March 10, 2005
Where have all the worms gone?
We haven't seen a serious network worm in what feels like ages. People are beginning to forget about the devastation wreaked by Slammer, Blaster and all the others, especially in light of other pressing problems such as phishing and spyware.
But why haven't we seen a virulent, destructive network worm? I've heard several different theories and predictions:
1. All the worm writers are just dumb kids who have got scared because they've seen other worm writers put behind bars. This strikes me as a specious argument: I suspect that the testosterone-rich environment of young worm writers who are doing it for the glory is not dissimilar to that around extreme sports such as urban-assault biking or extreme snowboarding, and in those sports, the element of danger adds to the thrill - if one person gets seriously injured, it often doesn't put everyone else off, it just ups the ante.
2. All the worm writers are now in the employ of evil geniuses who are focused on profits and world domination. Hence they are doing more subtle and lucrative things, are too busy to write worms, and are no longer interested in them either. I don't buy this one either: it doesn't take long to write a worm on the side, and we have no evidence that the people who used to write worms are now employed by crime syndicates. In fact, if worm writers traditionally did it for the glory, they might be the ones least likely to be employed by organized crime, because they can't be trusted to be stealthy. Furthermore, what better way to phish than getting a trojan onto a victim, and what better way to get the trojan there than through a worm? And if you want to own a large number of computers for launching denial-of-service attacks as part of an extortion racket, what better way to get those computers than via a worm?
3. Networks are getting more secure and hence there is less ability for worms to wreak havoc, so worm writers have not bothered writing new worms. This is patently untrue: for example, a recent vulnerability reported on February 8th is a buffer overflow in SMB that affects all Microsoft platforms, including servers and desktops/laptops. It's a prime candidate for a worm because exploiting it can give ring 0 privileges, and it affects so many systems. In fact, Jose Nazario of Arbor Networks has tried to formalize this notion with his concept of "wormability", which refers to how suitable a vulnerability is for use by a worm. He shows that in 2004 there were 11 highly wormable vulnerabilities, only one of which actually had a worm exploit it.
4. Another one I heard recently is a comment by Charles Ahn in which he says that 2005 will be a big worm year, because worms come in two year cycles. To justify this claim, he refers to the fact that 2001 was a big worm year, with Ramen, Nimda and Code Red, 2002 was quiet, 2003 was big again with Slammer and Blaster, and 2004 was quiet. Such reasoning would be considered laughable by anyone with a decent knowledge of statistics: to predict a trend based on what is essentially two data points is rather a wild leap.
Any other ideas out there? Let me know. Personally, I'd be willing to attribute it purely to the vagaries of chance - I don't see any pattern here. The issue is that the impact of one nasty worm can be enormous, but it takes just one twisted individual (and not even a hugely skilled one at that) to write a worm. And the impact is out of all proportion to the occurrence. There may be many wormable vulnerabilities, but predicting the occurrence of a worm, when so very few of them do occur, is akin to predicting the behavior of a few isolated individuals out of millions. We may have the ability to predict human behavior in some circumstances in large groups, but in this case, I suspect we have no predictability whatsoever.
But then again, perhaps we have already had a few large-scale worms in 2004 and never noticed them. A theoretical possibility is a worm that spreads slowly and surreptitiously, and upon infiltrating a host, installs a kernel rootkit and leaves itself completely untraceable. And perhaps, even when the rootkit is detected, no one realizes that it was deposited via a worm; perhaps, we think, it was merely deposited via a spyware download. In fact, how do we know for sure that amongst the plethora of spyware and trojans on the typical machine, nothing was deposited via a worm?
In conclusion, I believe that the network worm is not dead, just in abeyance, and all hell could break loose at any time, depending on the whims of a few individuals.
Comments
I believe the SMB exploit from February requires that the vulnerable machine view an SMB mount on the attacking machine, so is not really "wormable". I think the same is also true of the SMBFS CPL==0 exploit for Linux from last December. But I'm sure there are plenty of remote exploits in CPL==0 if anyone ever starts looking for them.
Jed
Posted by: Jed Crandall at March 25, 2005 02:49 PM
