Forwarded from: Robert G. Ferrell <rferrellat_private>

> The three authors of the research, published two months ago, present
> a future where worm-based attacks use "hit lists" to target
> vulnerable Internet hosts and equipment, such as routers, rather
> than scanning aimlessly as the last mammoth worm outbreaks, Nimda
> and Code Red, did last year.

The operative term here is "vulnerable." Properly secured systems run very little risk of infection by "killer worms," or anything else. True 0-day exploits that make use of previously totally unsuspected vulnerabilities and bypass properly configured firewalls are exceedingly rare.

What makes 'killer worms' such a threat in these doomsday scenarios is not so much the payload as the mechanism of propagation. The worms everyone likes to use as examples, Code Red and Nimda, propagated by exploiting holes in end-user software that was both insecurely coded and more often than not improperly installed. Not many routers are likely to be running IIS, MSIE, or Outlook, however. 'Taking down the Internet' will involve a lot more than getting a bunch of idiots to open attachments with names like "readme.exe."

It's important to draw a distinction between clogging the Internet with spurious traffic (Denial of Service) and actually disrupting routing. DoS is potentially serious if massively distributed, but even the worst DDoS attacks are temporary. Incapacitating routers or root name servers, on the other hand, would have far more lasting effects on Internet communications, but widespread failure of these devices can be obviated by as simple a trick as ensuring heterogeneity of equipment (by their nature worms are usually designed to attack only one operating system/application at a time). If every router on the backbone were running the same version of Cisco IOS, for example, that would be bad.
> Remedying software vulnerabilities remains a huge problem, with many
> corporations admitting it takes about a day or two -- at best -- to
> apply software patches once a software vendor has acknowledged a
> vulnerability in product coding and supplied a fix for it. And home
> computer users online are often wholly unaware of these types of
> problems.

But if these same software vendors would take the responsibility upon themselves to train their programmers to code securely and not to release software until it was exhaustively tested for security vulnerabilities, the need for scrambling to release/install patches would disappear. As an example, you can't target a buffer overflow against software that has no runaway string operations or other variables that lack bounds checking.

> Dacey said agencies need to do a better job of applying software
> patches, and to that end the federal government is seeking to award
> a contract for an outside patch-management service to help agencies
> install patches quickly.

Concentrating on patching mechanisms is treating a symptom, not the disease. Patching will never run better than a poor second to secure coding.

> Antivirus software vendors and the security industry as a whole seem
> to be taking the research paper seriously though it's unclear what
> defenses there may be for a worm that attacks the whole Internet in
> seconds.

Heuristics leap to mind. Stop looking for specific signatures and start looking for suspicious system behavior. The algorithms already exist for this; it's just a matter of convincing the antivirus companies that this is the way to go. Of course, they'd lose all that money for subscriptions to update services...

> The Berkeley guys did this and they are half-guilty for such a worm
> [appearing] that may easily cause the Internet to be down in just an
> hour, so users will not be able to download anti-virus updates."

Oh, please.
Are you seriously suggesting that people who devote a large proportion of their free time to creating malicious code wouldn't have stumbled onto this rather obvious point on their own, especially if the threat truly is a military one? Gosh, it takes a certified genius to come up with the idea of using hard-coded target lists and large pipes. Stop thinking so highly of yourselves. Not all worm writers are 15-year-olds with acne, rampant hormones, and gangsta fixations. Some of them actually think, and while the phrase "military intelligence" may be an oxymoron at the command level, that definitely isn't always the case on the 'front lines.'

> "You can detect attacks you haven't known about before," says Rob
> Clyde, chief technology officer at Symantec about the idea of a
> Flash worm. "But it's not going to be easy."

You mean it's not going to be as profitable...

RGF

Robert G. Ferrell
rferrellat_private
http://rferrell.home.texas.net/rgflit.html

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
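The "look for suspicious system behavior" point above, as an added example that is not from the post or from any antivirus product: a small Python fan-out heuristic run over a constructed connection log. It flags a source by how many distinct destinations it contacts inside a short window, which catches both a random scanner and a hit-list worm, and also reports the failed-connection ratio, which is what separates the two; the hosts, addresses, window and threshold are all assumed for the demonstration.

```python
import re
from collections import defaultdict

# One record per outbound TCP attempt: "epoch src dst port ok|fail".
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (ok|fail)$")


def constructed_log():
    """Constructed sample log (not real traffic) with three sources."""
    lines = []
    # 10.0.0.5 behaves like a scanning worm: 12 attempts to sequential
    # addresses in one second, 10 of them to hosts that never answer.
    for i in range(12):
        lines.append(f"1000 10.0.0.5 203.0.113.{i + 1} 80 {'ok' if i < 2 else 'fail'}")
    # 10.0.0.6 behaves like a hit-list worm: 12 connections to distinct
    # pre-selected hosts, every one of which answers.
    for i in range(12):
        lines.append(f"1000 10.0.0.6 198.51.100.{i + 1} 80 ok")
    # 10.0.0.7 is an ordinary client: a few connections, one host repeated.
    lines += ["1000 10.0.0.7 198.51.100.1 80 ok",
              "1003 10.0.0.7 198.51.100.1 443 ok",
              "1005 10.0.0.7 198.51.100.2 80 ok"]
    return lines


def fanout_alerts(lines, window=10, max_new_dsts=8):
    """Return {src: {"distinct": n, "fail_ratio": r}} for each source that
    reached more than max_new_dsts distinct destinations within any
    window-second span. fail_ratio is the share of attempts that failed,
    high for blind scanning and low for a worm working from a hit list."""
    per_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records instead of aborting
        ts, src, dst, _port, result = m.groups()
        per_src[src].append((int(ts), dst, result == "fail"))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - t0 <= window]
            dsts = {e[1] for e in in_win}
            if len(dsts) > max_new_dsts:
                fails = sum(1 for e in in_win if e[2])
                alerts[src] = {"distinct": len(dsts),
                               "fail_ratio": round(fails / len(in_win), 2)}
                break  # first window that trips the threshold is enough
    return alerts


if __name__ == "__main__":
    for src, info in fanout_alerts(constructed_log()).items():
        print(src, info)
```

Both worm-like sources trip the fan-out rule while the ordinary client does not; only the scanner shows a high failure ratio, so a defence built purely on failed-connection counts would miss the hit-list case.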
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 01:44:11 PDT