
Schneier on Attack Trends: More Complex Worms

Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call WORM_SPYBOT.ID."

  • Schneier (Score:5, Informative)

    by pHatidic ( 163975 ) on Wednesday June 08, 2005 @01:11AM (#12755045)
    If you haven't already read his book Beyond Fear I would highly recommend it. For those of us who don't read books, he covers a good chunk of the material in 34 minutes in this interview [itconversations.com]. Also very fascinating, I even played it for my grandparents and they both enjoyed it, and have since told me that they have seen him talking on CSPAN or something like that.
  • by mrkitty ( 584915 ) on Wednesday June 08, 2005 @01:23AM (#12755101) Homepage
    For those wondering about other advances/predictions in worms check out this paper I wrote a few years ago.
    http://www.cgisecurity.com/articles/worms.shtml [cgisecurity.com]
  • by Amakiell ( 743758 ) on Wednesday June 08, 2005 @01:40AM (#12755170)
    New South Wales Australia has just passed a law that prevents bosses spying on email. Even big ones with attachments.
  • by Coolpup ( 796096 ) on Wednesday June 08, 2005 @02:17AM (#12755310) Homepage
    Being able to see the code gives attackers a practically clear window into the guts of any network relying on that software. More eyes means more vulnerabilities found, so the network is actually safer because all these holes are known, if not by the security companies themselves, by the attackers who attempt to exploit the bugs.

    While I agree that open source is good stuff, your logic is retarded. You basically state that if the vulnerability is known by the attacker and not security companies that there is nothing to worry about. What you meant to say is that there are enough freelance coders out there that check the code and are responsible enough to report exploits to the proper distribution channels.
  • Re:Dumb sysadmins (Score:3, Informative)

    by The Jonas ( 623192 ) on Wednesday June 08, 2005 @02:29AM (#12755336)
    How can they block the outgoing ports? This isn't the incoming ports of the IRC server (usually 6667)

    Without going into a long explanation, destination ports for outgoing connection attempts, such as port 6667, can be blocked from leaving the originating network. Even this method can be fine-tuned as to protocol/s, and so forth.

    The worm probably uses a random outgoing port to connect to the IRC server, so I don't see how this would work without blocking other valid services.

    That random port is the port of the machine attempting the outgoing connection to a port such as 6667, to put it simply. The random outgoing port is irrelevant to blocking destination ports.

    A quick Google search returned these code examples from a Redhat firewall how-to page [redhat.com] using iptables:
    iptables -A OUTPUT -p TCP --sport 6699 -j REJECT

    and
    iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP


    I hope this helps. Here is a Google search [google.com] to get you started.
  • Re:Dumb sysadmins (Score:3, Informative)

    by sr180 ( 700526 ) on Wednesday June 08, 2005 @02:45AM (#12755381) Journal
    Why even have port 80 open? Just force all web traffic to go through a proxy if you want it to be secure.

  • Re:work work work... (Score:5, Informative)

    by Flendon ( 857337 ) on Wednesday June 08, 2005 @02:45AM (#12755382) Homepage Journal
    I would like to see a worm that goes around and patches servers for a change. It can be done.

    Welchia [symantec.com] attempted to patch the DCOM RPC vulnerability that Blaster fed on and remove Blaster if present. It was called the "Good Samaritan worm". The problem was, as the AC pointed out, the network traffic Welchia generated DoSed any network that it "aided". Other "helpful" viruses have existed, but usually had the same unfriendly welcome for the same reason.
  • Re:work work work... (Score:3, Informative)

    by Petersson ( 636253 ) on Wednesday June 08, 2005 @03:02AM (#12755431)
    and then sell it to spammers

    Is this the New Economics, the lost dream of IT visioneers?

    BTW this Monday my company network was badly infected with a yet unknown worm. It created about 15 registry values named 'Microsoft System Backup' to make itself start on a lot of occasions. Still can't find anything about it on the internet.

    Despite our admins, I've installed a personal firewall...

  • Re:Dumb sysadmins (Score:3, Informative)

    by interiot ( 50685 ) on Wednesday June 08, 2005 @03:03AM (#12755433) Homepage
    Yup, that's what my Fortune 100 company does. Only three egresses, and all of them have a username and password so viruses can't get out unless they keylog or ethersniff. It's actually quite a huge PITA for normal users.
  • Re:Dumb sysadmins (Score:3, Informative)

    by Alioth ( 221270 ) <no@spam> on Wednesday June 08, 2005 @04:02AM (#12755613) Journal
    That's what we do here. In fact, we don't actually route anything onto the Internet, and our internal DNS servers do not resolve names outside of our network.

    The only outside access is via a web proxy.

    But unless you have a very restrictive 'deny,allow' rule set (which we don't, because it simply wouldn't fly here), a worm can simply look up your proxy settings and use the web proxy instead. Or it can use port 443, and use HTTP CONNECT with the proxy to a remote system listening on port 443, then encrypt the traffic. To the proxy, it'll look like normal HTTPS traffic in transit. (This is the way we get SSH access to outside systems, despite not having any routing to the Internet - our SSH client uses the proxy, and connects to a remote SSH server that is set to listen on 443).
  • by iamcf13 ( 736250 ) on Wednesday June 08, 2005 @04:39AM (#12755727) Homepage Journal
    They turn your machine into a zombie and then sell it to spammers.

    But first they have to infect it.

    The easy way to avoid a zombied computer:

    Pretty much use any OS other than one made by Microsoft. Since the market share for a non-Microsoft OS is so small, it isn't worth the malware author's time to attack them. A successful attack (if possible) would yield little or no damage in a collective sense.

    On a Microsoft OS? More work is involved in order to stay malware free.

    Go into IE and turn off ActiveX and scripting, or (religiously) use the Off By One browser or Lynx, which both don't understand ActiveX and scripting.

    Treat your email and email attachments like 'text files' like I do. I only use Outlook to send email--not receive it.

    Use a software firewall and antivirus. I use Agnitum's Outpost and Grisoft's AVG. I also recommend Trend Micro's Sysclean.

    A great help would be to surf the internet from behind a hardware router that drops ALL incoming unsolicited connections. The other tips mentioned above should minimize the risk of system compromise from all other user initiated connections.
  • Re:Dumb sysadmins (Score:2, Informative)

    by scottv67 ( 731709 ) on Wednesday June 08, 2005 @11:39AM (#12758275)
    Right, and what will happen with people running services that are blocked? That's right, they'll just start using the "magical" port 80 that lets people connect to it.

    This actually makes it easier to detect the "rogue apps" trying to exit the corporate network. If everyone tries to use port 80, then I have to redirect only port 80 with WCCP. I run the port 80 traffic through various Layer 7 scrubbing appliances to pick off the stuff that we don't want to leave our network.

    It's like shooting fish in a very small barrel.
  • Re:Dumb sysadmins (Score:2, Informative)

    by scottv67 ( 731709 ) on Wednesday June 08, 2005 @11:45AM (#12758363)
    I like the SSH work-around to connect to the proxy that is your egress from the corporate network. Very elegant.

    You mentioned worms that encrypt their traffic. This traffic would be difficult to detect and block using Layer 7-aware appliances.

    There is a similar trick to your SSH-workaround to get the Citrix client to work over port 80. Part of Citrix (nfuse?) can use port 80 and the traffic *looks* like HTTP. But it's really not HTTP and a proxy can break the Citrix connection. The solution is to tell Citrix to use a "secure" connection so that it sends the "HTTP CONNECT" command to the proxy. Then the proxy doesn't monkey with the Citrix traffic passing through. It's an ugly work-around but is needed because of the HTTP proxies at our perimeter. (You also need to tell your HTTP proxy that port 80 is okay for HTTPS traffic so that it will accept the HTTP CONNECT command on port 80).
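Alioth's comment above notes that SSH (or a worm's IRC session) pushed through "CONNECT host:443" looks like ordinary HTTPS to the proxy, and scottv67 adds that such tunnels are hard for Layer 7 appliances to pick off. The added example below (not code from the thread or from any product mentioned in it) shows the one place where they still differ: the first bytes the client sends inside the tunnel. A real HTTPS session opens with a TLS ClientHello record; SSH opens with an "SSH-" banner; an IRC bot registers with NICK/USER. The host names, port policy and sample payloads are constructed for the example.

```python
# Added example, not code from the Slashdot thread or any product it names.
# A proxy that keeps the first client bytes after a CONNECT can tell a real
# HTTPS session (TLS ClientHello record) from SSH or IRC tunnelled over 443.
# All payloads below are constructed samples.

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01       # handshake message type: ClientHello
IRC_REGISTRATION = (b"NICK", b"USER", b"PASS", b"CAP")


def classify_tunnel_payload(data: bytes) -> str:
    """Classify the first bytes a client sends through a CONNECT tunnel."""
    # TLS record header: type(1) version(2) length(2), then handshake type(1)
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE_RECORD
            and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first_line.split(b" ", 1)[0].upper() in IRC_REGISTRATION:
        return "irc"
    return "unknown"


def audit_connect(dst_host: str, dst_port: int, first_bytes: bytes) -> str:
    """Return 'ok' for a TLS tunnel to port 443, otherwise a reason to flag it."""
    kind = classify_tunnel_payload(first_bytes)
    if dst_port != 443:
        return f"flag: CONNECT {dst_host}:{dst_port} is not an HTTPS port ({kind})"
    if kind != "tls":
        return f"flag: CONNECT {dst_host}:443 carries {kind}, not TLS"
    return "ok"


# Constructed samples of the first client bytes seen in three tunnels.
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303") + bytes(32)
SAMPLE_SSH = b"SSH-2.0-OpenSSH_4.0\r\n"
SAMPLE_IRC = b"NICK bot1234\r\nUSER bot1234 0 * :bot\r\n"

if __name__ == "__main__":
    for host, port, payload in [("bank.example", 443, SAMPLE_TLS),
                                ("shell.example", 443, SAMPLE_SSH),
                                ("irc.example", 443, SAMPLE_IRC),
                                ("irc.example", 6667, SAMPLE_IRC)]:
        print(host, port, audit_connect(host, port, payload))
```

Only the leading bytes are inspected, so a tunnel that sends a genuine ClientHello and then switches protocols would still pass; pairing this check with the egress port restrictions discussed earlier in the thread narrows that gap.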
