Worms Could Slip Through Detection Nets - InformationWeek


Future worms may be able to slip through the early warning networks deployed by the likes of SANS Internet Storm Center and Symantec, researchers from the University of Wisconsin said Friday.

But experts from Internet Storm Center and Symantec discounted the impact of the researchers' proposed evasion tactics.

In an award-winning paper presented earlier this week at the Usenix Security Conference, three computer scientists from the University of Wisconsin-Madison said that attackers could launch a widespread probe of the Internet, then use the publicly-available data of the detection networks to identify individual sensors. A worm that encodes those IP addresses could conceivably sneak through the early warning networks, which are used by government and private enterprise to warn of unusual activity or developing attacks.

The whole purpose of these networks -- which include the one maintained by the SANS' Internet Storm Center and Symantec's DeepSight Threat Network -- could be undermined.

"The danger is to the service that these systems provide," said John Bethencourt, the researcher who presented the paper. "They now provide a useful service, but an attack like we outline could make them no longer useful."

Maintaining secrecy is crucial to a detection network, for obvious reasons, said Bethencourt. But the algorithm he and his co-workers -- Jason Franklin and Mary Vernon -- developed can easily sniff out sensors.

"It's definitely feasible," he said.

Their tactic involves sending data packets to all the Internet's IP addresses, then monitoring the public reports produced by the detection networks to see which addresses produce activity. "It basically determines which address they're monitoring," Bethencourt said.

The researchers laid out three scenarios, each with more systems contributing to the probes. In the fastest of the trio, which approximated a bot network of some 2,000 machines -- large as botnets go, but not unheard of -- all a network's sensors could be mapped in under three days.

Using fewer bots -- say 200 compromised home machines with broadband connections to the Internet -- an attacker could map sensors in about five days, said Bethencourt.

It would also be possible to use this technique and algorithm to spot honeypots, the computers purposefully left unprotected by anti-virus and anti-spam researchers in the hopes of capturing samples of worms, spyware, and spam.

The three researchers paid particular attention to the SANS Internet Storm Center's network, in part because it's one of the largest and most difficult to map, said Mary Vernon, one of the three Wisconsin academics. In fact, SANS was used as the focus of one case history in the paper where the researchers detailed how they simulated a probe attack.

The simulation showed that a detection network like SANS' could be probed and sensors identified in less than a week, or if enough bandwidth could be organized -- say as a bot network -- in as little as 70 hours.

"Previously, it was unknown how quickly a network could be mapped," said Vernon. "Our algorithm makes the mapping as efficient as possible."

But neither the Internet Storm Center nor Symantec -- which runs a similar detection network, called DeepSight -- was worried that the research paper will put their tripwire systems out of business.

"I hope someone does write a worm that excludes all of our sensors," said Johannes Ullrich, chief research officer of the SANS Internet Storm Center. "Because it means if you have sensors on your network, you're not going to be attacked."

"It is feasible," admitted Alfred Huger, the senior director of engineering for Symantec's security response team, "but would someone do it? Even if they did, [the researchers' ideas] are predicated on an attacker writing a worm using this, which they won't, and likely for good reason: it would dramatically decrease the target set of the worm."

Both Ullrich and Huger noted that by detecting sensors and excluding them from an attack, an attacker would blacklist whole swaths of the Internet. "They may be just three IP addresses seen through a company's firewalls," said Huger, "but they could represent thousands of systems. Excluding those addresses would protect all those machines."

"Excluding sensors would exclude whole universities and ISPs," Ullrich agreed.

Not to mention that the whole idea is, well, a bit behind the times, said Huger.

"Worm writers aren't writing these large-scale worms that go out and attack the entire Internet anymore," Huger said. "I don't think we'll ever see the likes of Slammer or MSBlast at the same volume as we once did. They're doing smaller, more targeted attacks now."

Bring it on, both Ullrich and Huger said.

"What this means, if this was used, was that if you have a sensor on your network, you're not going to be attacked," Ullrich said.

Adding one's network to a sensor system like DeepSight "will be like putting an Acme Burglar Alarm Co. sign on the front lawn," added Huger. "I can see how this news would only bolster the sensor base."
