[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Slightly OT: Worms: Exploit Plug-ins and Benevolent Worms
- To: Shlomi Fish <shlomif(at-nospam)techst02.technion.ac.il>
- Subject: Re: Slightly OT: Worms: Exploit Plug-ins and Benevolent Worms
- From: "Nadav Har'El" <nyh(at-nospam)math.technion.ac.il>
- Date: Mon, 6 Aug 2001 21:52:24 +0300
- Cc: linux-il(at-nospam)linux.org.il
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Hebrew-Date: 18 Av 5761
- In-Reply-To: <Pine.GSO.4.33.0108061640280.24455-100000@techst02.technion.ac.il>; from shlomif@techst02.technion.ac.il on Mon, Aug 06, 2001 at 04:53:21PM +0300
- References: <Pine.GSO.4.33.0108061640280.24455-100000@techst02.technion.ac.il>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
- User-Agent: Mutt/1.2i
On Mon, Aug 06, 2001, Shlomi Fish wrote about "Slightly OT: Worms: Exploit Plug-ins and Benevolent Worms":
>
> Just a thought I had in mind. It is probably a matter of time before some
> smart hacker will write a worm that can be linked with the code or the
> specification of various exploits. That way, this worm can propagate into
> many computers, and in a way live on, assuming its source code is
> available.
There was something that came close to this: they "Hubris" virus that appeared
about 6 months ago. [note that I'm writing this from memory so I hope I'm
not making a foold of myself here - look it up in one of the antivirus sites
for more authoritative information]
This was an email worm (the type that relies on gullible Microsoft users,
not on buffer overflow exploits), that had several new and interesting
characteristics. One of them was the fact that it installed its own TCP
stack that "sniffed" your entire communications, and looked in it for email
addresses to send the worm to (rather then just assume the user was using
a specific mail client and look in it for a list of friends). This made it
spread more quickly and reliably, and it made it almost impossible to warn
your friends that they have this worm (you have no idea who the worm copy
is coming from - I got several from random people surfing one of my sites,
for example).
But another interesting characteristic of that worm, and the one relevant
to what you talked about is that it (ab)used newsgroups: every copy of the
worm would once in a while connect to one of several large newsgroup servers
(that could never be all shut down), and listen for a message with a specific
structure. When such a message (written by the worm writer through several
layers of anonymizers) was seen, the worm would check the message's signature
(using a very secure public-key signature mechanism to which only the worm
writer held the secret-key), and if it matched it would overwrite one of its
"modules" with the new code. The worm had several modules - the tcp sniffer,
the spreading (mailer) module, the payload module (putting a secured backdoor,
and formatting c:, or whatever, at the right time). The Hubris virus couldn't
have the problem of the original Code Red which tried to attack an inactive
IP address: the hubris author could (and reportedly did) "upgrade" all the
worms "installed" in the world at any time.
The hubris worm had another interesting solution to following problem: imagine
you write a worm that places backdoors in every system it "owns" (and if
you're smart you put a secret key on that backdoor). How will you (the
worm writer) then find all the systems in the world that have your backdoor?
If you scan the entire Internet (like some idiots are doing for the SubSeven,
NetBus, backOrifice, and other trojans), you'll need a very large amount of
bandwidth, and run a high risk of getting caught (if anybody cares enough
to try to catch you).
The Code Red II writer chose one alternative method: each of the "owned"
machines continues to probe other random machines, at a very high rate
(300 threads of spreading, or 600 on chinese(!)-language machines) until
October 1 this year, so all the worm writer has to do is sit at his machine
(or better yet, a selection of machines he previously "owns" in various
networks throughout the internet) and collect the port-80 logs. Of course,
since the backdoors are not protected in any way, everyone else can do the
same - hence the potential for mayhem and the fact that the original worm
writer will probably never gain anything from this worm.
But Hubris did something different: each copy of the worm would infect
other machines and collect the list of IPs it infected. Once a large-enough
list was collected by a worm "installation", it was encrypted (with a public
key, of course, so that even if the worm binary was recovered it wouldn't
help for decrypting the messages) and posted on a newsgroup (alt.virus?).
Then, all the worm writer needed to do was to read this newsgroup (like
thousands of other people are doing, so he wouldn't look suspicious), collect
the encrypted messages, and decrypt them. Nobody else (who didn't know his
secrect key) could get the list of infected hosts, and even if they did,
nobody else could enter the backdoor without the secret key.
The original Code Red got its (in)fame from the fact that it wasted a lot of
bandwidth on probing, the fact that it was supposed to attack whitehouse.gov,
and the fact that it was not only hurting "gullible" attachment-clickers
(some people think such saps deserve to get worms ;)). Code Red II got its
(in)fame from the fact that it created wide-open backdoors on over a hundred
thousand machines. But in my opinion, Hubris was a much more dangerous
technology.
> Now, I know there are differences of architectures and systems and that
> not all computers are affected by the same worm (unless it compiles itself
> or is written in perl or something like that), but it is still a very big
> hazzard.
Six years ago I saw a self-compiling worm in action: once it was in a Unix
host it ftp'ed in some toolkits, compiled one for the appropriate machine
type, became root (using some local root hole), compiled and installed a
sniffer (to get passwords to yet more machines), and when it got passwords
to remote machines it automatically propagated to those machines too. It
also installed a "rootkit" - a set of replacement programs like ls, ps, etc.,
to hide its processes and files. At the time I assumed such a complicated
setup (which I hadn't seen before) must have been the doing of some foreign
national agency, with a lot of money and man-power for designing such
ingenious tricks, but I no longer believe that this is necessarily the case:
there were enough crackers in the world, even back then (before the huge
Internet hype), who could write such a thing on their own.
> What could be done to solve it, is to make the worm a benevolent one. I.e:
> one that closes the exploits as soon as it infiltrated the computer. This
> is still illegal according to the law, but it's probably the best solution
> yet. The worm should also make the existence of the potential exploit
> known to the administrator, so he can fix it.
The moral problem with that solution is what happens if you have bug in your
program? Say your program blue-screen-of-death's the machine, which was at
the time running a server responsible for income of $1,000,000 an hour to the
company running it.
You can argue all you want that if you didn't penetrate that machine some
other worm will, but I wouldn't want to be your lawyer... (I wouldn't want
to be a lawyer at all, but that's another issue :))
--
Nadav Har'El | Monday, Aug 6 2001, 18 Av 5761
nyh@math.technion.ac.il |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |The 3 stages of sex: Tri-weekly, try
http://nadav.harel.org.il |weekly, try weakly.
=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il