Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Worms Going Further, Faster 301

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix login; passes along a few distilled factiods from a CAIDA analysis of the 'Sappire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"
This discussion has been archived. No new comments can be posted.

Worms Going Further, Faster

Comments Filter:
  • by ObviousGuy ( 578567 ) <ObviousGuy@hotmail.com> on Monday June 16, 2003 @07:20PM (#6218630) Homepage Journal
    There's a lot that can't be done about these things because at the very bottom of every system is a human being who will forget to patch the system or stupidly open an executable.

    There is no patch for human carelessness.
    • by rkz ( 667993 ) on Monday June 16, 2003 @07:23PM (#6218662) Homepage Journal
      Cut off their arms?
    • by laigle ( 614390 ) on Monday June 16, 2003 @07:33PM (#6218745)
      It's not even just that now. The latest rendition of Bugbear would send out an infected file named after a file on the computer it was sending from. I imagine the next generation mailers will check send records, or even incorporate spyware code, and mail themselves out using names of files the user sent recently, or selectively infect shared files to get loose on the network. For computers to be useful you have to have some level of trust, and as worms become smarter they can more easily exploit that fact.

      We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.
      • We need to stop stressing prevention quite so much and start dealing with what happens when a virus does get through.

        Harsher punishments for virus writers?

        Better system recovery process?
      • by Anonymous Coward
        Actually, the new Bugbear does selectively infect shared files. On my network, two 98 boxes had their entire C drives shared, while someone else (a laptop) became infected with the new Bugbear. Those two computers had only a few infected files, including:

        c:\program files\internet explorer\iexplore.exe
        c:\program files\outlook express\msimn.exe
        c:\program files\adobe\acrobat x.0\reader\acrord32.exe

        So it looks like the new Bugbear already selectively infects shared files.

        We need to stop stressing preventi
      • by RzUpAnmsCwrds ( 262647 ) on Tuesday June 17, 2003 @01:53AM (#6220482)
        "on the network. For computers to be useful you have to have some level of trust"

        This is what Palladium is all about. Executable code is signed, and it can only run if you choose to trust the publisher. Viruses are less of a problem because an infected file will fail signiture verification.

        Microsoft may be misguided with Palladium and the DRM goodies that it includes, but the underlying concept of trusted and untrusted code is a good one.

        Might I add, however, that the same thing can be done without the complete hardware implementation of Microsoft's product. A simple signed executable system would do the trick. Microsoft already uses this for ActiveX controls.
        • Although Palladium may help with some worms, since Outlook Express is a "trusted application" (at least by Palladium...), those .vbs scripts will be run as trusted apps; this will allow better than half of the viruses currently circulating to continue to do so.

          It's almost amusing to read my mail in kmail with HTML rendering turned off, and look over the attached scripts that arrive in my mailbox now and then. It makes me feel like an entomologist looking though a magnifying glass at a venomous spider pinn
    • learn from evolution (Score:3, Interesting)

      by Anonymous Coward
      <pontification>nature has evolved to fight biological infection by various means: genetic diversity, adaptive defensives. we could take a lesson from this.</pontification>
    • by pixelgeek ( 676892 ) on Monday June 16, 2003 @07:56PM (#6218884)
      -- There is no patch for human carelessness.

      The user isn't always to blame. What about the software developers who don't take even minimal efforts to protect their scripting systems?

      Yes, there will always be someone who will open attachments no matter how often you tell them not to.

      But perhaps the root issue isn't the fellow who can't stop clicking on Fireworks.exe files but the OS and application developers who enable and then don't patch systems that allow those users to be so easily exploited.
      • I think the root issue is the assholes who write the viruses in the first place, slack OS's and users just make their life easier.
    • by KrispyKringle ( 672903 ) on Monday June 16, 2003 @08:33PM (#6219146)
      Your assumption is that true security is a theoretical impossibility. On what grounds?

      I agree that it's not safe to rely on humans to keep systems patched. But, for one, if most systems are kept patched, a worm like SLAMMER would be useless. This is an obvious point you neglect, but not an interesting one.

      More interesting, I think, is the debate over whether there is such a thing theoretically possible as a secure architecture. This is, of course, the idea behind "secure" systems designed to be so from the ground up, such as Palladium. Ethernet, TCP/IP, ARP, and most of the other protocols which make up the 'Net were not designed with security in mind from the bottom up, but rather designed for effectiveness, ease of implementation, and the like. For example, why do Ethernet cards allow promiscuous mode? It makes diagnosing certain problems easier, but it also represents a very big opportunity for all sorts of security vulnerabilities. Or why can MAC addresses be changed so easily? This represents an easy opportunity for mischeif.

      But had the entire architecture of the 'Net been designed for security and accountability rather than ease of access and openness from the start (granted, two often-conflicting ideals), would absolute security be possible?

      Many say that security is never truly possible without unplugging the computer from the 'Net, turning it off, and embedding it in concrete. This may be exaggeration, but of course it is quite difficult to prove something secure; RSA has not be proven secure, public-key cryptography has not been proven secure, and I don't really see how you could prove any other system secure, either.

      This may not be necessary, however. We may not know for certain that RSA is secure, but we assume that the NSA does not know how to factor such large numbers any better than the rest of us, and we assume it to be secure (and such an assumption does appear valid). If enough evidence exists to assume a system to be "practically secure," that is enough for implementaiton.

      I have no answers to these questions. But I think to assume such a problem is unanswerable is silly and is itself merely a non-answer. Security may not be an easy goal, but it may be acheivable. At least in some forms, this is clearly the case; it would quite evidently be possible to stop some sorts of attacks, like SLAMMER, in the future, even if theoretical, absolute, security remains un-obtainable.

      • by knobmaker ( 523595 ) on Monday June 16, 2003 @09:11PM (#6219374) Homepage Journal

        Your assumption is that true security is a theoretical impossibility. On what grounds?

        Not to speak for the previous poster, but that's a pretty good assumption. No technological advance has ever succeeded in remaining secure for long.

        (Example: plate armor probably seemed impregnable in practical terms, until the longbow came along. Yeah, okay, a stinking peasant could hamstring a warhorse and beat the knight to death with a rock while he lay helpless on the ground, but these possibilities were probably ignored with the same superstitious enthusiasm that sysadmins ignore the rarer kinds of attacks on their systems.)

        I would think that the burden of proof falls on those who maintain that "true security" is attainable. And the minute you propose some system to guarantee that true security, some clever person will come along and propose a way to get around it.

        Anyone designing a critical security system should probably start off with the assumption that security will eventually be breached, and make damn sure that when the breach occurs, catastrophe does not result.

        • by GigsVT ( 208848 ) * on Monday June 16, 2003 @09:25PM (#6219447) Journal
          I'm no historian, but I bet plate armor was more for intimidation factor than anything else.

          I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.

          I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.

          Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change. :)
          • by KrispyKringle ( 672903 ) on Monday June 16, 2003 @10:44PM (#6219762)
            I'm not sure I'd agree with that assessment. With the shiny knights metaphor, anyone, regardless of education or background (or military experience, in this example) is intimidated simply on a gut level. But with computer security, if you are ignorant, you aren't indimidated by the latest firewall or the highest-encryption VPN. And if you know enough to be a threat, you know enough to know what armor works and what doesn't. Unlike your metaphor with medieval knights, the actual conflict is combat, and the defenses are secondary. With computer security, the conflict is the armor; anyone who is a "soldier" is also an armorer who knows what is strong and what is weak.

            Name a security measure that is mere intimidation. Name a measure that has no added value and is just shiny armor. (This does, admittedly, apply to local security measures using biometrics; thumbprint scanners are less secure, at least on the consumer-grade, and just cooler looking, but I don't think it applies quite the same way to real network security measures.)

            Your point is well-taken, that companies have no incentive to sell something that works above and beyond selling what sells, but it neglects that the two generally do go together and the leaders in the field tend to have true committment to security.

    • If we're talking about ultra-fast worms in particular, only the first problem matters. A piece of malware that depends on users getting to their email is going to talke longer than 15 minutes to spread.

      We could still be vulnerable even if everyone patched their systems, if someone writes the exploit before the patch comes out.

      Scary stuff.
    • i would vote for a slowing down the release cycle of software products. with the idea of 'new versions' every 18 months becoming common, it seems that there is more writing of code than debugging/optimizing.

      and i've said this before, certain software companies have not been very good about training administrators about patching, etc.

      eric
    • by Gordo_1 ( 256312 ) on Monday June 16, 2003 @09:21PM (#6219426)
      Actually, this is exactly where a portion of the security community is currently focusing. With a deep enough level of protocol understanding, it's often possible to write generalized algorithms that detect (and presumably block) novel attempts to exploit a known vulnerability. For example, in the case of SQL Slammer, the buffer overflow vulnerability disclosure came many months before the worm hit, and at least a couple intrusion detection vendors were able to positively identify the exploit attempt without requiring an update -- one of the keys to protection against such a rapidly propagating worm.
  • by Qweezle ( 681365 ) on Monday June 16, 2003 @07:20PM (#6218632) Journal
    I'm wonderfully happy to live in a world where the only large-scale communication network is prone to mass disruption and/or destruction at the drop of a pin. Great.
  • by Anonymous Coward on Monday June 16, 2003 @07:22PM (#6218643)
    Fast moving worms are harder for those pesky birds to get at.

  • damn. (Score:4, Funny)

    by wo1verin3 ( 473094 ) on Monday June 16, 2003 @07:22PM (#6218648) Homepage
    I thought this article was about Worms 2 being released for linux :(
  • by Anonymous Coward
    It was terrible. I had to take lots of drugs.
  • by eupheric ( 618980 ) on Monday June 16, 2003 @07:24PM (#6218673)
    obligatory dumb and dumber:
    LLOYD
    (smiling)
    I got worms.

    MARY
    I beg your pardon?

    LLOYD
    That's what we're gonna call it: I
    Got Worms. We're gonna specialize in
    selling worm farms â" you know, like
    ant farms. A lot of people don't
    realize that worms make much better
    pets than ants. They're quiet,
    affectionate, they don't bite, and
    they're super with the kids.

    MARY
    Aren't ants quiet, too?
  • by Sheetrock ( 152993 ) on Monday June 16, 2003 @07:24PM (#6218674) Homepage Journal
    Where it is the point in this matter nowadays? It really took talent to write malware in the old days, what with having to be able to get the virus in the executables and boot sectors of floppy disks, but now everything looks like a work of the VBScript cut-and-paste. Why is it so hard to find the author of these programs?
    • by oneishy ( 669590 ) <jczebota@[ ]ishy.com ['one' in gap]> on Monday June 16, 2003 @07:31PM (#6218729) Homepage
      Actually 'the Sapphire Worm' [caida.org] was just 376 bytes long. Not much extra code in that assembly program to track an author by.
    • by Read Icculus ( 606527 ) on Monday June 16, 2003 @07:41PM (#6218793)
      Maybe the "delinquents" are actually pretty damn smart. Smart enough to not get caught because they take proper security precautions. Like others have said this worm was a pretty smooth little hack. All over UDP and in a single packet. Anyway at least when a worm like this comes along people start paying attention to actually fixing the problem. If no one exploited the vulnerability then folks like MS might never get around to fixing it. When something like this is front-page news and on CNN normal folks sit up and take notice. Maybe enough notice to try and make their systems more secure, or perhaps switch to a more secure preogram/OS. Not that I like viruses and worms, quite the opposite is true. I remember when my ISP got a worm, (Code Red I think), and infected me. The incident certainly made me more security conscious, and I now have a new ISP that I hope has more of a clue than my old one.
      • by PhxBlue ( 562201 ) on Monday June 16, 2003 @08:23PM (#6219089) Homepage Journal

        Actually, Microsoft had released a patch for the vulnerability that was exploited. Unfortunately, no one (including Microsoft) bothered to implement it.

    • by PetiePooo ( 606423 ) on Monday June 16, 2003 @07:45PM (#6218825)
      Not to nitpick, but the SQL Slammer [silicondefense.com] worm appeared to be written in assembly. It is quite interesting to read through the source. [boredom.org] [alt] [immunitysec.com] [alt] [eeye.com]

      While the PRNG isn't of the highest quality, its brevity is what allowed it to spread so quickly. An infected system was sending out packets as fast as the outbound pipe could handle it. A smaller virus, even by a few bytes, would mean that much faster of an infection rate.

      By and large, you're right about VBScript making for simple virii, but this isn't the one to use as an example.
    • by aphor ( 99965 ) on Monday June 16, 2003 @08:02PM (#6218923) Journal

      Why is it so hard to find the author of these programs?
      Because there are so many no-talent hacks out there who *could* have written that lump of nasty crap.

      In the beginning days, on the Apple ][ computers in my grade-school, we learned to guess our way through cracking floppy-disk copy-protected games by comparing a cracked game and a pristine byte-by-byte copy of the original. We eventually learned that a certain byte word combination was the first hardware keyboard access, and we could guess that spot was a good place to stick a jump. Then we tried a few addresses until it worked. In grade school.

      Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

      What really grabbed me was how a really good (insidious) virus could have such a low footprint that it could go undetected for so long. The programmers of those viruses were gifted binary ecologists. I knew then that the games I played were bloated when one year the game took one disk, and the second year you had to swap two disks even though there was little extra play for all the extra data. I envied the virus programmers for their wizardly and miserly command of the machine's meager resources. I even dreamt of the day that I could crank one out like putting together a jigsaw puzzle.

      Now I am older, and the opportunity for that conquest was stolen by Moore's Law. The games (and all software in general) got bloatier and bloatier. There was so much waste, and the machines got so fast so fast, that I saw clever programming die. I was sad. It wasn't until (after I bought a student copy of Borland C++ and was stultified by the massive bloat of win16 API) that I became acquainted with Unix (FreeBSD in particular) around 1.2.1 vintage. I rediscovered elegant software.

      Now, I understand the vulgar joy in duping someone else, but only a jackass gets off duping people who compare to invertibrates on an intellectual scale. VB worms are the modern-day equivalent of burning ants with a magnifying glass. "Letth thaw off hith tweeter Beavith! Hehehehehe Heheheheh..."

      • by Tackhead ( 54550 ) on Monday June 16, 2003 @09:49PM (#6219562)
        > Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

        Grok!

        I still remember stunning some of my cow orkers by saying from two cubicles away, "Dude, run a virus scanner. There's no reason your floppy drive should be doing that many seeks across the entire width of the disk. Something's writing to the FAT or boot sector every time you access any files. Probably a virus. Kill it before it kills you."

        To this day, they still no idea how I knew about that without even looking at the screen or touching the box, but from where I sat it was just obvious (when I first heard that pattern of seeks and asked if the guy was copying 100 small files to the floppy, and he said "no") that something on that box was fucked up. (And fucked up in a way that MS-DOS, all by itself, wasn't :)

        Funny note - the virus in question was indeed a boot sector virus, and was pretty much harmless on Win3.1 boxen. Not so on an NT box. If only I'd come to work one day before. Yuk.

  • by Renraku ( 518261 ) on Monday June 16, 2003 @07:25PM (#6218675) Homepage
    A good set of vulnerabilities across multiple hardware configurations and OSes is a great start. An interesting idea would be to sync the worms up based upon a reading from a certain timezone on time.gov. Make them start scanning all IPs for vulnerable, uninfected machines at the same time. So not only do you get the chance to infect, but you DDoS. Fun stuff. Also, you could make it infect unprotected routers and give the virus 'priority' in transmissions, etc, etc.
  • UDP all the way! (Score:5, Insightful)

    by Gothmolly ( 148874 ) on Monday June 16, 2003 @07:25PM (#6218677)
    The nice part about Slammer is that it could just spew data - if it hit you, and you were vulnerable, you were infected. It didn't require any complicated TCP sessions, was MUCH nicer on host resources, and the entire hack fit inside a single packet. Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.
    • Re:UDP all the way! (Score:3, Informative)

      by b1t r0t ( 216468 )
      Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.

      Whatever you gain by compressing something that small, you lose in the space that the decompression code takes up, unless the OS provides a decompression service for you.

      The way Slammer worked, it had to fit in a single packet, which meant it had about 1500 bytes to work with. That means it could have been more than four times bigger than it was, but no more.

  • More platforms (Score:2, Interesting)

    by Anonymous Coward
    I'm still waiting for a Cisco IOS bug to be discovered that is present in all 12.x series code. I can't wait to see the worm for that one :D
  • by Anonymous Coward on Monday June 16, 2003 @07:26PM (#6218689)
    • It's not a description of an actual worm, it's not even a description of how to build a worm, it's a vague description of how a worm might be constructed:

      1. Scan internet servers looking for vulnerable software
      2. Infect said software.

      Duh. The author writes, "I didn't write this paper to give people malicious ideas." -- It's okay! There's nothing in the paper that would assist people in doing anything useful!
  • by XxtraLarGe ( 551297 ) on Monday June 16, 2003 @07:28PM (#6218702) Journal
    Thank God I've got a Mac! It's hard enough to get regular software ported, I doubt that many people would invest time to port a worm, except "Worms Blast" =D
    • by dfj225 ( 587560 ) on Monday June 16, 2003 @07:38PM (#6218776) Homepage Journal
      I would imagine that worms and other viruses are not really a problem to most Windows users that you would find on this site. I know that a vast majority of the viruses are spread using holes in Outlook, which is probably unpopular with this crowd. Also, people here know enough that you really need a virus scanner for full protection. I use Windows XP, and haven't had a virus yet. I also use Mozilla mail instead of outlook.
    • If Slammer or it's ilk takes your subnet down, it doesn't matter if you're using a C64, you're getting hosed.

      I use a Mac, too, but I have no illusion of immunity.
    • by PhoenixFlare ( 319467 ) on Monday June 16, 2003 @07:42PM (#6218803) Journal
      Oh please...

      The installed base of Macs is so small compared to Windows PCs, there's no reason to write worms that affect Apple machines.

      You can bet your ass that if Macs were as ubiqutous as x86 machines, they'd be getting slammed with worms too....That cocky attitude gets really grating.

    • But (Score:5, Funny)

      by commodoresloat ( 172735 ) on Monday June 16, 2003 @09:17PM (#6219409)
      Everyone knows that worms DO infect apples.
  • Some day (Score:3, Funny)

    by Anonymous Coward on Monday June 16, 2003 @07:29PM (#6218711)
    Some day, we will all curse like sailors and have to reboot every god damned machine we have - maybe even revert to latest backup. Some day, the apocalypse will hit us, and Internet will cough for a day like it had the SARS. And then you hope your mother wasn't in hearing range.
  • by univgeek ( 442857 ) on Monday June 16, 2003 @07:35PM (#6218754)
    For a world-wide problem with worms, cross-platform worms are not required - just a simultaneous release of single platform worms. The spreading algo would be common, the payload and infection mechanism platform specific.

    One for windows, one for linux, one for routers/switches...

    Imagine the impact. Would the internet survive?

    The only things preventing this might be the fact that no single person has the required experience in all the platforms, and vulnerabilities in non-windows OS's are typically more difficult to exploit.
    • by account_deleted ( 4530225 ) * on Monday June 16, 2003 @07:44PM (#6218817)
      Comment removed based on user account deletion
    • I disagree, too many variations in hardware, software on the Linux / router&switch side of things. One of the things that makes it easy to infect Windows systems is that if you know a server is running W2K, you can assume the hardware is x86, you know which files exist on that system, and (most importantly) you know the structure of those executables since they are identical across installations. With Linux, compiler optimizations and kernel configurations make code injection points almost impossible t
      • So target x86 with one set of attack vectors, Alpha with another, VAX with another, etc... Can't figure out which system you are attacking? Include some fingerprint code in your virus. Sure, it's not completely reliable, but we're talking about a massive increase in the number of comprimised targets.

        Vulnerabilities exist for all of them. Information exists for all of them. It's just a matter of time until someone with the talent decides to do it.
    • by gregfortune ( 313889 ) on Monday June 16, 2003 @08:13PM (#6219001)
      Oh, come on. From the quality of code we've seen in the recent "big" worms, any idiot with a little spare time can write a reasonably effective worm. We're lucky that no one really talented has had a motive for writing a really nasty worm (read cross-platform and well written with a huge number of attack vectors and a deadly payload).

      Write a Windows worm?
      Sure, watch the security bulletins from MS and associated companies and include a few exploits in your worm. You know we won't run out of people who haven't patched yet.

      Write a Linux worm?
      Sure... See above? It's the same.... There are platform differences as far as library calls, hooking into e-mail, etc, but a little time would solve that easily.

      Write a .... worm?
      Umm. See above? Just wash, rinse, repeat... All we're talking about is a little time.

      Seriously, I'm waiting for someone slightly talented to get pissed off at technology in general. That will be the day people running automatic daily updates on (pick your platform) will be happy they've got a patched system and banging their head against the wall 'cause their ISP didn't.
  • Problems (Score:5, Insightful)

    by cfreeze ( 146454 ) on Monday June 16, 2003 @07:38PM (#6218774) Homepage
    One problem with saying that Slammer or any "flash worm" is that bandwidth and current infastructure isn't taken into account. Any worm taking on activity levels (as seen by how the whole Internet seemed to slow down) of this magnitude tend to self contain themselves at local router or node bottlenecks. As links go to fiber this won't hold, but atleast for now it does.
  • by maliabu ( 665176 ) on Monday June 16, 2003 @07:42PM (#6218805)
    in THE Doomsday, those who don't believe will be wiped out.

    so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

    and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.
  • by DynamiteNeon ( 623949 ) on Monday June 16, 2003 @08:08PM (#6218961)
    Why doesn't someone just make a worm that goes around and downloads Windows and SQL server updates to patch against all these worms? I realize Microsoft doesn't have the best track record even with their updates, but it would still probably solve some problems. And yes, I realize there's something wrong with forcing people to install updates, but consider the alternative of reading these articles every week here.
    • First, it's illegal and if you got caught, well... Second, and more importantly ('cause I really don't care if you get your butt thrown in jail<grin>), it would very likely break applications on a good sized portion of the machines you "updated"
    • by FLoWCTRL ( 20442 ) on Monday June 16, 2003 @08:32PM (#6219142) Journal
      There was a lot of speculation in the security community that this is effectively what the "Slammer" worm was -- a non-malicous worm that forced everyone to patch their software. Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload. All it did was propogate itself. The DoS effect was just a result of the massive increase in network traffic from its propogation. It could have been way, way worse.

      --
      http://oss.netmojo.ca

      • You know, if I had mod points, I'd give you a +1 interesting. That's something that never would have crossed my mind. I suppose part of the reason it wouldn't have occured to me is because I didn't know (read: wasn't infected, didn't care) what exactly slammer did. I think I was playing paint ball the weekend it hit hard ;).

        If the reason behind it had anything to do with getting people to patch more, or making people more aware of security holes, then I'd have to say I support this sort of worms. I'm relat
      • by PetWolverine ( 638111 ) on Monday June 16, 2003 @11:40PM (#6220000) Journal
        Remember that although this worm could have executed any code it wanted on all of those hosts, it had no malicious payload

        Let's think of a worst-case scenario, here...

        The worm had a program to propagate itself in a space of 376 bytes. It had up to, what, 1500 bytes to carry whatever program it wished? Let's say it used those 1500 bytes to set up a program that would listen on a particular TCP port for instructions from the author's computer. Then, rather than propagating itself as fast as possible, it sends out a packet every few minutes, gradually and insidiously infecting all MSSQL servers on the Internet.

        The 1100 extra bytes are used to write a program to disk, and then launch it. This program listens for connections on some high port, or perhaps just listens for UDP packets of a certain description (since it knows the firewall lets those through). At first, it simply catches all worm packets and records the IP addresses, so that it knows what other hosts are infected.

        The author's computer listens for these packets, and makes a similar list of infected hosts. Then, when the time is ripe, he starts sending additional instructions to those hosts.

        The hosts receive the new instructions, modify their program based on the contents, and then echo the packet out to the hosts in their lists. The author numbers the instruction packets, and the hosts make a note of which ones they've received and ignore repeats. That way, once all infected hosts are updated, the patches stop flying around.

        One of the first instructions to be sent out is to make the program launch at boot time. Then, the infected computers are sent instructions to stop propagating themselves. They're sent instructions to report back to the original source. The author looks at the hosts, sends out special non-propagating instructions to military hosts to send him their data. He sends out instructions to hosts that may have access to credit card databases to send him the numbers and expiration dates. He gathers whatever other information he deems useful.

        Then, he sends out an instruction for all hosts to delete all data from all databases.

        How difficult would it be to write the initial program for that? How difficult to make those patches, and make them work? My guess is, someone who knows assembly well could pull it off. It may take a fair amount of time and patience, but the amount of money to be made is pretty considerable and could make it worthwhile. Hey, if I were going to write a malicious worm, that's how I would go about it.

        But the most pertinent question is, how many MSSQL servers are still out there, unpatched, vulnerable, serving critical data?
    • some one sent one to one of my website server and called it codeBlue, it was supposed to patch server vulnerable to codeRed. No idea if it did or not, we were on an Irix server.
  • Warhol (Score:5, Funny)

    by Anonymous Coward on Monday June 16, 2003 @08:20PM (#6219069)
    a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."'
    A "Warhol" worm wouldn't infect the Internet in 15 minutes, it would infect it for only 15 minutes.
    • Re:Warhol (Score:3, Funny)

      by retto ( 668183 )
      I think a virus with a 15 minute life would be a good idea. It could pop in, say 'gotcha,' a little 'how's your father,' and then retire with a little dignity. Too many viruses nowadays overstay their welcome and just wind up looking kind of pathetic. Every now and then I hear about Nimba or even Michelangelo trying to make a comeback with the Wizards and kind of ruins the memory of them from when they were in their prime. The good ones...they leave the game before the game leaves them...
  • by DmitriA ( 199545 ) on Monday June 16, 2003 @08:22PM (#6219080)
    Schneier raises some good points regarding this issue in this month's Crypto-Gram [counterpane.com].


    In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability. We simply don't understand the interactions well enough to predict which kinds of attacks could cause catastrophic results, and terrorist organizations don't have that sort of knowledge either -- even if they tried to hire experts. ...

    Despite our predilection for calling anything "terrorism," these attacks are not. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That causes annoyance and irritation, not terror.

    This is a difficult message for some, because these days anyone who causes widespread damage is being given the label "terrorist." But imagine for a minute the leadership of al Qaeda sitting in a cave somewhere, plotting the next move in their jihad against the United States. One of the leaders jumps up and exclaims: "I have an idea! We'll disable their e-mail...." Conventional terrorism -- driving a truckful of explosives into a nuclear power plant, for example -- is still easier and much more effective.

    • by sn00ker ( 172521 ) on Monday June 16, 2003 @09:33PM (#6219488) Homepage
      In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability.
      Now, was it not the case that it was the network load, rather than the worm, that caused these problems?
      It was contemporary knowledge that ATMs use(d?) dedicated networks, primarily to protect against intrusion. If ATM traffic is now being routed across the 'net, VPN'd or not, the possibilities are endless.

      As for "cyber terrorism" being a bullshit term, not entirely. Fine, loss of ATMs or e-mail won't panic most people (unless you're in the middle of a multi-billion-dollar, must-happen-now deal that's being conducted through e-mail), but you can do things through the 'net that will result in public disorder. A coordinated effort to modify the sites of all major news organisations could easily start a mass panic if the "right" message was presented - Even more so if web radio broadcasts were also tampered with to back the news sites.

  • by versus ( 59674 ) on Monday June 16, 2003 @08:53PM (#6219271) Homepage
    This paper appears in the Proceedings of the 11th USENIX Security Symposium (Security '02)

    How to 0wn the Internet in Your Spare Time [icir.org]

    Interesting topics: "Better" worms techniques

    • Localized scanning--Code Red II
    • Multi-vector worms--Nimda
    • Hit-list Scanning
    • Permutation Scanning
    • Simulation of a Warhol Worm

    "A combination of hit-list and permutation scanning can create what we term a Warhol worm, capable of attacking most vulnerable targets in well under an hour, possibly less than 15 minutes. "

  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Monday June 16, 2003 @09:04PM (#6219338)
    A really nice way to make an extremely destructive worm would be to ensure that the great majority of computers connected to the internet are running the exact same operating software. This would guarantee that a vulnerability can reliably be exploited in pretty much any neighbor.

    Unfortunately, such a scenario is but a dream. Modern operating systems are too secure!
    • The worm I am afraid of is one that learns (or at least adapts) using some sort of evolution-based algorthm. Several million computers is a sufficient "population" for the worms to gain a lot of knowledge about what works and what doesn't.
  • This sounds like Ender's Worm [waynesreview.com]. Very interesting read.
    • Re:Sounds like.. (Score:2, Interesting)

      by brian728s ( 666853 )
      It is similar, but not quite the same (ender's worm). The worm would be based on a neural network capable of storing various infection and spreading techniques. Coupled with the neural network would be the âoestandardâ worm tools for infection and stealth. The core receives additional training information from other infected computers. The first time a worm is activated, it creates copies of itself on the host in various places using various techniques. Many of these may be discovered. Their
    • The problem with Ender's worm is that by design it is self-defeating. The idea of a "worm farm" of different units targetting different systems is effective, but with a common communications protocol, it negates the worms' ability to evolve and thwart detection. The writer of the paper talks about the worms' needs to change signatures to avoid AV detection, yet communicate with other units by a common question-and-response session, which would make it incredibly easy for any infected unit on the network t
  • by Animats ( 122034 ) on Tuesday June 17, 2003 @12:29AM (#6220178) Homepage
    A key point of this article is patch-based security won't work, and signature-based virus scanning won't work, against a competent attacker. If someone discovers a new exploit and crafts a fast-spreading attack based on it, the attack can take over a vast number of hosts long before there's any response.
  • by Vaughn Anderson ( 581869 ) on Tuesday June 17, 2003 @12:41AM (#6220220)
    Hey, when is someone going to be nice enough to the world to make a purty li'l worm that actually shuts off all the security features that are exploited in Outlook...

    I am sure there are plenty of reasons not to do this, but if you asked the person politely like.

    "Hello, this is your friendly internet virus fighter coming to say hello and give you a hand! Would you like to turn off the features now that allowed me to hack into your computer?
    | Yes | No |"

    *click*

    "Thank you and have a nice day! If I come back again that means a new hole/exploit was found in Outlook and I can give you another helping hand!"
  • by gilgongo ( 57446 ) on Tuesday June 17, 2003 @06:10PM (#6227308) Homepage Journal
    Ever since explorezip (the worm before that I Love You thing) appeared and wiped out most of our office network, I have thought that the whole anti-virus industry was on the back foot.

    At work we all have this little anti-virus icon in our task bars, updating virus libraries from a central server (and slowing down all our machines as well). But if a new Outlook worm came out and we all started opening it, the anti-virus software would just ignore it until the patch came out. Even if the gap between us getting the worm and the patch was a few seconds, the damage would be done.

    So why are we paying thousands of bucks a year for anti-virus when we know it probably will do nothing? Sure, it catches the occasional tired Word macro and maybe an antique trojan on an old floppy, but is that worth it?

    Hmm.

A triangle which has an angle of 135 degrees is called an obscene triangle.

Working...