1

2
- This is a subset of a complete presentation entitled “The Coming Age of Defensive Worms”.
- This portion of the presentation deals only with the history of good worms.
- The complete presentation will be presented live (see the final slide for details) and made available online thereafter.
3
- “I don't know whether a good worm can be safe and effective, but this merits serious technical study.”
- – Martha Stansell-Gamm (May 26, 2003) [1], Chief, Computer Crime and Intellectual Property Section, U.S. Department of Justice
4
- The history of good worms
- The problems with defensive worms
- How defensive worm problems are solved
- Possible evolutionary steps
5
- Will anyone in charge of a large network ever willingly launch a worm on their own network to protect it?
6
- A new exploit just came out.
- You have 5,000 vulnerable systems.
- The worm is coming.
- What do you do?
7
- It fixes all the systems on your network.
- It does it faster than the worm can spread.
- It only ‘infects’ your own systems.
- Do you run it?

8
9
- The history of good worms
- The problems with defensive worms
- How defensive worm problems are solved
- Possible evolutionary steps
10
- A Worm, BUT…
- BUT Still…
- Disruptive to networks
- Runs without permission
- Requires clean-up
- ILLEGAL
11
- Scan
- Listen
- Exploit
- Patch
- Disinfect

12
13
- Released 5/98. Written by Max Vision.
- ADMworm Response: Scans, Patches, Backdoors
- Scans for systems vulnerable to the named iquery hole
- Exploits the remote system
- Patches the iquery hole (upgrades named)
- Installs a backdoor
- Installs itself on the system
14
- Discovered 8/15/99. Written by Mixter [4].
- Multiple Linux Vulns: Scans, Patches, Backdoors
- Scans for systems vulnerable to 5 remote Linux holes
- Exploits the remote system
- Patches the 5 Linux vulns
- Installs a backdoor
- Sends notification of the infection to a Hotmail address
- Installs itself on the system
15
- Discovered 5/01. Author unknown.
- Lion Worm Response: Scans, Disinfects
- Scans for systems infected by Lion
- Installs itself using the backdoor left by Lion
- Removes the Lion backdoor from the system
16
- Code released 9/1/2001. Written by Der HexXer.
- Code Red Response: Scans, Disinfects, Patches
- Scans for systems infected with Code Red
- Exploits the ISAPI vuln on infected systems
- Removes Code Red from the system
- Installs the Q300972 hotfix on the system
- Installs itself on the system
17
- Code released 9/1/2001. Written by Markus Kem.
- Code Red Response: Listens, Disinfects, Patches
- Listens for Code Red to attack it
- Exploits the ISAPI vuln on Code Red attackers
- Removes Code Red from the system
- Patches the ISAPI vuln on the system
- Installs itself on the system
18
- “Generally Not Well Regarded”
- – eEye [8]
19
- “The idea of a patch worm is a nice thought, but it is not a solution…”
- – CERT [9]
20
- “You cannot predict what’s going to happen. You don’t know what the impact is going to be if it’s altered. It’s never an alternative.”
- – Trend Micro [10]
21
- “What about the traffic it takes up?
- What about the boxes that don't patch properly, don't make it back after reboot, or took down etrade in the middle of a trading day?
- How does your worm know when it's done?
- Maybe I don't want my box patched, the patch broke my app
- How do I tell your good worm apart from the original bad worm, or the other worm which looks like the good worm, but is really a bad worm?
- How about people like us who track attack data, and you just skewed the heck out of it? When does www1.whitehouse.gov get to come back? If there's still *A* worm around on the 1st, which one is it?
- Do we really want an Internet-sized game of corewars?”
- – Ryan Russell [11]
22
- “Visions of bots floating around in the ether waging mighty, but invisible, battles belong in books such as Neal Stephenson's "The Diamond Age," not on production Internet servers.”
- – Timothy Dyck [12]
23
- “… Worms are inherently uncontrollable, meaning that good worms will cause traffic problems and spread out of control.
- This is true of most worms today, but that's only because no one has designed a legitimate, well-coded and peer-reviewed good worm…”
- – eWeek [13]
24
- “The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?”
- “Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong”
- “Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...”
- “Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.”
25
1. Stansell-Gamm, Martha. “Good Worms Not Mature”, May 26, 2003. URL: http://www.eweek.com/article2/0,3959,1109605,00.asp
2. Vision, Max. “Origin and Brief Analysis of the Millennium Worm”, September 1999. URL: http://www.whitehats.com/library/worms/mworm/index.html
3. Poulsen, Kevin. “Max Vision: FBI pawn?”, May 8, 2001. URL: http://www.securityfocus.com/news/203
4. Mixter. “mw06.tgz”, September 23, 1999. URL: http://packetstormsecurity.nl/groups/mixter/mw06.tgz
5. Barber, Bryan. “Cheese Worm: Pros and Cons of a Friendly Worm”, July 21, 2001. URL: http://www.sans.org/rr/papers/36/31.pdf
6. Hexxer, Der. “CodeGreen beta release”, September 1, 2001. URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0575.html
7. Kem, Marcus. “CRClean.zip”, September 1, 2001. URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0577.html
8. Permeh, Ryan & Coddington, Dale. “Decoding and Understanding Internet Worms”, November 21, 2001. URL: http://www.blackhat.com/presentations/bh-europe-01/dale-coddington/1
9. Houle, Kevin. Quoted in Lemos, Robert. “Cheese worm: A Linux fixer-upper?”, May 16, 2001. URL: http://news.com.com/2100-1001-257748.html?legacy=cnet
10. Hartmann, Joe. Quoted in Lyman, Jay. “’Cheesy’ Fix-It Worm Patches Security Flaws”, May 18, 2001. URL: http://www.newsfactor.com/perl/story/9869.html
11. Russell, Ryan. “Re: Mitigating some of the effects of the Code Red worm”, July 20, 2001. URL: http://www.securityfocus.com/archive/1/198283/2002-12-02/2002-12-08/0
12. Dyck, Timothy. “Thanks, but we don’t want your Cheese (worm)!”, June 30, 2001. URL: http://www.freeos.com/printer.php?entryID=4233
13. Rapoza, Jim. “Up With Good Worms”, April 21, 2003. URL: http://www.eweek.com/article2/0,3959,1037004,00.asp
14. Vision, Max. Personal interview, August 17, 2003.
26
- For the remainder of this presentation, come see it live at…
- ToorCon
- September 26 – 28, 2003
- San Diego, CA
- http://www.toorcon.org