[ISN] How bigger, badder Code Red worms are being built

From: InfoSec News (isnat_private)
Date: Tue Sep 04 2001 - 23:12:34 PDT


    Robert Vamosi,
    Associate Editor,
    ZDNet Reviews
    Wednesday, September 5, 2001

    As I write this, there are two new fast-spreading Internet worms for
    Windows users: Apost does the now-familiar "e-mail itself to everyone"
    thing we've come to expect from Windows worms and viruses, except this
    worm sends multiple copies of itself. And then there's an updated
    version of Magistr, redesigned to infect even more users with its
    destructive payload. Faster propagation has been the trend with Win32
    viruses and worms, but what if rapid propagation methods were employed
    for network-savvy worms such as Code Red? Well, someone has already
    given thought to that.

    Andy Warhol is famous for saying "In the future, everyone will be
    world-famous for 15 minutes." Nicholas Weaver at UC Berkeley has
    written a paper describing how the author of some future Code Red-like
    worm could seed it with a "hit list" of 10,000 to 50,000 "well
    connected" Internet servers before launching it. The advantage, he
    argues, is that even if only 10 to 20 percent of the listed servers
    are vulnerable to the worm's exploit, that is still an enormous head
    start over Code Red and previous worms, which had to find their first
    victims by blind random scanning. The list is split between parent and
    child at each new infection, so every copy works a disjoint part of it
    and nobody wastes time rescanning hosts another copy already owns.
    Weaver adds that the initial 10 percent infection could be achieved in
    the first minute or so; he then estimates that his "uberworm" could
    infect most of the vulnerable Internet within 15 minutes (hence the
    Warhol worm).

    NOT TO BE OUTDONE, the team of Stuart Staniford, Gary Grim, and Roelof
    Jonkman at Silicon Defense proposed an even greater propagation rate:
    they argue that a "flash worm" could infect the vulnerable Internet in
    30 seconds. The idea is that a worm writer could scan the Internet in
    advance and identify almost all of the vulnerable systems before
    launching the worm, so the worm never has to search at all. With a
    very fast Internet connection (they mention an OC-12 link), they argue
    that even a 48MB list of vulnerable Internet addresses could be sent
    out in about 4 minutes.

    Jose Nazario, a biochemist by trade who has previously offered
    valuable insights on digital worms, points out that neither of these
    papers takes into account the basic elements of propagation on the
    Internet. Nazario points to an IBM paper called "How Topology Affects
    Population Dynamics," which looks at lessons learned from biological
    infections and how, with an understanding of this model, programmers
    might better design future digital organisms (they don't specifically
    say "worms").

    Basically, the authors of both the Warhol and flash worm papers
    assumed a fully mixed Internet model, in which every node to be
    infected is a neighbor of every other node and any copy of the worm
    can reach any host on its list directly. The reality, with its
    firewalls, filtered links and unevenly connected networks, is much
    more complicated. That is what Nazario says torpedoes the technical
    merits of both of these studies.

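    To make the three models above concrete, here is a small discrete-time
    simulation added for this page; it is not code from Vamosi's column or
    from any of the papers it cites. Host identifiers, the vulnerable subset
    and the hit list are all constructed from a seeded random generator, and
    the "ring" topology (each host can only contact the 50 hosts nearest to
    it) is an assumed toy stand-in for a constrained network, not a model of
    the real Internet. A hit list covering none of the vulnerable hosts is
    plain random scanning, a partial list is Weaver's Warhol worm with his
    parent/child list partitioning, and a complete list is the flash worm.
    The worm is deliberately blind to topology: a list entry it cannot reach
    is simply wasted, which is the assumption Nazario criticises.

```python
"""Toy discrete-time model of hit-list worm propagation.

Constructed example: host ids, the vulnerable subset and the hit list are
generated from a seeded RNG; nothing here is measured Internet data.
"""
import random
from collections import deque


def reachable(src, dst, n_hosts, reach):
    """reach=None: fully mixed, every host can contact every other (the
    assumption in the Warhol and flash worm papers). Otherwise hosts sit on
    a ring and can only contact the `reach` hosts nearest to them (assumed
    toy topology)."""
    if reach is None:
        return True
    d = abs(src - dst)
    d = min(d, n_hosts - d)
    return 0 < d <= reach // 2


def random_target(src, n_hosts, reach, rng):
    """One random-scan attempt: anywhere (fully mixed) or somewhere in range."""
    if reach is None:
        return rng.randrange(n_hosts)
    return (src + rng.randint(-(reach // 2), reach // 2)) % n_hosts


def simulate(n_hosts=2000, vulnerable_frac=0.2, scan_rate=4,
             hit_list_frac=0.0, reach=None, seed=1, max_ticks=300):
    """Return (infected count per tick, number of vulnerable hosts)."""
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(n_hosts), int(n_hosts * vulnerable_frac)))
    patient_zero = min(vulnerable)
    # The hit list: a pre-scanned sample of the vulnerable hosts, carried by
    # patient zero. hit_list_frac=0 is plain random scanning (Code Red), a
    # partial list is a Warhol worm, 1.0 is the flash worm's "scan first".
    n_hit = int(len(vulnerable) * hit_list_frac)
    queues = {patient_zero: deque(rng.sample(sorted(vulnerable), n_hit))}
    infected = {patient_zero}
    history = [1]
    for _ in range(max_ticks):
        if len(infected) == len(vulnerable):
            break
        for host in list(infected):       # hosts infected this tick scan next tick
            q = queues[host]
            for _ in range(scan_rate):
                from_list = bool(q)
                target = q.popleft() if from_list else random_target(host, n_hosts, reach, rng)
                if target in infected or target not in vulnerable:
                    continue
                if not reachable(host, target, n_hosts, reach):
                    continue              # list entry useless from here: topology bites
                infected.add(target)
                # Hit-list partitioning: the new child takes half of the
                # parent's remaining list so the two work disjoint parts.
                child = deque()
                if from_list:
                    for _ in range(len(q) // 2):
                        child.append(q.pop())
                queues[target] = child
        history.append(len(infected))
    return history, len(vulnerable)


def ticks_to_fraction(history, total, frac):
    """First tick at which at least frac*total hosts are infected, else None."""
    for tick, count in enumerate(history):
        if count >= frac * total:
            return tick
    return None


def run_scenarios(seed=1):
    """Ticks needed to infect 90% of the vulnerable hosts under each model."""
    scenarios = {
        "random scan, fully mixed": dict(hit_list_frac=0.0, reach=None),
        "Warhol hit list, fully mixed": dict(hit_list_frac=0.25, reach=None),
        "flash hit list, fully mixed": dict(hit_list_frac=1.0, reach=None),
        "random scan, ring (reach 50)": dict(hit_list_frac=0.0, reach=50),
        "flash hit list, ring (reach 50)": dict(hit_list_frac=1.0, reach=50),
    }
    results = {}
    for name, kw in scenarios.items():
        history, total = simulate(seed=seed, **kw)
        results[name] = ticks_to_fraction(history, total, 0.9)
    return results


if __name__ == "__main__":
    for name, ticks in run_scenarios().items():
        print(f"{name:34s} {'never' if ticks is None else ticks:>5}")
```

    Under the fully mixed assumption the complete hit list finishes in a
    handful of ticks, the partial list is slower only because it has to fall
    back to random scanning once its entries are used up, and random scanning
    alone is slowest. Put the same worms on the ring and the picture changes:
    the infection can only advance as a front along the neighbourhood
    structure, and most of the pre-scanned list is unreachable from whichever
    copy happens to hold it. The absolute tick counts mean nothing outside
    this toy; the ordering is the point.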
    SO WHY even mention this research? Nicholas Weaver himself writes that
    he is leaving his paper online so that people can understand, with
    documentation, what danger there is in a homogeneous Internet. Someone
    will attempt to do what these authors have described, and someone
    might someday make a worm that "flashes" the entire Internet with a
    malicious payload. Rather than be caught unaware, isn't it better to
    realize this is out there and take steps to minimize its impact?

    Weaver proposes that companies use default-deny firewalls, where
    "that which is not explicitly allowed is forbidden," rather than
    blocking only known-bad traffic. He further suggests internal
    firewalls throughout the company, so that one compromised segment
    cannot reach every other, and regular security audits. He adds,
    "regular backups are also essential." He further suggests that:
    "Homogeneous populations, whether in potatoes or computers, are always
    more vulnerable to diseases." That is something to remember before
    standardising every server on your network on a single platform. Just
    as biodiversity has kept life going on Earth, diversity in operating
    systems and server software limits the share of hosts a single exploit
    can reach, and a worm cannot spread faster than the population that is
    vulnerable to it.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
