Schneier on Attack Trends: More Complex Worms
Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call WORM_SPYBOT.ID."
Anatomy of the Web Application Worm (Score:5, Informative)
http://www.cgisecurity.com/articles/worms.shtml
that would be illegal in New South Wales Australia (Score:2, Informative)
Re:Modern viruses attack from 2 directions (Score:2, Informative)
While I agree that open source is good stuff, your logic is retarded. You basically state that if the vulnerability is known by the attacker and not by security companies, there is nothing to worry about. What you meant to say is that there are enough freelance coders out there who check the code and are responsible enough to report exploits to the proper distribution channels.
Re:Dumb sysadmins (Score:3, Informative)
Without going into a long explanation, destination ports for outgoing connection attempts, such as port 6667, can be blocked from leaving the originating network. Even this method can be fine-tuned as to protocol/s, and so forth.
The worm probably uses a random outgoing port to connect to the IRC server, so I don't see how this would work without blocking other valid services.
That random port is the port of the machine attempting the outgoing connection to a port such as 6667, to put it simply. The random outgoing port is irrelevant to blocking destination ports.
A quick Google search returned these code examples from a Redhat firewall how-to page [redhat.com] using iptables:
and
I hope this helps. Here is a Google search [google.com] to get you started.
Re:work work work... (Score:5, Informative)
Welchia [symantec.com] attempted to patch the DCOM RPC vulnerability that Blaster fed on and to remove Blaster if present. It was called the "good samaritan worm". The problem was, as the AC pointed out, that the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually got the same unfriendly welcome for the same reason.
Re:work work work... (Score:3, Informative)
Is this the New Economics, the lost dream of IT visioneers?
BTW, this Monday my company network was badly infected with a yet unknown worm. It created about 15 registry values named 'Microsoft System Backup' to make itself start on a lot of occasions. I still can't find anything about it on the internet.
Despite our admins, I've installed personal firewall...
Re:Dumb sysadmins (Score:3, Informative)
The only outside access is via a web proxy.
But unless you have a very restrictive 'deny,allow' rule set (which we don't, because it simply wouldn't fly here), a worm can simply look up your proxy settings and use the web proxy instead. Or it can use port 443, and use HTTP CONNECT with the proxy to a remote system listening on port 443, then encrypt the traffic. To the proxy, it'll look like normal HTTPS traffic in transit. (This is the way we get SSH access to outside systems, despite not having any routing to the Internet - our SSH client uses the proxy, and connects to a remote SSH server that is set to listen on 443).
Re:work work work... Anti-malware tips.... (Score:2, Informative)
But first they have to infect it.
The easy way to avoid a zombied computer:
Pretty much use any OS other than one made by Microsoft. Since the market share for a non-Microsoft OS is so small, it isn't worth the malware author's time to attack them. A successful attack (if possible) would yield little or no damage in a collective sense.
On a Microsoft OS? More work is involved in order to stay malware free.
Go into IE and turn off ActiveX and scripting, or (religiously) use the Off By One browser or Lynx, neither of which understands ActiveX or scripting.
Treat your email and email attachments like 'text files' like I do. I only use Outlook to send email--not receive it.
Use a software firewall and antivirus. I use Agnitum's Outpost and Grisoft's AVG. I also recommended Trend Micro's Sysclean.
A great help would be to surf the internet from behind a hardware router that drops ALL incoming unsolicited connections. The other tips mentioned above should minimize the risk of system compromise from all other user initiated connections.
Re:Dumb sysadmins (Score:2, Informative)
This actually makes it easier to detect the "rogue apps" trying to exit the corporate network. If everyone tries to use port 80, then I have to redirect only port 80 with WCCP. I run the port 80 traffic through various Layer 7 scrubbing appliances to pick off the stuff that we don't want to leave our network.
It's like shooting fish in a very small barrel.
Re:Dumb sysadmins (Score:2, Informative)
You mentioned worms that encrypt their traffic. This traffic would be difficult to detect and block using Layer 7-aware appliances.
There is a similar trick to your SSH workaround to get the Citrix client to work over port 80. Part of Citrix (nfuse?) can use port 80, and the traffic *looks* like HTTP. But it's really not HTTP, and a proxy can break the Citrix connection. The solution is to tell Citrix to use a "secure" connection so that it sends the "HTTP CONNECT" command to the proxy. Then the proxy doesn't monkey with the Citrix traffic passing through. It's an ugly work-around, but it is needed because of the HTTP proxies at our perimeter. (You also need to tell your HTTP proxy that port 80 is okay for HTTPS traffic so that it will accept the HTTP CONNECT command on port 80.)
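The two comments above describe the same blind spot from both sides: once a worm (or a user) issues HTTP CONNECT to the perimeter proxy, the proxy sees only an opaque tunnel, and allowing CONNECT on port 80 for Citrix widens it further. The one place that still records every tunnel is the proxy access log, so the following added example (not code from the thread or from any product it mentions) triages CONNECT entries for the signs a defender can still see: bare-IP destinations, tunnels to ports other than 443, and long-lived tunnels that move very little data. The Squid native log layout, the thresholds, and all addresses and host names are constructed assumptions.

```python
import re

# Constructed sample lines in the Squid native access-log layout (an assumption; the
# thread names no proxy product): time, elapsed ms, client, result, bytes, method, URL, ...
SAMPLE_LOG = """\
1102600001.123    240 10.1.2.3 TCP_TUNNEL/200 18200 CONNECT login.example.com:443 - DIRECT/203.0.113.10 -
1102600002.456 905000 10.1.2.44 TCP_TUNNEL/200 4100000 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1102600003.789    120 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/192.0.2.5 text/html
1102600004.012 600000 10.1.2.44 TCP_TUNNEL/200 2048 CONNECT 198.51.100.7:6667 - DIRECT/198.51.100.7 -
1102600005.345  30000 10.1.2.90 TCP_TUNNEL/200 700000 CONNECT citrix.example.com:80 - DIRECT/192.0.2.9 -
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
                     r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_connect(line):
    """Fields of a CONNECT tunnel entry, or None for any other method."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "CONNECT":
        return None
    host, _, port = m.group("url").rpartition(":")  # CONNECT target is host:port
    return {"client": m.group("client"), "host": host,
            "port": int(port) if port.isdigit() else 0,
            "ms": int(m.group("ms")), "bytes": int(m.group("bytes"))}

def classify(tunnel, allowed_ports=(443,), long_ms=300_000, low_bytes=65_536):
    """Reasons a tunnel deserves review (empty list = looks routine).
    Thresholds are illustrative; tune them against the proxy's own baseline."""
    reasons = []
    if IPV4_RE.fullmatch(tunnel["host"]):
        reasons.append("ip-literal destination")        # no DNS name to vet
    if tunnel["port"] not in allowed_ports:
        reasons.append(f"non-standard CONNECT port {tunnel['port']}")
    if tunnel["ms"] >= long_ms and tunnel["bytes"] < low_bytes:
        reasons.append("long-lived low-volume tunnel")  # idle, beacon-like channel
    return reasons

def triage(log_text):
    """(client, target, reasons) for every CONNECT entry that has findings."""
    findings = []
    for line in log_text.splitlines():
        tunnel = parse_connect(line)
        if tunnel is not None and (reasons := classify(tunnel)):
            findings.append((tunnel["client"], f"{tunnel['host']}:{tunnel['port']}", reasons))
    return findings

if __name__ == "__main__":
    for client, target, reasons in triage(SAMPLE_LOG):
        print(f"{client} -> {target}: {'; '.join(reasons)}")
```

The port-80 Citrix tunnel is reported, not blocked: a site that deliberately allows CONNECT on 80 would whitelist its known Citrix hosts and keep the check for everything else.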