doc_strange wrote 2003-08-24 10:41 am
Continuous improvement
The worm world is not seeing continuous improvement. OK, probably overstated. There are always lame releases of software even if the trend is upwards.
With worms, let's say there are "loud" and "quiet" ones. Nimda was more or less the pinnacle of "loud" worms, using several infection vectors, tearing through systems, taking advantage of past worms, and cleverly moving itself about through multiple means. It was "loud" because it scanned like mad, causing network disruption, and once in a system, it failed to obfuscate its presence. The SQL slammer worm was perhaps the pinnacle of speed-over-subtlety in a univector worm. More of a proof of concept and severe availability disruption than a true security threat.
Quiet 'worms' receive scant press attention, and indeed, scant attention from the antivirus companies. Indeed, they are not really worms, in that any self-spreading, scanning code will ultimately produce significant "noise" once distribution becomes high -- it may just take more time to hit the exponential function's elbow. The real quiet automated attack-and-backdoor programs infect some number n of systems, subvert them, associate each with a control network, then sit idle, awaiting further instruction. Thus, like the recent, fairly sophisticated Gaobot.AA, these will infect systems and bring each under a control umbrella. Unlike Gaobot.AA, they don't continue to scan and attack ad infinitum.
Quiet worms are not, however, to be confused with straightforward 'break in and backdoor' kits, even when those kits are fairly complex break-and-backdoor tools. Built from semi-automated hacking kits with remote-control and hierarchical components, a quiet worm will spread in ill-detectable shudders and jumps as directed by the person or algorithm initiating the sequence of break-ins. A stripped-down example would be the Randex.E "worm," which breaks in via the MS03-026 RPC/DCOM vulnerability, then joins an IRC channel and awaits commands, including instructions to break into further hosts.
Ultimately, successful worms become loud because of the (near) exponential growth they experience. They grab attention not only from infiltrating thousands of systems, but from causing significant network disruption. A truly sophisticated worm would start with less disruptive scan rates, and tune its scan and attack frequency over time in the effort to remain "below the radar." Today, such strategies appear to remain in the hands of a human initiator. Eventually, and I would say, soon enough, we can expect the algorithms preventing exponential growth to reach a level at which their behavior will conform to that of furtive, clever individuals.
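As an added illustration of the "elbow" argument above (this is not code from the original post), the following Python model uses the classic random-constant-spread (logistic) equation for a random-scanning worm to show how far a lower per-host scan rate pushes the elbow out in time, and how much aggregate scan "noise" the worm emits at that point. The address space, vulnerable population and initial infection count are constructed assumptions, not figures from the post.

```python
"""Logistic (SI) model of a random-scanning worm: where the 'elbow' of
the infection curve falls and how the per-host scan rate moves it.

Constructed assumptions, not figures from the post: a 2^32 address
space, 300,000 vulnerable hosts, one host infected at time zero, and the
classic random-constant-spread model da/dt = K * a * (1 - a)."""

from math import exp, log

ADDRESS_SPACE = 2 ** 32


def contact_rate(scans_per_sec: float, vulnerable: int) -> float:
    """K: new victims per second produced by one infected host while the
    population is still almost entirely uninfected."""
    return scans_per_sec * vulnerable / ADDRESS_SPACE


def infected_fraction(t: float, k: float, a0: float) -> float:
    """Closed-form solution of the logistic equation with a(0) = a0."""
    return 1.0 / (1.0 + (1.0 - a0) / a0 * exp(-k * t))


def time_to_fraction(target: float, k: float, a0: float) -> float:
    """Seconds until the infected fraction first reaches `target`."""
    return log((target / (1.0 - target)) * ((1.0 - a0) / a0)) / k


def profile(scans_per_sec: float, vulnerable: int = 300_000,
            initially_infected: int = 1, elbow: float = 0.10) -> dict:
    """Time to the elbow (here: 10% infected) and the aggregate scan
    traffic the worm is generating at that moment, i.e. its 'noise'."""
    k = contact_rate(scans_per_sec, vulnerable)
    a0 = initially_infected / vulnerable
    t_elbow = time_to_fraction(elbow, k, a0)
    return {
        "scans_per_host_per_sec": scans_per_sec,
        "doubling_time_sec": log(2) / k,   # early, pre-elbow growth
        "seconds_to_elbow": t_elbow,
        "aggregate_scans_per_sec_at_elbow": elbow * vulnerable * scans_per_sec,
        # Once saturated, every vulnerable host is scanning; a throttled
        # worm is quieter by the same factor, but still conspicuous. It
        # simply reaches that point later.
        "aggregate_scans_per_sec_at_saturation": vulnerable * scans_per_sec,
    }


if __name__ == "__main__":
    for rate in (4000.0, 4.0):   # Slammer-like scanner vs. throttled scanner
        print(profile(rate))
```

Because the time to any given infected fraction is inversely proportional to K, dividing the per-host scan rate by 1000 multiplies the time to the elbow by 1000 (roughly 37 seconds versus 10 hours under these assumptions) while the noise at every stage shrinks by the same factor.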
That said, there are fresher and fresher worms taking advantage of vulnerabilities made public over the last six months, and to top off a bad week, M$ released two new advisories. One is for a rollup addressing a suite of Internet Explorer bugs (one of which is so bad, merely visiting a naughty web page can leave your computer backdoored to heck and back). With the reigning "tweak Microsoft's nose" mood, these don't bode well.