Sasser: The Last Big Network Worm?

The Sasser worm from May, 2004, was one of the last major worm outbreaks on the Internet. This article in eWeek takes a look at the situation since then and what may have caused this change.
"Within minutes, we knew what needed to be done to protect customers," [Debby Fry] Wilson said, recalling that the initial guidance was for customers to enable a firewall and download/deploy the MS04-011 patch. [Wilson ... is the director at the MSRC responsible for mobilizing Microsoft's security response communication. - ed]

"Then, we worked on the first version of a click-and-clean worm removal tool for customers who had been infected."

"We had implemented a pre-defined process for identifying and evaluating a security incident, and it worked very well. We were able to determine the appropriate response and minimize the damages."

"With Blaster, recovery took 38 days. With Sasser, we brought that down to five days," Wilson said.

Sasser: The Last Big Network Worm?, by Ryan Naraine, May 16, 2005, eWeek online.
Sasser, which seemed to affect about half as many systems in the same time frame as Blaster did, is an interesting case study. It's almost a cookie-cutter copy of the Blaster worm: a similar targeting algorithm, a very similar exploit, and a TFTP-command shell combination. Yet businesses were able to remediate the problem and neutralize the threat much more efficiently. Wilson goes on to say that she thinks Windows XP SP2 had a role in that, but recall that XP SP2 has been getting the cold shoulder at many enterprises. Instead, it seems to be a combination of filtering of the Windows-specific ports by many ISPs, better reaction mechanisms, and better patching by enterprises that caused Sasser to be less significant than Blaster was.
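The scan-then-spread behaviour shared by Blaster and Sasser is what ISP port filters and enterprise egress rules were reacting to. As an added illustration (not code from the post or from eWeek), the detector below flags a source that reaches many distinct hosts on a Windows-specific port inside a short window; the port set, thresholds and flow records are all constructed for the example.

```python
"""Fan-out detector for Blaster/Sasser-style propagation (added example).

Both worms located victims by connecting to one Windows service port on
many randomly chosen addresses, so a single source touching many distinct
destinations on such a port in a short window is the tell-tale pattern.
"""
from collections import defaultdict, deque

# Windows-specific ports worth watching for scan-like fan-out
# (RPC/DCOM, NetBIOS session, SMB over TCP). Assumed set for the example.
WATCHED_PORTS = {135, 139, 445}

# Constructed sample flows: "epoch_seconds src dst dport proto"
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.1.1 445 tcp
1001 10.0.0.5 10.0.1.2 445 tcp
1001 10.0.0.5 10.0.1.3 445 tcp
1002 10.0.0.5 10.0.1.4 445 tcp
1002 10.0.0.5 10.0.1.5 445 tcp
1003 10.0.0.5 10.0.1.6 445 tcp
1003 10.0.0.9 10.0.2.10 80 tcp
1040 10.0.0.5 10.0.1.7 445 tcp
1500 10.0.0.7 10.0.1.1 445 tcp
1501 10.0.0.7 10.0.1.1 445 tcp
"""

def parse_flows(text):
    """Turn whitespace-separated flow records into tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            rows.append((int(ts), src, dst, int(dport), proto))
    return rows

def detect_fanout(flows, window=30, threshold=5):
    """Return {src: first_alert_ts} for sources reaching at least
    `threshold` distinct destinations on a watched port within `window` s."""
    recent = defaultdict(deque)   # src -> time-ordered deque of (ts, dst)
    alerts = {}
    for ts, src, dst, dport, proto in sorted(flows):
        if proto != "tcp" or dport not in WATCHED_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire flows outside window
            q.popleft()
        if len({d for _, d in q}) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts
```

Repeated connections to the same host (10.0.0.7 above) do not count as fan-out, which keeps a legitimately busy file server client from tripping the rule.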
I dunno about this. I'm given to understand that people consider using an exploit on a worm something of a waste: everybody gets patched against that exploit pretty quick.
What's your take, Jose? Has MSFT worked out all "wormable" exploits from XP? (see Andy Ozment's recent paper: http://www.cl.cam.ac.uk/users/jo262/papers/weis05-ozment-vulnrediscovery.pdf) Have any of the vulnerabilities patched recently had a high "wormability" factor?
Posted by: Bruce Ediger | May 23, 2005 5:02:10 PM
people get patched slower than you may suspect. look at arbor's CR, Nimda and Blaster stats. we have a new Blaster paper appearing in IEEE S&P soon, you'll see what i mean. long term trend analysis suggests that the patch adoption rate slows dramatically and quickly (i.e. nearly done within 30 days), and never hits a fully patched population.
as for 'wormable' vulns, a few exist and are diminishing slowly based upon our wormability work. a small but serious number of holes in SP2's stack protection have been found, and it doesn't protect against format string attacks, for example, or a few other attacks. i'm only considering remote, anonymous and autonomous attacks for worms. you can spam enough crap out and get a decent double click rate to make a mass mailer effective until the end of time.
one of the last truly juicy, delicious wormable vulns was MS04-012, but that's over a year old and past its wormability prime. enough XP boxes exist which aren't updated to make it interesting to worm authors if they wanted, but history has shown that they're unlikely to strike at such an older vulnerability. the ASN.1 vulns from a year ago were also interesting (and a number of exploit tools emerged to capitalize on it), but never materialized as a worm. MS05-019 (TCP/IP vuln) won't work as a remote worm since most routers won't pass the malformed packets required to execute it over the long, routed path ...
i don't think that MS has worked out all of the wormable holes, not by a long shot. and that doesn't matter for a while, anyhow, as long as boatloads of vulnerable software is still run (various studies back this up). i think that they've done a good job, but i think wormable vulnerabilities still lurk, but they're harder to find for the average worm launcher (take an exploit developed by someone else, wrap it in some crappy code, launch).
so, where have all the worm authors gone? I'm not entirely sure, but they're still out there, we see them working. they added payloads to their worms (aka bots, but they still use a worm delivery mechanism), and they're rolling exploits into their own private Rbot variants. my guess is they'll move on to other software soon (a la Witty), especially stuff not covered by the SP2 stack protection mechanisms.
Posted by: jose | May 23, 2005 7:00:12 PM
What about the "santy" worm (and variants)? Does "santy" comprise moving on to other software? I did a few "xprobes" on IP addresses of machines that tried the Santy Perl injection on my home machine, and it seemed like Santy was cross-platform: xprobe2 seemed to think that Solaris, FreeBSD, Linux and Windows boxes had tried the Perl injection on my home machine. Maybe because Santy didn't infect large boatloads of Windows boxes it wasn't "Big"?
So what you're saying in your other comments is that the people with the skill and knowledge to write worms have given it up for other pastimes, probably specifically targeted attacks. Other, sociological factors have to account for the non-existence of "Big Network Worms"?
Posted by: Bruce Ediger | May 27, 2005 2:27:34 PM