
View Full Version : Superworm To Storm The Net On 9/11



lennart
03-09-03, 14:11
The worm invasion will feature distributed denial-of-service (DDoS) attacks against Microsoft's website and those of anti-virus software vendors or spam prevention websites. This will hinder distribution of removal tools and prevent detection of worm spam.

The SuperWorm would combine the capabilities of recent worms/viruses. This hi-tech worm could lever itself into becoming a "WormNet" inside the existing Internet, with worms on individual infected computers sending encrypted communications to each other. Worms could exchange latest worm-code updates and get lists of new attack targets. These features would even enable them to morph into new worm generations.

Once established, the SuperWorm would be a permanent presence on the Internet. It could be scaled up and down in intensity or retargeted by its human controller(s). It could also be used to untraceably broadcast to the world audience on the Internet.

THE BIG ONE

The FBI just spent two weeks catching the incredibly inept teenage author of a Blaster worm variant. Meanwhile the much more dangerous threat comes from the creator(s) of the Sobig worm.

Is it just a coincidence that the Sobig.F variant expires on the 10th of September, meaning the next release is due on September 11th?

"The MO of the author is to release a new version just before the expiry of the last one," said Mark Summer, at security firm MessageLabs.

Curiously, the Sobig author(s) recently took a break. The last Sobig.F version followed on from A, B, C, D and E, each bigger and better than the last. But there was an untypical gap of a full month between E and F.

"We think he may have taken a vacation or something," said one reportedly exasperated FBI source.

Perhaps not. Maybe Sobig.F was delayed a month so that the imminent Sobig.G release would fall on the 11th September target date.

Therefore the 9/11 Sobig release date is a clear warning of a catastrophic attack on 9-11-'03. The author(s) are hinting of a calamity.

Do they have the capability to seriously disrupt the Internet? You bet. These are no 'script-kiddies.' They are professional. Security experts agree:

"This is the undisputed heavyweight champion of viruses," according to Scott Petry of email-security firm Postini in Redwood City, California.

"It is very well planned, very well designed and very well executed," said Mikko Hypponen, director of antivirus research for F-Secure of Finland.

Let's go further than that. Let's say that Sobig.F was so slick that the author(s) were toying with us as they road-tested their 9/11 worm release.

ULTIMATE WORMWARE

With inbuilt encryption and email, coupled to sophisticated delivery, defense and updating capabilities, Sobig.F was advanced wormware.

Security analysts think it got a power-assisted launch on the Internet by an initial mass-mailing to a spammer's list of email addresses. That spam launch may have come from hijacked open-relays on already compromised computers.

Even as Sobig spread, the Blaster worm had already spawned an army of worms which easily took Microsoft's Windowsupdate.com website off-line. Try the link. It's still off-line, and not expected to return. The next Sobig variant could adopt this Blaster tactic and have a list of targets designed to hinder user access to the patches needed to fix infections.

Sobig.F was programmed to seek an update of its code from about 20 compromised computers on the Net. By decrypting the Sobig.F code, a list of these sites was discovered and they were shut down. Only just in time, too.

However, only one update site had content. And that merely redirected to a sex site. In truth, the author(s) likely never intended to place new code on the 20 update sites anyway. The technique looks like a test or even a decoy. But the intent to make updates possible is worrying. Suppose we could not stop the update.

If the upcoming Sobig.G enables the worms themselves to exchange new updates and avoids naming update sites explicitly in the virus code, we are powerless to stop the updates. Instead of taking directions from named update servers, the worms could sniff each other out on the net to swap latest code.

WORMNET WRIGGLE

This "WormNet" concept has been discussed in a prior theoretical wishlist, detailing the architecture of a possible superworm. Sobig is definitely slick enough to implement this ultimate wormware.

Once the Internet gets infected with "WormNet," the worm updates could be automatically distributed to all worms faster than the anti-virus vendors could persuade humans to get patches. Especially if their websites are under denial of service attacks.

Secreted on hundreds of thousands of computers, WormNet would become an intractably persistent presence --piggybacking on existing Internet communications protocols.

We would be unable to break into the "WormNet" distribution system, because worm messages would be encrypted and signed with unique codes. Each message would have to be individually cracked.

Finally, imagine a "WormNet" which was exchanging Blaster-type virus code that enabled it to spread without users having to open infected emails, but by tapping open-port vulnerabilities on Internet connections. Doesn't bear thinking about.

WORM INTELLIGENCE

The worms would need a map of vulnerable ports on the Internet. As it happens, stealth activity has been crisscrossing the Internet for the last few months, which indicates that someone may be preparing just such a map.

In June 2003, security researchers at Intrusec said a sneaky Trojan application called 55808 has installed itself on an unknown number of Internet-connected servers and is scanning and mapping the Internet. The traffic consists of data packets with a window size of 55,808 bytes.

Another firm, Lancope, said the Trojan probes were at a rate that would lead to 63% of the IP addresses on the Internet being probed every 17 hours.

The Trojan is a distributed port scanner which is very difficult to detect. It communicates by sending out information to random addresses hoping that another computer infected with the program is listening. This way the communications are untraceable.

"Though there isn't a direct communication channel, all of these Trojan agents, or zombies, are working together," said Dan Ingevaldson, team leader for Internet Security Systems. "Someone is trying to map Internet-connected networks."

JOINING THE DOTS

In Sobig, Blaster and 55808, we are seeing Internet attack components which individually are a nuisance. Even if these are entirely unrelated attacks, their proven success immediately adds these tactics to the pool of malware.

If the inept FBI suspect managed to cobble together two tactics in his Blaster variant, the slicker operators elsewhere can readily deploy a SuperWorm which brings these components together and would be unstoppable with our current defenses. Such a worm is now clearly possible, and eventually inevitable.

Sobig.F has been blamed on spammers trying to hijack open relays and use them as spam mail servers. If so, why would these profit-focussed spammers set a 9/11 release date with ominous political/terror overtones? Not good business.

Some person(s) went to a lot of trouble to launch Sobig.F and they have indicated it was the penultimate virus. To be followed by the ultimate. Despite the clear intent on display, our response has been meager.

So-called "market forces" are not solving the Internet security problem. They are ensuring it remains a problem. Antivirus vendors are content to play the attack/defend cycle forever --and they do serve a purpose. But their presence in the market lends Microsoft a plausible deniability of final responsibility.

DEFENDING THE NET

The virus/worm issue just got critical. Are we going to sit around and wait for the inevitable on 9/11/'03 or not long after? Or are we going to take bold steps to protect the Internet before it's too late?

Perhaps it's time for the IT industry, the anti-virus vendors and Microsoft to come together and raise the level of voluntary inoculation by users.

Or maybe it's time to release our own Defender.A worm which could invasively close down the relevant "holes" in Internet security. A defensive worm could use standard intrusion tactics for a benign result. For example, it could worm its way into Windows XP computers and get the owner's permission to turn their firewalls on. It could survey open TCP/IP ports and offer to close them.

Such a defensive worm, armed with full ISP and backbone support, could lock down 95% of existing Internet vulnerabilities in 48 hours.

The ongoing failure to address Internet security issues is set to cost us dearly. Is there really the political will to safeguard the greatest free speech medium developed by humanity? If there is not, then it is up to the Internet community to protect it ourselves.
http://www.gulufuture.com/superworm.htm
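The article gives one concrete, checkable detail about the 55808 scanner: its probes carry a TCP window size of 55,808. The following is an added example, not code from the article or from the poster, of how a network operator could flag that signature in captured TCP headers and separate a single coincidental hit from a source fanning out across many hosts. The packets are constructed for the example; the threshold of three distinct targets is an assumption, not a figure from the article.

```python
"""Added example (not part of the original post or the gulufuture.com article):
flag TCP segments advertising window size 55808, the signature the article
attributes to the "55808" scanning trojan, and summarise per source how many
distinct destinations received it. All packets below are constructed."""
import struct
from collections import defaultdict

SUSPECT_WINDOW = 55808  # window size reported by Intrusec/Lancope for the 55808 trojan


def build_tcp_header(sport, dport, window, flags=0x02, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (no options). Used only to construct test data."""
    data_offset_flags = (5 << 12) | flags  # data offset = 5 words; flags in the low bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, data_offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Return (sport, dport, flags, window) from a raw TCP header (network byte order)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return sport, dport, off_flags & 0x1FF, window


def flag_suspect_windows(packets, suspect_window=SUSPECT_WINDOW):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header).
    Returns {src_ip: set of dst_ips} for packets that advertise the suspect window."""
    hits = defaultdict(set)
    for src, dst, raw in packets:
        _sport, _dport, _flags, window = parse_tcp_header(raw)
        if window == suspect_window:
            hits[src].add(dst)
    return dict(hits)


def summarize(packets, min_targets=3):
    """Sources that sent the suspect window to at least min_targets distinct hosts.
    A single hit can be coincidence; fan-out across many hosts looks like scanning.
    min_targets=3 is an assumed threshold for the example."""
    return {src: len(dsts)
            for src, dsts in flag_suspect_windows(packets).items()
            if len(dsts) >= min_targets}


# Constructed sample traffic: one host probing four targets with window 55808,
# ordinary traffic with common window sizes, and one isolated 55808 hit.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.%d" % i, build_tcp_header(40000 + i, 80, 55808))
    for i in range(1, 5)
] + [
    ("192.0.2.10", "203.0.113.1", build_tcp_header(51000, 80, 65535)),
    ("192.0.2.11", "203.0.113.2", build_tcp_header(51001, 443, 16384)),
    ("192.0.2.12", "203.0.113.3", build_tcp_header(51002, 25, 55808)),  # single hit, below threshold
]

if __name__ == "__main__":
    for src, count in summarize(SAMPLE_PACKETS).items():
        print(f"{src}: window {SUSPECT_WINDOW} sent to {count} distinct hosts")
```

On real traffic the same functions would be fed headers pulled from a capture; the window field is the only discriminator the article supplies, so the per-source fan-out count is what keeps a legitimate host that happens to advertise 55808 from being reported as a scanner.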

Maarten
03-09-03, 16:45
In an apple, at least you can still eat around it!
But this??!..

Woe unto us!.. We who bit into Bill Gates's apple!!..
The Prophecies are nigh!!..
Driven out were we from the Paradise of the internet!!..
After all, we were forced into the banality of daily Life!!
A New Halt, HE calls out to us, we who thought to escape by making earthly life a paradise!
AAAAAAAHHHHHH!!!…

plexus
03-09-03, 17:24
http://www.laisen.dk/uploads/pics/linux.tux_02.gif
suckers!

plexus
03-09-03, 17:25
http://www.thaisarn.net.th/images/linux.jpg
suckers!

Maarten
04-09-03, 02:36
I don't often eat Penguin..
Couldn't there soon be a superworm in it?
I wonder how security works there, when the software is open source?
And is there already enough nice nasty software for the stuff?

lennart
04-09-03, 14:28
Worms can of course be made for penguins too; it's about maximum impact. Microsoft's big problem is that they have a communication problem: their customers usually only find out what they need to do when it's already too late. Herein lies the big advantage of open source: the "customer" service is done by a large number of companies and volunteers, and the provision of information can be streamlined much better. By the way, the proverb about the calf of course always applies; that's why it's proverbial :confused: