Continuous improvement
Aug. 24th, 2003 10:41 am
The worm world is not seeing continuous improvement. OK, that is probably overstated: there are always lame releases of software, even if the trend is upwards.
With worms, let's say there are "loud" and "quiet" ones. Nimda was more or less the pinnacle of "loud" worms, using several infection vectors, tearing through systems, taking advantage of past worms, and cleverly moving itself about through multiple means. It was "loud" because it scanned like mad, causing network disruption, and once in a system, it failed to obfuscate its presence. The SQL Slammer worm was perhaps the pinnacle of speed-over-subtlety in a single-vector worm: more of a proof of concept and a severe availability disruption than a true security threat.
Quiet 'worms' receive scant press attention, and indeed, scant attention from the antivirus companies. They are not really worms, in that any self-spreading, scanning code will ultimately produce significant "noise" once distribution becomes high -- it may just take more time to hit the exponential function's elbow. The real quiet automated attack-and-backdoor programs infect some number n of systems, subvert them, associate each with a control network, then sit idle, awaiting further instruction. Thus, like the recent, fairly sophisticated Gaobot.AA, these will infect systems and bring each under a control umbrella. Unlike Gaobot.AA, they don't continue to scan and attack ad infinitum.
Quiet worms are not, however, to be confused with straightforward 'break in and backdoor' kits, even when those kits are fairly complex break-and-backdoor tools. Built from semi-automated hacking kits with remote-control and hierarchical components, a quiet worm will spread in ill-detectable shudders and jumps, as directed by the person or algorithm initiating the sequence of break-ins. A stripped-down example would be the Randex.E "worm", which breaks in via the MS03-026 RPC/DCOM vulnerability, then joins an IRC channel and awaits commands, including instructions to break into further hosts.
Ultimately, successful worms become loud because of the (near) exponential growth they experience. They grab attention not only from infiltrating thousands of systems, but from causing significant network disruption. A truly sophisticated worm would start with less disruptive scan rates, and tune its scan and attack frequency over time in an effort to remain "below the radar." Today, such strategies appear to remain in the hands of a human initiator. Eventually, and I would say soon enough, we can expect the algorithms preventing exponential growth to reach a level at which their behavior will conform to that of furtive, clever individuals.
That said, there are ever fresher worms taking advantage of vulnerabilities made public over the last six months, and to top off a bad week, M$ released two new advisories. One is for a rollup addressing a suite of Internet Explorer bugs (one of which is so bad that merely visiting a naughty web page can leave your computer backdoored to heck and back). With the reigning "tweak Microsoft's nose" mood, these don't bode well.
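The "exponential function's elbow" and the loud-versus-quiet trade-off above can be made concrete with the standard random-scanning epidemic model that incident responders use to estimate how long a worm stays below a monitoring threshold. The following is an added example, not code from the original post: it assumes a logistic (SI) model in which each infected host scans `s` addresses per second over an address space of size `N` containing `V` vulnerable hosts, and all parameter values are constructed for illustration rather than measured from any real worm.

```python
import math

# Random-scanning worm as a logistic ("SI") epidemic (assumed model, not from
# the post): each infected host scans s addresses/second, and a scan reaches an
# uninfected vulnerable host with probability (V - i)/N, so
#     di/dt = s * i * (V - i) / N.
# While i is small this is exponential growth with rate K = s*V/N; the "elbow"
# is the logistic inflection point, where half the vulnerable population is
# infected and the aggregate scan traffic is growing fastest.


def growth_rate(s, V, N):
    """K, the per-second exponential growth rate while the worm is still small."""
    return s * V / N


def infected_at(t, s, V, N, i0=1):
    """Closed-form logistic solution i(t) for the SI worm model."""
    K = growth_rate(s, V, N)
    return V / (1.0 + (V / i0 - 1.0) * math.exp(-K * t))


def time_to_fraction(f, s, V, N, i0=1):
    """Seconds until fraction f (0 < f < 1) of the vulnerable hosts are infected."""
    if not 0 < f < 1:
        raise ValueError("f must be strictly between 0 and 1")
    if f <= i0 / V:          # already at or past that fraction at t = 0
        return 0.0
    K = growth_rate(s, V, N)
    return math.log((V / i0 - 1.0) / (1.0 / f - 1.0)) / K


def time_to_elbow(s, V, N, i0=1):
    """Seconds until the inflection point (half of V infected)."""
    return time_to_fraction(0.5, s, V, N, i0)


def time_to_aggregate_rate(threshold, s, V, N, i0=1):
    """Seconds until total scan traffic s*i(t) reaches `threshold` scans/second,
    i.e. when a network-wide scan-rate monitor set at that level would fire.
    Returns None if it never can: traffic saturates at s*V once everything is infected."""
    if threshold >= s * V:
        return None
    return time_to_fraction(threshold / (s * V), s, V, N, i0)


def simulate(s, V, N, i0=1, dt=0.5, horizon=600.0):
    """Forward-Euler integration of di/dt = s*i*(V-i)/N.
    Returns rows of (seconds, infected hosts, aggregate scans/second)."""
    rows, i, t = [], float(i0), 0.0
    while t <= horizon:
        rows.append((t, i, s * i))
        i += s * i * (V - i) / N * dt
        t += dt
    return rows


def first_crossing(rows, threshold):
    """First simulated time at which aggregate scan traffic reaches `threshold`."""
    for t, _, rate in rows:
        if rate >= threshold:
            return t
    return None


if __name__ == "__main__":
    # Constructed parameters: IPv4-sized space, 75,000 vulnerable hosts,
    # one initial infection, a 1e6 scans/second network-monitoring threshold.
    N, V, THRESHOLD = 2 ** 32, 75_000, 1e6
    for label, s in (("loud", 4000), ("quiet", 40)):
        print(f"{label:5s} s={s:5d} scans/s/host: "
              f"K={growth_rate(s, V, N):.5f}/s, "
              f"elbow at {time_to_elbow(s, V, N):.0f} s, "
              f"monitor fires at {time_to_aggregate_rate(THRESHOLD, s, V, N):.0f} s")
    rows = simulate(4000, V, N)
    print("simulated elbow for loud worm:", first_crossing(rows, 0.5 * 4000 * V), "s")
```

Because every timescale in the model is proportional to 1/K = N/(sV), cutting the per-host scan rate by a factor of 100 stretches the time to the elbow by exactly the same factor, while the final amount of traffic is unchanged: a rate-limited worm buys time, not invisibility, which is the post's point that quiet worms are only quiet until distribution becomes high.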
(no subject)
Date: 2003-08-24 06:02 pm (UTC)
A truly malicious individual would use a low-volume worm for collection of data, followed by various exploitatures aimed at 0wnage. 0wnage covers box exploitation of removal of files, storage of files, or simply a jumpoff point for further exploitation of others (track coverage.) There are most likely other scenarios I have not experienced/thought of, as well.
The unclued individuals are not recognizing that they are not really hurting Microsoft in the way they would like; sure, some people are questioning why they use Microsoft products but that happens ANYWAY. Just like use of any software product. Microsoft itself relies on this to keep people upgrading, as do all other software companies. And hardware companies. The main 'annoyance' of the noisy worm is at the back end, the technicians and others who probably ALREADY would like to do something about the prevailing problem. Reports of infections from CIOs and network leads (the people who should "know better") are common. This emphasises that no one is switching to an alternate OS as a result of a worm.
Equivalent: Linsux loosers spamming a BSD irc channel with "BSD SUCKS" or similar trolls on mailing lists. (I do recognize that this happens with all zealots, but I've encountered approximately 8000% more annoying Linsux users than any other OS. And that includes Windows, tho they are creeping up there much faster than BSD or other platforms.)
And it's that proliferation of people of that ilk who are going to continue to put out worms of this sort. (Excepting those putting out a 'cover worm' so as to distract from the silent-but-deadly worm.)
Ah, tactics... Aren't you glad you're fighting a war where your leaders are selling the enemy weapons to kill you? Odd how that matches, isn't it?