Malicious Distributed Computing 208
Jeremy Erwin writes "In this whitepaper, Brandon Wiley suggests a possible design for a "superworm", a coordinated network of worm nodes. Typically worms are designed to infect as many hosts as possible, but as overly rapid growth can lead to early detection, this is a suboptimal strategy. The worm, dubbed Curious Yellow uses communication between worm nodes to ensure optimal infection rates."
Don't they.. (Score:5, Funny)
Read the paper (Score:4, Informative)
Re:Don't they.. (Score:2)
The problem with viruses like this one are the difficulty of debugging. "Ha, Ha! The world shall feel the wrath of my superworm!! Hunh?? What do you mean divide by 0 error??"
Pinky, are you thinking what I'm thinking? Yes, but Stallman's beard does tickle so....
The worst virus you can get on your computer is still Microsoft. Word will send unwanted information out to everyone you know, IE will allow anyone to execute remote code on your system, and Outlook will run whatever viruses you manage to send to it.
Now, can this guy get you to shell out $200 US for the privilege of running his virus?? I think not. Microsoft is still the champion of the virii.
Welcome to Virus.NET. Select a project from the new projects wizard:
Nimda Based Worm
Klez Based Worm
Office Macro
Some dippy ass VB script
Windows XP
Ho Hum.
~Hammy
Hmmm (Score:3, Interesting)
Isn't talking about stuff like that, well you know, illegal now? I'm certain that talking about theoretical virus attacks could be considered terrorism. I mean here you are talking about this horrible WHAT-IF scenario and giving bad people all sorts of good ideas (providing AID are we?) Hmmm I have a feeling that this post may cause trouble. I bet our FRIENDS at the Homeland Security office would like to speak to you =)
AWW BUT WHAT THE HELL DO I KNOW!
Re:Hmmm (Score:1)
Hah. Depends. Which $CONTINENT do you live in?
Re:Hmmm (Score:2)
just wait until you are Eurasia and we are Oceana.
Tin foil hats! (Score:5, Funny)
Microsoft's clickwrap agreement now states that you're only licensing the right to use your own brain matter, and they're legally entitled to read it at their leisure?
On with the tin foil hats....
Don't forget the DMCA (Score:3, Funny)
Careful...
Re:Hmmm (Score:5, Interesting)
As far as law enforcement is concerned, go ahead and think about it... the national security types are who you need to worry about =)
When is ThinkGeek getting Tin Foil hats with a stylish Tux logo?
Re:Hmmm (Score:2)
Interesting. Are the people whose machines are infected considered "in possession" of the virus, since it now resides on their hard drive?
Of course, I'm still waiting for the virus that infects your machine, then quietly downloads one kiddy-porn
Re:Hmmm (Score:2)
If Monkeyboy Ballmer was a lawyer, he'd be ranting "PRECEDENT PRECEDENT PRECEDENT" right now. Dangerous laws are the ones written so open that any meathead judge can come along and pass judgement, despite not having any clue whatsoever in the issue at hand.
Those viruses almost exist, by the way. Many of the new viruses getting out (about 4 new ones a day) spread through P2P apps and drop files that look like porn. It's not too much of a stretch to change the filename from hotlesbiansdoingit.mpg to hot16yearoldlesbiansdoingit.mpg, add an addressbook entry for a law enforcement contact, and THEN spam.
Re:Hmmm (Score:2)
But it's going to be *illegal* to possess devices or code which might be used to usurp computing resources, damage file systems, etc.
Where are people's priorities? It's all about the bottom line.
so (Score:5, Funny)
Re:so (Score:5, Funny)
Re:so (Score:2)
Thanks for the guide (Score:1, Funny)
I've been thinking (Score:5, Interesting)
What if... in order to decide whether the worm should switch to 'Turbo' infection speed, the worm queries google news for 'worm $0', and if the number of results > $we_have_been_discovered/, bang!
Previous worms used irc, but that doesn't guarantee the author to be anonymous, does it?
Re:I've been thinking (Score:3, Informative)
Re:I've been thinking (Score:2)
Re:I've been thinking (Score:2, Insightful)
Since all they have to do is keep watching for uninfected nodes, each node could wait for a code update (which includes the appropriate private key) and then work around the specific anti-worm software.
Re:I've been thinking (Score:4, Informative)
I propose that a breakthrough was made in the modularity of worm systems last year, with Code Red and Nimda. The infection mechanism can be separated from the intelligence/communication module and payload. Does anyone know how many machines are still infected by Nimda?? It's staggering. You could have a worm that only spread to machines already infected by Nimda, and virtually guarantee that it would never be detected. You'd 0wN a staggering number of machines, your worm could close off others' access to the same cmd.exe sitting in the web root, increasing survival chances for your host (less likely to be taken down), and you could do all the intelligent communication you wanted. Better yet, design a mechanism so that later versions of your worm will replace previous ones, so you can release updates as the design becomes more sophisticated. The possibilities are endless. As much time as you want to tinker with the perfect intelligent worm design, and you don't even have to write the infection module yourself.
I think wormnet design is one of the coolest theoretical exercises in CS... the problem right now is that there's no incentive to write intelligent worms (i.e. WormNet), because the unintelligent ones are so effective. Nimda was spotted almost immediately. It's still one of the worst. What's that tell you? When authors stop thinking about the individual worm, and start thinking that each worm is just a cell in a collective online entity... well, I'm kind of soured on calling things a paradigm shift, so I won't say.. d'oh!
Re:I've been thinking (Score:4, Interesting)
I like the paper, it's another reminder that the current approach of virus control simply doesn't work. Security needs a lot more depth and a lot more work - and not just on windows either
w/ AI (Score:2, Interesting)
Bzzzt (Score:1)
That was in an X-Files episode (Score:2, Informative)
Re:w/ AI (Score:5, Funny)
lol! (Score:2)
You know, the number of times we've played out the-near-destruction-of-human-kind-at-the-hands-o
ANN's make no sense here (Score:3, Insightful)
Remember, this thing needs to be small, not bloated.
Re:ANN's make no sense here (Score:2)
Re:w/ AI (Score:2, Interesting)
Seriously though, having a random hodgepodge of neural network nodes, randomly wired, and without having two endpoints with which to train the network really does you no good. Neural networks are trained to be intelligent by feeding them input, then looking at the output and massaging them to make them produce the correct output in hopes that they eventually "learn" a pattern.
Now essentially building a beowulf cluster of sorts by linking all the nodes into a distributed processing network that could be used to crack RSA keys and the like... And could propagate updates (mutations?) to the worm... Well that will work.
Plus when you're detected, you can go out in a huge DDoS blaze of glory...
that's nothing compared to the /. effect (Score:4, Informative)
Curious Yellow: The First Coordinated Worm Design
By Brandon Wiley
The Warhol worm design began the theoretical discussion of so-called "superworms", a new type of computer worm. A worm is a computer program which copies itself from computer to computer in an attempt to reproduce as much as possible. A superworm uses more advanced techniques to achieve very quick infection of the network. The primary strategy behind the Warhol superworm is to pre-scan the network for vulnerable targets. When the worm is launched it already has a large list of targets with a known method for infection and can therefore quickly infect an initial seed population.
One thing which the Warhol paper mentions is that better results might be achieved via a coordinated worm in which various instances of the worm on different computers communicate with each other in order to optimize infection. The Warhol paper states, however, that no coordinated worm has ever been created. This paper proposes the first design for a worm which utilizes efficient communication between worm instances for an optimal infection strategy.
Benefits and Difficulties of Coordination
The purpose of adding coordination to a worm design is to raise the level of sophistication in the attack from a simplistic greedy strategy to a more game theoretically optimal cooperative divide and conquer strategy. There are times when a greedy strategy can be suboptimal. Overly zealous propagation can lead to early detection and eradication. Also, it is simply wasteful for a worm instance to attempt to infect a system which has already been infected rather than choosing an uninfected host as a target. Unfortunately, typical worms have no information on which to base a more sophisticated attack. In order to divide the infection tasks among operative worms, the worms must know about each other and have a method for dividing work among themselves.
The difficulty in creating a coordinated worm is in minimizing the coordination costs among worms. Since the initial goal of a worm is generally to reach all hosts on the Internet, the number of eventual worm instances will be enormous. The coordination strategy must be able to scale reasonably to that number of instances. If every worm had to coordinate with every other worm, for instance, the amount of bandwidth used to communicate between the worms could easily exceed that used by a greedy worm, defeating the benefits of coordination. The coordination strategy must also be simple to encode since worm designers attempt to make worms as small as possible.
Efficient Coordination of Worms
Interestingly, the problem of efficiently organizing worm instances into a network which can act globally but which has reasonable coordination costs for each node is very similar to problems found in peer-to-peer networks. The particular task of the division of the task space among all of the currently active worms is very similar to the problem addressed in distributed hash tables (DHT) designs. One popular contemporary DHT design is called Chord. In Chord, each node is assigned a portion of the task space such that the space is divided evenly and randomly among all nodes. Chord has some useful properties. First, each node in the network is reachable from each other node in the network with a maximum of O(log N) intervening nodes. Additionally, each node only needs to maintain knowledge of O(log N) other nodes, thus keeping coordination costs down to a reasonable level. What this means in simple terms is that in a network of one million nodes each node only has to keep track of approximately 20 other nodes and for one node to send a message to another node in the most distant part of the network it would take at most 20 intervening nodes. Similarly, for a network of ten million nodes, each node has to keep track of approximately 23 other nodes and it will take at most 23 intervening nodes to reach from one side of the network to the other. There are advanced variants of the Chord architecture which layer additional properties on top of the guarantees provided by the basic Chord design. Anonymous Chord (Achord) adds the property that it is very difficult for any node to find out the identities of all of the other nodes in the network. This makes it more difficult for an attacker to disable the network by discovering the identities of nodes. By having worms form an Achord network, a global framework for division of the space to be attacked can be created with reasonable coordination costs.
Details of Coordinating Worm Attacks with Achord
In order to create an Achord network, each node needs to be assigned a unique, difficult to forge, difficult to generate identifier. Identifiers are assumed to be generally random and evenly distributed. Each task also needs such an identifier. Tasks are matched to the node whose identifier is the closest match. The method which Curious Yellow uses to assign identifiers to worms and targets is via the SHA1 hash of their IP address. It is relatively difficult to choose your own IP address and the SHA1 hash makes the identifier approximately random and evenly distributed.
The method for nominating a worm to attack a target is easy. Each Achord node knows the IP addresses of the two nodes whose identifiers are closest to its own. When it learns of a new target, it calculates the identifier for the target and then determines if it is closer to the worm's own identifier or one of its neighbors. If the worm is the closest to the target then it attacks the target. Otherwise, it informs the closer neighbor of the existence of the target and then forgets about it. Since the identifier space is globally consistent, decisions about which worm should attack will always be consistent. Additionally, the decision about who should attack does not require immediate communication between the worms. Communication is only necessary to inform nodes of found vulnerable nodes which they are responsible for attacking.
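The two sections above describe the identifier scheme (SHA-1 of an address) and the Chord routing properties the paper relies on: a key belongs to the node whose identifier follows it on the ring, every node keeps roughly log2(N) fingers, and any lookup reaches the responsible node in O(log N) hops. The Go program below is an added illustration, not code from the paper or from the Chord project; it simulates a Chord ring in memory with the 160-bit SHA-1 identifier space and plain Chord `find_successor` routing (Chord's successor rule is used for "closest node", rather than the paper's two-neighbour comparison). The addresses are constructed samples, and the simulation keeps a global sorted node list so it can compute any node's finger table on demand; a real node would only know its O(log N) fingers.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"math"
	"math/big"
	"sort"
)

// ringBits is the width of the identifier space: SHA-1 yields 160-bit IDs,
// so the ring has 2^160 positions.
const ringBits = 160

var ringSize = new(big.Int).Lsh(big.NewInt(1), ringBits)

// nodeID maps an address (or any task name) onto the ring with SHA-1.
func nodeID(s string) *big.Int {
	sum := sha1.Sum([]byte(s))
	return new(big.Int).SetBytes(sum[:])
}

// Ring is a simulated Chord ring: the sorted identifiers of all live nodes.
// Only the simulation sees this list; a real node knows O(log N) fingers.
type Ring struct{ ids []*big.Int }

func NewRing(addrs []string) *Ring {
	r := &Ring{}
	for _, a := range addrs {
		r.ids = append(r.ids, nodeID(a))
	}
	sort.Slice(r.ids, func(i, j int) bool { return r.ids[i].Cmp(r.ids[j]) < 0 })
	return r
}

// successor returns the first node at or after key going clockwise; in Chord
// that node is responsible for key.
func (r *Ring) successor(key *big.Int) *big.Int {
	i := sort.Search(len(r.ids), func(i int) bool { return r.ids[i].Cmp(key) >= 0 })
	if i == len(r.ids) {
		i = 0 // wrapped past the top of the ring
	}
	return r.ids[i]
}

// inRange reports whether x lies in the clockwise half-open interval (a, b].
func inRange(x, a, b *big.Int) bool {
	if a.Cmp(b) < 0 {
		return x.Cmp(a) > 0 && x.Cmp(b) <= 0
	}
	return x.Cmp(a) > 0 || x.Cmp(b) <= 0 // interval wraps through zero
}

// finger returns entry i of node n's finger table: successor(n + 2^i).
func (r *Ring) finger(n *big.Int, i int) *big.Int {
	start := new(big.Int).Lsh(big.NewInt(1), uint(i))
	start.Add(start, n).Mod(start, ringSize)
	return r.successor(start)
}

// closestPrecedingFinger scans n's finger table from the farthest entry down
// and returns the finger lying strictly between n and key, or n itself.
func (r *Ring) closestPrecedingFinger(n, key *big.Int) *big.Int {
	for i := ringBits - 1; i >= 0; i-- {
		f := r.finger(n, i)
		if f.Cmp(key) != 0 && inRange(f, n, key) {
			return f
		}
	}
	return n
}

// Lookup routes a query for key starting at node from, as Chord's
// find_successor does, and returns the responsible node together with the
// number of intervening nodes the query passed through.
func (r *Ring) Lookup(from, key *big.Int) (*big.Int, int) {
	cur, hops := from, 0
	for {
		next := new(big.Int).Add(cur, big.NewInt(1))
		succ := r.successor(next.Mod(next, ringSize))
		if inRange(key, cur, succ) {
			return succ, hops
		}
		n := r.closestPrecedingFinger(cur, key)
		if n.Cmp(cur) == 0 {
			return succ, hops
		}
		cur, hops = n, hops+1
	}
}

// TableSize is the paper's rule of thumb: each node tracks about log2(N) others.
func TableSize(n int) int { return int(math.Round(math.Log2(float64(n)))) }

func main() {
	var addrs []string
	for i := 0; i < 1000; i++ { // constructed sample addresses
		addrs = append(addrs, fmt.Sprintf("10.%d.%d.1", i/256, i%256))
	}
	r := NewRing(addrs)
	key := nodeID("198.51.100.7") // constructed target address
	for _, from := range []string{"10.0.0.1", "10.2.100.1"} {
		owner, hops := r.Lookup(nodeID(from), key)
		fmt.Printf("from %s: owner %040x after %d hops\n", from, owner, hops)
	}
	fmt.Println("fingers per node, 1e6 nodes:", TableSize(1000000), " 1e7 nodes:", TableSize(10000000))
}
```

Every starting node resolves the same owner for a key, which is the "globally consistent" decision the paper depends on, and the hop counts stay near log2(N) even though each hop only consults one node's finger table. `TableSize` reproduces the paper's figures of about 20 fingers for a million nodes and 23 for ten million.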
Uses of a Coordinated Worm Network
The initial deployment of the worm network using superworm pre-scanning techniques may take up to 15 minutes (Warhol) or merely 30 seconds (Flash). Once the initial seed network is deployed, it can be used as a platform for launching a second stage of activities. One obvious activity is distributed scanning of the network for vulnerabilities and further infection. Unlike Code Red, which used a greedy scanning strategy, Curious Yellow will have exactly one worm scanning each potential target. This will both reduce the load on the network and make detection less of a threat. The global connectedness of the entire worm network allows for an even more interesting type of distributed scanning than is at first apparent. Since all nodes are reachable from all other nodes, it is possible for the worm's creator to release code patches to all of the worms in the network and for these code patches to spread to the entire network even faster than the initial infection (less than 15 seconds). Therefore, as new exploits are found for previously invulnerable systems, they can be distributed to the worm network, which has already been building up a list of potential future targets. The Warhol method of pre-scanning attacks can thus be utilized repeatedly for rapid infection of diverse systems. The speed at which patches can be distributed to worms is so great that it will probably out-pace attempts to fix vulnerabilities. A zero-day exploit can be used by worms for infection before news of the vulnerability has even been made public. Code patches can also be made to change the behavior of the worm to mask signature behavior which could lead to its detection.
The second stage of infection allows the infection to progress from controlling a large portion of the network to controlling the overwhelming majority of the network. This is just another part of the infection stage. Once the majority of the network has been infected, Curious Yellow can lay dormant until part or all of it is activated for some purpose.
There are a number of possible purposes to which Curious Yellow could be used. One obvious use is to simply crash the majority of the Internet at once. Once it is activated, the worm network has achieved its purpose. A slightly more interesting use of the worm network would be to use it for distributed denial of service attacks against enemy hosts. The typical approach for this is to have all compromised hosts send a flood of packets to the target, thus overloading it sufficiently to keep any legitimate packets from getting through. However, this is a naive approach when given such an advanced network to work with. The Curious Yellow infection should, if properly deployed, control the vast majority of the network. All of the infected nodes can act in concert towards a common goal. Nodes and groups of nodes can be specialized for certain tasks. New directives can be sent to the entire network in less than 15 seconds. It is therefore not necessary to have the entire network gang up on a single machine in order to disable it. This is in fact a greedy rather than cooperative strategy and thus suboptimal. First of all, the target to be attacked is probably infected. Therefore, the worm controlling the target can simply be instructed to disable the target. Additionally, if all of the nodes surrounding the target simply drop traffic routed to the target then the target becomes unreachable. Finally, the worms controlling the hosts attempting to contact the target can simply ensure that no attempt to communicate to the server is ever made. Curious Yellow, acting globally and in unison, can make any host simply cease to exist as far as the network is concerned.
Having total control of all of the Internet's traffic allows for other, more interesting, attacks. Traffic can be modified arbitrarily as it passes through the network. Defacing a website no longer requires actually having access to the computer containing the website. Web pages can be defaced automatically as they pass through the network, resulting in the world's collective web browsers rendering the pages differently than they are stored on the servers, a problem that the server administrators are totally powerless to fix. All of the unencrypted traffic on the Internet can also be observed. The entity controlling Curious Yellow can pick out particular individuals to monitor or gather statistical information about a large number of individuals.
Of course, Curious Yellow's control over individual computers is not limited to controlling Internet traffic. As zero-day root exploits are found and patches distributed, worms can eventually gain superuser access to all of the machines, giving them access to all of the stored information and all of the spare resources such as hard drive space and CPU cycles, and the ability to surveil all of the world's Internet-connected computer users. By sending out code updates to the network which cause Curious Yellow to metamorphose into an anonymizing proxy network, its owners can connect anonymously to target computers and control them interactively, browsing files and watching what users do with them. They could also program the worms to automatically send back potentially interesting information. The spare resources of the world's computers could be utilized for whatever agenda the owners of Curious Yellow have in mind. In general the uses of the network are endless. The entity which controls Curious Yellow controls the world's computers.
The World After Infection
Dealing with the infection once it has been detected is difficult. Once a signature has been detected for the worm, it must be codified by the various competing virus scanner manufacturers and then distributed to infected computers, probably by voluntary downloads. Naturally, once an anti-virus patch for the worm becomes publicly available on the Internet, Curious Yellow will cause that site to disappear from the Internet. Inoculation will therefore have to happen by hand using physical media or network distribution which is secretive enough that the owners of Curious Yellow (subscribers to many major anti-virus update programs) don't find out about it. Once the patch falls into the hands of the creators, Curious Yellow will soon receive a counter-patch obsoleting the old anti-virus patch. Unfortunately, anti-virus distribution methods cannot keep up with the pace of Curious Yellow patch distribution. The only method which can eradicate the virus, therefore, is to disconnect the computers from the network and then apply via physical media patches which both eradicate the virus and patch the vulnerabilities which allowed it to spread. Once the virus is totally eradicated, the creators will wait for a new zero-day exploit to be discovered and then relaunch the virus with a new transmission vector and signature.
The only way to protect against Curious Yellow is to inoculate every computer with an anti-worm, Curious Blue, which uses similar technology to instantly distribute security patches. As soon as an exploit is discovered, a security patch must be released to Curious Blue before an exploit patch can be released to Curious Yellow. Infection and protection is thus primarily a race between the owners of the two entities. Of course, there might not be only two entities. There could be any number of competing vendors of Curious Blue offering different patches and different quality of service guarantees. Similarly, anyone with access to zero-day exploits could launch their own Curious Yellow. The battle does not end there, however. Curious Blue could act as an ideal platform for the initial stage of a Curious Yellow infection. All that is needed is an exploit in the Curious Blue code. Once one is found, the entire Curious Blue network can be turned, like a clever move in a game of Othello. The same is of course true of turning Curious Yellow into Curious Blue. These programs are particularly prone to such corruption because they are already designed to accept arbitrary code upgrades. They merely need to be fooled into accepting code which is not actually authorized.
Security, Cryptography, Signatures, and Trusted Code Updates
The authorization of code updates is a crucial component to both Curious Yellow and Curious Blue. Without a strong authentication system, the worm network can easily be taken over by an arbitrary attacker. The obvious way to do authentication is with public key signatures. In order to use public key signatures, the entity deploying the worm creates a pair of keys, one public and one private. The public key is distributed with the worm. The private key is known only to the worm's creator. When the creator wants to send a new code update, it generates a signature from the code using the private key. Since the worms have the public key, they can check to see if the signature was in fact generated by the matching private key. Using this technique, no attacker can send code updates to the network unless he possesses the creator's private key or finds a vulnerability in the worm which allows circumvention of the signature check.
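The paragraph above, and the earlier warning that an update-accepting network "merely need[s] to be fooled into accepting code which is not actually authorized", describe the property any auto-updating agent such as the paper's Curious Blue must have. The Go program below is an added illustration, not code from the paper: a publisher signs each update with a private key that stays on the signing machine, and a node carrying only the public key verifies the signature before installing. It adds one detail the paper does not spell out but that practitioners expect of an update channel: the version counter is bound into the signed bytes and must strictly increase, so a captured old update cannot be replayed to roll a node back to a version with a known hole. The key pair is generated at run time and the payloads are constructed strings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a code update as it travels through the network: a version
// counter, the payload, and the publisher's signature over both.
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

// signedBytes is exactly what gets signed: version || payload. Binding the
// version into the signature stops an attacker from pairing an old signature
// with a different payload or a different counter value.
func signedBytes(version uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, payload...)
}

// Publisher holds the private key, which never leaves the signing machine.
type Publisher struct {
	priv ed25519.PrivateKey
	next uint64
}

// NewPublisher generates a fresh key pair and returns the public half for
// embedding in the nodes.
func NewPublisher() (*Publisher, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Publisher{priv: priv, next: 1}, pub, nil
}

// Sign produces the next update, with a monotonically increasing version.
func (p *Publisher) Sign(payload []byte) Update {
	u := Update{Version: p.next, Payload: payload}
	u.Signature = ed25519.Sign(p.priv, signedBytes(u.Version, payload))
	p.next++
	return u
}

// Node is a network member that carries only the public key and the
// highest version it has accepted so far.
type Node struct {
	pub     ed25519.PublicKey
	version uint64
	code    []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrStale        = errors.New("update rejected: version not newer than installed")
)

// Apply installs an update only if the signature verifies under the embedded
// public key and the version is strictly greater than the installed one.
// The signature is checked first so that unsigned input never influences state.
func (n *Node) Apply(u Update) error {
	if !ed25519.Verify(n.pub, signedBytes(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= n.version {
		return ErrStale
	}
	n.version = u.Version
	n.code = append([]byte(nil), u.Payload...)
	return nil
}

func main() {
	publisher, pubKey, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	node := &Node{pub: pubKey}
	u1 := publisher.Sign([]byte("patch-1")) // constructed payloads
	u2 := publisher.Sign([]byte("patch-2"))
	fmt.Println("apply v1:", node.Apply(u1))
	fmt.Println("apply v2:", node.Apply(u2))
	fmt.Println("replay v1:", node.Apply(u1)) // old but validly signed: rejected as stale
	rogue, _, _ := NewPublisher()             // someone with their own key pair
	fmt.Println("rogue update:", node.Apply(rogue.Sign([]byte("patch-3"))))
	fmt.Printf("node runs %q at version %d\n", node.code, node.version)
}
```

The ordering in `Apply` matters: the version comparison only runs on bytes whose signature has already verified, so an attacker cannot use the version field to probe or to make a node skip ahead. What the code cannot protect against is the case the paper raises next, a bug in the verifier or theft of the private key; the private key's custody is the whole of the remaining problem.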
Maintaining the secrecy of the private key is an interesting problem in a world overrun by competing strains of Curious Yellow and Curious Blue. A simple strategy which an attacker controlling one worm network might use to compromise another is to instruct the network to search all computers for files that might potentially contain the private key of the competing network. Due to the large size of private keys, they cannot be easily remembered and so must be stored electronically somewhere. In order to keep the private key from being discovered, the creator will be forced to have a special computer used for generating signatures which is never connected to the network. Signatures will be generated on this computer and then transferred to a network-attached computer via removable media. The attack then is to find where in the network signatures are first introduced.
The worm network can be configured to search for signature files stored on removable media. The network can also monitor other coexisting worm networks to see when code updates are sent. When a received code update matches a signature file found on removable media, the creator of the worm has been detected. Naturally, the creator of a particular strain of Curious Yellow would prefer that his own computers were not infected with competing strains. Unfortunately, the only way to ensure this is to inoculate with a strain of Curious Blue, which will undoubtedly also be searching for the creator so as to have legal action taken against it. Assuming, however, that the creator has the resources to inoculate against all competing strains, it can still be tracked. As the code updates propagate through the network, competing strains can monitor the progress. Using statistical analysis of the propagation of code updates, the source of updates can eventually be traced. Once the location of the creator has been determined, physical coercion such as spying, threats, lawsuits, and arrest are possible to gain control of the private key and thus the worm network.
In order to avoid being traced, further cryptography is necessary. So that the progress of code updates through the network cannot be monitored, the worm code needs to be encrypted so that it cannot be easily examined to determine which code it currently is running. It is still possible to examine the contents in memory, but this will be a somewhat difficult task to encode in a program the size of a typical worm. Additionally, code updates being sent over the network must be encrypted so that their progress cannot be observed. Even with encrypted connections, however, the creator can still be traced through timing correlations. All the observer needs to see is that one worm contacted another, then that worm contacted a few others, leading into a cascade. Whichever worm made the first contact is the one closest to the creator. Defeating timing correlation requires the worm network to be constantly sending cover traffic to other worms. Luckily, code updates are generally small, so the amount of cover traffic to be generated is not very much. Once the network is communicating entirely over encrypted channels with constant cover traffic, the creator can send out code updates in an anonymous, untraceable manner. Not only that, but the creator can also use the network to render anonymous any other transactions, such as using it as an anonymous communications channel to converse with other entities and distribute files and information. This would be a boon to the usual cast of characters that could benefit from anonymous communication, such as people attempting to escape human-rights-violating regimes, international terrorists, and music fans.
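The tracing argument of the last two paragraphs, that an observer of encrypted links can still find the node closest to the creator because it is the one that sends before it has received, and that constant cover traffic removes that signal, is small enough to check concretely. The Go program below is an added illustration written from the observer's side, not code from the paper: it takes a constructed log of worm-to-worm contacts (timestamp, sender, receiver), applies the first-contact rule, and reports an origin only when exactly one node qualifies. The same rule is then run on the same cascade with cover traffic already flowing, where it finds nothing.

```go
package main

import "fmt"

// Contact is one observed connection between two nodes: who talked to whom,
// and at which (constructed) tick. Payloads are encrypted, so this is all an
// observer sees.
type Contact struct {
	T        int
	Src, Dst string
}

// TraceOrigin applies the first-contact rule: a node whose first send strictly
// precedes its first receive (or that never receives) sent the update into the
// network. It returns ok=false when no node, or more than one, qualifies.
func TraceOrigin(events []Contact) (origin string, ok bool) {
	firstSend := map[string]int{}
	firstRecv := map[string]int{}
	for _, e := range events {
		if t, seen := firstSend[e.Src]; !seen || e.T < t {
			firstSend[e.Src] = e.T
		}
		if t, seen := firstRecv[e.Dst]; !seen || e.T < t {
			firstRecv[e.Dst] = e.T
		}
	}
	var candidates []string
	for n, s := range firstSend {
		r, received := firstRecv[n]
		if !received || s < r {
			candidates = append(candidates, n)
		}
	}
	if len(candidates) != 1 {
		return "", false
	}
	return candidates[0], true
}

// cascade is a constructed update cascade: the creator hands the update to A
// off-network, A forwards it to two neighbours, and so on down the tree.
var cascade = []Contact{
	{10, "A", "B"}, {10, "A", "C"},
	{11, "B", "D"}, {11, "C", "E"},
	{12, "D", "F"}, {12, "E", "G"},
}

// withCover prefixes the same cascade with constant cover traffic: from tick 0
// every node sends padding to a ring neighbour each tick, so by the time the
// real update moves, every node has already both sent and received.
func withCover(cascade []Contact) []Contact {
	nodes := []string{"A", "B", "C", "D", "E", "F", "G"}
	var out []Contact
	for t := 0; t < 13; t++ {
		for i, n := range nodes {
			out = append(out, Contact{t, n, nodes[(i+1)%len(nodes)]})
		}
	}
	return append(out, cascade...)
}

func main() {
	o, ok := TraceOrigin(cascade)
	fmt.Printf("bare cascade: origin=%q found=%v\n", o, ok)
	o, ok = TraceOrigin(withCover(cascade))
	fmt.Printf("with cover traffic: origin=%q found=%v\n", o, ok)
}
```

The first run names A, the node adjacent to the creator; the second finds no candidate at all, which is the paper's point that timing correlation needs a quiet network to work against. From the defender's side this also says what monitoring buys: first-contact analysis is worth running on a newly discovered network, but it should not be the only way an analyst expects to locate an update source once that network starts padding its links.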
Who Do You Trust?
In the world after the global infection of the Internet by strains of Curious Yellow and the commercial availability of strains of Curious Blue, computer users will have a choice. One can either have a computer which is never connected to the Internet, risk almost certain infection and control by the various factions controlling Curious Yellow, or intentionally give control to the creators of Curious Blue. There are multiple issues of trust involved. Initially there is the question of whether one places more trust in the harmlessness of the hackers or the professional integrity of the security professionals. If one chooses Curious Blue then there is the issue of which strain will actually be effective in protecting one from infections by Curious Yellow. There is the additional issue of which strain can be trusted to not contain any vulnerabilities which can be exploited to turn it to the other side.
Kazaa and Altnet
There is a disturbing similarity between Curious Yellow and the new Kazaa feature, Altnet. Kazaa is a peer-to-peer file sharing network not entirely unlike Achord, but lacking some of the useful features. In later versions of the software Kazaa bundled a feature called Altnet, which is a second peer-to-peer network deployed alongside Kazaa nodes. When Kazaa is installed, Altnet is quietly installed as well. Buried in the licensing agreement which users click through when installing Kazaa are some interesting provisions concerning Altnet. The user agrees that Altnet is allowed to automatically receive and install code updates and modify settings on the user's computer. This makes Altnet a prime target to be corrupted and used as a widely deployed network from which to launch activities. All that is needed is the proper method for causing the supposedly 2.5 million Kazaa nodes to accept a rogue code update. Interestingly, such an attack has already occurred. While Kazaa is the predominant licensee of the FastTrack network technology, it was previously second to an application called Morpheus, another application using the FastTrack network. Morpheus was mysteriously shut out from the FastTrack network despite the fact that it was supposedly an entirely decentralized network without a central form of control. The network of Morpheus clients was shut down by a rogue code update, eventually discovered to have been sent by the company behind Kazaa. This is the first example of the sort of warfare between strains. It could escalate into being literally a war between worm strains if an entity discovers the key to making Kazaa accept code updates and mobilizes the Kazaa network as a first stage of infection, using it for decentralized scanning of the network for vulnerable hosts and an eventual global takeover of the Internet.
No need for inter-worm communications (Score:5, Insightful)
For example:
64 initial worms go out at
With a little bit more intelligence you can target the worms on major ISP DSL/Cable networks to infect the home machines.
Re:No need for inter-worm communications (Score:5, Insightful)
But if you combined those two schemes you could get worms reporting back that they're not getting anywhere and a new worm could start on that space.
Re:No need for inter-worm communications (Score:2)
Some of the worms would most probably be deleted by anti-virus programs before they could infect their share of the network. Many of them wouldn't even succeed in installing themselves in the first place.
You may try to remedy this off-line, using techniques from error correcting codes and fault-tolerant computations but I assume that doing it on-line is much simpler. OTH, if you have a degree in CS and like to create worms then why not try to learn some theory.
Of course (Score:5, Funny)
I'd say one good way to protect against it is don't open those files named YippeeImAnIdiot.jpg.vbs
Re:Of course (Score:2)
Re:Of course (Score:3, Insightful)
I'll go you one further... don't use any email client that has the capability of running scripts or executables received in email.
Sooooo Right! (Score:2)
Gosh, I wish I had some mod points to burn just now.... that's one of the best (even if it is obvious to most of us) points....
Precedent (Score:5, Informative)
Hash: SHA1
the Linux based 'Slapper' worm (link at end of message) was the first worm to create a peer-to-peer network of infected nodes. communication was basic, allowing the network to learn its own topology, and launch DDoS attacks as a single unit when commanded from a single remote location. the piece that Slapper is missing is authentication. imagine if the Slapper worm was written so that it carried with it a public key, and used that key to verify any command sent to it. the worm could be designed to not even reply to UDP requests whose signature fail, making remote detection completely impossible. signed messages would allow the worm author to remotely control the entire network of infected nodes exclusively, distributing patches to combat wormbusters, upgrades to allow the worm to infect new systems, and commands to launch DDoS attacks on targets of his choosing.
it's going to happen. you heard it here first.
- -s.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: i am sllort [slashdot.org] and i post AC [slashdot.org]
iD8DBQE9uR/OKpz2COjVE3YRAv1tAJ9HtLZ0AQDOfUvIGh4
igaqDD9fmOA8+/7Apub1nAs=
=XxoQ
http://zdnet.com.com/2100-1105-95
Re:Precedent (Score:2)
Most viruses and worms are written with specific hardware or processors in mind, so I guess I shouldn't worry as much with my Mac OS X system...or should I? If the code is really written to leech around or through a typical process in a UNIX flavor and not be concerned about hardware, then--oh, boy.
Thank God Mac OS X has many vulnerable services such as Apache, FTP, SSH, and the like switched off by default so you can't easily hose yourself. But one well-written trojan run on my computer could be a problem if I don't stay wary.
Re:Precedent (Score:2)
Encryption alone will not do this.
I agree that decrypting the UDP packet would be computationally infeasible, assuming strong encryption. Likewise, forging arbitrary packets would be impossible for the same reason.
But you could still use a type of replay attack to flush out infected hosts. Once you capture a command packet (with a sniffer) and the characteristic response on an infected system, you can just resend that packet to another system and then if you see the characteristic response, you know the system is infected. This might not qualify as remote, since you would have to be in a position to observe the "expected response," which realistically means, you have to be on the same subnet.
I don't know. You are definitely on to something. There is probably a simple workaround for the replay attack I outlined. But I don't want to give anyone ideas. I don't want to give a design seminar for hard to detect worms. ;-)
MM
--
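The two posts above describe a signed-command channel (sllort) and a resend attack against it (MM). The Go program below is an added example, not code from the paper or from either poster: a receiver that embeds only the author's public key, verifies the Ed25519 signature on every packet, stays silent on anything that fails, and rejects a packet whose sequence number is not higher than the last one it accepted. The packet layout, the function names and the commands are assumptions made for this example; the verification logic itself is the same one any agent that accepts remotely signed updates (a package manager, a configuration client) has to implement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Packet layout (an assumption made for this example, not from the paper):
//   8-byte big-endian sequence number || command bytes || 64-byte Ed25519 signature
// The signature covers the sequence number and the command together, so a
// captured packet can neither be altered nor re-numbered without the private key.
const sigLen = ed25519.SignatureSize

// SignCommand builds a signed packet. Only the holder of the private key can do this.
func SignCommand(priv ed25519.PrivateKey, seq uint64, cmd string) []byte {
	msg := make([]byte, 8+len(cmd))
	binary.BigEndian.PutUint64(msg, seq)
	copy(msg[8:], cmd)
	return append(msg, ed25519.Sign(priv, msg)...)
}

// Node is a receiver that trusts a single embedded public key.
// Sequence numbers start at 1; lastSeq == 0 means nothing accepted yet.
type Node struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

func NewNode(pub ed25519.PublicKey) *Node { return &Node{pub: pub} }

// Handle verifies one packet. It returns the command and true only when the
// signature checks out AND the sequence number is higher than any already
// accepted. Everything else is dropped with no reply, so a scanner that
// sends unsigned or forged probes learns nothing.
func (n *Node) Handle(pkt []byte) (string, bool) {
	if len(pkt) < 8+sigLen {
		return "", false // too short to hold a sequence number and a signature
	}
	msg, sig := pkt[:len(pkt)-sigLen], pkt[len(pkt)-sigLen:]
	if !ed25519.Verify(n.pub, msg, sig) {
		return "", false // forged or corrupted: stay silent
	}
	seq := binary.BigEndian.Uint64(msg[:8])
	if seq <= n.lastSeq {
		return "", false // replay of a packet already seen (MM's attack)
	}
	n.lastSeq = seq
	return string(msg[8:]), true
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	node := NewNode(pub)

	good := SignCommand(priv, 1, "status")
	cmd, ok := node.Handle(good)
	fmt.Println("signed packet:  ", cmd, ok) // status true

	_, ok = node.Handle(good)
	fmt.Println("replayed packet:", ok) // false: same sequence number

	forged := append([]byte(nil), good...)
	forged[8] ^= 0xff // flip one command byte; the signature no longer matches
	_, ok = node.Handle(forged)
	fmt.Println("forged packet:  ", ok) // false

	_, ok = node.Handle(SignCommand(priv, 2, "upgrade"))
	fmt.Println("next packet:    ", ok) // true: higher sequence number
}
```

One caveat worth noting: the counter is per-receiver state and starts at zero, so MM's trick of resending a packet captured from one host to a second, freshly infected host still works against this code, because the second host has never seen that sequence number. Closing that gap needs the signed message to also name its intended recipient, or to carry a timestamp the receiver checks against its clock; neither is done here.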
Re:Precedent (Score:2)
Re:Precedent (Score:2)
All Distibuted computing is malicious (Score:2, Funny)
I got the Curious Yellow worm (Score:4, Funny)
Don't drink the water, they said. Sure, whatever, I said.
I drank the water.
Like Real virususes (Score:5, Interesting)
the interesting thing here is the communication aspect. It's different than say a pre-programmed computer virus that does its thing on say jan 1 2000. Here the thing is adaptive and self organizing.
lets take this a step further. China is a breeding ground for both real and computer viruses. Real viruses like flu live in ducks, where they are harmless and mutate rapidly, transfer to pigs where they adapt to mammalian systems, then onto humans when they are ready. The Chinese computers, as discussed in slashdot, have become 80% exposed/infected to viruses.
currently these virii (computer) do not actually "breed" in the sense of evolving by themselves. But why not? Bacteria evolve during their own lifetimes by communicating (by exchange of circular DNA known as plasmids). If we start having computer-virus to computer virus communication we will soon have the capability for viruses that breed and like a genetic algorithm "learn" new ways of infecting a host, learn to tune their rates of infection, and develop new and better communication protocols.
A question emerges then of what happens next. Most viruses follow the pattern of being at first increasingly virulent and deadly to their hosts. Then over time as they begin to kill too many hosts they evolve to become less virulent as a survival strategy. at the same time the surviving hosts have become better at killing them. A truce ensues where the bugs are too hard to completely kill because they mutate quickly.
Current viruses have the ability to replicate but not to evolve. The first step in evolving sexual reproduction is communication with another virus. later will come information sharing and controlled mutation. Terminator here we come, but not the same way as the movie.
God's been there already (Score:2)
Kind of twilight zonish don't you agree? I still expect to peel back my skin one day to see gears and rods and sh!t
Re:God's been there already (Score:1)
Ah, but don't you see? God is a programmer [fourmilab.ch]. We're just following his footsteps. Now for the clincher... what if there are bugs in the system?
God: What, bugs? No way, I'm perfect! Just let me fix this tiny little thing... (BUM!) Ooops, sorry Bill!
Re:Like Real virususes (Score:2, Interesting)
No it is actually Like Real virususes (Score:2)
The real difference in the analogy is the sophistication of the host. In the real world hosts and parasites co-evolved. An early parasite did not have to be a very clever bug. just be one step ahead of its equally dim host. each co-evolving to exploit each other's weaknesses. Now we have some really complex or really simple but tricky bugs that have a level of sophistication that seems miraculous.
That is to say, if you were to create a man-made virus today without stealing the existing machinery from a natural bug, you would find it pathetically incompetent to deal with modern hosts. Likewise, current computer viruses are going up not just against sophisticated computer systems, but also against the human minds that are actively hunting them. Thus it's going to be a while before computer viruses can survive and mutate on their own. they will need human help to combat the humans trying to kill them.
On the other hand in china it appears there is a fertile breeding area where humans are not aggressively hunting bugs. this would be a good breeding ground for a simple bug to evolve to something actually AI quality.
Re:No it is actually Like Real virususes (Score:2)
Are you forgetting that a human being will have to be responsible for developing the AI for the virus? Today we can't even begin to understand the concepts behind self mutating computer viruses, and we may never fully understand the concepts.
And I, for one, am happy. I fear the day that mankind releases upon the world code that has the capacity to mutate and change under certain circumstances. No good can come of that.
Re:Like Real virususes (Score:1)
There were machines that would get infected with Concept.A, then infected with Concept.B (or something like that), with the second virus stomping on parts of A's delivery system.
You'd get Concept.A's autostart + Concept.B's autoload etc.
Quite a bear to remove, if I remember...
Re:Like Real virususes (Score:2)
What happens if Wiley's benign future doesn't happen and the worms kill the internet dead?
As far as curious yellow is concerned, there is only one host.
[OT] Real viruses (Score:5, Interesting)
It is not optimal for a virus to kill its host. Ever. End-of-story.
Because a virus cannot live outside of a host, it is important that the virus keep its host alive as long as possible. Therefore, each virus evolves in an "optimal host". This host is a type of life (animal, plant, even bacteria), in which the virus exists without killing the host. The problem arises when the virus tries to expand its territory to a non-optimal host. In some of these hosts, it can't even get a footing, and dies off without infecting cells. In others, however, it infects the cells in a non-optimal way, killing the host (and with it the virus).
For example, ebola tends to kill people. Depending on the strain, it's between 50% and 90% fatality in humans. Obviously, humans are not ebola's optimal host. However, there are some species of bats that carry the ebola virus, and are not affected by it. These bats are the natural hosts of ebola, allowing the virus the best opportunity to survive without overpopulating.
This is all from memory, as my wife's at work, so corrections are appreciated.
Re:[OT] Real viruses (Score:2)
On the other hand, there are plenty of bugs (but not viruses--they require a living host) that look at you as a large sack of purina bacteria kibble. All these things want to do is kill you and digest your tasty bits at their leisure. These bugs don't require a host to live.
to a certain extent the current crop of computer viruses seem to define success as mortally wounding the host. Self-preservation and adapting to their hosts are not the goals of most computer viruses.
Re:[OT] Real viruses (Score:2)
Plenty of potential hosts-- yet there is no epidemic, and smallpox is considered extinct in the wild. Why? Because a couple of decades ago, most everyone was vaccinated. No hosts, no new infections, no virus, no more need to vaccinate.
And yet, before vaccination, smallpox was very virulent, and quite deadly to its hosts.
Re:[OT] Real viruses (Score:2)
"optimal" virus strategies (Score:2)
Evolution selects for whatever increases reproductive success RIGHT NOW, not what might be theoretically optimal. It might be situationally "optimal" to the virus for the host to walk into a crowded room and explode in a shower of highly infective blood. This is basically what happens with Ebola, the patient becomes incredibly infectious to people around them. To be fair, your wife is (of course) correct that this sort of transmission usually is associated with new hosts, as in the case of Ebola. I bet the "wild" host for Ebola carries the virus without dying, perhaps having periodic bouts of the bloody runs to assist in spreading the virus to its conspecifics.
The exception, not the rule. (Score:2, Funny)
Consider smallpox and cold.
Smallpox of course does kill, but it's not around.. where is it? I don't see it, my neighbors and friends don't see it. Nobody sees it, except for biologists.
Smallpox is laughed at by the other viruses. It has the strength of Hercules, but what does it do with it? It pops up once every few generations and shows its strength, but is usually gone in a flash. Lame.
The common cold, on the other hand, is everywhere.. I have it right now, some of my neighbors and friends have it.. it's spreading like wild-fire!
The cold is a great virus.. it's like the star of the viruses.. it tries its hardest not to get the host sick, because a sick host stays home, and then the cold can't get to new hosts.
The real benefit of sanitation, plumbing in particular, is the quarantine of hosts infected by loser viruses. Viruses that devastate poor river villages in the tropics aren't a threat in the rich cities because of sanitation... a couple of people get the virus, stay home (to recover or die), and few others get exposed.
If you want to make better viruses, save us some time and make them cool, like the cold, instead of lame, like smallpox... we'll both be happier for it.
Re:Like Real virususes (Score:2)
Or, following what may have happened w/mitochondria, they start performing useful functions...say, drivers for graphics cards. Or would that prove Microsoft's point about the GPL being viral?
(Joke! Joke!)
Communication is a prerequisite to "genetics" (Score:2)
Digital RNA (Score:2)
On top of this layer we add "digital DNA," which now is merely a new object which adds new functionality both through its own code and through the interactions it has with other objects. Some objects might even "delete" other objects from the DNA. Other objects would act as vectors ('installers') for installing more DNA. Some would act as export objects, sending copies of object "DNA" to other viruses.
The current problem is that you can't just overwrite code with new code and expect it to work. Basically by setting up an object competition model new code that is flaky does not kill the virus. this allows adaptation.
real viruses often cut chunks of DNA out of their hosts, put their own wrappers (i.e. objects) around it and try it out and see what happens. if it's useless it eventually dies out in some generation. if it's useful you have some interesting new DNA.
Worms and 'payload' (Score:5, Interesting)
On Worms: It's not the distribution method I'm concerned about -- it's the impact.
Oh sure, this method is similar to the old nuclear war strategy -- "time on target" -- where the missiles were all set to arrive at their targets at the same time, increasing the surprise factor and decreasing the defensive options. But it's the bombs going off that really ruined your day.
After running plenty of all-nighters flushing out assorted virii from corporate nets, I've come to the conclusion that the worst infections are the ones that look like some other kind of problem. Imagine a worm that changes the IP address of random hosts to the gateway address, or is intelligent enough to worm its way around innocuously until it snags an admin account and can begin 'remote registry' operations, or changes the nameserver addresses to trojans that redirect shopping sites to credit card collection impersonation sites. That kind of stuff is the hard stuff to defend against, because you don't know it's happening until way after it happens.
Re:Worms and 'payload' (Score:2)
In either case, you appear to be an Evil Genius [tm].
You should join S.P.E.C.T.R.E (Special Executive for Counterintelligence, Terrorism, Revenge, and Extortion) [tripod.com].
Evil Genius (Score:2)
Re:Worms and 'payload' (Score:2)
The other option was popping random registry locations. At a low enough rate, it would not be distinguishable from the regular Windows bit-rot.
Xix.
Re:Worms and 'payload' (Score:2)
At some point the spread is so successful that close to 100% of Microsoft is infected, even the machine they use to do builds. Thus, future versions of windows come with this virus pre-installed.
Because of the extra debugging work to get rid of what is really virus behaviour, the windows registry and security model really is the best, but we'll never know because of the virus and the settings it uses.
Or not.
Interesting... (Score:2, Interesting)
Mike
A worm with a purpose? (Score:4, Interesting)
-(publicity) Hey, I'm an elite hacker, I've infected half the world's computers
-(revenge, idiocy, attack) I'm pissed at the world and for that your PC's will pay
-(information theft/hijacking) There's something on your computer I might want, and now the door is open to get it
Now, we have a type 4
-All your base are belong... er, I mean, we are the borg, you will be assi... er...
basically, an advanced form of "W3 0WN 40U."
Distributed worms could actually have a point though... There are still certain questions that any individual PC cannot solve (for which they are building voluntary, non-malicious, distributed systems) that could be processed by this worm. Curious blue (the fix to "curious yellow") could be launched as an "anti-worm, worm" using the same exploit as curious yellow to self-patch the hole.
Similarly, such a worm *could* be used to repair other known large-coverage bugs.
Of course, it would be just as illegal to create/launch "blue" as it would be to create/launch "yellow", but wouldn't it be nice if somebody were to let loose something that goes around fixing those annoying "code-red" and "nimda" infected systems still running amok?
Unfortunately, I cannot even use my own server with a "counterprocedure" to go out and repair those idiot machines that keep trying to access
Black hat hackers can't touch me, I run Red Hat not Black Hat - phorm
A worm with a GOOD purpose? (Score:2, Interesting)
What about a worm whose only effect was to change the MS Word default saving format to
I'm sure we would quickly have a world of MS morons saving their docs in a open file format, because they can't figure how to change back to their old
Re:A worm with a [real]purpose? (Score:2)
Did anyone else hear it? (Score:2)
Meanwhile, in another part of the city, H.A. Rey [amazon.com] begins work on on a cautionary tale about what happened when The Man in the Yellow Hat doesn't download the latest patches.
A new project? (Score:2)
easy way to kill it (Score:5, Interesting)
alternatively release a fake "wormcode patch" which poisons nodes after they pass it on. Such an anti-virus-virus would take the network down in less than 15 seconds. [blanu.net]
To be more robust, this worm has to start thinking smarter: it has to organise itself into a network of cells which are networks, rather than one big flat network. That way, only one node in each cell knows about only one node in an adjacent cell. If node A in cell 1 knows about node A' in cell 2, then when it gets compromised, it cannot betray nodes B', C' or D'.
Get the worm to spread until it knows about x number of nodes, and then tell each node that they are suddenly the only node in a new cell, and that all their old cell buddies are just their external contacts to other cells. repeat the process until you have global domination.
That way you can still issue orders, if you have access to the original cell, but if that cell dies, then the worm turns into many rogue cells which act on their standing orders... and any anti-virus-virus "patch" would have to start from the original cell....
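The post above contrasts one flat network with a network of cells, and argues that a captured node in the cell design can only betray its own cell plus one external contact. The Go program below is an added example, not code from the paper or the poster, that models both topologies and measures what a single capture exposes and whether orders from the original cell still reach every node. The node names, the cell wiring (every member knows its cell mates; the first member of each cell additionally knows the first member of the next cell) and the function names are assumptions made for this example; the same exposure measurement applies to any overlay an analyst is trying to map from one seized host.

```go
package main

import (
	"fmt"
	"sort"
)

// Topology maps each node to the list of peers it knows about.
type Topology map[string][]string

// Flat builds the "one big flat network": every node knows every other node.
func Flat(nodes []string) Topology {
	t := Topology{}
	for _, a := range nodes {
		for _, b := range nodes {
			if a != b {
				t[a] = append(t[a], b)
			}
		}
	}
	return t
}

// Cells groups nodes into consecutive cells of cellSize. Within a cell every
// member knows every other member; only the first member of a cell also knows
// the first member of the next cell (the single external contact in the post).
// This wiring is an assumption made for the example.
func Cells(nodes []string, cellSize int) Topology {
	t := Topology{}
	var cells [][]string
	for i := 0; i < len(nodes); i += cellSize {
		end := i + cellSize
		if end > len(nodes) {
			end = len(nodes)
		}
		cells = append(cells, nodes[i:end])
	}
	for ci, cell := range cells {
		for _, a := range cell {
			for _, b := range cell {
				if a != b {
					t[a] = append(t[a], b)
				}
			}
		}
		if ci+1 < len(cells) {
			t[cell[0]] = append(t[cell[0]], cells[ci+1][0])
		}
	}
	return t
}

// Exposure is what an analyst learns by capturing one node: its peer list,
// i.e. the nodes that node can "betray". Returned sorted for stable output.
func Exposure(t Topology, captured string) []string {
	peers := append([]string(nil), t[captured]...)
	sort.Strings(peers)
	return peers
}

// MaxExposure is the largest single-capture exposure over all nodes.
func MaxExposure(t Topology) int {
	max := 0
	for _, peers := range t {
		if len(peers) > max {
			max = len(peers)
		}
	}
	return max
}

// Reachable counts the nodes an order issued at start can reach by following
// peer links (breadth-first search). Orders from the original cell must still
// reach the whole network for the design to be usable.
func Reachable(t Topology, start string) int {
	seen := map[string]bool{start: true}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, p := range t[cur] {
			if !seen[p] {
				seen[p] = true
				queue = append(queue, p)
			}
		}
	}
	return len(seen)
}

func main() {
	nodes := make([]string, 12) // constructed sample: twelve nodes n00..n11
	for i := range nodes {
		nodes[i] = fmt.Sprintf("n%02d", i)
	}
	flat, cells := Flat(nodes), Cells(nodes, 4)
	fmt.Println("flat:  worst single capture exposes", MaxExposure(flat), "nodes")  // 11
	fmt.Println("cells: worst single capture exposes", MaxExposure(cells), "nodes") // 4
	fmt.Println("cells: capturing n05 exposes", Exposure(cells, "n05"))             // [n04 n06 n07]
	fmt.Println("cells: orders from n00 reach", Reachable(cells, "n00"), "nodes")   // 12
	fmt.Println("cells: orders from n05 reach", Reachable(cells, "n05"), "nodes")   // 8
}
```

The last line shows the cost the post alludes to: with one-directional links between cells, a node that is not in the original cell cannot reach the cells before it, so losing the original cell really does leave the rest acting only on standing orders.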
sign the patches (Score:2)
What's to stop the code from using crypto to sign the patches? Worms have the public key, author has the private key. Simple and reasonably bullet proof.
End of the year (Score:1)
Thanks
Some Ideas... (Score:1)
offtopic, i know.... (Score:1)
Vurt Reference - Curious Yellow (Score:1)
Re:Vurt Reference - Curious Yellow (Score:2)
Curious Yellow, Blue, Crypto, Minow (Score:2)
Mirror (Score:2, Informative)
Re:Mirror (Score:2)
How does the network fix itself? (Score:4, Interesting)
I could see one node saying "Hey, my neighbor disappeared, we need a new node," but he doesn't know the neighbor's other neighbor. This is exactly like a linked list - if you delete a node before switching the pointers around, you've just created a memory leak.
Also, to make this thing branch, won't each node need at least three neighbors?
Scary but Preventable (Score:4, Interesting)
In today's environment if a group of intelligent hackers with a wide range of skills deployed and attempted to control a Curious Yellow, they would probably succeed, although they would have to start with months of planning and exploit-discovering to make sure they had pre-prepared their own "zero-day" exploits for a wide variety of platforms (wintel may be dominant, but unices and even routers could be crucial to some of the attack plans). And in order to keep up an arms race, they will have to continually hear of or discover on their own new exploits before they get widely patched.
The whole problem here revolves around the insecurity of most operating system installs (especially Wintel, but commercial and free *nix are also relatively insecure by default). The real solution to scenarios like Curious Yellow on a global scale would be to secure all the operating systems by default. If every OS vendor would take a slightly more OpenBSD-ish tack on security, disabling most services by default and warning users of potential risks of turning them on misconfigured, auditing their code, and perhaps most importantly, open-sourcing their code for peer-review... it would severely limit Curious Yellow's ability to infect in the first place.
However, I think it's a pretty safe assumption that that level of universal computer security won't happen in the near future, and that some bright people are already coding their Curious Yellow variants. In that case the best you can hope for is to secure your own systems against Curious Yellow by being more secure than the norm. You won't be able to stop the distributed attacks and service problems that will affect your network traffic, but at least you can avoid being part of the problem and avoid direct control of your machine. Take the cautious road - deploy an OS you can see the source of. Disable mostly everything that listens to a network port. Take advantage of security-upping kernel patches (grsecurity for linux comes to mind, a collection of stack protection, randomization of various things, finer grained access control, etc). Run a firewall, make sure you know what it's doing and why. Don't let any traffic in unless there's a need, and keep an eye on that traffic. As with human infections, early detection leads to a faster recovery. Snort is your friend.
How to 0wn the Internet in your Spare Time. (Score:5, Informative)
The warhol paper largely got rolled into the "0wn the Internet" paper.
Biological viruses (Score:4, Interesting)
Perhaps the parallel to biology is too obvious to bother pointing out, but it's well understood in epidemiology that viruses that are quick to incubate, and nearly always fatal, historically couldn't propagate far and so haven't led to epidemics. This is why, for example, there are no Ebola epidemics: it kills such a high percentage of its victims, so quickly, that the virus effectively starves itself to death.
Of course today, with high speed travel so prevalent, we're giving the virii a hand in propagating, and doomsday scenarios become possible...
*shudder*
Asking for trouble... (Score:5, Interesting)
Then you make the child check up on its parent every now and then. When its parent fails to respond it tells its own children that this event has occurred (a sort of reverse TTL), when a child receives a rTTL of say 10 or more it knows that the game is up and goes berserk! Maybe additionally it could check on its siblings.
Thus killing the worm could (potentially) cause more trouble than if it were left alone. To kill it would require a pseudo parent to replace the real parent which would be able to report the IP of the infected child machines.
It's all getting very X-Files this.
Perhaps the partitioning 2, 10 or 100 is based in the rTTL. When no one has noticed use a small partition, when people start to kill off the parent then crank up the partitions.
MLM goes (truly) viral!
So is this a hydra? (Score:2)
MAD (Score:2)
If this were doable, I can really see a future of detente for the 'net. If you had a worm that would essentially take over the 'net, but you didn't know if it would really work or not, and the consequences for trying and failing were pretty severe, then you wouldn't want to try it out. You'd wait, and only if someone else released theirs would you fire off yours. Assuming that this idea isn't too tough for more than one group to figure out, within hours of the release of one superworm the 'net will be swarming with several different variants of the same idea, all fighting to ensure that their creators get a little piece of the soon-to-be balkanized network. Imagine not just tracking, fingerprinting, and distributing fixes for one of these plagues, but trying to fend off several at once, all of them able to almost instantly distribute defensive tactics, etc.
Frankly, the only way you could salvage the 'net (short of a complete reinstall on millions of machines) would be to partition it to cut down the communications avenues, and then sterilize each small subsection one by one. And unfortunately the triumph that is Internet-style routing probably means that partitioning the damn thing would be a lot tougher than you would think.
Obligatory Vernor Vinge Reference (Score:2)
Make the payload Distributed AI (Score:2)
I'm from the future, here to tell you this is how Skynet REALLY got started. If you don't believe me, ask your computer. Just speak clearly into the mic.
Isnt publishing that illegal? (Score:2)
But I could be wrong... don't have the name of the law handy to verify.
Misc thoughts (Score:2)
Like many others, I've been throwing around ideas along these lines for a while. More to the point:
All in all though, I think the main limiting factor to such an undertaking is its usefulness. I mean, what could be done with such a network while retaining its stealthy qualities? Any computation I can think of would require so many resources as to violate the stealthy nature of the beast. That is, even if such a calculation is network efficient, I think the high CPU usage would tip people off. Even if you patched the system so that task manager, top, etc, didn't report the worm's CPU usage, some people would notice that their computers are noticeably warmer, laptops have a shorter battery life, etc. If the creator of the network were to try to gain in any way through the use of stolen credit card or bank info, law enforcement would track them down when they try to use that information. So as another poster noted, this is really just a fancy way of saying "1 0wn y0u", which is really juvenile. Interesting thought exercise though.
-"Zow"
Re:Um, why?? (Score:4, Insightful)
BTW, it's called freedom of the press. they can do that. and they should do it (if they feel it's appropriate, not when you think it's appropriate)
Re:Um, why?? (Score:1)
Re:Um, why?? (Score:5, Insightful)
Besides, he's not the first person to think along these lines. Though he has a number of ideas I had never considered, I had come up with an idea for a worm that would build a peer to peer network to coordinate its activities and prevent it from spreading too quickly.
His idea for having it update itself against anti-virus software is something I hadn't considered and is quite ingenious, I think.
I wouldn't have ever written such a program as I have too much useful software to write to waste my time, but I've certainly thought of ideas on how one might go about it. If I have, and he has, then chances are, so have others, and eventually someone who has the time and motivation will actually do it, so best to protect against it now.
Re:Um, why?? (Score:3, Insightful)
Law enforcement frequently publish books on how to cheat, scam, swindle. The idea is to expose techniques to the public. If we have potential weaknesses in mind we are more likely to be cautious in designing and using the systems we use.
Re:Um, why?? (Score:4, Interesting)
Dunno?!?
I found this distributed autonomous intelligence / network worm idea very interesting, I wrote an article about it a couple of years back. Since then I've improved upon my ideas and maybe I'll release the new version in the up and coming 29A Virus Zine.
(the article) .. http://fourq.host.sk/iworm-net.htm
Sorry if you find this information too strong for your delicate palate. Don't follow the link if you think it's going to upset you so much. ;]]
A-Life, Evolution in the 21st Century.
It was published 25 years ago! (Score:4, Interesting)
Next, this is not new news, and not by a long shot. "The Adolescence of P1", a 1977 novel by Thomas Ryan, discusses a worm almost exactly like Curious Yellow. In it, the worm evolves along three lines: a hunger for new nodes, a paranoid fear of detection, and random mutation.
It takes over virtually every IBM computer in the world, which in 1977 was many thousands, and the author even deemed non-IBM computers as statistically irrelevant. Just as Nimda takes over unsuspecting Microsoft IIS Win2K machines, and deems others irrelevant.
The parallels are striking.
(In the novel, the random mutations cause it to develop sentience, at which point it starts reading news articles and tracks down its creator. But that's just where the "fiction" part of science fiction kicked in.)
It was a great read when I was back in high school. It may be dated, but it is prophetic.
I have to go home tonight and dig this out of my bookshelf. I think it now deserves a reread.