
The Future of Bot Worms

Another white paper from Trend Micro, but this one is much shorter.

The current trend in worms seems to go the bot route. Bots—programs that operate as an agent for a user or another program—are most often seen as malware and keep attacking unsuspecting users in surprisingly high numbers. This document details the possible new additions and modifications that bot authors might incorporate into their hideous creations in the very near future.

Source: The Future of Bot Worms, Trend Micro, August 18, 2005.

Top three findings in the whitepaper:

  • a continued shortening of the time between a vulnerability being described, an exploit being released, and a worm being launched
  • RSS feed hijacking
  • polymorphic shellcode attack vectors

Take them as you will; the paper itself is short and offers little in the way of justification for these findings and predictions.

Comments, analysis and thoughts

The first is something all corporate marketing organizations have been saying for some time now, although the data I compiled for our wormability paper last year does bear it out. We're seeing the window shrink in some cases, although we also continue to see a lot of old vulnerabilities and exploits, and a lot of old cruft (i.e. password-guessing attacks), still working in many worms.

RSS feed hijacking I don't foresee, but perhaps I'm being too simplistic. While it is an automatic threat delivery vector, an attacker would have to compromise some major websites to get a readership that is worthwhile (for example, my blog's readers are so few in number that I think I'm safe). However, recent bugs like the XML-RPC worm, which affected several PHP-based blogging systems such as WordPress, could help speed this along by increasing the number of compromised feed sources, and thus the audience, as opposed to a single point of distribution. But if you do accomplish that, what do you get? A huge disparity in the RSS readers people use (I'm trying to find the stats in my archives; see Surprising RSS Reader Usage Stats: What Do They Mean for Marketers? (The Marketing Diary, July 2005) and Aggregator usage is a power law too (Dive Into Mark, 2003)). Until MS Longhorn or IE7 ships a popular RSS reader (which is coming, according to Microsoft RSS cat out of the bag and What Microsoft Longhorn RSS means to me: sane, peaceful mornings, both from Charlene Li's blog, where she posts about online marketing trends), we won't see a huge footprint for any single point of entry.

Finally, polymorphic shellcode techniques (see Polymorphic Shellcode Engine from Phrack 61, What is polymorphic shell code and what can it do? from the SANS Reading Room, and KTwo's README file for his ADMutate tool (A9 search engine archive; the original appears to be offline)) have been on everyone's radar for years (including mine), but we have yet to really see them. Polymorphic viruses have been around for years (see this Symantec writeup for a nice overview), but we haven't really seen the same sort of thing in the worm world. It is becoming more likely on the payload side, since run-time encrypting packers are becoming widely adopted, but making the attack vector itself, the exploit and its shellcode, polymorphic has yet to catch on. I'm not entirely sure why, but I don't think the time is right for worm authors to include that just yet. So it will probably be a year or two (as the techniques in Metasploit and Canvas become more widely understood and adopted) before we see it used. However, I'm sure some enterprising young RBot variant user is looking at hooking it in.
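To make the payload-versus-vector distinction concrete, here is an added example (my own illustration, not code from the post, from ADMutate, or from the Trend Micro paper) of the simplest member of the family ADMutate belongs to: a single-byte XOR shellcode encoder that picks a per-instance key avoiding "bad bytes". The payload bytes, the decoder-stub bytes and the bad-byte list are all constructed placeholders; nothing here is real shellcode and nothing is executed. It shows why a fixed byte signature on the payload stops matching once every instance is encoded differently, and the caveat a detection engineer cares about: with a stub that is the same in every instance, the stub itself becomes the signature, which is exactly why the real engines also mutate the decoder and the NOP sled.

```c
/* Added example, not code from the post, ADMutate or the Trend Micro paper:
 * a single-byte XOR shellcode encoder with bad-byte avoidance.  The payload,
 * stub and bad-byte list are constructed placeholders; nothing is executed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a raw payload; a byte-signature IDS rule would
 * match on this fixed pattern.  It contains a NUL on purpose (see kBadBytes). */
static const uint8_t kPayload[] = { 0xaa, 0x55, 0x11, 0x22, 0x33, 0x44,
                                    0x00, 0x7f, 0x80, 0xfe, 0x01, 0x02 };
#define PAYLOAD_LEN (sizeof kPayload)

/* Constructed stand-in for the decoder stub that precedes the encoded payload.
 * It is identical in every instance here, which is the caveat shown below. */
static const uint8_t kDecoderStub[] = { 0xde, 0xc0, 0xde, 0x5b, 0x31, 0xc9 };
#define STUB_LEN (sizeof kDecoderStub)

/* Assumed bad bytes: NUL, LF and CR, the usual string-copy and line-based
 * protocol terminators.  A real encoder takes this list from the target bug. */
static const uint8_t kBadBytes[] = { 0x00, 0x0a, 0x0d };

static int is_bad_byte(uint8_t b) {
    for (size_t i = 0; i < sizeof kBadBytes; i++)
        if (kBadBytes[i] == b) return 1;
    return 0;
}

/* Pick a key, searching upward from `seed`, such that neither the key nor any
 * encoded byte is a bad byte.  Returns 1 on success, 0 if no key works. */
int pick_key(const uint8_t *in, size_t n, uint8_t seed, uint8_t *key_out) {
    for (int step = 0; step < 256; step++) {
        uint8_t key = (uint8_t)(seed + step);
        size_t i;
        if (key == 0 || is_bad_byte(key)) continue;
        for (i = 0; i < n; i++)
            if (is_bad_byte(in[i] ^ key)) break;
        if (i == n) { *key_out = key; return 1; }
    }
    return 0;
}

/* XOR is its own inverse, so one routine both encodes and decodes. */
void xor_bytes(const uint8_t *in, size_t n, uint8_t key, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key;
}

/* Emit one instance laid out as stub || key || encoded payload.
 * Returns the total length, or 0 if the buffer is too small or no key fits. */
size_t build_instance(uint8_t seed, uint8_t *out, size_t cap) {
    uint8_t key;
    size_t total = STUB_LEN + 1 + PAYLOAD_LEN;
    if (cap < total || !pick_key(kPayload, PAYLOAD_LEN, seed, &key)) return 0;
    memcpy(out, kDecoderStub, STUB_LEN);
    out[STUB_LEN] = key;
    xor_bytes(kPayload, PAYLOAD_LEN, key, out + STUB_LEN + 1);
    return total;
}

/* What the stub would do at run time: read the key byte and undo the XOR. */
size_t decode_instance(const uint8_t *inst, size_t len, uint8_t *out) {
    if (len < STUB_LEN + 1) return 0;
    xor_bytes(inst + STUB_LEN + 1, len - STUB_LEN - 1, inst[STUB_LEN], out);
    return len - STUB_LEN - 1;
}

/* Naive byte-string match, which is all a fixed-pattern IDS rule does. */
int contains_pattern(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m) {
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Does a pattern hit the instance built from `seed`? */
int signature_hits(uint8_t seed, const uint8_t *needle, size_t m) {
    uint8_t inst[64];
    size_t len = build_instance(seed, inst, sizeof inst);
    return len != 0 && contains_pattern(inst, len, needle, m);
}

/* Does decoding the instance built from `seed` give back the payload? */
int roundtrip_ok(uint8_t seed) {
    uint8_t inst[64], plain[64];
    size_t len = build_instance(seed, inst, sizeof inst);
    return len != 0 && decode_instance(inst, len, plain) == PAYLOAD_LEN
        && memcmp(plain, kPayload, PAYLOAD_LEN) == 0;
}

/* Do two instances differ anywhere after the fixed stub? */
int encoded_regions_differ(uint8_t s1, uint8_t s2) {
    uint8_t a[64], b[64];
    size_t la = build_instance(s1, a, sizeof a), lb = build_instance(s2, b, sizeof b);
    return la != 0 && la == lb && memcmp(a + STUB_LEN, b + STUB_LEN, la - STUB_LEN) != 0;
}
```

Building two instances from different seeds (0x10 and 0x90) gives two byte strings that share nothing after the stub, neither of which contains the original payload pattern, while both still decode to it; a rule on kDecoderStub hits both. That is the whole argument in miniature: encoding the payload defeats payload signatures cheaply, so the detection burden shifts to the decoder and the delivery vector, and until those are varied as well the worm is no harder to catch than before.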

In short, I disagree with much of what the prediction holds, but I'm definitely open to being corrected and shown to be wrong. I certainly don't possess a crystal ball; I just analyze data.

November 28, 2005 in editorial, new trends