Make way for the uber worm

Discussion in 'malware problems & news' started by spy1, May 24, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined: Dec 29, 2002
    Posts: 3,139
    Location: Clover, SC
    From this article: http://www.vnunet.com/News/1132084

    "By James Middleton [24-05-2002]

    Hackers work on worm that could hit 10 million sites in hours

    Virus writers could "own the internet in their spare time", according to research from three well respected industry experts.

    A highly effective uber worm, capable of hitting up to 10 million internet hosts in a matter of hours, may be just around the corner.

    As the SQLsnake worm continues its march - topping the list as the most prolific attacker on the net today with infection attempts hitting the 600,000 mark - experts have warned of the potential for an even greater danger.

    A report compiled by Stuart Staniford of security firm Silicon Defense, Vern Paxson of the ICSI centre for internet research and Nicholas Weaver of Berkeley University, claims that: "It is reasonable for an attacker to gain control of a million internet hosts, or perhaps even 10 million.

    "Once subverted, these hosts can not only be used to launch massive denial-of-service floods, but also to steal or corrupt great quantities of sensitive information, and confuse and disrupt use of the network in more subtle ways."

    The paper, How to 0wn the Internet in Your Spare Time, is a pre-release of a presentation to be given at this year's Usenix Security Forum in August, and reveals that worms such as SQLsnake, Code Red and Nimda have only been precursors for what is to come.

    "There are several techniques which, although not yet employed, could further significantly increase the virulence of a worm," warned the researchers.

    Additional strategies a worm author could employ include "hit-list scanning", which would give us the Warhol worm - capable of infecting thousands of hosts within 15 minutes.

    "Permutation scanning worms", which are self co-ordinated in their attacks, are also a potential threat, as are "internet scale hit-lists", or flash-flood worms.

    Improved scanning technology could mean that a worm-infected machine could easily exceed 100 attacks per minute.

    Worm writers are also focusing on the more highly homogeneous, highly deployed services to maximise the potential for faster spreading and infection of the greatest number of machines, "considerably faster than any possible human-mediated response".

    Such a worm today could arguably subvert upwards of 10 million internet hosts, say the trio. A sobering thought, seeing as one million hosts can cause enormous damage.

    "You can launch distributed denial-of-service (Ddos) attacks so immensely diffuse that mitigating them is well beyond the state-of-the-art for Ddos traceback and protection technologies. Such attacks could readily bring down ecommerce sites, news outlets, command and co-ordination infrastructure, specific routers, or the root name servers," the report warned.

    "In short, if you could control a million internet hosts, the potential damage is truly immense: on a scale where such an attack could play a significant role in warfare between nations or in the service of terrorism."

    By way of defence, Staniford, Paxson and Weaver argue for the pressing need to develop a Centre for Disease Control, an analogue for virus- and worm-based threats to national cybersecurity.

    In their paper, available here: http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html , they sketch an outline for such a project."
     