<<< Date Index >>>     <<< Thread Index >>>

Re: Will a smart worm be made in the near future?



your worst case scenario all depends on what your goal is.

widespread financial devastation can occur through many mechanisms.
hardware destruction is just one of them, but in the end what does that
get you? you would probably disrupt a national economy for a few months,
and probably cause a few business to go bankrupt.

causing this disruption can occur through many different means, however.
causing everyone's hardware to go belly up isn't even required. remember
the klez mail-based worm/virus? it would spew random documents from a
system to random recipients. various private documents from sensitive
sources wound up publicly viewable. think about the likely damage of
corporate secrets getting out, including private methods and techniques.

long term DDoS attacks can cripple enterprises. as long as you have an
army of hosts you gathered with a worm, why not do something useful with
it? flood an opponent with spam, flood 'em with packets, etc ...

besides, if you do flooding for pay (or spam for pay), you'll make a few
bucks. why not use a worm, a highly efficient mechanism to deliver a
payload far and wide, to do this.

the worm's spread as a DDoS is a double edged sword. in a matter of a few
hours widespread filtering was going on in the core for the SQLSlammer
worm. but for a few hours it fouled a lot of things up. this is because
the worm used a service that had no business going across the backbone.
now consider such a worm using a service that is critical to Internet
operations, is DNS on UDP. how soon would that get blindly filtered?
network saturation to the point that infections cannot occur any longer
occurs only after you've gone well beyond a critical mass and widespread
topological dispersion.

i cover a number of these proposed worst-case scenarios in my book
"Defense and Detection Strategies against Internet Worms" (2003, Artech
House). they include some zalewski has proposed, i have proposed (along
with anderson, wash and connolley), weaver has proposed, and staniford has
proposed.

more recently vogt investigated the effects of propagation methods on the
pace of a worm's progress:

        http://www.securityfocus.com/data/library/WormPropagation.pdf

you should definitely have a look at this and consider what would happen
if the host were "killed" too soon after infection.

lastly, a very recent paper from weaver and paxson is worth reading:

        http://www.dtc.umn.edu/weis2004/weaver.pdf

the looks at pretty much the scenario you schemed up with more detail. in
the end it's a lot of speculation, but if you're interested in potential
large-scale hardware damage have a look at that.

finally, ptacek and myself presented some work we're currently working on,
a theory of wormability, at cansecwest last month. in it we discuss
scenarios like "printer slammer" (a fast moving worm targetted at embedded
printers ... imagine every printer in major enterprises being shut down),
which we feel are very real threats (printer vulnerabilities which allow
for network code execution, slow remediation rates, costly downtime).

as to your points 4 and 5, upgradable and stealthy worms are already out
there and yep, they're sinister. we said back in 2000 and 2001 that you'd
be seeing them appear more significantly and yep, we are.

in short you're not the first person to scheme this up, you wont be the
last, and i encourage you to think about goals (ie widespread financial
devastation, in your case) and ways of doing it without ultimately
stopping the worm. remember, what you seek to destroy is also your home
(the network and host systems).

________
jose nazario, ph.d.                     jose@xxxxxxxxxx
http://monkey.org/~jose/                http://infosecdaily.net/