Security experts are warning that the problems spawned by the malicious computer program Code Red may be dwarfed by the pain that lies ahead. Some worry that Internet security problems are going to get really bad, really soon, especially because of the "polymorphic worm," an impending threat that is nearly undetectable by today's signature-based tools.
"Code Red is just the beginning," said Nir Zuk, chief technology officer of OneSecure, which designs Internet security technology. Zuk said threats, including polymorphic worms, are on the way, and no viable defenses exist. "The entire security of the Internet really doesn't work, and something new has to come out [to improve security], and we're still waiting for it."
The Code Red worm uses a well-known buffer overflow vulnerability in Microsoft's Internet Information Server to penetrate the server, deface the Web site and use the compromised machine to scan the Internet for more vulnerable systems.
The July version of Code Red infected 280,391 computers, but the August incarnation spread to 343,345 by Friday, Aug. 3, according to the SANS Institute, which tracks such threats.
But Code Red is really small potatoes compared with a new type of attack called a polymorphic buffer overflow, said Ed Skoudis, vice president of security strategy of Predictive Systems, a network-security consulting firm.
While it may sound like a setting on a Klingon disruptor from the Star Trek television series, polymorphic buffer overflow is a very real 21st century threat. The idea has been around for years, and it has been used to improve the efficiency of Internet viruses. But the hacker known as K2 was the first to make some use of it in attacking Web servers, as he demonstrated at the recent Def Con hacker conference in Las Vegas.
A polymorphic buffer overflow morphs part of its code every time it propagates. So a detection system built around one copy of the code never recognizes the next, yet the underlying buffer overflow attack code remains intact. Skoudis said he expects to see attacks using polymorphics in the next couple of months, and doesn't believe current intrusion detection systems (IDS) will be able to stop them.
Such detection systems are the burglar alarms of Internet security. They monitor systems and network traffic in real time to spot anything out of the ordinary, and they sound an alert when they find a problem.
"The next step will be a polymorphic worm, and if the worm could alter its appearance, it could get really nasty," Skoudis said. "Every time it has a different signature, and IDS won't be able to pick it up."
K2 — who never reveals his real name — has put together data on polymorphics for other hackers to use and distribute en masse.
"This is a big problem because current solutions like IDS look for specific strings or lengths and look for things they know about," said Chad Harrington, an executive of Entercept Security Technologies. "When there are ways you can play games with that to fly through those buffers, that's a game we won't win."
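The point Skoudis and Harrington make can be shown on constructed traffic. This added example is not from the article or from any vendor named in it: an exact-byte signature written against one instance of an oversized request misses a second instance whose filler bytes differ, while a check on the request's shape (URI length and the share of non-printable bytes) flags both. The request paths, limits and sample bytes are assumptions; the filler is inert stand-in data, not an exploit string.

```python
"""Exact-string signature versus a structural check on constructed HTTP requests."""
from typing import Dict, List

URI_LIMIT = 256            # assumed: longest legitimate path on the protected server
BINARY_RATIO_LIMIT = 0.30  # assumed: share of non-printable URI bytes that is suspicious

# Constructed traffic, not captures. The repeated filler stands in for an
# overflow string; nothing executable is encoded here.
NORMAL = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
VARIANT_A = (b"GET /example-handler.dll?" + b"\xaa\xbb\xcc\xdd" * 100
             + b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n")
VARIANT_B = (b"GET /example-handler.dll?" + b"\x91\x7e\xc3\xf4" * 100
             + b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n")
# Hypothetical signature an analyst wrote after seeing VARIANT_A on the wire.
FIXED_SIGNATURE = b"\xaa\xbb\xcc\xdd\xaa\xbb\xcc\xdd"


def request_uri(raw: bytes) -> bytes:
    """Return the URI from the request line, or b'' if the line is malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) == 3 else b""


def signature_match(raw: bytes) -> bool:
    """Content-dependent detection: fires only if the recorded bytes reappear."""
    return FIXED_SIGNATURE in raw


def structural_reasons(raw: bytes) -> List[str]:
    """Content-independent checks on the request's shape, not its payload bytes."""
    uri = request_uri(raw)
    reasons = []
    if len(uri) > URI_LIMIT:
        reasons.append(f"uri length {len(uri)} > {URI_LIMIT}")
    if uri:
        binary = sum(1 for b in uri if b < 0x20 or b > 0x7E)
        if binary / len(uri) > BINARY_RATIO_LIMIT:
            reasons.append(f"non-printable ratio {binary / len(uri):.2f}")
    return reasons


def evaluate(raw: bytes) -> Dict[str, object]:
    """Run both detectors and report which one would have alerted."""
    reasons = structural_reasons(raw)
    return {"signature": signature_match(raw), "structural": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        print(name, evaluate(req))
```

Variant B carries the same oversized, binary-heavy URI as variant A but none of the signature's bytes, so only the structural check alerts on it.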
Some IDS vendors, including Martin Roesch, president of Sourcefire and creator of Snort, the most popular open-source IDS, aren't convinced polymorphics are such a big threat.
“Intrusion detection is electronic warfare — measures and countermeasures,” Roesch said. “We try to make a better radar detector and they make a better radar.”
However, K2 said in an e-mail interview that he used an IDS sensor in his Def Con demonstration and it failed to pick up anything. “No [IDS] vendor has demonstrated any detection capabilities thus far to myself,” he said.
George Kurtz agreed with K2, and said IDS is "inherently flawed." Kurtz is CEO of Foundstone, an organization that tests network security. One IDS circumvention technique hackers use today is to send the attack through a Web server's Secure Sockets Layer (SSL) port, where the traffic is encrypted; a network IDS watching the wire cannot inspect the encrypted payload, so it is blind to the attack.
"Most Web servers have an SSL component today," Kurtz said. He also knows K2 and can vouch for his ability to make polymorphics work. "He's amazing. There are a few people capable of putting that stuff together, and he's definitely one of them."
But it's not clear K2's technology is even necessary, because most companies aren't applying even the most basic security to protect their networks, said Christopher Klaus, chief technology officer of Internet Security Systems, which recently acquired Network ICE, maker of one of the most widely used Windows-based IDS programs.
"The attacks K2 is coming out with can get through some of the IDS out there, but the bigger issue is these systems are wide open to begin with," Klaus said. "He's come up with a super-secret way to circumvent the burglar alarms when the front door is wide open."
Kurtz, however, is worried about the next weapon in the hacker arsenal: a single worm that can exploit different vulnerabilities in different software systems, choosing the right attack for whatever target it encounters.
Code Red, which exploits only one vulnerability, caused massive disruption. A worm that can exploit multiple holes could be devastating, security experts say.