Net worms could wriggle around warning systems
At last week's Usenix Security 2005, an interesting paper was presented (actually, one of two very related papers). Mapping Internet Sensors With Probe Response Attacks by John Bethencourt, Jason Franklin, and Mary Vernon showed how easy it is for attackers with meager means to reliably identify various early detection networks. The authors focused on the ISC detection network, organized by SANS, but it's a problem that applies to many of these approaches.
Some people are worried about the effect this could have on worm authors. If they discover these networks, can't they simply avoid them in their worm propagation algorithms?
Armed with this information, the creator of a computer worm could create code that bypasses these traps and infects more computers as it spreads. The researchers say the same principle could enable troublemakers to bypass other forms of network defences, including blocks against intruders probing the system and barriers to prevent so-called denial of service attacks.
Several sensor networks provide network administrators with early warning of a possible worm outbreak. These include the SANS Institute's Internet Storm Center based in Maryland, US, the University of Michigan's Internet Motion Sensor and Symantec's DeepSight.
Source: Net worms could wriggle around warning systems, posted on 05 August 2005, via the NewScientist.com news service, written by Will Knight.
Frankly, I'm not very worried about this in the case of worm authors, for three main reasons. First, we've seen this sort of thing before. SQLSnake used a list of class A networks, weighted by their relative populations. Still, people found the worm quickly, captured it and analyzed it, because they have live networks instrumented, honeypots in place, and in general watch their networks. Secondly, we've seen a growing prevalence of "island hopping" techniques, for example as used by the Nimda worm. Quoting from the CERT advisory for Nimda:
The selection of potential target IP addresses follows these rough probabilities:
- 50% of the time, an address with the same first two octets will be chosen
- 25% of the time, an address with the same first octet will be chosen
- 25% of the time, a random address will be chosen
Nimda is not the only worm that has used this technique; many worms these days use it. Because the larger dark sensor networks are their own /16s, or even /8s, island hopping propagation techniques don't hit those networks as often as they hit other, nearby allocated networks. The technique is especially effective at spreading, and yet the worms are caught, analyzed, and alerts are created. Thirdly, plenty of live networks, and dark networks too, are monitored, and their reports are not widely distributed. This defeats the attack mechanism described in the paper (although other detection techniques are available to the determined attacker), and keeps the world's networks detecting worms.
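To put numbers on the claim that a dark /16 or /8 sees fewer island-hopping probes than a neighbouring live network, here is an added example (my own code, not from the post, the CERT advisory or the Usenix paper). It models a locality-weighted target selection rule as a list of (weight, prefix length) branches, so the quoted Nimda rule becomes "keep the first 16 bits half the time, the first 8 bits a quarter of the time, nothing a quarter of the time", and computes analytically the probability that one probe from a given source lands inside a sensor's address block. It generalizes beyond Nimda to any such rule, and compares each rule against a uniform random scanner. The addresses and blocks are constructed for illustration; no packets are sent.

```python
"""Estimate how visible a locality-preferring scanner is to a dark-address sensor.

Constructed example. A selection rule is a list of (weight, prefix_len) branches:
with probability `weight` the scanner keeps the top `prefix_len` bits of its own
address and randomises the remaining bits. The Nimda rule quoted in the CERT
advisory maps onto [(1/2, 16), (1/4, 8), (1/4, 0)].
"""
import ipaddress
from fractions import Fraction

# Nimda's rule as quoted above: same /16 half the time, same /8 a quarter, random a quarter.
NIMDA_RULE = [(Fraction(1, 2), 16), (Fraction(1, 4), 8), (Fraction(1, 4), 0)]
# A scanner with no locality preference: every address equally likely.
UNIFORM_RULE = [(Fraction(1), 0)]


def hit_probability(source, sensor_block, rule):
    """Probability that a single probe from `source` lands inside `sensor_block`.

    Returns an exact Fraction. The branch ranges are CIDR blocks derived from the
    source address, so each branch range is either nested with the sensor block
    or disjoint from it; the overlap is therefore the smaller block or nothing.
    """
    if sum(weight for weight, _ in rule) != 1:
        raise ValueError("branch weights must sum to 1")
    src = ipaddress.ip_address(source)
    block = ipaddress.ip_network(sensor_block)
    total = Fraction(0)
    for weight, prefix_len in rule:
        # Addresses reachable by this branch: the source's enclosing /prefix_len.
        kept = ipaddress.ip_network((str(src), prefix_len), strict=False)
        if block.subnet_of(kept):
            overlap = block.num_addresses
        elif kept.subnet_of(block):
            overlap = kept.num_addresses
        else:
            overlap = 0
        total += Fraction(weight) * Fraction(overlap, kept.num_addresses)
    return total


def visibility_ratio(source, sensor_block, rule):
    """How many probes the sensor sees per probe it would see from a uniform scanner."""
    return hit_probability(source, sensor_block, rule) / hit_probability(
        source, sensor_block, UNIFORM_RULE
    )


if __name__ == "__main__":
    # Constructed scenarios: (description, infected source, sensor block).
    scenarios = [
        ("dark /8 sensor, source in another /8", "192.0.2.10", "10.0.0.0/8"),
        ("dark /16 sensor, source in another /8", "192.0.2.10", "10.7.0.0/16"),
        ("dark /16 sensor, source in the same /8", "10.5.1.2", "10.7.0.0/16"),
        ("dark /24 sensor inside the source's /16", "10.5.1.2", "10.5.9.0/24"),
    ]
    for label, src, block in scenarios:
        p = hit_probability(src, block, NIMDA_RULE)
        r = visibility_ratio(src, block, NIMDA_RULE)
        print(f"{label}: P(hit)={p} ({float(p):.3e}), {float(r):.2f}x uniform")
```

Under the quoted rule, a dark /8, or a /16 with no infected hosts in its /8, receives a quarter of the probe rate a uniform scanner would deliver, which is the effect the post describes; a dark block that shares a /8 or /16 with infected hosts receives far more than uniform, so where a sensor sits relative to the infected population matters more than its size.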
The benefit of an open project like the ISC, MyNetWatchman and related projects is that they make wide-scale statistics available to anyone. The real users of this technique (avoiding these networks) will be individual attackers, or people interested in poisoning the observations from these networks, not the worm authors. No one relies on these networks as their total attack detection mechanism, so the threat level involved here is relatively low.
August 9, 2005 in detection, editorial, honeypots, media, papers
Comments
Worms can avoid such public detection networks, and as you have pointed out, are already employing some techniques to do so. This goes to show that one cannot rely on outside help when a worm outbreak in your own network needs to be contained, and that one had better have means for detection and containment in place in the affected network itself. See also here:
http://esphion.blogs.com/esphion/2005/08/worm_detection_.html
Juergen
Posted by: Juergen Brendel | Aug 9, 2005 3:16:08 PM