To Trap a Superworm

[InfoSec News <isn () c4i org>]

http://www.businessweek.com/technology/content/feb2003/tc20030225_4104_tc047.htm

By Alex Salkever 
FEBRUARY 25, 2003 
SECURITY NET 

The Slammer worm's ability to spread so rapidly adds a frightfully new
dimension to the species. Does Stuart Staniford have the cure?

Fear the superworms. They're coming, and you can't escape. All you can
do is contain the damage. That's the message Stuart Staniford has for
the computer-security world. A co-founder of information-security
company Silicon Defense in Eureka, Calif., Staniford has studied worms
for many years as a respected researcher and innovator in the arena of
intrustion detection. Such systems can help network administrators
spot intrusions and prevent damage or security breaches to linked
computers at corporations, universities, and government agencies.

Some past worms such as CodeRed and Nimda have proven to be notable
nuisances to network administrators. A worm is a small program that
contains code for self-replication using unprotectd computers tied
together over networks. Worms usually do bad things, such as using up
a computer's processing resources, crashing systems, and possibly
inserting spyware that can later be accessed to remotely control a
compromised network.

SOLITARY CONFINEMENT.  According to Staniford, though, the so-called
Slammer worm that was unleashed on Jan. 24 heralds a new and difficult
era of blazingly fast-spreading worms. And he claims Silicon Defense
has devised a useful way to protect against them. On Feb. 24 it rolled
out a hardware device dubbed CounterMalice, which aims to stop
superworms by segmenting computer networks into compartments and
monitoring each compartment for infections. If CounterMalice spots
signs of an infection, it can isolate the offending compartments, like
a ship commander sealing watertight doors to contain the damage on a
leaking vessel.

Though not a cheap solution at $25,000 per device, CounterMalice could
prove worth the price if it can prevent worms from bringing down a
company's network.

Until Jan. 24, superworms were found only in speculative white papers
but never in the wild. According to Staniford and many others, Slammer
crossed the Rubicon into superworm territory. It used a so-called
buffer overflow attack to overwhelm Microsoft SQL database products by
jamming 376 bytes into an input field designed to handle far less
data. The Slammer worm would then take over the crippled database
product and start sending out scans in an attempt to infect other
Microsoft (MSFT ) database products.

LITTLE REACTION TIME.  CodeRed and Nimda caused lots of problems. But
they were far less virulent. According to an analysis by some of the
top researchers in computer worms, including Staniford, the Slammer
infection doubled in size every 8.5 seconds. A Slammer-infected server
could spew out tens of thousands of data queries per second, easily
stopping traffic on a 100-megabit connection serving an entire midsize
corporation. Slammer had infected 90% of all vulnerable servers
worldwide within 10 minutes.

In some corporations, system engineers literally had less than a
minute to react before Slammer thoroughly bogged down their network
and left them unable to manage their machines.

As a result, Slammer gummed up not just corporate networks but the
general economy worldwide. Bank of America (BAC ) automated teller
machines stopped dispensing cash after BofA's Microsoft databases were
overwhelmed. Continental Airlines (CAL ) had trouble with its
online-booking and eTicket systems. Phone companies in Korea claimed
customer could get no dial-tone.

CELL DIVISION.  The havoc wreaked by Slammer was far more widespread
than that of any past worms. Microsoft had released a patch in the
summer of 2002 that addressed the vulnerability that Slammer
exploited, but not all systems administrators had installed it. Some
claimed it disabled other key functions on their machines. And
Microsoft itself had problems containing a Slammer outbreak on its
internal network.

Which points to the basic premise of CounterMalice. Worms enter
computer networks by various means. Superworms move so fast that all
existing defenses, save pulling the plug on the computer, are useless.  
Even the best antivirus company won't have a new virus definition out
in less than an hour. Same holds for the attack signatures that
intrusion-detection systems use. And, as Slammer illustrated, all it
takes is one infected machine to effectively cripple an entire
network. Due to a superworm's speed, system administrators might have
mere seconds to react.

Staniford claims that CounterMalice will work that quickly because of
the way it divides a network into cells and then monitors each cell
for abberant behavior that could indicate a worm infection. "A
computer may be [sending data queries to] computers that it hasn't
talked to before. A computer may be talking to places that are not
live. Or the sequence of data queries might be unusual," says
Staniford. The above traits could indicate an infected node on a
network making efforts to spread a worm.

"LOST CONTROL."  For example, Slammer fired out queries to randomly
generated Internet protocol addresses (the unique number identifier
carried by each device on a network). So the machines it infected
certainly tried to talk to computers that weren't turned on and to
machines they had never tried to communicate with before.

Once CounterMalice spots a worm, it automatically isolates the
machines in the cell and blocks the specific services the worm is
using to spread (Slammer used port 1434, the standard designated port
for some Microsoft SQL Server queries). By quarantining the offending
machines, CounterMalcie gives systems administrators a chance to
protect the rest of their networks and prevent major outages.

"With Slammer, people lost control of their networks altogether
because they couldn't get to the management consoles in time. Our goal
is to prevent the worm from spreading and then make the patching and
cleanup relevant again," says Staniford.

"DIFFICULT TO TEST."  A big question is: How much will CounterMalice
itself affect network performance? In the past, computer-security
systems searching for behavioral red flags tended to slow down
networks or return a lot of false-positive readings. This happened
because of the amazing complexity of today's networks and engineers'
inability to account for all scenarios and create truly accurate
behavioral models.

The big proof will come when the next superworm actually hits and
Silicon Defense customers can prove CounterMalice works -- or doesn't.  
The company couldn't provide any customers to testify to
CounterMalice's performance to date, but Staniford has a solid
reputation in the field. "The approach relies heavily on an
enterprise's ability to compartmentalize their network, which makes
great sense for any security program. But will it be able to identify
the next worm? I think it's a valuable idea that will be difficult to
test until the next worm hits," says Peter Lindstrom, research
director for consultancy Spire Security in Malvern, Pa.

Computer-security analysts say CounterMalice isn't likely to remain a
stand-alone system for long and will probably be wrapped into either
intrusion-detection systems, antivirus software, or other types of
network defenses. Staniford says Silicon Defense is in talks with some
big computer-security companies regarding CounterMalice but won't name
names. The next attack will certainly put his product to the test.  
With luck, it could also make Staniford known as the man who corralled
the superworm.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.