
NSF Awards $13 Million For Anti-Worm Research

The US government is getting into the game of setting up worm and malware research centers. You may recall that Staniford et al. called for this sort of thing in 2002 with their paper How to 0wn the Internet in your spare time (USENIX Security 2002). From an article on the announcement:

At the Center for Internet Epidemiology and Defenses, which is led by Stefan Savage, a computer science professor at the University of California, San Diego, and Vern Paxson of the International Computer Science Institute (ICSI) at UC Berkeley, researchers will devise a global-scale early warning system to detect digital epidemics in their early stages, create models to analyze large infections, and come up with techniques to suppress outbreaks before they become pandemic. The NSF will fund Savage's and Paxson's research to the tune of $6.2 million over five years.

Source: NSF Awards $13 Million For Anti-Worm Research, Friday, September 24, 2004.

Many of the researchers involved in this already have existing Internet measurement and analysis backgrounds and facilities. We'll see what comes out of this in the future. This story was suggested by Kamal, who's pointed out a number of interesting stories lately. Thanks!

September 30, 2004 in government | Permalink | Comments (0) | TrackBack

Sniffing Worm in Real World Circulation

"The complete SDBot family is dangerous, but it's not spreading that fast so our risk rating is low," said Raymund Genes, European president of Trend Micro. "The SDBot is perfect for spying, but anyone with updated antivirus protection should be fine."

Source: Sniffing worm snoops network PCs, Dan Ilett, ZDNet UK, 15 September 2004.

A worm found in the wild is one of the first widespread worms to include sniffing functions as a mechanism to gather logins and online banking information, according to this writeup of the WORM_SDBOT.VQ technical details, from Trend Micro. The worm has several exploits it uses, several data gathering techniques, and basically rolls in several well known tools and techniques. Nothing special aside from rolling it all together.

I distinctly recall talking about this back in 2001, when we discussed how a worm would be a perfect mechanism to distribute massive amounts of spyware. The variants of SDBot and Agobot are bearing this out in large measure.

September 19, 2004 in media, new trends, new worms | Permalink | Comments (0) | TrackBack

Sasser Author Hired for his Skills

"He has a certain know-how in this field," a company spokesman said.

Source: Sasser creator hired by security firm, The Age, September 20, 2004.

The German eighteen-year-old, Sven Jaschan, has been hired on by the German computer security firm Securepoint. He's reportedly being brought on to help develop firewall software.

For those interested in an opinion: the Sasser worm really didn't show any "know-how" in any field, other than recycling exploits from public sources and wrapping them in existing routines that also had source code available. I don't recall anything remarkable about Sasser, other than that it showed just how easy it is to write worms these days. Luckily it didn't cause as much damage as, say, Blaster.

September 19, 2004 in sasser | Permalink | Comments (0) | TrackBack

Anatomy of a worm

Friend and fearless wormblogger Jose wrote a piece recently for Computerworld entitled "Anatomy of a worm". In the abbreviated opinion article, Jose makes two key points. First, worms are becoming easier to create: widespread code re-use is making it easier and faster to build worms for the thousands of unused wormable vulnerabilities. Second, worms change the traffic on the networks they propagate over, so techniques such as behavioral profiling of hosts and general traffic characterization hold promise for detecting and tracking these threats.

September 19, 2004 in media | Permalink | Comments (0)

The Spread of the Witty Worm in IEEE S&P

Witty was the first widespread Internet worm to attack a security product. While technically the use of a buffer overflow exploit is commonplace, the fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end users apply patches to plug security holes is not viable.

In one of the most recent IEEE Security & Privacy magazine issues, a piece covered the March 2004 Witty worm. In The Spread of the Witty Worm, Colleen Shannon and David Moore, both from the Cooperative Association for Internet Data Analysis (CAIDA), cover the data they collected using their dark IP sensor on the Witty worm's spread. This is almost a complete reprint of their original Witty worm analysis, also called The Spread of the Witty Worm.

September 19, 2004 in papers, witty | Permalink | Comments (0) | TrackBack
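The two detection ideas that run through these posts, behavioral profiling of hosts from the traffic they generate (the "Anatomy of a worm" piece) and watching unused "dark" address space the way CAIDA's sensor did for Witty, can be combined in a few lines of flow analysis. The script below is an added example for this page, not code from the blog, from Computerworld or from CAIDA; the flow records, the 10.0.9.0/24 dark range and the thresholds are all constructed for illustration. A scanning worm fans out to many distinct destinations on one port in a short window, and a sizeable share of those destinations are addresses nobody legitimately talks to, so both signals are checked per source host.

```python
"""Worm-style scan detection over flow records (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed unused address block watched as a dark IP sensor: legitimate hosts
# have no reason to contact it, so traffic into it is a strong infection signal.
DARKNET = ip_network("10.0.9.0/24")

# Constructed flow records: (seconds since start, src, dst, dst_port).
FLOWS = [
    # 10.0.0.5: fans out to ten hosts on TCP/445 in 18 s, four of them in dark space
    (0,  "10.0.0.5", "10.0.1.10",  445),
    (2,  "10.0.0.5", "10.0.1.11",  445),
    (4,  "10.0.0.5", "10.0.9.3",   445),
    (6,  "10.0.0.5", "10.0.1.12",  445),
    (8,  "10.0.0.5", "10.0.9.77",  445),
    (10, "10.0.0.5", "10.0.2.8",   445),
    (12, "10.0.0.5", "10.0.9.140", 445),
    (14, "10.0.0.5", "10.0.2.9",   445),
    (16, "10.0.0.5", "10.0.9.201", 445),
    (18, "10.0.0.5", "10.0.3.1",   445),
    # 10.0.0.7: ordinary client traffic, few destinations, mixed ports
    (1,  "10.0.0.7", "10.0.4.20", 443),
    (5,  "10.0.0.7", "10.0.4.20", 443),
    (9,  "10.0.0.7", "10.0.4.25", 80),
    (40, "10.0.0.7", "10.0.4.30", 25),
    # 10.0.0.9: one stray connection into dark space (a typo), otherwise normal
    (3,  "10.0.0.9", "10.0.9.9",  22),
    (7,  "10.0.0.9", "10.0.4.20", 443),
    (11, "10.0.0.9", "10.0.4.21", 443),
    (15, "10.0.0.9", "10.0.4.22", 80),
    (19, "10.0.0.9", "10.0.4.23", 80),
]


def profile_hosts(flows):
    """Summarise each source host: event list, total flows, hits into dark space."""
    prof = defaultdict(lambda: {"events": [], "total": 0, "dark": 0})
    for ts, src, dst, port in flows:
        p = prof[src]
        p["events"].append((ts, port, dst))
        p["total"] += 1
        if ip_address(dst) in DARKNET:
            p["dark"] += 1
    return prof


def max_fanout(events, window):
    """Largest number of distinct destinations on one port within any `window` seconds."""
    best = 0
    events = sorted(events)
    for i, (t0, port, _) in enumerate(events):
        seen = {d for t, p, d in events[i:] if p == port and t - t0 <= window}
        best = max(best, len(seen))
    return best


def detect(flows, window=60, fanout=8, dark_ratio=0.25):
    """Return {src: [reasons]} for hosts whose traffic profile looks worm-like."""
    alerts = {}
    for src, p in profile_hosts(flows).items():
        reasons = []
        fo = max_fanout(p["events"], window)
        if fo >= fanout:
            reasons.append(f"fan-out {fo} distinct hosts on one port within {window}s")
        if p["dark"] / p["total"] >= dark_ratio:
            reasons.append(f"{p['dark']}/{p['total']} flows into dark space")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    for host, why in detect(FLOWS).items():
        print(host, "->", "; ".join(why))
```

Run as is, only 10.0.0.5 is reported, on both counts. The single stray hit from 10.0.0.9 stays below the dark-space ratio and its fan-out is small, which is the point of scoring the two signals against the host's total traffic rather than alerting on any one packet; lowering `dark_ratio` shows how quickly that trade-off moves toward false positives.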