The Worm that Turned
First Published: X-Force Monthly Magazine

As expected, the first major vulnerability this year (2006) within a Microsoft operating system - exploitable through a default network-accessible service - had the exploit writers pulling out all the stops to be the first on the block with exploit code.  Within days the virus and worm writers had half a dozen exploit code examples for the Plug and Play vulnerability and were updating their creation kits with them.  By the weekend the first worms were already on the net seeking vulnerable prey.
It was inevitable that this was going to happen, and the press I spoke with earlier that week were eager to promote the prospect of a worm that would “take down the net” just as Slammer and Blaster had years before.  However, that was never going to happen – security has moved on, even if only grudgingly.  Importantly, the most popular home operating systems weren’t easily exploitable externally over the Internet, so propagation was always going to be a problem for a worm.
I received the first notifications of worm release halfway through the weekend, and had the opportunity to track all the permutations of the various worms as the battle between worm writers and security professionals evolved.  Each time someone had analyzed the behavior of one flavor of worm and was able to monitor its propagation, the worm changed and they had to start again.
Unlike other high-profile worm attacks in the past, the propagation methods were considerably different this time.  These worms were more like bots, having separate command and control mechanisms, and packed with tools to slice their way into vulnerable networks given half a chance.  While previous worms have made use of a single vulnerability to compromise hosts and self-propagate, these bot worms were packed full of different kinds of exploit material – they were as different as a steak knife is from a Swiss army knife.
The change in tactics threw quite a few security teams off as they tried to analyze what was happening to their networks and struggled to understand the almost hourly changes in the worm they thought they were watching.  Many organizations were initially flooded with anti-virus detection alerts about a virus several months old, because the virus writers had recycled other successful worm engines and updated only the exploit module with the Plug and Play attack code.  However, once the worm owners started tuning the bot components, a lot of organizations lost visibility of the worm until new anti-virus signatures were applied to their monitoring agents… and had to repeat this process with each new bot worm variation.
For those organizations using security solutions that triggered on the use of vulnerability exploit material and certain protocol anomalies, their security teams had to decipher a mix of different alerts and statistical data to try to understand the nature of the attack that was underway.  Although they were the first to detect (and stop) the new bot worms, it took quite some time before they were in a position to actually understand the complexities of what was happening.  In many cases this understanding was hampered by the information anti-virus companies were publishing about the worm – failing to explain the Swiss-army-knife nature of the updatable bot components.
A lot of security teams were expecting to detect Plug and Play exploit attacks as the indicator of the worm everyone was talking about – but instead detected other exploits being used by the bot worm in an attempt to propagate around the network, as staff connected via the corporate VPN tunnels or plugged laptops that had been infected over the weekend into the network in the morning.
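The two paragraphs above describe the detection problem in practice: a host triggering one exploit signature against many targets looks like a classic single-exploit worm, whereas a host triggering several different exploit signatures in a short window is the Swiss-army-knife bot behaviour, and the source is often a VPN client or a laptop that arrived already infected. The following is an added example (not code from the original article or from any product it mentions) that applies that distinction to a small set of constructed IDS alert lines. The alert format, the signature names, the VPN client pool 172.16.9.0/24, the IP addresses and the thresholds are all assumptions made for the illustration.

```python
"""Classify alert sources as single-exploit worm vs multi-exploit bot activity.

Added example; the alert format (timestamp|sensor|signature|src|dst),
the signature names, the addresses and the thresholds are all assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(minutes=10)      # assumed correlation window
MIN_DISTINCT_EXPLOITS = 3           # >= this many different exploits => bot-like
MIN_TARGETS = 3                     # >= this many targets with one exploit => worm/scan
VPN_POOL = ipaddress.ip_network("172.16.9.0/24")  # assumed VPN client address pool

# Constructed sample alerts: one internal host firing three different exploit
# signatures, one VPN client hammering a single exploit at several targets,
# and one host with a lone alert.
SAMPLE_ALERTS = """\
2006-01-09T08:02:11|ids-core|PnP overflow attempt|10.20.5.17|10.20.7.4
2006-01-09T08:02:15|ids-core|LSASS overflow attempt|10.20.5.17|10.20.7.5
2006-01-09T08:02:20|ids-core|RPC DCOM overflow attempt|10.20.5.17|10.20.7.6
2006-01-09T08:03:02|ids-core|PnP overflow attempt|10.20.5.17|10.20.7.9
2006-01-09T08:10:41|ids-vpn|PnP overflow attempt|172.16.9.33|10.20.7.4
2006-01-09T08:11:05|ids-vpn|PnP overflow attempt|172.16.9.33|10.20.7.5
2006-01-09T08:11:30|ids-vpn|PnP overflow attempt|172.16.9.33|10.20.7.6
2006-01-09T09:40:00|ids-core|RPC DCOM overflow attempt|10.20.5.80|10.20.7.4
"""


def parse_alerts(text):
    """Parse pipe-separated alert lines into dicts; blank and '#' lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sensor, sig, src, dst = line.split("|")
        alerts.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "sig": sig, "src": src, "dst": dst})
    return alerts


def classify_sources(alerts, window=WINDOW):
    """For each source host, find the window with the most distinct exploit
    signatures and classify the host on exploit diversity versus target spread."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    findings = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        best_sigs, best_targets = set(), set()
        # Slide the window over this host's alerts, starting at each alert in turn.
        for i, start in enumerate(items):
            sigs, targets = set(), set()
            for a in items[i:]:
                if a["ts"] - start["ts"] > window:
                    break
                sigs.add(a["sig"])
                targets.add(a["dst"])
            if (len(sigs), len(targets)) > (len(best_sigs), len(best_targets)):
                best_sigs, best_targets = sigs, targets

        if len(best_sigs) >= MIN_DISTINCT_EXPLOITS:
            verdict = "multi-exploit bot"          # several different exploits, one source
        elif len(best_targets) >= MIN_TARGETS:
            verdict = "single-exploit worm/scan"   # one exploit sprayed at many hosts
        else:
            verdict = "isolated"
        origin = "vpn-client" if ipaddress.ip_address(src) in VPN_POOL else "internal"
        findings[src] = {"verdict": verdict, "origin": origin,
                         "exploits": sorted(best_sigs), "targets": len(best_targets)}
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:14} {f['origin']:10} {f['verdict']:26} "
              f"exploits={len(f['exploits'])} targets={f['targets']}")
```

The point of keying on exploit diversity rather than on any one signature is exactly the lesson of the paragraph above: a team watching only for the Plug and Play signature would have seen the VPN client but missed the internal host that was cycling through several other exploit modules. Thresholds and window length need tuning to the size of the network and the alert volume of the sensors in use.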
Hopefully a lot of these security teams have learned from the experience and will be better prepared for the next bot worm.  Unfortunately I think that the bot worm creators learned a lot more and are already tuning their engines in preparation for the next “good” exploit to be released.
Top Tips:
1) Always keep your security protection tools current with the latest updates and signatures.  During an outbreak you may need to update some tools hourly to keep up with the threat.
2) Take care if relying upon the first information releases about an attack.  There is a lot of pressure for some security organizations to release less exhaustive information in their effort to be “first”.
3) Time is becoming ever more critical in securing a network.  Ensure that security intelligence news feeds are reviewed daily to keep up with the current threats.

Copyright 2001-2007 © Gunter Ollmann