Worms Going Further, Faster 301
Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix login; passes along a few distilled factoids from a CAIDA analysis of the 'Sapphire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"
Oh no! Shut the Interweb off! (Score:5, Insightful)
There is no patch for human carelessness.
Re:Oh no! Shut the Interweb off! (Score:5, Funny)
Re:Oh no! Shut the Interweb off! (Score:5, Funny)
Connecting to AOL...
-blink-
You've got mail!
-blink-blink
"ooh, an attachment..."
Re:Oh no! Shut the Interweb off! (Score:5, Insightful)
We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.
Re:Oh no! Shut the Interweb off! (Score:2, Insightful)
Harsher punishments for virus writers?
Better system recovery process?
Re:Oh no! Shut the Interweb off! (Score:5, Funny)
Re:Oh no! Shut the Interweb off! (Score:2, Informative)
c:\program files\internet explorer\iexplore.exe
c:\program files\outlook express\msimn.exe
c:\program files\adobe\acrobat x.0\reader\acrord32.exe
So it looks like the new Bugbear already selectively infects shared files.
We need to stop stressing preventi
Re:Oh no! Shut the Interweb off! (Score:4, Insightful)
This is what Palladium is all about. Executable code is signed, and it can only run if you choose to trust the publisher. Viruses are less of a problem because an infected file will fail signature verification.
Microsoft may be misguided with Palladium and the DRM goodies that it includes, but the underlying concept of trusted and untrusted code is a good one.
Might I add, however, that the same thing can be done without the complete hardware implementation of Microsoft's product. A simple signed executable system would do the trick. Microsoft already uses this for ActiveX controls.
Re:Oh no! Shut the Interweb off (Score:3, Insightful)
It's almost amusing to read my mail in kmail with HTML rendering turned off, and look over the attached scripts that arrive in my mailbox now and then. It makes me feel like an entomologist looking though a magnifying glass at a venomous spider pinn
Re:Oh no! Shut the Interweb off! (Score:5, Insightful)
Scenario:
This code has not been signed (or is signed by an unknown publisher). Clicking OK in this box could transmit a virus, destroy your hard drive, subvert your nation's economy, summon flesh eating aliens and damn us all to eternal hell.
Yes, checking signatures on code you execute is a good thing, but there are specifics to be concerned about in an implementation. How do you guarantee the signature? Obviously, some sort of authentication, and method of checking the signature against, perhaps, a public key is needed. And to handle that you need a web of trust that's workable. But none of that matters a whit if users aren't careful about the trust, and don't investigate. Nor is it worth a darn if they ignore warnings. These problems (aka user education, and poorly designed secure systems) have to be taken care of before any of this will be useful.
learn from evolution (Score:3, Interesting)
Re:Oh no! Shut the Interweb off! (Score:5, Interesting)
The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?
Yes, there will always be someone who will open attachments no matter how often you tell them not to.
But perhaps the root issue isn't the fellow who can't stop clicking on Fireworks.exe files but the OS and application developers who enable and then don't patch systems that allow those users to be so easily exploited.
Re:Oh no! Shut the Interweb off! (Score:2, Insightful)
Re:Oh no! Shut the Interweb off! (Score:3, Insightful)
"You got raped because you were showing a little leg and walking down a dark street?"
You can dress more conservatively and only walk down lit streets, but by refusing to address the root issue
Re:Oh no! Shut the Interweb off! (Score:5, Insightful)
I agree that it's not safe to rely on humans to keep systems patched. But, for one, if most systems are kept patched, a worm like SLAMMER would be useless. This is an obvious point you neglect, but not an interesting one.
More interesting, I think, is the debate over whether there is such a thing theoretically possible as a secure architecture. This is, of course, the idea behind "secure" systems designed to be so from the ground up, such as Palladium. Ethernet, TCP/IP, ARP, and most of the other protocols which make up the 'Net were not designed with security in mind from the bottom up, but rather designed for effectiveness, ease of implementation, and the like. For example, why do Ethernet cards allow promiscuous mode? It makes diagnosing certain problems easier, but it also represents a very big opportunity for all sorts of security vulnerabilities. Or why can MAC addresses be changed so easily? This represents an easy opportunity for mischief.
But had the entire architecture of the 'Net been designed for security and accountability rather than ease of access and openness from the start (granted, two often-conflicting ideals), would absolute security be possible?
Many say that security is never truly possible without unplugging the computer from the 'Net, turning it off, and embedding it in concrete. This may be exaggeration, but of course it is quite difficult to prove something secure; RSA has not been proven secure, public-key cryptography has not been proven secure, and I don't really see how you could prove any other system secure, either.
This may not be necessary, however. We may not know for certain that RSA is secure, but we assume that the NSA does not know how to factor such large numbers any better than the rest of us, and we assume it to be secure (and such an assumption does appear valid). If enough evidence exists to assume a system to be "practically secure," that is enough for implementation.
I have no answers to these questions. But I think to assume such a problem is unanswerable is silly and is itself merely a non-answer. Security may not be an easy goal, but it may be achievable. At least in some forms, this is clearly the case; it would quite evidently be possible to stop some sorts of attacks, like SLAMMER, in the future, even if theoretical, absolute, security remains unobtainable.
Re:Oh no! Shut the Interweb off! (Score:5, Insightful)
Your assumption is that true security is a theoretical impossibility. On what grounds?
Not to speak for the previous poster, but that's a pretty good assumption. No technological advance has ever succeeded in remaining secure for long.
(Example: plate armor probably seemed impregnable in practical terms, until the longbow came along. Yeah, okay, a stinking peasant could hamstring a warhorse and beat the knight to death with a rock while he lay helpless on the ground, but these possibilities were probably ignored with the same superstitious enthusiasm that sysadmins ignore the rarer kinds of attacks on their systems.)
I would think that the burden of proof falls on those who maintain that "true security" is attainable. And the minute you propose some system to guarantee that true security, some clever person will come along and propose a way to get around it.
Anyone designing a critical security system should probably start off with the assumption that security will eventually be breached, and make damn sure that when the breach occurs, catastrophe does not result.
Re:Oh no! Shut the Interweb off! (Score:5, Insightful)
I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.
I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.
Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change.
Re:Oh no! Shut the Interweb off! (Score:4, Insightful)
Name a security measure that is mere intimidation. Name a measure that has no added value and is just shiny armor. (This does, admittedly, apply to local security measures using biometrics; thumbprint scanners are less secure, at least on the consumer-grade, and just cooler looking, but I don't think it applies quite the same way to real network security measures.)
Your point is well-taken, that companies have no incentive to sell something that works above and beyond selling what sells, but it neglects that the two generally do go together and the leaders in the field tend to have true commitment to security.
Re:Oh no! Shut the Interweb off! (Score:3, Insightful)
We could still be vulnerable even if everyone patched their systems, if someone writes the exploit before the patch comes out.
Scary stuff.
Re:Oh no! Shut the Interweb off! (Score:2, Insightful)
And I've said this before, certain software companies have not been very good about training administrators about patching, etc.
eric
Re:Oh no! Shut the Interweb off! (Score:5, Insightful)
Ah, the lovely internet... (Score:5, Funny)
Better. Stronger. Faster. (Score:2)
only large-scale communication network? (Score:5, Funny)
Good for the worms (Score:5, Funny)
Honeypots (Score:2)
> Kinda makes the phrase "The early bird catches the worm", redundant doesn't it.
Honeypots: The early bird may get the worm, but the second mouse gets the cheese.
*BOFH-like evil grin*
damn. (Score:4, Funny)
Re:damn. (Score:4, Funny)
I had worms once... (Score:2, Funny)
I've got worms! (Score:5, Funny)
LLOYD
(smiling)
I got worms.
MARY
I beg your pardon?
LLOYD
That's what we're gonna call it: I
Got Worms. We're gonna specialize in
selling worm farms -- you know, like
ant farms. A lot of people don't
realize that worms make much better
pets than ants. They're quiet,
affectionate, they don't bite, and
they're super with the kids.
MARY
Aren't ants quiet, too?
Re:I've got worms! (Score:2)
Re:I've got worms! (Score:2)
However I'm traumatised, and can't make self click on a
Why do delinquents bother? (Score:5, Insightful)
Re:Why do delinquents bother? (Score:4, Interesting)
Re:Why do delinquents bother? (Score:4, Insightful)
Not much room for extra code in a program that has to fit in a single UDP packet.
Re:Why do delinquents bother? (Score:5, Interesting)
Re:Why do delinquents bother? (Score:4, Informative)
Actually, Microsoft had released a patch for the vulnerability that was exploited. Unfortunately, no one (including Microsoft) bothered to implement it.
Re:Why do delinquents bother? (Score:2, Insightful)
Re:Why do delinquents bother? (Score:5, Interesting)
While the PRNG isn't of the highest quality, its brevity is what allowed it to spread so quickly. An infected system was sending out packets as fast as the outbound pipe could handle it. A smaller virus, even by a few bytes, would mean that much faster of an infection rate.
By and large, you're right about VBScript making for simple virii, but this isn't the one to use as an example.
Re:Why do delinquents bother? (Score:5, Insightful)
In the beginning days, on the Apple ][ computers in my grade-school, we learned to guess our way through cracking floppy-disk copy-protected games by comparing a cracked game and a pristine byte-by-byte copy of the original. We eventually learned that a certain byte word combination was the first hardware keyboard access, and we could guess that spot was a good place to stick a jump. Then we tried a few addresses until it worked. In grade school.
Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.
What really grabbed me was how a really good (insidious) virus could have such a low footprint that it could go undetected for so long. The programmers of those viruses were gifted binary ecologists. I knew then that the games I played were bloated when one year the game took one disk, and the second year you had to swap two disks even though there was little extra play for all the extra data. I envied the virus programmers for their wizardly and miserly command of the machine's meager resources. I even dreamt of the day that I could crank one out like putting together a jigsaw puzzle.
Now I am older, and the opportunity for that conquest was stolen by Moore's Law. The games (and all software in general) got bloatier and bloatier. There was so much waste, and the machines got so fast so fast, that I saw clever programming die. I was sad. It wasn't until (after I bought a student copy of Borland C++ and was stultified by the massive bloat of win16 API) that I became acquainted with Unix (FreeBSD in particular) around 1.2.1 vintage. I rediscovered elegant software.
Now, I understand the vulgar joy in duping someone else, but only a jackass gets off duping people who compare to invertebrates on an intellectual scale. VB worms are the modern-day equivalent of burning ants with a magnifying glass. "Letth thaw off hith tweeter Beavith! Hehehehehe Heheheheh..."
Re:Why do delinquents bother? (Score:4, Interesting)
Grok!
I still remember stunning some of my cow orkers by saying from two cubicles away, "Dude, run a virus scanner. There's no reason your floppy drive should be doing that many seeks across the entire width of the disk. Something's writing to the FAT or boot sector every time you access any files. Probably a virus. Kill it before it kills you."
To this day, they still have no idea how I knew about that without even looking at the screen or touching the box, but from where I sat it was just obvious (when I first heard that pattern of seeks and asked if the guy was copying 100 small files to the floppy, and he said "no") that something on that box was fucked up. (And fucked up in a way that MS-DOS, all by itself, wasn't :)
Funny note - the virus in question was indeed a boot sector virus, and was pretty much harmless on Win3.1 boxen. Not so on an NT box. If only I'd come to work one day before. Yuk.
Equation for a good worm (Score:5, Interesting)
Re:Equation for a good worm (Score:2, Funny)
UDP all the way! (Score:5, Insightful)
Re:UDP all the way! (Score:3, Informative)
Whatever you gain by compressing something that small, you lose in the space that the decompression code takes up, unless the OS provides a decompression service for you.
The way Slammer worked, it had to fit in a single packet, which meant it had about 1500 bytes to work with. That means it could have been more than four times bigger than it was, but no more.
More platforms (Score:2, Interesting)
Anatomy of the Web application worm (Score:4, Informative)
http://www.cgisecurity.com/articles/worms.shtml [cgisecurity.com]
Oi, did anybody actually READ the link? (Score:3, Informative)
1. Scan internet servers looking for vulnerable software
2. Infect said software.
Duh. The author writes, "I didn't write this paper to give people malicious ideas." -- It's okay! There's nothing in the paper that would assist people in doing anything useful!
No worms for me, please! (Score:5, Funny)
Re:No worms for me, please! (Score:5, Insightful)
Re:No worms for me, please! (Score:2)
Re:No worms for me, please! (Score:4, Insightful)
Antivirus software is for people who run software that has bugs in it. You mentioned you are using Windows...
Antivirus software is for people who believe in Security In Depth, a school of thought which says that you should use multiple layers of security, so that if one fails you aren't screwed.
Antivirus software is for people whose data is worth more than $50 (or $20 after rebate).
Re:No worms for me, please! (Score:3, Insightful)
I'm not saying I do this; I don't e
Re:No worms for me, please! (Score:3, Insightful)
I use a Mac, too, but I have no illusion of immunity.
Re:No worms for me, please! (Score:5, Funny)
I use a Mac, too, but I have no illusion of immunity.
I do. Woo hoo!
Re:No worms for me, please! (Score:5, Insightful)
The installed base of Macs is so small compared to Windows PCs, there's no reason to write worms that affect Apple machines.
You can bet your ass that if Macs were as ubiquitous as x86 machines, they'd be getting slammed with worms too....That cocky attitude gets really grating.
Re:No worms for me, please! (Score:2)
Re:No worms for me, please! (Score:2)
Personally, I think the feeling of invincibility that many Mac users have is just as dangerous as any Microsoft security vulnerability.
But (Score:5, Funny)
Some day (Score:3, Funny)
Cross-platform not necessary? (Score:5, Insightful)
One for windows, one for linux, one for routers/switches...
Imagine the impact. Would the internet survive?
The only things preventing this might be the fact that no single person has the required experience in all the platforms, and vulnerabilities in non-windows OS's are typically more difficult to exploit.
Comment removed (Score:4, Funny)
Re:Cross-platform not necessary? (Score:2)
Re:Cross-platform not necessary? (Score:2)
Vulnerabilities exist for all of them. Information exists for all of them. It's just a matter of time until someone with the talent decides to do it.
Re:Cross-platform not necessary? (Score:5, Insightful)
Write a Windows worm?
Sure, watch the security bulletins from MS and associated companies and include a few exploits in your worm. You know we won't run out of people who haven't patched yet.
Write a Linux worm?
Sure... See above? It's the same.... There are platform differences as far as library calls, hooking into e-mail, etc, but a little time would solve that easily.
Write a
Umm. See above? Just wash, rinse, repeat... All we're talking about is a little time.
Seriously, I'm waiting for someone slightly talented to get pissed off at technology in general. That will be the day people running automatic daily updates on (pick your platform) will be happy they've got a patched system and banging their head against the wall 'cause their ISP didn't.
Re:Cross-platform not necessary? (Score:4, Funny)
OK, I'll nibble. Write a reasonably effective worm!
Otherwise, you're not even smart enough to be considered an idiot...
I dare ya!
Problems (Score:5, Insightful)
Re:Problems (Score:2)
Doomsday in a good way? (Score:5, Insightful)
so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?
and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.
Re:Doomsday in a good way? (Score:5, Interesting)
Um... what if the worm writer used a new vulnerability that he discovered himself? There would be no patches.
If it's so easy to write one... (Score:4, Interesting)
Re:If it's so easy to write one... (Score:2)
Re:If it's so easy to write one... (Score:5, Interesting)
--
http://oss.netmojo.ca
Re:If it's so easy to write one... (Score:2)
If the reason behind it had anything to do with getting people to patch more, or making people more aware of security holes, then I'd have to say I support this sort of worms. I'm relat
Re:If it's so easy to write one... (Score:5, Interesting)
Let's think of a worst-case scenario, here...
The worm had a program to propagate itself in a space of 376 bytes. It had up to, what, 1500 bytes to carry whatever program it wished? Let's say it used those 1500 bytes to set up a program that would listen on a particular TCP port for instructions from the author's computer. Then, rather than propagating itself as fast as possible, it sends out a packet every few minutes, gradually and insidiously infecting all MSSQL servers on the Internet.
The 1100 extra bytes are used to write a program to disk, and then launch it. This program listens for connections on some high port, or perhaps just listens for UDP packets of a certain description (since it knows the firewall lets those through). At first, it simply catches all worm packets and records the IP addresses, so that it knows what other hosts are infected.
The author's computer listens for these packets, and makes a similar list of infected hosts. Then, when the time is ripe, he starts sending additional instructions to those hosts.
The hosts receive the new instructions, modify their program based on the contents, and then echo the packet out to the hosts in their lists. The author numbers the instruction packets, and the hosts make a note of which ones they've received and ignore repeats. That way, once all infected hosts are updated, the patches stop flying around.
One of the first instructions to be sent out is to make the program launch at boot time. Then, the infected computers are sent instructions to stop propagating themselves. They're sent instructions to report back to the original source. The author looks at the hosts, sends out special non-propagating instructions to military hosts to send him their data. He sends out instructions to hosts that may have access to credit card databases to send him the numbers and expiration dates. He gathers whatever other information he deems useful.
Then, he sends out an instruction for all hosts to delete all data from all databases.
How difficult would it be to write the initial program for that? How difficult to make those patches, and make them work? My guess is, someone who knows assembly well could pull it off. It may take a fair amount of time and patience, but the amount of money to be made is pretty considerable and could make it worthwhile. Hey, if I were going to write a malicious worm, that's how I would go about it.
But the most pertinent question is, how many MSSQL servers are still out there, unpatched, vulnerable, serving critical data?
Re:If it's so easy to write one... (Score:2)
Re:If it's so easy to write one... (Score:2, Interesting)
The point was that a majority of the people being affected are probably those that don't even know what windows update is to begin with. They probably wouldn't even notice the changes being made in the background by this worm.
Warhol (Score:5, Funny)
A "Warhol" worm wouldn't infect the Internet in 15 minutes, it would infect it for only 15 minutes.
Re:Warhol (Score:3, Funny)
There is no such thing as cyberterrorism (Score:5, Insightful)
Re:There is no such thing as cyberterrorism (Score:4, Insightful)
It was contemporary knowledge that ATMs use(d?) dedicated networks, primarily to protect against intrusion. If ATM traffic is now being routed across the 'net, VPN'd or not, the possibilities are endless.
As for "cyber terrorism" being a bullshit term, not entirely. Fine, loss of ATMs or e-mail won't panic most people (unless you're in the middle of a multi-billion-dollar, must-happen-now deal that's being conducted through e-mail), but you can do things through the 'net that will result in public disorder. A coordinated effort to modify the sites of all major news organisations could easily start a mass panic if the "right" message was presented - Even more so if web radio broadcasts were also tampered with to back the news sites.
Worm Analysis paper - "prior art" (Score:4, Informative)
How to 0wn the Internet in Your Spare Time [icir.org]
Interesting topics: "Better" worms techniques
"A combination of hit-list and permutation scanning can create what we term a Warhol worm, capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes. "
How to make super destructive worm (Score:4, Funny)
Unfortunately, such a scenario is but a dream. Modern operating systems are too secure!
Re:How to make super destructive worm (Score:2, Interesting)
Sounds like.. (Score:2)
Re:Sounds like.. (Score:2, Interesting)
*ring* hello? is virus there? Yea, hold on... (Score:3, Interesting)
Patching-based security won't work. (Score:4, Informative)
a call to the white hats? (Score:5, Interesting)
I am sure there are plenty of reasons not to do this, but if you asked the person politely like.
"Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer?
| Yes | No |"
*click*
"Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"
Another nail in the anti-virus coffin (Score:3, Insightful)
At work we all have this little anti-virus icon in our task bars, updating virus libraries from a central server (and slowing down all our machines as well). But if a new Outlook worm came out and we all started opening it, the anti-virus software would just ignore it until the patch came out. Even if the gap between us getting the worm and the patch was a few seconds, the damage would be done.
So why are we paying thousands of bucks a year for anti-virus when we know it probably will do nothing? Sure, it catches the occasional tired Word macro and maybe an antique trojan on an old floppy, but is that worth it?
Hmm.
Re:But there aren't 3 billion systems. (Score:3, Informative)
Perhaps not espec
Re:But there aren't 3 billion systems. (Score:2)
Re:But there aren't 3 billion systems. (Score:2)
Incidently, I was a CIRT responder for a "small hardware manufacturer in the Valley" during the event. Having seen first hand how hard Slammer hit our firewalls, I don't doubt the claimed traffic level here.
Re:But there aren't 3 billion systems. (Score:3, Insightful)
The same kind that,when you are driving, lets you know in one glance how many miles per hour you will cover if you stay at your current speed.
Seems pretty informative to me.
Re:But there aren't 3 billion systems. (Score:5, Informative)
If the worm spews out X packets over Y minutes, why would it change in the Y+n next minutes ?
Think about it yourself, the worm doesn't suddenly stop and think "hey I've infected 3 bn. systems now, I better slow down", it keeps on going, but as only a fraction of the 4 bn addresses in IPv4 are allocated and globally reachable it doesn't make sense to do an exhaustive test...
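As an added illustration (not from the thread, the CAIDA analysis or the icir.org paper), here is the standard random-scanning logistic model that ties together the two points argued above: the per-host scan rate and the number of still-unpatched hosts jointly set how fast a worm saturates, so shrinking the vulnerable population by patching stretches the time-to-saturation proportionally. The per-host scan rate and vulnerable-host counts used in `main()` are constructed assumptions, not figures from the page.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm draws targets from


def infection_rate_constant(scans_per_second: float, vulnerable_hosts: int) -> float:
    """K of the logistic model: expected new victims per second found by ONE infected host
    while almost all vulnerable hosts are still uninfected (scan rate x hit probability)."""
    return scans_per_second * vulnerable_hosts / ADDRESS_SPACE


def _logit(fraction: float) -> float:
    return math.log(fraction / (1.0 - fraction))


def time_to_fraction(K: float, vulnerable_hosts: int, target_fraction: float,
                     initial_infected: int = 1) -> float:
    """Closed-form solution of da/dt = K * a * (1 - a): seconds until target_fraction
    of the vulnerable population is infected, starting from initial_infected hosts."""
    a0 = initial_infected / vulnerable_hosts
    return (_logit(target_fraction) - _logit(a0)) / K


def simulate(scans_per_second: float, vulnerable_hosts: int, target_fraction: float,
             initial_infected: int = 1, dt: float = 1.0) -> float:
    """Discrete-time check of the closed form: every dt seconds each infected host fires
    scans at uniformly random addresses; a scan infects a host only if it lands on a
    vulnerable host that is not yet infected (expected-value step, no randomness)."""
    infected = float(initial_infected)
    elapsed = 0.0
    while infected < target_fraction * vulnerable_hosts:
        hit_prob = (vulnerable_hosts - infected) / ADDRESS_SPACE
        infected += infected * scans_per_second * hit_prob * dt
        elapsed += dt
    return elapsed


def main() -> None:
    scans_per_second = 4000      # constructed per-host scan rate
    for vulnerable in (75000, 37500):   # constructed: before and after half the fleet patches
        K = infection_rate_constant(scans_per_second, vulnerable)
        t90 = time_to_fraction(K, vulnerable, 0.9)
        print(f"{vulnerable:6d} vulnerable hosts -> K={K:.4f}/s, 90% infected after {t90/60:.1f} min")


if __name__ == "__main__":
    main()
```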
Re:But there aren't 3 billion systems. (Score:3, Interesting)
Actually, it's quite valid. Ask any cop who's ever pulled somebody over for doing 120KPH in a 40KPH zone, even though they only drove 5KMs. :)
Re:I'm still getting pestered by Code-Red. (Score:5, Informative)
Re:I'm still getting pestered by Code-Red. (Score:2)
Re:I'm still getting pestered by Code-Red. (Score:2)
BTW, I only start up apache on this machine just to see who comes knocking. Judging from some of the reactions, some folks don't know (or care) about the footprints of still-virulent worms. If someone were to be so careless as to leave an unpatched IIS on the net long enough, it too wou
Re:speaking of large attacks (Score:2, Funny)