as the worm turns

KListon over at the SANS Handler Diary recently posted about worms and how we won’t see an SNMP-borne “Slammer-like” Internet worm, or maybe even any worms like Slammer, despite the opening given by MS06-074.

I think he is somewhat correct. The Slammer worm exploited SQL instances and caused a huge amount of havoc because of the unintended effect of flooding most networks with packets, to the point that they were unusable. From worms like this, authors have learned that if they want to have a good worm, you don’t want to overload your own pipelines. Rabbits may multiply like nothing else, but once you get 5,673 of them stampeding over a bridge to get to new food sources, the bridge will collapse and they’re all dead in the water, so to speak.

I think kliston’s best point was the oddity of tons of tcp 1434 ports open to the world. This defies the common sense that administrators of today have, where databases are (should!) be nestled deeply inside the network behind a few layers of protection between it and incoming Internet traffic. Firewalls have been built up quite a lot over the years, and I think many networks are much more resilient to network-borne worms coming from a public network. Unless something is able to pop apps on commonly opened ports (we’re probably looking at IIS/Apache, sendmail/IIS, SSH/telnet, BIND…) that are widely used, I don’t see any major outbreaks on the horizon. What we’re then left with would be widespread apps running on IIS/Apache (Web 2.0 or common packages like phpBB) or perhaps IM propogation should something in a message be able to pop the app. And of course, some discovery in Cisco equipment could be catastrophic as they make up more of the bricks in our perimeters.

Now, that may nicely cover Internet-borne worms attacking over the dangerous public networks, but that is not to say there won’t be pockets (sometimes LARGE pockets) of an SNMP worm. Even beyond the heyday of the Slammer worm there were still terrible outbreaks as laptops took hold and developers moved offsite with Slammer-susceptible MSDE instances. Once back into the comforts of the home network, such instances gobbled up any unpatched systems and vomited out onto the network wires. Similarly, an SNMP worm can piggy-back inside a network as well, or be delivered via email or other means. Once loose inside a network, it can still have a catastrophic effect for locally.

I have heard often that the network perimeter has disappeared. I disagree with that. Our networks have simply become more ephemeral, kind of like the kids starting to play outside the house and getting dirty by dinnertime. The house is still there; the perimeter is still there. I imagine as ipv6 starts to get realized (someday?) the calls will arise to do away with NAT and the perimeter once public address-space is again limitless. But, of course, that would pave the way for worms to come out of hibernation, so I hope that the perimeter is going nowhere even with ipv6.

Kliston’s third leg mentions something lots of people have repeated all year long: malware authors have become more interested in profit than notoriety. Well, how about being paid to disrupt a competitor’s network? And you just happen to have the ability to create an SNMP worm? And what if that competitor has poor network design and utilizes SNMP on his internal servers, and has a long cycle before those servers get patched? You might be able to realize this financial gain by sending your worm packaged into an attachment over email or perhaps scatter some USB flash drives in the parking lot (with eye-catching glitter-bits painted on to attract attention) with the worm autorunnable. All it might take is one execution and bam, their servers go from the same ol’ grind to being tickled lightly to flat out all raising a new flag of ownership. Dramatic, yes.

Or, hang out at a local wireless hotspot that the employees frequent. With their laptops. Once away from the hardened corporate network, those devices may be ripe for the picking…and planting of a worm. Maybe corporate epionage is already here, but I suspect it will continue to get worse, whether the media picks up on it or not.

One thought on “as the worm turns

  1. I have had the same concerns of an SNMP worm. However in my nightmare, the worm is more like a hydra (ala Hollywood’s ‘Swordfish’) where it comes in on a laptop (possibly compromised by your coffee shop hacker) and targets multiple vulnerabilities that aren’t managed by a Windows-centric patch management system like the not-so-recently patched but recently exploited Symantec vulnerability.
    Big Yellow was built to own local networks. Imagine your competitor purchasing a one-off version of that exploit, that doesn’t get detected by signature-based countermeasures. They couple that with an SNMP attack and tune the scanner phase of the worm to be low and slow, to stay off the radar and you have yourself a nasty little information stealing worm.
    Ahh the things we lose sleep over.

Comments are closed.