Coming Soon: Attack Of The Super Worms!

Discussion in 'other security issues & news' started by Technodrome, Jul 24, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    The threat to computer networks from worms is multiplying in both sophistication and potential for damage, according to security experts.
    The industry is on the cusp of an evolution in computer worms -- those malicious programs that replicate themselves and can spread automatically over the network from one machine to another, wreaking havoc as they go. And that evolution is bringing a new breed of problems for network and security administrators.

    "I think there's a lot of potential for damage coming down the pike," says Stephen Trilling, senior director of research at Symantec Corp., an Internet security company based in Cupertino, Calif. "We will see worms with increasing sophistication. We'll see worms with new ways of spreading. We'll see worms that can spread themselves through Instant Messaging...They can steal documents and information from your machine. They can create new holes in your system, and once they've taken over your machine, they can launch attacks from it."

    A few recent worms and viruses -- such as the Frethem.E and the Simile.D -- didn't wreak any havoc on the Internet but they did serve as a warning for future worm attacks, say security analysts.

    The Frethem worm had the ability to propagate itself. It collected email addresses from the Windows Address Book and used its own SMTP engine to send out infected messages. The Simile virus is largely considered the first complicated virus with cross-platform capabilities -- able to attack both Windows and Linux operating systems.

    And that's just a taste of what's to come, according to George Bakos, senior security expert at the Institute for Security Technology Studies at Dartmouth College in Hanover, N.H.

    "Hybrid worms are going to become more and more common," says Bakos. "They're going to be attacking multiple vulnerabilities, maybe on multiple operating systems."

    Bakos says the industry should be expecting the arrival of worms with new and powerful capabilities. He says to expect worms that infect a computer and then set up a communication channel so it can communicate with its controller. He also warns that administrators should be aware of more polymorphic worms, which are worms designed to hide their own presence.

    Sleeper Worms Waiting To Strike
    "If you had a worm that incorporated these points, you'd have a whole new life form," says Bakos. "And it would have a long life."

    Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a wholly owned subsidiary of Raytheon, says the industry is looking at the coming of such attacks as super worms and sleeper worms.

    A sleeper worm infects a computer but doesn't automatically attack the system as soon as it's in. Instead, the worm waits for a signal before it attacks. The signal could be a predetermined time or date, or the arrival of a certain email, or simply the 17th time that the user logs onto her system.

    "It goes in and waits for a while and then resurfaces after you think you've cleaned out your system," says Woolley. "They can be placed there and you have no idea they're there...Worms can be very quiet. It can be hidden in a file you don't even know exists. It's not something the average Joe Blow script kiddie is going to come up with. It's very sophisticated."

    Symantec's Trilling says sleeper worms are particularly dangerous because they can be spread across the Internet and then awakened all at once to launch a targeted attack on a particular company, organization, sector of the Internet or even a country.

    "There are a lot of machines out there that are vulnerable and once they're all harnessed, they can do a lot of damage," says Trilling.

    Another category of attack is the super worm, which is generally considered to be a blended or hybrid worm. That means it generally can propagate itself and can pack a number of vulnerabilities into one payload. For instance, a super worm would get into a system and not just try to attack one vulnerability. It would try one known vulnerability and then another and another.

    "It will pack a number of vulnerability attacks into a single warhead and one of them is bound to stick," says Woolley. "It will find something that you haven't patched and you'll be caught. I don't think any company is completely patched up. Look at all the vulnerabilities that come out on a day-to-day basis and think of a large corporation that has multiple servers, multiple systems and multiple networks. How do you stay on top of them all? Administrators often times have systems out there they don't even know exist, and if you don't know they're there, how can you possibly patch them?"

    IM Vulnerabilities
    And while administrators are trying to patch their networks, they also need to be keeping a close eye on Instant Messaging, says Symantec's Trilling.

    Trilling says he's starting to see worms that spread themselves over IM. A hacker sends a link to an IM user, the user clicks on it and a worm spreads to everyone in the user's IM address book.

    "With Instant Messenger, you're connected all the time so you're vulnerable all the time," says Trilling. "Over the next year to two years, we'll see much more of this."

    Keith Rhodes, chief technologist at the U.S. General Accounting Office in Washington, D.C., says administrators should be patching up their systems, updating their anti-virus software and educating their employees because worm attacks are about to get much worse.

    "I think we're on the cusp of something," says Rhodes. "As computing evolves, so do the malicious attacks. Your ability to understand them improves so your opponent also improves. The attacks become faster. The software becomes more complex and buggier. Your opponents, therefore, have much more opportunity to attack you."

    source: internetnews


    Technodrome
     
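    The article above notes that Frethem carried its own SMTP engine rather than handing mail to the organisation's relay. That behaviour is also its weak point from a defender's side: an infected workstation suddenly opens TCP/25 connections to many distinct external mail servers, something a normal desktop never does. The script below is an added example written for this thread, not code from the article or from any vendor quoted in it. It runs a fan-out check over a few constructed firewall log lines; the log format, the relay address, the internal address range and the threshold are all assumptions for the example and need adjusting to a real environment.

```python
"""
Flag internal hosts that speak SMTP directly to the Internet instead of
through the site's mail relay. A mass-mailing worm with its own SMTP engine
shows up as one internal source contacting many distinct external TCP/25
servers. Everything below (log format, relay, nets, threshold) is assumed.
"""
from collections import defaultdict
import ipaddress

# Assumed: the only host permitted to originate outbound SMTP.
MAIL_RELAY = "10.0.0.25"
# Assumed: the site's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed: distinct external SMTP servers per source before we raise an alert.
FANOUT_THRESHOLD = 5

# Constructed sample lines in a simplified firewall log format:
# <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2002-07-24T09:00:01 ALLOW TCP 10.0.0.25:40001 -> 198.51.100.10:25
2002-07-24T09:00:02 ALLOW TCP 10.0.0.25:40002 -> 203.0.113.7:25
2002-07-24T09:00:03 ALLOW TCP 10.0.1.17:1051 -> 198.51.100.10:25
2002-07-24T09:00:03 ALLOW TCP 10.0.1.17:1052 -> 198.51.100.11:25
2002-07-24T09:00:04 ALLOW TCP 10.0.1.17:1053 -> 203.0.113.7:25
2002-07-24T09:00:04 ALLOW TCP 10.0.1.17:1054 -> 203.0.113.8:25
2002-07-24T09:00:05 ALLOW TCP 10.0.1.17:1055 -> 192.0.2.44:25
2002-07-24T09:00:05 ALLOW TCP 10.0.1.17:1056 -> 192.0.2.45:25
2002-07-24T09:00:06 ALLOW TCP 10.0.1.17:1057 -> 10.0.0.25:25
2002-07-24T09:00:07 ALLOW TCP 10.0.1.42:1100 -> 10.0.0.25:25
2002-07-24T09:00:08 ALLOW TCP 10.0.1.42:1101 -> 198.51.100.10:80
2002-07-24T09:00:09 DENY TCP 10.0.1.99:2000 -> 192.0.2.9:25
"""


def parse_line(line):
    """Split one log line into a record, or return None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    src_ip, _, _src_port = src.rpartition(":")
    dst_ip, _, dst_port = dst.rpartition(":")
    return {"ts": ts, "action": action, "proto": proto,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smtp_fanout(log_text):
    """Map each non-relay internal source to the set of external SMTP servers it tried to reach.

    DENY lines are counted too: a blocked attempt still points at an infected host.
    """
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dst_port"] != 25:
            continue
        if rec["src_ip"] == MAIL_RELAY or not is_internal(rec["src_ip"]):
            continue
        if is_internal(rec["dst_ip"]):
            continue  # clients handing mail to the internal relay is expected
        fanout[rec["src_ip"]].add(rec["dst_ip"])
    return fanout


def suspected_mass_mailers(log_text, threshold=FANOUT_THRESHOLD):
    """Return (source_ip, distinct_external_servers) pairs at or above the threshold."""
    return sorted((src, len(dsts))
                  for src, dsts in smtp_fanout(log_text).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, n in suspected_mass_mailers(SAMPLE_LOG):
        print(f"{src}: direct SMTP to {n} distinct external hosts, bypassing relay {MAIL_RELAY}")
```

    On the sample data only 10.0.1.17 is flagged: it contacted six different outside mail servers in a few seconds, while 10.0.1.42 used the relay as it should and 10.0.1.99 made a single blocked attempt. The same fan-out idea works on flow records or proxy logs; the point is to compare against what the site has sanctioned rather than against a signature, which is what makes it useful against the "new breed" of worms the article anticipates.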
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    And now this: "Big software pushes hard for national Gestapo" (from this article: http://www.theregus.com/content/55/25742.html ).

    (This is getting too serious NOT to include the whole article, folks).

    "I was puzzled last month when industry lobby the Business Software Alliance (BSA) released a cyberterror FUD bomb. Or, rather, a FUD dud -- a laughably meaningless survey of the opinions of so-called "IT pros" all laboring under the delusion that a deadly national catastrophe by electronic means is just around the corner.

    Was that a one-off lapse in judgment, I wondered. A quick and dirty publicity stunt? Why would the BSA suddenly become concerned with cyberterror? Are they developing some software-based national-defense panacea? I found it puzzling enough to solicit readers for insight and theory. I thank everyone who contributed their ideas, but I must say that even with their help I couldn't quite add it all up.

    But now the BSA is at it again, repeating its bizarre performance, and it's all suddenly making sense.

    Consider that the Bush Junior Administration and Congress are moving to entrust considerable cyber-defense powers to the new Department of Homeland Security, a proposed national Gestapo with a budget of $37 billion and exemptions from the Freedom of Information Act (FOIA) and other privileges.

    And of course that spells pork -- big, juicy, fat gobbets of pork. No wonder the BSA is at it again, saying essentially the same thing while using nothing better than hearsay for its standard of evidence. They're tossing out empty soundbites for Congresspersons to mimic in their little speeches on the floor, as they pretend to agonize over the safety of innocent Americans at the hands of demonic IP warriors.

    "The sobering results of these surveys underscore the need for Congress and the Administration to ensure that the security of our nation's information networks is a top priority in homeland security legislation now being debated on Capitol Hill," BSA President Robert Holleyman whines.

    "While Y2K was a one-time event, cyber attacks represent persistent threats that need to be treated with the same concerted urgency that successfully averted Y2K disasters," he goes on. "We think it is important that the government take a strong lead like it did for Y2K and set a tone that business will follow."

    All right, when you get an industry lobby pretending to solicit government 'leadership', you know something stinks. Big Software likes this legislation, ergo the man in the street is going to hate it. And they've got a frightened lapdog, House Energy and Commerce Chairman Billy Tauzin (Republican, Louisiana), to serve as their pitch man.

    "Ninety percent of the nation's most important critical infrastructures are privately owned and operated; that's why it is crucial that we make sure the public and private sectors are working together to protect the information networks that increasingly impact nearly every aspect of our daily lives," the BSA quotes Tauzin as saying.

    'Working together' indeed. That means government contracts -- billions in public funds, vast hunks of corporate welfare, just so some script kiddie has a slightly harder time defacing Uncle Sam's Web sites. It also means 'upgrading' to the latest and greatest database and office software, and of course the very finest in operating systems.

    And on the return trip, it means blessed secrecy for software giants and other major IT companies, all of whom desperately want FOIA exemption on the hollow pretext that they could then share information about cyber-attacks and in this way selflessly contribute to the national anti-terror brain trust and the public's safety. Of course the truth there is a good deal simpler: companies want secrecy regarding cyberattacks because they're embarrassing, and because the public would probably stop dealing with hundreds of them if they found out how poorly-defended their data really is. An FOIA exemption of that sort would be the Mother of all security-through-obscurity programs, but it has not been forthcoming on the Hill, and probably won't materialize as part of the Gestapo legislation.

    Perhaps the new Homeland Defense Office will be able to extend the umbrella of its own freedom from information act (FFIA) as a partial shield. And that may well pass; recent proposed amendments would limit public access to corporate records only if they're submitted to Gestapo Headquarters, and then only the bits dealing with security would be exempt. Of course there's a lot of wiggle room there. Pretty much anything can be said to have security implications, as Kafka often noted.

    This happy alliance will also likely mean closer government cooperation in fighting the evils of software piracy. Clearly the BSA's patrons regard the FBI as their own personal 'piracy 911'. No doubt enhanced access via the new department is anticipated, and high hopes of further influencing national law-enforcement priorities entertained.

    So what we have is a bid for Homeland Security pork using hearsay and FUD, cleverly disguised as something serious. But what else would you expect from an organization that routinely lies about piracy, slickly including open source products in their 'loss' statistics? ®

    BSA members include Adobe, Apple Computer, Autodesk, Bentley Systems, Borland, CNC Software/Mastercam, Dell, EDS, Entrust, HP, IBM, Intel, Intuit, Macromedia, Microsoft, Network Associates, Novell, Sybase, and Symantec. [Wow, some of the world's biggest defense contractors. We're impressed. --ed]"
     
  4. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    How refreshing to read somebody with a voice who has enough 20-20 vision to make sh!t transparent.
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Not at all. Not at all! (Did you read the user responses, incidentally?) Nice command of the English language, however. Must admit it sent me off to the dictionary several times. Still, I have to agree with many of the respondents -- long on (excellent) grammar; short on substance.

    Quite frankly, I have no idea as to whether the target of this article is whistling Dixie through his *ss or not; nor did this article enlighten me on that subject.
     

  6. Love it... now maybe we can dig out the old stuff about "flash worms". :p :p :p They were floating around in the bowl for a while.


    What this world needs is a good worm to get the economy going again.
     
  7. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    LOL....LOL....LOL....

    Good One!


    Technodrome
     
  8. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Fretham is the first worm to be compiled in Digital Spawn, which creates the self-mutating worm. It won't be long before we see a LOT more output from this compiler, both worms and RATs.

    BOClean 4.10 was designed to detect these (we added Fretham once, it's now detecting all its mutants as well).
     