Thursday, August 25, 2005

Short History of Worms

I found Ryan Naraine's article "From Melissa to Zotob" to be a good summary of popular worms of the last few years.

I remember Melissa as a real wake-up call for the community. It hit on a Friday night, and the following Saturday morning my (soon-to-be) wife and I were getting engagement photos taken. My commanding officer called during the photo session and said all officers were being recalled to the AFCERT to "fight" the worm. That was an interesting weekend!

A comment in the latest SANS NewsBites by editor Rohit Dhamankar on Zotob makes a good point:

"The time from vulnerability announcement to release of [the Zotob] worm was one of the shortest seen in recent times. Patch announced August 9th (Tuesday); exploit code posted publicly August 11th (Thursday); worm started to hit on August 13th (Saturday).

Because [these] worms spread over 139/tcp or 445/tcp, [these] ports that cannot be firewalled without breaking some functionality in Windows environment. That means that even a single infected laptop brought inside an enterprise will infect all the other machines. Multiple intrusion prevention systems, as ubiquitous as switches, need to become as integral to networks."

In other words, some form of traffic inspection that filters for illegitimate traffic must be performed on every switch port to which a Windows system is connected. This is an argument for so-called "security switches." It is also an argument for hosts to be able to defend themselves.
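A minimal sketch of the per-switch-port inspection argued for above, added here as an illustration and not taken from the original post or from any product: it flags a switch port whose host opens 139/tcp or 445/tcp connections to many distinct peers within a short window. The flow record layout, port names, addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict

SMB_PORTS = {139, 445}  # the ports named in the NewsBites comment
WINDOW_SECONDS = 60     # assumed observation window
MAX_PEERS = 10          # assumed limit on distinct SMB peers per window


def build_sample_flows():
    """Constructed flows: (ts_seconds, switch_port, src_ip, dst_ip, dst_tcp_port)."""
    flows = []
    for t in range(0, 120, 10):  # normal client reusing two file servers
        flows.append((t, "Gi0/1", "10.0.0.11", "10.0.0.2", 445))
        flows.append((t + 1, "Gi0/1", "10.0.0.11", "10.0.0.3", 139))
    for i in range(40):  # infected laptop sweeping 445/tcp, one new peer per second
        flows.append((30 + i, "Gi0/7", "10.0.0.57", f"10.0.1.{i + 1}", 445))
    for i in range(40):  # wide fan-out on 80/tcp, outside the scope of this check
        flows.append((i, "Gi0/9", "10.0.0.80", f"10.0.2.{i + 1}", 80))
    return flows


def find_fanout_ports(flows, window=WINDOW_SECONDS, max_peers=MAX_PEERS):
    """Map switch_port -> (src_ip, first_alert_ts, peer_count) for every port whose
    host reached more than max_peers distinct SMB peers within window seconds."""
    recent = defaultdict(dict)  # (switch_port, src_ip) -> {dst_ip: last_seen_ts}
    alerts = {}
    for ts, port, src, dst, dport in sorted(flows):
        if dport not in SMB_PORTS:
            continue
        peers = recent[(port, src)]
        peers[dst] = ts
        for stale in [d for d, seen in peers.items() if ts - seen > window]:
            del peers[stale]  # forget peers last contacted before the window
        if len(peers) > max_peers and port not in alerts:
            alerts[port] = (src, ts, len(peers))
    return alerts


if __name__ == "__main__":
    for port, (src, ts, count) in find_fanout_ports(build_sample_flows()).items():
        print(f"{port}: {src} reached {count} SMB peers by t={ts}s, candidate for isolation")
```

A host that contacts new peers more slowly than the threshold stays under it, so a check like this complements host-level defence and does not replace it.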

2 comments:

Anonymous said...

It simply makes no sense: "Multiple intrusion prevention systems...". It's just the opposite of what you say, "Prevention Eventually Fails", and I know that "This principle doesn't mean you should abandon your prevention efforts", but going after every single vulnerability or patch is a stupid thing.
This post makes more sense in today's environment: http://www.sockpuppet.org/tqbf/log/2005/08/real-answer-to-worm-propagation.html
Or, as you have written in your book, "Defensible Networks Limit an Intruder's Freedom to Maneuver".

Dominic White said...

While Zotob's vuln-to-worm turnaround was fast, Witty's was faster, 36 hours from the vulnerability announcement.
http://singe.rucus.net/blog/archives/510-MS05-039-and-the-Zotob-summary.html