Re: [iwar] How bigger, badder Code Red worms are being built

  • e.r.
    Message 1 of 2 , Sep 6, 2001
      Does it really matter? The "horse is out of the barn" as with Napster.
      Far more serious matters of finance and international security are now
      in the balance with Iwar. It might be useful to start looking at these
      issues as they can affect either the periodicity of war, or the
      ultimate outcome of warfare and the geostrategic balance of world
      power. Those are the "bottom line" matters we all must address. Even
      engineers must consider these factors in their calculations. How to do
      so is a difficult consideration. Netcentric is a global issue.



      --- Fred Cohen <fc@...> wrote:
      > How bigger, badder Code Red worms are being built
      >
      > Robert Vamosi,
      > Associate Editor,
      > ZDNet Reviews
      >
      > http://www.zdnet.com/anchordesk/stories/story/0,10738,2810238,00.html
      >
      > As I write this, there are two new fast-spreading Internet worms for
      > Windows users: Apost
      > <http://www.zdnet.com/products/stories/reviews/0,4161,2810219,00.html>
      > does the now-familiar "e-mail itself to everyone" thing we've come to
      > expect from Windows worms and viruses, except this worm sends multiple
      > copies of itself. And then there's an updated version of Magistr
      > <http://www.zdnet.com/products/stories/reviews/0,4161,2810225,00.html>,
      > redesigned to infect even more users with its destructive payload.
      > Faster propagation has been the trend with Win32 viruses and worms,
      > but what if rapid propagation methods were employed for network-savvy
      > worms such as Code Red? Well, someone has already given thought to
      > that.
      >
      > Andy Warhol is famous for saying "In the future, everybody will have
      > 15 minutes of fame." Nicholas Weaver at UC Berkeley has written a paper
      > <http://www.cs.Berkeley.edu/~nweaver/warhol.html> proposing that virus
      > writers constructing some future Code Red-like worm add a list of
      > 10,000 to 50,000 "well connected" Internet servers, then launch the
      > virus. The advantage, he argues, is that even if only 10 to 20 percent
      > of the servers are vulnerable to the worm's exploit, that would still
      > be an enormous jump on Code Red and previous worms. Weaver adds that
      > the initial 10 percent infection could be achieved in the first minute
      > or so; he then proposes that his "uberworm" could infect most of the
      > Internet within 15 minutes (hence the Warhol worm).
      >
      > NOT TO BE OUTDONE, the team of Stuart Staniford, Gary Grim, and Roelof
      > Jonkman at Silicon Defense proposed
      > <http://www.silicondefense.com/flash>
      > an even greater propagation rate: they claim they can infect the
      > Internet in 30 seconds. They argue that a worm writer could scan the
      > Internet in advance and identify almost all of the vulnerable systems
      > on the Internet before launching the worm. With a very fast Internet
      > connection (they mention an OC12 link), they argue even a 48MB address
      > list of vulnerable Internet addresses could be sent out in about 4
      > minutes.
      >
      > Jose Nazario, a biochemist by trade who has previously offered
      > valuable insights on digital worms
      > <http://www.zdnet.com/anchordesk/stories/story/0,10738,2797739,00.html>,
      > points out that neither of these papers takes into account the basic
      > elements of propagation on the Internet. Nazario points to an IBM
      > paper called "How Topology Affects Population Dynamics
      > <http://researchweb.watson.ibm.com/antivirus/SciPapers/Kephart/ALIFE3/alife3.html>,"
      > which looks at lessons learned from biological infections and how,
      > with an understanding of this model, programmers might better design
      > future digital organisms (they don't specifically say "worms").
      >
      > Basically, the authors of both the Warhol and Flash worms assumed a
      > very simple Internet model where every node to be infected is a
      > neighbor of every other node. The reality is much more complicated.
      > That's what Nazario says torpedoes the technical merits of both of
      > these studies.
      >
      > SO WHY even mention this research? Nicholas Weaver himself posts that
      > he is leaving his paper up online so that people can understand, with
      > documentation, what danger there is in a homogenous Internet. Someone
      > will attempt to do what these authors have proposed, and someone might
      > someday make a worm that "flashes" the entire Internet with a
      > malicious payload. Rather than be caught unaware, isn't it better to
      > realize this is out there and take steps to minimize its impact?
      >
      > Weaver proposes that companies use context-sensitive firewalls where
      > only "that which is not explicitly allowed is forbidden." He further
      > suggests internal firewalls throughout the company and regular
      > security audits. He adds, "regular backups are also essential." He
      > further suggests that: "Homogenous populations, whether in potatoes or
      > computers, are always more vulnerable to diseases." That's something
      > to remember when implementing one or multiple types of servers on your
      > network. Just as biodiversity has kept life going on Earth, mixing up
      > one's operating systems can only strengthen the Internet
      >


