
Schneier on Attack Trends: More Complex Worms

Gary W. Longsine writes "Bruce Schneier has posted an interesting entry on expected attack trends to his blog. Of particular interest is the increasing sophistication of automated worm-based attacks. He cites the developing W32.spybot.KEG worm -- once inside a network it scans for several vulnerabilities and reports its findings via IRC. Trend Micro also has information on a scanning-capable version of this worm, which they call WORM_SPYBOT.ID."

  • Re:work work work... (Score:3, Interesting)

    by songofthephoenix ( 858004 ) on Wednesday June 08, 2005 @12:54AM (#12754983)
    "What are these people gaining anyway?"

    Depends on who "these people" are.

    Anti viral company: Creating a greater need for their product.

    Support desk: More support calls to them.

    Someone with a grudge against a particular OS: They can say that their OS isn't as vulnerable.

    Script kiddie: They do it for their ego after watching Hackers and getting all hot and sweaty at the sight of The Da Vinci Code.

    Admin: Do it to get the Product Manager to allow upgrades on their networks and more staff and $$$

    I would like to see a worm that goes around and patches servers for a change. It can be done.

  • Re:work work work... (Score:5, Interesting)

    by bersl2 ( 689221 ) on Wednesday June 08, 2005 @01:34AM (#12755146) Journal
    No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.

    Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?

    Can one then conclude that because the common wisdom seems to favor a uniform system, this is those people's just deserts?
  • Bruce Schneier is my hero. His blog [schneier.com] has been in my feed reader for quite a while.

    Some comments: I haven't read Beyond Fear yet, but I have read Applied Cryptography. The San Francisco Public Library kept it in a back room and asked me to surrender my ID to look at it. I have no idea why. Maybe it's a terrorism manual.

  • Re:work work work... (Score:5, Interesting)

    by pschmied ( 5648 ) on Wednesday June 08, 2005 @02:02AM (#12755261) Homepage
    Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?


    Excellent point. However, in practice it can be a tricky balance. For example, a company that runs AIX on the Power architecture is less likely to be vulnerable to the buffer overflow exploit of the week than, say, Linux on Intel.

    The trade off becomes "patch early, and patch often" versus "maintain an expensive development/build environment for a relatively obscure platform that sucks to build software on." As a person who has witnessed this phenomenon first hand and has felt the full pain of building all the standard OSS on AIX, I can tell you that Linux/Intel starts looking pretty good at times.

    As always, it's never black and white. Platform diversity == good. Too much platform diversity == major pain in the ass.

    -Peter
  • Re:work work work... (Score:3, Interesting)

    by killjoe ( 766577 ) on Wednesday June 08, 2005 @02:25AM (#12755330)
    It's valuable to somebody. In any collection of documents you harvest from a company there will be mentions of their major competitors, and to those people any and all information about the competition is valuable. If I offered a company details about their competition you can bet your ass they would pay me lots of money and would not even blink at buying it.
  • Re:work work work... (Score:3, Interesting)

    by bersl2 ( 689221 ) on Wednesday June 08, 2005 @02:34AM (#12755355) Journal
    Sure, at the single network level, moderation is good. I also meant at the level of the entire Internet, diversity is good.

    Everyone makes the "Oh, but if enough of us switch, then they'll start attacking [name of OS] too!" and commercial developers don't want to write cross-platform because it's not profitable.

    I propose that this offloads much of the cost onto the user setups, who pay in lost productivity, lost or stolen data, and sometimes directly financially, because they represent a large target. I argue that if there is enough of this happening that "complex" malware is being written, increasing the damage done, then perhaps the hidden costs equal or exceed that of developers' time and salary to make software work on diverse systems, something that can be recouped by raising prices slightly across the board.

    It's the same supporting argument as for diversity in biological systems, except that in this case, the selection is more effective than random.
  • Re:work work work... (Score:2, Interesting)

    by cassidyc ( 167044 ) on Wednesday June 08, 2005 @03:54AM (#12755593)
    And this "Something" would be what exactly?? Some mythical piece of software that has not and could never be created.

    The only way to ensure that a PC never propagates anything is to never turn the damn thing on.

    CJC
  • by muzzmac ( 554127 ) on Wednesday June 08, 2005 @06:27AM (#12755994)
    I would argue that the case for platform diversity is VERY difficult to make. PARTICULARLY in corporations.

    The argument goes: In nature, species survival depends on diversity to maintain some portion of the population who can survive the onslaught of some new contagion. So in computers we should mimic nature and have a heterogeneous mix of software so our computer networks can survive worm/virus contagion.

    BZZZT!

    Networks and corps are different to species. Computers don't multiply and diversify as a natural result of that. The only thing diversity in computers gives you is a CRAPPY understanding of your network and the risks therein. Oh and a fairly good likelihood that SOME computers in your environment are vulnerable to EVERY exploit for EVERY platform released.

    Corporates or networks don't need SOME computers to survive. They need ALL to survive. Data is sacred not computers. Data is located in far flung pockets of the network. The loss of even small amounts of data can be disastrous. Telling someone "it's ok cos' some of our computers survived" will get you fired.

    As far as I am concerned for corps the solution is to have a well understood build that is well protected from likely contagions and strong procedures, processes and technologies to rapidly detect and limit any outbreaks.

    Computer security is about building strong immune systems and rapid inoculation to new contagions. It probably will be for a long time. Survival of the fittest does not work.

    Oh, contagions in computer terms are different to the real world as well. Real world contagions are mutations. Good ones are flukes. In computing they are intelligent in that the developer is motivated, malicious and works hard to defeat your defences. They test their software against common inoculations such as anti-virus software and ensure it is resistant to them.

    Aaahhh. Rant over.
  • Re:Dumb sysadmins (Score:2, Interesting)

    by ObitMan ( 550793 ) on Wednesday June 08, 2005 @07:42AM (#12756178) Journal
    so you're saying you change jobs a lot due to being fired for security violations?
  • by jayloden ( 806185 ) on Wednesday June 08, 2005 @08:42AM (#12756374)
    I spend my spare time making a virus/worm removal tool for viruses and worms that affect AOL Instant Messenger, and I definitely agree, they've gotten a LOT more sophisticated. I'm no antivirus expert, I've just been working with this particular area of viruses since 2003, so I've seen them progress over time. It used to be a simple executable in the root of the drive, or in the system directory, and a "Run" entry in the registry.

    Now these things screw with the shell setting for Windows, add themselves to the win.ini and system.ini registry entries and run themselves as services, drivers, etc. Even more annoying, they're copying the names of real windows files now, but dropping into different directories - like find.exe but in the Windows directory instead of System32. They create multiple copies of executables that run from every autorun entry they can find, and recreate each other. They communicate with IRC, they steal passwords and usernames to AIM accounts, and in at least a few cases I've found WinPCap and other sniffing or trojan tools installed as well.

    For many months, updating the AIM virus removal tool I maintain was a matter of a few seconds of updates. Then one weekend it turned into several hours of creating new functions and sections of code to handle all these new variants.

    The best I can figure, it's script kiddies or zombie botnet operators just running canned and packaged code, because after the first variant appears, a hundred more follow within a few weeks, using the same techniques or filenames. Generally, the purpose of these worms tends to be to download and install spyware - bringing in income through referral programs - and then leave the system open as part of a botnet.

    Lately, these techniques are being combined with common exploits on vulnerable websites, especially ones with some of the recent PHP vulnerabilities. Again, it's like botnet-in-a-can: grab some scripts and some code, change a few filenames or URLs, and let 'er rip. It's certainly not getting any easier to put in the time to update the removal tool, that's for sure.

    -Jay
    http://jayloden.com/aimfix.htm [jayloden.com]
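The persistence tricks Jay lists (a genuine Windows file name such as find.exe dropped into the wrong directory, a changed Winlogon Shell, programs chained onto Userinit, the legacy win.ini run=/load= hooks, and one binary registered in several autostart locations so the copies recreate each other) can be triaged mechanically once the autostart entries have been collected. The following is an added example, not code from the AIMFix tool or from the original page. The allow-list of genuine system binaries, the entry locations and the sample entries are all constructed for the example; on a live host the entries would be read from the Run keys, the Winlogon key, the IniFileMapping of win.ini/system.ini and the services list.

```python
"""Triage Windows autostart entries for the persistence tricks described above.

Added example, not the AIMFix tool's code.  The entries in SAMPLE_ENTRIES are
constructed; a real tool would collect them from the registry and services list.
"""
import ntpath
from dataclasses import dataclass

# Assumption: a short allow-list of genuine binaries and the directory each
# belongs in.  A real tool would build this from a known-clean reference install.
KNOWN_SYSTEM_BINARIES = {
    "find.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass(frozen=True)
class AutostartEntry:
    location: str   # a Run value, "...\\Winlogon\\Shell", "win.ini\\run", "service:<name>", ...
    command: str    # the raw value stored there


@dataclass(frozen=True)
class Finding:
    location: str
    detail: str
    reason: str


def _first_token(command: str) -> str:
    """Executable path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _norm(path: str) -> str:
    return ntpath.normpath(path.strip()).lower()


def _launched_programs(entry: AutostartEntry) -> list:
    """Userinit is a comma-separated list of programs; everything else is one command line."""
    if entry.location.lower().endswith("winlogon\\userinit"):
        return [p.strip() for p in entry.command.split(",") if p.strip()]
    return [_first_token(entry.command)]


def triage(entries) -> list:
    findings = []
    launched_from = {}  # normalised exe path -> autostart locations that run it
    for e in entries:
        loc = e.location.lower()
        for exe in _launched_programs(e):
            exe_norm = _norm(exe)
            launched_from.setdefault(exe_norm, []).append(e.location)
            name = ntpath.basename(exe_norm)
            actual_dir = ntpath.dirname(exe_norm)
            expected_dir = KNOWN_SYSTEM_BINARIES.get(name)
            # 1. A genuine Windows file name, but not in the directory that file lives in.
            if expected_dir and actual_dir and actual_dir != expected_dir:
                findings.append(Finding(e.location, exe,
                                        f"{name} belongs in {expected_dir}, found in {actual_dir}"))
            # 2. Something chained onto Userinit besides userinit.exe itself.
            if loc.endswith("winlogon\\userinit") and exe_norm != EXPECTED_USERINIT:
                findings.append(Finding(e.location, exe, "extra program chained onto Userinit"))
        # 3. Shell replaced or extended (Winlogon\Shell, or the system.ini [boot] shell= mapping).
        if loc.endswith("\\shell") and e.command.strip().lower() != EXPECTED_SHELL:
            findings.append(Finding(e.location, e.command, "shell value is not explorer.exe"))
        # 4. win.ini run=/load= are legacy hooks; assumption: empty on a clean host.
        if loc in ("win.ini\\run", "win.ini\\load") and e.command.strip():
            findings.append(Finding(e.location, e.command, "legacy win.ini autostart in use"))
    # 5. One binary registered in several autostart locations (copies that recreate each other).
    for exe_norm, locs in launched_from.items():
        if len(locs) > 1:
            findings.append(Finding("; ".join(locs), exe_norm,
                                    f"launched from {len(locs)} autostart locations"))
    return findings


# Constructed sample: one benign Run entry plus the patterns described in the comment.
SAMPLE_ENTRIES = [
    AutostartEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon",
                   r"C:\WINDOWS\system32\ctfmon.exe"),
    AutostartEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\find",
                   r"C:\WINDOWS\find.exe"),
    AutostartEntry(r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
                   r"explorer.exe C:\WINDOWS\find.exe"),
    AutostartEntry(r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
                   r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\find.exe"),
    AutostartEntry(r"win.ini\run", r"C:\WINDOWS\find.exe"),
    AutostartEntry(r"service:aimhelper", r"C:\WINDOWS\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"{f.reason:55} {f.location} -> {f.detail}")
```

The directory check is deliberately based on the full normalised path rather than the file name alone, because the whole point of the trick is that the name is legitimate; the multi-location check is what tells you that removing one copy will not be enough.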
  • by scottv67 ( 731709 ) on Wednesday June 08, 2005 @11:32AM (#12758179)
    *Everything* is working at Layer 7 these days: Juniper/Netscreen IDPs, Websense's Network Agent, Blue Coat and so on.

    There are many good tools which can do "deep inspection" and take action.

    Hell, you could do it with Snort if you wanted to invest the time.
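What "working at Layer 7" buys you for the worm in the story (which reports its scan results over IRC) is that the detection keys on the IRC protocol itself rather than on the port, so a bot that talks IRC on 443 or 8080 is caught the same way as one on 6667. The following is an added example of that content-based check, not Snort's or any vendor's code; the regexes, the Flow/Alert types and the sample flows are constructed for the example, and a real implementation would run over reassembled TCP streams from a capture.

```python
"""Layer-7 detection of IRC client registration regardless of TCP port.

Added example, not Snort's or any product's code.  SAMPLE_FLOWS are constructed.
A port-only rule (alert on the usual IRC ports) is included for comparison.
"""
import re
from dataclasses import dataclass

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Client registration per RFC 1459/2812: NICK <nick>, USER <user> <mode> <unused> :<realname>,
# followed by JOIN <#channel>.  Server acknowledges with numeric 001-004.
_NICK = re.compile(rb"^NICK ([^\r\n ]+)", re.MULTILINE)
_USER = re.compile(rb"^USER \S+ \S+ \S+ :?\S", re.MULTILINE)
_JOIN = re.compile(rb"^JOIN ([#&][^\r\n ,]+)", re.MULTILINE)
_SERVER_WELCOME = re.compile(rb"^:\S+ 00[1-4] \S+", re.MULTILINE)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    client_data: bytes   # reassembled client -> server bytes
    server_data: bytes   # reassembled server -> client bytes


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    nick: str
    channels: tuple
    note: str


def classify_irc(flow: Flow):
    """Return an Alert if the stream carries an IRC client registration, else None."""
    nick = _NICK.search(flow.client_data)
    user = _USER.search(flow.client_data)
    if not (nick and user):
        return None
    channels = tuple(c.decode(errors="replace") for c in _JOIN.findall(flow.client_data))
    note = ("IRC on a standard port" if flow.dport in IRC_PORTS
            else f"IRC on non-standard port {flow.dport}")
    if _SERVER_WELCOME.search(flow.server_data):
        note += ", server accepted registration"
    return Alert(flow.src, flow.dst, flow.dport, nick.group(1).decode(errors="replace"),
                 channels, note)


def scan(flows) -> list:
    """Content-based check over every flow."""
    return [a for a in map(classify_irc, flows) if a is not None]


def port_rule(flows) -> list:
    """What a port-only rule sees: flows to the usual IRC ports, whatever they carry."""
    return [f for f in flows if f.dport in IRC_PORTS]


# Constructed sample: a bot on 443, real TLS on 443, a human IRC session on 6667, HTTP on 8080.
SAMPLE_FLOWS = [
    Flow("10.0.0.23", "203.0.113.9", 443,
         b"NICK bot2371\r\nUSER xp 0 * :xp\r\nJOIN #bots\r\n",
         b":irc.example.net 001 bot2371 :Welcome\r\n"),
    Flow("10.0.0.23", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03", b"\x16\x03\x03"),
    Flow("10.0.0.41", "198.51.100.7", 6667,
         b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n",
         b":irc.example.org 001 alice :Welcome\r\n"),
    Flow("10.0.0.41", "198.51.100.8", 8080,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS):
        print(f"{a.src} -> {a.dst}:{a.dport} nick={a.nick} channels={a.channels} ({a.note})")
    print("port rule alone would flag:", [f.dport for f in port_rule(SAMPLE_FLOWS)])
```

Requiring both NICK and USER (and noting whether the server answered with the welcome numerics) keeps the check from firing on a stray "NICK" string in unrelated traffic, which is the same reason a Snort content rule for this would match on the command sequence rather than a single keyword.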
