Information Security News mailing list archives

Researchers predict worm that eats the Internet in 15 minutes


From: InfoSec News <isn () c4i org>
Date: Tue, 22 Oct 2002 03:56:54 -0500 (CDT)

http://www.nwfusion.com/news/2002/1021worm.html

By Ellen Messmer
Network World Fusion
10/21/02

Computer science researchers are predicting new types of dangerous
worms that would be able to infect Web servers, browsers and other
software so quickly that the working Internet itself could be taken
over in a matter of minutes.

Though still in the realm of theory, the killer worms described in a
research paper entitled, "How to Own the Internet in Your Spare Time",
are triggering some skepticism but the idea of them is seldom
dismissed as outlandish science fiction.

The three authors of the research, published two months ago, present a
future where worm-based attacks use "hit lists" to target vulnerable
Internet hosts and equipment, such as routers, rather than scanning
aimlessly as the last mammoth worm outbreaks, Nimda and Code Red, did
last year. And this new breed of worms will carry dangerous payloads
to allow automated denial-of-service and file destruction through
remote control.

"Code Red and Nimda could have spread faster, and they didn't have
powerful payloads," asserts Stuart Staniford, president of Silicon
Defense, and co-author of the research paper. The other authors are
Vern Paxson, a staff scientist at both the Berkeley-based ICSI Center
for Internet Research and Lawrence Berkeley National Lab's network
research group, and Nicholas Weaver, a graduate student at the
University of California at Berkeley.

The paper argues that this next generation of computer worms -- which
would certainly have military application during war -- would carry
knowledge about a specific server's vulnerability and propagate at a
breathtakingly high rate of infection, "so that no human-mediated
counter-response is possible."

Remedying software vulnerabilities remains a huge problem, with many
corporations admitting it takes about a day or two -- at best -- to
apply software patches once a software vendor has acknowledged a
vulnerability in product coding and supplied a fix for it. And home
computer users online are often wholly unaware of these types of
problems.

Staniford says they tested the paper's thesis in a lab simulation of a
computer worm designed to subvert 10 million Internet hosts over both
low-speed and high-speed lines. Supplied with its own "hit list" of IP
addresses and vulnerabilities gained through prior scanning, the
theoretical worm could infect more than nine million servers in a
quarter hour or so.

They called this the "Warhol worm" after artist Andy Warhol's
well-known quote that in the future, everyone will be famous for 15
minutes. A similar theoretical worm, which they dubbed the Flash
worm, blasted out from a 622M bit/sec link, would take even less time
to "own" the Internet.

The authors conclude that just as the U.S. government has established
the "Centers for Disease Control" in Atlanta as the central voice in
matters related to new health risks for the nation, it would benefit
the country to set up an operations center on virus- and worm-based
threats to cybersecurity.

Richard Clarke, the advisor to President Bush on cybersecurity
matters, said that while he hadn't read the Flash-worm research paper,
he wouldn't discount the idea of a very-fast-moving worm of this type.

As it happens, the draft "National Strategy to Secure Cyberspace"  
report issued last month, for which Clarke is asking for public
comment, contained the recommendation that the government fund a
network operations center as a central point for threat analysis.

Another U.S. government official, Bob Dacey, director of information
security issues at the U.S. General Accounting Office, said of the
theoretical worms: "The risk is there, though I can't speak to the 15
minutes. When you look at Nimda and Code Red, you see greatly
developed delivery mechanisms."

To date, the Internet hasn't seen a worm with a really dangerous
payload to destroy systems combined with rapid delivery but it
certainly might be out there in the future, said Dacey, who's in
charge of overseeing vulnerability-testing of federal agencies'
networks.

Dacey said agencies need to do a better job of applying software
patches, and to that end the federal government is seeking to award a
contract for an outside patch-management service to help agencies
install patches quickly.

The terms "Flash" and "Warhol" worms are not yet part of the common
vocabulary of the antivirus software business and its technologies. At
first glance, the idea of a worm devouring the Internet in 15 minutes
sounds far-fetched to many.

"It's hard to imagine such a thing could happen," responds Bob Justus,
vice president of security at Union Bank of California, but then he
adds: "But I guess it's possible."

Antivirus software vendors and the security industry as a whole seem
to be taking the research paper seriously though it's unclear what
defenses there may be for a worm that attacks the whole Internet in
seconds.

"It's definitely plausible," says TruSecure's virus expert, Roger
Thompson. "It's highly likely we'll see them."

Traditional antivirus software relies on signature updates to stop a
worm or virus once it's identified, but with fast-moving Flash and
Warhol worms, this wouldn't work, Thompson pointed out.

"We haven't seen a 'Flash' worm yet, but now that there's a paper on
it, we probably will," says Mikko Hypponen, manager of anti-virus
research at F-Secure.

This research indeed has "credibility," said a spokesman for
Moscow-based Kaspersky Labs, but he added, "Actually, we predicted
this technology two years ago but never published it because it may
give virus writers another clue how to improve their malware. The
Berkeley guys did this and they are half-guilty for such a worm
[appearing] that may easily cause the Internet to be down in just an
hour, so users will not be able to download anti-virus updates."

Staniford admits he's taken some heat for describing how the worms
would work, but tried not to be too obvious. He said there may not be
much way to defend against a Flash worm today, but Silicon Defense
has something in the works, which he declined to discuss, that may be
ready by next February.

Not all security firms think the killer worms are an identifiable
problem yet. Avert Labs, the research division of security firm
Network Associates, said the concept of a Flash worm is "possible,"
but added with a note of skepticism, "there is a big step between
theory and practice."

Other security firms are also a bit dubious about Flash. Trend
Micro's product manager Bob Hansen said, "The threat from this type of
thing is definitely growing," but that "it takes a ton of research to
design one of these things."

Nevertheless, Hansen said it's "certainly credible to think that a
worm designed as a targeted hacker tool could be created to bring down
20 or 30 of the major business Web sites within a matter of minutes."

While signature-based updates wouldn't be ready fast enough,
behavior-based technologies, such as Trend Micro's Applet Trap, which
he noted isn't a big seller, might be successful in blocking such an
attack.

Okena, which makes behavior-based intrusion-detection software,
weighed in on the Flash worm. Director of product management Ted Doty
said if a Flash worm does appear in the future, Okena's StormWatch
software for servers and desktops might be able to block it as it did
Nimda or Code Red by blocking unauthorized behavior. However, few
companies are using any type of behavior-blocking software today.

"You can detect attacks you haven't known about before," says Rob
Clyde, chief technology officer at Symantec about the idea of a Flash
worm. "But it's not going to be easy."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

