Worm Early Warning System Late to the Game

By Larry Seltzer  |  Posted 2005-04-20 Print this article Print

Opinion: It's sure got a whole mess of Greek characters and superscripts, but there's not a whole lot that's new in the proposed early warning system for Internet worms.

In some ways, network worms are the scariest of Internet attacks. The idea that your computer can be attacked while just sitting around minding its own business is rightly considered a greater threat than one that requires the user to perform some affirmative action. There have been a few major worm attacks over the last few years, generally exploiting buffer overflows in network protocols in Windows. Hence the bug in the RPC handler brought us Blaster, the bug in LSASS brought us Sasser, and so on. In every case, as far as I remember, there was a period of at least several weeks between the release of the worm and the release of the advisory and the patch for the bug. And we may have a new worm in the offing to take advantage of the recently revealed flaws in the Windows TCP/IP stack in Windows 2000 and Windows XP SP1.

Thus, two researchers at the University of Florida have devised an "Internet-worm early warning system" to assist in quick protection against the threat. Its not an easy document to read, but I gave it my best shot, and Im really unimpressed. The paper glosses over significant aspects of how the system would actually work, and I have doubts about how new anything in it really is. Instead, it focuses on the algorithm for detecting that network scanning traffic is a pre-attack probe for a worm, and gets quite mathematical in the process.

For example, there is only a passing mention of how warnings get issued to the outside world from the EWS. Its also basically silent, as far as I can tell, on how the signatures get created, other than an offhand reference to string-matching and the challenges of polymorphic worms. But even though the abstract for the paper says that the system should provide possible signatures, theres nothing new here in that regard. I assumed that the paper would include some automated system for generating signatures.

The premise of this system is that many users arent going to patch their systems, so vulnerabilities need to be addressed some other way, specifically through IDS/IPS using signatures gathered through systems such as this. The authors brush off the idea that people should be strongly advised to patch vulnerabilities; they do presume, of course, that this system will be frictionless. Also, "the focus of the paper is on TCP-based worms," with UDP and "targeted scanning worms" to be addressed in a future paper. This is not an unimportant distinction; Slammer, perhaps the most devastating of the worms at its peak, is UDP-based, and that was a big part of what made it so fast.

Finally, is there really anything new here? There are already private warning systems such as Symantecs DeepSight Threat Management System. It takes probe info from a huge customer base of systems all over the world and feeds it back to the company, which issues warnings through a variety of mechanisms. Consider this quote I got from an e-mail from Symantec about Blaster on Aug. 11, 2003: "Through Symantecs DeepSight Threat Management System, Symantec has identified that over 57,000 systems have been infected and are currently launching probes against Port 135. This number has grown exponentially in the last 24 hours as the average was 1000 - 2000 as of August 10th. Symantecs Managed Security Services reports that W32.Blaster.Worm is propagating at a rate of roughly 20% that of the Slammer worm, in terms of instances of infection (unique IP addresses) per hour passing through our clients security devices."

How new can the UFL method really be? I see incremental improvements in some regards, but nothing really noteworthy.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel