The worm
invasion will feature distributed denial-of-service (DDoS) attacks
against Microsoft's website and those of anti-virus software vendors
or spam prevention websites. This will hinder distribution of removal
tools and prevent detection of worm spam.
The SuperWorm would combine the capabilities of recent worms/viruses.
This hi-tech worm could lever itself into becoming a "WormNet"
inside the existing Internet, with worms on individual infected computers
sending encrypted communications to each other. Worms could exchange
latest worm-code updates and get lists of new attack targets. These
features would even enable them to morph into new worm generations.
Once established, the SuperWorm would be a permanent presence on the
Internet. It could be scaled up and down in intensity or retargeted
by its human controller(s). It could also be used to untraceably broadcast
to the world audience on the Internet.
THE BIG ONE
The FBI just spent two weeks catching the incredibly inept teenage
author of a Blaster worm variant. Meanwhile the much more dangerous
threat comes from the creator(s) of the Sobig
worm.
Is it just a coincidence that the Sobig.F variant expires on the 10th
of September, meaning the next release is due on September 11th?
"The MO of the author is to release a new version just before the
expiry of the last one," said Mark Summer, at security firm MessageLabs.
Curiously, the Sobig author(s) recently took a break. The last SoBig.F
version followed on from A, B, C, D and E. Each bigger and better
than the last. But there was an untypical gap of a full month between
E and F.
"We think he may have taken a vacation or something," said one reportedly
exasperated FBI source.
Perhaps not. Maybe Sobig.F was delayed a month so that the imminent
Sobig.G release would fall on the 11th September target date.
Therefore the 9/11 Sobig release date is a clear warning of a catastrophic
attack on 9-11-'03. The author(s) are hinting of a calamity.
Do they have the capability to seriously disrupt the Internet? You
bet. These are no 'script-kiddies.' They are professionals. Security
experts agree:
"This is the undisputed heavyweight champion of viruses," according
to Scott Petry of email-security firm Postini in Redwood City, California.
"It is very well planned, very well designed and very well executed,"
said Mikko Hypponen, director of antivirus research for F-Secure of Finland.
Let's go further than that. Let's say that Sobig.F was so slick that
the author(s) were toying with us as they road-tested their 9/11 worm
release.
ULTIMATE WORMWARE
With inbuilt encryption and email, coupled to sophisticated delivery,
defense and updating capabilities, Sobig.F was advanced wormware.
Security analysts think it got a power-assisted launch on the Internet
by an initial mass-mailing to a spammer's list of email addresses.
That spam launch may have come from hijacked open-relays on already
compromised computers.
Even as Sobig spread, the Blaster
worm had already spawned an army of worms which has easily taken Microsoft's
Windowsupdate.com
website off-line. Try the link. It's still off-line, and not expected
to return. The next Sobig variant could adopt this Blaster tactic
and have a list of targets designed to hinder user access to the patches
needed to fix infections.
Sobig.F was programmed to seek an update of its code from about 20
compromised computers on the Net. By decrypting the Sobig.F code,
a list of these sites was discovered and they were shut down. Only
just in time too.
However, only one update site had content. And that merely redirected
to a sex site. In truth, the author(s) likely never intended to place
new code on the 20 update sites anyway. The technique looks like a
test or even a decoy. But the intent to make updates possible is worrying.
Suppose we could not stop the update.
If the upcoming Sobig.G enables the worms themselves to exchange new
updates and avoids naming update sites explicitly in the virus code,
we are powerless to stop the updates. Instead of taking directions
from named update servers, the worms could sniff each other out on
the net to swap latest code.
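The defensive counterpart to the update phase described above is spotting it in egress logs: a fleet of internal hosts contacting the same external address and port within seconds of one another. This is an added example, not code from the article or from any vendor; it assumes a simple key=value firewall log format, and the sample lines and TEST-NET addresses are constructed, not the real Sobig.F server list.

```python
"""Detect a synchronized "update check" burst in outbound firewall logs.

Added example, not code from the article. The log line format is an
assumption; the sample below is constructed (TEST-NET addresses).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: three internal hosts hit the same external host:port
# within a few seconds of 19:00 UTC, mixed with ordinary web traffic.
SAMPLE_LOG = """\
2003-08-22T18:59:58Z action=allow proto=udp src=10.0.0.12 dst=203.0.113.7 dport=9999
2003-08-22T19:00:00Z action=allow proto=udp src=10.0.0.31 dst=203.0.113.7 dport=9999
2003-08-22T19:00:01Z action=allow proto=udp src=10.0.0.44 dst=198.51.100.9 dport=9999
2003-08-22T19:00:01Z action=allow proto=udp src=10.0.0.57 dst=203.0.113.7 dport=9999
2003-08-22T19:00:02Z action=allow proto=udp src=10.0.0.12 dst=198.51.100.9 dport=9999
2003-08-22T19:00:03Z action=allow proto=tcp src=10.0.0.80 dst=192.0.2.20 dport=80
2003-08-22T19:07:15Z action=allow proto=tcp src=10.0.0.31 dst=192.0.2.20 dport=443
"""


def parse_line(line):
    """Return (timestamp, fields) for one log line; fields is a dict."""
    stamp, rest = line.split(" ", 1)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields


def find_sync_bursts(log_text, window_s=10, min_sources=3):
    """Group connections per (dst, dport) and report every target that at
    least `min_sources` distinct internal hosts contacted within `window_s`
    seconds.  Returns {(dst, dport): (window start, sorted sources)}."""
    by_target = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        by_target[(f["dst"], f["dport"])].append((ts, f["src"]))

    hits = {}
    for target, events in by_target.items():
        events.sort()
        lo = 0
        # sliding time window over this target's time-ordered events
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            sources = {src for _, src in events[lo:hi + 1]}
            if len(sources) >= min_sources:
                hits[target] = (events[lo][0], sorted(sources))
                break
    return hits


if __name__ == "__main__":
    for (dst, dport), (start, srcs) in find_sync_bursts(SAMPLE_LOG).items():
        print(f"{start.isoformat()} {dst}:{dport} <- {len(srcs)} hosts: {srcs}")
```

Lowering `min_sources` or widening `window_s` trades false positives for sensitivity; tuning it against a day of known-clean logs is the usual first step.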
WORMNET WRIGGLE
This "WormNet" concept has been discussed in a
prior theoretical wishlist, detailing the architecture of a possible
superworm. Sobig is definitely slick enough to implement this ultimate
wormware.
Once the Internet gets infected with "WormNet," the worm
updates could be automatically distributed to all worms faster than
the anti-virus vendors could persuade humans to get patches. Especially
if their websites are under denial of service attacks.
Secreted on hundreds of thousands of computers, WormNet would become
an intractably persistent presence -- piggybacking on existing Internet
communications protocols.
We would be unable to break into the "WormNet" distribution
system, because worm messages would be encrypted and signed with unique
codes. Each message would have to be individually cracked.
Finally, imagine a "WormNet" which was exchanging Blaster-type
virus code that enabled it to spread without users having to
open infected emails, but by tapping open-port vulnerabilities on
Internet connections. Doesn't bear thinking about.
WORM INTELLIGENCE
The worms would need a map of vulnerable ports on the Internet.
As it happens, stealth activity has been crisscrossing the Internet
for the last few months, which indicates that someone may be preparing
just such a map.
In June 2003, security researchers at Intrusec said that a sneaky
Trojan application called 55808 had installed itself on an unknown
number of Internet-connected servers and was scanning and mapping
the Internet. The traffic consists of data packets with a window size
of 55,808 bytes.
Another firm, Lancope, said the Trojan probes were at a rate that would
lead to 63% of the IP addresses on the Internet being probed every 17 hours.
The Trojan is a distributed port scanner which is very difficult to
detect. It communicates by sending out information to random addresses
hoping that another computer infected with the program is listening.
This way the communications are untraceable.
"Though there isn't a direct communication channel, all of these Trojan
agents, or zombies, are working together," said Dan Ingevaldson, team
leader for Internet Security Systems. "Someone is trying to map
Internet-connected networks."
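The one concrete handle the page gives a network defender on the 55808 scanner is its fixed TCP window size. The following added example (not code from the article, Intrusec or Lancope) flags packets carrying that window in a tcpdump-style text capture and then summarises which sources are sweeping many distinct hosts; the line format is an assumption and the capture lines are constructed.

```python
"""Flag TCP probes with the 55808 signature window and rank scanning sources.

Added example, not from the article. Assumes tcpdump-style text lines;
the sample capture below is constructed (TEST-NET addresses).
"""
import re
from collections import defaultdict

SIGNATURE_WINDOW = 55808  # window size the page reports for the Trojan's probes

# Constructed sample: one source sweeping four hosts with the signature
# window, one lone signature packet, and two normal connections.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 198.51.100.23.1024 > 192.0.2.1.80: Flags [S], seq 1, win 55808
12:00:01.101 IP 198.51.100.23.1025 > 192.0.2.2.80: Flags [S], seq 1, win 55808
12:00:01.102 IP 198.51.100.23.1026 > 192.0.2.3.22: Flags [S], seq 1, win 55808
12:00:01.103 IP 198.51.100.23.1027 > 192.0.2.4.443: Flags [S], seq 1, win 55808
12:00:01.200 IP 10.0.0.5.40000 > 192.0.2.1.80: Flags [S], seq 9, win 65535
12:00:01.300 IP 203.0.113.9.2000 > 192.0.2.1.25: Flags [S], seq 3, win 55808
12:00:01.400 IP 10.0.0.6.40001 > 192.0.2.2.443: Flags [S], seq 7, win 16384
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r" Flags \[(?P<flags>[^\]]*)\].*\bwin (?P<win>\d+)"
)


def parse_capture(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["win"] = int(pkt["win"])
            yield pkt


def signature_hits(text, window=SIGNATURE_WINDOW):
    """Return every parsed packet whose advertised TCP window equals `window`."""
    return [p for p in parse_capture(text) if p["win"] == window]


def scanners(text, min_targets=3, window=SIGNATURE_WINDOW):
    """Map each source of signature packets to the distinct (dst, dport) pairs
    it probed, keeping only sources that touched at least `min_targets`."""
    targets = defaultdict(set)
    for p in signature_hits(text, window):
        targets[p["src"]].add((p["dst"], p["dport"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, probed in scanners(SAMPLE_CAPTURE).items():
        print(f"{src} probed {len(probed)} targets with win {SIGNATURE_WINDOW}")
```

A single packet with the signature window is weak evidence on its own (legitimate stacks can advertise any size), which is why the per-source sweep count is the part worth alerting on.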
JOINING THE DOTS
In Sobig, Blaster and 55808, we are seeing Internet attack components
which individually are a nuisance. Even if these are entirely unrelated
attacks, their proven success immediately adds these tactics to the
pool of malware.
If the inept FBI suspect managed to cobble together two tactics in
his Blaster variant, the slicker operators elsewhere can readily deploy
a SuperWorm which brings these components together and would be unstoppable
with our current defenses. Such a worm is now clearly possible, and
eventually inevitable.
Sobig.F has been blamed on spammers trying to hijack open relays and
use them as spam mail servers. If so, why would these profit-focussed
spammers set a 9/11 release date with ominous political/terror overtones?
Not good business.
Some person(s) went to a lot of trouble to launch Sobig.F and they
have indicated it was the penultimate virus. To be followed by the
ultimate. Despite the clear intent on display, our response has been
meager.
So-called "market forces" are not solving the Internet security
problem. They are ensuring it remains a problem. Antivirus vendors
are content to play the attack/defend cycle forever -- and they do
serve a purpose. But their presence in the market lends Microsoft
a plausible deniability of final responsibility.
DEFENDING THE NET
The virus/worm issue just got critical. Are we going to sit around
and wait for the inevitable on 9/11/'03 or not long after? Or are
we going to take bold steps to protect the Internet before it's too
late?
Perhaps it's time for the IT industry, the anti-virus vendors
and Microsoft to come together and raise the level of voluntary inoculation
by users.
Or maybe it's time to release our own Defender.A worm which could
invasively close down the relevant "holes" in Internet security.
A defensive worm could use standard intrusion tactics for benign result.
For example, it could worm its way into Windows XP computers and
get the owner's permission to turn their firewalls on. It could survey
open TCP/IP ports and offer to close them.
Such a defensive worm, armed with full ISP and backbone support, could
lock down 95% of existing Internet vulnerabilities in 48 hours.
The ongoing failure to address Internet security issues is set to
cost us dearly. Is there really the political will to safeguard the
greatest free speech medium developed by humanity? If there is not,
then it is up to the Internet community to protect it ourselves.
1st September, 2003
Feedback, Tips, etc. to Fintan Dunne, Editor, GuluFuture.com
The Superworm Articles
- Superworm to Storm the Net
- Kiss The Net Goodbye
- Sneak Trojan Maps Net
- Ultimate Worm Wishlist
Latest News & Analysis

Mysterious Net traffic spurs code hunt
CNET News, June 20, 2003
ELF_TYPOT.A
Worm? Trojan? Attack tool? Network administrators and security experts
continue to search for the cause of an increasing amount of odd
data that has been detected on the Internet. News.com
The threat throws off lots of noise
and seems to be mapping the Internet.
By George V. Hulme
There's a new security threat out on the Internet, but it's not
clear how much of a threat it really is. A sneaky new Trojan application
has installed itself on an unknown number of Internet-connected
servers and is attempting to scan and map networks connected to
the Internet and send that information back to its controller.
http://www.intrusec.com/55808.html
PROTOTYPING THE
ULTIMATE VIRUS / WORM
http://slashdot.org/
Over a year ago, with a couple of friends, we started writing a project
called 'Samhain'. We wanted to see if it is difficult
to write a deadly harmful Internet worm, probably much more dangerous
than Morris's worm.
Reference Links
The SoBig.F virus is programmed to deactivate on September 10, so that
a new version can appear sometime around September 11.

"The MO of the author is to release a new version just before the
expiry of the last one," said Mark Summer, chief technology officer
at security firm MessageLabs.
"A potential risk is that the massive army created by Sobig.F
could be used to launch an all out attack on large Internet infrastructures,"
said Steven Sundermeier at security firm Central Command. ArabTimesOnline
Worse Windows worms to come, warn experts
SPAM BLOCKERS HIT BY DENIAL OF SERVICE
Sobig May Be Working for Spammers
Sobig worm appears to lead sustained attacks on computers running
antispam 'blocklists.'
The target sites have been intermittently inaccessible. According
to reports posted in online discussion forums, Osirusoft has shut
down permanently.
MICROSOFT ON GUARD
Microsoft made drastic
changes in their internet setup on Friday. First of all, they moved
most of their main web servers under heavy web clusters operated
by the mirroring company Akamai.
As to windowsupdate.com, they just surrendered. Microsoft
simply disconnected this server from the web and removed its name
from domain name systems. It will probably never return.
SOBIG WORM IS SO SLICK
Mr Vincent Weafer, the senior
director of Symantec's Security Response centre, said the culprit
behind the virus wanted to 'build up a (robot) net by creating zombie
machines he can control'. straitstimes.com
In a single day, 1 in every 17 mails sent worldwide came from
Sobig.F. Experts were shocked and awed by the worm's unprecedented
clip.
"This is the undisputed heavyweight champion of viruses,"
declared Scott Petry of email-security firm Postini in Redwood City,
Calif. Which may be just the kind of recognition Sobig.F's still
mysterious author was hoping for. time.com
"Whoever wrote this virus has knowledge of how AV systems
operate and has written the code with obfuscation in mind."
Thus far, MessageLabs has blocked "in excess of three million copies"
of Sobig, an "unheard of figure", Wood said.
TheRegister.co.uk
Profile of the Superworm: SoBig.E Exposed
He also may have had a holiday
recently. The 'F' at the end of SoBig denotes that it is the sixth
generation of the virus to be put into cyberspace, following on
from A, B, C, D and E. Each one has been bigger and faster than
the last. Yet there was a gap of four weeks between
E and F. 'We think he may have taken a vacation or something,'
said one exasperated FBI source. Observer.guardian.co.uk
Government and industry security experts raced against the clock
Friday to take offline 19 of the 20 home computers, thwarting an
attack before the 12 noon deadline, said Mikko Hypponen, anti-virus
research manager at F-Secure of Finland.
The computers were located
in the United States, Canada and South Korea, he said. The remaining
master computer, which was in the United States, was taken down
shortly after the deadline, experts said. cnn.com
http://sfgate.com
Originally, SoBig appeared to be nothing more than an unusually
effective version of a common online bug: the mass mailer, which
annoys people by flooding e-mail boxes worldwide with copies of
itself, but which does no real damage to hardware. Now that the
SoBig worm turns out to be more complex, some experts believe its
creator is much more sophisticated than the youths who release garden-variety
worms on a daily basis.
"Looks like organized crime
to me," said Mikko Hypponen, F-Secure's director of antivirus research,
in a prepared release.
http://lists.netsys.com
After reviewing the actual firewall logs I find my initial report
was not entirely correct. There were two variants, not three,
and the second variant contacted a list of 5 hosts, none of which
were on the "big" list of 20 hosts.
The second list of five addresses
(all seem to be on cable or dsl networks) is given below.
This page shows status of those
ips:
http://207.195.54.37/sobig.html
SOBIG ON SLASHDOT
- Main Slashdot thread
- The Sobig updater
http://www.f-secure.com/
The expected Internet activation of the Sobig.F worm has been prevented.
The activation was prevented through a 24-hour race against the clock
by various organizations around the world. FBI and Microsoft were
able to locate and disconnect or shut down most of the master servers
necessary for the activation to be successful.
techrepublic.com
F-Secure reports its analysis of the code provides some server addresses
that don't lead to anything right now, and speculates that the server
addresses will be forwarded to some other address just seconds before
the Trojan activates in order to prevent antivirus analysts from
reading the program and working out countermeasures in advance.
F-Secure is also providing
some additional details, such as the fact that SoBigF appears
to have infected nearly 100 million systems in just over four days.
For now, it isn't known whether the Trojan will try to co-opt other
systems already compromised by SoBig.F or will launch some entirely
different sort of attack.
...This is a highly sophisticated
attack, even using atomic clocks to synchronize the activation
of the Trojan...
http://www.f-secure.com
All the infected computers are entering a second phase today, on
Friday the 22nd of August, 2003. These computers are using atomic
clocks to synchronize the activation to start exactly at the same
time around the world: at 19:00:00 UTC.
At this moment, the worm starts
to connect to machines found from an encrypted list hidden in the
virus body.
The worm connects to one
of these 20 servers and authenticates itself with a secret 8-byte
code. The servers respond with a web address. Infected machines
download a program from this address – and run it. At this
moment it is completely unknown what this mystery program will do.
F-Secure has been able to break
into this system and crack the encryption, but currently the web
address sent by the servers doesn’t go anywhere. “The
developers of the virus know that we could download the program
beforehand, analyse it and come up with countermeasures”,
says Hypponen. “So apparently their plan is to change the
web address to point to the correct address or addresses just seconds
before the deadline. By the time we get a copy of the file,
the infected computers have already downloaded and run it”.
With Sobig.E, the worm
downloaded a program which removed the virus itself (to hide its
tracks), and then started to steal users' network and web passwords.
After this the worm installed a hidden email proxy, which has been
used by various spammers to send their bulk commercial emails through
these machines without the owners of the computers knowing anything
about it.
The advanced techniques
used by the worm make it quite obvious it’s not written by
a typical teenage virus writer. The fact that previous Sobig
variants were used by spammers on a large scale adds an element
of financial gain. Who’s behind all this? “Looks like
organized crime to me”, comments Mikko Hypponen.
http://slashdot.org/
My thoughts about possible "improvements", from my yesterday's
post [slashdot.org]:
Too bad for
the virus that it depended on this list of servers to update. However,
there are reports that it also contains a backdoor enabling updating
it. Here is my worst case scenario what could happen further:
1. The authors
of worm quickly release new worm, which uses same methods to propagate
and which main purpose would be to scan IP's for already infected
computers and update them to new version.
2. New versions
of worm contain a strong encryption key to recognize next updates.
They also contain a block of "secret", encrypted payload code, key
to which is contained in update. This way this block can be instantly
run right after getting key in update, without waiting to download
whole update, speeding things up.
3. New versions
do not depend on fixed port numbers for communications, which can
be easily blocked in routers. Instead they listen on number of random
ports and/or intercept commonly used ports which cannot well be
blocked globally.
4. IP of previous
computer in infection chain is kept by infected computer, also it
actively scans ports for other infected hosts and keeps a list of
found IP's. This list is also encrypted, with key coming in next
update. When next update comes, list is decrypted and update quickly
forwarded to all computers in it with previous version. This distributed
network is similar to current p2p networks and makes global updates
very, very fast and impossible to track beforehand.
5. New versions
will continue to use email scams and windows security holes to continue
spreading.
So now we have
global network of infected computers that can be quickly updated
by its controllers to stay ahead of any countermeasures that security
people may think of, all continuing to spread and containing a secret
payload which could be triggered even faster than update.