Dailydave mailing list archives

RE: Self updating worms?


From: "Jonathan Wilkins" <jwilkins () microsoft com>
Date: Fri, 10 Sep 2004 13:57:44 -0700

I think that people are getting a little sidetracked with discussions
around who would do this sort of thing.  I think that history shows
that if it's possible, it'll be done.  The main reason I had for
discussing this in the first place is that current defences to worms
seem to rely on the fact that worms tend to be noisy, stupid and that
defences are pretty simple (just install the patch).

It seems that people are convinced that this is actually possible,
and Dave doesn't even seem to think it's as complicated as I do.

The real question is this: what defences will work against a slow
spreading, quiet worm?

Current response pretty much goes like this:
1. someone goes "oh shit, my firewall's getting hammered, what's going on?"
2. someone gets a copy and the reverse engineering starts
3. someone figures out what hole is being exploited
4. everyone reprioritizes that patch and starts installing it

What happens when the total traffic is too small to notice and days
or weeks go by between probes?
What happens when the exploit being used is different across instances?

I'm working on a few ideas, but I don't have anything that I haven't
been able to beat yet.

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com] 
Sent: Friday, September 10, 2004 11:42 AM
To: Oded H
Cc: Jonathan Wilkins; dailydave () lists immunitysec com; 
ge () linuxbox org; th-research () linuxbox org
Subject: Re: [Dailydave] Self updating worms?

Oded H wrote:

There is a clear benefit for the bad guys, especially if we are
talking about organized crime, to have a self updating worm, simply
because although they don't want to leave a trail they would like to
get some exclusive access to a victim host. Adding some defence
(i.e. patch) to the vulnerability on which their worm arrived is a
step in that direction.

You don't need "worm" bits (attack vectors) to maintain a 
botnet, you only need those to grow one.  If someone sells 
off a fixed set of 1000 zombies, they probably don't want the 
customer competing with them for new bots.  In fact, the 
seller would probably be quite happy that there is a natural 
attrition of the bot set, so they can sell more to the same 
buyer later.

Assuming of course that the builders and users of botnets are 
mutually exclusive sets.

                                              BB

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
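The detection gap Jonathan raises above (probes too sparse to trip a rate alarm, and a different exploit per instance) can be made concrete. The following is an added example, not code from this thread or from anyone on it: over constructed firewall records (documentation-range addresses, invented hosts), a classic per-minute burst alarm catches only the noisy worm, while a per-source count of distinct destination hosts over a 30-day horizon, which ignores rate and port, catches the quiet one as well.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed firewall-style records (ts, src, dst, dport); addresses are
# documentation ranges, not real hosts.
T0 = datetime(2004, 9, 1)
EVENTS = (
    # noisy worm: 30 hits to 30 hosts inside one minute
    [(T0 + timedelta(seconds=i), "198.51.100.7", f"10.0.0.{i + 1}", 135)
     for i in range(30)]
    # quiet worm: one new host every three days, and a different port
    # each time, so neither a rate alarm nor a single signature sees a pattern
    + [(T0 + timedelta(days=3 * i), "203.0.113.9", f"10.0.1.{i + 1}",
        (135, 445, 80, 139)[i % 4]) for i in range(8)]
    # benign admin box: daily SSH to the same server
    + [(T0 + timedelta(days=i), "10.0.0.50", "10.0.2.1", 22) for i in range(20)]
)

def _by_source(events):
    """Group (ts, dst) pairs per source, sorted by time."""
    groups = defaultdict(list)
    for ts, src, dst, _ in events:
        groups[src].append((ts, dst))
    return {src: sorted(v) for src, v in groups.items()}

def burst_sources(events, window=timedelta(seconds=60), threshold=20):
    """'Firewall is getting hammered' alarm: >= threshold hits in any window."""
    flagged = set()
    for src, hits in _by_source(events).items():
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def slow_scanners(events, horizon=timedelta(days=30), min_targets=5):
    """Long-horizon fan-out: >= min_targets distinct hosts within any horizon."""
    flagged = set()
    for src, hits in _by_source(events).items():
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > horizon:
                start += 1
            if len({dst for _, dst in hits[start:end + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged
```

The price of the long horizon is state: the detector must retain weeks of per-source destination sets rather than a one-minute counter, which is exactly what a slow worm is betting nobody keeps.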
