[ISN] Researchers predict worm that eats the Internet in 15 minutes

From: InfoSec News (isnat_private)
Date: Tue Oct 22 2002 - 01:56:54 PDT


    By Ellen Messmer
    Network World Fusion
    Computer science researchers are predicting new types of dangerous
    worms that would be able to infect Web servers, browsers and other
    software so quickly that the working Internet itself could be taken
    over in a matter of minutes.
    Though still in the realm of theory, the killer worms described in a
    research paper entitled, "How to Own the Internet in Your Spare Time",
    are triggering some skepticism but the idea of them is seldom
    dismissed as outlandish science fiction.
    The three authors of the research, published two months ago, present a
    future where worm-based attacks use "hit lists" to target vulnerable
    Internet hosts and equipment, such as routers, rather than scanning
    aimlessly as the last mammoth worm outbreaks, Nimda and Code Red, did
    last year. And this new breed of worms will carry dangerous payloads
    to allow automated denial-of-service and file destruction through
    remote control.
    "Code Red and Nimda could have spread faster, and they didn't have
    powerful payloads," asserts Stuart Staniford, president of Silicon
    Defense, and co-author of the research paper. The other authors are
    Vern Paxson, a staff scientist at both the Berkeley-based ICSI Center
    for Internet Research and Lawrence Berkeley National Lab's network
    research group, and Nicholas Weaver, a graduate student at the
    University of California at Berkeley.
    The paper argues that this next generation of computer worms -- which
    would certainly have military application during war -- would carry
    knowledge about a specific server's vulnerability and propagate at a
    breathtakingly high rate of infection, "so that no human-mediated
    counter-response is possible."
    Remedying software vulnerabilities remains a huge problem, with many
    corporations admitting it takes about a day or two -- at best -- to
    apply software patches once a software vendor has acknowledged a
    vulnerability in product coding and supplied a fix for it. And home
    computer users online are often wholly unaware of these types of
    Staniford says they tested the paper's thesis in a lab simulation of a
    computer worm designed to subvert 10 million Internet hosts over both
    low-speed and high-speed lines. Supplied with its own "hit list" of IP
    addresses and vulnerabilities gained through prior scanning, the
    theoretical worm could infect more than nine million servers in a
    quarter hour or so.
    They called this the "Warhol worm" after artist Andy Warhol's
    well-known quote that in the future, everyone will be famous for 15
    minutes. A similar, theoretical worm they coined the Flash worm,
    blasted out from a 622M bit/sec link, would take even less time to
    "own" the Internet.
    The authors conclude that just as the U.S. government has established
    the "Centers for Disease Control" in Atlanta as the central voice in
    matters related to new health risks for the nation, it would benefit
    the country to set up an operations center on virus- and worm-based
    threats to cybersecurity.
    Richard Clarke, the advisor to President Bush on cybersecurity
    matters, said that while he hadn't read the Flash-worm research paper,
    he wouldn't discount the idea of a very-fast-moving worm of this type.
    As it happens, the draft "National Strategy to Secure Cyberspace"  
    report issued last month, for which Clarke is asking for public
    comment, contained the recommendation that the government fund a
    network operations center as a central point for threat analysis.
    Another U.S. government official, Bob Dacey, director of information
    security issues at the U.S. General Accounting Office, said of the
    theoretical worms: "The risk is there, though I can't speak to the 15
    minutes. When you look at Nimda and Code Red, you see greatly
    developed delivery mechanisms."
    To date, the Internet hasn't seen a worm with a really dangerous
    payload to destroy systems combined with rapid delivery but it
    certainly might be out there in the future, said Dacey, who's in
    charge of overseeing vulnerability-testing of federal agencies'
    Dacey said agencies need to do a better job of applying software
    patches, and to that end the federal government is seeking to award a
    contract for an outside patch-management service to help agencies
    install patches quickly.
    The terms "Flash" and "Warhol" worms are not yet part of the common
    vocabulary of the antivirus software business and its technologies. At
    first glance, the idea of a worm devouring the Internet in 15 minutes
    sounds far-fetched to many.
    "It's hard to imagine such a thing could happen," responds Bob Justus,
    vice president of security at Union Bank of California, but then he
    adds: "But I guess it's possible."
    Antivirus software vendors and the security industry as a whole seem
    to be taking the research paper seriously though it's unclear what
    defenses there may be for a worm that attacks the whole Internet in
    "It's definitely plausible," says TruSecure's virus expert, Roger
    Thompson. "It's highly likely we'll see them."
    Traditional antivirus software relies on signature updates to stop a
    worm or virus once it's identified, but with fast-moving Flash and
    Warhol worms, this wouldn't work, Thompson pointed out.
    "We haven't seen a 'Flash' worm yet, but now that there's a paper on
    it, we probably will," says Mikko Hypponen, manager of anti-virus
    research at F-Secure.
    This research indeed has "credibility," said a spokesman for
    Moscow-based Kaspersky Labs, but he added, "Actually, we predicted
    this technology two years ago but never published it because it may
    give virus writers another clue how to improve their malware. The
    Berkeley guys did this and they are half-guilty for such a worm
    [appearing] that may easily cause the Internet to be down in just an
    hour, so users will not be able to download anti-virus updates."
    Staniford admits he's taken some heat for describing how the worms
    would work, but tried not to be too obvious. He said there may not be
    much way to defend against a Flash worm today, but Silicon Defense
    has something in the works, which he declined to discuss, that may be
    ready by next February.
    Not all security firms think the killer worms are an identifiable
    problem yet. Security firm Network Associates' research division, Avert
    Labs, said the concept of a Flash worm is "possible," but added with a
    note of skepticism, "there is a big step between theory and practice."
    Other security firms are also a bit dubious about Flash. Trend
    Micro's product manager Bob Hansen said, "The threat from this type of
    thing is definitely growing," but that "it takes a ton of research to
    design one of these things."
    Nevertheless, Hansen said it's "certainly credible to think that a
    worm designed as a targeted hacker tool could be created to bring down
    20 or 30 of the major business Web sites within a matter of minutes."
    While signature-based updates wouldn't be ready fast enough,
    behavior-based technologies, such as Trend Micro's Applet Trap, which
    he noted isn't a big seller, might be successful in blocking such an
    Okena, which makes behavior-based intrusion-detection software,
    weighed in on the Flash worm. Director of product management Ted Doty
    said if a Flash worm does appear in the future, Okena's StormWatch
    software for servers and desktops might be able to block it as it did
    Nimda or Code Red by blocking unauthorized behavior. However, few
    companies are using any type of behavior-blocking software today.
    "You can detect attacks you haven't known about before," says Rob
    Clyde, chief technology officer at Symantec about the idea of a Flash
    worm. "But it's not going to be easy."