
Zotob Damages Assessed

Some numbers are in regarding how widespread the Zotob worm has been. Zotob, which spread in August, 2005, seems to have been a relatively minor threat when compared to many other worms like Blaster and Sasser.

Six percent of survey respondents said Zotob's impact on their company was moderate to major, which was defined as more than $10,000 in losses and at least one major business system affected, such as e-mail or Internet connectivity.

Alarming as it was, Zotob did far less damage than did other major worms designed to exploit Windows vulnerabilities, Cybertrust said. For example, the Nimda worm made a moderate to major impact on 60 percent of companies. MSBlast (aka Blaster) struck about 30 percent of organizations to that degree, the firm said.

Source: Zotob damage deep but not widespread, published on ZDNet News: October 26, 2005, 12:33 PM PT.

I find this figure a bit surprising given the damage reported by the Chrysler corporation and how it affected manufacturing operations in addition to other large corporations. It's possible, however, that overall we're getting that much better at containing these things and the average damage really is very small.

Note: posts may be a bit slow for a while; Typepad service has been sluggish and it's a bit tough to post at times. Thanks for your continued patronage.

October 31, 2005 in media, Zotob | Permalink | Comments (0)

Second Life MMOPG Worm

Via Adam MacLeod and Nicholas Weaver, a report on a new worm, this one in the massive multi-player online game (MMOPG) "Second Life". Their discussion is adapted from a private mailing list.

Second Life is a large Massive-Multiplayer Online Game, fashioned more as a development environment than a competition.  Imagine a virtual space the size of, say, Rhode Island.  The computers that support this space divide up the work by simulating plots of land; each computer runs a number of virtual machines, and each virtual machine simulates a chunk of land approximately the size of a large Wal-Mart (including parking lot).  The system is set up to be as transparent as possible to users; that is to say, there should be no perceptual clue that a "seam" exists in virtual space.  Users of the system are allowed to access the VM via a specialized scripting language.  This allows users to imbue an otherwise static object in the virtual world with logic; such as a door that opens upon approach, or a record player that spins and plays a tune when touched.

Sunday night they were brought down by a piece of malcode which may be an Internet first.  I believe it meets the criteria of a worm; it self-replicated, was deliberately seeded on many machines, and spread to every vulnerable machine in their network (where "vulnerable" is defined as those hosts which contained a VM whose land plot was connected in a "land bridge" to a seeded VM).  However, it was not a worm in the traditional sense; it spread only inside the virtual world.  It took the form of a sphere which was programmed to replicate itself as fast as possible.  Within a few minutes, all virtual space was filled with hundreds of millions of spheres, and this took down the system.  Dan Ellis has asked me to explain a little about why it took so long to occur.  This was likely because of some safety precautions taken by the architects of the system: certain calls to the VM include a delay on the order of seconds, and there exists a rule that prevents an object from instantiating another object more than ten virtual meters away from itself.  This means that, given the most efficient spread possible, the malcode would have to iterate several times before crossing onto virtual space run by another computer.

Nicholas Weaver:

Definitely meets the criteria: Objects are "code", and this is autonomous, self-replicating code.  Although I'm guessing its spread (complete with 2-D/3-D geographic limits) probably would end up being modeled pretty well by bacterial colony growth. Its domain was just more restricted: the VMs composing the Second Life sandbox. The malcode could probably increase its speed substantially if objects can have velocity: On replication, split into two pieces, one with a random V+, and one with V-. Also even a bit of a "negative" charge on the balls, so they tend to naturally repel each other. Thus it would spread farther geographically.  It would also up the grief-factor as the objects would be moving pretty quickly. Since the goal of crud like this ("GriefBomb") is to cause mayhem, mobility would really help.
 


This is not the first time malcode has spread inside virtual space; a few months ago another MMORPG called World of Warcraft developed a "plague" due to a programming bug.  I believe that this, however, is the first time an outsider (by using a free account) has been able to take down an enterprise via a Virtual Worm. 
       
Here's an article on the WoW plague: http://www.theregister.co.uk/2005/09/21/wow_virtual_plague/
The gist of it is simple; World of Warcraft is much more competition-oriented than Second Life.  Users fight "monsters" which are game constructs.  New sections of the virtual world are added on a regular basis by the WoW staff.  One such section included a monster that cast a spell upon the user during a fight.  A bug in the code representing the spell (called "corrupted blood") caused the afflicted user to cast the spell on everyone that user came into contact with.  The effect killed off large numbers of users.

Nicholas Weaver:

Moreso: You had some users ("griefers") who deliberately contracted the plague and spread it into towns. NPCs, with a fast heal rate, would become infected as well. But because of their heal rate, they wouldn't die, so they would act as carriers.  Entire towns became inhabitable.
 

I don't expect there to be articles yet on the Second Life worm.  However, I was able to find a screen capture someone took in the early stages of the infection.


October 29, 2005 in new trends, new worms | Permalink | Comments (26)

Rootkit-Armed Worm Attacking AIM

One of the more interesting developments this past week (and one that's helped keep me busy and away from posting here) is a new variant of the SDBot family which spreads over the AOL Instant Messenger (AIM) network. While there are a few variants of the URL and malcode installed, it's always the same order of operations:

The virus spreads via messages on AOL's AIM software, either saying HILARIOUS!!! or see thing!!!, with a URL. Clicking on the link takes the user to a web page that attempts to download a Trojan onto the computer using patchable flaws in the browser.

Source: AOL hit by IM virus, by Iain Thomson, posted to vnunet.com 28 Oct 2005.

This is the first variant of SDBot that I've seen that uses the AIM network to propagate, but otherwise this is a rapidly emerging trend for malware: bootstrap onto the system, download a number of tools including a rootkit and spyware, use an IRC network for your botnet, and continue propagating.

Other information on this threat:

It looks like most of the download sites have been taken down, but we'll certainly see more of this in the coming months.

Analysis and commentary: This shows that attackers have yet to fully automate IM-based worms. They spam their victims, gathered from the user's buddy list, with URLs that they have to click to download the malicious software. Once we start seeing AIM or MSN Messenger exploits packaged into these, we'll see a fully automated IM worm. But so far that hasn't happened on a large scale, and I don't know why. I think it's only a matter of time before some enterprising malware author decides to break down that barrier.
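The propagation pattern described above (one account pushing the same URL to everyone on its buddy list within seconds) is exactly the kind of fan-out an IM gateway can spot without knowing the payload. The following is an added example, not code from the original post or from any product it mentions; the log format, the placeholder URL hosts and the thresholds are assumptions, and the sample log is constructed. It flags a (sender, URL) pair once the same link has gone to a minimum number of distinct buddies inside a sliding time window, and separately notes whether one of the lure phrases quoted in the vnunet report was present.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an IM gateway log (not real traffic). The record
# format is an assumption for this example: ISO timestamp, sender, recipient,
# then the message text. The URL hosts are placeholders.
SAMPLE_LOG = """\
2005-10-28T09:00:01 alice bob hey, lunch at noon?
2005-10-28T09:00:05 mallory bob HILARIOUS!!! http://lure.example.invalid/pic.php
2005-10-28T09:00:06 mallory carol HILARIOUS!!! http://lure.example.invalid/pic.php
2005-10-28T09:00:07 mallory dave see thing!!! http://lure.example.invalid/pic.php
2005-10-28T09:00:08 mallory erin HILARIOUS!!! http://lure.example.invalid/pic.php
2005-10-28T09:00:09 mallory frank HILARIOUS!!! http://lure.example.invalid/pic.php
2005-10-28T09:00:30 bob alice sure, agenda is at http://intranet.example.invalid/agenda
2005-10-28T09:05:00 bob carol same agenda http://intranet.example.invalid/agenda
"""

# Lure strings quoted in the vnunet report; a real deployment would keep
# this list in a signature feed rather than in code.
LURES = ("HILARIOUS!!!", "see thing!!!")

URL_RE = re.compile(r"https?://\S+")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Yield (timestamp, sender, recipient, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, sender, recipient, msg = m.groups()
            yield datetime.fromisoformat(ts), sender, recipient, msg


def find_url_fanout(text, min_recipients=4, window_s=60):
    """Flag (sender, url) pairs where one account pushes the same URL to at
    least min_recipients distinct buddies within window_s seconds.

    Returns {(sender, url): {"recipients": [...], "lure": bool}}.
    """
    recent = defaultdict(deque)       # (sender, url) -> deque of (ts, recipient)
    lure_seen = defaultdict(bool)
    flagged = {}
    for ts, sender, recipient, msg in parse_log(text):
        for url in URL_RE.findall(msg):
            key = (sender, url)
            q = recent[key]
            q.append((ts, recipient))
            while (ts - q[0][0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if any(lure in msg for lure in LURES):
                lure_seen[key] = True
            recipients = {r for _, r in q}
            if len(recipients) >= min_recipients:
                flagged[key] = {"recipients": sorted(recipients),
                                "lure": lure_seen[key]}
    return flagged


def suspicious_senders(text, **kw):
    """Accounts worth holding at the IM gateway, as a sorted list of senders."""
    return sorted({sender for sender, _ in find_url_fanout(text, **kw)})


if __name__ == "__main__":
    for (sender, url), info in find_url_fanout(SAMPLE_LOG).items():
        print(f"{sender} -> {len(info['recipients'])} buddies: {url} lure={info['lure']}")
```

The window matters: bob sends the same intranet link to two people, but 270 seconds apart, so even a low recipient threshold does not flag him unless the window is widened. The lure check is kept separate from the fan-out rule because the text of the bait changes between variants while the fan-out behaviour does not.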

Update: Added this post to the IM worm category; look there for more historical data on IM worms.

October 29, 2005 in editorial, IM worms, new worms | Permalink | Comments (4)

Worms: Taxonomy and Detection

A set of slides from Mark Shaneck presented in early 2004 provides a nice overview of the worm space. Lots of topics are covered, including things like routing worms, flash worms, and detection tools like the Kalman filter. A very handy slide deck to review. See them in this PowerPoint deck entitled Worms: Taxonomy and Detection.

October 28, 2005 in detection, slides | Permalink | Comments (0)

Two Items: MySpace Worm Redux and Wikipedia's Timeline

From a friend in KL, a couple of things. First, the MySpace worm redux, written up by Daniel Hanson. A nice little summary of what happened.
I believe we saw one possible direction of worm evolution recently with Myspace. It got some press, but I don't know if we have fully appreciated the significance of what happened. As background, Myspace is a portal site that allows people to have a profile, link to friends, essentially an online method of networking. Someone found a way to manipulate his profile in order to have other people "link" to him as a friend. This manipulation was viral, and by the end, the system was shut down until Myspace had fixed the vulnerability that allowed this to happen. Meanwhile, the author, Samy, now had many, many friends.
Source: Evolution of Web-based worms, Daniel Hanson on SecurityFocus.

Next up, a list of noteworthy computer viruses and worms on Wikipedia. The timeline itself is a nice idea, but is missing several key worms from over the years. Being Wikipedia, some of you may be able to help fill in the gaps with descriptions and additional milestones. Not every worm needs to be listed, but some major events are worthwhile. IM worms, cellphone malware, etc.

October 25, 2005 in media, new trends | Permalink | Comments (1)

Can a Network be Protected from Single-Packet Warhol Worms?

Given the recent back-and-forth debate over the wormability of a recent Snort bug (single UDP packet, à la Witty), this paper couldn't be more timely.
Can a network be protected from single-packet Warhol worms? This paper generates and simulates random network environments to answer that question. The research assumes a perfect detection algorithm and varies the time required to perform the identification. Perfect detection alone is not sufficient; it must also be swift in recognizing threats, as some cases presented here show that perfect detection offers no noticeable protection. The impact of other network factors on worm propagation and prevention is investigated as well, including: router participation in the prevention scheme, the percentage of routers involved in the traffic passing, and the ability for participating routers to communicate. The results are promising: realistic simulations without communication can protect over 50% of the network. The addition of communication increases that protection to over 80%. The key result is that emerging identification technologies such as LeBrea can be leveraged into viable automated network protection systems against single-packet worms.
Source: Can a Network be Protected from Single-Packet Warhol Worms?, Larry G. Irwin II & Richard J. Enbody.

October 24, 2005 in defense, modeling, papers, SQLSlammer, witty | Permalink | Comments (1)

Semi-Supervised Learning on Email Characteristics for Novel Worm Detection

Posts have been a little erratic lately, exhaustion is setting in. Thanks for your continued patronage.

You know me, I love novel detection methods, and mass-mailers are always interesting in some fashion. The good news is that there's never a shortage of them.

A major drawback of unsupervised learning for worm detection is the possibility of false negatives. Previous work copes with this problem by increasing the sensitivity of the unsupervised classification algorithms. This, in turn, creates many more false positives. Our focus is narrowed to worms propagating through email.

We present the following contributions. First, we examine a wide range of features calculated on email traffic to determine indicators that discriminate infected from normal email behavior. Using these features, we next present a new method that uses semi-supervised learning for adaptive virus detection that leverages system administrator feedback to improve classification. Our approach combines the strengths of sensitive novelty detection with a parametric classifier to drastically reduce the false positives.

Source: Semi-Supervised Learning on Email Characteristics for Novel Worm Detection, Steve Martin and Anil Sewani.
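To make the two-stage idea in the abstract concrete, here is an added example that is not the paper's code and uses none of its actual features or classifier; the per-sender features (message count, distinct-recipient ratio, attachment ratio), the z-score novelty rule, the nearest-centroid classifier and all sample windows are assumptions constructed for illustration. The sensitive first stage surfaces anything unusual; an administrator labels what it surfaces; once both a worm and a benign example exist, the second stage suppresses novel-but-benign senders such as a bulk mailer, which is the false-positive reduction the abstract describes.

```python
import math
import statistics


def make_window(n_msgs, n_recipients, n_attachments):
    """Constructed one-hour window of outbound mail for one sender:
    a list of (recipient, has_attachment) pairs."""
    return [(f"r{i % n_recipients}", i < n_attachments) for i in range(n_msgs)]


def window_features(window):
    """Per-sender features: message count, distinct-recipient ratio,
    attachment ratio.  A mass-mailer pushes the first two up and, for
    attachment-borne worms, the third towards 1.0."""
    n = len(window)
    distinct = len({rcpt for rcpt, _ in window}) / n
    attached = sum(1 for _, att in window if att) / n
    return (float(n), distinct, attached)


class EmailWormDetector:
    """Sensitive novelty detector in front of a nearest-centroid classifier
    that is trained only on the windows an administrator has labelled."""

    def __init__(self, novelty_threshold=3.0):
        self.threshold = novelty_threshold
        self.mean = self.std = None
        self.labelled = {"worm": [], "benign": []}

    def fit_baseline(self, windows):
        """Unsupervised step: per-feature mean/std over known-normal windows."""
        cols = list(zip(*(window_features(w) for w in windows)))
        self.mean = [statistics.mean(c) for c in cols]
        self.std = [statistics.pstdev(c) or 1.0 for c in cols]   # guard zero variance

    def _z(self, window):
        return [(f - m) / s for f, m, s in zip(window_features(window), self.mean, self.std)]

    def novelty(self, window):
        """Largest per-feature z-score; anything above threshold is 'novel'."""
        return max(abs(z) for z in self._z(window))

    def feedback(self, window, label):
        """Administrator verdict ('worm' or 'benign') on a window we surfaced."""
        self.labelled[label].append(self._z(window))

    def _distance(self, z, label):
        centroid = [statistics.mean(col) for col in zip(*self.labelled[label])]
        return math.dist(z, centroid)

    def classify(self, window):
        """'ignore' (normal, or learned benign), 'review' (novel but no labels
        yet) or 'alert' (novel and closer to the administrator's worm examples)."""
        if self.novelty(window) < self.threshold:
            return "ignore"
        if not (self.labelled["worm"] and self.labelled["benign"]):
            return "review"
        z = self._z(window)
        return "alert" if self._distance(z, "worm") < self._distance(z, "benign") else "ignore"


# Constructed baseline: four ordinary users' windows (count, recipients, attachments).
BASELINE = [make_window(6, 3, 1), make_window(8, 4, 2),
            make_window(5, 2, 0), make_window(7, 5, 1)]


def demo():
    det = EmailWormDetector()
    det.fit_baseline(BASELINE)
    worm = make_window(40, 40, 40)         # infected host: 40 attachments to 40 addresses
    newsletter = make_window(40, 40, 0)    # bulk but legitimate: no attachments
    first = (det.classify(make_window(7, 3, 1)), det.classify(worm), det.classify(newsletter))
    det.feedback(worm, "worm")             # administrator confirms the infection
    det.feedback(newsletter, "benign")     # administrator dismisses the newsletter
    second = (det.classify(make_window(35, 35, 35)), det.classify(make_window(38, 38, 0)))
    return first, second


if __name__ == "__main__":
    print(demo())   # (('ignore', 'review', 'review'), ('alert', 'ignore'))
```

Before any feedback both bulk senders are escalated, which is the sensitive-novelty behaviour the abstract warns creates false positives; after one labelled example of each class the second newsletter-like window is dropped while the second worm-like window still alerts.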

October 22, 2005 in detection, mass mailers, papers | Permalink | Comments (0)

Thoughts: MSDTC, October MS Pack, and Snort

A brief departure from your normal Wormblog reading: a straight-up editorial by me, and some comments on recent news items.

First up, the MS vulns from October 2005. Lots of folks have been wondering when the worm shoe will drop. After all, we saw a fast turnaround from vulnerability (Tuesday) to exploit (3 days later for a fully universal exploit by HoDB) and then worm (about 5 days, as I recall). This month is no different, given 9 security bulletins covering even more vulnerabilities (counting CVE identifiers). Most people seemed concerned about the MSDTC vulnerability going into the weekend, but I think that Marc from eEye says it best: this isn't as wormable as some people think, for a few reasons. It's been over a week since we saw the vulnerability, so some talk of a worm has died down, but the concern remains for some.

However, I think that concern about a worm coming out of those vulnerabilities is misplaced, as is the concern the ISC placed on the potential for a Snort worm given the Snort 2.4.2 spp_bo.c vulnerability disclosed this week. The Snort bug is interesting, and exploits have been written for it by various people. However, the differences in build architectures mean that the details of the exploit vary from system to system. Now, a DoS against Snort installations is possible. However, I'm not familiar enough with the Sourcefire appliances to say whether you could spread a Witty-like Snort worm on them. Lots of talk of worms these days and the vulnerabilities they're likely to use. Lots of talk of wormability, and this is a good thing.

Given all of this "the next worm is probably not as looming as some people say" talk, what gives?  Is this the end of an era? Hardly, I've said it before and I'll say it again, worms are here to stay. If you have an interest in distributing malicious software, a worm is one of the best, most efficient ways to get it out there as widely as possible and, as we've seen, for as long a time as possible. Spyware is quickly outpacing software like worms in terms of economic damage, but it's often distributed using automated techniques (like a worm), and so we'll be around for a while to come.

Given the current pace of exploit and worm development, I give it about 6 months before we can say that attackers have probably moved on from those vulnerabilities as their primary worm interest. Then again, I'm not carrying a crystal ball, and this is all just speculation.

October 19, 2005 in editorial | Permalink | Comments (1)

Active Technologies to Contain Internet Worm

An interesting paper, in some ways stating a conclusion that we have accepted as convention, but the approach is still hindered by false positives. Cutting off traffic automatically is always a scary proposition in a live, production network.
Most research focuses on modeling and detection of Internet worm propagation, but in practice the final objectives are containment and elimination of the Internet worm, which have not received enough research effort. In this paper, three categories of active technologies to contain Internet worms are introduced: vaccination for containing susceptible machines, forcing shutdown for containing infected machines, and bidirectional leading for containing worm spreading traffic. These technologies can be adopted to construct one or more automated Internet worm defense systems in any phase of Internet worm defense: prevention, detection, containment and elimination. Our experiment in a large-scale network shows that, when combined with these active technologies, automated Internet worm defense systems are more effective at containing the Internet worm and at shortening the defense time.
Source: Active Technologies to Contain Internet Worm, Hui Zheng, Haixin Duan.
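The Warhol-worm paper above (detection delay, router participation, communication between participating routers) and this one (vaccination of susceptible hosts, forced shutdown of infected hosts) vary knobs that a small epidemic simulation can expose side by side. The following is an added example, not code from either paper or any reproduction of their experiments; the toy topology (hosts behind edge routers, a scan that hits any address with one packet), the tick model, the parameter values and the seed are all assumptions. A participating router identifies the worm a fixed number of ticks after it first carries a worm packet and then drops worm packets; with communicate=True the first router to finish identification informs every participating router, which is the "communication" distinction the Warhol paper makes; vaccinate and shutdown apply the two host-level containment actions from this abstract behind routers that are already filtering.

```python
import random


def simulate(n_hosts=2000, n_routers=40, scan_rate=2, ticks=40,
             detect_delay=None, participation=0.0, communicate=False,
             vaccinate=False, shutdown=False, seed=7):
    """Random-scan single-packet worm on a toy network.

    Every host sits behind one edge router; a packet crosses the source and
    destination edge routers.  A participating router identifies the worm
    detect_delay ticks after it first carries a worm packet (None = no
    defence at all) and then drops worm packets.  With communicate=True the
    first router to finish identification tells every participating router,
    which then drops immediately.  vaccinate immunises susceptible hosts
    behind a filtering router; shutdown quarantines infected ones.
    Returns the number infected and the fraction of hosts never infected.
    """
    rng = random.Random(seed)
    router_of = [h % n_routers for h in range(n_hosts)]
    participating = {r for r in range(n_routers) if rng.random() < participation}
    infected = {0}                  # one seeded host
    immune, quarantined = set(), set()
    first_seen = {}                 # router -> tick it first carried a worm packet

    def identified(r, t):
        return r in first_seen and t - first_seen[r] >= detect_delay

    for t in range(ticks):
        if detect_delay is None:
            filtering = set()
        elif communicate and any(identified(r, t) for r in participating):
            filtering = set(participating)
        else:
            filtering = {r for r in participating if identified(r, t)}
        if vaccinate or shutdown:
            for h in range(n_hosts):
                if router_of[h] in filtering:
                    if vaccinate and h not in infected:
                        immune.add(h)
                    if shutdown and h in infected:
                        quarantined.add(h)
        newly = set()
        for src in infected - quarantined:
            for _ in range(scan_rate):
                dst = rng.randrange(n_hosts)
                path = (router_of[src], router_of[dst])
                for r in path:
                    first_seen.setdefault(r, t)
                if any(r in filtering for r in path):
                    continue                     # dropped by a filtering router
                if dst not in infected and dst not in immune:
                    newly.add(dst)
        infected |= newly
    return {"infected": len(infected),
            "protected": 1.0 - len(infected) / n_hosts}


def compare(participation=0.5, detect_delay=3):
    """Fraction of hosts never infected under the settings the two papers vary."""
    base = dict(detect_delay=detect_delay, participation=participation)
    return {
        "no defence": simulate()["protected"],
        "filter, local id": simulate(**base)["protected"],
        "filter, shared id": simulate(communicate=True, **base)["protected"],
        "filter + vaccinate + shutdown": simulate(communicate=True, vaccinate=True,
                                                  shutdown=True, **base)["protected"],
    }


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name:32s} {frac:6.1%} of hosts never infected")
```

The two extremes are easy to reason about and are what the test pins down: with no defence a random-scanning worm saturates 2000 hosts long before 40 ticks are up, and with every router participating and zero identification delay only the seed's first burst of packets lands before everything is dropped. The interesting region, partial participation with a real delay, is where the papers' numbers live, and a few runs with different seeds show how much the outcome swings on when the first participating router sees the worm.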

October 18, 2005 in defense, papers | Permalink | Comments (0)

A Cooperative Immunization System for an Untrusting Internet

This is another paper on cooperative detection techniques. This sort of thing has been mentioned before: basically you have an information-sharing network that automates much of what humans would do to decide whether the emergence of a worm qualifies as a global threat. One possible problem, if the system isn't done right, is that you miss the early phase of a worm. A number of other potential problems are inherent in this sort of system without the right level of information sharing, although the idea is useful nonetheless.
Viruses and worms are one of the most common causes of security problems in computer systems today. Users attempt to protect machines from such attacks by using antivirus programs and firewalls, with a mixed record of success at best. One of the main problems with these solutions is that they rely on manual configurations and human intervention, and may fail to react in time to defend against an attack.

We present a cooperative immunization system that helps defend against these types of attacks. The nodes in our system cooperate and inform each other of ongoing attacks and the actions necessary to defend. To evaluate our proposal, we discuss a simple virus model and evaluate our system using simulation. Our measurements show that our algorithm is more effective against viruses and more robust against malicious participants in the immunization system.

Source: A Cooperative Immunization System for an Untrusting Internet, Kostas G. Anagnostakis, Michael B. Greenwald, Sotiris Ioannidis, Angelos D. Keromytis, Dekai Li.
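The "untrusting" part of the title is the piece worth seeing in code: a node that acts on every peer alert can be turned into a denial-of-service tool by one malicious participant. The following is an added example, not the paper's algorithm or code; the quorum rule, the per-peer trust score and the penalty for alerts that local verification later rejects are assumptions chosen to illustrate the robustness property the abstract claims. A node blocks a reported signature only when enough peers it still trusts have reported it, and peers behind a false alarm lose enough trust that their next alert no longer counts.

```python
from collections import defaultdict


class CooperativeImmunizer:
    """One node's view of a cooperative immunization network.

    Peers broadcast alerts ("signature X is a worm, block it").  This node
    acts on an alert only when enough distinct peers it still trusts have
    reported it; peers whose alerts are later found false lose trust, so a
    few malicious or compromised participants cannot drive the network into
    blocking legitimate traffic.  All thresholds are assumptions.
    """

    def __init__(self, quorum=3, min_trust=0.5, penalty=0.6, reward=0.1):
        self.quorum = quorum
        self.min_trust = min_trust
        self.penalty = penalty
        self.reward = reward
        self.trust = defaultdict(lambda: 1.0)     # peer -> trust score in [0, 1]
        self.reporters = defaultdict(set)          # alert -> peers who reported it
        self.blocked = set()                       # alerts this node has acted on

    def credible_reports(self, alert):
        """Distinct reporters of the alert whose trust is still above the bar."""
        return sum(1 for p in self.reporters[alert] if self.trust[p] >= self.min_trust)

    def receive(self, alert, peer):
        """Record a report; return True if this report tipped the alert over quorum."""
        self.reporters[alert].add(peer)
        if alert not in self.blocked and self.credible_reports(alert) >= self.quorum:
            self.blocked.add(alert)
            return True
        return False

    def verdict(self, alert, is_real):
        """Local verification result: adjust every reporter's trust and undo
        a block that turned out to be a false alarm."""
        for p in self.reporters[alert]:
            if is_real:
                self.trust[p] = min(1.0, self.trust[p] + self.reward)
            else:
                self.trust[p] = max(0.0, self.trust[p] - self.penalty)
        if not is_real:
            self.blocked.discard(alert)


def demo():
    """Constructed scenario: three honest peers, three colluding ones."""
    node = CooperativeImmunizer(quorum=3, min_trust=0.5, penalty=0.6)
    out = {}
    # Honest peers report a real worm signature: the third report tips quorum.
    out["real_tipped_at"] = [node.receive("sig-worm-A", p) for p in ("h1", "h2", "h3")]
    # Two colluding peers push a bogus alert against legitimate traffic: no quorum.
    out["bogus_two_peers"] = [node.receive("sig-bogus-1", p) for p in ("m1", "m2")]
    # A third colluder joins and the bogus alert is acted on...
    out["bogus_third_peer"] = node.receive("sig-bogus-1", "m3")
    # ...until local verification rejects it: block undone, reporters docked.
    node.verdict("sig-bogus-1", is_real=False)
    out["bogus_still_blocked"] = "sig-bogus-1" in node.blocked
    # The same trio's next alert no longer reaches quorum.
    out["repeat_offenders"] = [node.receive("sig-bogus-2", p) for p in ("m1", "m2", "m3")]
    out["worm_still_blocked"] = "sig-worm-A" in node.blocked
    out["m1_trust"] = round(node.trust["m1"], 2)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

The weakness the blog post points at remains visible here: a quorum of three means the first two honest reports of a real worm are ignored, so the price of resisting malicious participants is a later reaction to the genuine early signal.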

October 17, 2005 in defense, papers | Permalink | Comments (0)