Posted on Wednesday, October 29th, 2008

Morris Worm to MS08-067 - 20 Years of Evolution

by Danny McPherson

Sunday, November 2, 2008 marks 20 years since the Morris Worm, oft referred to as The Great Worm, was released by Robert Tappan Morris (RTM). Estimates suggested the worm, exploiting buffer overflow vulnerabilities in BSD-derived Unix systems, infected ~10% of the Internet’s hosts at the time, which encompassed anywhere from 80k total systems by some estimates, to more than a million by others. A couple of weeks after the release of the worm, Eugene H. Spafford provided The Internet Worm Program: An Analysis.

Just last week, Microsoft released an out-of-cycle patch for a wormable vulnerability, Microsoft Security Bulletin MS08-067, for which exploits have already been seen in the wild. The vulnerability, [also] a buffer overflow in an unauthenticated Windows SMB file sharing session, namely on TCP ports 139 or 445, is already experiencing some activity uptick. Fortunately, for some potentially vulnerable systems, such as Windows XP SP2 with its default-enabled firewall configuration, the firewall may well mitigate the threat to those systems.

Perhaps what’s most interesting is that today people find stupid Microsoft vulnerabilities pretty regularly: memory corruption issues in random post-auth services that are extremely hard (or impossible) to exploit. MS08-067 was a crazy anomaly, and even 5 years ago, who would have thought we’d be saying exploitable pre-auth network memory corruption bugs in Windows are a crazy anomaly?

Considerable strides have been made in securing operating systems over the past decade to protect against these types of threats, many of which ran wild over the past two decades. However, common protection approaches to these threats often involved restricting or disabling network services, either on the end systems, or in the network itself. The unfortunate reality is that the openness and end-to-end (e2e) model that contributed so considerably to the Morris Worm, and the Internet’s success alike, is seemingly going the way of the buffalo. Out of the box configurations in most modern operating systems now enable firewalls by default, and middleboxes such as firewalls, network address translators (NATs) and proxies are the norm, driven by both security and network architecture or scalability requirements. What this means is that new network applications being developed can’t work on new ports or employ new IP-based transport protocols, so they’ve got to piggyback on existing “open” ones (e.g., IPSEC v. TLS). The nearing exhaustion of IPv4 address space, and the adoption of IPv6, which is not bits-on-the-wire compatible, only exacerbates the transparency problem, as Geoff Huston observes in this article aptly titled The End of End to End?

The threat landscape has changed considerably over the past two decades:

  • from the initial disruptive and annoying worms and low-volume targeted compromises
  • to lots of noisy worms, viruses and loud chest thumping in an exploit’s solely destructive wake
  • to high-volume below-the-radar client-side attacks that not only enable full remote administration and complete victim system molestation, but also automate patching of victim systems upon compromise so as to avoid cross-infections and recruitment or take-over by other miscreants, and auto-organize bot partitions based on function (e.g., DDoS nets, spambots, clickbots, etc.), connection speed, geo-location, etc.

Today the motivation is typically either money or national security. When a miscreant anywhere on the Internet can lift hundreds of financial credentials from a housewife in Cairo, or just as easily from Nicolas Sarkozy, and certainly easier and with far less risk even than lifting a single wallet on a subway, all in a matter of seconds, and moments later cash’m for a new pair of sneakers, or swap’m for something more to his liking, the stakes have changed. And then there’s the asymmetric warfare and cyberwar chatter, and all those sexy related descriptors, mainly things that impact now critical Internet infrastructure availability and are extremely difficult to attribute to an individual, organization, or nation-state.

According to this 1990 NY Times article by John Markoff, Anne Morris, RTM’s mother, said, “I still don’t feel that in any way, shape or form my son is a felon.” Well, a crime is a crime, whether it’s perpetrated on the sidewalk, or online, and the pain resulting from online criminal activity, be it basic network disruptions or theft, continues to grow considerably.

So, again, what’s changed since the Morris worm? Well, the Internet itself hasn’t changed considerably, except to be farther reaching, more critical, and less open. The attention, understanding and motivations of the miscreants have clearly increased, at least as steeply as the Internet itself has grown. As for the vulnerabilities themselves, some have evolved considerably, while others not at all (but remain effective). It’s perhaps the surrounding framework, systems and employment of exploits for those vulnerabilities that have seemingly evolved the most. With more dependence on the Internet comes more and more monetary motive, and without protections for consumers, users or networks, the bounty will only get larger for the exploiters.

One Response



Comment Post by: Links for October 29, 2008 « Steve Mullen’s Blog — October 29th, 2008 @ 5:10 pm EST

[...] Morris Worm to MS08-067 - 20 Years of Evolution – Wow, it’s been 20 years! [...]
