1
The Coming Age of Defensive Worms
(The History of Good Worms)


David J. Meltzer

CTO, Intrusec
2
Preface
  • This is a subset of a complete presentation entitled “The Coming Age of Defensive Worms”.


  • This portion of the presentation deals only with the history of good worms.


  • The complete presentation will be presented live (see the final slide for details) and made available online thereafter.
3
Why?


  • “I don't know whether a good worm can be safe and effective, but this merits serious technical study.”
  • – Martha Stansell-Gamm (May 26, 2003) [1]
    Chief, Computer Crime and Intellectual Property Section, U.S. Department of Justice
4
What Will You Learn?
  • The history of good worms


  • The problems with defensive worms


  • How defensive worm problems are solved


  • Possible evolutionary steps
5
The Question


  • Will anyone in charge of a large network ever willingly launch a worm on their own network to protect it?
6
Worm Reality
  • A new exploit just came out.


  • You have 5,000 vulnerable systems.


  • The worm is coming.


  • What do you do?
7
The Worm Antidote
  • It fixes all the systems on your network.


  • It does it faster than the worm can spread.


  • It only ‘infects’ your own systems.


  • Do you run it?
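The question this slide poses (does the antidote really win the race against the worm on your 5,000 hosts?) can be explored with a small model. The following Python is an added example, not part of the deck: it uses the standard logistic random-scanning growth model, where each agent spreads at a rate constant K that folds together its scan rate and the density of vulnerable hosts, and adds a second, competing agent. It assumes the patch worm both patches susceptible hosts and disinfects hosts the worm already holds (the Code Green / CRClean pattern described later in the deck); the K values and the 5,000-host population are constructed inputs, not measurements from any real outbreak.

```python
"""Competing-spread model: a worm versus a 'patch worm' (added example).

Model assumptions (constructed for this illustration, not from the slides):
  s = fraction of hosts still vulnerable and untouched
  w = fraction owned by the worm
  p = fraction patched by the patch worm (immune to the worm)
Both agents scan random addresses, so each grows at rate K * (own fraction)
* (fraction of reachable targets). The patcher treats both s and w hosts as
targets, i.e. it disinfects as well as patches.  s + w + p is always 1.
"""


def simulate(k_worm, k_patch, n_hosts=5000, worm_seed=1, patch_seed=1,
             dt=0.1, steps=1000):
    """Forward-Euler integration of
         ds/dt = -k_worm*w*s - k_patch*p*s
         dw/dt =  k_worm*w*s - k_patch*p*w
         dp/dt =  k_patch*p*(s + w)
    Returns a list of (t, s, w, p) rows, one per step plus t = 0."""
    w = worm_seed / n_hosts
    p = patch_seed / n_hosts
    s = 1.0 - w - p
    traj = [(0.0, s, w, p)]
    for i in range(1, steps + 1):
        ds = -k_worm * w * s - k_patch * p * s
        dw = k_worm * w * s - k_patch * p * w
        dp = k_patch * p * (s + w)
        # update all three compartments from the same snapshot
        s, w, p = s + ds * dt, w + dw * dt, p + dp * dt
        traj.append((i * dt, s, w, p))
    return traj


def peak_infected(traj):
    """(time, fraction) at which the worm owned the most hosts."""
    t, _, w, _ = max(traj, key=lambda row: row[2])
    return t, w


def time_to_fraction(traj, index, frac):
    """First model time at which compartment `index` (1=s, 2=w, 3=p)
    reaches `frac`, or None if it never does within the run."""
    for row in traj:
        if row[index] >= frac:
            return row[0]
    return None


def outcome(k_worm, k_patch, n_hosts=5000, patch_seed=1):
    """Summarise one scenario as host counts and timings a defender cares about."""
    traj = simulate(k_worm, k_patch, n_hosts=n_hosts, patch_seed=patch_seed)
    _, s, w, p = traj[-1]
    peak_t, peak_w = peak_infected(traj)
    return {
        "worm_hosts_at_end": round(w * n_hosts),
        "patched_hosts_at_end": round(p * n_hosts),
        "unpatched_hosts_at_end": round(s * n_hosts),
        "peak_worm_hosts": round(peak_w * n_hosts),
        "peak_time": peak_t,
        "patch_half_time": time_to_fraction(traj, 3, 0.5),
    }


if __name__ == "__main__":
    # Constructed rate constants: the worm at K=0.5; the patcher absent,
    # equally fast, or twice as fast. Both agents start from one host.
    print("worm alone:         ", outcome(0.5, 0.0, patch_seed=0))
    print("patcher, same K:    ", outcome(0.5, 0.5))
    print("patcher, twice as fast:", outcome(0.5, 1.0))
```

The model makes the slide's trade-off concrete: the patcher's edge is not only its scan rate but the fact that it has more targets (it can also take hosts back from the worm), so even an equally fast patcher eventually wins the population. What the model does not capture is everything the later quotes object to: the traffic both agents generate, hosts that fail to come back after patching, and the problem of telling the two worms apart on the wire.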


8
Which Worm Do You Want?
9
What Will You Learn?
  • The history of good worms


  • The problems with defensive worms


  • How defensive worm problems are solved


  • Possible evolutionary steps
10
“Good Worms”
  • A Worm, BUT…
    • A “beneficial” payload

  • BUT Still…
    • Disruptive to networks
    • Runs without permission
    • Requires clean-up
    • ILLEGAL
11
What Do “Good Worms” Do?
  • Scan


  • Listen


  • Exploit


  • Patch


  • Disinfect





12
Timeline of “Good Worms”
13
Case Study: AntiADM [3, 14]
  • Released 5/98; written by Max Vision
  • ADMworm Response: Scans, Patches, Backdoors

  • Scans for systems vulnerable to the named iquery hole
  • Exploits the remote system
  • Patches the iquery hole (upgrades named)
  • Installs a backdoor
  • Installs itself on the system
14
Case Study: Millennium [2]
  • Discovered 8/15/99; written by Mixter [4]
  • Multiple Linux Vulns: Scans, Patches, Backdoors

  • Scans for systems vulnerable to 5 remote Linux holes
  • Exploits the remote system
  • Patches the 5 Linux vulns
  • Installs a backdoor
  • Sends notification of the infection to a Hotmail address
  • Installs itself on the system
15
Case Study: Cheese [5]
  • Discovered 5/01; author unknown
  • Lion Worm Response: Scans, Disinfects

  • Scans for systems infected by Lion
  • Installs itself using the backdoor left by Lion
  • Removes the Lion backdoor from the system
16
Case Study: Code Green [6]
  • Code released 9/1/2001; written by Der HexXer
  • Code Red Response: Scans, Disinfects, Patches

  • Scans for systems infected with CodeRed
  • Exploits the ISAPI vuln on infected systems
  • Removes CodeRed from the system
  • Installs the Q300972 hotfix on the system
  • Installs itself on the system
17
Case Study: CRClean [7]
  • Code released 9/1/2001; written by Markus Kem
  • Code Red Response: Listens, Disinfects, Patches

  • Listens for CodeRed to attack it
  • Exploits the ISAPI vuln on CodeRed attackers
  • Removes CodeRed from the system
  • Patches the ISAPI vuln on the system
  • Installs itself on the system
18
Industry Thinking on “Good Worms”

  • “Generally Not Well Regarded”
  • – eEye [8]


19
Industry Thinking on “Good Worms” - Continued

  • “The idea of a patch worm is a nice thought, but it is not a solution…”
  • – CERT [9]
20
Industry Thinking on “Good Worms” - Continued

  • “You cannot predict what’s going to happen. You don’t know what the impact is going to be if it’s altered. It’s never an alternative.”
  • – Trend Micro [10]
21
Industry Thinking on “Good Worms” - Continued

  • “What about the traffic it takes up?
  • What about the boxes that don't patch properly, don't make it back after reboot, or took down etrade in the middle of a trading day?
  • How does your worm know when it's done?
  • Maybe I don't want my box patched, the patch broke my app
  • How do I tell your good worm apart from the original bad worm, or the other worm which looks like the good worm, but is really a bad worm?
  • How about people like us who track attack data, and you just skewed the heck out of it? When does www1.whitehouse.gov get to come back? If there's still *A* worm around on the 1st, which one is it?
  • Do we really want an Internet-sized game of corewars?”
  • – Ryan Russell [11]
22
Industry Thinking on “Good Worms” - Continued

  • “Visions of bots floating around in the ether waging mighty, but invisible, battles belong in books such as Neal Stephenson's "The Diamond Age," not on production Internet servers.”
  • – Timothy Dyck [12]


23
Industry Thinking on “Good Worms” - Continued

  • “… Worms are inherently uncontrollable, meaning that good worms will cause traffic problems and spread out of control. This is true of most worms today, but that's only because no one has designed a legitimate, well-coded and peer-reviewed good worm…”
  • – eWeek [13]


24
/. Wisdom

  • “The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?”


  • “Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong”
  • “Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...”


  • “Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.”
25
References
  • 1. Stansell-Gamm, Martha. “Good Worms Not Mature”, May 26, 2003.
    URL: http://www.eweek.com/article2/0,3959,1109605,00.asp
  • 2. Vision, Max. “Origin and Brief Analysis of the Millennium Worm”, September 1999.
    URL: http://www.whitehats.com/library/worms/mworm/index.html
  • 3. Poulsen, Kevin. “Max Vision: FBI pawn?”, May 8, 2001.
    URL: http://www.securityfocus.com/news/203
  • 4. Mixter. “mw06.tgz”, September 23, 1999.
    URL: http://packetstormsecurity.nl/groups/mixter/mw06.tgz
  • 5. Barber, Bryan. “Cheese Worm: Pros and Cons of a Friendly Worm”, July 21, 2001.
    URL: http://www.sans.org/rr/papers/36/31.pdf
  • 6. Hexxer, Der. “CodeGreen beta release”, September 1, 2001.
    URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0575.html
  • 7. Kem, Marcus. “CRClean.zip”, September 1, 2001.
    URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0577.html
  • 8. Permeh, Ryan & Coddington, Dale. “Decoding and Understanding Internet Worms”, November 21, 2001.
    URL: http://www.blackhat.com/presentations/bh-europe-01/dale-coddington/1
  • 9. Houle, Kevin. Quoted in Robert Lemos, “Cheese worm: A Linux fixer-upper?”, May 16, 2001.
    URL: http://news.com.com/2100-1001-257748.html?legacy=cnet
  • 10. Hartmann, Joe. Quoted in Jay Lyman, “’Cheesy’ Fix-It Worm Patches Security Flaws”, May 18, 2001.
    URL: http://www.newsfactor.com/perl/story/9869.html
  • 11. Russell, Ryan. “Re: Mitigating some of the effects of the Code Red worm”, July 20, 2001.
    URL: http://www.securityfocus.com/archive/1/198283/2002-12-02/2002-12-08/0
  • 12. Dyck, Timothy. “Thanks, but we don’t want your Cheese (worm)!”, June 30, 2001.
    URL: http://www.freeos.com/printer.php?entryID=4233
  • 13. Rapoza, Jim. “Up With Good Worms”, April 21, 2003.
    URL: http://www.eweek.com/article2/0,3959,1037004,00.asp
  • 14. Vision, Max. Personal interview, August 17, 2003.

26
More to Come…
  • For the remainder of this presentation, come see it live at…


  • ToorCon
  • September 26 – 28, 2003
  • San Diego, CA
  • http://www.toorcon.org