Communications Technology

June 2004 Issue

War of the Worms
Put A Lid on that Can Today

Worm attacks are increasing in their number and voracity. But, there are steps you can take to protect your network.

By Tom Donnelly, Sandvine Inc.

Worms are an insidious class of self-replicating malware, closely related to viruses, that degrade the performance of data networks. A worm exploits a common security hole on one host and then reproduces itself at incredible speed by transmitting copies over high-speed Internet connections. Because worms take advantage of widely shared weaknesses, almost every unpatched computer system is vulnerable, making worms one of the most fearsome security threats.

Considered more loathsome than viruses, worms consume massive amounts of data capacity and throughput as they replicate. Depending on the number of unsecured servers, a worm can create hundreds of thousands of copies of itself in a matter of hours. (See Figure 1.)

The latest trend in worm creation is to utilize peer-to-peer (P2P) file-sharing networks, such as KaZaa or Morpheus, as a means to infect innocent victims. By exploiting the benefits of P2P file sharing, worms spread more efficiently and with a greater potential of exhausting service providers' networks.

Worms and broadband networks: A brief history

Worms were first recognized as a security threat in the late 1980s. The first worms used transmission control protocol/Internet protocol (TCP/IP), common application layer protocols, operating system (OS) bugs and a variety of system administration flaws to propagate. The resulting problems included extremely poor system performance and the complete denial of network service.

More recent worms have attempted to disable antivirus and security software on infected computers. Some worms steal data by attaching images or document files to the infected messages they send out, while others have destructive payload characteristics that destroy infected systems altogether.

Famous worms

The Code Red attack of July 2001 was the first to gain major publicity. It spread rapidly and globally until almost all vulnerable servers on the Internet had been compromised. (See Figure 2.)

The Nimda worm of Sept. 18, 2001, was a "multimode" worm capable of infecting through a number of different vectors. It set a new standard of ferocity by spreading very rapidly while penetrating thousands of firewalls. Nimda reached saturation within a few hours and maintained itself on the Internet for months after inception.

The Slammer (or Sapphire) worm was released at about 9:30 p.m. Pacific time on Jan. 24, 2003, exploiting a buffer-overflow vulnerability in Microsoft's SQL Server. Despite being the smallest worm to date, only 376 bytes of payload carried in a single UDP packet, it was by far the fastest. Each infected host scanned at 3,000 to 30,000 packets per second. The result was a very dramatic spread: the infected population initially doubled every 8.5 seconds, and almost all vulnerable hosts were infected in a mere 10 minutes. (See Figure 3.) Disruption included blocked networks and infected SQL servers, rendering both unavailable to perform critical tasks. The general public experienced flight cancellations, interference with an election, ATM failures and 911 emergency center shutdowns.

P2P and worms: A new vector of infection

The latest trend in worm creation is the utilization of P2P file-sharing networks, such as KaZaa or eDonkey, as vectors of infection. According to antivirus firm Symantec, the Linux.Slapper.Worm was the first worm to make use of P2P networking technology.

By exploiting the benefits of P2P file sharing, worms spread more efficiently and with a greater potential of exhausting service providers' networks. From a subscriber's perspective, P2P-borne malware is particularly dangerous because the subscriber has no way of determining the integrity of a file until it has been downloaded.

Not only do these worms travel faster and with greater ease, they also let infected machines stay in contact with one another, potentially giving attackers control over an entire population of infected hosts.

Virus writers also are using P2P technology to endow their worms with networking capabilities. SecurityFocus predicts that "P2P technology might allow conventional Internet worms to update themselves, perhaps making themselves invulnerable to antivirus software by communicating with other infected systems and receiving new code." Slapper is again the primary example of a worm exhibiting these sophisticated capabilities.

Worm traffic and service providers

Service providers now bear the brunt of worm attacks, as the focus has shifted to residential broadband subscribers. These residential subscribers represent the weakest, most uncontrolled point in the Internet, while being very expensive to protect en masse.

The collective probing and multiplying behavior of worms causes routers and flow-based devices to exhaust resources. Processing this excess traffic degrades subscribers' service levels, ultimately impacting the service provider.

Individual protection alone is not effective, given that a very small percentage of unprotected or poorly protected subscriber machines can create untold havoc for the rest of the service provider's network.

Cleaning network outbreaks can require a complete network takedown. Disinfecting each computer one by one can be extremely costly and time consuming. The market research firm Computer Economics produced widely cited estimates of the total cost of major worm and virus incidents. For recent worms, overall costs range between $64 million and $2.62 billion worldwide. (See the table.) It also has been estimated that the public and private sectors combined spend millions of dollars a day to chart and protect themselves against worms. These expenditures are expected to climb.

An additional cost to Internet service providers (ISPs) not always accounted for is that of technical support. Seven in 10 broadband subscribers called for technical support during the last year, with 40 percent having to call twice. At an average cost of $13 per call and $150 per site visit, technical support and customer service can cost service providers millions of dollars a year. This cost skyrockets when a worm infects their networks and degrades service levels.

With service providers under intense pressure to cut operational costs, reducing customer support burdens alone stands to improve the bottom line significantly.

Current solutions

Since the days of Code Red in 2001, worm mitigation strategies have involved network equipment vendors scrambling to find and provide patches, access control lists (ACLs) or other "bandages" to react to the problem of the day. Often this remedy affects service more than the disease itself, because emergency network upgrades and patches can cause outage problems of their own.

The only security tools currently employed to proactively protect networks from worms are firewalls and antivirus systems. Firewalls protect organizations and individuals from incidents in the larger network world. An intelligent firewall filters all connections between hosts on the organizational network and the world at large, while a simple firewall disallows all connections with the outside world, essentially splitting the network in two.

Security professionals know that current network defenses, including antivirus products and firewalls, are inadequate to prevent the rapid spread of worm infections at the network level. There are thousands of different ways a worm can infiltrate a network, making it nearly impossible to feel completely confident that any network is in reality protected.

Worms easily can foil firewall mechanisms by targeting Web server hosts that must remain reachable, or by entering the enterprise network via incoming e-mail. Both the Code Red and Sapphire worms treated the Internet as a single, flat address space and spread solely by scanning for and exploiting a single vulnerability.

Other than virus and firewall network protection solutions, adequate worm defenses were not developed until quite recently, primarily because worm attacks had been relatively rare.

Future considerations

Future worms will without a doubt be far more destructive than what has been seen to date. The tools to accomplish attacks across networks are becoming more widespread and easier to use every day. Future incidents will exploit more widespread vulnerabilities and will be better tested, work on a broader range of systems, use faster scanning algorithms and carry more malicious payloads. It is important to stay ahead of the attackers, but it is next to impossible to keep a determined attacker out.

Today?s large homogeneous population of multiuser systems is an attractive target for both virus authors and worm developers. Personal computer (PC) worms or virus/worm hybrids are becoming a huge threat. With a large homogeneous population of systems available, it is conceivable that authors of malicious code will combine the previously disjointed attacks of viruses and worms. An attack consisting of a worm traversing a network and dropping viruses on the individual hosts becomes a startling possibility.

The worst-case scenario is a flash worm, which is a worm optimized with knowledge of the Internet's topology. With a flash worm, the worm releaser scans the network in advance and develops a complete hit list of vulnerable systems. The worm carries this address list with it, splitting it among the hosts it infects, so no time is wasted scanning for victims. Flash worms are hard to contain and have the potential to penetrate the Internet within tens of seconds.
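The two propagation styles described above (the random-scanning spread of Slammer, with its 8.5-second doubling time, and the hit-list spread of a flash worm) can be compared with a simple model. The block below is an added example, not part of the original article; it uses the standard logistic model of random scanning in a flat IPv4 address space, and every parameter (vulnerable population, per-host scan rate, hit-list fanout, time per infection round) is an assumption chosen to resemble the figures quoted above, not a measurement.

```python
"""Added example, not part of the original article: a back-of-envelope model
of how fast a random-scanning worm (Slammer-style) and a hit-list "flash"
worm reach a vulnerable population.  Parameters are assumptions chosen to
resemble the Slammer figures quoted in the text, not measurements."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner picks from


def spread_rate(scan_rate_pps: float, n_vulnerable: int,
                address_space: int = ADDRESS_SPACE) -> float:
    """Per-second growth constant K of the logistic model da/dt = K*a*(1-a).

    Each infected host sends scan_rate_pps probes to uniformly random
    addresses, so it hits a vulnerable host scan_rate_pps * N / A times per
    second.  That is the expected number of new infections per infected host
    per second while the population is still mostly uninfected.
    """
    return scan_rate_pps * n_vulnerable / address_space


def doubling_time(k: float) -> float:
    """Seconds for the infected population to double in the early phase."""
    return math.log(2) / k


def time_to_fraction(k: float, n_vulnerable: int, fraction: float) -> float:
    """Seconds until `fraction` of the N vulnerable hosts are infected,
    starting from a single host.

    Solves a(t) = 1 / (1 + (N - 1) * e^(-K t)) = fraction for t.
    """
    return math.log((n_vulnerable - 1) * fraction / (1 - fraction)) / k


def hitlist_rounds(n_vulnerable: int, fanout: int) -> int:
    """Infection rounds for a hit-list worm in which every infected host
    hands `fanout` addresses from its list to new victims each round.

    No scanning is needed, so growth is (fanout + 1)^rounds, not logistic.
    """
    infected, rounds = 1, 0
    while infected < n_vulnerable:
        infected *= fanout + 1
        rounds += 1
    return rounds


if __name__ == "__main__":
    n = 75_000                  # assumed vulnerable SQL Server population
    k = spread_rate(4_000, n)   # assumed per-host scan rate, packets/sec
    print(f"K = {k:.4f}/s, doubling every {doubling_time(k):.1f} s")
    print(f"90% infected after {time_to_fraction(k, n, 0.9):.0f} s "
          "(the model ignores the bandwidth saturation that slowed Slammer)")
    rounds = hitlist_rounds(n, 10)
    print(f"hit-list worm, fanout 10: {rounds} rounds; at an assumed 0.5 s "
          f"per round that is {rounds * 0.5:.1f} s")
```

With 4,000 packets per second per host against an assumed 75,000 vulnerable hosts, the model gives a doubling time of roughly 10 seconds, close to the 8.5 seconds observed; the same population is reached by a hit-list worm in a handful of rounds, which is why the flash-worm figure of "tens of seconds" is credible. The model treats the Internet as one flat address space and ignores the link saturation that in practice stretched Slammer's spread to about 10 minutes.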

Reflecting the widespread struggle to properly confront the virus threat, the Gartner IT Security Summit, held in London on Sept. 15, 2003, focused much attention on the issue of virus management.

Gartner Inc., a technology research and advisory firm, cautioned companies not to rely solely on the antivirus solutions Microsoft plans to embed in its Windows operating systems.

Tests conducted by Web security specialist Sanctum on behalf of software application testing specialist Sim Group indicate that 97 percent of Web sites have significant security flaws.

Fortunately, worms to date have been relatively benign in that none have carried seriously destructive payloads. Nonetheless, it is only a matter of time until a worm with a seriously damaging payload emerges.

Future worm payload possibilities include:

  • Wiping out hard drives on all infected machines
  • Damaging hardware by reflashing computer basic input/output system (BIOS), causing computers to become inoperable
  • Perpetrating denial of service attacks on many targets simultaneously
  • Searching infected machines for intellectual property of a particular or general sort
  • Launching stealthy attacks under remote and anonymous control via a worm distributor
  • Accepting new software modules that propagate through the worm and give it new behaviors at run time
  • Corrupting data over time and in subtle and difficult-to-detect ways

Kill the worms

Reactive techniques and systems upgrades often are not an effective solution because worms can spread at an astonishing rate.

To effectively mitigate a worm, time is of the essence. One approach is to provide one point in the network that mitigates worms automatically, avoiding the manual updating of every network device. Manual updates are not conducive to the speed required. By avoiding reliance on complex emergency upgrades and patchwork configurations, you can avoid potential damage to the network.

Worm signature pattern matching is a natural extension of the signature techniques already used to classify peer-to-peer traffic. Solutions of this type allow a new worm to be identified and its signature delivered quickly, resulting in efficient worm elimination.

How does it work?

These worm mitigation systems can connect automatically and download new worm signatures over secure shell (SSH) as new worms are identified and isolated. Traffic matching a new signature is immediately "black-holed" (dropped), refused or shaped/rate-limited to manageable levels. This efficiently isolates the issue and removes pressure on other network devices and components, protecting the entire network until you can perform the desired upgrades in a regular, controlled fashion.

Why is it effective?

This type of approach attacks the worm on all levels simultaneously, during any and all stages of its infestation and incubation. These stages of infestation and incubation include:

  • Stage 1 (payload insertion probe): Usually a mechanism is used to run executable code on the target machine, such as the "buffer overrun" condition exploited in recent attacks. Interception here can eliminate worms before they are able to penetrate and start spreading.
  • Stage 2 (contact home for instructions): The penetration code is normally fairly small. To proceed further, the penetrated machine often requests a "root kit" from the attacker's site to give the attacker full control. This request also can be intercepted.
  • Stage 3 (root-kit payload download): The download of the root kit from the controlling site to a compromised machine is necessary for the completion of the worm designer's final goal. This download can be intercepted.
  • Stage 4 (replication and DDOS): When a subscriber machine is under complete malicious control, it begins scanning for other vulnerable machines and replicating itself to them, and it can be turned against other targets in distributed denial of service (DDOS) attacks. Control at this stage is necessary to contain infected machines until they can be inoculated with an anti-virus disinfection agent.
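The signature download and black-hole/rate-limit actions described under "How does it work?" and the Stage 1 and Stage 4 interceptions above can be illustrated with a toy network-side detector. The block below is an added example, not code from the article or from any vendor product: it runs over constructed flow records, catches Stage 1 by matching a payload signature on the exploit port, catches Stage 4 by the fan-out of one source to many distinct destinations on a single service port within a short window, and assigns each offending subscriber the action the article lists. The signature byte patterns, the ports, the thresholds and the sample traffic are all made up for the example.

```python
"""Added example, not from the article or any vendor product: a toy
network-side worm detector that runs over constructed flow records and
produces the actions the article lists (black-hole or rate-limit).
Stage 1 is caught by matching a payload signature on the exploit port;
stage 4 by the fan-out of one source to many distinct destinations on one
service port within a short window.  Signatures and traffic are made up."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since start of capture
    src: str        # subscriber address
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes  # leading payload bytes as seen on the wire


# Constructed (proto, port, leading-bytes) signatures.  The byte patterns are
# placeholders for this example, not the real Slammer or RPC exploit bytes.
SIGNATURES: Dict[str, Tuple[str, int, bytes]] = {
    "udp-1434-probe": ("udp", 1434, b"\x04\x01\x01\x01"),
    "tcp-135-probe": ("tcp", 135, b"\x90\x90\x90\x90"),
}

WINDOW_S = 5.0          # detection bucket length in seconds (assumed)
FANOUT_THRESHOLD = 20   # distinct destinations on one port per bucket (assumed)


def match_signature(flow: Flow) -> Optional[str]:
    """Return the name of the signature whose port and leading bytes the
    flow matches, or None."""
    for name, (proto, dport, pattern) in SIGNATURES.items():
        if flow.proto == proto and flow.dport == dport and flow.payload.startswith(pattern):
            return name
    return None


def analyze(flows: List[Flow]) -> Dict[str, str]:
    """Map each offending source address to an action.

    A signature hit (stage 1 exploit traffic) is black-holed outright; a
    source whose fan-out on one port exceeds the threshold (stage 4 scanning)
    is rate-limited until it can be cleaned.  Sources with neither are absent.
    """
    actions: Dict[str, str] = {}
    fanout: Dict[Tuple[str, str, int, int], Set[str]] = defaultdict(set)
    for f in flows:
        if match_signature(f) is not None:
            actions[f.src] = "blackhole"   # overrides any earlier rate-limit
            continue
        bucket = (f.src, f.proto, f.dport, int(f.ts // WINDOW_S))
        fanout[bucket].add(f.dst)
        if len(fanout[bucket]) >= FANOUT_THRESHOLD:
            actions.setdefault(f.src, "rate-limit")
    return actions


def build_sample() -> List[Flow]:
    """Constructed traffic: one signature-matching scanner, one scanner with
    no known signature, and one host browsing the web normally."""
    flows: List[Flow] = []
    for i in range(30):   # 10.0.0.5 sprays the exploit packet at 1434/udp
        flows.append(Flow(0.1 * i, "10.0.0.5", f"192.0.2.{i + 1}", "udp", 1434,
                          b"\x04\x01\x01\x01" + b"\x01" * 12))
    for i in range(25):   # 10.0.0.7 probes 135/tcp on 25 hosts within 5 s
        flows.append(Flow(0.2 * i, "10.0.0.7", f"198.51.100.{i + 1}", "tcp", 135, b""))
    for i in range(5):    # 10.0.0.9 talks to a single web server
        flows.append(Flow(1.0 * i, "10.0.0.9", "203.0.113.10", "tcp", 80,
                          b"GET / HTTP/1.1\r\n"))
    return sorted(flows, key=lambda f: f.ts)


if __name__ == "__main__":
    for src, action in sorted(analyze(build_sample()).items()):
        print(f"{src}: {action}")
```

Running the block flags 10.0.0.5 for black-holing and 10.0.0.7 for rate-limiting and leaves 10.0.0.9 alone. The fan-out check is what a passive, non-inline deployment can do from flow records alone; acting on the signature match requires the traffic to pass through an inline element, which is the distinction drawn in the deployment options below.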

Three deployment options

Cable operators can choose from three options for implementing worm control.

  • Passive or noninline deployments. These can be used quite effectively against TCP-based attacks. However, they are somewhat limited against connectionless (UDP or ICMP) attacks, where there is no connection to reset. At the very least, a passive deployment can be used for detection and reporting.
  • Passive with selective inline deployments. These are almost as effective as a full inline solution. This model allows you to extend a passive deployment easily using simple, generic router policy maps. This can be very effective against Internet Control Message Protocol (ICMP) or port 135 attacks, where suspicious and dangerous traffic can be diverted for in-depth scanning and scrubbing.
  • Full inline deployment. This is the simplest, most effective and most proactive option. In inline mode, all strategies are available, including shaping.

Conclusion

The latest research indicates that file-sharing protocols have become favored vectors for worm infection, allowing worms to spread more efficiently and with greater potential of exhausting service providers' networks.

Hyper-powered worms such as Slammer and Code Red have created an urgent need for equally powerful network-based responses. Besides the obvious threat they pose to subscriber PCs, worms sap processing power from broadband routers and flow-based devices as they struggle to handle excessive, maliciously crafted traffic. This degrades the Internet experience across the service provider's entire network and negatively impacts end users.

To better protect against malicious worm attacks, service providers must take a more proactive approach to worm mitigation.

Tom Donnelly is co-founder of Sandvine Inc. Email him at .



FIGURE 1: Massive Code Red Penetration


FIGURE 2: Code Red Propagation


FIGURE 3: Slammer/Sapphire Propagation


TABLE : Costs Associated with Several Major Worms


Access Intelligence, LLC Copyright © 2005 Access Intelligence, LLC. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Access Intelligence, LLC is prohibited.