
Vern Paxson on Worms

I’ve read Vern Paxson’s name so many times and really admire his research
work. Today was my first opportunity to see him in person. He gave a fantastic
talk on Internet worms. The first surprise for me was how he distinguished
worms from viruses: a worm is something that acts without the help of users,
while a virus requires some user action to infect the machine (I always
thought that worms just load down servers while viruses destroy something —
not a very good distinction now that I think of it). Vern started out with
Code Red and showed how it spread, and how successive versions and new worms
improved on it. The upshot is that worms are starting to show their
destructive power. It was fascinating to see how, over many months, various
worms reappeared because infected machines’ system clocks were way off, and
how they suddenly disappeared because some other worm cancelled them out.

So far only a small community of amateurs is creating them. But there are
first signs that money can be made by creating worms. Vern mentioned
“netbots”, sites on the Internet that can be rented to launch worm attacks. Of
course all of this is an underground economy. Someone in the audience asked
how payment works there. Someone else answered: stolen credit card numbers.
The trend is toward a decoupling of worm experts from the people with
motivations (and money). The potential for damage is huge. Someone in the
audience pointed out how public companies such as eBay could be targeted while
the attacker short-sells their stock.

The most fascinating worms were the most recent ones: “Sapphire”, which
infected via a single UDP packet and spread orders of magnitude faster than
any worm before it (paper), and “Witty”, which infected Internet Security
Systems network monitors. But it was clear that Vern’s research team has
already worked out much deadlier strategies. One important aspect is seeding,
which, if done right, enables a worm to spread almost instantly. There are
tricks to scan lots of machines for vulnerabilities without setting off
alarms, and then attack them all at the same time. There are tricks for
partitioning the IP space so that worms waste as little time as possible
double-infecting hosts that are already compromised.
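To make the point about seeding concrete, here is an added example (not from the talk or from Vern’s group) that runs the simple logistic “susceptible-infected” model of a random-scanning worm from the worm literature. Every number in it is an assumption: 350,000 vulnerable hosts (roughly the Code Red population), a 2^32 IPv4 address space, and ten probes per second per infected host. Comparing a worm that starts from one host with one that starts from a pre-seeded list of 10,000 shows how much of a defender’s detection and response window seeding takes away.

```python
"""
Mean-field (logistic) model of a random-scanning worm, used to show why
seeding shrinks a defender's response window.

Constructed assumptions (not from the talk): 350,000 vulnerable hosts,
a 2^32 IPv4 address space, and SCAN_RATE probes per second per infected host.
"""

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random scanner can pick from
VULNERABLE = 350_000      # assumed size of the vulnerable population
SCAN_RATE = 10.0          # assumed probes per second per infected host
DT = 1.0                  # seconds per simulation step


def simulate(initial_infected, seconds, vulnerable=VULNERABLE,
             address_space=ADDRESS_SPACE, scan_rate=SCAN_RATE, dt=DT):
    """Return the infected count after each step, starting with t=0.

    Each step, every infected host sends scan_rate*dt probes at uniformly
    random addresses; a probe lands on a not-yet-infected vulnerable host
    with probability (vulnerable - infected) / address_space. This is the
    continuous SI (susceptible-infected) approximation, not a packet-level
    simulator, so the count is a real-valued expectation.
    """
    infected = float(min(initial_infected, vulnerable))
    series = [infected]
    for _ in range(int(seconds / dt)):
        susceptible = vulnerable - infected
        newly_infected = infected * scan_rate * dt * susceptible / address_space
        infected = min(float(vulnerable), infected + newly_infected)
        series.append(infected)
    return series


def time_to_fraction(initial_infected, fraction, max_seconds=86_400, **kw):
    """Seconds until `fraction` of the vulnerable population is infected,
    or None if that never happens within max_seconds.

    The difference between the single-host and the seeded start is the
    response time a defender loses to seeding.
    """
    dt = kw.get("dt", DT)
    vulnerable = kw.get("vulnerable", VULNERABLE)
    target = fraction * vulnerable
    for step, count in enumerate(simulate(initial_infected, max_seconds, **kw)):
        if count >= target:
            return step * dt
    return None


if __name__ == "__main__":
    unseeded = time_to_fraction(1, 0.9)         # one initial host
    seeded = time_to_fraction(10_000, 0.9)      # assumed 10,000-host hit list
    print(f"90% infected from 1 host:      {unseeded / 3600:.1f} h")
    print(f"90% infected from 10,000 hosts: {seeded / 3600:.1f} h")
    print(f"response window lost to seeding: {(unseeded - seeded) / 3600:.1f} h")
```

The model deliberately ignores the bandwidth limits, dead address space, and network congestion that slow real worms down, so the absolute hours are only indicative; the ratio between the two start conditions is the lesson, since the exponential phase that a defender can still react in is exactly the phase that a hit list skips.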

My opinion: nature shows that diseases are part of life. Evolution has
developed an incredible array of ingenious immunity mechanisms, but the arms
race between disease and immune system never ends. People who care about the
Internet have no choice but to participate in this arms race. There are,
however, a few fundamental ways to prevent diseases from being too successful.
One of them is diversity. Today, worms have an easy time attacking the
monoculture of Microsoft Windows. MacOS, Linux, and BSD systems are fairly
unharmed. But that can change pretty quickly, especially since an increasing
number of servers are running Linux. Also, complex organisms like mammals have
really sophisticated immune systems because their internal structure provides
an otherwise ideal growth environment for parasites. The cancellation of worms
by other worms seems to indicate that one way to fight worms is to have
anti-worms that implement a distributed defense but are “trained” at a central
place (I wonder when a company like “Internet Thymus Inc.” comes along).
