| Tech Talk |
"Beat the Worm:" A Guide to Mitigating Critical Flaws, Part III
Exploitation and Propagation
Worm writers can gain access to critical information by leveraging a user or software flaw. One of the most common and fastest ways to accomplish this is through an exploit. Exploits are most successful when a machine is "worm-ready" because of an unpatched or flawed system. The reliability of exploitation depends directly on the vulnerability class of the security flaw and on the dynamic nature of the software application being exploited. Exploits for heap-based buffer overflows are typically less reliable, because the exploit has to cope with more runtime variation to take advantage of the flaw successfully. As hacking techniques that increase exploit reliability become more widely available, so will the security holes that are worm-ready — possibly resulting in a zero-day attack.
One critical factor that worm writers take into consideration is the potential for successful propagation. For example, if the security flaw can only be exploited over a port that is usually filtered by routers or firewalls, then the risk of extreme propagation is much lower. If the flaw can be exploited over a common protocol that is permitted into and out of most networks, the threat level increases. Sometimes flaws are discovered that can be exploited over multiple protocols. These vulnerabilities are extremely severe, and the risk of heavy propagation is imminent.
Rate of Propagation
Although a worm's designers may give some thought to how far it could spread, the true rate of propagation usually can't be determined until after the worm has been released. This is due to the large number of variables involved in how fast and how far a worm can spread.
One factor that affects the spread rate of a worm is the nature of the protocol that the worm uses to propagate. Worms that propagate using TCP (Transmission Control Protocol) will infect vulnerable machines at a much slower rate than worms that propagate using UDP (User Datagram Protocol). A TCP connection requires a full three-way handshake to complete before a worm can deliver its payload. During this handshake, various timing schemes implemented in the source and target IP stacks can cause delays in connections. UDP, on the other hand, doesn't require any handshake, and timing can be entirely disregarded. Worms that propagate over UDP will typically spam out UDP datagrams at a horrendous rate, often causing huge disruptions in network services.
The major factor that influences the rate of spread of a worm is its internal structure. Each worm has a targeting mechanism that it uses to find other potential hosts to infect. This targeting algorithm may be very complex or exceedingly simple. Some worms choose targets randomly, and others have fairly complex processes for finding new targets. For instance, a worm once used probabilistic spreading by choosing hosts closer to it on the network. It made the assumption that if a host on this network was vulnerable, there were likely more to be had nearby. A good targeting algorithm will spread faster and more completely than a poor one. Additionally, each targeting algorithm follows specific timings. Some are very short, which leads to much faster propagation and denial-of-service effects on the underlying infrastructure.
Scale of Propagation
Scale of propagation deals with the theoretical and actual limit of how many devices a worm can infect. Much like rate, scale has numerous variables that can greatly affect worm spread.
First, the nature of the vulnerability must be taken into consideration. Vulnerabilities fall into numerous classes. The best for worm propagation so far have been buffer overflow attacks. Even in this category, there have been numerous different levels of difficulty in creating a stable exploitation technique that will guarantee high degrees of exploit success. In many cases, different operating systems, different service packs, and different applications can make a single unified exploit unlikely or exceedingly difficult.
Next, we need to be able to estimate the number of affected hosts. For instance, perhaps Windows XP Service Pack 1 is vulnerable, but Service Pack 2 is not. Now we need a general guess at the number of XP SP1 machines to gather our "worst case scenario". Although there are often studies attempting to discern the actual numbers of different operating systems, none seem very accurate so far. In addition, the chance of differing configurations makes this guesswork more difficult. Sometimes this number is gathered from the number of licensed users; however, this does not take into account the huge number of pirated copies of any specific operating system.
Another factor that needs to be taken into consideration for scale is the targeting algorithm. Just as it affects rate, the targeting scheme directly affects the ability of a worm to reach a large percentage of its potential targets.
Finally, we can look at the environment of the worm, including aspects such as routers, firewalls and host protections. In some cases, ISPs have completely shut down a series of ports. If a worm requires these, then spread through this ISP is unlikely or even impossible. Firewalls on the network are designed to stop unwanted traffic. Unfortunately, worms often piggyback on legitimate traffic. Firewalls can therefore reduce your exposure, but not eliminate it. Host and network protections, or intrusion prevention systems, like eEye's Blink watch each host and stop attacks before they are successful, thus keeping propagation down.
Mixing it Up
Now that we know a few factors that affect how fast and far a worm can spread, let us examine some of the ways to limit and slow them down.
- Firewalls - Limit all traffic you do not need
- Intrusion Prevention - One less system intrusion means one less system to clean up
- Diversity - Explore non-Microsoft based platforms to eliminate a worm's ability to wipe out a homogeneous network
In addition, compartmentalizing your network will allow you more control if a worm outbreak does start. Being able to cut off individual cells in your network, via "pulling the plug" or adding core routes, is of great importance in keeping your entire network up and ready. I also recommend having a secondary source to the Internet for your IT team to be able to get the latest information at all times.
Source: Ryan Permeh, Senior Software Engineer, eEye's Research Team
For more information on ways to secure your network before, during and after an attack please visit www.eeye.com.
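The rate and scale factors above (probe rate, "nearby hosts first" targeting, border firewalls, and cutting off a network cell) can be put into a small susceptible/infected simulation. This is an added illustration, not code from the newsletter or from eEye; the 2000 hosts, 10 cells, 30% vulnerable population and probe rates are constructed assumptions, and "tick" is an abstract time unit.

```python
import random

def simulate_outbreak(n_hosts=2000, n_segments=10, vuln_frac=0.3,
                      probes_per_tick=5, p_local=0.0, cross_block=0.0,
                      max_ticks=300, seed=7):
    """Susceptible/infected model of a scanning worm on a segmented network.
    Each infected host sends probes_per_tick probes per tick: with probability
    p_local to its own cell, otherwise to a random host, and a fraction
    cross_block of cross-cell probes is dropped at the cell border."""
    assert n_hosts % n_segments == 0
    rng = random.Random(seed)                  # fixed seed: repeatable runs
    cell_size = n_hosts // n_segments
    vulnerable = [rng.random() < vuln_frac for _ in range(n_hosts)]
    vulnerable[0] = True                       # patient zero lives in cell 0
    n_vuln = sum(vulnerable)
    infected = [False] * n_hosts
    infected[0] = True
    history = [1]                              # infected count after each tick
    for _ in range(max_ticks):
        newly = set()
        for h in (i for i in range(n_hosts) if infected[i]):
            cell = h // cell_size
            for _ in range(probes_per_tick):
                if rng.random() < p_local:     # "nearby hosts first" targeting
                    t = cell * cell_size + rng.randrange(cell_size)
                else:
                    t = rng.randrange(n_hosts)
                    if t // cell_size != cell and rng.random() < cross_block:
                        continue               # probe filtered at the border
                if vulnerable[t] and not infected[t]:
                    newly.add(t)
        for t in newly:                        # new victims scan from next tick
            infected[t] = True
        history.append(sum(infected))
        if history[-1] == n_vuln:
            break                              # every vulnerable host is hit
    return {"history": history, "vulnerable": n_vuln, "cell_size": cell_size}

def ticks_to_reach(result, fraction):
    """First tick at which >= fraction of the vulnerable hosts are infected."""
    for tick, count in enumerate(result["history"]):
        if count >= fraction * result["vulnerable"]:
            return tick
    return None                                # never reached within max_ticks

if __name__ == "__main__":
    for probes in (2, 20):                     # TCP-like vs UDP-like probe rate
        r = simulate_outbreak(probes_per_tick=probes)
        print(probes, "probes/tick: 90% of vulnerable hosts by tick", ticks_to_reach(r, 0.9))
```

Setting cross_block=1.0 models "pulling the plug" on the border of the infected cell: the outbreak then never leaves cell 0, which is the compartmentalization argument made above.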
| News & Articles |
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
Red Herring: eEye Selected as a Finalist for List of 100 Most Innovative Companies
"After a long and rigorous process of evaluating more than 1,200 entries from more than 900 companies, the Red Herring editorial team has chosen finalists for Red Herring's list of the 100 Most Innovative Companies. The winners will be announced at Red Herring's Fall Conference in Monterey, California on Dec. 6-8." Full Article
SearchSecurity: Enterprises Have a Role in Fighting ID Theft
"Enterprises must secure networks, carefully screen employees and keep tight control of information they collect to avoid becoming pawns in identity theft schemes, experts said at a forum sponsored by New York-based American Express." Full Article
InfoWorld: Phishing on the Increase, Group Says
"Online phishing schemes increased significantly in October as financial institutions struggled to combat attempts to steal private account information from online consumers, according to the Anti-Phishing Working Group (APWG)." Full Article
Microsoft: Five Security Bulletins Released Tuesday
"Microsoft has issued new Security Bulletins for December, describing five important issues affecting various versions of Windows and one critical (remote code execution) alert affecting Internet Explorer." Full Article
| Reader Q&A |
Q: How can I tell if a system has the correct services installed and running? And, how can I tell if unapproved services or processes are running?
A: In addition to identifying services that are running via the ports that they are using, Retina lists processes that are running on a system as well as installed services and their current status. So, to determine what processes are running at the time of a scan, look for the "Processes" section of the "Scanned IPs" information area. There you will see a list of the processes and their process ID (PID); selecting one will display the Parent Process ID, as well as the time that the process started.
To check on installed services, look in the "Services" section of the "Scanned IPs" information area. Previously, Retina determined the services running on a host via named pipes. These will still be there, but now Retina also checks by querying the Service Control Manager (SCM). For the services located this way, you'll see the short name of the service, the status (running or stopped, in brackets), and the long name. If you select one, you'll see the description in the description window. Services that are [STOPPED] are either disabled or just stopped. You can use this information to determine whether required services, such as an IDS, are running or have been stopped by a user, and in the same way check for undesired services.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.
| Announcements |
Save 20% on Additional Scanning Capacity!
Now until December 17, 2004, end users can save 20% when they purchase additional scanning capacity. For most of our customers, the past year has brought continued network growth with more systems, devices, applications, etc. – as well as mobile devices coming in and out of the environment. As such, their network has outgrown their scanner license - or is about to – with a host of vulnerabilities going unchecked. Now you can help make sure their business continues with the highest level of network vulnerability protection – and that they are able to save money at the same time.
From now until December 31, 2004, customers can expand their Retina scanner and save 20% on additional IP licenses. Contact your eEye Channel Account Manager for more details on how to get your customers in on this special end of year deal. Full Article
Upcoming Webinar: Vulnerability Expert Forum
eEye Digital Security will be hosting special web seminars focusing on the recently announced critical vulnerabilities. Prospects, customers and partners are invited to participate in these discussions with eEye's vulnerability experts, such as Marc Maiffret, where we explore the impact high-risk vulnerabilities and exploits have on network environments and infrastructures. Our experts will provide in-depth knowledge about these issues and the solutions eEye Digital Security provides to detect and protect against current and future critical security weaknesses.
Date/Time: US: Wednesday, December 15 @ 1pm PST / 4pm EST
Date/Time: Europe: Thursday, December 16 @ 15:30 London Time
Full Article
Coming Soon: Retina Network Security Scanner 5.1 and REM 2.1
Join this live webinar to see a live demonstration of eEye's Retina Network Security Scanner version 5.1 and how it delivers the most comprehensive scanning capabilities and seamlessly integrates with the REM Security Management Console into a unified threat management solution.
Date/Time: US: Thursday, December 16 @ 10am PST / 1pm EST
Full Article
Release: Blink Eliminates the Threat of WINS Zero-Day Attacks
Industry's Most Comprehensive End-Point Security Solution Protects Enterprises from the Unpatched WINS Critical Security Vulnerability and Allows Enterprises to Properly Plan the Upgrade of Unsupported Operating Systems. Full Article
| Etcetera |
Computerworld: New Security Standards to Strengthen SCADA
The security of critical-infrastructure processes, long festering as a thorny issue in securing everything from food and water to energy and transportation, will be getting a boost from proposed standards for industrial controls. More
PCWorld: Online Identity Theft: Many Medicines, No Cure
As the incidence of online identity theft has steadily climbed in recent months, banks and online retailers have struggled to stay on top of the problem and to protect their customers, whose personal financial information and online account details are coveted by criminals. More
HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html
FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.
DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.