IMAGINE THIS SCENARIO: A talented programmer has a cool idea. The programmer codes a prototype in a few days, the prototype is reviewed and improved by a collection of the best programming talent on the globe, and a robust final product is released less than a week after the birth of the idea. Further, the product undergoes a continuous revision, improvement and release cycle, always including the latest and greatest techniques from a tireless worldwide team of talented programmers. Dreamland? Hardly; this scenario is taken from real life. But before you dust off that killer app proposal, call the venture capitalists and order the Mercedes, professional ethics obligate me to tell you that I'm talking about the world of Internet worms.
The recent history of worm attacks provides a diversity that Darwin himself would have appreciated: L10n attacked Unix systems with a single exploit. Ramen attacked Unix systems with multiple exploits. Sadmind/IIS was multiplatform. Cheese was a "good" worm. Code Red exploited Internet Information Server vulnerabilities and was actively modified and re-released. Nimda expanded Code Red's exploits, infected clients as well as servers and modified the scanning algorithm. Leaves attacked already compromised systems and could be updated and controlled remotely. And a slew of worms used e-mail to propagate.
As if a quick and creative worm-writing community wasn’t threatening enough, two factors make me believe the storm has yet to hit. First, clever ideas are circulating in public forums and have not yet been successfully implemented in a widespread worm. Here are a few examples.
- Abuse of trust relationships, like instant messaging systems and peer-to-peer file sharing applications; why break a window when your victim invites you in?
- Scalable remote control of compromised systems; Internet relay chat (IRC) is the de facto control mechanism (bad guys can use the chat channels to issue system commands), but it has its limitations.
- Lightweight worms that download updated or specialized code from other servers; Leaves tried this in a limited sense, but the possibilities are much broader.
- Incorporation of “zero-day” exploits; if someone burns a zero-day (an attack as yet unknown by the public) on a worm, expect it to do more than spread and deface with a harmless pseudopolitical message.
- Stealth spreading and infection; current worms are as subtle as your e-commerce Web server crashing, but new worms will tiptoe in and hide in the shadows.
- Polymorphism (code that changes every time it propagates); existing worms are easy to recognize, but polymorphic worms are well-disguised.
Second, the less creative (and usually less skilled) writers continue to package existing tools and techniques to create new worms. The combination of a lower skill requirement and larger target population means more worms that affect more systems.
We cannot eradicate Internet worms any more than we can eradicate biological viruses, but we will survive with a similarly mixed strategy of preventive and reactive defenses. In biology, we inoculate against known pathogens, react quickly when a new threat is identified and treat the patient once infected. On the Internet, inoculation equates to applying patches promptly, implementing sound perimeter security defenses and keeping virus definitions up-to-date. Reacting quickly to new threats requires a robust information-sharing and analysis network. Such a framework is emerging, and I encourage you to tap into one or more of the available sources (www.itisac.com, www.nipc.gov, www.sans.org and www.cert.org, for example). Finally, treating the infection requires a prearranged response capability, access to actionable intelligence about the threat (see the information-sharing sites, above) and an accurate picture of your operational environment and defensive options.