In some ways, network worms are the scariest of Internet attacks. The idea that your computer can be attacked while just sitting around minding its own business is rightly considered a greater threat than one that requires the user to perform some affirmative action.
There have been a few major worm attacks over the last few years, generally exploiting buffer overflows in network protocols in Windows. Hence the bug in the RPC handler brought us Blaster, the bug in LSASS brought us Sasser, and so on.
In every case, as far as I remember, there was a period of at least several weeks between the release of the worm and the release of the advisory and the patch for the bug. And we may have a new worm in the offing to take advantage of the recently revealed flaws in the Windows TCP/IP stack in Windows 2000 and Windows XP SP1.
Thus, two researchers at the University of Florida have devised an “Internet-worm early warning system” to assist in quick protection against the threat. Its not an easy document to read, but I gave it my best shot, and Im really unimpressed. The paper glosses over significant aspects of how the system would actually work, and I have doubts about how new anything in it really is. Instead, it focuses on the algorithm for detecting that network scanning traffic is a pre-attack probe for a worm, and gets quite mathematical in the process.
For example, there is only a passing mention of how warnings get issued to the outside world from the EWS. Its also basically silent, as far as I can tell, on how the signatures get created, other than an offhand reference to string-matching and the challenges of polymorphic worms. But even though the abstract for the paper says that the system should provide possible signatures, theres nothing new here in that regard. I assumed that the paper would include some automated system for generating signatures.
The premise of this system is that many users arent going to patch their systems, so vulnerabilities need to be addressed some other way, specifically through IDS/IPS using signatures gathered through systems such as this. The authors brush off the idea that people should be strongly advised to patch vulnerabilities; they do presume, of course, that this system will be frictionless.
Also, “the focus of the paper is on TCP-based worms,” with UDP and “targeted scanning worms” to be addressed in a future paper. This is not an unimportant distinction; Slammer, perhaps the most devastating of the worms at its peak, is UDP-based, and that was a big part of what made it so fast.
Finally, is there really anything new here? There are already private warning systems such as Symantecs DeepSight Threat Management System. It takes probe info from a huge customer base of systems all over the world and feeds it back to the company, which issues warnings through a variety of mechanisms.
Consider this quote I got from an e-mail from Symantec about Blaster on Aug. 11, 2003: “Through Symantecs DeepSight Threat Management System, Symantec has identified that over 57,000 systems have been infected and are currently launching probes against Port 135. This number has grown exponentially in the last 24 hours as the average was 1000 – 2000 as of August 10th. Symantecs Managed Security Services reports that W32.Blaster.Worm is propagating at a rate of roughly 20% that of the Slammer worm, in terms of instances of infection (unique IP addresses) per hour passing through our clients security devices.”
How new can the UFL method really be? I see incremental improvements in some regards, but nothing really noteworthy.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer