• United States
Senior Editor, Network World

Researchers predict worm that eats the Internet in 15 minutes

Oct 21, 20027 mins

Computer science researchers are predicting new types of dangerous worms that would be able to infect Web servers, browsers and other software so quickly that the working Internet itself could be taken over in a matter of minutes.

Computer science researchers are predicting new types of dangerous worms that would be able to infect Web servers, browsers and other software so quickly that the working Internet itself could be taken over in a matter of minutes.

Though still in the realm of theory, the killer worms described in a research paper entitled, “How to Own the Internet in Your Spare Time“, are triggering some skepticism but the idea of them is seldom dismissed as outlandish science fiction.

The three authors of the research, published two months ago, present a future where worm-based attacks use “hit lists” to target vulnerable Internet hosts and equipment, such as routers, rather than scanning aimlessly as the last mammoth worm outbreaks, Nimda and Code Red, did last year. And this new breed of worms will carry dangerous payloads to allow automated denial-of-service and file destruction through remote control.

“Code Red and Nimda could have spread faster, and they didn’t have powerful payloads,” asserts Stuart Staniford, president of Silicon Defense, and co-author of the research paper. The other authors are Vern Paxson, a staff scientist at both the Berkeley-based ICSI Center for Internet Research and Lawrence Berkeley National Lab’s network research group, and Nicholas Weaver, a graduate student at the University of California at Berkeley.

The paper argues that this next generation of computer worms — which would certainly have military application during war – would carry knowledge about a specific server’s vulnerability and propagate at a breathtakingly high rate of infection, “so that no human-mediated counter-response is possible.”

Remedying software vulnerabilities remains a huge problem, with many corporations admitting it takes about a day or two — at best — to apply software patches once a software vendor has acknowledged a vulnerability in product coding and supplied a fix for it. And home computer users online are often wholly unaware of these types of problems.

Staniford says they tested the paper’s thesis in a lab simulation of a computer worm designed to subvert 10 million Internet hosts over both low-speed and high-speed lines. Supplied with its own “hit list” of IP addresses and vulnerabilities gained through prior scanning, the theoretical worm could infect more than nine million servers in a quarter hour or so.

They called this the “Warhol worm” after artist Andy Warhol’s well-known quote that in the future, everyone will be famous for 15 minutes. A similar, theoretical worm they coined the Flash worm, blasted out from a 622M bit/sec link, would take even less time to “own” the Internet.

The authors conclude that just as the U.S. government has established the “Centers for Disease Control” in Atlanta as the central voice in matters related to new health risks for the nation, it would benefit the country to set up an operations center on virus- and worm-based threats to cybersecurity.

Richard Clarke, the advisor to President Bush on cybersecurity matters, said that while he hadn’t read the Flash-worm research paper, he wouldn’t discount the idea of a very-fast-moving worm of this type.

As it happens, the draft “National Strategy to Secure Cyberspace” report issued last month, for which Clarke is asking for public comment, contained the recommendation that the government fund a network operations center as a central point for threat analysis.

Another U.S. government official, Bob Dacey, director of information security issues at the U.S. General Accounting Office, said of the theoretical worms: “The risk is there, though I can’t speak to the 15 minutes. When you look at Nimda and Code Red, you see greatly developed delivery mechanisms.”

To date, the Internet hasn’t seen a worm with a really dangerous payload to destroy systems combined with rapid delivery but it certainly might be out there in the future, said Dacey, who’s in charge of overseeing vulnerability-testing of federal agencies’ networks.

Dacey said agencies need to do a better job of applying software patches, and to that end the federal government is seeking to award a contract for an outside patch-management service to help agencies install patches quickly.

The terms “Flash” and “Warhol” worms are not yet part of the common vocabulary of the antivirus software business and its technologies. At first glance, the idea of a worm devouring the Internet in 15 minutes sounds far-fetched to many.

“It’s hard to imagine such a thing could happen,” responds Bob Justus, vice president of security at Union Bank of California, but then he adds: “But I guess it’s possible.”

Antivirus software vendors and the security industry as a whole seem to be taking the research paper seriously though it’s unclear what defenses there may be for a worm that attacks the whole Internet in seconds.

“It’s definitely plausible,” says TruSecure’s virus expert, Roger Thompson. “It’s highly likely we’ll see them.”

Traditional antivirus software relies on signature updates to stop a worm or virus once it’s identified, but with fast-moving Flash and Warhol worms, this wouldn’t work, Thompson pointed out.

“We haven’t seen a ‘Flash’ worm yet, but now that there’s a paper on it, we probably will,” says Mikko Hyponnen, manager of anti-virus research at F-Secure.

This research indeed has “credibility,” said a spokesman for Moscow-based Kaspersky Labs, but he added, “Actually, we predicted this technology two years ago but never published it because it may give virus writers another clue how to improve their malware. The Berkeley guys did this and they are half-guilty for such a worm [appearing] that may easily cause the Internet to be down in just an hour, so users will not be able to download anti-virus updates.”

Staniford admits he’s taken some heat for describing how the worms would work, but tried not be too obvious. He said there may not be much way to defend against a Flash worm today, but Silicon Defense, has something in the works, which he declined to discuss, that may be ready by next February.

Not all security firms think the killer worms are an identifiable problem yet. Security firm Network Associates research division, Avert Labs, said the concept of a Flash worm is “possible,” but added with a note of skepticism, “there is a big step between theory and practice.’

Others security firms are also a bit dubious about Flash. Trend Micro’s product manager Bob Hansen said, “The threat from this type of thing is definitely growing,” but that “it takes a ton of research to design one of these things.”

Nevertheless, Hansen said it’s “certainly credible to think that a worm designed as a targeted hacker tool could be created to bring down 20 or 30 of the major business Web sites within a matter of minutes.”

While signature-based updates wouldn’t be ready fast enough, behavior-based technologies, such as Trend Micro’s Applet Trap, which he noted isn’t a big seller, might be successful in blocking such an attack.

Okena, which makes behavior-based intrusion-detection software, weighed in on the Flash worm. Director of product management Ted Doty said if a Flash worm does appear in the future, Okena’s StormWatch software for servers and desktop might be able to block it as it did Nimda or Code Red by blocking unauthorized behavior. However, few companies are using any type of behavior-blocking software today.

“You can detect attacks you haven’t known about before,” says Rob Clyde, chief technology officer at Symantec about the idea of a Flash worm. “But it’s not going to be easy.”