
punishment for worm authors

as we find out that a Canadian youth is being charged with writing and releasing the Randex worm, we hear calls for tougher sentences from economist Steven E. Landsburg:

"So if a single execution could deter just one-fifth of 1 percent of all vermiscripting for just one year, we'd gain the same $100-million benefit we earn by executing a killer. Anything over one-fifth of 1 percent, and any effects that last beyond the first year, are gravy."

you can count me on the side of people who think that this is an absurd argument and the punishment does not fit the crime. for starters, we don't have any accurate numbers on the total economic cost and damage caused by large-scale worm outbreaks, despite what mi2g may like to say.

when we have people clamoring for death sentences for worm authors, you know the problem is hitting epidemic proportions.

May 27, 2004 in government | Permalink | Comments (0) | TrackBack

fewer worms through fewer bugs?

we all know this story that's seeing renewed life in the context of the worm problem:

"Most software development processes used today do not incorporate effective tests, checks or safeguards to detect those software coding defects that result in product vulnerabilities."

source: Will code-check tools make for worm-proof software?,  CNet News, May 26, 2004.

while this is true, and many devastating worms have been carried through buffer overflows, this isn't going to be the panacea some hope it will be. yes, detect and fix bugs. i'm all for static analysis (and dynamic analysis) of code to spot problems. the state of the art is improving, and tools are getting better every year. they should be used.

fix bugs and you fix security problems in the process (OpenBSD is a stunning example of this approach). static analysis tools will help there. i'm certainly not saying this shouldn't be done.

but they won't lead to "worm proof software." not all worms spread through buffer overflows. sure, Sapphire, Code Red, Sasser, Blaster, and Nimda all used buffer overflows as exploit vectors in their propagation. however, plenty of effective worms continue to be found which don't use such methods. the phatbot/agobot toolkit, for example, uses guessable or empty passwords as one of its attack methods. Nimda used a Unicode misinterpretation bug as one of its techniques (to get to a command shell). etc etc etc ... this doesn't even count mail-based worms, where all you have to do is get someone to click on an attachment and they're executing arbitrary code in a remote context.

static analysis for buzzword-compliant bugs, such as overflows, will stop some worms. but it's not even the low-hanging fruit of bugs. until static analysis tools can identify basic logic or default configuration errors, the worm problem won't go away.

May 26, 2004 in Nimda, tools | Permalink | Comments (1)

MS04-011: everyone's favorite vulnerability to worm?

it seems like everyone is ready to try and be the next blaster with the vulnerability described in MS04-011: Security Update for Microsoft Windows, specifically the LSASRV overflow. no fewer than three worms are trying to take advantage of this:

  • sasser, which appeared on may 1, 2004, and spread to anywhere from 200,000 (symantec, arbor estimates) to over one million machines (microsoft numbers, based on their removal tool).
  • bobax, which appeared on may 17, 2004.
  • kibuv.b, which also appeared on may 17, 2004, and uses MS04-011 as its newest vector (it has many other vectors).

these last two are responsible for a massive uptick in TCP port 5000 traffic, also. to wit:

(this is from the UMich IMS project, one sensor's worth of data.) however, we're not seeing the other services that kibuv.b uses (i.e. 445/TCP) rise to the same degree with new traffic. hence, we're not convinced this is dominated by kibuv traffic at this point. i have to admit i've been too busy this week to dig deeply into this. additionally, when you look at this graph you see this traffic starting on about may 13, 2004, not may 17, 2004. this suggests that detection by the AV companies was, in fact, slow. the symantec description of kibuv.b says it was detected on may 14, 2004, something we tend to see supported by our data. this particular sensor monitors a single /24, so while it's seen 10,000 hosts, that's only a fraction of the total hosts. what fraction i'm not sure; i would need to look at the aggregate data first.
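the reasoning above (does port 445 rise in step with port 5000, and when did the 5000 surge actually start?) as an added example in python, not code from this post or from the IMS project; the flow records are constructed sample data, and the growth-ratio comparison is a simple heuristic chosen here, not the project's method:

```python
"""Per-port unique-source counts from a darknet sensor, used to ask whether a
TCP/5000 surge is matched by a rise on another port the same worm scans."""
from collections import defaultdict

# constructed sample flow records: (day, source host, destination port).
# shaped to mirror the post: 5000/TCP climbs from may 13, 445/TCP stays flat.
SAMPLE_FLOWS = [
    ("2004-05-12", "10.0.0.1", 5000),
    ("2004-05-12", "10.0.0.2", 445),
    ("2004-05-13", "10.0.0.3", 5000),
    ("2004-05-13", "10.0.0.4", 5000),
    ("2004-05-13", "10.0.0.4", 5000),   # repeat from one host, counted once
    ("2004-05-13", "10.0.0.5", 445),
    ("2004-05-14", "10.0.0.6", 5000),
    ("2004-05-14", "10.0.0.7", 5000),
    ("2004-05-14", "10.0.0.8", 5000),
    ("2004-05-14", "10.0.0.9", 445),
]

def unique_sources_by_day(flows):
    """Map (day, dport) -> set of distinct source hosts seen that day."""
    seen = defaultdict(set)
    for day, src, dport in flows:
        seen[(day, dport)].add(src)
    return seen

def daily_counts(flows, dport):
    """Sorted list of (day, unique source count) for one destination port."""
    seen = unique_sources_by_day(flows)
    days = sorted({d for d, p in seen if p == dport})
    return [(d, len(seen[(d, dport)])) for d in days]

def surge_start(flows, dport, factor=2.0):
    """First day on which unique sources reach `factor` x the previous day,
    or None if no such jump occurs. This is where a graph 'takes off'."""
    counts = daily_counts(flows, dport)
    for (_, prev), (day, cur) in zip(counts, counts[1:]):
        if prev and cur >= factor * prev:
            return day
    return None

def moves_together(flows, port_a, port_b, tolerance=0.5):
    """Do port_a and port_b grow at comparable rates over the sample?
    A worm scanning both ports should push both up; a lone surge on one
    port argues against attributing the traffic to that worm."""
    a = daily_counts(flows, port_a)
    b = daily_counts(flows, port_b)
    if len(a) < 2 or len(b) < 2 or a[0][1] == 0 or b[0][1] == 0:
        return False
    growth_a = a[-1][1] / a[0][1]
    growth_b = b[-1][1] / b[0][1]
    return abs(growth_a - growth_b) / max(growth_a, growth_b) <= tolerance
```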

tom ptacek and i gave a presentation at cansecwest 04 on the theory of wormability. in this work (paper forthcoming, it's one of the things i've been working on) we analyzed a bunch of vulnerabilities and, as you may have expected, MS04-011 appears. however, this one appears to have been wormed well before its prime time; either new rates of vulnerable population decay need to be used, or worm authors recognize this and are acting early.

there are other vulnerabilities in MS04-011 which are highly wormable, and many more vulnerabilities ripe for using as a worm vector which have yet to be acted upon.

May 20, 2004 in sasser | Permalink | Comments (0)

more archived US government testimony (2004)

Finally, SCADA systems now also seem to be victims of common Internet dangers. It has been reported that the blackout this summer may have been partially due to the widespread Blaster worm, which apparently disrupted communications among data centers controlling the grid. The Nuclear Regulatory Agency has warned nuclear power plants about infiltration by the worms and viruses after a nuclear plant's systems were infected by a contractor's laptop.

source: "Telecommunications and SCADA: Secure Links or Open Portals to the Security of Our Nation's Critical Infrastructure", Chairman Putnam's Opening Statement on Tuesday, March 30, 2004, 2:00.

May 20, 2004 in Blaster, government | Permalink | Comments (0) | TrackBack

sasser suspect caught, confesses; phatbot author also nabbed

news this morning has a common headline: the sasser suspect has been caught and confessed to german authorities.

"He made a confession and the experts at Microsoft have now confirmed that he was the cause of this worm," said police spokesman Frank Federau.

source: Teen 'confesses' to Sasser worm, BBC, Saturday, 8 May, 2004.

it's been a busy week for german authorities cracking down on worm authors:

Separately, police in the southern state of Baden-Wuerttemberg said they had arrested a 21-year-old man who confessed to programming the Internet worm "Agobot" which was later renamed as "Phatbot."

source: Sasser Worm Suspect Confesses to German Police, Reuters, Sat, May 08, 2004.

May 8, 2004 in sasser | Permalink | Comments (0)

recent worm papers

i've been busy reading a lot of papers lately, or "url-spotting mode" as arrigo puts it. a couple of conferences to note are coming up shortly, DSN 2004 and WEIS04. a few papers that caught my eye are below ...

Worms represent a substantial economic threat to the U.S. computing infrastructure. An important question is how much damage might be caused, as this figure can serve as a guide to evaluating how much to spend on defenses. We construct a parameterized worst-case analysis based on a simple damage model, combined with our understanding of what an attack could accomplish. Although our estimates are at best approximations, we speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely used services in Microsoft Windows and carrying a highly destructive payload.

source: A Worst-Case Worm, Nicholas Weaver and Vern Paxson, International Computer Science Institute, WEIS04.


Our society is highly dependent on network services such as the Web, email, and collaborative P2P enterprise applications. But what if such infrastructures were suddenly torn down? Both past incidents and research studies show that a well-engineered Internet worm can accomplish such a task in a fairly simple way and, most notably, in a matter of a few minutes. This clearly rules out the possibility of manually countering worm outbreaks. We present a testbed that operates on a cluster of computers and emulates very large networks for purposes of experimentation. A wide variety of worm properties can be studied and network topologies of interest constructed. A reactive control system, based on the Willow architecture, operates on top of the testbed and provides a monitor/analyze/respond approach to deal with infections automatically. The logic driving the control system is synthesized from a formal specification, which is based on control rules that correlate sensor events. Details of our highly configurable testbed, the theory of operation of the Willow architecture, the features of the specification language, and various experimental performance results are presented.

source: An Automated Defense System to Counter Internet Worms, Riccardo Scandariato, John C. Knight, DSN 2004.


If we limit the contact rate of worm traffic, can we alleviate and ultimately contain Internet worms? This paper sets out to answer this question. Specifically, we are interested in analyzing different deployment strategies of rate control mechanisms and the effect thereof on suppressing the spread of worm code. We use both analytical models and simulation experiments. We find that rate control at individual hosts or edge routers yields a slowdown that is linear in the number of hosts (or routers) with the rate limiting filters. Limiting contact rate at the backbone routers, however, is substantially more effective -- it renders a slowdown comparable to deploying rate limiting filters at every individual host that is covered. This result holds true even when susceptible and infected hosts are patched and immunized dynamically. To provide context for our analysis, we examine real traffic traces obtained from a campus computing network. We observe that rate throttling could be enforced with minimal impact on legitimate communications. Two worms observed in the traces, however, would be significantly slowed down.

source: Dynamic Quarantine of Internet Worms, Cynthia Wong, Chenxi Wang, Dawn Song, Stan Bielski, Gregory R. Ganger, DSN 2004.

May 6, 2004 in papers | Permalink | Comments (0)

archived US government testimony

the US government has been holding hearings as to what can be done about the growing threat of worms, viruses, and other large-scale Internet plagues. these hearings from 2003 offer great hints at what else is going on in this space from industry leaders and are worth reviewing. from the opening statement of the hearings:

Today we continue our in-depth review of cyber security issues affecting our nation. There are several things unique to cyber attacks that make the task of preventing them particularly difficult. Cyber attacks can occur from anywhere around the globe: from the caves of Afghanistan to the war fields of Iraq, from the most remote regions of the world or simply right here in our own back yard.

source: Opening Statement of Chairman Putnam, "Worm and Virus Defense: How Can We Protect Our Nation's Computers From These Serious Threats?", September 10, 2003.

a few of the many industry experts who testified are quoted below. also be sure to see the posthearing question and answer session. all of the testimony is available on the IWS archives of the event.


As we examine how to protect ourselves against malicious cyber-attacks, such as worms and viruses, it is important to view the issue not simply as an effort to avoid the annoyance of a flood of e-mails or a crashed system. The challenge must be viewed in the broader context of the potential vulnerability of our critical infrastructures.

source: Worm and Virus Defense: How Can We Protect the Nation's Computers From These Threats?, in Testimony of Vincent Gullotto, Vice President, Anti-Virus Emergency Response Team (AVERT), Network Associates, Inc., before the House Committee on Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, September 10, 2003.


In the 2003 CSI/FBI Computer Crime and Security Survey (www.gocsi.com), viruses were the most cited form of attack (82% of respondents were affected), with an estimated cost of $27,382,340. The lowest reported cost to a victim was $40,000, and the highest was $6,000,000.

source: Viruses and Worms: What Can We Do About Them?, in Testimony of Richard D. Pethia, Director, CERT Coordination Center, before the House Committee on Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Hearing on Worm and Virus Defense: How Can We Protect the Nation's Computers From These Threats?, September 10, 2003.


I have just analyzed 1.24 million network vulnerabilities found by our scanning service during a recent 18-month period. This vast data pool demonstrates that known risks are far more prevalent than anyone has imagined. Analytical data also demonstrates a new breed of automated, Internet-born viruses and worms that mock traditional security defenses.

source: Worm and Virus Defense: How Can We Protect the Nation's Computers From These Threats?, in Testimony of Gerhard Eschelbeck, Ph.D., Chief Technology Officer and V.P. of Engineering, Qualys, Inc., before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House Government Reform Committee, September 10, 2003.


The government continues to play a key role in efforts to secure consumers' software and data. We have recently collaborated with the Department of Homeland Security to raise awareness of cyberthreats through release of security bulletins. Such partnering between industry and the government is a vital step toward additional cybersecurity for consumers.

source: Cybersecurity & Consumer Data: What's at Risk for the Consumer?, Mr. Scott Charney, Chief Trustworthy Computing Strategist, Microsoft Corporation, before the House Subcommittee on Commerce, Trade, and Consumer Protection, November 19, 2003.


Some argue that making patching easier and even automated is the solution. But there are problems with patching which I will outline. The only real long-term solution is to eliminate or at least drastically reduce the number of necessary patches by developing software with a secure development process.

source: Testimony for the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census Hearing on Worm and Virus Defense: How Can We Protect the Nation's Computers from These Threats?, by Christopher Wysopal, Director of Research and Development, @stake, Inc., September 2003.

May 6, 2004 in government | Permalink | Comments (1) | TrackBack

hunting for sasser's author, sasser's disruptions

a slew of stories today covered the announcements that the FBI and microsoft are working together to hunt the sasser worm author. this BBC news article provides a pretty decent summary of the story:

Hunt is on for Sasser worm writer

Home users have been hit hard by Sasser
The search has begun for the creators of the Sasser Windows worm that has wrought havoc this week.

Sasser's core computer code is being analysed for clues as to who might have put the malicious program together.

The worm is said to have infected more than 1 million PCs and caused trouble for net users around the world.

Worst hit seem to be home users and small businesses though some large organisations suffered serious disruption as well.

part of the motivation is that the worm has reportedly led to real-world disruptions, as well as reports that the sasser worm and netsky share code. get two incidents for the price of one ...

reports of how far the worm has spread vary wildly. some reports say millions, while other measurements suggest only a few thousand. data that i have seen is more in line with the latter.

sasser is disrupting multicast, however. it has been scanning into class D space (224/4), causing MSDP storms, tearing up routers and ultimately recreating the ramen multicast nightmare.

May 5, 2004 in sasser | Permalink | Comments (0)

f-secure antivirus team on NPR

the f-secure antivirus team was interviewed on NPR today on the show The World (a joint NPR and BBC production). about the piece (which aired today):

The Sasser computer worm continues to snarl machines worldwide. Hundreds of thousands of home users, corporations and government agencies throughout Europe, North America and Asia have been hit by the bug, which exploits a flaw in Microsoft's operating system. Computer security experts have been working around the clock to battle the Sasser worm. It's a job tailor-made for one group of anti-virus experts based in Helsinki, Finland. The World's technology reporter Clark Boyd visited Helsinki recently.

you can listen in using your laptop.

the f-secure team maintains the F-Secure Antivirus Research Weblog, which is a useful way to keep up-to-date on the world of viruses and worms. their blog is aggregated on InfosecDaily Blogs, a compendium of infosec blogs from around the world.

May 5, 2004 in media | Permalink | Comments (0)

just a start

i have been collecting worm links, news articles, papers, and the like for a long time. now i'll have a better chance to communicate these pieces of information using a more suitable format.

give this a few days to settle down in terms of style.

May 5, 2004 | Permalink | Comments (0) | TrackBack