[iwar] [fc:Coming.Soon:.Attack.Of.The.Super.Worms]

From: Fred Cohen (fc@all.net)
Date: 2002-07-27 10:39:53


To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Sat, 27 Jul 2002 10:39:53 -0700 (PDT)
Subject: [iwar] [fc:Coming.Soon:.Attack.Of.The.Super.Worms]
Reply-To: iwar@yahoogroups.com

Coming Soon: Attack Of The Super Worms
Date:  Wednesday, 24 July 2002

Source:  Silicon Valley News
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8576

Story:  The threat to computer networks from worms is multiplying in
both sophistication and potential for damage, according to security
experts. The industry is on the cusp of an evolution in computer worms
-- those malicious programs that replicate themselves and can spread
automatically over the network from one machine to another, wreaking
havoc as they go. And that evolution is bringing a new breed of problems
for network and security administrators.

"I think there's a lot of potential for damage coming down the pike,"
says Stephen Trilling, senior director of research at Symantec Corp., an
Internet security company based in Cupertino, Calif. "We will see worms
with increasing sophistication. We'll see worms with new ways of
spreading. We'll see worms that can spread themselves through Instant
Messaging...They can steal documents and information from your machine.
They can create new holes in your system, and once they've taken over
your machine, they can launch attacks from it."

A few recent worms and viruses -- such as the Frethem.E and the Simile.D
-- didn't wreak any havoc on the Internet but they did serve as a
warning for future worm attacks, say security analysts.

The Frethem worm had the ability to propagate itself. It collected email
addresses from the Windows Address Book and used its own SMTP engine to
send out infected messages. The Simile virus is largely considered the
first complicated virus with cross-platform capabilities -- able to
attack both Windows and Linux operating systems.
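As an added example that is not part of the article: a defender-side check for the "own SMTP engine" behaviour described above, run over constructed flow records. A desktop that opens outbound TCP/25 connections to many distinct hosts in a short window is bypassing the site's mail relay, which is what an embedded SMTP engine does. The relay address, window and threshold are assumptions.

```python
# Added example (not from the article): flag hosts that behave like a
# mass-mailing worm carrying its own SMTP engine, as Frethem is described.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("2002-07-24T10:00:01", "10.0.0.5", "10.0.0.2", 25),       # to relay, fine
    ("2002-07-24T10:00:05", "10.0.0.7", "198.51.100.10", 25),  # desktop, direct
    ("2002-07-24T10:00:06", "10.0.0.7", "198.51.100.11", 25),
    ("2002-07-24T10:00:07", "10.0.0.7", "203.0.113.4", 25),
    ("2002-07-24T10:00:09", "10.0.0.7", "203.0.113.9", 25),
    ("2002-07-24T10:00:12", "10.0.0.7", "192.0.2.77", 25),
    ("2002-07-24T10:00:15", "10.0.0.7", "192.0.2.80", 80),     # web, ignored
    ("2002-07-24T10:00:20", "10.0.0.2", "198.51.100.10", 25),  # relay itself
    ("2002-07-24T10:00:21", "10.0.0.2", "203.0.113.4", 25),
    ("2002-07-24T10:00:22", "10.0.0.2", "192.0.2.77", 25),
    ("2002-07-24T10:00:23", "10.0.0.2", "192.0.2.78", 25),
    ("2002-07-24T10:00:24", "10.0.0.2", "192.0.2.79", 25),
]

# Hosts allowed to speak SMTP to the outside world (assumed site policy).
MAIL_RELAYS = {"10.0.0.2"}


def find_smtp_engines(flows, relays=MAIL_RELAYS,
                      window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: set(dst_ips)} for non-relay hosts that contacted at
    least `threshold` distinct SMTP destinations inside any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25 and src not in relays:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        # Slide the window from each event; stop at the first hit per host.
        for i, (start, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - start <= window}
            if len(dsts) >= threshold:
                suspects[src] = dsts
                break
    return suspects


if __name__ == "__main__":
    for host, dsts in find_smtp_engines(SAMPLE_FLOWS).items():
        print(f"{host}: {len(dsts)} distinct SMTP peers, relay bypassed")
```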

And that's just a taste of what's to come, according to George Bakos,
senior security expert at the Institute for Security Technology Studies
at Dartmouth College in Hanover, N.H.

"Hybrid worms are going to become more and more common," says Bakos.
"They're going to be attacking multiple vulnerabilities, maybe on
multiple operating systems."

Bakos says the industry should expect the arrival of worms with new and
powerful capabilities: worms that infect a computer and then set up a
communication channel back to their controller. He also warns that
administrators should be aware of more polymorphic worms, which are worms
designed to hide their own presence.

Sleeper Worms Waiting To Strike

"If you had a worm that incorporated these points, you'd have a whole
new life form," says Bakos. "And it would have a long life."

Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a
wholly owned subsidiary of Raytheon, says the industry is looking at the
coming of such attacks as super worms and sleeper worms.

A sleeper worm infects a computer but doesn't automatically attack the
system as soon as it's in. Instead, the worm waits for a signal before
it attacks. The signal could be a predetermined time or date, or the
arrival of a certain email, or simply the 17th time that the user logs
onto her system.

"It goes in and waits for a while and then resurfaces after you think
you've cleaned out your system," says Woolley. "They can be placed there
and you have no idea they're there...Worms can be very quiet. It can be
hidden in a file you don't even know exists. It's not something the
average Joe Blow script kiddie is not going to come up with. It's very
sophisticated."

Symantec's Trilling says sleeper worms are particularly dangerous
because they can be spread across the Internet and then awakened all at
once to launch a targeted attack on a particular company, organization,
sector of the Internet or even a country.

"There are a lot of machines out there that are vulnerable and once
they're all harnessed, they can do a lot of damage," says Trilling.

Another category of attack is the super worm, generally considered to be
a blended or hybrid worm. That means it can propagate itself and can pack
attacks on a number of vulnerabilities into one payload. For instance, a
super worm would get into a system and not stop at one vulnerability: it
would try one known vulnerability, then another, and another.

"It will pack a number of vulnerability attacks into a single warhead
and one of them is bound to stick," says Woolley. "It will find
something that you haven't patched and you'll be caught. I don't think
any company is completely patched up. Look at all the vulnerabilities
that come out on a day-to-day basis and think of a large corporation
that has multiple servers, multiple systems and multiple networks. How
do you stay on top of them all? Administrators often times have systems
out there they don't even know exist, and if you don't know they're
there, how can you possibly patch them?"

IM Vulnerabilities

And while administrators are trying to patch their networks, they also
need to be keeping a close eye on Instant Messaging, says Symantec's
Trilling.

Trilling says he's starting to see worms that spread themselves over IM.
A hacker sends a link to an IM user, the user clicks on it and a worm
spreads to everyone in the user's IM address book.

"With Instant Messenger, you're connected all the time so you're
vulnerable all the time," says Trilling. "Over the next year to two
years, we'll see much more of this."

Keith Rhodes, chief technologist at the U.S. General Accounting Office
in Washington, D.C., says administrators should be patching up their
systems, updating their anti-virus software and educating their
employees because worm attacks are about to get much worse.

"I think we're on the cusp of something," says Rhodes. "As computing
evolves, so do the malicious attacks. Your ability to understand them
improves so your opponent also improves. The attacks become faster. The
software becomes more complex and buggier. Your opponents, therefore,
have much more opportunity to attack you."

------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT