RE: [ISN] What, Me Worry About Warhol Worms?

From: InfoSec News (isnat_private)
Date: Sat Aug 18 2001 - 01:28:42 PDT

  • Next message: InfoSec News: "[ISN] The Code Red worm can cause minor Mac problems"

    Forwarded from: Rogan Dawes <rdawesat_private>
    
    Comments inline.
    
    Forwarded from: "Jay D. Dyson" <jdysonat_private>
    
    Hi folks,
    
    	I've seen this fly across a number of lists lately:
    
    	Warhol Worms: The Potential for Very Fast Internet Plagues
    	http://www.cs.berkeley.edu/~nweaver/warhol.html
    
    	While Mr. Weaver does raise some compelling points about the
    	possibility of a Warhol Worm (catchy term!), there are some problems
            with the model he presents.
    
    	1.	Connection timeout:
    		Not every IP on the 'net is alive.  And some that are
    		alive don't respond to pings or vanilla TCP scans.
    
    Nick was not suggesting pinging, I think. Simply send the SYN, and wait for
    an ACK. The worm could use nmap style scanning techniques to keep a record
    of who it had scanned, without clogging up the connection table. It would be
    able to timeout a lot quicker (and scan a lot faster) this way than if it
    used the native OS connect implementation, I think.
    
    	2.	Firewalls:
    		Not every system behind a firewall is NAT'd.  Some systems
    		have routable IPs behind those firewalls (don't ask me
    		why).
    
    How does this slow the propagation of the worm? Sure, in some cases, the
    worm won't get out past the firewall again, but perhaps at that point, it
    falls back to local network scanning, for the machines it can get to. Do an
    initial test for connectivity against a selection of highly available
    servers, e.g. Microsoft.com to see if can get out.
    
    	4.	Honeypots:
    		HIDS configured to bind to ports typically used by known
    		vulnerable services.  The worm "crawls in," but it won't
    		crawl out.
    
    Given the numbers of honeypots out there (guess: a couple of thousand, max),
    I don't see that that would have a significant effect on the spread of the
    worm. Unless the first box infected is a honeypot, and it has the entire
    initial hitlist, of course, or a substantial portion thereof.
    
    	5.	Human error:
    		As every worm released thus far shows, we're only human.
    		Every worm from the Morris worm of the '80s to the Code
    		Red have suffered from programmatic mistakes.  It's just
    		the nature of the beast.
    
    I wouldn't like to count on that :-)
    
    	6.	Hurry Up and Wait:
    		If such a worm were to start propagating at such prodigous
    		speeds, it would ultimate start tripping over itself.  The
    		first network that would be a victim of it would likely
    		suffer network saturation.  This would in turn slow the
    		propagation to other networks significantly.
    
    Not if it starts with a hitlist, it wouldn't. That way, the initial
    population is fairly well spread out, and does not impact other instances.
    ULTIMATELY, it will start tripping over itself, but at that point, it is
    because it has already infected the majority of the machines out there.
    
    	All these factors taken together will greatly increase -- by at
    	least an order of magnitude -- the purported Warholian window.  
    
    	Sure, the notion of a fast-moving worm seems scary on the face. 
    	There is admittedly no effective human response to it...but when you
            get right down to it, the same is true for the
            slow-as-molasses-in-January worms. 
    
    	With all of that in mind, the timeframe of spread isn't the
    	alarming part.  The alarming part is that most vendors and admins
            are still sitting on their thumb when it comes to sound
            security practices. 
    	*That* is truly the cause for alarm here. 
    
    This I can't disagree with. Given the size of the second Code Red infection
    population, a month later, it could spread at a far slower rate, and STILL
    get most of the vulnerable machines out there . . . 
    
    	- -Jay
    
    Rogan
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Sat Aug 18 2001 - 03:30:57 PDT