Grey Goo hits Second Life
This isn't the first time a worm (self-replicating code) has hit a large online game, and it won't be the last. Via various news outlets (like this BBC story, Slashdot, and the official Second Life blog):
[PST 2:44PM] An attack of self-replicators is causing heavy load on the database, which is in turn slowing down in-world activity. We have isolated the grey goo and are currently cleaning up the grid. We’ll keep you updated as status changes.
This apparently took them offline for a few hours. (I don't use Second Life or any of these online communities, so all of my information is second hand.)
Grey Goo within Second life, from richardparent.net.
I have to admit, I like the idea of being able to watch the worm infect a world, sort of like a visible germ cloud or something. Way more interesting than looking at traffic stats when things go awry.
November 20, 2006 in media, new trends, new worms
Zotob Damages Assessed
Some numbers are in regarding how widespread the Zotob worm has been. Zotob, which spread in August 2005, seems to have been a relatively minor threat when compared to many other worms like Blaster and Sasser.
Six percent of survey respondents said Zotob's impact on their company was moderate to major, which was defined as more than $10,000 in losses and at least one major business system affected, such as e-mail or Internet connectivity.
Alarming as it was, Zotob did far less damage than did other major worms designed to exploit Windows vulnerabilities, Cybertrust said. For example, the Nimda worm made a moderate to major impact on 60 percent of companies. MSBlast (aka Blaster) struck about 30 percent of organizations to that degree, the firm said.
Source: Zotob damage deep but not widespread, published on ZDNet News: October 26, 2005, 12:33 PM PT.
I find this figure a bit surprising given the damage reported by the Chrysler Corporation, where manufacturing operations were affected, and by other large corporations. It's possible, however, that overall we're getting that much better at containing these things and the average damage really is very small.
Note, posts may be a bit slow for a while, Typepad service has been sluggish and it's a bit tough to post at times. Thanks for your continued patronage.
October 31, 2005 in media, Zotob
Two Items: MySpace Worm Redux and Wikipedia's Timeline
From a friend in KL, a couple of things. First, the MySpace worm redux, written up by Daniel Hanson. A nice little summary of what happened.
I believe we saw one possible direction of worm evolution recently with Myspace. It got some press, but I don't know if we have fully appreciated the significance of what happened. As background, Myspace is a portal site that allows people to have a profile, link to friends, essentially an online method of networking. Someone found a way to manipulate his profile in order to have other people "link" to him as a friend. This manipulation was viral, and by the end, the system was shut down until Myspace had fixed the vulnerability that allowed this to happen. Meanwhile, the author, Samy, now had many, many friends.
Source: Evolution of Web-based worms, Daniel Hanson on SecurityFocus.
Next up, a list of noteworthy computer viruses and worms on Wikipedia. The timeline itself is a nice idea, but is missing several key worms from over the years. Being Wikipedia, some of you may be able to help fill in the gaps with descriptions and additional milestones. Not every worm needs to be listed, but some major events are worthwhile. IM worms, cellphone malware, etc.
October 25, 2005 in media, new trends
Web 2.0 Worms Make Their Appearance: MySpace
While we're all hunkered down over what may be the next MS worm, the real news this week on the worm front is the appearance of a cross-site scripting worm that hit MySpace:
One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.
If you're curious, you can read the author's writeup and examine the JavaScript worm source. Cross-site scripting vulnerabilities, which aren't going away, are described in this CERT advisory from 2000. And finally, Paul Bissex has a nice writeup about the worm on his site.
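The Samy worm worked because profile text was rendered back into other users' pages as live HTML. As an added example (not code from the post, from MySpace, or from the worm itself), the following shows the two sides of that: the naive rendering that concatenates a stored field straight into the page, the encoded rendering that neutralizes it, and a triage pass a site operator could run over stored profile fields. The profile texts, the `addFriend` name and the `about` div are constructed for illustration.

```python
import html
import re

# Constructed sample profile fields (not real MySpace data). "mallory" carries
# the kind of active content a stored-XSS worm depends on being rendered raw.
PROFILES = {
    "alice": "Hi, I like cats & dogs <3",
    "mallory": 'About me<script>addFriend("mallory")</script>',  # hypothetical payload
}


def render_profile_naive(field):
    """The vulnerable pattern: user text dropped straight into the HTML."""
    return f'<div class="about">{field}</div>'


def render_profile_safe(field):
    """Contextual output encoding for an HTML text node: the browser
    displays the characters and never treats them as markup."""
    return f'<div class="about">{html.escape(field, quote=True)}</div>'


# Heuristic for fields that would execute if rendered raw: script tags,
# inline event handlers, javascript: URLs. Useful for finding already-stored
# bad content, not a substitute for encoding at render time.
ACTIVE_CONTENT = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def flag_active_content(profiles):
    """Return the profile names whose stored text looks like active content."""
    return sorted(name for name, text in profiles.items() if ACTIVE_CONTENT.search(text))


if __name__ == "__main__":
    for name, text in PROFILES.items():
        print(name, "naive:", render_profile_naive(text))
        print(name, "safe: ", render_profile_safe(text))
    print("flagged:", flag_active_content(PROFILES))
```

The point of the contrast is that the fix is at the output boundary: the same stored string is harmless once every `<`, `>`, `&` and quote is encoded for the HTML context it lands in, while the regex pass only tells you which records deserve a look.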
October 15, 2005 in media, new trends, new worms
UK hackers jailed for global computer worm plot (TK worm)
While getting caught up on the recent news I came across this. I have been swamped at work, especially as I dig out from the week I was away at HITB in Malaysia. (A special thanks to everyone there for everything, it's good to meet so many of you and see so many friends again.)
LONDON: Two British hackers were jailed on Friday for helping to spread a computer worm which affected thousands of machines around the world including some at the U.S. Department of Defense. Jordan Bradley, 22, and Andrew Harvey, 23, were part of an international hacking group called "TH34t Krew" which created the "TK worm", a so-called "Trojan" programme that surfaced on the Internet sometime before February 2003.
Source: UK hackers jailed for global computer worm plot, Reuters (in CIOL News).
Additional information:
- Owned by the THR34T Krew...Part II, from Air Scanner, a description of the TKBot traffic and how it was investigated.
- Hackers Jailed for Global Computer Virus in Red Nova.
- Bedroom IT Skills Were Designed to Create a Devastating Worm, also in Red Nova.
While nothing too major, it's good to see malware authors getting traced, caught, and sentenced.
October 12, 2005 in government, media
Morocco to try suspected computer worm author
It looks like the Zotob trial will be held overseas (at least for those of us not in Morocco), but more importantly it's happening swiftly. I wonder how much of a dent this will make in things given the popularity of Zotob variants and the proliferation of credit card theft tools in the past year.
An 18-year-old math student will go on trial in Morocco this month for unleashing computer worms that disrupted the networks of major U.S. firms, a Justice Ministry official said today.
The FBI last week announced Moroccan Farid Essebar's arrest in Rabat as well as the arrest in Turkey of 21-year-old Attila Ekici. Both are suspected of releasing the Zotob worm that hit the Internet three weeks ago.
The official said Essebar's trial would start Sept. 13 and he would remain in custody near Rabat until then. "The hearing will specify charges against him for the trial," the ministry official told Reuters.
Source: Morocco to try suspected computer worm author, by Souhail Karam, posted September 2, 2005 (REUTERS).
September 10, 2005 in government, media, Zotob
The Latest in Internet Attacks: Web Application Worms
Kamal contributes this article he found recently, which argues that web application worms are a threat we'll see more of in the future. We've posted about this on wormblog before (see Web Application Worms: Myth or Reality? and Anatomy of the web application worm, both posted within the past few months).
By taking a look at how Web application worms work, it is apparent that these Internet attacks have similar problems with widespread success as seen with traditional network worms, but to a lesser extent. For instance, the ability to identify targets for attacks becomes a much easier game. No longer do Internet worms have to guess at which targets to hit. Search engines create this list for them and even narrow it down to the most vulnerable targets. The most dangerous part of Web application worms’ Internet attacks is that most of the application-level issues they aim to exploit are development errors within the application code and are not simply corrected by installing a patch.
Source: The Latest in Internet Attacks: Web Application Worms, Caleb Sima, posted to Security Park on September 7, 2005.
My take on the article is not very favorable. It seems to me that Mr. Sima's marketing piece is nothing more than promoting solutions from his company. The statement from the above quote, that application worms are a threat because "the application-level issues they aim to exploit are development errors within the application code and are not simply corrected by installing a patch", is patently wrong. Plenty of web application flaws, such as file upload bugs, cross-site scripting and SQL injection, are fixed by issuing patches. The Santy worm, which the article focuses on as a great example of a web application worm, was unable to spread to hosts that had been patched. I suppose the take-home message Mr. Sima is shooting for is that his company's proprietary solution is the only remedy in the face of patches that don't work.
September 9, 2005 in editorial, media, new trends
16 more Zotob suspects
News reports this morning are noting that the FBI and Turkish authorities have announced that they have identified 16 more suspects in the Zotob case. No word yet on how the additional 16 suspects were identified; however, given the apparent financial motives behind the incident and the scale of the operation, it may have been classic detective work that led to this latest development.
The FBI said the Turkish authorities have identified 16 more individuals as suspects in the recent Zotob and the Mytob worm attacks. But Louis M. Reigel III, assistant director of the FBI’s cyber division, said no additional arrests had been made as of Monday.
Based on a code analysis of the worm and its variants, there are at least three gangs of hackers involved with the worm, believes Finnish anti-virus software maker F-secure, according to Mikko Hypponen, director of the company’s anti-virus research. If Turkish officials make the arrests, the action would represent the biggest roundup in the history of the information security business, said Mr. Hypponen.
Source: 16 Sought in Zotob Gang Dragnet, Red Herring online, August 30, 2005. Also see Cyber-cops arrest 16 more Zotob suspects, by Robert Jaques, posted to vnunet.com 31 Aug 2005.
August 31, 2005 in government, media, Zotob
A financial twist to the Zotob case
Some more information on the story around the arrest of two suspects in the Zotob, and Mytob, cases. A story in the Washington Post on Friday reports that there is a financial information theft aspect to the Zotob worm, as well as the Mytob worm. This perspective is also being reported in Maghreb Arabe Presse in Morocco.
Louis M. Reigel III, director of the FBI's Cyber Division, said evidence indicates Ekici paid Essebar to develop the worms, which the two used for financial gain. Reigel declined to say whether the men were connected to a larger criminal enterprise. But according to information released by the Moroccan government, the two men are alleged to have forwarded financial information stolen from victims' computers to a credit card fraud ring.
Source: Suspected Zotob Worm Authors Arrested, by Brian Krebs, posted on Washingtonpost.com on Friday, August 26, 2005.
And finally, eWeek has an interesting summary of the Zotob timeline from the Microsoft perspective.
So how did they break this case so quickly? According to the F-Secure antivirus weblog, the handles used by the men, "diabl0" and "coder", are apparent in the worm. This has shades of the Blaster.C variant and the "teekids" handle.
Both nicknames can be found in the code of Zotob.A: the worm connected to an IRC server named "diabl0.turkcoders.net" and contained the words "Greetz to good friend Coder".
Source: Breaking news: two arrests in the Zotob case, Friday, August 25, 2005.
August 27, 2005 in government, media, Zotob
Jose Nazario discusses worms
At the risk of looking like I'm just tooting my own horn, I'll make mention of a recent interview I had about the worm problem. In a recent SecurityFocus interview, I spoke at length about the worm problem. The interview focused mostly on counterworms, a subject which comes up here from time to time. Here's an excerpt:
It's tempting to think about fighting fire with fire when a worm hits -- launching a counterworm to stop the worm. The most natural thing to do is to deliver a counterworm with a payload that contains the patch for the security vulnerability exploited by the worm, which would prevent its spread.
However, remember the following things. Even if you knew instantly what vulnerabilities the worm was exploiting and how to prevent its use of that hole, how would you prepare a worm with the patch payload in time to launch it in a meaningful time period? How would you outpace the worm (in about 6 hours, Blaster had reached its peak propagation speed; SQLSlammer reached that speed in a matter of a few minutes; Witty hit that point in a matter of minutes, too)?
Source: Jose Nazario discusses worms, an interview by Federico Biancuzzi, posted on 2005-08-16 at SecurityFocus.
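The timing argument in the excerpt can be made concrete with the standard random-scanning worm model (the logistic/SI model: each infected host probes random addresses at a fixed rate, and a probe infects a host with probability equal to the fraction of the address space that is still vulnerable). The following is an added example, not code from the interview or from the blog; the population sizes and scan rates are constructed, Blaster-like and Slammer-like only in rough scale, and `ADDRESS_SPACE` is assumed to be the full IPv4 space. It reports how far along the epidemic is by the time a counterworm could realistically be ready.

```python
# Added example: a toy random-scanning worm model for the counterworm timing
# argument. Parameters below are constructed, not measured values.

ADDRESS_SPACE = 2 ** 32  # assumed: uniform random scanning over IPv4


def simulate(vulnerable, scan_rate, dt=1.0, horizon=6 * 3600, seed=1):
    """Return a list of (t_seconds, infected_hosts) for a random-scanning worm.

    Each infected host sends scan_rate probes per second; a probe finds a
    still-vulnerable host with probability (vulnerable - infected) / ADDRESS_SPACE.
    This is the classic logistic growth curve, integrated with Euler steps.
    """
    infected = float(seed)
    timeline = []
    t = 0.0
    while t <= horizon:
        timeline.append((t, infected))
        new_infections = scan_rate * infected * (vulnerable - infected) / ADDRESS_SPACE * dt
        infected = min(float(vulnerable), infected + new_infections)
        t += dt
    return timeline


def time_to_fraction(timeline, vulnerable, fraction):
    """First time at which at least `fraction` of the vulnerable hosts are infected
    (None if the run never gets there)."""
    for t, infected in timeline:
        if infected >= fraction * vulnerable:
            return t
    return None


def fraction_infected_at(timeline, vulnerable, delay):
    """Fraction of vulnerable hosts already infected `delay` seconds after release,
    i.e. what is left for a counterworm launched after that preparation delay."""
    infected = timeline[0][1]
    for t, i in timeline:
        if t > delay:
            break
        infected = i
    return infected / vulnerable


if __name__ == "__main__":
    # Constructed scenarios: a slow scanner against a large population, and a
    # fast scanner against a smaller one.
    for label, vulnerable, scan_rate in (("slow-scanner", 400_000, 11), ("fast-scanner", 75_000, 4000)):
        run = simulate(vulnerable, scan_rate)
        t50 = time_to_fraction(run, vulnerable, 0.5)
        t95 = time_to_fraction(run, vulnerable, 0.95)
        print(f"{label}: 50% infected at {t50:.0f}s, 95% at {t95:.0f}s")
        for delay in (600, 3600, 3 * 3600):
            print(f"  after a {delay}s preparation delay, {fraction_infected_at(run, vulnerable, delay):.1%} already infected")
```

The doubling time in this model is roughly ln(2) divided by (scan rate times vulnerable population divided by address space), which is why the fast-scanner case saturates in minutes while the slow one takes hours: a counterworm that needs even an hour of analysis and packaging arrives after the fast worm has already finished.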
August 23, 2005 in counterworms, editorial, media