Dailydave mailing list archives

Self updating worms?


From: "Jonathan Wilkins" <jwilkins () microsoft com>
Date: Thu, 9 Sep 2004 07:48:54 -0700


It occurred to me at CanSec this year that tools such as Core's Impact,
Immunity's Canvas and the open source Metasploit Framework (not to
mention the various worm development languages that Tom Ptacek, Jose
Nazario and Dave Aitel have been discussing) open up a new possibility
for worm automation.  By using standardized payloads, they allow for
extraction of injector code.  This opens the possibility of worms
learning of new exploits in a totally automated fashion.

I know this is no trivial task, but it would allow a stealthy worm to
continue to exploit new hosts long after its initial release.  One
major disadvantage for slow spreading worms has been that the longer
it takes to spread, the more hosts will be patched when it finally
attempts an attack.  If a slow spreading worm was able to get new
information on current exploit techniques long after initial release,
this disadvantage would disappear.  Previously, worm authors have
attempted to provide updates through web sites, IRC channels, Usenet,
and the like, but the communication channels were easily disrupted.  By
building code into the worm that can identify payloads and extract
delivery code, the slow spreading worm could compromise thousands of
hosts without becoming such an obvious presence on the network that it is
discovered.  Further, since it's already examining network traffic, the
addition of a cryptographically secure update and control mechanism adds
obvious value (worm updates via spam?).

Imagine a worm that starts off by scanning 10000 hosts; in the next
generation, each instance would only scan 1000, then 100, then 10, then
1, then only scan with a 10% probability and so on.  Depending on the
wait between generations, the vulnerability used could be quite
different between different instances.

Thoughts?
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave