Information Security News mailing list archives
Re: Researchers predict worm that eats the Internet in 15 minutes
From: InfoSec News <isn () c4i org>
Date: Wed, 23 Oct 2002 00:55:21 -0500 (CDT)
Forwarded from: Russell Coker <russell () coker com au> On Tue, 22 Oct 2002 10:56, InfoSec News wrote:
http://www.nwfusion.com/news/2002/1021worm.html By Ellen Messmer Network World Fusion 10/21/02 The three authors of the research, published two months ago, present a future where worm-based attacks use "hit lists" to target vulnerable Internet hosts and equipment, such as routers, rather than scanning aimlessly as the last mammoth worm outbreaks, Nimda and Code Red, did last year. And this new breed of worms will carry dangerous payloads to allow automated denial-of-service and file destruction through remote control.
Let's talk about "dangerous payloads". A large part of the problem here is that daemons get too much access to a typical server. There's no need for a daemon to have access to write any file on the system (root access on a typical Unix machine). Posix capabilities combined with non-root operation are a good step in the right direction but still aren't as comprehensive as you would like. Also Posix capabilities don't work well when a program has a need to change UIDs or write files owned by other users on occasion. Any decent Mandatory Access Control scheme should allow the daemons to be restricted enough that they have minimal opportunities to do damage. Even a compromised sshd should not result in the server being killed! However if "dangerous payload" means a DOS attack on whitehouse.gov then that's something that is probably impossible to prevent.
The paper argues that this next generation of computer worms -- which would certainly have military application during war - would carry knowledge about a specific server's vulnerability and propagate at a breathtakingly high rate of infection, "so that no human-mediated counter-response is possible."
Why would you bother having lists of pre-scanned servers? Servers can change between scan time and access time. Also configuring servers to misreport their version numbers is a reasonably common practise. A worm that's properly designed would spread exponentially, so an untargetted attack would cover the entire net fast enough. The only difficult part would be choosing suitable pseudo-random algorithms to ensure that all the machines don't concentrate their attacks on a small range of addresses while only providing minimal cover for other ranges (a problem that past worms had).
Staniford says they tested the paper's thesis in a lab simulation of a computer worm designed to subvert 10 million Internet hosts over both low-speed and high-speed lines. Supplied with its own "hit list" of IP addresses and vulnerabilities gained through prior scanning, the theoretical worm could infect more than nine million servers in a quarter hour or so.
I'm surprised it couldn't go faster.
The authors conclude that just as the U.S. government has established the "Centers for Disease Control" in Atlanta as the central voice in matters related to new health risks for the nation, it would benefit the country to set up an operations center on virus- and worm-based threats to cybersecurity.
However the government does have a basic understanding of diseases, but little clue about computers. Better to just punish companies that publish the software that has security holes if they don't fix them fast enough. I suggest that they lose a year's revenue from product sales if the bug isn't fixed within 1 working day. However legislation may not be the best way of doing this, I suggest class-action law suits. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
Current thread:
- Researchers predict worm that eats the Internet in 15 minutes InfoSec News (Oct 22)
- <Possible follow-ups>
- Re: Researchers predict worm that eats the Internet in 15 minutes InfoSec News (Oct 23)
- Re: Researchers predict worm that eats the Internet in 15 minutes InfoSec News (Oct 23)
- Re: Researchers predict worm that eats the Internet in 15 minutes InfoSec News (Oct 24)
- RE: Researchers predict worm that eats the Internet in 15 minutes InfoSec News (Oct 24)
- Re: Researchers predict worm that eats the Internet in 15 minutes InfoSec News (Oct 26)