Information Security News mailing list archives

Re: Researchers predict worm that eats the Internet in 15 minutes


From: InfoSec News <isn () c4i org>
Date: Wed, 23 Oct 2002 00:58:03 -0500 (CDT)

Forwarded from: Robert G. Ferrell <rferrell () texas net>

The three authors of the research, published two months ago, present
a future where worm-based attacks use "hit lists" to target
vulnerable Internet hosts and equipment, such as routers, rather
than scanning aimlessly as the last mammoth worm outbreaks, Nimda
and Code Red, did last year.

The operative term here is "vulnerable."  Properly secured systems run
very little risk of infection by "killer worms," or anything else.  
True 0-day exploits that make use of previously totally unsuspected
vulnerabilities and bypass properly configured firewalls are
exceedingly rare.  What makes 'killer worms' such a threat in these
doomsday scenarios is not so much the payload as the mechanism of
propagation.  The worms everyone likes to use as examples, Code Red
and Nimda, propagated by exploiting holes in end-user software that
was both insecurely coded and more often than not improperly
installed. Not many routers are likely to be running IIS, MSIE, or
Outlook, however. 'Taking down the Internet' will involve a lot more
than getting a bunch of idiots to open attachments with names like
"readme.exe." It's important to draw a distinction between clogging
the Internet with spurious traffic (Denial of Service) and actually
disrupting routing.  DoS is potentially serious if massively
distributed, but even the worst DDoS attacks are temporary.  
Incapacitating routers or root name servers, on the other hand, would
have far more lasting effects on Internet communications, but
widespread failure of these devices can be obviated by as simple a
trick as ensuring heterogeneity of equipment (by their nature worms
are usually designed to attack only one operating system/application
at a time).  If every router on the backbone were running the same
version of Cisco IOS, for example, that would be bad.

Remedying software vulnerabilities remains a huge problem, with many
corporations admitting it takes about a day or two -- at best -- to
apply software patches once a software vendor has acknowledged a
vulnerability in product coding and supplied a fix for it. And home
computer users online are often wholly unaware of these types of
problems.

But if these same software vendors would take the responsibility upon
themselves to train their programmers to code securely and not to
release software until it was exhaustively tested for security
vulnerabilities, the need for scrambling to release/install patches
would disappear.  As an example, you can't target a buffer overflow
against software that has no runaway string operations or other
variables that lack bounds checking.

Dacey said agencies need to do a better job of applying software
patches, and to that end the federal government is seeking to award
a contract for an outside patch-management service to help agencies
install patches quickly.

Concentrating on patching mechanisms is treating a symptom, not the
disease.  Patching will never run better than a poor second to secure
coding.

Antivirus software vendors and the security industry as a whole seem
to be taking the research paper seriously though it's unclear what
defenses there may be for a worm that attacks the whole Internet in
seconds.

Heuristics leap to mind.  Stop looking for specific signatures and
start looking for suspicious system behavior.  The algorithms already
exist for this, it's just a matter of convincing the antivirus
companies that this is the way to go.  Of course, they'd lose all that
money for subscriptions to update services...

"The Berkeley guys did this and they are half-guilty for such a worm
[appearing] that may easily cause the Internet to be down in just an
hour, so users will not be able to download anti-virus updates."

Oh, please.  Are you seriously suggesting that people who devote a
large proportion of their free time to creating malicious code
wouldn't have stumbled onto this rather obvious point on their own,
especially if the threat truly is a military one?  Gosh, it takes a
certified genius to come up with the idea of using hard-coded target
lists and large pipes. Stop thinking so highly of yourselves.  Not all
worm writers are 15-year-olds with acne, rampant hormones, and gangsta
fixations.  Some of them actually think, and while the phrase
"military intelligence" may be an oxymoron at the command level, that
definitely isn't always the case on the 'front lines.'

"You can detect attacks you haven't known about before," says Rob
Clyde, chief technology officer at Symantec about the idea of a
Flash worm. "But it's not going to be easy."

You mean it's not going to be as profitable...

RGF

Robert G. Ferrell
rferrell () texas net
http://rferrell.home.texas.net/rgflit.html
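Editor's note, added example (not part of Ferrell's message or the article he is quoting): the remark above that "you can't target a buffer overflow against software that has no runaway string operations or other variables that lack bounds checking" is shown below in C. The first routine copies an attacker-controlled field into a fixed buffer with strcpy, the classic runaway string operation; the second checks the length before copying and refuses input that does not fit. The field name, the size HOSTNAME_MAX and the function names are hypothetical, and the inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size field, e.g. a hostname parsed out of a request. */
#define HOSTNAME_MAX 16

/* VULNERABLE: the "runaway string operation" the text describes.
 * strcpy stops only at the NUL of the source, so a source longer than
 * HOSTNAME_MAX - 1 bytes writes past the end of dst and corrupts whatever
 * sits after it on the stack or heap (saved return address, adjacent
 * variables). Kept here for contrast; never call it with untrusted input. */
void copy_hostname_unsafe(char dst[HOSTNAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* HARDENED: bounds-checked copy. Returns 0 on success, -1 if the input
 * does not fit (including room for the terminating NUL). On failure dst is
 * left as an empty string so a caller cannot use a half-written value.
 * The length scan is itself bounded so an unterminated src is never read
 * past HOSTNAME_MAX bytes. */
int copy_hostname_safe(char dst[HOSTNAME_MAX], const char *src)
{
    size_t n = 0;
    while (n < HOSTNAME_MAX && src[n] != '\0')
        n++;
    if (n >= HOSTNAME_MAX) {
        dst[0] = '\0';
        return -1;                   /* reject rather than truncate silently */
    }
    memcpy(dst, src, n + 1);         /* n bytes plus the NUL, all within bounds */
    return 0;
}

int main(void)
{
    char buf[HOSTNAME_MAX];
    /* Constructed inputs: one that fits, one 40 bytes long that would overflow. */
    const char *ok = "mail.example";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("safe(ok)       -> %d (\"%s\")\n", copy_hostname_safe(buf, ok), buf);
    printf("safe(too_long) -> %d (\"%s\")\n", copy_hostname_safe(buf, too_long), buf);
    /* copy_hostname_unsafe(buf, too_long) would be undefined behaviour here,
     * which is exactly the condition a worm's exploit relies on. */
    return 0;
}
```

The point of the hardened version is not the particular API but that the length is decided before any byte is written, and that an oversized input is rejected outright instead of being trimmed into a value the rest of the program did not expect.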



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.