Malicious Distributed Computing

Jeremy Erwin writes "In this whitepaper, Brandon Wiley suggests a possible design for a 'superworm', a coordinated network of worm nodes. Typically worms are designed to infect as many hosts as possible, but as overly rapid growth can lead to early detection, this is a suboptimal strategy. The worm, dubbed Curious Yellow, uses communication between worm nodes to ensure optimal infection rates."
  • by papasui ( 567265 ) on Friday October 25, 2002 @10:30AM (#4529557) Homepage
    ..already have this? I believe it's called KazaA ;)
    • Read the paper (Score:4, Informative)

      by Phronesis ( 175966 ) on Friday October 25, 2002 @10:59AM (#4529791)
      KazaA is discussed in the paper as an existence proof.
    • ...Already have this?? It's called samhain and I read about it while BillG was in diapers.

      The problem with viruses like this one is the difficulty of debugging. "Ha, Ha! The world shall feel the wrath of my superworm!! Hunh?? What do you mean divide by 0 error??"

      Pinky, are you thinking what I'm thinking? Yes, but Stallman's beard does tickle so....

      The worst virus you can get on your computer is still Microsoft. Word will send unwanted information out to everyone you know, IE will allow anyone to execute remote code on your system, and Outlook will run whatever viruses you manage to send to it.

      Now, can this guy get you to shell out $200 US for the privilege of running his virus?? I think not. Microsoft is still the champion of the virii.

      Welcome to Virus.NET. Select a project from the new projects wizard:
      Nimda Based Worm
      Klez Based Worm
      Office Macro
      Some dippy ass VB script
      Windows XP

      Ho Hum.
  • Hmmm (Score:3, Interesting)

    by kenp2002 ( 545495 ) on Friday October 25, 2002 @10:33AM (#4529576) Homepage Journal
    (Tongue in cheek btw)

    Isn't talking about stuff like that, well you know, illegal now? I'm certain that talking about theoretical virus attacks could be considered terrorism. I mean here you are talking about this horrible WHAT-IF scenario and giving bad people all sorts of good ideas (providing AID are we?) Hmmm I have a feeling that this post may cause trouble. I bet our FRIENDS at the Homeland Security office would like to speak to you =)

    AWW BUT WHAT THE HELL DO I KNOW! :) I bet someone will have a DMCA issue with this too. Hey Taco looks like we may have incoming! EEEKKK!
    • Isn't talking about stuff like that, well you know, illegal now?

      Hah. Depends. Which $CONTINENT do you live in?
    • by djkitsch ( 576853 ) on Friday October 25, 2002 @10:53AM (#4529731)
      Didn't you know? It's illegal to THINK about this kind of stuff now.

      Microsoft's clickwrap agreement now states that you're only licensing the right to use your own brain matter, and they're legally entitled to read it at their leisure?

      On with the tin foil hats....
    • Re:Hmmm (Score:5, Interesting)

      by EvilAlien ( 133134 ) on Friday October 25, 2002 @11:20AM (#4529922) Journal
      I believe the US has ratified the Council of Europe Convention on Cybercrime [coe.int], as has Canada. This treaty requires that signatories create criminal offences for possession of viruses or other "devices" designed to damage data/networks. I haven't read the whole damn thing yet, but doing time for actually possessing virus code isn't that far away.

      As far as law enforcement is concerned, go ahead and think about it... the national security types are who you need to worry about =)

      When is ThinkGeek getting Tin Foil hats with a stylish Tux logo?

      • This treaty requires that signatories create criminal offences for possession of viruses or other "devices" designed to damage data/networks

        Interesting. Are the people whose machines are infected considered "in possession" of the virus, since it now resides on their hard drive?

        Of course, I'm still waiting for the virus that infects your machine, then quietly downloads one kiddy-porn .jpg into your C:\Windows directory every day for a month. At the end of the month, it sends an anonymous email to the authorities with your email address and IP address. By the end of the year, the entire computer-using US population will be in jail...

        • Are the people whose machines are infected considered "in possession" of the virus, since it now resides on their hard drive?
          Fear the case law.

          If Monkeyboy Ballmer was a lawyer, he'd be ranting "PRECEDENT PRECEDENT PRECEDENT" right now. Dangerous laws are the ones written so open that any meathead judge can come along and pass judgement, despite not having any clue whatsoever in the issue at hand.

          Those viruses almost exist, by the way. Many of the new viruses getting out (about 4 new ones a day) spread through P2P apps and drop files that look like porn. It's not too much of a stretch to change the filename from hotlesbiansdoingit.mpg to hot16yearoldlesbiansdoingit.mpg, add an addressbook entry for a law enforcement contact, and THEN spam.

      • So let's see... it's *legal* to possess devices that are designed to quickly kill another person. Some of these are designed to do it from a distance, as demonstrated over the past three weeks.

        But it's going to be *illegal* to possess devices or code which might be used to usurp computing resources, damage file systems, etc.

        Where are people's priorities? It's all about the bottom line.
  • so (Score:5, Funny)

    by tps12 ( 105590 ) on Friday October 25, 2002 @10:34AM (#4529581) Homepage Journal
    The best way to infect as many hosts as possible is to make sure you don't try to infect too many hosts? How Zen.
  • by Anonymous Coward
    I'll get to work on it right away!
  • I've been thinking (Score:5, Interesting)

    by palad1 ( 571416 ) on Friday October 25, 2002 @10:35AM (#4529601)
    At some point, the worm will be detected, thus the slow infection rate will not be optimal.

    What if... in order to decide whether the worm should switch to 'Turbo' infection speed, the worm queries google news for 'worm $0', and if the number of results > $we_have_been_discovered/, bang!

    Previous worms used irc, but that doesn't guarantee the author to be anonymous, does it?
    • The one good thing here is that as worms become more complex, there are more holes in THEM which can be exploited. For instance, it seems that one could set up a HoneyPot type worm on machines, which would communicate to the "hive" either that your machines were already infected (so don't bother trying to re-infect) or to force them all to constantly try to reinfect some scapegoat system.
    • by sopwath ( 95515 )
      There's no need to switch to "Turbo Mode"; Achord can update whenever there's a fix for the exploit. In addition, switching to turbo mode would only help raise awareness of the presence on other nodes, therefore endangering other nodes. Each node shouldn't resist being erased. It should resist any updates from a source that doesn't contain the private key.

      Since all they have to do is keep watching for uninfected nodes, each node could wait for a code update (which includes the appropriate private key) and then work around the specific anti-worm software.
    • by schlach ( 228441 ) on Friday October 25, 2002 @11:40AM (#4530076) Journal
      At some point, the worm will be detected, thus the slow infection rate will not be optimal.

      I propose that a breakthrough was made in the modularity of worm systems last year, with Code Red and Nimda. The infection mechanism can be separated from the intelligence/communication module and payload. Does anyone know how many machines are still infected by Nimda?? It's staggering. You could have a worm that only spread to machines already infected by Nimda, and virtually guarantee that it would never be detected. You'd 0wN a staggering number of machines, your worm could close off others' access to the same cmd.exe sitting in the web root, increasing survival chances for your host (less likely to be taken down), and you could do all the intelligent communication you wanted. Better yet, design a mechanism so that later versions of your worm will replace previous ones, so you can release updates as the design becomes more sophisticated. The possibilities are endless. As much time as you want to tinker with the perfect intelligent worm design, and you don't even have to write the infection module yourself.

      I think wormnet design is one of the coolest theoretical exercises in CS... the problem right now is that there's no incentive to write intelligent worms (ie WormNet), because the unintelligent ones are so effective. Nimda was spotted almost immediately. It's still one of the worst. What's that tell you? When authors stop thinking about the individual worm, and start thinking that each worm is just a cell in a collective online entity... well, i'm kind of soured on calling things a paradigm shift, so I won't say.. d'oh!

    • by Alan Cox ( 27532 ) on Friday October 25, 2002 @11:46AM (#4530133) Homepage
      This depends upon the goal of the virus writer. The paper assumes a superworm with a goal of staying alive. It's equally valid to construct a superworm with a destruction goal, erasing BIOSes, disk firmware, etc.

      I like the paper; it's another reminder that the current approach of virus control simply doesn't work. Security needs a lot more depth and a lot more work - and not just on Windows either.
  • w/ AI (Score:2, Interesting)

    by dirvish ( 574948 )
    This would be pretty cool if it was made artificially intelligent through a neural network. It could use its neural network to determine the best way to distribute across the physical network of computers.
    • by Anonymous Coward
      Throwing a neural network at something doesn't make it intelligent. There are other, probably more appropriate methods. Neural networks need to be trained. Hypothetically speaking, if you were to write such a worm, you would not want the worm to train itself in the wild. It would probably be detected due to errors made during training.
    • Written by William Gibson, called kill switch [insidethex.co.uk].

    • Re:w/ AI (Score:5, Funny)

      by scott1853 ( 194884 ) on Friday October 25, 2002 @10:58AM (#4529783)
      Pfft, we could easily stop it with a tic-tac-toe worm that will make it aware of its own futility.
      • I can't believe that someone else watched wargames [imdb.com].

        You know, the number of times we've played out the-near-destruction-of-human-kind-at-the-hands-of-our-creations scenario in our minds makes me suspect that it's going to be inevitable. If only for the fact that the meme is at the front of so many people's heads.
    • Just because neural nets sound "smart" and we want a "smart" program doesn't mean they're appropriate here. As already mentioned, what are you going to train it with? Second, is the problem highly nonlinear? If not, simpler solutions exist. Best yet, a heuristic (set of rules) based system would make more sense. Give it a set of conditions under which it can alter its behavior - and I think that there are reasonable ways of determining such courses of action beforehand.

      Remember, this thing needs to be small, not bloated.
    • Re:w/ AI (Score:2, Interesting)

      Actually I suggested the same thing as a paper idea in my neural networks class... Before I knew how neural networks worked...

      Seriously though, having a random hodgepodge of neural network nodes, randomly wired, and without having two endpoints with which to train the network really does you no good. Neural networks are trained to be intelligent by feeding them input, then looking at the output and massaging them to make them produce the correct output in hopes that they eventually "learn" a pattern.

      Now essentially building a beowulf cluster of sorts by linking all the nodes into a distributed processing network that could be used to crack RSA keys and the like... And could propagate updates (mutations?) to the worm... Well that will work. :)

      Plus when you're detected, you can go out in a huge DDoS blaze of glory...
  • by JeanBaptiste ( 537955 ) on Friday October 25, 2002 @10:36AM (#4529605)
    text of article:

    Curious Yellow: The First Coordinated Worm Design

    By Brandon Wiley

    The Warhol worm design began the theoretical discussion of so-called "superworms", a new type of computer worms. A worm is a computer program which copies itself from computer to computer in an attempt to reproduce as much as possible. A superworm uses more advanced techniques to achieve very quick infection of the network. The primary strategy behind the Warhol superworm is to pre-scan the network for vulnerable targets. When the worm is launched it already has a large list of targets with a known method for infection and can therefore quickly infect an initial seed population.

    One thing which the Warhol paper mentions is that better results might be achieved via a coordinated worm in which various instances of the worm on different computers communicate with each other in order to optimize infection. The Warhol paper states, however, that no coordinated worm has ever been created. This paper proposes the first design for a worm which utilizes efficient communication between worm instances for an optimal infection strategy.

    Benefits and Difficulties of Coordination

    The purpose of adding coordination to a worm design is to raise the level of sophistication in the attack from a simplistic greedy strategy to a more game theoretically optimal cooperative divide and conquer strategy. There are times when a greedy strategy can be suboptimal. Overly zealous propagation can lead to early detection and eradication. Also, it is simply wasteful for a worm instance to attempt to infect a system which has already been infected rather than choosing an uninfected host as a target. Unfortunately, typical worms have no information on which to base a more sophisticated attack. In order to divide the infection tasks among operative worms, the worms must know about each other and have a method for dividing work among themselves.

    The difficulty in creating a coordinated worm is in minimizing the coordination costs among worms. Since the initial goal of a worm is generally to reach all hosts on the Internet, the number of eventual worm instances will be enormous. The coordination strategy must be able to scale reasonably to that number of instances. If every worm had to coordinate with every other worm, for instance, the amount of bandwidth used to communicate between the worms could easily exceed that used by a greedy worm, defeating the benefits of coordination. The coordination strategy must also be simple to encode since worm designers attempt to make worms as small as possible.

    Efficient Coordination of Worms

    Interestingly, the problem of efficiently organizing worm instances into a network which can act globally but which has reasonable coordination costs for each node is very similar to problems found in peer-to-peer networks. The particular task of the division of the task space among all of the currently active worms is very similar to the problem addressed in distributed hash tables (DHT) designs. One popular contemporary DHT design is called Chord. In Chord, each node is assigned a portion of the task space such that the space is divided evenly and randomly among all nodes. Chord has some useful properties. First, each node in the network is reachable from each other node in the network with a maximum of O(log N) intervening nodes. Additionally, each node only needs to maintain knowledge of O(log N) other nodes, thus keeping coordination costs down to a reasonable level. What this means in simple terms is that in a network of one million nodes each node only has to keep track of approximately 20 other nodes and for one node to send a message to another node in the most distant part of the network it would take at most 20 intervening nodes. Similarly, for a network of ten million nodes, each node has to keep track of approximately 23 other nodes and it will take at most 23 intervening nodes to reach from one side of the network to the other. There are advanced variants of the Chord architecture which layer additional properties on top of the guarantees provided by the basic Chord design. Anonymous Chord (Achord) adds the property that it is very difficult for any node to find out the identities of all of the other nodes in the network. This makes it more difficult for an attacker to disable the network by discovering the identities of nodes. By having worms form an Achord network, a global framework for division of the space to be attacked can be created with reasonable coordination costs.

    Details of Coordinating Worm Attacks with Achord

    In order to create an Achord network, each node needs to be assigned a unique, difficult to forge, difficult to generate identifier. Identifiers are assumed to be generally random and evenly distributed. Each task also needs such an identifier. Tasks are matched to the node whose identifier is the closest match. The method which Curious Yellow uses to assign identifiers to worms and targets is via the SHA1 hash of their IP address. It is relatively difficult to choose your own IP address and the SHA1 hash makes the identifier approximately random and evenly distributed.

    The method for nominating a worm to attack a target is easy. Each Achord node knows the IP addresses of the two nodes whose identifiers are closest to its own. When it learns of a new target, it calculates the identifier for the target and then determines if it is closer to the worm's own identifier or one of its neighbors. If the worm is the closest to the target then it attacks the target. Otherwise, it informs the closer neighbor of the existence of the target and then forgets about it. Since the identifier space is globally consistent, decisions about which worm should attack will always be consistent. Additionally, the decision about who should attack does not require immediate communication between the worms. Communication is only necessary to inform nodes of found vulnerable nodes which they are responsible for attacking.

    Uses of a Coordinated Worm Network

    The initial deployment of the worm network using superworm pre-scanning techniques may take up to 15 minutes (Warhol) or merely 30 seconds (Flash). Once the initial seed network is deployed, it can be used as a platform for launching a second stage of activities. One obvious activity is distributed scanning of the network for vulnerabilities and further infection. Unlike Code Red, which used a greedy scanning strategy, Curious Yellow will have exactly one worm scanning each potential target. This will both reduce the load on the network and make detection less of a threat. The global connectedness of the entire worm network allows for an even more interesting type of distributed scanning than is at first apparent. Since all nodes are reachable from all other nodes, it is possible for the worm's creator to release code patches to all of the worms in the network and for these code patches to spread to the entire network even faster than the initial infection (less than 15 seconds). Therefore, as new exploits are found for previously invulnerable systems, they can be distributed to the worm network, which has already been building up a list of potential future targets. The Warhol method of pre-scanning attacks can thus be utilized repeatedly for rapid infection of diverse systems. The speed at which patches can be distributed to worms is so great that it will probably out-pace attempts to fix vulnerabilities. A zero-day exploit can be used by worms for infection before news of the vulnerability has even been made public. Code patches can also be made to change the behavior of the worm to mask signature behavior which could lead to its detection.

    The second stage of infection allows the infection to progress from controlling a large portion of the network to controlling the overwhelming majority of the network. This is just another part of the infection stage. Once the majority of the network has been infected, Curious Yellow can lay dormant until part or all of it is activated for some purpose.

    There are a number of possible purposes to which Curious Yellow could be used. One obvious use is to simply crash the majority of the Internet at once. Once it is activated, the worm network has achieved its purpose. A slightly more interesting use of the worm network would be to use it for distributed denial of service attacks against enemy hosts. The typical approach for this is to have all compromised hosts send a flood of packets to the target, thus overloading it sufficiently to keep any legitimate packets from getting through. However, this is a naive approach when given such an advanced network to work with. The Curious Yellow infection should, if properly deployed, control the vast majority of the network. All of the infected nodes can act in concert towards a common goal. Nodes and groups of nodes can be specialized for certain tasks. New directives can be sent to the entire network in less than 15 seconds. It is therefore not necessary to have the entire network gang up on a single machine in order to disable it. This is in fact a greedy rather than cooperative strategy and thus suboptimal. First of all, the target to be attacked is probably infected. Therefore, the worm controlling the target can simply be instructed to disable the target. Additionally, if all of the nodes surrounding the target simply drop traffic routed to the target then the target becomes unreachable. Finally, the worms controlling the hosts attempting to contact the target can simply ensure that no attempt to communicate to the server is ever made. Curious Yellow, acting globally and in unison, can make any host simply cease to exist as far as the network is concerned.

    Having total control of all of the Internet's traffic allows for other, more interesting, attacks. Traffic can be modified arbitrarily as it passes through the network. Defacing a website no longer requires actually having access to the computer containing the website. Web pages can be defaced automatically as they pass through the network, resulting in the world's collective web browsers rendering the pages differently than they are stored on the servers, a problem that the server administrators are totally powerless to fix. All of the unencrypted traffic on the Internet can also be observed. The entity controlling Curious Yellow can pick out particular individuals to monitor or gather statistical information about a large number of individuals.

    Of course, Curious Yellow's control over individual computers is not limited to controlling Internet traffic. As zero-day root exploits are found and patches distributed, worms can eventually gain superuser access to all of the machines, giving them access to all of the stored information and all of the spare resources such as hard drive space and CPU cycles, and the ability to surveil all of the world's Internet-connected computer users. By sending out code updates to the network which cause Curious Yellow to metamorphose into an anonymizing proxy network, its owners can connect anonymously to target computers and control them interactively, browsing files and watching what users do with them. They could also program the worms to automatically send back potentially interesting information. The spare resources of the world's computers could be utilized for whatever agenda the owners of Curious Yellow have in mind. In general the uses of the network are endless. The entity which controls Curious Yellow controls the world's computers.

    The World After Infection

    Dealing with the infection once it has been detected is difficult. Once a signature has been detected for the worm, it must be codified by the various competing virus scanner manufacturers and then distributed to infected computers, probably by voluntary downloads. Naturally, once an anti-virus patch for the worm becomes publicly available on the Internet, Curious Yellow will cause that site to disappear from the Internet. Inoculation will therefore have to happen by hand using physical media or network distribution which is secretive enough that the owners of Curious Yellow (subscribers to many major anti-virus update programs) don't find out about it. Once the patch falls into the hands of the creators, Curious Yellow will soon receive a counter-patch obsoleting the old anti-virus patch. Unfortunately, anti-virus distribution methods cannot keep up with the pace of Curious Yellow patch distribution. The only method which can eradicate the virus, therefore, is to disconnect the computers from the network and then apply via physical media patches which both eradicate the virus and patch the vulnerabilities which allowed it to spread. Once the virus is totally eradicated, the creators will wait for a new zero-day exploit to be discovered and then relaunch the virus with a new transmission vector and signature.

    The only way to protect against Curious Yellow is to inoculate every computer with an anti-worm, Curious Blue, which uses similar technology to instantly distribute security patches. As soon as an exploit is discovered, a security patch must be released to Curious Blue before an exploit patch can be released to Curious Yellow. Infection and protection is thus primarily a race between the owners of the two entities. Of course, there might not be only two entities. There could be any number of competing vendors of Curious Blue offering different patches and different quality of service guarantees. Similarly, anyone with access to zero-day exploits could launch their own Curious Yellow. The battle does not end there, however. Curious Blue could act as an ideal platform for the initial stage of a Curious Yellow infection. All that is needed is an exploit in the Curious Blue code. Once one is found, the entire Curious Blue network can be turned, like a clever move in a game of Othello. The same is of course true of turning Curious Yellow into Curious Blue. These programs are particularly prone to such corruption because they are already designed to accept arbitrary code upgrades. They merely need to be fooled into accepting code which is not actually authorized.

    Security, Cryptography, Signatures, and Trusted Code Updates

    The authorization of code updates is a crucial component to both Curious Yellow and Curious Blue. Without a strong authentication system, the worm network can easily be taken over by an arbitrary attacker. The obvious way to do authentication is with public key signatures. In order to use public key signatures, the entity deploying the worm creates a pair of keys, one public and one private. The public key is distributed with the worm. The private key is known only to the worm's creator. When the creator wants to send a new code update, it generates a signature from the code using the private key. Since the worms have the public key, they can check to see if the signature was in fact generated by the matching private key. Using this technique, no attacker can send code updates to the network unless he possesses the creator's private key or finds a vulnerability in the worm which allows circumvention of the signature check.

    Maintaining the secrecy of the private key is an interesting problem in a world overrun by competing strains of Curious Yellow and Curious Blue. A simple strategy which an attacker controlling one worm network might use to compromise another is to instruct the network to search all computers for files that might potentially contain the private key of the competing network. Due to the large size of private keys, they cannot be easily remembered and so must be stored electronically somewhere. In order to keep the private key from being discovered, the creator will be forced to have a special computer used for generating signatures which is never connected to the network. Signatures will be generated on this computer and then transferred to a network-attached computer via removable media. The attack then is to find where in the network signatures are first introduced.

    The worm network can be configured to search for signature files stored on removable media. The network can also monitor other coexisting worm networks to see when code updates are sent. When a received code update matches a signature file found on removable media, the creator of the worm has been detected. Naturally, the creator of a particular strain of Curious Yellow would prefer that his own computers were not infected with competing strains. Unfortunately, the only way to ensure this is to inoculate with a strain of Curious Blue, which will undoubtedly also be searching for the creator so as to have legal action taken against it. Assuming, however, that the creator has the resources to inoculate against all competing strains, it can still be tracked. As the code updates propagate through the network, competing strains can monitor the progress. Using statistical analysis of the propagation of code updates, the source of updates can eventually be traced. Once the location of the creator has been determined, physical coercion such as spying, threats, lawsuits, and arrest are possible to gain control of the private key and thus the worm network.

    In order to avoid being traced, further cryptography is necessary. So that the progress of code updates through the network cannot be monitored, the worm code needs to be encrypted so that it cannot be easily examined to determine which code it currently is running. It is still possible to examine the contents in memory, but this will be a somewhat difficult task to encode in a program the size of a typical worm. Additionally, code updates being sent over the network must be encrypted so that their progress cannot be observed. Even with encrypted connections, however, the creator can still be traced through timing correlations. All the observer needs to see is that one worm contacted another, then that worm contacted a few others, leading into a cascade. Whichever worm made the first contact is the one closest to the creator. Defeating timing correlation requires the worm network to be constantly sending cover traffic to other worms. Luckily, code updates are generally small, so the amount of cover traffic to be generated is not very much. Once the network is communicating entirely over encrypted channels with constant cover traffic, the creator can send out code updates in an anonymous, untraceable manner. Not only that, but the creator can also use the network to render anonymous any other transactions, such as using it as an anonymous communications channel to converse with other entities and distribute files and information. This would be a boon to the usual cast of characters that could benefit from anonymous communication, such as people attempting to escape human-rights-violating regimes, international terrorists, and music fans.

    Who Do You Trust?

    In the world after the global infection of the Internet by strains of Curious Yellow and the commercial availability of strains of Curious Blue, computer users will have a choice. One can either have a computer which is never connected to the Internet, risk almost certain infection and control by the various factions controlling Curious Yellow, or intentionally give control to the creators of Curious Blue. There are multiple issues of trust involved. Initially there is the question of whether one places more trust in the harmlessness of the hackers or the professional integrity of the security professionals. If one chooses Curious Blue then there is the issue of which strain will actually be effective in protecting one from infections by Curious Yellow. There is the additional issue of which strain can be trusted to not contain any vulnerabilities which can be exploited to turn it to the other side.

    Kazaa and Altnet

    There is a disturbing similarity between Curious Yellow and the new Kazaa feature, Altnet. Kazaa is a peer-to-peer file sharing network not entirely unlike Achord, but lacking some of the useful features. In later versions of the software Kazaa bundled a feature called Altnet, which is a second peer-to-peer network deployed alongside Kazaa nodes. When Kazaa is installed, Altnet is quietly installed as well. Buried in the licensing agreement which users click through when installing Kazaa are some interesting provisions concerning Altnet. The user agrees that Altnet is allowed to automatically receive and install code updates and modify settings on the user's computer. This makes Altnet a prime target to be corrupted and used as a widely deployed network from which to launch activities. All that is needed is the proper method for causing the supposedly 2.5 million Kazaa nodes to accept a rogue code update. Interestingly, such an attack has already occurred. While Kazaa is the predominant licensee of the FastTrack network technology, it was previously second to an application called Morpheus, another application using the FastTrack network. Morpheus was mysteriously shut out from the FastTrack network despite the fact that it was supposedly an entirely decentralized network without a central form of control. The network of Morpheus clients was shut down by a rogue code update, eventually discovered to have been sent by the company behind Kazaa. This is the first example of the sort of warfare between strains. It could escalate into being literally a war between worm strains if an entity discovers the key to making Kazaa accept code updates and mobilizes the Kazaa network as a first stage of infection, using it for decentralized scanning of the network for vulnerable hosts and an eventual global takeover of the Internet.
  • by Anonymous Coward on Friday October 25, 2002 @10:40AM (#4529631)
    It is quite simple actually. You program your worm to accept an attack range upon installation. Then you divide the IP space on every successful attack. If you start with 64 worm installs, give each worm 1/64th of the IP space to scan. Each worm would then scan/infect and pass down a smaller block. You would infect in a tree-like pattern, possibly doubling up scanning efforts.

    For example:

    64 initial worms go out at /6 bit boundaries. They plan on installing 64 worms each, giving each sub worm /12 bit networks to scan. Then /18, /24, /30

    With a little bit more intelligence you can target the worms on major ISP DSL/Cable networks to infect the home machines.
    • by dabuk ( 573028 ) on Friday October 25, 2002 @10:51AM (#4529718)
      It would be quite easy for the worm to get stalled in that case. If the worm that is supposed to infect one bit of the IP space gets detected and removed or if there is anything that would stop that machine infecting its IP space (like it's firewalled) then that bit of the IP space is never going to get infected.

      But if you combined those two schemes you could get worms reporting back that they're not getting anywhere and a new worm could start on that space.

    • This strategy is too simple to be efficient in the real world.

      Some of the worms would most probably be deleted by anti-virus programs before they could infect their share of the network. Many of them wouldn't even succeed in installing themselves in the first place.

      You may try to remedy this off-line, using techniques from error correcting codes and fault-tolerant computations, but I assume that doing it on-line is much simpler. OTOH, if you have a degree in CS and like to create worms, then why not try to learn some theory.
  • Of course (Score:5, Funny)

    by PygmyTrojan ( 605138 ) on Friday October 25, 2002 @10:42AM (#4529650)
    The only way to protect against Curious Yellow is to inoculate every computer with an anti-worm, Curious Blue, which uses similar technology to instantly distribute security patches

    I'd say one good way to protect against it is don't open those files named YippeeImAnIdiot.jpg.vbs

    • Curious Blue works something like litmus paper, and turns curious green when your computer is infected with Curious Yellow.
    • Re:Of course (Score:3, Insightful)

      by Jeremi ( 14640 )
      I'd say one good way to protect against it is don't open those files named YippeeImAnIdiot.jpg.vbs

      I'll go you one further... don't use any email client that has the capability of running scripts or executables received in email.

      • I don't think I want my e-mail tool running anything (macro, external executable, script, etc). And I don't accept document/data formats that allow embedded macros very comfortably (word docs, etc). Yes, it means sometimes I don't see the neat new thing someone sends me. But generally they can (if it matters) send it as plaintext, html or a simple image format.

        Gosh, I wish I had some mod points to burn just now.... that's one of the best (even if it is obvious to most of us) points....
  • Precedent (Score:5, Informative)

    by Anonymous Coward on Friday October 25, 2002 @10:45AM (#4529666)

    the Linux based 'Slapper' worm (link at end of message) was the first worm to create a peer-to-peer network of infected nodes. communication was basic, allowing the network to learn its own topology, and launch DDoS attacks as a single unit when commanded from a single remote location. the piece that Slapper is missing is authentication. imagine if the Slapper worm was written so that it carried with it a public key, and used that key to verify any command sent to it. the worm could be designed to not even reply to UDP requests whose signature fails, making remote detection completely impossible. signed messages would allow the worm author to remotely control the entire network of infected nodes exclusively, distributing patches to combat wormbusters, upgrades to allow the worm to infect new systems, and commands to launch DDoS attacks on targets of his choosing.

    it's going to happen. you heard it here first.

    -s.
    Comment: i am sllort [slashdot.org] and i post AC [slashdot.org]

    http://zdnet.com.com/2100-1105-959385.html
    • Given that Windows systems have proven themselves so insecure that they'll soon be susceptible to catching the Common Cold, and that every other operating system outside of Microsoft is essentially a UNIX flavor, this officially scares the hell out of me.

      Most viruses and worms are written with specific hardware or processors in mind, so I guess I shouldn't worry as much with my Mac OS X system...or should I? If the code is really written to leech around or through a typical process in a UNIX flavor and not be concerned about hardware, then--oh, boy.

      Thank God Mac OS X has many vulnerable services such as Apache, FTP, SSH, and the like switched off by default so you can't easily hose yourself. But one well-written trojan run on my computer could be a problem if I don't stay wary.
    • imagine if the Slapper worm was written so that it carried with it a public key, and used that key to verify any command sent to it. the worm could be designed to not even reply to UDP requests whose signature fails, making remote detection completely impossible

      Encryption alone will not do this.

      I agree that decrypting the UDP packet would be computationally infeasible, assuming strong encryption. Likewise, forging arbitrary packets would be impossible for the same reason.

      But you could still use a type of replay attack to flush out infected hosts. Once you capture a command packet (with a sniffer) and the characteristic response on an infected system, you can just resend that packet to another system and then if you see the characteristic response, you know the system is infected. This might not qualify as remote, since you would have to be in a position to observe the "expected response," which realistically means, you have to be on the same subnet.

      I don't know. You are definitely on to something. There is probably a simple workaround for the replay attack I outlined. But I don't want to give anyone ideas. I don't want to give a design seminar for hard to detect worms. ;-)


  • It started with the plans to decode alien transmissions. We all know that SETI is regularly receiving alien transmissions from benevolent aliens, but this would interfere with the power that Disney has, so they try to break their codes and subvert them. Then there's the cure for cancer search, or rather the search for drugs companies to make more money from new drugs. Let's not forget all the code breaking challenges. Why do they want to break this code? There's something written in secret that they want to find out? But what? Clearly the lost city of Atlantis. The US government wants its secrets for itself. It's time to stop and find a benevolent use for distributed computing.
  • It took 3 weeks of antibiotics to get rid of it, and I had the squirts the whole time.

    Don't drink the water, they said. Sure, whatever, I said.

    I drank the water.

  • Like Real viruses (Score:5, Interesting)

    by goombah99 ( 560566 ) on Friday October 25, 2002 @10:48AM (#4529697)
    There are any number of real virii and bacteria (like Tuberculosis) that use a quorum sensing mechanism before becoming hostile to their host. The bugs grow but in a mostly benign fashion, concentrating on infecting but not harvesting or killing their host. When their numbers reach a critical level they switch over and become massively virulent, making an all out assault on the host, overwhelming the defenses.

    The interesting thing here is the communication aspect. It's different than say a pre-programmed computer virus that does its thing on say Jan 1 2000. Here the thing is adaptive and self organizing.

    Let's take this a step further. China is a breeding ground for both real and computer viruses. Real viruses like flu live in ducks, where they are harmless and mutate rapidly, transfer to pigs where they adapt to mammalian systems, then onto humans when they are ready. The Chinese computers, as discussed in slashdot, have become 80% exposed/infected to viruses.

    Currently these virii (computer) do not actually "breed" in the sense of evolving by themselves. But why not? Bacteria evolve during their own lifetimes by communicating (by exchange of circular DNA known as plasmids). If we start having computer-virus to computer-virus communication we will soon have the capability for viruses that breed and, like a genetic algorithm, "learn" new ways of infecting a host, learn to tune their rates of infection, and develop new and better communication protocols.

    A question emerges then of what happens next. Most viruses follow the pattern of being at first increasingly virulent and deadly to their hosts. Then over time, as they begin to kill too many hosts, they evolve to become less virulent as a survival strategy. At the same time the surviving hosts have become better at killing them. A truce ensues where the bugs are too hard to completely kill because they mutate quickly.

    Current viruses have the ability to replicate but not to evolve. The first step in evolving sexual reproduction is communication with another virus. Later will come information sharing and controlled mutation. Terminator here we come, but not the same way as the movie.

    • Interesting that we are doing with computers what God has apparently done with us. Or the Angels, or Set, or whoever seems to be toying around with us from time to time...

      Kind of twilight zonish don't you agree? I still expect to peel back my skin one day to see gears and rods and sh!t :D
      • Interesting that we are doing with computers what God has apparently done with us. Or the Angels, or Set, or whoever seems to be toying around with us from time to time...

        Ah, but don't you see? God is a programmer [fourmilab.ch]. We're just following his footsteps. Now for the clincher... what if there are bugs in the system?

        God: What, bugs? No way, I'm perfect! Just let me fix this tiny little thing... (BUM!) Ooops, sorry Bill!
    • by waider ( 103687 )
      You're making a large (and frequently made) leap of faith here, from "communication" to "replication with successful mutation". There are several experiments in the field of mutating programs (look up Artificial Life in Google, for example), but to suggest that the mere ability of viruses to communicate with each other will automatically lead to "breeding" capability is a little far-fetched, to say the least.
      • Communication is a prerequisite to "genetic" evolution. After all, how do you think sexual evolution came about?

        The real difference in the analogy is the sophistication of the host. In the real world hosts and parasites co-evolved. An early parasite did not have to be a very clever bug, just one step ahead of its equally dim host, each co-evolving to exploit the other's weaknesses. Now we have some really complex or really simple but tricky bugs that have a level of sophistication that seems miraculous.

        That is to say, if you were to create a man-made virus today without stealing the existing machinery from a natural bug, you would find it pathetically incompetent to deal with modern hosts. Likewise, current computer viruses are going up not just against sophisticated computer systems, but also against the human minds that are actively hunting them. Thus it's going to be a while before computer viruses can survive and mutate on their own. They will need human help to combat the humans trying to kill them.

        On the other hand, in China it appears there is a fertile breeding area where humans are not aggressively hunting bugs. This would be a good breeding ground for a simple bug to evolve to something actually AI quality.

        • On the other hand, in China it appears there is a fertile breeding area where humans are not aggressively hunting bugs. This would be a good breeding ground for a simple bug to evolve to something actually AI quality.

          Are you forgetting that a human being will have to be responsible for developing the AI for the virus? Today we can't even begin to understand the concepts behind self mutating computer viruses, and we may never fully understand the concepts.

          And I, for one, am happy. I fear the day that mankind releases upon the world code that has the capacity to mutate and change under certain circumstances. No good can come of that.

    • Actually, If I recall, the MS Word Concept virus variations actually started to intermingle code.

      There were machines that would get infected with Concept.A, then infected with Concept.B (or something like that), with the second virus stomping on parts of A's delivery system.

      You'd get Concept.A's autostart + Concept.B's autoload etc.

      Quite a bear to remove, if I remember...

    • you're forgetting that in this case the network is the computer [google.com].

      What happens if Wiley's benign future doesn't happen and the worms kill the internet dead?

      As far as curious yellow is concerned, there is only one host.
    • [OT] Real viruses (Score:5, Interesting)

      by aridhol ( 112307 ) <ka_lac@hotmail.com> on Friday October 25, 2002 @11:22AM (#4529926) Homepage Journal
      Sorry, that's not how real viruses work. My wife's a virologist (studying ebola, if you care), and she's explained this a "few" times

      It is not optimal for a virus to kill its host. Ever. End-of-story.

      Because a virus cannot live outside of a host, it is important that the virus keep its host alive as long as possible. Therefore, each virus evolves in an "optimal host". This host is a type of life (animal, plant, even bacteria), in which the virus exists without killing the host. The problem arises when the virus tries to expand its territory to a non-optimal host. In some of these hosts, it can't even get a footing, and dies off without infecting cells. In others, however, it infects the cells in a non-optimal way, killing the host (and with it the virus).

      For example, ebola tends to kill people. Depending on the strain, it's between 50% and 90% fatality in humans. Obviously, humans are not ebola's optimal host. However, there are some species of bats that carry the ebola virus, and are not affected by it. These bats are the natural hosts of ebola, allowing the virus the best opportunity to survive without overpopulating.

      This is all from memory, as my wife's at work, so corrections are appreciated.

      • Your discussion considers the "equilibrium" virus. In the real world viruses are dynamic, both in the sense of adapting to new hosts where they tend to be lethal, and in the sense of adapting to new host defenses. Thus as I said, dynamically, viruses tend to become more virulent and then later less virulent as they gain a footing and then evolve to the new host.

        On the other hand, there are plenty of bugs (but not viruses--they require a living host) that look at you as a large sack of purina bacteria kibble. All these things want to do is kill you and digest your tasty bits at their leisure. These bugs don't require a host to live.

        To a certain extent the current crop of computer viruses seem to define success as mortally wounding the host. Self-preservation and adapting to their hosts are not the goals of most computer viruses.

      • People aren't infected with the variola virus anymore (Well, not officially...), even though a good portion of the world is not vaccinated.

        Plenty of potential hosts-- yet there is no epidemic, and smallpox is considered extinct in the wild. Why? Because a couple of decades ago, most everyone was vaccinated. No hosts, no new infections, no virus, no more need to vaccinate.

        And yet, before vaccination, smallpox was very virulent, and quite deadly to its hosts.

        • And yet, before vaccination, smallpox was very virulent, and quite deadly to its hosts.
          That is because humans were not its optimal host. The virus tended to kill its hosts before it had a chance to evolve into a less-deadly form. Assuming we hadn't destroyed it and it hadn't destroyed us, eventually it could have evolved to a form that doesn't kill us, and we would be the optimal host for the new strain of smallpox, which would probably be deadly to the next species it passed on to.
      • It is not optimal for a virus to kill its host. Ever. End-of-story.

        Evolution selects for whatever increases reproductive success RIGHT NOW, not what might be theoretically optimal. It might be situationally "optimal" to the virus for the host to walk into a crowded room and explode in a shower of highly infective blood. This is basically what happens with Ebola, the patient becomes incredibly infectious to people around them. To be fair, your wife is (of course) correct that this sort of transmission usually is associated with new hosts, as in the case of Ebola. I bet the "wild" host for Ebola carries the virus without dying, perhaps having periodic bouts of the bloody runs to assist in spreading the virus to its conspecifics.
    • Assuming you don't live in destitute conditions, it seems more reasonable to say that real viruses don't kill you, except of course for the pathological (pardon the pun) exceptions.

      Consider smallpox and cold.

      Smallpox of course does kill, but it's not around.. where is it? I don't see it, my neighbors and friends don't see it. Nobody sees it, except for biologists.

      Smallpox is laughed at by the other viruses. It has the strength of Hercules, but what does it do with it? It pops up once every few generations and shows its strength, but is usually gone in a flash. Lame.

      The common cold, on the other hand, is everywhere.. I have it right now, some of my neighbors and friends have it.. it's spreading like wild-fire!

      The cold is a great virus.. it's like the star of the viruses.. it tries its hardest not to get the host sick, because a sick host stays home, and then the cold can't get to new hosts.

      The real benefit of sanitation, plumbing in particular, is the quarantine of hosts infected by loser viruses. Viruses that devastate poor river villages in the tropics aren't a threat in the rich cities because of sanitation... a couple of people get the virus, stay home (to recover or die), and few others get exposed.

      If you want to make better viruses, save us some time and make them cool, like the cold, instead of lame, like smallpox... we'll both be happier for it.
    • Most viruses follow the pattern of being at first increasingly virulent and deadly to their hosts. Then over time, as they begin to kill too many hosts, they evolve to become less virulent as a survival strategy. At the same time the surviving hosts have become better at killing them.

      Or, following what may have happened w/mitochondria, they start performing useful functions...say, drivers for graphics cards. Or would that prove Microsoft's point about the GPL being viral?

      (Joke! Joke!)

  • Worms and 'payload' (Score:5, Interesting)

    by jACL ( 75401 ) on Friday October 25, 2002 @10:56AM (#4529755)
    On Flying: It's not the fall I'm concerned about -- it's the impact.

    On Worms: It's not the distribution method I'm concerned about -- it's the impact.

    Oh sure, this method is similar to the old nuclear war strategy -- "time on target" -- where the missiles were all set to arrive at their targets at the same time, increasing the surprise factor and decreasing the defensive options. But it's the bombs going off that really ruined your day.

    After running plenty of all-nighters flushing out assorted virii from corporate nets, I've come to the conclusion that the worst infections are the ones that look like some other kind of problem. Imagine a worm that changes the IP address of random hosts to the gateway address, or is intelligent enough to worm its way around innocuously until it snags an admin account and can begin 'remote registry' operations, or changes the nameserver addresses to trojans that redirect shopping sites to credit card collection impersonation sites. That kind of stuff is the hard stuff to defend against, because you don't know it's happening until way after it happens.
    • I don't know whether these are original thoughts, created by you, or whether you are simply passing along something that you'd read elsewhere...

      In either case, you appear to be an Evil Genius [tm].

      You should join S.P.E.C.T.R.E (Special Executive for Counterintelligence, Terrorism, Revenge, and Extortion) [tripod.com].

      • No, I'm not an evil genius -- just a paranoid engineer (having done way too much security work). This guy [amasci.com] is an Evil Genius(tm). I especially like the Kindergarten Death Squad and the argon-filled mylar balloon stunts...
    • One evening we agreed that an interesting attack would be to randomly transpose digits inside predominantly numerical documents on very long intervals. On the chance that it *was* discovered, most people would assume a keying error. Keep it up for a month (most sites) and you have got the backup as well. If you do it at a low enough rate, your data is junk before anyone realises what is happening. The negative was machine generated sequences, which would be broken (and noticed) immediately by such a change (i.e. a credit card number would cease working).

      The other option was popping random registry locations. At a low enough rate, it would not be distinguishable from the regular Windows bit-rot.

      • Now, imagine that Win95 was actually truly secure. But, just months into its release, someone wrote a registry-rot worm. It stealthily spread through the population of Win95 machines and eventually infected the dev team at Microsoft. Customers don't suspect anything because it confirms their suspicions. Programmers just assume it's another bug and they work on it as best they can, but the system is too complex so they're never sure it's gone (and thus that it has another cause.)

        At some point the spread is so successful that close to 100% of Microsoft is infected, even the machine they use to do builds. Thus, future versions of windows come with this virus pre-installed.

        Because of the extra debugging work to get rid of what is really virus behaviour, the windows registry and security model really is the best, but we'll never know because of the virus and the settings it uses.

        Or not. :)
  • Interesting... (Score:2, Interesting)

    I thought that the exponential behaviour of worms was deliberate to use all bandwidth and cause disruptions. I guess the slower worm being proposed would carry some other payload and probably be more damaging to individual machines instead...

  • by phorm ( 591458 ) on Friday October 25, 2002 @11:04AM (#4529814) Journal
    This would actually make a point to worms, etc. Right now most of them seem to be one of three:
    -(publicity) Hey, I'm an elite hacker, I've infected half the world's computers
    -(revenge, idiocy, attack) I'm pissed at the world and for that your PC's will pay
    -(information theft/hijacking) There's something on your computer I might want, and now the door is open to get it

    Now, we have a type 4
    -All your base are belong... er, I mean, we are the borg, you will be assi... er...
    Basically, an advanced form of "W3 0WN 40U."

    Distributed worms could actually have a point though... There are still certain questions that any individual PC cannot solve (for which they are building voluntary, non-malicious, distributed systems) that could be processed by this worm. Curious blue (the fix to "curious yellow") could be launched as an "anti-worm, worm" using the same exploit as curious yellow to self-patch the hole.
    Similarly, such a worm *could* be used to repair other known large-coverage bugs.
    Of course, it would be just as illegal to create/launch "blue" as it would be to create/launch "yellow", but wouldn't it be nice if somebody were to let loose something that goes around fixing those annoying "code-red" and "nimda" infected systems still running amok?
    Unfortunately, I cannot even use my own server with a "counterprocedure" to go out and repair those idiot machines that keep trying to access /windows/system/CMD.exe on my linux machine, so nobody can do this legally (it seems that using an exploit is an attack, regardless of intent or method).

    Black hat hackers can't touch me, I run Red Hat not Black Hat - phorm
    • by Anonymous Coward
      I've been wondering for a few days about this...

      What about a worm whose only effect was to change the MS Word default saving format to .rtf, then propagate?

      I'm sure we would quickly have a world of MS morons saving their docs in a open file format, because they can't figure how to change back to their old .doc.
  • I swear when I was halfway through the whitepaper I could actually hear 31,337,000 script kiddies begin to salivate.

    Meanwhile, in another part of the city, H.A. Rey [amazon.com] begins work on a cautionary tale about what happened when The Man in the Yellow Hat doesn't download the latest patches.
  • Hax0r@home - Finding the cure for unpatched b0xen.
  • easy way to kill it (Score:5, Interesting)

    by nounderscores ( 246517 ) on Friday October 25, 2002 @11:10AM (#4529842)
    Sniff for packets containing the SHA1 hash of known infected nodes. Follow the links to eradicate the whole damn nest of the bastards.

    alternatively release a fake "wormcode patch" which poisons nodes after they pass it on. Such an anti-virus-virus would take the network down in less than 15 seconds. [blanu.net]

    To be more robust, this worm has to start thinking smarter: it has to organise itself into a network of cells which are networks, rather than one big flat network. That way, only one node in each cell knows about only one node in an adjacent cell. If node A in cell 1 knows about node A' in cell 2, then when it gets compromised, it cannot betray nodes B', C' or D'.

    Get the worm to spread until it knows about x number of nodes, and then tell each node that they are suddenly the only node in a new cell, and that all their old cell buddies are just their external contacts to other cells. repeat the process until you have global domination.

    That way you can still issue orders, if you have access to the original cell, but if that cell dies, then the worm turns into many rogue cells which act on their standing orders... and any anti-virus-virus "patch" would have to start from the original cell....
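A defender-side sketch of the "sniff for the SHA1 hash of known infected nodes, then follow the links" idea in the post above. This is an added example, not code from the whitepaper or the poster; the `PEERS <sha1>,<sha1>` gossip format, the addresses and the host inventory are constructed assumptions.

```python
import hashlib
import re
from collections import deque

# Constructed assumptions: worm nodes are assumed to gossip peer lists of the
# form "PEERS <sha1>,<sha1>,..." where each entry is the SHA1 of a peer's
# address (a Chord-style node ID). The inventory is the defender's own list
# of hosts, needed because SHA1 is one-way and IDs cannot be inverted.
INVENTORY = ["10.0.0.5", "10.0.0.9", "10.0.0.12", "10.0.0.20", "10.0.0.40"]


def node_id(addr):
    """Assumed node identifier: hex SHA1 of the address string."""
    return hashlib.sha1(addr.encode()).hexdigest()


# (src, dst, payload) triples as a sniffer would hand them over (constructed).
CAPTURES = [
    ("10.0.0.9", "10.0.0.5",
     "PEERS " + node_id("10.0.0.12") + "," + node_id("10.0.0.5")),
    ("10.0.0.12", "10.0.0.9",
     "PEERS " + node_id("10.0.0.9") + "," + node_id("10.0.0.77")),
    ("10.0.0.20", "10.0.0.40", "GET /index.html HTTP/1.0"),  # benign traffic
]

PEER_RE = re.compile(r"^PEERS ([0-9a-f]{40}(?:,[0-9a-f]{40})*)$")


def build_id_table(hosts):
    """Map node IDs back to addresses for every host we know about."""
    return {node_id(h): h for h in hosts}


def peers_in(payload):
    """Node IDs carried by a gossip packet, or [] for anything else."""
    m = PEER_RE.match(payload)
    return m.group(1).split(",") if m else []


def trace_nest(captures, seed_hosts, id_table):
    """Breadth-first walk from known infected hosts: any gossip packet that
    names an infected node's ID marks both endpoints and every other ID it
    carries as part of the nest. Returns (infected addresses, IDs seen in
    gossip that the inventory could not resolve to an address)."""
    infected = set(seed_hosts)
    unresolved = set()
    queue = deque(seed_hosts)
    while queue:
        hid = node_id(queue.popleft())
        for src, dst, payload in captures:
            ids = peers_in(payload)
            if hid not in ids:
                continue
            found = {src, dst}
            for pid in ids:
                if pid in id_table:
                    found.add(id_table[pid])
                else:
                    unresolved.add(pid)
            for host in found:
                if host not in infected:
                    infected.add(host)
                    queue.append(host)
    return infected, unresolved


if __name__ == "__main__":
    nest, unknown = trace_nest(CAPTURES, ["10.0.0.5"], build_id_table(INVENTORY))
    print("infected:", sorted(nest))
    print("unresolved IDs:", sorted(unknown))
```

Hosts that only appear in non-gossip traffic (10.0.0.20 here) are never swept in, and IDs with no inventory match are reported separately rather than silently dropped.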
    • alternatively release a fake "wormcode patch" which poisons nodes after they pass it on. Such an anti-virus-virus would take the network down in less than 15 seconds.

      What's to stop the code from using crypto to sign the patches? Worms have the public key, author has the private key. Simple and reasonably bullet proof.

  • Optimally I should be infected by this worm by the end of the year now that this is public.

  • The communication is the hard part, as soon as this thing gets known, every sysadmin worth his paycheck will block the ports it communicates on. Is there a way to double up processes on one port? If so you could say hook into the port for say, sendmail or something, and then have the worm ignore the sendmail commands, and parse the worm commands. Or you could have several ports listening all the time, UDP style, and have worm node (A) fire off a number that corresponds to the next port that worm node (B) should receive its next set of commands on. This should get around that pesky admin. I must say I have to agree with the author, that slow and steady will probably win this race. Tally Ho. --Greg
  • ... but it's interesting to find out an origin for the vurt feather's name.
  • I believe curious yellow is more likely to be a reference to vurt [amazon.com] by jeff noon. Which is an amazing book by the way.
  • Mirror (Score:2, Informative)

    Since the site appears to be getting kind of slow, and also seems to be a personally-hosted site, I have set up mirrors here [earlham.edu] (courtesy of Earlham College [earlham.edu]) and here [wisc.edu] (courtesy of UW-Madison [wisc.edu]).
    • <paranoia>no, that was one of the specially delegated and tasked worms scanning and infecting you. your web access may be a little slow every now and then... for the rest of your life....</paranoia>
  • by siskbc ( 598067 ) on Friday October 25, 2002 @11:24AM (#4529943) Homepage
    The major problem is how the network fixes itself. Nodes will go down - either because they just do, or because some sysadmin is going to notice traffic on some strange port.

    I could see one node saying "Hey, my neighbor disappeared, we need a new node," but he doesn't know the neighbor's other neighbor. This is exactly like a linked list - if you delete a node before switching the pointers around, you've just created a memory leak.

    Also, to make this thing branch, won't each node need at least three neighbors?
  • by photon317 ( 208409 ) on Friday October 25, 2002 @11:33AM (#4530020)

    In today's environment if a group of intelligent hackers with a wide range of skills deployed and attempted to control a Curious Yellow, they would probably succeed, although they would have to start with months of planning and exploit-discovering to make sure they had pre-prepared their own "zero-day" exploits for a wide variety of platforms (wintel may be dominant, but unices and even routers could be crucial to some of the attack plans). And in order to keep up an arms race, they will have to continually hear of or discover on their own new exploits before they get widely patched.

    The whole problem here revolves around the insecurity of most operating system installs (especially Wintel, but commercial and free *nix are also relatively insecure by default). The real solution to scenarios like Curious Yellow on a global scale would be to secure all the operating systems by default. If every OS vendor would take a slightly more OpenBSD-ish tack on security, disabling most services by default and warning users of potential risks of turning them on misconfigured, auditing their code, and perhaps most importantly, open-sourcing their code for peer-review... it would severely limit Curious Yellow's ability to infect in the first place.

    However, I think it's a pretty safe assumption that that level of universal computer security won't happen in the near future, and that some bright people are already coding their Curious Yellow variants. In that case the best you can hope for is to secure your own systems against Curious Yellow by being more secure than the norm. You won't be able to stop the distributed attacks and service problems that will affect your network traffic, but at least you can avoid being part of the problem and avoid direct control of your machine. Take the cautious road - deploy an OS you can see the source of. Disable mostly everything that listens to a network port. Take advantage of security-upping kernel patches (grsecurity for linux comes to mind, a collection of stack protection, randomization of various things, finer grained access control, etc). Run a firewall, make sure you know what it's doing and why. Don't let any traffic in unless there's a need, and keep an eye on that traffic. As with human infections, early detection leads to a faster recovery. Snort is your friend.
  • by nweaver ( 113078 ) on Friday October 25, 2002 @11:39AM (#4530066) Homepage
    A better citation on worms and their strategies: How to 0wn the Internet in your Spare Time [berkeley.edu] by Stuart Staniford, Vern Paxson, and myself.

    The warhol paper largely got rolled into the "0wn the Internet" paper.
  • Biological viruses (Score:4, Interesting)

    by HisMother ( 413313 ) on Friday October 25, 2002 @11:40AM (#4530081)

    Perhaps the parallel to biology is too obvious to bother pointing out, but it's well understood in epidemiology that viruses that are quick to incubate, and nearly always fatal, historically couldn't propagate far and so haven't led to epidemics. This is why, for example, there are no Ebola epidemics: it kills such a high percentage of its victims, so quickly, that the virus effectively starves itself to death.

    Of course today, with high speed travel so prevalent, we're giving the virii a hand in propagating, and doomsday scenarios become possible...
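
The trade-off in the comment above, and the whitepaper's central claim that fast growth buys early detection, can be put in numbers. The following is an added example, not code from the whitepaper, from the "0wn the Internet" paper cited two comments up, or from any poster; it is a deliberately simplified version of the random-constant-spread model used in that paper. The address-space size, the number of vulnerable hosts and the "defenders notice at 20000 scans/sec" threshold are constructed assumptions chosen to make the comparison visible, not measured figures. Three worms are compared: a fast fixed-rate scanner, a slow fixed-rate scanner, and a coordinated worm whose members share one global scan budget that stays under the detection threshold:

```go
package main

import "fmt"

// Constructed parameters for the model; assumptions, not figures from the paper or the thread.
const (
	addressSpace = 1 << 32 // IPv4 addresses, scanned uniformly at random
	vulnerable   = 300000  // susceptible hosts in that space
	detectLimit  = 20000.0 // aggregate scans/sec above which defenders are assumed to notice
)

// Run records how one simulated worm fared.
type Run struct {
	Infected         float64 // hosts infected when the run stopped
	Seconds          int     // simulated seconds elapsed
	Detected         bool    // aggregate scan rate exceeded detectLimit at some point
	DetectedAt       int     // second at which that happened, -1 if never
	InfectedAtDetect float64 // population size at that moment
}

// simulate steps a random-constant-spread style model one second at a time.
// rate(infected) gives the per-host scan rate the worm uses at that population
// size: a fixed-rate worm ignores the argument, a coordinated worm divides a
// global scan budget among its members.
func simulate(rate func(infected float64) float64, maxSeconds int) Run {
	infected := 1.0
	run := Run{DetectedAt: -1}
	for t := 1; t <= maxSeconds; t++ {
		totalScans := infected * rate(infected)
		if !run.Detected && totalScans > detectLimit {
			run.Detected, run.DetectedAt, run.InfectedAtDetect = true, t, infected
		}
		// Each scan hits a still-susceptible host with probability (vulnerable-infected)/addressSpace.
		infected += totalScans * (vulnerable - infected) / float64(addressSpace)
		if infected > vulnerable {
			infected = vulnerable
		}
		run.Infected, run.Seconds = infected, t
		if infected >= 0.99*vulnerable {
			break
		}
	}
	return run
}

func main() {
	worms := []struct {
		name string
		rate func(float64) float64
	}{
		{"fast, 1000 scans/s per host", func(float64) float64 { return 1000 }},
		{"slow, 50 scans/s per host", func(float64) float64 { return 50 }},
		{"coordinated, 15000 scans/s shared", func(i float64) float64 { return 15000 / i }},
	}
	for _, w := range worms {
		r := simulate(w.rate, 3000000)
		fmt.Printf("%-36s %.0f hosts after %d s; detected=%v", w.name, r.Infected, r.Seconds, r.Detected)
		if r.Detected {
			fmt.Printf(" at %d s with %.0f hosts", r.DetectedAt, r.InfectedAtDetect)
		}
		fmt.Println()
	}
}
```

With a fixed per-host rate r the worm crosses the detection threshold once it has detectLimit/r hosts, so the fast worm is noticed while it has a few dozen members and the slow one while it has a few hundred; in both cases the defenders see it long before it saturates. The coordinated worm, which is what the shared-budget rate function models, never crosses the threshold but needs on the order of two weeks of simulated time rather than minutes to finish, which is the price of stealth the comment's Ebola analogy is pointing at.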


  • by Anonymous Coward on Friday October 25, 2002 @11:42AM (#4530101)
    ..but here goes. You have a worm that divides up the address space in two and infects one machine in each partition. The new worms do the same. Just how many partitions should we have 2, 10, 100?

    Then you make the child check up on its parent every now and then. When its parent fails to respond it tells its own children that this event has occurred (a sort of reverse TTL); when a child receives a rTTL of say 10 or more it knows that the game is up and goes berserk! Maybe additionally it could check on its siblings.

    Thus killing the worm could (potentially) cause more trouble than if it were left alone. To kill it would require a pseudo parent to replace the real parent which would be able to report the IP of the infected child machines.

    It's all getting very X-Files this.

    Perhaps the partitioning 2, 10 or 100 is based in the rTTL. When no one has noticed use a small partition, when people start to kill off the parent then crank up the partitions.

    MLM goes (truly) viral!
  • One of those multiheaded worms to sniff out information on 7 different networks at once, like from Swordfish? Can it break 512-bit encryption like Halle Berry said?
  • by ethereal ( 13958 )

    If this were doable, I can really see a future of detente for the 'net. If you had a worm that would essentially take over the 'net, but you didn't know if it would really work or not, and the consequences for trying and failing were pretty severe, then you wouldn't want to try it out. You'd wait, and only if someone else released theirs would you fire off yours. Assuming that this idea isn't too tough for more than one group to figure out, within hours of the release of one superworm the 'net will be swarming with several different variants of the same idea, all fighting to ensure that their creators get a little piece of the soon-to-be balkanized network. Imagine not just tracking, fingerprinting, and distributing fixes for one of these plagues, but trying to fend off several at once, all of them able to almost instantly distribute defensive tactics, etc.

    Frankly, the only way you could salvage the 'net (short of a complete reinstall on millions of machines) would be to partition it to cut down the communications avenues, and then sterilize each small subsection one by one. And unfortunately the triumph that is Internet-style routing probably means that partitioning the damn thing would be a lot tougher than you would think.

  • True Names [amazon.com] is a great short story about such a worm. It's one of the best "hacking" stories ever written, and one of the earliest stories written about cyberspace. To say much more about the worm or its author would give away a major plot twist, but the protagonists use something like curious blue as well, to counterattack.
  • Give it access to webcams, microphones, and speakers. Let it learn about humans from their own written communications.

    I'm from the future, here to tell you this is how Skynet REALLY got started. If you don't believe me, ask your computer. Just speak clearly into the mic.
  • Not that I agree it should be, but I was thinking that it violated some act/law or something or other related to terrorism/warfare..

    But I could be wrong.. don't have the name of the law handy to verify.

  • Like many others, I've been throwing around ideas along these lines for a while. More to the point:

    1. How do we know this hasn't already been done (and I don't just mean Kazza)?
    2. What if the worm were to patch the security problems it found on the victim system? In the process it could "evict" any other worms or back doors on the system. Essentially, it gets the machine all to itself.
    3. How would this worm avoid Honeypots?
    4. I think the key to internode communication would be covert channels (see the recent thread on the SF Vuln-dev mailing list), moreso than encryption. More specifically, the worm will want to avoid disrupting the statistical characteristics of the network that it's using. The best way to go about that is most likely to lay dormant for a week or so after the initial infection of the system to develop a statistical model of the local network traffic.
    5. "such as people attempting to escape human-rights-violating regimes, international terrorists, and music fans", yes people, it's official: music lovers are now lumped together with political agitators and terrorists. Burn your CD collection before they get you.

    All in all though, I think the main limiting factor to such an undertaking is its usefulness. I mean, what could be done with such a network while retaining its stealthy qualities? Any computation I can think of would require so many resources as to violate the stealthy nature of the beast. That is, even if such a calculation is network efficient, I think the high CPU usage would tip people off. Even if you patched the system so that task manager, top, etc, didn't report the worm's CPU usage, some people would notice that their computers are noticeably warmer, laptops have a shorter battery life, etc. If the creator of the network were to try to gain in any way through the use of stolen credit card or bank info, law enforcement would track them down when they try to use that information. So as another poster noted, this is really just a fancy way of saying "1 0wn y0u", which is really juvenile. Interesting thought exercise though.
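
Point 4 of the comment above, the "statistical model of the local network traffic", is the same computation a network anomaly detector runs from the other side: a per-hour baseline of bytes per minute, and a z-score for any minute against it. The following is an added example, not code from the whitepaper or from any poster. The traffic samples are constructed (an office-hours bump with deterministic jitter), not a capture from any real network, and the `Baseline`, `ZScore` and `Headroom` names are assumptions made for this illustration. `Headroom` shows how few extra bytes fit into a quiet hour before a 3-sigma detector fires, which is the practical content of the comment's week-of-dormancy idea and, equally, the argument for a defender keeping per-hour rather than whole-day baselines:

```go
package main

import (
	"fmt"
	"math"
)

// Baseline holds, per hour of day, the mean and standard deviation of the
// bytes sent per one-minute interval during the observation period.
type Baseline struct {
	mean, std [24]float64
}

// BuildBaseline summarises per-minute byte counts; samples[i] is minute i
// since observation began, so it falls in hour (i/60)%24.
func BuildBaseline(samples []float64) Baseline {
	var sum, sumSq, n [24]float64
	for i, v := range samples {
		h := (i / 60) % 24
		sum[h] += v
		sumSq[h] += v * v
		n[h]++
	}
	var b Baseline
	for h := range b.mean {
		if n[h] == 0 {
			continue
		}
		b.mean[h] = sum[h] / n[h]
		variance := sumSq[h]/n[h] - b.mean[h]*b.mean[h]
		if variance < 0 { // rounding guard
			variance = 0
		}
		b.std[h] = math.Sqrt(variance)
	}
	return b
}

// Mean returns the expected bytes per minute for the given hour.
func (b Baseline) Mean(hour int) float64 { return b.mean[hour] }

// ZScore says how many standard deviations a minute's total sits from the
// hour's baseline; a detector thresholding at |z| > k flags that minute.
func (b Baseline) ZScore(hour int, total float64) float64 {
	if b.std[hour] == 0 {
		if total == b.mean[hour] {
			return 0
		}
		return math.Inf(1)
	}
	return (total - b.mean[hour]) / b.std[hour]
}

// Headroom is how many extra bytes an otherwise average minute in the given
// hour can carry before its z-score exceeds k.
func (b Baseline) Headroom(hour int, k float64) float64 { return k * b.std[hour] }

// ConstructedSamples fabricates `days` of per-minute byte counts with an
// office-hours bump and deterministic +/-10% jitter. Made-up numbers for the
// example, not a capture from any real network.
func ConstructedSamples(days int) []float64 {
	samples := make([]float64, days*24*60)
	for i := range samples {
		h := (i / 60) % 24
		base := 2000.0
		if h >= 9 && h < 18 {
			base = 10000.0
		}
		jitter := float64((i*7919)%1001)/500.0 - 1.0 // roughly uniform in [-1, 1]
		samples[i] = base * (1 + 0.1*jitter)
	}
	return samples
}

func main() {
	b := BuildBaseline(ConstructedSamples(7))
	for _, h := range []int{3, 12} {
		fmt.Printf("hour %02d: mean %.0f B/min, std %.0f, headroom at 3 sigma %.0f B/min\n",
			h, b.Mean(h), b.std[h], b.Headroom(h, 3))
	}
	// A 100 kB/min channel added in a quiet hour stands out; a few hundred bytes
	// spread into a busy hour does not.
	fmt.Printf("z for +100 kB at 03:00: %.1f\n", b.ZScore(3, b.Mean(3)+100000))
	fmt.Printf("z for +500 B at 12:00:  %.1f\n", b.ZScore(12, b.Mean(12)+500))
}
```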

