Worm that Turned
First Published: X-Force Monthly Magazine
As expected, the first major vulnerability this year (2006) within a Microsoft
operating system that was exploitable through a default, network-accessible
service had the exploit writers pulling out all the stops to be first on
the block with working exploit code. Within days the virus and worm writers
had half a dozen exploit examples for the Plug and Play vulnerability
and were updating their creation kits with them. By the weekend the
first worms were already on the net seeking vulnerable prey.
It was inevitable that this would happen, and the press I spoke with
earlier that week were eager to promote the prospect of a worm that would
“take down the net” just as Slammer and Blaster had years before.
That was never going to happen: security has moved on, even if only
grudgingly. Importantly, the most popular home operating systems
were not easily exploitable from the Internet, so propagation was
always going to be a problem for a worm.
I received the first notifications of worm release halfway through the
weekend and had the opportunity to track all the permutations of the
various worms as the battle between worm writers and security professionals
evolved. Each time someone had analyzed the behavior of one flavor of
worm and was able to monitor its propagation, the worm changed and the
analysis had to start again.
The propagation methods this time were considerably different from those of
the high-profile worm attacks of the past. These worms were more
like bots: they had separate command and control mechanisms and were packed with
tools to slice their way into vulnerable networks given half a chance.
Where previous worms used a single vulnerability to compromise
hosts and self-propagate, these bot worms carried several different
kinds of exploit material. The two are as different as a steak knife is from a
Swiss army knife.
The change in tactics threw quite a few security teams as they tried to
analyze what was happening to their networks and struggled to understand the
almost hourly changes in the worm they thought they were watching.
Many organizations were initially flooded with anti-virus detection alerts
about a worm several months old, because the worm writers had recycled an
earlier, successful worm engine and updated only its exploit module with the Plug
and Play attack code. Once the worm owners started tuning the
bot components, however, a lot of organizations lost visibility of the worm until new
anti-virus signatures were applied to their monitoring agents, and they had to
repeat this process with each new bot worm variation.
Organizations that were using security solutions that triggered on
the use of vulnerability exploit material and on certain
protocol anomalies were the first to detect (and stop) the new bot worms.
Even so, their security teams had to decipher a mix of different
alerts and statistical data to understand the nature of the attack that
was under way, and it took quite some time before they were in a position to
understand the complexities of what was happening. In many
cases this understanding was hampered by the information anti-virus
companies were publishing about the worm, which failed to explain the Swiss-army-knife
nature of the updatable bot components.
A lot of security teams expected to detect Plug and Play exploit
attacks as the indicator of the worm everyone was talking about. Instead they
detected other exploits, used by the bot worm in an attempt to
propagate around the internal network as staff connected via the corporate VPN
tunnels, or plugged laptops that had been infected over the weekend into the
network in the morning.
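The detection gap described above, shown as an added example that is not part of the original article: an alert-correlation rule that groups IDS alerts by source host and flags any host using several different exploit modules against several targets in a short window, instead of filtering for the one Plug and Play signature. The alert line format, the signature names and the sample alerts are all constructed for this example and do not come from any real sensor or product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS alerts (not from a real sensor), one per line:
#   <HH:MM:SS> <src-ip> <dst-ip> <signature-name>
# Signature names are made up for this example. Scenario:
#   10.0.5.23  laptop infected over the weekend, now on the LAN, using two
#              different exploit modules against several hosts (no PnP hits)
#   10.0.5.77  a single, isolated exploit alert (noise)
#   10.0.5.90  a scanner hitting many hosts with one signature only
#   172.16.9.5 VPN host that does fire the PnP signature, plus another exploit
SAMPLE_ALERTS = """\
08:01:02 10.0.5.23  10.0.5.40 EXPLOIT_RPC_OVERFLOW
08:01:05 10.0.5.23  10.0.5.41 EXPLOIT_SMB_BRUTEFORCE
08:01:09 10.0.5.23  10.0.5.42 EXPLOIT_RPC_OVERFLOW
08:02:30 10.0.5.23  10.0.5.43 EXPLOIT_SMB_BRUTEFORCE
08:03:10 10.0.5.77  10.0.5.40 EXPLOIT_RPC_OVERFLOW
08:05:00 10.0.5.90  10.0.5.40 SCAN_TCP_445
08:05:01 10.0.5.90  10.0.5.41 SCAN_TCP_445
08:05:02 10.0.5.90  10.0.5.42 SCAN_TCP_445
08:05:03 10.0.5.90  10.0.5.43 SCAN_TCP_445
08:20:00 172.16.9.5 10.0.5.40 EXPLOIT_PNP_OVERFLOW
08:20:04 172.16.9.5 10.0.5.41 EXPLOIT_RPC_OVERFLOW
"""

PNP_SIGNATURE = "EXPLOIT_PNP_OVERFLOW"  # constructed name for the headline exploit


def parse_alerts(text):
    """Parse the constructed alert format into (time, src, dst, signature) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sig = line.split()
        alerts.append((datetime.strptime(ts, "%H:%M:%S"), src, dst, sig))
    return alerts


def hosts_firing_signature(alerts, signature=PNP_SIGNATURE):
    """The naive view: 'the worm' is whoever triggers the exploit everyone expects."""
    return {src for _, src, _, sig in alerts if sig == signature}


def multi_exploit_hosts(alerts, window=timedelta(minutes=5),
                        min_signatures=2, min_targets=2):
    """Flag sources that use several distinct exploit signatures against several
    distinct targets within one time window, whatever those exploits are.
    Returns {src: sorted list of signatures seen in the first qualifying window}."""
    by_src = defaultdict(list)
    for alert in alerts:
        by_src[alert[1]].append(alert)
    flagged = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a[0])
        # Slide a window starting at each alert; O(n^2) per host is fine here.
        for i, (start, _, _, _) in enumerate(items):
            in_window = [a for a in items[i:] if a[0] - start <= window]
            sigs = {a[3] for a in in_window}
            targets = {a[2] for a in in_window}
            if len(sigs) >= min_signatures and len(targets) >= min_targets:
                flagged[src] = sorted(sigs)
                break
    return flagged


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("PnP signature only:", sorted(hosts_firing_signature(parsed)))
    for host, sigs in sorted(multi_exploit_hosts(parsed).items()):
        print("multi-exploit source:", host, sigs)
```

Run against the constructed alerts, the single-signature filter sees only the VPN host, while the multi-exploit rule also catches the infected laptop that never touched the Plug and Play exploit and ignores the one-signature scanner; tune `window`, `min_signatures` and `min_targets` to the alert volume of the network being watched.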
Hopefully a lot of these security teams have learned from the experience and
will be better prepared for the next bot worm. Unfortunately I think
that the bot worm creators learned a lot more and are already tuning their
engines in preparation for the next “good” exploit to be released.
1) Always keep your security protection tools current with
the latest updates and signatures. During an outbreak you may need to
update some tools hourly to keep up with the threat.
2) Take care when relying on the first information
releases about an attack. There is a lot of pressure on some security
organizations to release less exhaustive information in their effort to be
3) Time is becoming ever more critical in securing a
network. Ensure that security intelligence news feeds are reviewed
daily to keep up with current threats.