
Measuring Worm Activity

Some data from Kamal, using Hogwash on a /28 network for an extended period of time. "Data is taken from an IPS (Feb to Jun, 2004) where Nachi (aka cyberkit) and SQLslammer were blocked. It is interesting to note that both worms carried a payload which, during its peak activity, led to congested networks. Another point that is interesting to note is that there are still a lot of vulnerable and active machines out there. Slammer pretty much remains constant, an average of 40 packets per day. Nachi's ping is going down quickly, and there is a line due to its due date, 1 Jan, 2004."

Note that Nachi's activity was supposed to stop on any infected host after January 1, 2004. However, this requires a restart, as the date check is done only at worm binary startup.
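As an added example (not Kamal's data or code from the original post), here is how such per-day counts and a decay trend could be pulled out of blocked-packet records. It assumes the well-known wire signatures for Slammer (UDP/1434, 376-byte payload starting with 0x04) and Nachi's scanner ping (ICMP echo carrying 64 bytes of 0xAA, the pattern Snort labels "CyberKit") and runs over a constructed six-day log.

```python
"""Tally blocked Slammer and Nachi traffic per day from IPS-style records."""
from collections import defaultdict
from datetime import date, timedelta

# Slammer: one 376-byte UDP datagram to port 1434, first byte 0x04.
# Nachi ping: ICMP echo with 64 bytes of 0xAA ("CyberKit" pattern in Snort).
SLAMMER_PAYLOAD = b"\x04" + b"\x01" * 375
NACHI_PAYLOAD = b"\xaa" * 64
FIRST, LAST = date(2004, 2, 1), date(2004, 2, 6)  # constructed observation window


def classify(proto, dst_port, payload):
    """Return 'slammer', 'nachi' or None for one blocked packet."""
    if proto == "udp" and dst_port == 1434 and len(payload) == 376 and payload[0] == 0x04:
        return "slammer"
    if proto == "icmp" and payload == NACHI_PAYLOAD:
        return "nachi"
    return None


def daily_counts(records):
    """Map worm name -> {day: blocked packets}; unrelated packets are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, proto, dst_port, payload in records:
        worm = classify(proto, dst_port, payload)
        if worm is not None:
            counts[worm][day] += 1
    return counts


def average_per_day(day_counts, first, last):
    """Mean packets/day over the window, counting quiet days as zero."""
    window = (last - first).days + 1
    return sum(day_counts.values()) / window


def half_window_ratio(day_counts, first, last):
    """Second-half average over first-half average; below 1.0 means the worm is dying off."""
    half = ((last - first).days + 1) // 2
    early = sum(n for d, n in day_counts.items() if (d - first).days < half)
    late = sum(n for d, n in day_counts.items() if (d - first).days >= half)
    return late / early if early else float("inf")


def build_sample():
    """Constructed log (not Kamal's data): steady Slammer, decaying Nachi, two decoys."""
    records = []
    for i in range(6):
        day = FIRST + timedelta(days=i)
        records += [(day, "udp", 1434, SLAMMER_PAYLOAD)] * 2
        records += [(day, "icmp", 0, NACHI_PAYLOAD)] * (6 - i)
    records.append((FIRST, "udp", 53, SLAMMER_PAYLOAD))  # right shape, wrong port
    records.append((FIRST, "icmp", 0, b"\xaa" * 32))    # wrong ping size
    return records
```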

July 14, 2004 in tools

betting on new worms

"By the end of the year we will have contracts relating to technology issues. Several people have contacted us for contracts related to DDoS attacks -- such as 'when will eBay be brought down by a DDoS attack?'," said Delaney.
source: Have a flutter on a worm, Munir Kotadia, July 12, 2004.

tradesports has all sorts of betting contracts open, including politics, gas, money, and soon, Internet disasters. most people became aware of this sort of thing through FutureMAP, the US Pentagon program to wager on geopolitical events like assassinations. this appalled most people, mainly because it had to do with death and real people. however, this sort of thing has been going on for a while now, in places like the iowa electronic markets.

we thought about doing this at infosecdaily. however, we never allocated the time and we never solved major issues related to fairness. after all, how can you control a community that can take advantage of the winnings so easily? obviously, you should disqualify people from winning when they can manipulate the outcome so easily ... we never solved this, and hence our project never came to fruition.

still, this could be interesting. how does this relate to worm blog? reportedly, predicting when a worm will strike (presumably with what vulnerability it will use) will be allowed. now if only i had a way of predicting such events ...

July 13, 2004 in media

Reflections on Witty: Analyzing the Attacker

The current edition of ;login:, the USENIX publication, has a piece by Nick Weaver and Dan Ellis entitled Reflections on Witty: Analyzing the Attacker. it's not much different from the original caida analysis from march, but worth reading:

On March 20th, 2004, an attacker released a single-packet UDP worm, Witty, into the wild. Although only infecting roughly 12,000 machines, and less than 700 bytes long, this worm represents a dangerous trend in malicious code. The attack is well understood: there have been several analyses [lurhq, disassembly] of the worm itself, and an excellent analysis by Moore and Shannon on the network propagation [caida_witty], including the presence of seeding or hitlisting (starting the worm on a group of systems to speed the initial propagation). But what can we learn about the attacker?

thanks to kamal for reminding me.

July 12, 2004 in papers, witty

Host-based worm protection

Yet another piece of news from Kamal. Found in the MIT Technology Review, there's a review of Determina's software which is attempting to stop the worm threat through a host-based solution. Determina is an MIT research offshoot.

In contrast, Determina’s software works by closely monitoring a fundamental set of instructions common to most applications. These instructions are the worm writer’s favorite target. By breaking the rules that govern them, a worm can run its own code, take control of the application, and propagate itself. SecureCore, which sells for between $500 and $1,500 for each server, makes sure these rules aren’t broken. Because the rules are universal to all applications running on a particular operating system, such as Windows, and violating them is almost always a malicious activity, this is a more accurate method of spotting intrusions, and one that doesn’t require any updates or a “learning” period, says Amarasinghe.

I wrote about such host-based systems in my worms book, published last year. Several companies are bringing such approaches to market, having investigated them for a number of years in academic and government research.

July 7, 2004

New Worm Identification

i've been lax in getting this up; the USENIX technical conference was over a week ago. again, some news on worm detection technologies via kamal: Aggregating Detectors for New Worm Identification, Eric Anderson and Jun Li, University of Oregon.

Abstract: Internet worms have resulted in considerable disruption of our communications infrastructure and could cause much more. We propose a design for coordinating a widely distributed set of network monitors to detect the emergence of new high-speed worms, develop and validate signatures for their identification, and model their spreading dynamics in real time. The primary new contribution of our design is a mechanism for going from the observation that there is a possible worm to automatically validating that observation, developing a signature for the worm if one does not already exist, providing a predictive model for the worm's spreading, and statistically quantifying the level of confidence in these characterizations.

i haven't seen it in action, but this looks interesting. we'll see how well it works ...

July 6, 2004 in papers