RE: Self updating worms?

["Kohlenberg, Toby" <toby.kohlenberg () intel com>]

definitely possible and I don't know that it would be even that
difficult. Consider- if the worm were able to hijack/modify/monitor
DNS requests coming out of a compromised system, it could specify DNS
servers to use and we could leverage some of the work that Dan
Kaminsky's
done on abusing DNS to feed updates to the worms very easily and in
a quiet fashion.

Frankly, I'm surprised this hasn't already been implemented many times
over...

t 

> -----Original Message-----
> From: dailydave-bounces () lists immunitysec com 
> [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of 
> Jonathan Wilkins
> Sent: Thursday, September 09, 2004 7:49 AM
> To: dailydave () lists immunitysec com
> Subject: [Dailydave] Self updating worms?
>
>
> It occured to me at CanSec this year that tools such as Core's Impact,
> Immunity's Canvas and the open source Metasploit Framework (not to
> mention the various worm development languages that Tom Ptacek, Joae
> Nazario and Dave Aitel have been discussing) open up a new possibility
> for worm automation.  By using standardized payloads, they allow for
> extraction of injector code.  This opens the possibility of worms
> learning of new exploits in a totally automated fashion.
>
> I know this is no trivial task, but it would allow a stealthy worm to
> continue to exploit new hosts long after it's initial release.  One
> major disadvantage for a slow spreading worms has been that the longer
> it takes to spread, the more hosts will be patched when it finally
> attempts an attack.  If a slow spreading worm was able to get new
> information on current exploits techniques long after initial release
> this disadvantage would disappear.  Previously, worm authors have
> attempted to provide updates through web sites, IRC channels, Usenet,
> and the like, but the communication channels were easily disrupted.  By
> building code into the worm that can identify payloads and extract
> delivery code, the slow spreading worm could compromise thousands of
> hosts without becoming such a obvious presence on the network 
> that it is
> discovered.  Further, since it's already examining network traffic, the
> addition of a cryptographically secure update and control 
> mechanism adds
> obvious value (worm updates via spam?).  
>
> Imagine a worm that starts off by scanning 10000 hosts, in the next
> generation, each instance would only scan 1000, then 100, then 10, then
> 1, then only scan with a 10% probability and so on.  Depending on the
> wait between generations, the vulnerability used could be quite
> different between different instances.
>
> Thoughts?
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://www.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave