Re: [iwar] How bigger, badder Code Red worms are being built

From: e.r. (fastflyer28@yahoo.com)
Date: 2001-09-06 10:17:08



Does it really matter? The "horse is out of the barn" as with Napster. 
Far more serious matters of finance and international security are now
in the balance with Iwar.  It might be useful to start looking at these
issues as they can affect either the periodicity of war, or the 
ultimate outcome of warfare and the geostrategic balance of world
power.  Those are the "bottom line" matters we all must address. Even
engineers must consider these factors in their calculations.  How to do
so is a difficult consideration.  Netcentric is a global issue.  



--- Fred Cohen <fc@all.net> wrote:
> How bigger, badder Code Red worms are being built 
> 
> Robert Vamosi,
> Associate Editor,
> ZDNet Reviews
> 
> http://www.zdnet.com/anchordesk/stories/story/0,10738,2810238,00.html
> 
> As I write this, there are two new fast-spreading Internet worms for
> Windows users: Apost
> <http://www.zdnet.com/products/stories/reviews/0,4161,2810219,00.html>
> does the now-familiar "e-mail itself to everyone" thing we've come to
> expect from Windows worms and viruses, except this worm sends multiple
> copies of itself. And then there's an updated version of Magistr
> <http://www.zdnet.com/products/stories/reviews/0,4161,2810225,00.html>,
> redesigned to infect even more users with its destructive payload.
> Faster propagation has been the trend with Win32 viruses and worms,
> but what if rapid propagation methods were employed for network-savvy
> worms such as Code Red? Well, someone has already given thought to
> that.
> 
>   
> Andy Warhol is famous for saying "In the future, everybody will have
> 15 minutes of fame." Nicholas Weaver at UC Berkeley has written a paper
> <http://www.cs.Berkeley.edu/~nweaver/warhol.html> proposing that virus
> writers constructing some future Code Red-like worm add a list of
> 10,000 to 50,000 "well connected" Internet servers, then launch the
> virus. The advantage, he argues, is that even if only 10 to 20 percent
> of the servers are vulnerable to the worm's exploit, that would still
> be an enormous jump on Code Red and previous worms. Weaver adds that
> the initial 10 percent infection could be achieved in the first minute
> or so; he then proposes that his "uberworm" could infect most of the
> Internet within 15 minutes (hence the Warhol worm).
> 
> NOT TO BE OUTDONE, the team of Stuart Staniford, Gary Grim, and Roelof
> Jonkman at Silicon Defense proposed
> <http://www.silicondefense.com/flash>
> an even greater propagation rate: they claim they can infect the
> Internet in 30 seconds. They argue that a worm writer could scan the
> Internet in advance and identify almost all of the vulnerable systems
> on the Internet before launching the worm. With a very fast Internet
> connection (they mention an OC12 link), they argue even a 48MB address
> list of vulnerable Internet addresses could be sent out in about 4
> minutes.
> 
> Jose Nazario, a biochemist by trade who has previously offered
> valuable insights on digital worms
> <http://www.zdnet.com/anchordesk/stories/story/0,10738,2797739,00.html>,
> points out that neither of these papers takes into account the basic
> elements of propagation on the Internet. Nazario points to an IBM
> paper called "How Topology Affects Population Dynamics"
> <http://researchweb.watson.ibm.com/antivirus/SciPapers/Kephart/ALIFE3/alife3.html>,
> which looks at lessons learned from biological infections and how,
> with an understanding of this model, programmers might better design
> future digital organisms (they don't specifically say "worms").
> 
> Basically, the authors of both the Warhol and Flash worms assumed a
> very simple Internet model where every node to be infected is a
> neighbor of every other node. The reality is much more complicated.
> That's what Nazario says torpedoes the technical merits of both of
> these studies.
> 
> SO WHY even mention this research? Nicolas Weaver himself posts that
> he is leaving his paper up online so that people can understand, with
> documentation, what danger there is in a homogenous Internet. Someone
> will attempt to do what these authors have proposed, and someone might
> someday make a worm that "flashes" the entire Internet with a
> malicious payload. Rather than be caught unaware, isn't it better to
> realize this is out there and take steps to minimize its impact?
> 
> Weaver proposes that companies use context-sensitive firewalls where
> only "that which is not explicitly allowed is forbidden." He further
> suggests internal firewalls throughout the company and regular
> security audits. He adds, "regular backups are also essential." He
> further suggests that: "Homogenous populations, whether in potatoes or
> computers, are always more vulnerable to diseases." That's something
> to remember when implementing one or multiple types of servers on your
> network. Just as biodiversity has kept life going on Earth, mixing up
> one's operating systems can only strengthen the Internet
> 
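
Added example (not part of the original message or the quoted article): a small seeded simulation of the defensive claims quoted above, showing how the share of hosts running the vulnerable software and internal firewalls between segments bound the reach of a randomly probing worm. The host count, probe rate and segment layout are constructed assumptions, and apart from the segment rule the model is the "every node is a neighbor" simplification that Nazario criticizes.

```python
import random

def simulate(n_hosts=2000, vulnerable_frac=1.0, segments=1,
             cross_segment_allowed=True, probes_per_tick=3, ticks=12, seed=1):
    """Susceptible-infected model; returns infected-host count after each tick."""
    rng = random.Random(seed)  # seeded so runs are repeatable
    # Constructed population: host i sits in segment i % segments, and a fixed
    # share of hosts runs the software the worm can exploit.
    vulnerable = [rng.random() < vulnerable_frac for _ in range(n_hosts)]
    vulnerable[0] = True       # the first infected host is vulnerable by definition
    infected = {0}
    history = []
    for _ in range(ticks):
        newly = set()
        for src in sorted(infected):
            for _ in range(probes_per_tick):
                dst = rng.randrange(n_hosts)          # uniform random probing
                same_segment = dst % segments == src % segments
                if not same_segment and not cross_segment_allowed:
                    continue   # internal firewall: default deny between segments
                if vulnerable[dst]:
                    newly.add(dst)
        infected |= newly
        history.append(len(infected))
    return history

def compare():
    """Final infected counts for the three constructed scenarios."""
    return {
        # one platform everywhere, flat network
        "homogeneous_flat": simulate()[-1],
        # only 30% of hosts run the vulnerable platform
        "mixed_platforms": simulate(vulnerable_frac=0.3)[-1],
        # same platform everywhere, but 10 segments with no cross-segment traffic
        "segmented": simulate(segments=10, cross_segment_allowed=False)[-1],
    }

if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:18s} {count:5d} of 2000 hosts infected after 12 ticks")
```

The segmented run can never leave the first host's segment, and it also spreads more slowly inside it because most probes are dropped at the internal firewall.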






This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:40 PDT