So Many Worms, So Little Time
by Randy M. Nash - @RISK Online - Monday, 11 October 2004.
Along with the increasing number of worms, there is a disturbing trend: the interval between the discovery of a vulnerability and the appearance of actively propagating code keeps shrinking. Code Red raised the security community's awareness when it infected more than 359,000 computers connected to the Internet in less than 14 hours. The cost of damages incurred by Code Red and its subsequent strains was estimated to be in excess of $2.6 billion! The rapid spread of Code Red led to the hypothesis of a faster-spreading worm, which came to be called a "Warhol Worm". A Warhol Worm would be capable of infecting all vulnerable hosts on the Internet in approximately 15 minutes to an hour. The theory stated that this would be accomplished "by using optimized scanning routines, a hitlist scanning for initial propagation, and permutation scanning for complete, self coordinated coverage."

Theory became reality on Friday, 19 March 2004, at approximately 8:45 p.m. Pacific Standard Time (PST), when the Witty Worm began to spread. This attack was unlike anything seen previously:
  • It began to spread the day after the ISS vulnerability was publicized. This represents the shortest known interval between vulnerability disclosure and worm release!
  • It was the first widely propagated Internet worm to carry a destructive payload.
  • It started in an organized manner, spreading from an initial 'seed' of about 110 hosts. This number grew to 160 in the first 30 seconds.
  • It reached its peak (supposedly infecting all vulnerable machines on the Internet) in about 45 minutes.
  • It affected systems owned by people who were actively trying to secure their computers and networks.
This combination of features presents what appears to be an insurmountable security problem. Previous worms lagged several weeks behind the publication of new vulnerabilities, which led to a general reliance on patch management to protect vulnerable systems: there was usually sufficient time to patch before malicious code was widely circulating. The Witty Worm started to spread the day after information about the exploit, and the software upgrades to fix the bug, became available. We can no longer count on a buffer period in which to patch our systems. We must be alert to any new attack, ready to implement a multi-pronged defense, and prepared to monitor all systems until the threat has passed.
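To see why a hitlist-seeded worm leaves no patch window, the following added example (not code from the article) models random-scanning spread with the standard logistic epidemic model and compares a single initial host against a 110-host hitlist like Witty's. The population size and per-host scan rate are constructed assumptions, not figures from the article.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner draws from


def growth_rate(scan_rate, vulnerable):
    """K of the logistic model: new infections per infected host per second
    while almost every scan still lands on an uninfected host."""
    return scan_rate * vulnerable / ADDRESS_SPACE


def time_to_fraction(fraction, seeds, vulnerable, scan_rate):
    """Seconds until the closed-form curve a(t) = a0*e^{Kt} / (1 - a0 + a0*e^{Kt})
    reaches `fraction` of the vulnerable population, starting from `seeds` hosts."""
    k = growth_rate(scan_rate, vulnerable)
    a0 = seeds / vulnerable
    if fraction <= a0:
        return 0.0
    return math.log(fraction * (1 - a0) / (a0 * (1 - fraction))) / k


def simulate(seeds, vulnerable, scan_rate, target=0.9, dt=1.0, max_seconds=86400):
    """Step the expected infection count forward one `dt` at a time: each infected
    host fires scan_rate*dt probes, and each probe lands on a still-clean vulnerable
    host with probability (vulnerable - infected) / ADDRESS_SPACE.
    Returns (seconds elapsed, infected hosts) when `target` is reached."""
    infected, t = float(seeds), 0.0
    while infected < target * vulnerable and t < max_seconds:
        hit_prob = (vulnerable - infected) / ADDRESS_SPACE
        infected += infected * scan_rate * dt * hit_prob
        t += dt
    return t, infected


if __name__ == "__main__":
    # Constructed parameters (assumption): 100,000 vulnerable hosts, each infected
    # host probing 1,000 random addresses per second.
    VULN, RATE = 100_000, 1_000
    for label, seeds in (("single seed", 1), ("110-host hitlist", 110)):
        t90 = time_to_fraction(0.9, seeds, VULN, RATE)
        sim_t, _ = simulate(seeds, VULN, RATE)
        print(f"{label:18s}: 90% infected after {t90 / 60:5.1f} min (model), "
              f"{sim_t / 60:5.1f} min (simulation)")
```

The hitlist removes the slow-start phase entirely, so the time to saturation is governed by the scan rate and population size alone, minutes rather than the weeks a patch cycle assumes.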

How Do We Defend Ourselves?

The patch management model of securing our systems is a failure. Now don't misunderstand me: I'm not saying we should not patch our systems; I'm saying we cannot rely on patching as a sure defense. In fact, there is no single security measure that will ensure our complete protection. We must employ security countermeasures for every possible avenue of attack.

First and foremost, deploy a defensive perimeter. A firewall is a definite MUST, but don't stop there. Firewalls should only allow traffic that matches tightly defined rules. Include protections such as file attachment filters for email and web content filtering. Use internal firewalls throughout the corporate network at various segment intersections. Apply appropriate access-control lists (ACLs) on routers and switches. Implement an intrusion detection system (IDS). Deploy anti-virus protection on servers and email gateways.

Inside the perimeter, examine your demilitarized zone (DMZ). Harden all servers, change all default passwords, and disable unnecessary services and protocols. Consider host-based IDS on critical systems. Check account permissions, file permissions, and trust relationships.
