Dailydave mailing list archives
RE: Self updating worms?
From: "Jonathan Wilkins" <jwilkins () microsoft com>
Date: Fri, 10 Sep 2004 13:57:44 -0700
I think that people are getting a little sidetracked with discussions around who would do this sort of thing. I think that history shows that if it's possible, it'll be done. The main reason I had for discussing this in the first place is that current defences to worms seem to rely on the fact that worms tend to be noisy, stupid and that defences are pretty simple (just install the patch). It seems that people are convinced that this is actually possible, and Dave doesn't even seem to think it's as complicated as I do.

The real question is this: what defences will work against a slow spreading, quiet worm? Current response pretty much goes like this:

1. someone goes "oh shit, my firewall's getting hammered, what's going on?"
2. someone gets a copy and the reverse engineering starts
3. someone figures out what hole is being exploited
4. everyone reprioritizes that patch and starts installing it

What happens when the total traffic is too small to notice and days or weeks go by between probes? What happens when the exploit being used is different across instances?

I'm working on a few ideas, but I don't have anything that I haven't been able to beat yet.
-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: Friday, September 10, 2004 11:42 AM
To: Oded H
Cc: Jonathan Wilkins; dailydave () lists immunitysec com; ge () linuxbox org; th-research () linuxbox org
Subject: Re: [Dailydave] Self updating worms?

Oded H wrote:
> There is a clear benefit for the bad guys, especially if we are talking about organized crime, to have a self updating worm, simply because although they don't want to leave a trail they would like to get some exclusive access to a victim host. Adding some defence (i.e. patch) to the vulnerability on which their worm arrived is a step in that direction.

You don't need "worm" bits (attack vectors) to maintain a botnet, you only need those to grow one. If someone sells off a fixed set of 1000 zombies, they probably don't want the customer competing with them for new bots. In fact, the seller would probably be quite happy that there is a natural attrition of the bot set, so they can sell more to the same buyer later.

Assuming of course that the builders and users of botnets are mutually exclusive sets.

BB
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
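The question Wilkins raises, what a defender sees when probes are days apart and the total volume never trips a "firewall's getting hammered" alarm, comes down to the window over which firewall denies are aggregated. The example below is added here and is not code from the thread or from any of its participants: it runs a short-window burst alarm and a long-window per-source aggregation over a constructed set of firewall DENY lines, and shows that the burst alarm catches only the noisy scanner while the long window also surfaces a source that touched one new internal host every couple of days. The log format, the two sample sources, the fourteen-day window and the four-target threshold are all assumptions chosen for the illustration.

```python
"""Long-window slow-probe detector over constructed firewall log lines.

Added example, not from the Dailydave thread. Log format, addresses,
windows and thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed DENY record layout: "<ISO timestamp>Z DENY src=A dst=B dport=N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 10.9.9.9 sweeps six hosts in six seconds (the classic
# noisy worm), 203.0.113.7 touches one new host roughly every two days,
# 198.51.100.4 is a single stray deny.
SAMPLE_LOG = """\
2004-09-01T02:10:00Z DENY src=10.9.9.9 dst=192.0.2.10 dport=445
2004-09-01T02:10:01Z DENY src=10.9.9.9 dst=192.0.2.11 dport=445
2004-09-01T02:10:02Z DENY src=10.9.9.9 dst=192.0.2.12 dport=445
2004-09-01T02:10:03Z DENY src=10.9.9.9 dst=192.0.2.13 dport=445
2004-09-01T02:10:04Z DENY src=10.9.9.9 dst=192.0.2.14 dport=445
2004-09-01T02:10:05Z DENY src=10.9.9.9 dst=192.0.2.15 dport=445
2004-09-01T11:42:13Z DENY src=203.0.113.7 dst=192.0.2.20 dport=135
2004-09-02T08:00:00Z DENY src=198.51.100.4 dst=192.0.2.10 dport=22
2004-09-03T19:05:41Z DENY src=203.0.113.7 dst=192.0.2.21 dport=135
2004-09-06T03:17:09Z DENY src=203.0.113.7 dst=192.0.2.22 dport=135
2004-09-08T22:48:30Z DENY src=203.0.113.7 dst=192.0.2.23 dport=135
2004-09-10T14:31:55Z DENY src=203.0.113.7 dst=192.0.2.24 dport=135
"""


def parse_log(text):
    """Turn DENY lines into sorted (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DENY record in the assumed layout; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    events.sort()
    return events


def _by_source(events):
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        per_src[src].append((ts, dst, dport))
    return per_src


def _windowed(hits, window):
    """Yield (start, end) index pairs so hits[start:end+1] fits in `window`."""
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        yield start, end


def burst_detector(events, window=timedelta(minutes=5), threshold=5):
    """Noisy-scan alarm: >= threshold distinct targets inside one short window."""
    flagged = set()
    for src, hits in _by_source(events).items():
        for start, end in _windowed(hits, window):
            if len({dst for _, dst, _ in hits[start:end + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged


def slow_probe_detector(events, window=timedelta(days=14), min_targets=4):
    """Long-window view: any source reaching min_targets distinct hosts within
    `window`, however slowly, gets a summary record with its probe spacing."""
    report = {}
    for src, hits in _by_source(events).items():
        for start, end in _windowed(hits, window):
            span = hits[start:end + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) >= min_targets:
                gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(span, span[1:])]
                report[src] = {
                    "first_seen": span[0][0],
                    "last_seen": span[-1][0],
                    "distinct_targets": len(targets),
                    "median_gap_hours": round(sorted(gaps)[len(gaps) // 2] / 3600, 1),
                }
                break
    return report


def quiet_probers(events):
    """Sources the burst alarm never fires on but the long window does catch."""
    noisy = burst_detector(events)
    return {s: r for s, r in slow_probe_detector(events).items() if s not in noisy}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("burst alarm fired on:", sorted(burst_detector(evs)))
    for src, rec in quiet_probers(evs).items():
        print(f"quiet prober {src}: {rec}")
```

The burst alarm fires only on 10.9.9.9; 203.0.113.7 never has more than one distinct target in any five-minute window, so it is invisible to that check, yet it is the one source in the sample that has quietly mapped four hosts over a week. The cost of the long window is state: the detector has to keep per-source history for as long as the window is wide, which is exactly what the "too small to notice" traffic pattern in the message above is counting on defenders not doing.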