Q&A With 'Wormologist' Vern Paxson

One of the industry's foremost worm experts, Paxson developed the open-source intrusion-detection tool Bro and has conducted studies on the genesis and propagation of worms and other malware.

InformationWeek Staff, Contributor

September 20, 2005

4 Min Read
InformationWeek logo in a gray background | InformationWeek

Vern Paxson

Senior scientist at the International Computer Science Institute, University of California-Berkeley, and staff scientist at Lawrence Berkeley National Laboratory

Paxson, one of the industry's foremost worm experts, developed the open-source intrusion-detection tool Bro and has conducted studies on the genesis and propagation of worms and other malware. He was recently named to the advisory board of start-up ConSentry Networks, which has developed a next-generation, hardware-based IDS.

How did you become a renowned 'wormologist'?

In part, it was luck. When Code Red came out in 2001, it was fascinating to observe it from the Bro tool, and [the International Computer Science Institute] had forensic logs from it at Lawrence Berkeley National Laboratory. We knew every single probe from the worm, and that allowed me to study its progress. We got Code Red 2 just a couple of weeks later, and then Nimda six weeks later, and it was fascinating seeing all the worms interacting. We had this very rich data ... including an estimate of the total size of the worm, with upward of 300,000 infected [machines].

How have worms evolved since the first one, written in 1988 by Robert T. Morris?

It's easier to create them now because there are more toolkits. But the evolution of worms has been surprisingly slow. Slammer in 2003 was different, though--the entire worm fit into a single packet and was connectionless, so it could go fast. It wasn't anything anyone had predicted.

Aside from its historical precedent, what was so special about the Morris worm?

That worm was brilliantly built and remains the best-designed one ever. It had multiple modes, which we later saw with Nimda are very effective. And it had topological scanning ... It went through the information on the locally infected machine to try to find other machines. The Morris worm also came with its own built-in password cracker.

Where do worms go from here?

A big threat is the commercialization of malware. The lay of the land is changing, from the equivalent of vandals doing their work to people who will commoditize malware and use it to make money. The rise of this commercially motivated attacker is very disturbing, and inevitable. There's a paper in the research world that talks about how you can specialize in just doing the worm technology without being involved in the exploitation of it.

There's going to be some sort of black market where criminals hook up with people with worm access. Also on [the horizon] are blended threats, where a malware writer puts together viruses and botnets and uses a botnet to propagate the keylogger that then feeds into your encrypted point-to-point network and extracts all the goodies.

Are there worms against which we can't defend?

We published a paper for DARPA [Defense Advanced Research Projects Agency] on the worst-case scenario of a worm. We sketched how it's not implausible that a worm could get 10 million to 15 million desktops in a day. But we could not resolve the question of how much damage this type of worm would really inflict. Still, we're racing against the clock. If I see tomorrow that some huge worm has hit, it won't surprise me.

What scares you most about worms?

The worms that don't randomly scan--topological worms, which get their target information separate from scanning. And detection-scanning worms--in particular, the ones that can go after Windows or Cisco vulnerabilities. The recent brouhaha over executable code on Cisco routers gave a lot of people pause. If we had a Cisco exploit, it could really do damage. Also in the back of my mind is cyberwarfare. You'd be a fool if you were in the modern military and not planning for cyberattacks and working on defenses to it.

What about viruses?

Viruses seem like old news today because there's still a huge class of them that don't show much innovation. They're just variants. But I would expect viruses to be a key part of blended attacks, where a virus would be used to cross a firewall, for example.

What's the danger of going overboard with security?

There's going to be a huge struggle over control of the Internet, which is driven by concerns about security, intellectual property and politics. This could unfold in a lot of ways that wouldn't be pretty. The key question is, can we have an architecture so we get security control without losing the infrastructure and its real power? Regulating that traffic must terminate at a proxy that must be able to see your traffic in clear text to see if the text is allowable, for instance. Now you've created an incredible point of control that has obvious uses for going after criminals, but it also [breeds] political repression and commercial gain, good or bad.

There's a new National Science Foundation initiative to rethink Internet architectural notions. [The International Computer Science Institute] and other institutions are thinking about how to get funded to look at new security architectures that provide these controls that are needed, but in a way that doesn't throw out the baby with the bathwater.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights