Dailydave mailing list archives

RE: sky != falling


From: "Marc Maiffret" <mmaiffret () eeye com>
Date: Fri, 14 Oct 2005 13:44:31 -0700

Forget the fact for a moment that things get lost in translation with
reporters. So, that being said, here is the unedited version of my
thoughts on the matter...

The question should not be whether there will be a worm or not, but
whether a vulnerability can be used by a worm; that is a technical yes or
no. Whereas saying whether there is going to be a worm or not is a truly
unscientific guess.

Also, the exact details of a thought around which flaws are easier to
exploit, and therefore could potentially result in a worm, are not going
to come across in a press interview. For example, when talking about
MSDTC it is not to say we are talking about eEye's flaw specifically (not
that we had trouble), but there are always silently fixed vulnerabilities
that typically can be even easier for other people to exploit.

A good case in point is the ASN vulnerabilities. A lot of people doubted
the reality of exploits/attacks and we just smiled and grinned because
we already knew of a more reliable attack vector. It finally took
someone smart enough (Solar eclipse, rocks) to reverse the patch and
write an exploit for one of the silently fixed flaws and then sell it to
Immunity. Luckily that was all under NDA and no one in the public was
any the wiser about this exploit existing until over a year later. Now,
could there have been a worm for that ASN vulnerability? Definitely. The
chances of that happening would have been greatly increased if it had
been someone at Metasploit releasing a public exploit for it rather
than a closed exploit for Canvas customers.

Worms these days for the most part suck ass; actually, the majority of
worms that have ever been written have mostly sucked ass, and were
obviously written by people doing their best to fumble their way to the
finish line. The avg. worm today seems to be based on a toolkit-style
approach where you just plug in the latest remote SYSTEM public exploit,
make sure you're dependent on too many variables that won't exist on most
networks, like TFTP, and then have a crappy randomization algorithm, and
of course a payload that phones home to some central IP address or IRC
channel so that your ass ends up on the 6 o'clock news.

I think most of the guys who would be technically competent enough to
write a good worm, and who are criminally motivated, have learned that
worms do nothing other than cause systems to be patched. Why do that
when you can do targeted attacks and truly have something to gain
besides nameless/faceless recognition, unless of course you're caught, in
which case maybe someone will recognize you as "the worm guy" while you're
grabbing your ankles upstate somewhere.

We are moving back to the late '90s, when vulnerabilities were all over
the place and systems *were* being exploited; however, there wasn't
anything visual or grand about it to make IT people understand there
truly is a threat.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities 


-----Original Message-----
From: Dave Aitel [mailto:dave () immunitysec com] 
Sent: Friday, October 14, 2005 8:46 AM
To: dailydave
Subject: [Dailydave] sky != falling

I know everyone is freaking, but I don't think there's going to be a DTC
worm. More to the point, Sinan Eren doesn't think there's going to be a
DTC (MS05-051) worm, and if anyone knows, it's him. Even if you can
predict or leak VirtualAlloc() addresses, which is probably unlikely for
anyone any time soon, there are a lot of variables in the kinds of
machines that are vulnerable. Is that SP4 up2date? Is it slipstream?
This bug isn't going to have a worm. I hate to step up against Marc and
Neel, but imo, no worm.

If there IS a worm, I predict it's going to be the ms_netware bug. That
bug is so easy (once you have a decent widechar.py - thanks bas!) that
you can use it in buffer overflow 101 classes. The umpnp bug is a bit
more complex: you can overwrite eip with 00XX00YY where XX and YY are
characters from a registry key you get to pick. It's fun for the whole
family. Do you A) spam the heap with lots of your shellcode? or B) off by
two EIP and hope for something cool? C) find an 0day.

I got some questions from various people asking "What's the most
important bug just released?" My answer was "Who cares? The most
important bug is the one that will get released next month."

Has anyone noticed that Microsoft requires you to download and run a
"validation tool" from an HTTP:// site in order to get the rollup patch?
It's like a dsniffer's dream come true.

-dave
