Re: [ISN] Researchers predict worm that eats the Internet in 15 minutes

From: InfoSec News (isnat_private)
Date: Tue Oct 22 2002 - 22:58:03 PDT


    Forwarded from: Robert G. Ferrell <rferrellat_private>
    > The three authors of the research, published two months ago, present
    > a future where worm-based attacks use "hit lists" to target
    > vulnerable Internet hosts and equipment, such as routers, rather
    > than scanning aimlessly as the last mammoth worm outbreaks, Nimda
    > and Code Red, did last year.
    The operative term here is "vulnerable."  Properly secured systems run
    very little risk of infection by "killer worms," or anything else.  
    True 0-day exploits that make use of previously totally unsuspected
    vulnerabilities and bypass properly configured firewalls are
    exceedingly rare.  What makes 'killer worms' such a threat in these
    doomsday scenarios is not so much the payload as the mechanism of
    propagation.  The worms everyone likes to use as examples, Code Red
    and Nimda, propagated by exploiting holes in end-user software that
    was both insecurely coded and more often than not improperly
    installed. Not many routers are likely to be running IIS, MSIE, or
    Outlook, however. 'Taking down the Internet' will involve a lot more
    than getting a bunch of idiots to open attachments with names like
    "readme.exe." It's important to draw a distinction between clogging
    the Internet with spurious traffic (Denial of Service) and actually
    disrupting routing.  DoS is potentially serious if massively
    distributed, but even the worst DDoS attacks are temporary.  
    Incapacitating routers or root name servers, on the other hand, would
    have far more lasting effects on Internet communications, but
    widespread failure of these devices can be obviated by as simple a
    trick as ensuring heterogeneity of equipment (by their nature worms
    are usually designed to attack only one operating system/application
    at a time).  If every router on the backbone were running the same
    version of Cisco IOS, for example, that would be bad.
    > Remedying software vulnerabilities remains a huge problem, with many
    > corporations admitting it takes about a day or two -- at best -- to
    > apply software patches once a software vendor has acknowledged a
    > vulnerability in product coding and supplied a fix for it. And home
    > computer users online are often wholly unaware of these types of
    > problems.
    But if these same software vendors would take the responsibility upon
    themselves to train their programmers to code securely and not to
    release software until it was exhaustively tested for security
    vulnerabilities, the need for scrambling to release/install patches
    would disappear.  As an example, you can't target a buffer overflow
    against software that has no runaway string operations or other
    variables that lack bounds checking.
    > Dacey said agencies need to do a better job of applying software
    > patches, and to that end the federal government is seeking to award
    > a contract for an outside patch-management service to help agencies
    > install patches quickly.
    Concentrating on patching mechanisms is treating a symptom, not the
    disease.  Patching will never run better than a poor second to secure
    > Antivirus software vendors and the security industry as a whole seem
    > to be taking the research paper seriously though it's unclear what
    > defenses there may be for a worm that attacks the whole Internet in
    > seconds.
    Heuristics leap to mind.  Stop looking for specific signatures and
    start looking for suspicious system behavior.  The algorithms already
    exist for this, it's just a matter of convincing the antivirus
    companies that this is the way to go.  Of course, they'd lose all that
    money for subscriptions to update services...
    > The Berkeley guys did this and they are half-guilty for such a worm
    > [appearing] that may easily cause the Internet to be down in just an
    > hour, so users will not be able to download anti-virus updates."
    Oh, please.  Are you seriously suggesting that people who devote a
    large proportion of their free time to creating malicious code
    wouldn't have stumbled onto this rather obvious point on their own,
    especially if the threat truly is a military one?  Gosh, it takes a
    certified genius to come up with the idea of using hard-coded target
    lists and large pipes. Stop thinking so highly of yourselves.  Not all
    worm writers are 15-year-olds with acne, rampant hormones, and gangsta
    fixations.  Some of them actually think, and while the phrase
    "military intelligence" may be an oxymoron at the command level, that
    definitely isn't always the case on the 'front lines.'
    > "You can detect attacks you haven't known about before," says Rob
    > Clyde, chief technology officer at Symantec about the idea of a
    > Flash worm. "But it's not going to be easy."
    You mean it's not going to be as profitable...
    Robert G. Ferrell
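The bounds-checking point above ("you can't target a buffer overflow against software that has no runaway string operations"), shown as an added example that is not part of Ferrell's post or of any product he names. The request-line format ("USER <name>"), the 16-byte field size and the return codes are assumptions made for illustration; the second parser refuses input that does not fit rather than truncating it silently.

```c
#include <stdio.h>
#include <string.h>

#define USER_MAX 16 /* hypothetical fixed-size field in the receiving program */

/* Vulnerable form. strcpy() does not know how large 'user' is, so any
 * input longer than USER_MAX-1 bytes after "USER " runs off the end of
 * the caller's buffer: the "runaway string operation" in the post.
 * It works perfectly on benign input, which is why the bug ships.
 * (Never call this with an overlong line; that corrupts the stack.) */
int parse_user_unsafe(const char *line, char *user)
{
    if (strncmp(line, "USER ", 5) != 0)
        return -1;                      /* not a USER line */
    strcpy(user, line + 5);             /* no bound on the copy */
    return (int)strlen(user);
}

/* Hardened form. The field length is measured first and checked against
 * the destination size before a single byte is written. Returns the
 * field length, -1 for a non-USER line, -2 for an empty or overlong name. */
int parse_user_safe(const char *line, char *user, size_t usersz)
{
    if (strncmp(line, "USER ", 5) != 0)
        return -1;
    const char *p = line + 5;
    size_t n = strcspn(p, "\r\n");      /* field ends at end-of-line */
    if (n == 0 || n >= usersz)          /* reject, do not truncate */
        return -2;
    memcpy(user, p, n);
    user[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[USER_MAX];
    char longline[64] = "USER ";
    memset(longline + 5, 'A', 40);      /* constructed 40-byte name */
    longline[45] = '\0';

    printf("safe, benign : %d (%s)\n", parse_user_safe("USER alice\r\n", buf, sizeof buf), buf);
    printf("safe, 40-byte: %d (rejected, buffer untouched)\n", parse_user_safe(longline, buf, sizeof buf));
    /* The unsafe parser would overflow 'buf' on 'longline'; it is only
     * ever exercised with the short line here. */
    printf("unsafe, benign: %d\n", parse_user_unsafe("USER alice", buf));
    return 0;
}
```

The difference a worm author cares about is the third line of parse_user_safe: the length is a property of the input the attacker controls, so it is checked against the size of the destination, which the attacker does not control, before the copy happens.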
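On the "stop looking for specific signatures and start looking for suspicious system behavior" point: one of the simplest behavioural heuristics for a spreading worm is a host that suddenly opens connections to many distinct peers on one port in a short window, whatever the payload looks like. This is an added example, not code from the post or from any antivirus vendor it mentions; the connection records are constructed sample data, and the threshold (8 distinct peers) and window (5 seconds) are assumed tuning values.

```c
#include <stdio.h>
#include <string.h>

/* One outbound connection attempt as a host or gateway would log it.
 * Constructed sample data, not captured traffic. */
struct conn { int t; const char *src; const char *dst; int dport; };

#define THRESHOLD 8   /* distinct peers per window; assumed tuning value */
#define WINDOW    5   /* seconds; assumed tuning value */
#define MAX_SEEN  256

const struct conn SAMPLE[] = {
    /* 10.0.0.7: ordinary client, a few peers spread over a minute */
    {100, "10.0.0.7", "198.51.100.10", 80},
    {120, "10.0.0.7", "198.51.100.11", 80},
    {150, "10.0.0.7", "198.51.100.12", 80},
    /* 10.0.0.5: ten new peers on port 80 inside two seconds */
    {200, "10.0.0.5", "203.0.113.1",  80},
    {200, "10.0.0.5", "203.0.113.2",  80},
    {200, "10.0.0.5", "203.0.113.3",  80},
    {200, "10.0.0.5", "203.0.113.4",  80},
    {200, "10.0.0.5", "203.0.113.5",  80},
    {201, "10.0.0.5", "203.0.113.6",  80},
    {201, "10.0.0.5", "203.0.113.7",  80},
    {201, "10.0.0.5", "203.0.113.8",  80},
    {201, "10.0.0.5", "203.0.113.9",  80},
    {201, "10.0.0.5", "203.0.113.10", 80},
};
const int SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

/* Number of distinct destinations 'src' tried on 'dport' in the window
 * (t_now - WINDOW, t_now]. Quadratic duplicate check; fine for a demo. */
int distinct_peers(const struct conn *ev, int n, const char *src, int dport, int t_now)
{
    const char *seen[MAX_SEEN];
    int k = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].src, src) != 0 || ev[i].dport != dport)
            continue;
        if (ev[i].t <= t_now - WINDOW || ev[i].t > t_now)
            continue;                       /* outside the window */
        int dup = 0;
        for (int j = 0; j < k; j++)
            if (strcmp(seen[j], ev[i].dst) == 0) { dup = 1; break; }
        if (!dup && k < MAX_SEEN)
            seen[k++] = ev[i].dst;
    }
    return k;
}

/* The heuristic itself: no byte pattern, only the shape of the traffic. */
int looks_like_worm(const struct conn *ev, int n, const char *src, int dport, int t_now)
{
    return distinct_peers(ev, n, src, dport, t_now) >= THRESHOLD;
}

int main(void)
{
    const char *hosts[] = { "10.0.0.7", "10.0.0.5" };
    int when[]          = { 150, 201 };
    for (int i = 0; i < 2; i++)
        printf("%s at t=%d: %d distinct peers on :80 -> %s\n", hosts[i], when[i],
               distinct_peers(SAMPLE, SAMPLE_N, hosts[i], 80, when[i]),
               looks_like_worm(SAMPLE, SAMPLE_N, hosts[i], 80, when[i]) ? "ALERT" : "ok");
    return 0;
}
```

The same check catches hit-list worms as well as scanners, since both produce a burst of connections to new peers from one host; what it cannot do is name the worm, and a busy crawler or mail relay needs a per-host baseline rather than a single global threshold.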

    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 01:44:11 PDT