal and some crayons and haven't had a significant virus problem since. As a bonus, we get some interesting artwork to hang in the lobby.

    This goes to show the benefits of Open Source software. Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

    We can't take the drastic step of eliminating Windows on our networks because it is so entrenched, but the slow migration away from it one desktop at a time is giving us a whole new outlook on viruses.
    • by Indy Media Watch (823624) on Wednesday June 08, 2005 @12:03AM (#12755016) Homepage
      The first is stupid users.

      Sorry BOFH wannabe, they're not stupid users, they're just users.

      If they aren't doing what you would like, you obviously have a training deficiency which might be your fault, not theirs.

      How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts?

      By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple.
      • by killjoe (766577) on Wednesday June 08, 2005 @01:30AM (#12755338)
        "By undermining their efforts. And if they try to undermine your undermining of their undermining, simply undermine their undermining of your undermining of their undermining. It's really quite simple."

        I don't know where I heard this but...

        "You can never make anything idiot proof because idiots are so damned ingenious"
      • Sorry BOFH wannabe, they're not stupid users, they're just users.

        Sorry, wannabe nice guy, but the #1 sign of stupidity is that stupid people never know that they are stupid.
        If you are not stupid, but just unknowing about something, you know that listening to people who know about it is a smart idea. So you'll listen to what the admin or IT dude has to say and follow it.
        If you're stupid, you think you aren't, and you disregard it all. So you turn off the firewall, forget about that antivirus thingy and cho
    • by pschmied (5648) on Wednesday June 08, 2005 @12:13AM (#12755059) Homepage
      The whole problem is twofold. The first is stupid users... The second is privilege escalation at the binary level.


      Human stupidity is greatly amplified by weak architectures. If one lucky user gets a malicious email and executes the attachment (after unlocking the password protected zip and clicking on "Natalie_Portman_Naked.zip") that's bad enough. But cleaning up dozens or hundreds of PC systems clobbered by the resulting worm infestation is catastrophic. The industry is only starting to realize that we need better tools to fix stupid.



      -Peter



    • Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

      While I agree that open source is good stuff, your logic is retarded. You basically state that if the vulnerability is known by the attacker and not security companies that ther
      • if you had RTFA you might have had a chance to understand that security companies don't need good hearted coders to tell them about exploits, they monitor networks and see the attackers breaking in. From this information security companies can easily expose zero-day exploits.
    • How can you possibly secure a network against attacks if your users are constantly undermining your lockdown efforts?

      This really isn't that hard. I run 8 university computer labs, and in the last 2 years I have had 1 machine get infected. That machine was in a faculty member's office, and he had formatted it and reinstalled windows in order to undo my lockdown.

      Between good imaging tools (ghost, etc.), setting policies, using industry lock down tools (deep freeze, driveshield, etc.), and creative u

  • by hedley (8715) <hedley@pacbell.net> on Tuesday June 07, 2005 @11:49PM (#12754961) Journal
    Nice to see the industry's stock thumper is still #1 for attracting worms and looks to be still #1 in the future. Upon sighting wormsign one only need look close by for a compromised IIS box.

    Hedley
  • Uh, things are going to continue the way they have been going, probably.

    I found this essay most unimpressive.
  • by UnAmericanPunk (310528) on Tuesday June 07, 2005 @11:59PM (#12755004) Homepage
    This [homestarrunner.com] is all I could think of when reading this.

    "...we've got a KEG... of worms... and phytoplankton"
  • Schneier (Score:5, Informative)

    by pHatidic (163975) on Wednesday June 08, 2005 @12:11AM (#12755045)
    If you haven't already read his book Beyond Fear I would highly recommend it. For those of us who don't read books, he covers a good chunk of the material in 34 minutes in this interview [itconversations.com]. Also very fascinating, I even played it for my grandparents and they both enjoyed it, and have since told me that they have seen him talking on CSPAN or something like that.
    • Bruce Schneier is my hero. His blog [schneier.com] has been in my feed reader for quite a while.

      Some comments: I haven't read Beyond Fear yet, but I have read Applied Cryptography. The San Francisco Public Library kept it in a back room and asked me to surrender my ID to look at it. I have no idea why. Maybe it's a terrorism manual.

      • Cool. I have Practical Cryptography and I'd say that it is worth checking out of the library to read the first few chapters but not worth buying. He gives some good practical advice, but then he tries to give overviews of the algorithms by giving the math equations without explaining how they work. I guess this might be ok if you are a math major, but for the rest of us I'd say Applied Cryptography would be a better bet because supposedly (meaning I haven't read it) he actually explains the maths. Now I hat
  • by Anonymous Coward on Wednesday June 08, 2005 @12:12AM (#12755054)
    "Bruce Schneier has posted an interesting entry on expected attack trends to his blog."

    ...develop a worm that attacks trendy blogs.

  • by mrkitty (584915) on Wednesday June 08, 2005 @12:23AM (#12755101) Homepage
    For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
    http://www.cgisecurity.com/articles/worms.shtml [cgisecurity.com]
  • New South Wales Australia has just passed a law that prevents bosses spying on email. Even big ones with attachments.
  • Are We Glad.... (Score:3, Insightful)

    by Ecko7889 (882690) on Wednesday June 08, 2005 @12:53AM (#12755221)
    Aren't we so glad Microsoft is getting into the Anti-Virus Business.....oh wait...don't they make the OS?

    What happened to fixing the OS, so an AV isn't needed?

    Why do I even bother?
  • by salparadyse (723684) on Wednesday June 08, 2005 @12:55AM (#12755233)
    ... that to all intents and purposes it looks like an Operating System. It will give the user a limited amount of functionality in order to maintain its cover. Secretly it will report back to its maker about what you do on your computer and... Oh, wait a minute...
  • by tloh (451585) on Wednesday June 08, 2005 @01:11AM (#12755300)
    from the article:"We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks."

    While mainstream web services are cringing in anticipation of becoming targets, it is quite amusing to watch what seems to be one kind of filth devouring another.
  • "It's going to get worse".

    Hopefully, that'll save time before you go RTFA...
  • Shame the article doesn't mention the 50-100 items of anti-British/neo-Nazi spam many people received last month, which was believed to have been sent out by zombie PCs. I wouldn't be surprised if that was some kind of test of a new mass-mailing network; that many messages on one subject within a single day was unprecedented.

    Oh yeah, and that worm icon - come on, timothy, it's a caterpillar, surely.

  • by jayloden (806185) on Wednesday June 08, 2005 @07:42AM (#12756374)
    I spend my spare time making a virus/worm removal tool for viruses and worms that affect AOL Instant Messenger, and I definitely agree, they've gotten a LOT more sophisticated. I'm no antivirus expert, I've just been working with this particular area of viruses since 2003, so I've seen them progress over time. It used to be a simple executable in the root of the drive, or in the system directory, and a "Run" entry in the registry.

    Now these things screw with the shell setting for Windows, add themselves to the win.ini and system.ini registry entries and run themselves as services, drivers, etc. Even more annoying, they're copying the names of real windows files now, but dropping into different directories - like find.exe but in the Windows directory instead of System32. They create multiple copies of executables that run from every autorun entry they can find, and recreate each other. They communicate with IRC, they steal passwords and usernames to AIM accounts, and in at least a few cases I've found WinPCap and other sniffing or trojan tools installed as well.

    For many months, updating the AIM virus removal tool I maintain was a matter of a few seconds of updates. Then one weekend it turned into several hours of creating new functions and sections of code to handle all these new variants.

    The best I can figure, it's script kiddies or zombie botnet operators just running canned and packaged code, because after the first variant appears, a hundred more follow within a few weeks, using the same techniques or filenames. Generally, the purpose of these worms tends to be to download and install spyware - bringing in income through referral programs - and then leave the system open as part of a botnet.

    Lately, these techniques are being combined with common exploits on vulnerable websites, especially ones with some of the recent PHP vulnerabilities. Again, it's like botnet-in-a-can, grab some scripts and some code, change a few filenames or urls, and let 'er rip. It's certainly not getting any easier to put in the time to update the removal tool, that's for sure.

    -Jay
    http://jayloden.com/aimfix.htm [jayloden.com]
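The persistence tricks Jay lists (Winlogon shell tampering, the same value name dropped into every Run-type key, real Windows binary names copied into the wrong directory) and the 'Microsoft System Backup' entries Petersson describes earlier in the thread are exactly what a first-pass triage of an exported autorun hive should flag. The script below is an added example; it is not AIMFix, nor code from either poster. It parses a `.reg` export (the text format `regedit /e` produces) rather than the live registry so it runs anywhere, and the list of autostart keys, the list of binaries that belong in System32, and the expected Winlogon defaults are assumptions, not an exhaustive inventory. The sample export is constructed.

```python
"""Triage a .reg export for worm-style autorun persistence.

Added example, not from the Slashdot thread or the AIMFix tool.  Assumptions:
AUTOSTART_KEYS, SYSTEM32_BINARIES and WINLOGON_DEFAULTS are illustrative
lists, and the export is the plain-text format regedit writes.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

AUTOSTART_KEYS = (                      # assumed, not exhaustive
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
    r"\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
# Binaries that live in %SystemRoot%\System32; a same-named copy elsewhere is suspect.
SYSTEM32_BINARIES = {"find.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " in a single pass."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Return (key, value_name, data) for every REG_SZ value in a .reg export."""
    key, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _VALUE_RE.match(line)):
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):   # string values only
                out.append((key, name, _unescape(data[1:-1])))
    return out


def exe_path(data):
    """First executable in a command line: a quoted path, or text up to '.exe'."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1).strip() if m else data


def is_autostart(key):
    return any(key.lower().endswith(k.lower()) for k in AUTOSTART_KEYS)


def triage(entries, min_repeats=3):
    """Return human-readable findings for the persistence patterns described above."""
    findings, by_name = [], defaultdict(set)
    for key, name, data in entries:
        if not is_autostart(key):
            continue
        by_name[name].add(key)
        path = PureWindowsPath(exe_path(data))
        if path.name.lower() in SYSTEM32_BINARIES and path.parent.name.lower() != "system32":
            findings.append(f"system binary name outside System32: {path} ({key}\\{name})")
        if key.lower().endswith("winlogon"):
            default = WINLOGON_DEFAULTS.get(name.lower())
            if default and data.strip().lower() != default:
                findings.append(f"Winlogon {name} changed: {data!r}")
    for name, keys in by_name.items():          # same name sprayed across keys
        if len(keys) >= min_repeats:
            findings.append(f"value {name!r} repeated in {len(keys)} autostart keys")
    return findings


# Constructed sample export: a find.exe copy in \WINDOWS started from three
# keys under one name, the Winlogon shell chained to it, plus benign entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Backup"="C:\\WINDOWS\\find.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft System Backup"="C:\\WINDOWS\\find.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Backup"="C:\\WINDOWS\\find.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\find.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding)
```

Working from an export rather than the live hive is deliberate: the same script can be run against a hive pulled from an infected machine booted from clean media, where the worm's own re-creation of deleted entries (the behaviour Jay describes) cannot interfere with what you read.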
  • I've tried searching for this answer before but I haven't seen a conclusive answer. It seems to me that the ingredients are there, reproduction, and perhaps mutation from network errors, data corruption, etc?
    And a follow-up question is if not now, then will viruses evolve in the future when they get more complex?

    These papers are the closest thing to an answer I've found but still not conclusive to me:
    http://www.pcvirus.org/links [pcvirus.org]
  • There was a FUD article on one of the PHB-style IT news sites a year or two ago. This article said that new, more complex worms, were emerging, and that these worms could target systems across any processor architecture, any operating system, and with any software running therein, and that the worm could morph itself to get from one system to the next. What a bunch of hogwash. You would need a program that has the ability to search for and take advantages of vulnerabilities unknown at the time of writing (w
