[ISN] To Trap a Superworm

From: InfoSec News (isnat_private)
Date: Wed Feb 26 2003 - 00:12:02 PST

    By Alex Salkever 
    FEBRUARY 25, 2003 
    The Slammer worm's ability to spread so rapidly adds a frightfully new
    dimension to the species. Does Stuart Staniford have the cure?
    Fear the superworms. They're coming, and you can't escape. All you can
    do is contain the damage. That's the message Stuart Staniford has for
    the computer-security world. A co-founder of information-security
    company Silicon Defense in Eureka, Calif., Staniford has studied worms
    for many years as a respected researcher and innovator in the arena of
    intrusion detection. Intrusion-detection systems help network administrators
    spot intrusions and prevent damage or security breaches to linked
    computers at corporations, universities, and government agencies.
    Some past worms such as CodeRed and Nimda have proven to be notable
    nuisances to network administrators. A worm is a small program that
    copies itself, without human help, from one vulnerable computer to the
    next across a network. Worms usually do bad things, such as using up
    a computer's processing resources, crashing systems, and possibly
    installing software that an attacker can later use to remotely control
    the compromised machines.
    SOLITARY CONFINEMENT.  According to Staniford, though, the so-called
    Slammer worm that was unleashed on Jan. 24 heralds a new and difficult
    era of blazingly fast-spreading worms. And he claims Silicon Defense
    has devised a useful way to protect against them. On Feb. 24 it rolled
    out a hardware device dubbed CounterMalice, which aims to stop
    superworms by segmenting computer networks into compartments and
    monitoring each compartment for infections. If CounterMalice spots
    signs of an infection, it can isolate the offending compartments, like
    a ship commander sealing watertight doors to contain the damage on a
    leaking vessel.
    Though not a cheap solution at $25,000 per device, CounterMalice could
    prove worth the price if it can prevent worms from bringing down a
    company's network.
    Until Jan. 24, superworms were found only in speculative white papers
    but never in the wild. According to Staniford and many others, Slammer
    crossed the Rubicon into superworm territory. It exploited a buffer
    overflow in Microsoft's SQL Server products: a single 376-byte packet
    carried more data than the receiving code was written to handle, and
    the excess overwrote memory and handed control to the worm's own code.
    Once running, the worm immediately began firing copies of itself at
    other addresses in an attempt to find and infect more Microsoft (MSFT )
    database servers.
    LITTLE REACTION TIME.  CodeRed and Nimda caused lots of problems. But
    they were far less virulent. According to an analysis by some of the
    top researchers in computer worms, including Staniford, the Slammer
    infection doubled in size every 8.5 seconds in its early phase. A
    Slammer-infected server could spew out tens of thousands of probe
    packets per second, easily saturating a 100-megabit connection serving
    an entire midsize corporation. Slammer had infected 90% of all
    vulnerable servers worldwide within 10 minutes.
    In some corporations, system engineers literally had less than a
    minute to react before Slammer thoroughly bogged down their network
    and left them unable to manage their machines.
    As a result, Slammer gummed up not just corporate networks but the
    general economy worldwide. Bank of America (BAC ) automated teller
    machines stopped dispensing cash after BofA's Microsoft databases were
    overwhelmed. Continental Airlines (CAL ) had trouble with its
    online-booking and eTicket systems. Phone companies in Korea reported
    that customers could get no dial tone.
    CELL DIVISION.  The havoc wreaked by Slammer was far more widespread
    than that of any past worms. Microsoft had released a patch in the
    summer of 2002 that addressed the vulnerability that Slammer
    exploited, but not all systems administrators had installed it. Some
    claimed it disabled other key functions on their machines. And
    Microsoft itself had problems containing a Slammer outbreak on its
    internal network.
    That is the basic premise of CounterMalice. Worms enter computer
    networks by various means. Superworms move so fast that all existing
    defenses, save pulling the plug on the computer, are useless. Even the
    best antivirus company won't have a new virus definition out in less
    than an hour. The same holds for the attack signatures that
    intrusion-detection systems use. And, as Slammer illustrated, all it
    takes is one infected machine to effectively cripple an entire
    network. Because of a superworm's speed, system administrators might
    have mere seconds to react.
    Staniford claims that CounterMalice will work that quickly because of
    the way it divides a network into cells and then monitors each cell
    for aberrant behavior that could indicate a worm infection. "A
    computer may be [sending data queries to] computers that it hasn't
    talked to before. A computer may be talking to places that are not
    live. Or the sequence of data queries might be unusual," says
    Staniford. Any of these traits could indicate an infected node on a
    network trying to spread a worm.
    "LOST CONTROL."  For example, Slammer fired out probes to randomly
    generated Internet Protocol addresses (the numeric identifier carried
    by each device on a network). So the machines it infected certainly
    tried to talk to addresses where no computer was listening, and to
    machines they had never tried to communicate with before.
    Once CounterMalice spots a worm, it automatically isolates the
    machines in the cell and blocks the specific service the worm is
    using to spread (Slammer used UDP port 1434, the port of the SQL
    Server Resolution Service, which clients use to locate named
    SQL Server instances). By quarantining the offending machines,
    CounterMalice gives systems administrators a chance to protect the
    rest of their networks and prevent major outages.
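    The three behavioral signals Staniford lists (contacting peers a host
    has never talked to, contacting addresses that do not answer, an
    unusual run of requests) and the quarantine step that follows them can
    be sketched in code. The Python below is an added illustration written
    for this page, not Silicon Defense's CounterMalice code. The flow
    records, the learn-then-alert split, the thresholds (20 never-seen
    peers within 2 seconds, 70% of contacts unanswered) and the iptables
    enforcement rule are all assumptions made for the example.

```python
"""
Behaviour-based worm containment of the kind the article describes: watch each
host in a network cell for bursts of contacts with peers it has never talked to
and with addresses that never answer, then quarantine the host on the service
the worm is spreading over. Added illustration; not Silicon Defense code.
"""
from collections import defaultdict, deque


def build_sample_flows():
    """Constructed flow records: (time_s, src, dst, proto, dport, answered).
    'answered' is False when nothing ever came back from dst (not live, or
    no listener): the 'talking to places that are not live' signal."""
    flows = []
    # Baseline: ordinary file-share and web traffic, all answered.
    for t in range(0, 60, 5):
        flows.append((t, "10.0.1.5", "10.0.1.10", "tcp", 445, True))
        flows.append((t + 1, "10.0.1.5", "10.0.2.20", "tcp", 80, True))
        flows.append((t + 2, "10.0.1.7", "10.0.1.10", "tcp", 445, True))
    # Benign burst: 10.0.1.7 contacts six new DNS servers; every one answers.
    for i in range(6):
        flows.append((70 + i * 0.1, "10.0.1.7", f"10.0.3.{i + 1}", "udp", 53, True))
    # Infection: 10.0.1.5 sprays UDP/1434 at 40 addresses it never used before,
    # 50 per second; only one in twenty is live enough to answer.
    for i in range(40):
        dst = f"198.51.{i}.{(i * 37) % 250 + 1}"   # constructed, distinct per i
        flows.append((100 + i * 0.02, "10.0.1.5", dst, "udp", 1434, i % 20 == 0))
    return flows


class CellMonitor:
    """Detector for one cell. Flows before `learn_until` only train the set of
    known peers per host; afterwards each host is judged on a sliding window."""

    def __init__(self, learn_until, window_s=2.0, new_peer_limit=20, dead_ratio=0.7):
        self.learn_until = learn_until
        self.window_s = window_s
        self.new_peer_limit = new_peer_limit   # distinct never-seen peers in window
        self.dead_ratio = dead_ratio           # share of unanswered contacts in window
        self.known_peers = defaultdict(set)    # src -> peers seen during learning
        self.recent = defaultdict(deque)       # src -> (t, dst, proto, dport, answered)
        self.quarantined = {}                  # src -> (proto, dport) blocked

    def observe(self, t, src, dst, proto, dport, answered):
        """Feed one flow; return a quarantine action dict or None."""
        if src in self.quarantined:
            return None                        # already sealed off
        if t < self.learn_until:
            self.known_peers[src].add(dst)     # baseline period, never alerts
            return None
        win = self.recent[src]
        win.append((t, dst, proto, dport, answered))
        while win and t - win[0][0] > self.window_s:
            win.popleft()                      # drop flows outside the window
        new_peers = {d for _, d, _, _, _ in win if d not in self.known_peers[src]}
        dead = sum(1 for *_, a in win if not a)
        if len(new_peers) < self.new_peer_limit or dead / len(win) < self.dead_ratio:
            return None
        # Block only the service the worm rides on: the dominant (proto, port).
        counts = defaultdict(int)
        for _, _, p, dp, _ in win:
            counts[(p, dp)] += 1
        service = max(counts, key=counts.get)
        self.quarantined[src] = service
        return {"host": src, "block": service,
                "new_peers": len(new_peers), "window_flows": len(win)}


def quarantine_rule(action):
    """One possible enforcement (assumed: a Linux choke point between cells):
    an iptables rule dropping the worm's service from the infected host."""
    proto, port = action["block"]
    return (f"iptables -I FORWARD -s {action['host']} -p {proto} "
            f"--dport {port} -j DROP")


def run_detector(flows, learn_until=60):
    """Replay flows in time order; return (actions, monitor)."""
    mon = CellMonitor(learn_until)
    actions = []
    for rec in sorted(flows, key=lambda r: r[0]):
        action = mon.observe(*rec)
        if action:
            actions.append(action)
    return actions, mon


if __name__ == "__main__":
    acts, _ = run_detector(build_sample_flows())
    for a in acts:
        print(a, "->", quarantine_rule(a))
```

    Two design points carry over from the article. The alert fires on the
    20th probe, about 0.4 seconds into the spray, which is the timescale
    Staniford says matters; a signature update arriving an hour later
    would not help. And the rule blocks only UDP/1434 from the one host,
    so the rest of the cell keeps working, though legitimate named-instance
    lookups from that host are cut off too until it is cleaned up. The
    benign host that opens six new DNS connections in a burst is not
    flagged because every contact is answered; tuning that ratio against
    real traffic is exactly the false-positive question raised below.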
    "With Slammer, people lost control of their networks altogether
    because they couldn't get to the management consoles in time. Our goal
    is to prevent the worm from spreading and then make the patching and
    cleanup relevant again," says Staniford.
    "DIFFICULT TO TEST."  A big question is: How much will CounterMalice
    itself affect network performance? In the past, computer-security
    systems searching for behavioral red flags tended to slow down
    networks or return a lot of false-positive readings. Today's networks
    are complex enough that engineers cannot account for every legitimate
    traffic pattern, so the behavioral models they build are never
    entirely accurate.
    The big proof will come when the next superworm actually hits and
    Silicon Defense customers can prove CounterMalice works -- or doesn't.  
    The company couldn't provide any customers to testify to
    CounterMalice's performance to date, but Staniford has a solid
    reputation in the field. "The approach relies heavily on an
    enterprise's ability to compartmentalize their network, which makes
    great sense for any security program. But will it be able to identify
    the next worm? I think it's a valuable idea that will be difficult to
    test until the next worm hits," says Peter Lindstrom, research
    director for consultancy Spire Security in Malvern, Pa.
    Computer-security analysts say CounterMalice isn't likely to remain a
    stand-alone system for long and will probably be wrapped into either
    intrusion-detection systems, antivirus software, or other types of
    network defenses. Staniford says Silicon Defense is in talks with some
    big computer-security companies regarding CounterMalice but won't name
    names. The next attack will certainly put his product to the test.  
    With luck, it could also make Staniford known as the man who corralled
    the superworm.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 02:41:27 PST