
A Theoretical Superworm

The ISTS at Dartmouth has been doing some great computer security research over the years. This is a report of theirs from 2002.

This report will explain the current model of vulnerability detection, assessment, and response. The current cycle is as follows:

  • Identification of vulnerability
    • Inform security community and/or appropriate vendor and/or press
    • Scan for possible existing exploits of vulnerability
  • Development of response, i.e. patches
    • Inform the community of security measures to be taken
    • Hope everyone takes responsibility for applying patches
  • Observe effects of vulnerability/exploit on unprepared systems
  • Learn from observations, develop new strategies and tactics, and identify new vulnerabilities

The creation of a SuperWorm, malicious code written to incorporate the most successful features of known worms and other malware, could threaten the economy or national security.

The SuperWorm has three tasks:

  • The worm’s programmer identifies multiple exploitation vulnerabilities that affect a large number of operating systems
  • Propagation
  • Delivery of payload and damage

The SuperWorm programmer could learn from and utilize the speed of Code Red and CodeRed2, the multiple means of proliferation utilized by Nimda, the ability to incorporate other virus code to be transported with the worm seen with variations of the Klez worm, the ability to access and send files from a hard drive as seen with SirCam, and the destructive payload of Magistr.

    The Incident at XYZ University provides an example of a network that was established with information sharing and open education in mind. The security features of the network do not provide adequate protection against an advanced threat. Additionally, the limited resources of the systems administrators do not facilitate either the rapid response to vulnerabilities or the collection and analysis of the evidence of an attack. These factors limit the ability of the administrators of this network, and networks similar to this University, to defend their system against a sophisticated, rapid cyberattack.

    The early warning system described in the Early Detection of Active Internet Worms by Metering ICMP Destination Unreachable Messages section provides an example of a security technology capable of detecting worm activity. Early detection will allow security experts to learn about the technical specifications of the worm, and the vulnerabilities exploited by the worm, and give them time to develop a response to the threat. Additionally, the warning system provides data for further analysis of worm and attacker behavior that will enhance the ability to defend against future attacks.
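To make the metering idea concrete, here is a small detector added for this post; it is not the Dartmouth/ISTS system and it assumes a log format of its own. The premise is that a worm choosing targets at random hits many unused or unroutable addresses, so an infected host receives a burst of ICMP type 3 (destination unreachable) replies for many distinct targets in a short time. The sensor records, field names, window length and threshold below are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of ICMP destination-unreachable (type 3) records as a
# sensor might log them.  The field layout is an assumption for this example:
# "dst" is the host that sent the original probe, "orig_dst" the address it
# tried to reach, "src" the router that answered.  One deliberately broken
# line is included to show that the meter tolerates noise.
SAMPLE_LOG = """\
2006-10-04T12:00:00 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.5 orig_dst=198.51.100.9
2006-10-04T12:00:01 icmp type=3 code=0 src=192.0.2.1 dst=10.0.0.77 orig_dst=203.0.113.10
2006-10-04T12:00:02 icmp type=3 code=0 src=192.0.2.1 dst=10.0.0.77 orig_dst=203.0.113.11
2006-10-04T12:00:03 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.77 orig_dst=203.0.113.12
this line is garbage and must be skipped
2006-10-04T12:00:04 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.77 orig_dst=203.0.113.13
2006-10-04T12:00:05 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.77 orig_dst=203.0.113.14
2006-10-04T12:00:06 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.77 orig_dst=203.0.113.14
2006-10-04T12:00:07 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.77 orig_dst=203.0.113.15
2006-10-04T12:00:40 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.5 orig_dst=198.51.100.20
2006-10-04T12:05:00 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.9 orig_dst=198.51.100.30
2006-10-04T12:05:01 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.9 orig_dst=198.51.100.31
2006-10-04T12:05:02 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.9 orig_dst=198.51.100.32
2006-10-04T12:07:00 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.9 orig_dst=198.51.100.33
2006-10-04T12:07:01 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.9 orig_dst=198.51.100.34
2006-10-04T12:07:02 icmp type=3 code=1 src=192.0.2.1 dst=10.0.0.9 orig_dst=198.51.100.35
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) icmp type=3 code=(?P<code>\d+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) orig_dst=(?P<orig_dst>\S+)$"
)


def parse_line(line):
    """Parse one sensor record into a dict, or return None for lines that do
    not match the assumed format so that noise never stops the meter."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["code"] = int(rec["code"])
    return rec


def detect_scanners(lines, window_seconds=60, threshold=5):
    """Meter destination-unreachable messages per probing host.

    For each probing host ("dst") keep a sliding window of
    (timestamp, unreachable target) pairs and raise an alert the first time
    the number of DISTINCT unreachable targets inside the window reaches the
    threshold.  Counting distinct targets rather than raw messages keeps a
    host that retries one dead address from looking like a scanner.
    Returns {host: (alert_timestamp, distinct_targets_at_alert)}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> deque of (ts, orig_dst)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["dst"]
        q = recent[host]
        q.append((rec["ts"], rec["orig_dst"]))
        # Expire entries older than the window, measured from the newest record.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold and host not in alerts:
            alerts[host] = (rec["ts"], distinct)
    return alerts


if __name__ == "__main__":
    for host, (ts, n) in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ts.isoformat()} {host}: {n} distinct unreachable targets within window")
```

In the constructed sample, 10.0.0.77 reaches five distinct unreachable targets within five seconds and is flagged at 12:00:05, while 10.0.0.9 produces six unreachable replies spread over two minutes and stays below the 60-second window's threshold; widening the window to ten minutes flags it too, which is the trade-off between early warning and false positives that a real deployment has to tune against its own baseline.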

    The Modified Reverse Proxy Server (JEANNE) is an example of a security technology that mitigates the threat of worm proliferation on a web server. The technology is a proactive means to address possible threats before they manifest themselves in the wild.

  • Source: A Theoretical Superworm.

    October 4, 2006 in new worms, papers | Permalink

    Comments

    Great site, this www.wormblog.com, and I am really pleased to see you have what I am actually looking for here, and this post is exactly what I am interested in. I shall be pleased to become a regular visitor :)

    Posted by: aNenceNer | Apr 5, 2009 12:05:55 PM

    Recommend it to anyone.
    Search-and-destroy Antispyware is the best scan that I have used to keep my PC clean and working like new. It’s a great scanner that finds all the same bugs that other scans such as Norton can find. What’s even better is that it costs less than many of the other options. I found the antispyware solution from Search-and-destroy at http://www.Search-and-destroy.com and decided to give it a try. That was one of the best decisions I ever made. I’m very happy with this scanner and would recommend it to anyone who wants to protect and care for their PC so it will last as long as possible.

    Posted by: Chezy | May 1, 2009 1:18:36 PM

    The comments to this entry are closed.