
September 01, 2005

Reflections on Zotob

Now that the authors of the Zotob worm have been arrested it seems an appropriate time for some reflections.

Many of us had been wondering what had happened to all the worms. My take was that it was simply chance: with usually no more than two major worms in any year, there is a high probability that a given year will see no worms at all.

There are a few very interesting features of the Zotob incident. One is the loss of the patching window: the worm started spreading 5 days after Microsoft announced the vulnerability. Other security experts and I have been talking about this likely occurrence for years, although 5 days still seems slow to me. I expect that soon it will be no more than 24 hours.

And what will we do then with patches and AV signatures if the worm prevents an infected machine from getting help? This truly could be the death of signature-based systems, as Vincent Weaver, senior director of Symantec's security response team, said:

"Using signatures as a primary defense is no longer effective today"

No wonder there is a growing emphasis on heuristics and behavioral approaches that don't need signatures.

Another interesting aspect is the "war" that erupted in the wake of Zotob. Evidently, multiple varieties of malware (11 different types according to F-Secure) were all attacking the same vulnerability and competing for control of the host, for example by trying to remove competing bots. Clearly, there are multiple worm writers on the loose, so the idea that no one wants to write worms any more is just dead wrong (see point 2 in my previous post).

Even more interesting, from the point of view of biomimicry, is that computers are becoming battlefields for malware, just as our bodies are battlegrounds for microbes. This could be a dangerous trend, because it gives malware authors an incentive to make their malware more virulent, so that they reach the victim first. On the other hand, it may be a good thing, by increasing the soft selection on malware. Who knows, perhaps Zotob would have been worse if it weren't for all the subsequent competing variants? Whatever the case, digital life progresses apace - this will not be the last worm we shall ever see!

Posted by sana at 05:05 PM