Security

Curious Yellow, Superworm

jpmccord writes "Brandon Wiley's white paper, Curious Yellow, explains how "a superworm -- a worm that coordinates its actions among infected hosts and launches a massive distributed denial of service attack on any hosts it can't infect using those it can" (via disLEXia, a weblog by Maximillian Dornseif). The "doomsday scenario" frightens "even us", says Dornseif. An accompanying discussion rebukes Wiley's article a bit. Aaron Swartz's light-hearted take is rather entertaining: "So go read it now and find out how you can take over the whole Internet. And if you're going to, could you give me 24 hours' notice?""
  • worms to crawl (Score:1, Interesting)

    Maybe worms may crawl similarly to a spider.

    Why let the worms have all the fun?

    A spider attack could crawl all the webservers looking for IIS machines, or flaws on other servers. Link by link taking down servers...

  • Come on... (Score:3, Insightful)

    by Doctor O ( 549663 ) on Tuesday October 29, 2002 @06:50AM (#4554517) Homepage Journal
    ...this was posted some days ago, I'm just too lazy to go find the link.
  • by morie ( 227571 ) on Tuesday October 29, 2002 @06:50AM (#4554518) Homepage
    It could also submit every computer it couldn't infect as containing something of interest to the slashdot community. Who needs a ddos attack?
  • by Anonymous Coward
    Sweet friggin christ. If it's a dupe, REMOVE IT.

    88 Miles an hour and shit [slashdot.org]
  • So it can't get on my machine, then it will DDoS me... nice... but what do I care? It will stop doing that and then my machine is still clear... and if it affects a lot of machines on my ISP's network, won't the ISP do something about it?
    • So it can't get on my machine, then it will DDoS me

      Well if it comes down to being a victim of a DDoS, or helping in it, maybe you should purposely allow it to infect you. There might not be an outage if you're just helping the DDoS of someone else. At least your machine may still function, internet-ly speaking.

      Of course, I'm not really crazy (or even serious) about this idea, but helping an attacker (in this case, the worm) may keep his gaze from fixing on you. Then wait till others have defeated the worm and implement their solution. Run with whoever is winning the battle. I would paraphrase from the great Dark Helmet: Evil will win, because Good is dumb.

      However, there is nobility in fighting the good fight. Stand up to the oppressive worm, even if it defeats you. Others may succeed where you may fail.

      I think I just wrote this to use the phrase "internet-ly speaking"

  • by G. W. Bush Junior ( 606245 ) on Tuesday October 29, 2002 @06:56AM (#4554532) Journal
    The Slashdot community may be faced with the "Curious Yellow Post" that may take over all other slashdot news in just a few days...

    If anyone attempts to post other news it will immediately be taken off the site and replaced by a link to the "Curious Yellow Post"...
  • This is a repeat ... (Score:5, Informative)

    by sdr ( 11050 ) on Tuesday October 29, 2002 @06:56AM (#4554533)
    of this [slashdot.org] article.
    • by Fex303 ( 557896 )
      Er... not quite. The first half is, but in the second half of THIS story it talks about a more moderate viewpoint. Y'know, the bit that says:

      "An accompanying discussion rebukes Wiley's article a bit. Aaron Swartz's light-hearted take is rather entertaining: "
      So go read it now and find out how you can take over the whole Internet.


      Let's not be too quick to jump on the "Repeat story!" bandwagon. I mean, it can't take that long to read the four sentence story can it?
    • by devnullkac ( 223246 ) on Tuesday October 29, 2002 @07:24AM (#4554583) Homepage

      This is slightly OT, but it seems to happen often enough to warrant a comment on the point.

      I don't know what tools the Slashdot editors have available to them already, but it seems that the Slashcode already extracts all the links from previous stories (the Related Links box), so it shouldn't be too difficult to compose a story posting utility which looks for stories posted in the last x days which contain any of the same links as the proposed story, flagging possible duplicates.

      • Agreed. This isn't a homegrown site anymore, they're paid for this.

        Surely they can take the time to write a cross-checker to see if any of the links in the submissions have been used in any previous stories, after redirects.

        Surely it can't be that hard...
        • At the same time, maybe this article was posted because it presented links to several perspectives on the topic.

          At the same time, maybe this article should have been posted as a comment to the original story, or even tacked on as an update and "reposted" instead of being "repeated". (I was busy this weekend; I didn't see the first story until now. I'll try to pay closer attention next time, but when I miss a story, I don't look back...)

          At the same time, maybe the /. editors just really like the whole super-worm discussion and really want us to go nuts with it.

        • Come on man! This is SlashDot... The editors don't even use SPELL-checkers, and you want them to grep for URLs?

          #667 can't possibly be your real uid. You MUST be new here. ;)
      • by Anonymous Coward
        You're right, that would be a good addition to Slashcode, but the "editors" should read the site in the first place.

        I briefly browse Slashdot every day; not religiously, but skim through, and even I can spot these dupes just through memory. If someone employed here can't remember that, it's abysmal.

        I guess the point is, that's why these guys don't have professional journalism jobs. I'm not sure why they're called "editors" (seeing as they don't correct any spelling errors). Maybe "story selectors" would be more appropriate, and a system where readers moderate-up stories. Of course, this would make the editors' jobs redundant, but they don't do anything of worth at the moment.

        In short, I like Slashdot -- the comments and the stories. But they're grossly unprofessional and would have trouble finding work in real writing circles.

      • Well, one could wait for the paid staff to get around to it, but there's always the option of taking things into one's own hands... [slashcode.com]
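The link cross-check sketched in this subthread, written out as an added example (not Slashcode's own code): links in a submission are canonicalized, compared against links in stories posted within the last x days, and any overlap is flagged. Redirect resolution is assumed to happen before comparison; resolve_redirect is a hypothetical hook, and the redirect table, story records and URLs are constructed so the script runs offline.

```python
"""Shared-link duplicate check for story submissions (added example, not Slashcode).

resolve_redirect is a hypothetical hook; here it consults a constructed table so the
script runs offline, where a real one would issue HTTP requests and follow 3xx answers.
"""
from datetime import datetime, timedelta
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed redirect table standing in for live HTTP redirect resolution.
REDIRECTS = {
    "http://slashdot.org/article.pl?sid=02/10/27/123": "http://slashdot.org/story/02/10/27/123",
}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Query parameters that identify the visitor, not the page; dropped before comparing.
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "ref"}


def extract_links(html):
    """All href targets in a story or submission body."""
    return HREF_RE.findall(html)


def resolve_redirect(url):
    """Hypothetical hook: follow redirects to the final URL (offline table here)."""
    seen = set()
    while url in REDIRECTS and url not in seen:
        seen.add(url)
        url = REDIRECTS[url]
    return url


def normalize(url):
    """Canonical form so different spellings of one link compare equal:
    resolved redirect, lowercase scheme/host, no www., no default port,
    no trailing slash, sorted query without tracking keys, no fragment."""
    parts = urlsplit(resolve_redirect(url.strip()))
    scheme = parts.scheme.lower() or "http"
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    port = parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    path = parts.path or "/"
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    query = urlencode(sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k not in TRACKING_PARAMS))
    return urlunsplit((scheme, host, path, query, ""))


def find_duplicates(submission_html, recent_stories, now, window_days=7):
    """Stories posted within window_days that share at least one link with the
    submission, as [(story_id, set_of_shared_links)]."""
    new_links = {normalize(u) for u in extract_links(submission_html)}
    cutoff = now - timedelta(days=window_days)
    hits = []
    for story in recent_stories:
        if story["posted"] < cutoff:
            continue
        shared = new_links & {normalize(u) for u in extract_links(story["html"])}
        if shared:
            hits.append((story["id"], shared))
    return hits


# Constructed sample data (stands in for a query against the stories table).
RECENT_STORIES = [
    {"id": "02/10/27/0001", "posted": datetime(2002, 10, 27, 9, 0),
     "html": '<a href="http://www.example.com/curious_yellow.html">Curious Yellow</a> '
             '<a href="http://slashdot.org/story/02/10/27/123">discussion</a>'},
    {"id": "02/09/01/0002", "posted": datetime(2002, 9, 1, 9, 0),
     "html": '<a href="http://example.com/curious_yellow.html">older coverage</a>'},
]
SUBMISSION = ('<a href="HTTP://Example.com:80/curious_yellow.html?utm_source=slashdot#top">paper</a> '
              '<a href="http://slashdot.org/article.pl?sid=02/10/27/123">earlier thread</a>')
NOW = datetime(2002, 10, 29, 6, 50)


def demo(window_days=7):
    """Check the constructed submission against the constructed recent stories."""
    return find_duplicates(SUBMISSION, RECENT_STORIES, NOW, window_days)


if __name__ == "__main__":
    for story_id, links in demo():
        print(f"possible dupe of {story_id}: {sorted(links)}")
```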
    • I submitted my article at about that time, but I never noticed that article. This proves two things: I wasn't paying very good attention to the story I just posted, and someone wasn't paying very good attention to the story when they pushed it through the queue.

      I suppose it's too late to append my article as a comment to the original... :-)

    • I find it ironic that there are at least SIX virtually identical (repetitive), upmodded comments about this being a repeat story.

      Sad.

      S
  • Well. Okay. (Score:4, Funny)

    by torpor ( 458 ) <ibisum@gmail. c o m> on Tuesday October 29, 2002 @06:56AM (#4554534) Homepage Journal
    Then I guess there's nothing we can do. The Internet is doomed.

    Still, I know I'll be able to read about the new one on MSNBC.newtld a day or two afterwards ... after I get a new Passport ID, that is.
  • Doomsday scenario? (Score:5, Insightful)

    by Mika_Lindman ( 571372 ) on Tuesday October 29, 2002 @06:58AM (#4554539)
    The "doomsday scenario" frightens "even us", says Dornseif.

    Doomsday? Hey guys, it's the internet! Who's gonna die if the internet shuts down? Come on now, it's not like the next ice age or nuclear war! 99% of the world's population won't give a shit if the internet shuts down for a few days. Who cares if a bunch of nerds freak out 'cause they can't read their emails?

    The main question is, are YOU so addicted to the net, that you would use the term "doomsday", if it shuts down?
    • ``The main question is, are YOU so addicted to the net, that you would use the term "doomsday", if it shuts down?''
      Yes. I depend on the Internet for news, entertainment, maintaining contacts with friends, and income. So what is left if that perishes?

      So let me think of a way to defend myself against this...write another worm that launches DDoS attacks against the hosts infected by Curious Yellow...worm wars!
    • by Shalome ( 566988 ) on Tuesday October 29, 2002 @07:11AM (#4554561) Homepage
      You apparently have no idea what the actual scope of the internet covers. Corporate and military communications, banking transactions, medical information tracking, etc, etc. Yes, we could live without the internet, but reverting to the "old fashioned" pen-and-paper snailmail transportation of information, even for short periods of time, could cost billions of dollars -- not to mention levels of annoyance it would cause in day-to-day life.
      • by Pike65 ( 454932 ) on Tuesday October 29, 2002 @07:38AM (#4554612) Homepage
        Corporate and military communications, banking transactions, medical information tracking, etc, etc

        Actually in the UK each regional Trust communicates using direct lines between centres. If you send medical details between Trusts, it's still done via paperwork.

        They trust the Internet about as much as I do ; )
        • Actually in the UK each regional Trust communicates using direct lines between centres. If you send medical details between Trusts, it's still done via paperwork.

          Agreed. Many corporations use private networks and lines for mission-critical data. Look at interac or debit. They use telephone lines and a modem chip to dial up and transmit information. This might be a cost issue (using telephone lines would be cheaper than providing a direct ethernet connection to each room that needs debit or credit card information). If the Internet ever "goes down", internal networks still might be safe, as they're distinct entities that only have a bridge to the Internet and don't make up the inet backbone.
        • Corporate would be affected, but core military and banking information is done via private lines that have nothing to do with the internet. The Federal Reserve Bank communicates over private lines just like the UK Trust.

          Funny thing about all of this is, Curious $color is probably already on every computer and no one knows about it. My hope is that the US government simply has control of it.
    • A lot of people died when the stock market "shut down" in 1929. Don't knock the significance of the Internet! Besides, in a world more dependent every day than yesterday on technology and connectivity, an Internet breakdown of even slight magnitude can be extremely detrimental... If it shut down completely all of a sudden, there would be chaos.

      I know it's a horrible thing to think about, but maybe we should, come to think of it... Anyone think we should devise a contingency plan for when/if the Internet does hit a brick wall? Not because I'm paranoid, but because I would rather be overprotected than regretfully and idiotically vulnerable.

      • Sunspots cause thousands of skin cancer deaths each year too. Changes in air pressure cause heart attacks. A wrong look from a person causes another to go postal. There are just some things in the world we can work with.

        The internet shut down and stopped our business? Reroute around the problem. That's why the internet can survive a nuclear war. Don't be passive and expect it to survive world events on its own. It still takes a brain to drive the thing around someone who left their dead car in the middle of the information superhighway.

        If the internet shuts down and you still can't send email, it's your own damn fault. In the old days, you had to dial up another connection and complete the route. Now we have more tools cheaply at our disposal: wireless, satellite, laser, and dedicated lines everywhere. To not know how to use them is missing out on great opportunities.
      • A lot of people died when the stock market "shut down" in 1929.

        Tell me about it. I'm gonna throw myself off the roof if Old Man Murray [oldmanmurray.com] doesn't come back online by the end of the week.

        I don't know what I'd do if the entire *Internet* shut down...

        =)
    • by Anonymous Coward
      The internet has already shut down in some ways. One way in particular is all forms of posted discussions that involve many people. Conversations fall into useless patterns. Some sort of artifact of our minds causing us to talk in endless loops when a large enough pool is reached. Mindless and numbing repetition. Not meant as a slight against /. but an observation from usenet, mailing lists, everything. Flamewars, holy wars, and a million different and more subtle species of mindless repetitive behavior.

      It's like watching the same pieces fall from some Pavlovian machine over and over again. One comment brings forth a slew of responses, all providing an identical response. In Usenet, it's horrible.

      • It's like watching the same pieces fall from some Pavlovian machine over and over again.

        Mindless and numbing repetition.
        Conversations fall into useless patterns.
        talk in endless loops endless loops endless loops endless loops... :)
    • by oku ( 609226 )
      Doomsday? Hey guys, it's the internet! Who's gonna die if the internet shuts down? Come on now, it's not like the next ice age or nuclear war!

      Not quite, but considering the amount of business that is done over the Internet these days, it is going to be pretty rough for many companies. Especially banks would be vulnerable, I guess, subsequently leading to massive drops of stock prices, leading to further bankruptcies. Not nice, not at all.

      Of course, it is uncertain if such a worm could really take down the Internet. But if it could, it would really hurt.

    • by Zocalo ( 252965 ) on Tuesday October 29, 2002 @07:52AM (#4554655) Homepage
      Quite. There seem to be quite a few people out yelling about the "death of the Internet", much like people used to go around with sandwich boards with "The end of the world is nigh!" written on them. Perhaps they should take a few minutes and go read this rather excellent article [theregister.co.uk] at the Register and get a dose of reality. And after that, perhaps a re-reading of "Chicken Little" just to hammer the point home.
      • Imminent Death Of The Net Predicted! prov.

        [Usenet] Since Usenet first got off the ground in 1980-81, it has grown exponentially, approximately doubling in size every year. On the other hand, most people feel the signal-to-noise ratio of Usenet has dropped steadily. These trends led, as far back as mid-1983, to predictions of the imminent collapse (or death) of the net. Ten years and numerous doublings later, enough of these gloomy prognostications have been confounded that the phrase "Imminent Death Of The Net Predicted!" has become a running joke, hauled out any time someone grumbles about the S/N ratio or the huge and steadily increasing volume, or the possible loss of a key node or link, or the potential for lawsuits when ignoramuses post copyrighted material, etc., etc., etc.

        Savant
    • I don't think anyone has to remind you about how much financial dependence we have on the internet in general. I doubt if it gets shut down our government, educational systems, banks can just write and send out paper checks to other governments, educational systems, banks.

      What about "First Strike" scenarios being the reason the whole internet was created by the Department of Defense.

      But I'm sure they can just trust some guy on the phone if anything needs to be launched. Hey if it sounds like Bush has to be right?

      • The Internet (or more properly speaking, Arpanet) was created as an experiment with DoD funding. The experiment was, in Defense terms, not particularly successful, and they moved on to other ways of getting their job done, leaving the Internet to academics and, well, fools and poltroons like us.

        Did you really think that the Pentagon was letting us all play on their wires? This isn't War Games, and the military planners aren't brain-dead.

    • It would be nice to be able to get away from the computer every once in a while. Go out, take a walk, talk to my neighbor in the next cube.....

      SheWhoWalksWithToesLikeCobras

    • If the internet shutting down will free me from having to clean my mailbox of spam, then bring it on! If you ask me, these worms sound like the strongest spam filter I've ever heard of....
      Seth
  • But is it really more frightening than Microsoft's new DRM measures (accompanied with its ad-hoc EULA) which propagate through Windows Update and may instant-DDoS all P2P networks?

    Note that both Curious Yellow and Palladium are still theoretical menaces.

    • Note that both Curious Yellow and Palladium are still theoretical menaces.

      Harking back to the article, Palladium would not start out as Curious Yellow. It could loosely be construed as Curious Blue, due to its attempt to prevent propagation of copyrighted materials and its ability to upgrade itself. It would not take much, however, to bastardize Palladium into Curious Yellow by those who feel "...a computer on every desk..." is a good thing.
  • by Bowie J. Poag ( 16898 ) on Tuesday October 29, 2002 @07:16AM (#4554566) Homepage

    If you really think about it, the math behind such an event may not work out... My guess is, there simply aren't enough hosts on the net that are simultaneously A) susceptible to infection B) sitting on static IPs, and C) unmonitored by human eyes. All three conditions must exist in order for the worm to propagate -- If any one of those factors is absent, that particular thread of the superworm is halted. It makes the scenario described in this article practically impossible. Sure, a superworm may exist, but it would be so slow-moving and predictable that it would be no more a threat than any other form of DoS attack.

    If you really want something abstract to think about, consider this: How is this "superworm" different than, say, a non-existent website mentioned on a nationwide TV broadcast? Instead of malicious code generating the resulting network congestion, it's humans -- The net result is the same -- The effect will taper off as T increases. Nothing to really worry about, in other words.

    Yeah, I know. I'm sure someone's gonna come back and read this 10 years from now and want to slap me silly with a 10 lbs. trout, for my lack of forethought... But seriously, I think these sorts of stories are more along the lines of interesting fiction than they are real-world possibilities.

    Cheers,
    • by chrestomanci ( 558400 ) <david@@@chrestomanci...org> on Tuesday October 29, 2002 @07:37AM (#4554609)

      If you really think about it, the math behind such an event may not work out....My guess is, there simply aren't enough hosts on the net that are simultaneously A) susceptible to infection B) sitting on static IPs, and C) unmonitored by human eyes. All three conditions must exist in order for the worm to propagate -- If any one of those factors is absent, that particular thread of the superworm is halted. It makes the scenario described in this article practically impossible. Sure, a superworm may exist, but it would be so slow-moving and predictable that it would be no more a threat than any other form of DoS attack.

      IMHO, there are plenty of susceptible computers out there.

      Most internet servers, both large and small are on static IPs, and only subject to occasional human monitoring. (That is occasional, relative to this worm's speed of propagation, which is estimated to be under a minute).

      I would include my home linux box in the category of susceptible computers. It is permanently connected (ADSL), on static IP, and I only use it every day or so. If it became infected with Curious Yellow, I would be unlikely to notice for 12 hours or so, (unless my ISP phoned me), and if the worm was stealthy enough not to monopolise any resource (CPU, disc, bandwidth etc), I might not notice for weeks until someone contacted me. Considering how infectious this hypothetical worm is, 12 hours would be enough to do huge damage.

      Ask yourself if the same would apply to any permanently connected computers in your control?

      As for "susceptible to infection". Curious Yellow would be designed to use some sort of zero day exploit, so we have no idea which computers are susceptible, and it would be complacent to assume that only windows boxes are. My system runs Debian Stable, and I regularly apply the security patches, but that does not make it completely invulnerable.

      Don't be complacent. Treat the risk seriously.

      • Don't be complacent. Treat the risk seriously.

        Good advice. I admin a RedHat webserver. I set it up to run up2date followed by autoupdate every 6 hours. I had a breakin maybe 4 years ago due to a patch oversight... maybe 6 hours is a bit too often, but it allows me to be lazy about actually doing anything with the box. If I hear of something spreading fast, I'm taking it down pronto, but for the most part it's set-it-and-forget-it.

        • Could a sophisticated worm disable up2date, or other update utilities, but still make it look like they're functioning correctly?
          • Sure... once you've been rooted, it's game over. You have to hope it hasn't infected your bios and wipe the disk clean. (pretty much, just to be safe)

            The point of keeping everything very current is that maybe a fix will come out against a "day 0" or "day 2" exploit before the worm gets you, and you want to grab that update before the worm hits. Once the worm has an opportunity to modify the program (has root privileges), you're screwed. Unless you're running a Mandatory Access Control (not THAT MAC) system (such as SELinux or TrustedBSD), asking what happens after a root exploit is a moot point. The OS has to be written off as a complete loss.

      • Right, I agree, we should not be complacent...but by the same token, part of being pro-active on these sorts of things is to have discussions similar to the one we're having right now. :)

        While I agree with your observations, I don't think you quite "got" what I was trying to say. Allow me to clarify a few things:

        The threat Curious Yellow poses has to do with its ability to function _in tandem_ with other threads of itself. That means, the superworm can only be as strong as the number of threads that exist at any given point in time. It's not a cumulative effect, since the large majority of machines that will be infected are transient hosts--hosts which will pass in and out of existence fairly frequently, and will not be a functioning part of the worm for the vast majority of the superworm's overall lifespan. Keep in mind, the majority of the hosts on the Internet are not people like you and me. They are home PCs, which spend only a comparably slim amount of time connected to the net, and are therefore a "moving target" for the superworm.

        As I mentioned earlier, the three conditions must all be met, simultaneously, by all threads of the superworm. Any lapse of those three conditions can be equated with a corresponding drop in overall potency... In other words, the more it grows, the more weakened it becomes. As time goes on, the major threads of the worm die off as they are discovered, which effectively breaks down the ability of the superworm to function collaboratively with other instances of itself. Such a superworm would decay with time.

        The number of hosts which are sitting on the net, vulnerable, and untracked by their owners will be small, but never zero...so of course, the worm will still propagate. No one's arguing that. However, that doesn't change the decay process described above.

        In essence, this worm has its own demise built-in. Its growth will spike, and then slowly decay with time, eventually become no more of a threat than any other worm trying to eke out a living. :) Just like with any real-world pathogen, its overall lifespan is going to be a function of the availability of infectable hosts, something I'm sure you'll agree will be bound to decline with time. After all, you and I have yet to succumb to HIV, West Nile, Bubonic Plague, Mad Cow, Hanta, Dengue, Typhoid, Anthrax, or Ebola...despite the fact that they all exist.

    • by JustKidding ( 591117 ) on Tuesday October 29, 2002 @07:48AM (#4554645)
      You may have noticed that the net has a lot of servers, like webservers, DNS servers, proxies and such. Those are the kind of servers that are checked, like, once a week if they don't malfunction, are online 24/7, have a static IP, lots of bandwidth, and so much traffic that a little extra will go by unnoticed. Besides that, the ability to quickly propagate code patches would make it nearly impossible to install security patches on a system that is already infected.

      There is little point in having the worms detect when to go into turbo mode, since such a command could be quickly relayed through the network. And of course there is a chance that some of the worms would switch to turbo mode prematurely, leading to early detection.

      I find the idea of the worm spidering for new hosts rather interesting; obviously, it's a nearly ideal way to find other webservers. Also, since any host on the web has a reference to a DNS server, it's very easy for any worm to find at least one of those. Once a DNS server is compromised, the worm has a fairly complete and realtime list of webservers, with very few bad addresses. This way, many hosts may be infected with very little host- and portscanning.

      If such a superworm would ever get out in the wild, it may be very hard or nearly impossible to stop it.

    • According to my https logs there still are a lot of machines infected with Code Red and other stuff that has had a cure for a very long time, but people haven't yet patched their systems. So I think it will be possible for a worm like this to spread; it seems that most users don't care about securing their own machine.
    • Static IPs are not necessary. Think Gnutella or FastTrack. You need at least a few percent of the infected machines to have static IPs, but by no means all. There are tons of vulnerable machines out there. Joe average doesn't remember CodeRed.
    • If you really think about it, the math behind such an event may not work out... My guess is, there simply aren't enough hosts on the net that are simultaneously A) susceptible to infection B) sitting on static IPs, and C) unmonitored by human eyes.

      Let's look at B and C, firstly. Who says a worm has to have static IPs? Did you read the article when it talked about Altnet? You think all those people running Kazaa are running on static IPs? What is Kazaa, or Gnutella even, but a coordinated worm whose sole method of propagation is that the boxes' owners or users elected to install the application? And any dynamic IP address is static long enough to propagate a worm instance.

      As for C, we're lucky worm and virii authors are clueless, in addition to harmless. Stealth is the key here. A worm could go completely undetected if it propagated itself by means of, say, hot-installed kernel patches or something and used very few system resources (CPU, disk, network).

  • tomorrow (Score:5, Funny)

    by anshil ( 302405 ) on Tuesday October 29, 2002 @07:19AM (#4554573) Homepage
    Come on Pinky, let's prepare for tomorrow evening.

    Why Brain? What are we going to do tomorrow evening?

    Same as every evening, we try to take over the Internet!
  • we are just lucky... (Score:5, Interesting)

    by Lumpy ( 12016 ) on Tuesday October 29, 2002 @07:29AM (#4554591) Homepage
    These worm and virii writers are pretty harmless... If they were really malicious we would have seen Nimda doing things like delete *.doc *.xls or format the hard drive.

    A very scary worm would simply spread itself quietly and slowly, wait for a doomsday time to tick and then Boom... simply start a massive delete fest on the computers or, to be even more sinister, start changing numbers randomly in spreadsheets and documents... like simply adjusting up or down by a random amount.

    Once a virus or worm has admin control or system control it can do anything and luckily we still haven't had one of these buggers do any destructive things...

    I am expecting it though... It's just like guns... most of the planet can safely own and use them and only a few lunatics start blowing people's heads off.
    • luckily we still haven't had one of these buggers do any destructive things...

      Uh, CIH?
    • It's like you've got blackmail on the king. Do you immediately release it and laugh? No. Do you ask for $10M and split town? Heck no! Ask for 10M this week, attack helicopters the week after that, and a month later, when you own half the Philippines and have your own army and small navy, *then* you point and laugh, but only if you can't control yourself any longer.

      If you've got something powerful under your control, the last thing you'd want to do is blow it up. Well, if you're crafty, that is.

      One argument to this is that many hackers are in it for the 'glory' and bragging rights. That's true enough, but I'm not afraid of those people. I'm afraid of foreign governments.

      Heck, I'm afraid of *our* government doing this. How much worse is it if Code Yellow is required by law to be part of your OS? Granted, I'm feeling paranoid today, but it doesn't seem too far to go to 'combat terrorism', or to 'fight child pornography'. Or consider China, who is already doing a great deal of work to control their citizens' internet access.

      $.02

      -Zipwow
  • Well... I guess it's just me, but I really can't worry about a worm that sounds so much like that little monkey... what's his name... Curious George [curiousgeorge.com]. I mean - if it gets to a point where the worm is doing serious damage, give it a banana! Or better yet - feed it pieces of a puzzle... that sent him to the hospital if I remember correctly...

    The thing I would worry about, is what if that guy with the big yellow hat does something. With that kind of hat you could really do some damage to a network - think Oddjob [imdb.com] on a MUCH larger scale!

    Well... as I said - maybe it's just me...

    - L to the amer, B to the unny.

  • It seems to me the claim is a bit like this case:

    I go to a conference and present a poster paper. On the back of the poster, being the intelligent, trusting fool that I am, I copy all my secret data that I don't want anybody to see. Somebody peeks behind the poster, sees this data, and tells the whole conference and now they all know my secrets.

    But I am not at fault here and the wrongdoing is all by the guy who originally looked behind my poster?!

    Yeah, right!

  • by sonicsft ( 195337 ) on Tuesday October 29, 2002 @07:56AM (#4554668)
    Reading this, the idea that it could use distributed communication to monitor and control the infection rate triggered the term "Distributed Computing" in my mind. The amount of processing power that could be harnessed by such a worm is tremendous. Even if the worm used a small fraction of processing time from a large infected base population its power would probably be enough to do some good calculations quickly. I don't think the algorithms are ready yet, but imagine if you can use this worm to distribute a distributed AI. Combine this with the concept of virus polymorphism, and you have a virus that could stay alive, possibly undetected in the open, and do some interesting stuff. Maybe I've been reading too much sci-fi (Ender's Game) but couldn't these concepts, which are now very real, be used to create an internet life form if you will. Anyway, I don't claim to be an expert on anything I just talked about but I wanted to get the idea out into the open.

    -sonic
  • ...because if some sufficiently skilled h4x0rz put your ideas into practice, and launch global worm warfare, some accusing fingers could end up pointing in your direction.

    But if the worms do their job sufficiently well, the police/justice systems will be so adversely affected that your arrest papers won't even see the light of day :)

    Well done, dude! You've covered a lot of angles in your paper. You may have even launched the bootloader for Project Mayhem!
  • by MartyJG ( 41978 ) on Tuesday October 29, 2002 @08:17AM (#4554746) Homepage
    Anti-virus companies Norton and Sophos today announced they had spotted a new virus in the wild. According to anti-virus experts a new virus known only as "Curious Yellow" has been attacking the popular Slashdot.org site.

    The site has already been hit twice, with a story appearing on their main 'articles' section. The virus has been spoofing known slashdot editors such as 'Hemos' and 'michael' [slashdot.org]. The site has yet to comment on these attacks, but have warned there is a risk that further variants may attack their 'slashback' section later this week.

    So far there is no known cure for this virus.
  • "Curious Yellow Post"...... "Curious Yellow Post"...... "Curious Yellow Post".... "Curious Yellow Post"...... For the love of God someone get me out of this loop!
  • Nupe It (Score:3, Funny)

    by Ctrl-Z ( 28806 ) <tim.timcoleman@com> on Tuesday October 29, 2002 @08:58AM (#4554901) Homepage Journal


    Little. Yellow. Different.

  • It's happening (Score:3, Interesting)

    by FeatureBug ( 158235 ) on Tuesday October 29, 2002 @09:41AM (#4555107)

    Yes, something funny is definitely going on right now on the net. These statistics are solid and based on 4 years of data going back to 1998: my firewall has detected on average 1 probe every 3 hours.

    On 28th September this year I made the mistake of visiting the website of Taiwanese motherboard maker QDI Group [qdigrp.com] to download a newer BIOS. Literally within seconds my firewall started getting hit by netbios probes. It's been about two probes a minute all day every day from sites all over the world since 28th September. That's a 400-fold increase! It's getting worse. They're from all over the place but always TCP to netbios port 137.

    Does anyone else want to try visiting www.qdigrp.com?? Has anyone else seen the same pattern? I'll post a few of the IPs here. Maybe someone will recognise them.

    • Netbios probe epidemic sample of unique netblocks:

      12.79.164.132 ATT WorldNet Services, Bridgeton MO, USA
      61.63.51.132 Koos Broadband Telecom Co Ltd, Taipei, Taiwan
      61.66.23.153 Hoshin Gigamedia Center Inc, Taipei, Taiwan
      61.84.155.229 Bukkwangju Node, Kwangju, Korea
      62.82.150.12 Retenet SA, Barcelona, Spain
      63.238.201.181 Qwest Communications, Denver CO, USA
      64.128.228.13 Telocity Delaware Inc, Hermosa Beach CA, USA
      64.221.167.233 XO Communications, San Jose CA, USA
      64.28.67.150 SLASHDOT!! Exodus Comms, Santa Clara CA, USA
      66.139.73.8 ServerBeach, San Antonio TX, USA
      66.231.36.202 Coldwater Board of Public Utilities, Coldwater MI, USA
      66.50.81.233 Coqui.net Corp, San Juan, Puerto Rico, USA
      67.119.49.16 HisAndHerHairGoods, San Francisco CA, USA
      80.36.162.80 Telefonica de Espana, Madrid, Spain
      130.225.41.146 Danish CC for Research & Education, Copenhagen, Denmark
      140.186.101.246 Cambridge Entrepreneurial Network, Quincy MA, USA
      144.232.4.246 Sprint Comms, Overland Park KS, USA
      148.76.64.119 Spacenet, Inc, McLean VA, USA
      158.152.204.252 Pilsbury, Demon Internet, London, UK
      162.39.227.110 Central Telephone Company, Little Rock AR, USA
      193.195.224.1 Demon Internet, London, UK
      194.38.141.141 CMCin2, Lisbon, Portugal
      196.30.233.120 UUNET Internet Africa, Johannesburg, South Africa
      200.161.93.37 Comite Gestor da Internet no Brasil, Sao Paulo, Brazil
      200.24.101.125 Unitel SA, Cali, Colombia
      200.44.17.59 CANTV Servicios, Caracas, Venezuela
      200.67.91.103 Uninet SA, Jardines del Pedregal, Mexico
      200.75.195.174 CableOnda CableModem, Panama City, Panama
      202.239.162.34 Asahi Shimbun, Tokyo, Japan
      203.249.50.165 Wonkwang University, Chonbuk, Korea
      203.250.139.23 PaiChai University, Taejon, Korea
      207.249.143.232 Instituto Sup.Autonoma de Occ., Flores, Mexico
      210.212.250.67 Shrimati Indira Gandhi College, Tiruchirapalli, India
      210.214.24.49 Satyam Infoway Pvt.Ltd, Chennai, India
      210.255.9.145 Dion (KDDI Corp), Tokyo, Japan
      211.142.185.132 China Mobile Comms Corp, Beijing, China
      211.158.48.138 Chongqing BoardBand Networks Co, Chongqing, China
      211.197.12.211 Nexen Tire Co, Seoul, Korea
      217.164.246.17 Emirates Telecomms Group, Abu Dhabi, United Arab Emirates
      217.216.216.43 Supercable, Seville, Spain
      217.58.146.195 Interbusiness, Florence, Italy
      218.54.251.250 Cyberia Woosong, Taejon, Korea
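The pattern FeatureBug describes (a long baseline of one probe every few hours jumping to a couple a minute, from many unrelated netblocks) is what a few lines of log analysis should surface rather than something to eyeball in a firewall console. The following is an added example and not code from this thread: it parses constructed firewall log lines in an assumed format, computes port-137 hits per day before and after a cutover date, and counts distinct source hosts per /24, which makes the "many hosts in one netblock" signature of a worm sweeping its neighbourhood visible. The log format, the IPs and the timestamps are all constructed for the example.

```python
"""Firewall probe-spike analysis. Added example, not code from the thread.
The log line format below is an assumption; adapt parse_log() to your
firewall's actual output."""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log (not a real capture). Assumed line format:
# "<ISO timestamp> <action> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
SAMPLE_LOG = """\
2002-09-27T01:10:00 DROP TCP 12.79.164.132:1045 -> 10.0.0.2:137
2002-09-27T14:40:00 DROP TCP 80.36.162.80:3001 -> 10.0.0.2:137
2002-09-27T20:05:00 DROP TCP 63.238.201.181:4010 -> 10.0.0.2:80
2002-09-28T12:00:01 DROP TCP 61.63.51.132:2102 -> 10.0.0.2:137
2002-09-28T12:00:30 DROP TCP 61.63.51.140:2110 -> 10.0.0.2:137
2002-09-28T12:01:02 DROP TCP 61.63.51.201:2111 -> 10.0.0.2:137
2002-09-28T12:01:33 DROP TCP 200.44.17.59:1100 -> 10.0.0.2:137
2002-09-28T12:02:05 DROP TCP 200.44.17.60:1101 -> 10.0.0.2:137
2002-09-28T12:02:40 DROP TCP 211.142.185.132:3300 -> 10.0.0.2:137
2002-09-28T12:03:10 DROP TCP 61.63.51.77:2120 -> 10.0.0.2:137
2002-09-28T12:03:44 DROP TCP 200.44.17.61:1102 -> 10.0.0.2:137
"""


def parse_log(text):
    """Return a list of (timestamp, proto, src_ip, dst_port) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _action, proto, src, _arrow, dst = line.split()
        src_ip, _sport = src.rsplit(":", 1)
        _dst_ip, dport = dst.rsplit(":", 1)
        entries.append((datetime.fromisoformat(ts), proto, src_ip, int(dport)))
    return entries


def probes_per_day(entries, dport=137):
    """Hits on one destination port per calendar day. Days with no hits
    are simply absent; fill them in if you want a true daily mean over a
    quiet baseline period."""
    per_day = Counter()
    for ts, _proto, _src, port in entries:
        if port == dport:
            per_day[ts.date().isoformat()] += 1
    return dict(per_day)


def rate_change(per_day, cutover):
    """Mean daily count before and from `cutover` (YYYY-MM-DD) and the
    ratio between them; inf if there was no pre-cutover traffic at all."""
    def mean(xs):
        return sum(xs) / len(xs) if xs else 0.0
    before = mean([n for day, n in per_day.items() if day < cutover])
    after = mean([n for day, n in per_day.items() if day >= cutover])
    return before, after, (after / before if before else float("inf"))


def sources_by_netblock(entries, dport=137, prefix=24):
    """Distinct source hosts per /prefix. Several hosts from one block all
    hitting the same port points at a worm scanning its own address
    neighbourhood rather than at a single scanner."""
    blocks = defaultdict(set)
    for _ts, _proto, src, port in entries:
        if port != dport:
            continue
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        blocks[str(net)].add(src)
    return {net: len(hosts) for net, hosts in blocks.items()}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    per_day = probes_per_day(entries)
    before, after, factor = rate_change(per_day, "2002-09-28")
    print(f"port 137/day: {per_day}  before={before:.1f} after={after:.1f} x{factor:.0f}")
    for net, n in sorted(sources_by_netblock(entries).items(), key=lambda kv: -kv[1]):
        print(f"{net:20s} {n} distinct source host(s)")
```

Run it against your own drop log with the cutover set to the day the noise started; a netblock with several distinct sources on the same port is the first thing worth looking up in whois.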
    • Yes, it's real, you aren't imagining this. I have seen the same thing for about 10 days. Just got my 29th attempt in two hours.
    • Re:It's happening (Score:4, Interesting)

      by freeweed ( 309734 ) on Tuesday October 29, 2002 @12:22PM (#4556326)
      I've been seeing roughly 150-200 netbios probes a day since the end of September. I used to get a consistent 10 or 20. And I've never been to QDI's website.

      I suspect this *may* be due to that wonderful new bug, Opaserv, which Norton seems unable to clean out successfully, even though they know full well about it. Basically, it's a worm that looks for open C: shares, and brute-forces the password, one character at a time (or if there's no password, it infects). You get a couple of files in C:\windows (depending on variant), and some entries into your registry and/or win.ini (again depending on variant).

      I spent a few hours looking into this when one of our work machines refused to clean itself (frightening how many windows machines have accessible shares in my University :). Do any sort of search on 'Opaserv' or 'brasil.pif'.

      This thing started showing up roughly a month ago, and it's the only thing I can connect with these insane netbios probes. It's also consistent with my observation that entire (or most of a) class C's seem to be infected and probing me - that's one of the fun parts of this worm - it basically scans anyone with a similar IP until it's infected everyone it can. Clean it off your system, and don't protect yourself, and within an hour you'll be infected again.

      And once again, it all comes down to: don't run your file sharing over tcp/ip and firewall your netbios ports. Microsoft apparently has a patch for the password cracking issue, but so far no one has done much else to combat this thing.
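Brute-forcing a share password "one character at a time", as freeweed describes Opaserv doing, only works if the server checks a guess against just as many password bytes as the guess contains, so that each position can be confirmed on its own. The following is an added illustration of that flaw class and not code from the thread or from any Microsoft component: the server-side check is a constructed model (an assumption chosen to match the comment's description), shown beside a full-length comparison against which the same per-character attack gets nowhere.

```python
"""Why a per-character brute force works against a length-truncated
password check. Added example; the flawed check is a model of the flaw
class, not a reproduction of any real SMB implementation."""
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def check_truncated(stored: str, supplied: str) -> bool:
    """Flawed server: compares only as many bytes as the client sent, so a
    guess that matches the stored password's prefix is accepted."""
    if not supplied:
        return False
    return stored[:len(supplied)] == supplied


def check_fixed(stored: str, supplied: str) -> bool:
    """Hardened server: full-length, constant-time comparison. A prefix of
    the password is just a wrong password."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def brute_force(oracle, max_len=14, alphabet=ALPHABET):
    """Extend a confirmed prefix one character at a time. `oracle(guess)`
    is the server's accept/reject answer. Returns (password or None,
    number of guesses used). Against a truncating oracle the cost is at
    most len(alphabet) * (len(password) + 1); against a correct oracle the
    loop gives up after one full scan of the alphabet."""
    prefix = ""
    guesses = 0
    for _ in range(max_len):
        for c in alphabet:
            guesses += 1
            if oracle(prefix + c):
                prefix += c
                break
        else:
            # No one-character extension accepted: either the whole
            # password has been recovered or the oracle is not truncating.
            break
    return (prefix if prefix and oracle(prefix) else None), guesses


if __name__ == "__main__":
    password = "Sh4re"  # constructed share password
    found, n = brute_force(lambda g: check_truncated(password, g))
    print(f"truncated check: recovered {found!r} in {n} guesses "
          f"(exhaustive search would be {len(ALPHABET) ** len(password)})")
    found, n = brute_force(lambda g: check_fixed(password, g))
    print(f"fixed check:     recovered {found!r} after {n} guesses")
```

The numbers are the whole story: a five-character password over a 62-symbol alphabet costs at most a few hundred guesses against the truncating check and about 916 million against the full-length one, which is why a worm can afford to try it against every share it finds.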

  • by captainstupid ( 247628 ) <<dmv> <at> <uakron.edu>> on Tuesday October 29, 2002 @10:06AM (#4555252) Journal
    I would be more worried if the worm ran around breaking things and choking children, like [entertainment-geekly.com]
    furious yellow.
  • sheesh... twice in a week. Good thing I have no data limits on that line...
  • by Anonymous Coward
    A simple but devastating Windows worm design would be one that selected a local system DLL at random, asked a peer worm on a similar system for its timestamp for the same DLL, then replaced the newer DLL with the older one. Other than some minor details, that's it.

    This would be subtle and very damaging: systems in the worm network would progressively become unpatched against security vulnerabilities. It would be computer equivalent of an autoimmune deficiency like AIDS. Little harm would be done directly, but it would undermine sysadmin patches and open up the host to infection from all other earlier known forms of attack.

    The dynamics of such a P2P worm system as a whole would be to eventually seek the lowest common denominator patch level.

    Such a worm would ideally not render Windows systems inoperable/defunct, so maybe only a small subset of system DLLs would be considered and some date limit to the degree of DLL downgrading might need to be incorporated. This is all hypothetical, but such a worm would make maximum benefit of the "DLL hell" weakness of Windows.
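The "lowest common denominator patch level" dynamic predicted in the comment above is easy to model, and the same model shows what the defence looks like: an inventory of file versions compared against a known-good baseline, flagging every host that has gone backwards. The following is an added example and not code from the thread. Hostnames, file names and version tuples are constructed, and the peer-selection rule (each host asks one random peer about one random file per round) is an assumption standing in for the comment's unspecified "minor details".

```python
"""Toy model of the peer-to-peer DLL downgrade dynamic, plus the baseline
regression check an administrator would run against it. Added example;
all hosts, file names and version numbers are constructed."""
import copy
import random

# Known-good (fully patched) version of each watched file. Constructed.
BASELINE = {"net.dll": (2, 0, 0, 300), "crypt.dll": (1, 0, 0, 180)}

# Constructed fleet: most hosts at baseline, ws03 and ws04 each lagging on
# one file, ws05 ahead of baseline on net.dll.
INITIAL = {
    "ws01": {"net.dll": (2, 0, 0, 300), "crypt.dll": (1, 0, 0, 180)},
    "ws02": {"net.dll": (2, 0, 0, 300), "crypt.dll": (1, 0, 0, 180)},
    "ws03": {"net.dll": (2, 0, 0, 300), "crypt.dll": (1, 0, 0, 100)},
    "ws04": {"net.dll": (2, 0, 0, 50),  "crypt.dll": (1, 0, 0, 180)},
    "ws05": {"net.dll": (2, 0, 0, 310), "crypt.dll": (1, 0, 0, 180)},
    "ws06": {"net.dll": (2, 0, 0, 300), "crypt.dll": (1, 0, 0, 180)},
}


def fresh_hosts():
    """A private, mutable copy of the starting inventory."""
    return copy.deepcopy(INITIAL)


def gossip_round(hosts, rng):
    """One round of the comment's worm: every host asks one random peer
    for its version of one random file and, if the peer's copy is older,
    replaces its own newer copy with that older version. Nothing ever
    moves forward, so versions can only ratchet down."""
    names = sorted(hosts)
    for host in names:
        peer = rng.choice([n for n in names if n != host])
        dll = rng.choice(sorted(hosts[host]))
        if hosts[peer][dll] < hosts[host][dll]:
            hosts[host][dll] = hosts[peer][dll]
    return hosts


def simulate(hosts, rounds=500, seed=7):
    """Run `rounds` gossip rounds with a fixed seed and return the fleet."""
    rng = random.Random(seed)
    for _ in range(rounds):
        gossip_round(hosts, rng)
    return hosts


def floor_versions(hosts):
    """Oldest version of each file anywhere in the fleet: the level the
    whole fleet converges to under the downgrade rule."""
    files = next(iter(hosts.values()))
    return {dll: min(h[dll] for h in hosts.values()) for dll in files}


def regressions(hosts, baseline):
    """(host, file, version) for every file below its known-good version.
    This is the check to run from an inventory, since a patched host that
    silently slides below baseline is exactly what the worm produces."""
    return [(host, dll, ver)
            for host, files in sorted(hosts.items())
            for dll, ver in sorted(files.items())
            if ver < baseline[dll]]


if __name__ == "__main__":
    start = fresh_hosts()
    print("regressions before:", regressions(start, BASELINE))
    print("fleet floor:       ", floor_versions(start))
    end = simulate(fresh_hosts())
    print("regressions after: ", len(regressions(end, BASELINE)),
          "of", 2 * len(end), "host/file pairs")
```

Two hosts lagging on one file each is enough: after the gossip settles, every host sits at the oldest version of every file, including the host that started ahead of baseline, and the regression check lights up the whole fleet.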
  • ...but I didn't see how this worm will deal with the fact that it has to infect a heterogeneous environment. There is no way a single variant of a worm could affect every internet connected machine out there. If there are different versions, then how would it update itself? It's not like a worm can just infect a random computer at will, there has to be a specific vulnerability that it uses. The best defense to this kind of attack is the kind of internet we have now: different OSes on different hardware running different services.
    • it infects the vulnerable windows machines, like worms are doing everyday, and then the ones it can't (patched windows pcs, linux, etc) it uses the infected pcs to DDoS them. It doesn't infect everyone, just attacks the ones it can't using the ones it infected.
      • I guess the question is: can any worm find a target to attack that will include enough hosts to successfully control the internet? One of the techniques it mentions is blackholing computers that it can't infect. I thought that a lot of routing is done by hardware routers. It would also have to somehow infect those as well to be successful.
  • ...the worlds largest reboot and reformat session EVER! I can almost hear the beeps now... I hope M$ planned for this contingency when they created their computer key system for XP. There will be a lot of people reactivating their keys at the same time!
  • With this story slashdot has hit an all time grammar low. I'm still trying to figure out what its supposed to be about.
  • by Anonymous Coward
    you make it think you're infected, and it won't attack you.
  • This [upenn.edu] page says that "I am Curious Yellow is the title of a Swedish film from 1967 (in Swedish it's Jag aer nyfiken - gul). The following plot summary comes from the Internet Movie Database:

    Lena, aged twenty, wants to know all she can about life and reality. She collects information on everyone and everything, storing her findings in an enormous archive. She experiments with relationships, political activism, and meditation. Meanwhile, the actors, director and crew are shown in a humorous parallel plot about the making of the film and their reactions to the story and each other. Nudity, explicit sex, and controversial politics kept this film from being shown in the US while its seizure by Customs was appealed."


    Here [geocities.com]'s the script (best read after ingesting copious amounts of mind-altering drugs, otherwise it doesn't make much sense).
  • Earth to Brandon Wiley, have you perhaps heard of the Morris worm [mit.edu]?

    This DDOS attack was carried out in 1988, and it was done by mistake. Our boy Robert Morris wasn't careful about how quickly the worm spread itself, and as a result when it started infecting computers, about one in seven of them would relentlessly pound away at any host it could find. Now, the Internet wasn't nearly as big as it is today, but even so it meant that hundreds or thousands of infected hosts were lining up to rape any given computer.

    These days, you have to be CAREFUL when you write your virii or it'll be much much more than just a minor annoyance, it will flood networks out of existence. This white paper doesn't outline an attack strategy, it demonstrates the destructive effect of sloppy virus design.
  • Was a controversial Swedish movie made in 1967. The plot summary from the Internet Movie Database [imdb.com] says:

    Lena, aged twenty, wants to know all she can about life and reality. She collects information on everyone and everything, storing her findings in an enormous archive. She experiments with relationships, political activism, and meditation. Meanwhile, the actors, director and crew are shown in a humorous parallel plot about the making of the film and their reactions to the story and each other. Nudity, explicit sex, and controversial politics kept this film from being shown in the US while its seizure by Customs was appealed.

    So why is this guy naming super-worms after Swedish pr0n?
