Re: White Paper - Web Application Worms: Myth or Reality?

[Nicholas Weaver <nweaver () CS berkeley edu>]

        This proposal for target selection is part of a more general
class: external target list worms, aka "Metaserver" worms.  

        A metaserver is simply a server who's job is to keep track of
other servers, which a worm can use to discover actual targets.  Not
only is google a metaserver, but they appear all over: the domain
controller is a windows metaserver in the enterprise LAN, and gamespy
is a metaserver for a bunch of different multiplayer-games.  They can
all be leveraged as means of finding targets.


        See Nicholas Weaver, Vern Paxson, Stuart Staniford, Robert
Cunningham, "A Taxonomy of Computer Worms", First workshop on Rapid
Malcode (WORM) 2003.

URL: http://www.cs.berkeley.edu/~nweaver/papers/taxonomy.pdf

        for more details.



        Additionally, its a question how much making the system
self-propigating buys you for the particular target populations, over
just auto-rooting using the list the metaserver gives you.

        Self propigation allows exponential growth, but when the
target population is on the order of ~10k or less, and the metaserver
gives you a complete list of these targets, a simple sequential attack
is acceptable as a per-zombie throughput of 1 victim/second would
only require 2.7 hours to get the entire population using just one
zombie, while 10 zombies could go through the entire population in
just over 15 minutes.  

        The major possible advantage of making it a worm is not speed
(after all, the Witty author easily got ~120 zombies, and 15 minutes
totally blows away human-based defenses), but robustness once defenses
for automated attacks are developed in the future.

        The major disadvantage of making it a worm is that this now
has servers engaged in unusual behavior (initiating outgoing
connections), which could also be picked up by automated defenses.

        If I was Evil Hacker, the current defenses are such that I'd
use a zombie group, rather than a worm.  And probably in the future,
I'd use a small zombie-army, given the size of the population, and the
additional stealth imparted by not having the compromised servers
attack other servers.



        It also strongly overlaps with such work as "Googling Up
Passwords" by Scott Granneman,
http://www.securityfocus.com/columnists/224 

        which you should probably cite.



        This doesn't affect the overall conclusion of the whitepaper
(small populations of custom services are vulnerable to fast attacks,
because the metaservers can be used to provide a target list), but
this is not a new worm concept, but a particular instance of a more
general, and highly dangerous class of attack.

-- 
Nicholas C. Weaver                                 nweaver () cs berkeley edu