Researchers predict worms that could take over the Internet

Computer science researchers are predicting new types of dangerous worms that would be able to infect Web servers, browsers and other software so quickly that the Internet itself could be taken over in a matter of minutes.

Though still in the realm of theory, the killer worms described in a research paper entitled "How to Own the Internet in Your Spare Time" are triggering skepticism, but the idea of them is seldom dismissed as science fiction.

The three authors of the research, which was published two months ago, presented a future where worm-based attacks use "hit lists" to target vulnerable Internet hosts and equipment, such as routers, rather than scanning aimlessly as other worm outbreaks, like Nimda and Code Red, did last year. These worms would carry dangerous payloads to allow automated denial-of-service and file destruction through remote control.

"Code Red and Nimda could have spread faster and they didn't have powerful payloads," asserted Stuart Staniford, president of Silicon Defense Inc., and co-author of the research paper. The other authors are Vern Paxson, a staff scientist at both the Berkeley-based ICSI Center for Internet Research and the Lawrence Berkeley National Lab's network research group, and Nicholas Weaver, a graduate student at the University of California at Berkeley.

The paper argues that this next generation of computer worms -- which would have military applications during war - would carry knowledge about a specific server's vulnerability and propagate at a breathtakingly high rate of infection "so that no human-mediated counter-response is possible."

Fixing software vulnerabilities remains a huge problem and many corporations admit it takes a day or two at best to apply software patches once a software vendor has acknowledged a flaw in product coding and supplied a fix for it. Home computer users, meanwhile, are often wholly unaware of these types of problems.

Staniford said they tested the paper's thesis in a lab simulation of a computer worm designed to subvert 10 million Internet hosts over low-speed and high-speed lines. Supplied with its own "hit list" of IP addresses and vulnerabilities gained through prior scanning, the theoretical worm could infect more than 9 million servers in a quarter hour or so.

They called this the "Warhol worm" after artist Andy Warhol's well-known quote that in the future, everyone will be famous for 15 minutes. A similar theoretical worm, which they called the Flash worm, blasted out from a 622M bit/sec link, would take even less time to "own" the Internet.

The authors concluded that just as the U.S. government has established the Centers for Disease Control in Atlanta as the central voice in matters related to new health risks for the nation, it would benefit the country to set up an operations center on virus- and worm-based threats to cybersecurity.

Richard Clarke, President Bush's adviser on cybersecurity matters, said that while he hadn't read the Flash-worm research paper, he wouldn't discount the idea of a fast-moving worm of this type.

As it happens, the draft "National Strategy to Secure Cyberspace" report issued last month recommended that the government fund a network operations center as a central point for threat analysis.

Another official, Bob Dacey, director of information security issues at the U.S. General Accounting Office, said of the theoretical worms: "The risk is there, though I can't speak to the 15 minutes. When you look at Nimda and Code Red, you see greatly developed delivery mechanisms."

To date, the Internet hasn't been exposed to a worm with a dangerous payload to destroy systems combined with rapid delivery, but it certainly might be out there in the future, said Dacey, who's in charge of overseeing vulnerability-testing of federal agencies' networks.

Dacey said agencies need to do a better job of applying software patches, and to that end the federal government is seeking to award a contract for an outside service to help agencies install patches quickly.

The terms "Flash" and "Warhol" worms are not yet part of the common vocabulary of the antivirus software business and its technologies. At first glance, the idea of a worm devouring the Internet in 15 minutes sounds farfetched to many.

"It's hard to imagine such a thing could happen," said Bob Justus, vice president of security at Union Bank of California, but then added, "But I guess it's possible."

Antivirus software vendors and the security industry as a whole seem to be taking the research paper seriously though it's unclear what defenses there may be for a worm that attacks the whole Internet in seconds.

"It's definitely plausible," said TruSecure Corp.'s virus expert Roger Thompson. "It's highly likely we'll see them."

Traditional antivirus software relies on signature updates to stop a worm or virus once it's identified, but with fast-moving Flash and Warhol worms, this wouldn't work, Thompson said.

"We haven't seen a Flash worm yet, but now that there's a paper on it, we probably will," said Mikko Hyponnen, manager of antivirus research at F-Secure Corp.

This research has credibility, said a spokesman for Moscow-based Kaspersky Labs Ltd., but he added, "Actually, we predicted this technology two years ago but never published it because it may give virus writers another clue how to improve their malware. The Berkeley guys did this and they are half-guilty for such a worm [appearing] that may easily cause the Internet to be down in just an hour, so users will not be able to download antivirus updates."

Staniford admitted that he's been criticized for describing how the worms would work, but said the researchers tried not be too obvious. He said there may not be much way to defend against a Flash worm today, but said his company, Silicon Defense, has something in the works, which he declined to discuss, that may be ready by February.

Not all security companies think the killer worms are an identifiable problem yet. A spokesperson at Network Associates Inc.'s research division, Avert Labs, said the concept of a Flash worm is "possible," but added with a note of skepticism, "there is a big step between theory and practice.'

Others security companies are also doubtful about Flash. Trend Micro Inc.'s product manager Bob Hansen said, "The threat from this type of thing is definitely growing," but added that "it takes a ton of research to design one of these things."

Nevertheless, Hansen said it's "certainly credible to think that a worm designed as a targeted hacker tool could be created to bring down 20 or 30 of the major business Web sites within a matter of minutes."

While signature-based updates wouldn't be ready fast enough, behavior-based technologies, such as Trend Micro's Applet Trap might be successful in blocking such an attack.

Okena Inc. which makes behavior-based intrusion-detection software, weighed in on the Flash worm. Director of product management Ted Doty said if a Flash worm surfaces in the future, Okena's StormWatch software for servers and desktops might be able to block it as it did Nimda or Code Red by blocking unauthorized behavior. However, few companies are using any type of behavior-blocking software.

"You can detect attacks you haven't known about before," said Rob Clyde, chief technology officer at Symantec Corp., regarding the concept of a Flash worm. "But it's not going to be easy."

This story, "Researchers predict worms that could take over the Internet" was originally published by Network World.


Copyright © 2002 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon