Dailydave mailing list archives
RE: Self updating worms?
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 9 Sep 2004 10:51:40 -0700
definitely possible and I don't know that it would be even that difficult. Consider: if the worm were able to hijack/modify/monitor DNS requests coming out of a compromised system, it could specify DNS servers to use, and we could leverage some of the work that Dan Kaminsky's done on abusing DNS to feed updates to the worms very easily and in a quiet fashion. Frankly, I'm surprised this hasn't already been implemented many times over...

t
-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Jonathan Wilkins
Sent: Thursday, September 09, 2004 7:49 AM
To: dailydave () lists immunitysec com
Subject: [Dailydave] Self updating worms?

It occurred to me at CanSec this year that tools such as Core's Impact, Immunity's Canvas and the open source Metasploit Framework (not to mention the various worm development languages that Tom Ptacek, Jose Nazario and Dave Aitel have been discussing) open up a new possibility for worm automation. By using standardized payloads, they allow for extraction of injector code. This opens the possibility of worms learning of new exploits in a totally automated fashion. I know this is no trivial task, but it would allow a stealthy worm to continue to exploit new hosts long after its initial release.

One major disadvantage for slow spreading worms has been that the longer it takes to spread, the more hosts will be patched when it finally attempts an attack. If a slow spreading worm was able to get new information on current exploit techniques long after initial release, this disadvantage would disappear. Previously, worm authors have attempted to provide updates through web sites, IRC channels, Usenet, and the like, but the communication channels were easily disrupted. By building code into the worm that can identify payloads and extract delivery code, the slow spreading worm could compromise thousands of hosts without becoming such an obvious presence on the network that it is discovered. Further, since it's already examining network traffic, the addition of a cryptographically secure update and control mechanism adds obvious value (worm updates via spam?).

Imagine a worm that starts off by scanning 10000 hosts; in the next generation, each instance would only scan 1000, then 100, then 10, then 1, then only scan with a 10% probability and so on. Depending on the wait between generations, the vulnerability used could be quite different between different instances.

Thoughts?

_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
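The update channel Toby describes (a compromised host redirected to attacker-chosen DNS servers, with updates carried in DNS answers) leaves two footprints a defender can look for in query logs: clients resolving through servers that are not the organisation's sanctioned resolvers, and a high volume of TXT queries against many distinct labels under one parent zone. The following is an added example written for this page, not code from the thread or from any tool named in it. It assumes a simplified log format ("ts client resolver qtype qname", one query per line), an approved-resolver list, and a TXT-volume threshold, all of which are assumptions; the log lines are constructed, not real traffic.

```python
"""Detection sketch for a DNS-based update channel.

Added example, not part of the Dailydave thread. The log format, the
approved-resolver set, the threshold and the sample lines are all
assumptions constructed for this illustration.
"""
from collections import Counter, defaultdict

# Assumption: the organisation's sanctioned internal resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumption: TXT queries per client in the log window that warrant a look.
TXT_QUERY_THRESHOLD = 5

# Constructed sample log (not real traffic). Fields: ts client resolver qtype qname
SAMPLE_LOG = """\
1094748000 10.1.2.10 10.0.0.53 A www.example.com
1094748001 10.1.2.10 10.0.0.53 A mail.example.com
1094748002 10.1.2.44 198.51.100.7 A www.example.com
1094748003 10.1.2.44 198.51.100.7 TXT u1.c2.example.net
1094748004 10.1.2.44 198.51.100.7 TXT u2.c2.example.net
1094748005 10.1.2.44 198.51.100.7 TXT u3.c2.example.net
1094748006 10.1.2.44 198.51.100.7 TXT u4.c2.example.net
1094748007 10.1.2.44 198.51.100.7 TXT u5.c2.example.net
1094748008 10.1.2.44 198.51.100.7 TXT u6.c2.example.net
1094748009 10.1.2.77 10.0.1.53 TXT _dmarc.example.com
1094748010 10.1.2.77 10.0.1.53 MX example.com
1094748011 10.1.2.90 10.0.0.53 TXT a.example.org
"""


def parent_zone(qname):
    """Strip the leftmost label so queries for u1.c2.example.net and
    u2.c2.example.net group under c2.example.net."""
    labels = qname.strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else qname


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, resolver, qtype, qname = parts
    return {"ts": int(ts), "client": client, "resolver": resolver,
            "qtype": qtype.upper(), "qname": qname.lower()}


def analyse(log_text, approved=APPROVED_RESOLVERS, txt_threshold=TXT_QUERY_THRESHOLD):
    """Return a list of findings. Two signals are checked:
    1. a client sending queries to a resolver outside the approved set
       (a host whose resolver settings were changed by the worm);
    2. a client issuing many TXT queries, reported with the parent zones
       and how many distinct labels were queried under each (tunnelling
       shows up as one zone with many unique child names)."""
    rogue = defaultdict(set)            # client -> unapproved resolvers seen
    txt_counts = Counter()              # client -> TXT query count
    txt_labels = defaultdict(lambda: defaultdict(set))  # client -> zone -> qnames

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["resolver"] not in approved:
            rogue[rec["client"]].add(rec["resolver"])
        if rec["qtype"] == "TXT":
            txt_counts[rec["client"]] += 1
            txt_labels[rec["client"]][parent_zone(rec["qname"])].add(rec["qname"])

    findings = []
    for client, resolvers in sorted(rogue.items()):
        findings.append({"client": client, "reason": "unapproved_resolver",
                         "detail": sorted(resolvers)})
    for client, count in sorted(txt_counts.items()):
        if count >= txt_threshold:
            zones = {z: len(names) for z, names in txt_labels[client].items()}
            findings.append({"client": client, "reason": "txt_volume",
                             "detail": {"count": count, "zones": zones}})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

On the constructed sample only 10.1.2.44 is flagged, once for talking to 198.51.100.7 and once for six TXT queries against six distinct names under c2.example.net; the hosts using the approved resolvers, including the one doing a legitimate _dmarc TXT lookup, produce nothing. In practice the approved-resolver check is the cheaper and more robust of the two, since it is independent of how the update data is encoded, while the TXT-volume check needs a threshold tuned against the site's normal mail-related TXT traffic.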
Current thread:
- Self updating worms? Jonathan Wilkins (Sep 09)
- Re: Self updating worms? Gadi Evron (Sep 09)
- <Possible follow-ups>
- RE: Self updating worms? Kohlenberg, Toby (Sep 09)
- RE: Self updating worms? Anton A. Chuvakin (Sep 09)
- RE: Self updating worms? Dave Aitel (Sep 09)
- RE: Self updating worms? Anton A. Chuvakin (Sep 09)
- RE: Self updating worms? Jonathan Wilkins (Sep 09)
- Re: Self updating worms? Gadi Evron (Sep 09)
- Re: Self updating worms? Dave Aitel (Sep 09)
- Re: Self updating worms? Gadi Evron (Sep 09)
- Re: Self updating worms? Oded H (Sep 10)
- Re: Self updating worms? Gadi Evron (Sep 10)
- Re: Self updating worms? Blue Boar (Sep 10)
- RE: Self updating worms? Jonathan Wilkins (Sep 10)
- Re: Self updating worms? robert (Sep 10)
(Thread continues...)