Dailydave mailing list archives
Self updating worms?
From: "Jonathan Wilkins" <jwilkins () microsoft com>
Date: Thu, 9 Sep 2004 07:48:54 -0700
It occurred to me at CanSec this year that tools such as Core's Impact, Immunity's Canvas and the open source Metasploit Framework (not to mention the various worm development languages that Tom Ptacek, Jose Nazario and Dave Aitel have been discussing) open up a new possibility for worm automation. By using standardized payloads, they allow for extraction of injector code. This opens the possibility of worms learning of new exploits in a totally automated fashion.

I know this is no trivial task, but it would allow a stealthy worm to continue to exploit new hosts long after its initial release. One major disadvantage for a slow spreading worm has been that the longer it takes to spread, the more hosts will be patched when it finally attempts an attack. If a slow spreading worm was able to get new information on current exploit techniques long after initial release, this disadvantage would disappear.

Previously, worm authors have attempted to provide updates through web sites, IRC channels, Usenet, and the like, but the communication channels were easily disrupted. By building code into the worm that can identify payloads and extract delivery code, the slow spreading worm could compromise thousands of hosts without becoming such an obvious presence on the network that it is discovered. Further, since it's already examining network traffic, the addition of a cryptographically secure update and control mechanism adds obvious value (worm updates via spam?).

Imagine a worm that starts off by scanning 10000 hosts; in the next generation, each instance would only scan 1000, then 100, then 10, then 1, then only scan with a 10% probability and so on. Depending on the wait between generations, the vulnerability used could be quite different between different instances.

Thoughts?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave