Information Security News mailing list archives

How bigger, badder Code Red worms are being built


From: InfoSec News <isn () c4i org>
Date: Wed, 5 Sep 2001 01:12:34 -0500 (CDT)

http://www.zdnet.com/anchordesk/stories/story/0,10738,2810238,00.html

Robert Vamosi,
Associate Editor,
ZDNet Reviews
Wednesday, September 5, 2001  

As I write this, there are two new fast-spreading Internet worms for
Windows users: Apost does the now-familiar "e-mail itself to everyone"
thing we've come to expect from Windows worms and viruses, except this
worm sends multiple copies of itself. And then there's an updated
version of Magistr, redesigned to infect even more users with its
destructive payload. Faster propagation has been the trend with Win32
viruses and worms, but what if rapid propagation methods were employed
for network-savvy worms such as Code Red? Well, someone has already
given thought to that.

Andy Warhol is famous for saying "In the future, everybody will have
15 minutes of fame." Nicholas Weaver at UC Berkeley has written a paper
proposing that virus writers constructing some future Code Red-like
worm add a list of 10,000 to 50,000 "well connected" Internet servers,
then launch the virus. The advantage, he argues, is that even if only
10 to 20 percent of the servers are vulnerable to the worm's exploit,
that would still be an enormous jump on Code Red and previous worms.
Weaver adds that the initial 10 percent infection could be achieved
in the first minute or so; he then proposes that his "uberworm" could
infect most of the Internet within 15 minutes (hence the Warhol worm).

NOT TO BE OUTDONE, the team of Stuart Staniford, Gary Grim, and Roelof
Jonkman at Silicon Defense proposed an even greater propagation rate:
they claim they can infect the Internet in 30 seconds. They argue that
a worm writer could scan the Internet in advance and identify almost
all of the vulnerable systems on the Internet before launching the
worm. With a very fast Internet connection (they mention an OC12
link), they argue even a 48MB list of vulnerable Internet addresses
could be sent out in about 4 minutes.

Jose Nazario, a biochemist by trade who has previously offered
valuable insights on digital worms, points out that neither of these
papers takes into account the basic elements of propagation on the
Internet. Nazario points to an IBM paper called "How Topology Affects
Population Dynamics," which looks at lessons learned from biological
infections and how, with an understanding of this model, programmers
might better design future digital organisms (they don't specifically
say "worms").

Basically, the authors of both the Warhol and Flash worm papers assumed
a very simple Internet model in which every node to be infected is a
neighbor of every other node, so that any infected host can reach any
susceptible host directly. The reality is much more complicated.
That's what Nazario says torpedoes the technical merits of both of
these studies.
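The point of the critique is that the 15-minute and 30-second forecasts fall out of the mixing assumption, not out of the hit list by itself. The following simulation is an added illustration written for this archive page; it is not code from the column or from either of the papers discussed. It runs a simple discrete-time susceptible/infected model twice from the same constructed 10 percent "hit-list" seeding: once on a fully-mixed population, where every host can probe every other host (the assumption the papers make), and once on a ring lattice in which each host can reach only its immediate neighbours (a constructed stand-in for a topology-constrained network, not a model of the real Internet). The population size, two probes per host per step, the ring as a topology, and the random seed are all assumptions chosen for the demonstration.

```python
import random


def fully_mixed_picker(n):
    """Fully-mixed model: every node can probe every other node directly.
    This is the implicit assumption behind the Warhol/Flash time estimates."""
    def pick(node, rng):
        return rng.randrange(n)          # any address in the population
    return pick


def ring_lattice_picker(n, k):
    """Topology-constrained model (constructed for this example): a node can
    only reach its k nearest neighbours on either side of a ring, so infected
    hosts cannot reach most susceptible hosts directly."""
    def pick(node, rng):
        offset = rng.randint(1, k)
        direction = 1 if rng.random() < 0.5 else -1
        return (node + direction * offset) % n
    return pick


def simulate_si(n, pick_target, initial_fraction, scans_per_step, max_steps, seed=7):
    """Discrete-time susceptible/infected (SI) spread.

    Each step, every infected node probes `scans_per_step` targets chosen by
    `pick_target`; a probed susceptible node is infected at the end of the step.
    Returns the infected count after each step (index 0 = initial seeding).
    """
    rng = random.Random(seed)
    # The initial infected set plays the role of the pre-built "hit list".
    infected = set(rng.sample(range(n), max(1, int(n * initial_fraction))))
    history = [len(infected)]
    for _ in range(max_steps):
        if len(infected) == n:
            break
        newly = set()
        for node in infected:
            for _ in range(scans_per_step):
                target = pick_target(node, rng)
                if target not in infected:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
    return history


def steps_to_reach(history, n, fraction):
    """First step at which the infected count reaches fraction * n, else None."""
    threshold = fraction * n
    for step, count in enumerate(history):
        if count >= threshold:
            return step
    return None


def compare_models(n=2000, initial_fraction=0.10, scans_per_step=2):
    """Run both models from the same 10% hit-list seeding and summarise.

    Both runs share the seed, so they start from the identical infected set
    and differ only in which hosts an infected node is able to reach.
    """
    results = {"n": n, "initial_infected": max(1, int(n * initial_fraction))}
    models = {
        "fully_mixed": fully_mixed_picker(n),
        "ring_lattice": ring_lattice_picker(n, k=1),
    }
    for name, picker in models.items():
        history = simulate_si(n, picker, initial_fraction, scans_per_step, max_steps=500)
        results[name] = {
            "steps_to_90pct": steps_to_reach(history, n, 0.90),
            "final_infected": history[-1],
            "steps_run": len(history) - 1,
        }
    return results


if __name__ == "__main__":
    summary = compare_models()
    for name in ("fully_mixed", "ring_lattice"):
        r = summary[name]
        print(f"{name:12s} 90% infected after {r['steps_to_90pct']} steps, "
              f"{r['final_infected']}/{summary['n']} after {r['steps_run']} steps")
```

Under full mixing the infected fraction follows the familiar logistic curve and the 10 percent head start carries the population past 90 percent in about four rounds of probing, which is the shape of the Warhol argument. On the ring, the same head start turns into a few hundred separate fires that can each only creep outward one host per side per step, and the time to 90 percent is several times longer. The exact numbers depend entirely on the constructed topology; the defensible lesson is the one Nazario draws, that a propagation forecast is only as good as the connectivity model underneath it.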

SO WHY even mention this research? Nicholas Weaver himself writes that
he is leaving his paper up online so that people can understand, with
documentation, what danger there is in a homogeneous Internet. Someone
will attempt to do what these authors have proposed, and someone might
someday make a worm that "flashes" the entire Internet with a
malicious payload. Rather than be caught unaware, isn't it better to
realize this is out there and take steps to minimize its impact?

Weaver proposes that companies use context-sensitive firewalls where
only "that which is not explicitly allowed is forbidden." He further
suggests internal firewalls throughout the company and regular
security audits. He adds, "regular backups are also essential." He
further suggests that: "Homogeneous populations, whether in potatoes or
computers, are always more vulnerable to diseases." That's something
to remember when deciding whether to run one or several types of
server on your network. Just as biodiversity has kept life going on
Earth, mixing up one's operating systems can only strengthen the
Internet.



