Worst Nightmares Come Alive
Before we start
===============
This document has been written with great care. I urge you to read the
complete document before commenting on it. Furthermore, I urge you to
think about it for a while before commenting on it. If you have
constructive comments please send them to:
roelof@cube.co.za
You may replicate this document at will - but please do not butcher it
- copy the *whole* document, and give me credit. I would also
appreciate it if you let me know where you publish it - just to keep
track of it.
Regards,
Roelof Temmingh
South Africa.
99/07/29
Index:
======
Part I: Background
Part II: Overview
Part III: Detail design
Part IV: QWRNA (Questions We Rather Not Ask)
Part I: Introduction to your worst nightmare
============================================
"I guess it was bound to happen someday - please spread the word". This
message was posted to a computer mailing list by Gene Spafford on 03
November 1988 - back in the days when the Internet, still in its
infancy, was a tool for academics and a toy for geeks. Spafford was
referring to an Internet-born computer worm (a type of self-sustaining
virus) that eventually managed to affect more than 10% of the 60,000
hosts then connected to the Internet. Despite the fact that most of the
world hadn't heard of the Internet or email before, and the fact that
the Dukakis-Bush election was just days away, the incident made it to
the front page of most major newspapers. This was not because the worm
was particularly vicious - it was actually quite benign - but because
people recognized the potential for large-scale damage the worm
represented. Were it not for a small programming error in the worm's
code it may never even have been discovered. Ten years ago the "Morris
Worm" shocked the world into realizing the fragility of the Internet.
Today, very little has changed. Despite ten years of new knowledge and
experience, the Internet today is at least as vulnerable to Morris-type
attacks as it was ten years ago. In fact, it is even more so. Consider
the following:
1. Ten years ago the Morris worm used weaknesses common to a number of
different UNIX systems to take control of the computers and propagate
itself. Today the same operating system is installed on 90% of all
desktop computers. A single program could attack all these machines.
2. Ten years ago the Internet belonged to an elite group of specialists
and professionals. They understood their computers intimately and
managed them closely. Today every home has a computer and a connection
to the Internet. The average computer user can't tell "email" from
"mpeg".
3. Ten years ago the Internet was used primarily by scientists,
researchers and academics. Today it is a major business conduit.
Billions of dollars are moved over the Internet daily in various forms
and most companies would simply not be able to do ANY business without
their IT computer systems.
The widespread use of firewalls on computer systems does little to
alleviate the risk. The threat here is not an attack from some hacker
on the Internet, but a program run unwittingly on a computer already
inside the protected network. The sections that follow show just how
feasible such a program is. While reading you will note the following
frightening truths:
- Just how relatively easy such a program is to write. Similar programs
already exist and are widely known.
- Just how easy such a program is to spread. The Internet is the
perfect mass distribution system and its strength is also its weakness.
- Just how easy such a program is to hide. The average user doesn't
understand half the processes running on the system legitimately, let
alone a program doing its utmost to conceal itself.
- Just how hard such a program is to stop. The program can spread at
the speed of light, take any form, hide itself and mutate with every
new installation. Immeasurable damage could be done before it is
eventually stopped.
- Just how ugly such a program could be. This kind of software could
bring entire sectors of industry to their knees. A well-planned
infection with malicious intent would make the Morris Virus of '88 look
like a mild case of the flu.
So what can be done to prevent this from happening? Not too much I'm
afraid. Like the citizens of a volcanic island we need to be aware,
stay alert and hope we spot the eruption early enough to prevent a
disaster. Here are some precautions a company can take:
1. Policy. The use of any unauthorized software should be prohibited.
2. User education, user education, user education. Make your users
aware of the dangers of running software from untrusted sources.
3. Audits. Perform regular checks to see what's installed and running
on your PCs.
4. Operating systems. A strong operating system with proper multi-user
support can minimize the damage done by a worm. Install Microsoft NT
rather than Windows 95 or 98. Consider using other operating systems,
like Linux or BSD.
5. Diversity. By mixing a number of operating systems one can minimize
the amount of damage a virus or worm could do. This, however,
introduces added complexity in the management of all the different
systems. Your call...
6. Network security. Firewalls, file encryption, operating system
security, etc. all make it more difficult for the would-be worm. In
particular, virus scanners and HTML, FTP and SMTP content scanners help
us weed out these kinds of threats. Consider stripping executable
attachments and other active content completely.
7. Host-based IDS. Intrusion detection systems may detect attacks
either on the network or the computers themselves.
8. Assume the worst. Plan for disasters with disaster recovery sites,
backups, and business continuity plans. Test and practice with these
systems.
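One way to carry out the regular audit of precaution 3 (an added example, not code from the original document): rather than relying on virus signatures, which a worm that mutates with every installation defeats, compare what is installed and running against a known-good baseline of (name, path) pairs and report new entries, binaries whose hash has drifted, and known names running from an unexpected location. All inventory data in it is constructed.

```python
"""Baseline audit of installed/running software (added example, not the
paper's code). Keys on a whitelist of (name, path) pairs captured while
the machine was known-good; the hash is only used to notice drift of an
already-whitelisted binary. All inventory data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str    # process or autostart entry name
    path: str    # on-disk location of the executable
    digest: str  # hex digest of the file (constructed values)


# Known-good inventory recorded at baseline time (constructed).
BASELINE = [
    Entry("explorer.exe", r"C:\WINDOWS\explorer.exe", "aa11"),
    Entry("winword.exe", r"C:\Program Files\Office\winword.exe", "bb22"),
    Entry("mailer.exe", r"C:\Program Files\Mail\mailer.exe", "cc33"),
]


def audit(baseline, current):
    """Return findings as a dict of category -> sorted list of entry names."""
    base_by_key = {(e.name.lower(), e.path.lower()): e for e in baseline}
    base_names = {e.name.lower() for e in baseline}
    findings = {"new": [], "hash_drift": [], "masquerade": []}
    for e in current:
        known = base_by_key.get((e.name.lower(), e.path.lower()))
        if known is None:
            # A familiar name from an unfamiliar path is how a worm hides
            # among processes the user already expects to see.
            category = "masquerade" if e.name.lower() in base_names else "new"
            findings[category].append(e.name)
        elif known.digest != e.digest:
            # Could be a legitimate patch; verify against change records.
            findings["hash_drift"].append(e.name)
    return {k: sorted(v) for k, v in findings.items()}


# Snapshot taken during a later audit (constructed): one unknown autostart
# entry, one changed binary, and a second explorer.exe living in TEMP.
CURRENT = [
    Entry("explorer.exe", r"C:\WINDOWS\explorer.exe", "aa11"),
    Entry("winword.exe", r"C:\Program Files\Office\winword.exe", "bb99"),
    Entry("mailer.exe", r"C:\Program Files\Mail\mailer.exe", "cc33"),
    Entry("update.exe", r"C:\WINDOWS\TEMP\update.exe", "dd44"),
    Entry("explorer.exe", r"C:\WINDOWS\TEMP\explorer.exe", "ee55"),
]

if __name__ == "__main__":
    for category, names in audit(BASELINE, CURRENT).items():
        print(f"{category}: {names}")
```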
As you read the description that follows, imagine the consequences of
the release of such an animal and ask yourself how long it will be
before we are again saying to ourselves "I guess it was bound to happen
someday..."
Continue to Part II: Overview