Thread: Researchers predict worm that eats the Internet in 15 minutes

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050

    Researchers predict worm that eats the Internet in 15 minutes

    Hey, this is a scary thought. Although this isn't true, think about it: if it did happen, and it could or couldn't happen? What are your views on this?

    http://www.nwfusion.com/news/2002/1021worm.html



    Computer science researchers are predicting new types of dangerous worms that would be able to infect Web servers, browsers and other software so quickly that the working Internet itself could be taken over in a matter of minutes.

    Though still in the realm of theory, the killer worms described in a research paper entitled, "How to Own the Internet in Your Spare Time", are triggering some skepticism but the idea of them is seldom dismissed as outlandish science fiction.

    The three authors of the research, published two months ago, present a future where worm-based attacks use "hit lists" to target vulnerable Internet hosts and equipment, such as routers, rather than scanning aimlessly as the last mammoth worm outbreaks, Nimda and Code Red, did last year. And this new breed of worms will carry dangerous payloads to allow automated denial-of-service and file destruction through remote control.

    "Code Red and Nimda could have spread faster, and they didn't have powerful payloads," asserts Stuart Staniford, president of Silicon Defense, and co-author of the research paper. The other authors are Vern Paxson, a staff scientist at both the Berkeley-based ICSI Center for Internet Research and Lawrence Berkeley National Lab's network research group, and Nicholas Weaver, a graduate student at the University of California at Berkeley.

    The paper argues that this next generation of computer worms -- which would certainly have military application during war -- would carry knowledge about a specific server's vulnerability and propagate at a breathtakingly high rate of infection, "so that no human-mediated counter-response is possible."

    Remedying software vulnerabilities remains a huge problem, with many corporations admitting it takes about a day or two -- at best -- to apply software patches once a software vendor has acknowledged a vulnerability in product coding and supplied a fix for it. And home computer users online are often wholly unaware of these types of problems.

    Staniford says they tested the paper's thesis in a lab simulation of a computer worm designed to subvert 10 million Internet hosts over both low-speed and high-speed lines. Supplied with its own "hit list" of IP addresses and vulnerabilities gained through prior scanning, the theoretical worm could infect more than nine million servers in a quarter hour or so.

    They called this the "Warhol worm" after artist Andy Warhol's well-known quote that in the future, everyone will be famous for 15 minutes. A similar, theoretical worm they coined the Flash worm, blasted out from a 622M bit/sec link, would take even less time to "own" the Internet.

    The authors conclude that just as the U.S. government has established the "Centers for Disease Control" in Atlanta as the central voice in matters related to new health risks for the nation, it would benefit the country to set up an operations center on virus- and worm-based threats to cybersecurity.

    Richard Clarke, the advisor to President Bush on cybersecurity matters, said that while he hadn't read the Flash-worm research paper, he wouldn't discount the idea of a very-fast-moving worm of this type.

    As it happens, the draft "National Strategy to Secure Cyberspace" report issued last month, for which Clarke is asking for public comment, contained the recommendation that the government fund a network operations center as a central point for threat analysis.

    Another U.S. government official, Bob Dacey, director of information security issues at the U.S. General Accounting Office, said of the theoretical worms: "The risk is there, though I can't speak to the 15 minutes. When you look at Nimda and Code Red, you see greatly developed delivery mechanisms."

    To date, the Internet hasn't seen a worm with a really dangerous payload to destroy systems combined with rapid delivery but it certainly might be out there in the future, said Dacey, who's in charge of overseeing vulnerability-testing of federal agencies' networks.

    Dacey said agencies need to do a better job of applying software patches, and to that end the federal government is seeking to award a contract for an outside patch-management service to help agencies install patches quickly.

    The terms "Flash" and "Warhol" worms are not yet part of the common vocabulary of the antivirus software business and its technologies. At first glance, the idea of a worm devouring the Internet in 15 minutes sounds far-fetched to many.

    "It's hard to imagine such a thing could happen," responds Bob Justus, vice president of security at Union Bank of California, but then he adds: "But I guess it's possible."

    Antivirus software vendors and the security industry as a whole seem to be taking the research paper seriously though it's unclear what defenses there may be for a worm that attacks the whole Internet in seconds.

    "It's definitely plausible," says TruSecure's virus expert, Roger Thompson. "It's highly likely we'll see them."

    Traditional antivirus software relies on signature updates to stop a worm or virus once it's identified, but with fast-moving Flash and Warhol worms, this wouldn't work, Thompson pointed out.

    "We haven't seen a 'Flash' worm yet, but now that there's a paper on it, we probably will," says Mikko Hyponnen, manager of anti-virus research at F-Secure.

    This research indeed has "credibility," said a spokesman for Moscow-based Kaspersky Labs, but he added, "Actually, we predicted this technology two years ago but never published it because it may give virus writers another clue how to improve their malware. The Berkeley guys did this and they are half-guilty for such a worm [appearing] that may easily cause the Internet to be down in just an hour, so users will not be able to download anti-virus updates."

    Staniford admits he's taken some heat for describing how the worms would work, but tried not to be too obvious. He said there may not be much way to defend against a Flash worm today, but Silicon Defense has something in the works, which he declined to discuss, that may be ready by next February.

    Not all security firms think the killer worms are an identifiable problem yet. Security firm Network Associates' research division, Avert Labs, said the concept of a Flash worm is "possible," but added with a note of skepticism, "there is a big step between theory and practice."

    Other security firms are also a bit dubious about Flash. Trend Micro's product manager Bob Hansen said, "The threat from this type of thing is definitely growing," but that "it takes a ton of research to design one of these things."

    Nevertheless, Hansen said it's "certainly credible to think that a worm designed as a targeted hacker tool could be created to bring down 20 or 30 of the major business Web sites within a matter of minutes."

    While signature-based updates wouldn't be ready fast enough, behavior-based technologies, such as Trend Micro's Applet Trap, which he noted isn't a big seller, might be successful in blocking such an attack.

    Okena, which makes behavior-based intrusion-detection software, weighed in on the Flash worm. Director of product management Ted Doty said if a Flash worm does appear in the future, Okena's StormWatch software for servers and desktop might be able to block it as it did Nimda or Code Red by blocking unauthorized behavior. However, few companies are using any type of behavior-blocking software today.

    "You can detect attacks you haven't known about before," says Rob Clyde, chief technology officer at Symantec about the idea of a Flash worm. "But it's not going to be easy."
    Here's a link to the paper discussed; it's called "How to Own the Internet in Your Spare Time":
    http://www.icir.org/vern/papers/cdc-...c02/index.html
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    130
    Now that is scary, and how long would it be before some skiddie site brought out a 'worm tool kit' that would allow you to create your own customised worm to let you own the net .... aghhh. Seriously though, until some companies take security more seriously there is always going to be a massive problem. I mean, take the Code Red worm for instance: I know someone who had a patched server, but at one point they ended up off of the net because of it; the sheer amount of traffic from infected computers had taken up all of their bandwidth.

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    121
    I just read that 2 minutes before I came here, and of course I am not surprised it's already on the boards. The idea of a controllable worm that attacks with a specific pattern, I am sure, has been thought of, so why hasn't it already been done? The size could be an issue, I suppose; you can drop the "main" worm onto high-speed connections, while it could use maybe a weak Linux server that has most of the tools it needs on it already, and it would only have to send part of the "original" worm to that server, etc... I think it could always be an issue, but how practical is it --right now--? lol. I know in a year or 2, with a larger market of broadband and local users having DSL or cable... it could easily occupy a home user who doesn't update on software vulnerabilities and has a low 'security sense' (no firewall etc.). Well, anyone, do you think it's practical to worry about it in the next 4 months?

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    As much as it is scary, the idea is too far off and I doubt it would ever happen. For one, it would be one hell of a worm, and its design and purpose is too "big" in my opinion. Taking over the ENTIRE internet within minutes? I'm not sure if someone or a virus could do that in any amount of time. It's a scary thought, but too "science fiction-like" if you ask me.

    [Sorry, I'm looking for another word other than science fiction-like. I can't find the word I'm looking for.]
    Space For Rent.. =]

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    I agree that in theory anything is possible. I think the flaw, however, is in the fact the research pointed out a couple of M$ server type viri. And let's face it, Windows is as easy to break into as, well, a real-life window: just hit it and it shatters. Imagine if there were 1000,000 people roaming your neighborhood who smash your front window, go in, and help themselves to whatever; not their fault. Yes, there was proof of concept in many viri, and Code Red was a good one. One problem is, however, not taken into account. In view of current computing and network attempts, one has yet to produce a cross-platform attack that, well, is not about a default install from any OS producer. For this to actually work they would have to know every fault in every OS, as well as assume their flaw, if exploited, was not seen and disabled by the installer or net admin. At best, at least now, such things will be targeted to newbies just on the web. Oh, then throw in firewalls. Seems the latest attempt to "Own the Net in an hour" did not work. Why? 'Cause pings are old and the people that did it had no clue on how the internet works, and sorry, that 15 minutes is more like 15 seconds in net time. Ping flood, LOL. In short, there is more money in research and press releases than there is in making things work..... Nothing short of an AI program could adapt to the millions of servers, configs, etc. of all systems.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  6. #6
    Senior Member
    Join Date
    Jun 2002
    Posts
    144
    Here's my 2 cents, whether anyone really wants to read it or not.....LOL....
    Anyways, why would you necessarily have to know the weaknesses of all OS's? Couldn't it be enough to know the weaknesses of all the routers? Just think about it.....How many companies use Cisco routers? What percentage? If you knew every weakness of the Cisco brand, granted, it would be a fairly large worm, but ...just hypothetically speaking... if you attacked all Cisco routers, wouldn't that take down a big chunk of the internet? Consider this.....Most, if not all, of these routers have flashable firmware. If there was possibly (I'm not a Cisco expert) a weakness in the router's firmware, and you could somehow flash your own "special" firmware to it, wouldn't that cause more damage? Again, this is all hypothetical and just a brainstorming session. I think that this worm may not be as far off as we hope. As one redneck once said, "There is more than one way to skin a cat."
    M$ support is like shooting yourself in the left foot and then putting a band-aid on the right one.

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Just like real pathogens, the thing which prevents these worms the best is diversity. The reason why "The Internet Worm" and "Code Red" were so successful is that they targeted the single OS that formed the majority of systems on the internet (SunOS and Windows NT respectively).

    As long as there is a reasonable level of competition between different OSs, no worm can wholly kill off more than one (or possibly two (Nimda)) of them. Therefore, the others are unaffected.

    The reason that Linux worms have failed to be as spectacular as either NT or SunOS ones is not because there are fewer Linux boxes, but because they're all running different versions of the OS and/or application server software. In order to target all the vulnerable ones, a worm would need to be able to apply dozens of different vulnerabilities.

    Now look at M$ Windows - they not only have very few versions, but *ALSO* they encourage the vast majority of their users to use application servers bundled with the OS, giving the worms a sea of uniformity of exploit. Thus with a single 0-day sploit, a worm can take out perhaps nearly 100% of the M$ boxes, but only a small fraction of the Linux ones.
