
Worms Could Slip Through Detection Nets

Future worms may be able to slip through the early warning networks deployed by the likes of SANS Internet Storm Center and Symantec, researchers from the University of Wisconsin said Friday.

But experts from Internet Storm Center and Symantec discounted the impact of the researchers' proposed evasion tactics.

In an award-winning paper presented earlier this week at the Usenix Security Conference, three computer scientists from the University of Wisconsin-Madison said that attackers could launch a widespread probe of the Internet, then use the publicly available data of the detection networks to identify individual sensors. A worm that encodes those IP addresses could conceivably sneak through the early warning networks, which are used by government and private enterprise to warn of unusual activity or developing attacks.

The whole purpose of these networks -- which include the one maintained by SANS' Internet Storm Center and Symantec's DeepSight Threat Network -- could be undermined.

"The danger is to the service that these systems provide," said John Bethencourt, the researcher who presented the paper. "They now provide a useful service, but an attack like we outline could make them no longer useful."

Maintaining secrecy is crucial to a detection network, for obvious reasons, said Bethencourt. But the algorithm he and his co-workers -- Jason Franklin and Mary Vernon -- developed can easily sniff out sensors.

"It's definitely feasible," he said.

Their tactic involves sending data packets to all the Internet's IP addresses, then monitoring the public reports produced by the detection networks to see which addresses produce activity. "It basically determines which address they're monitoring," Bethencourt said.

The researchers laid out three scenarios, each with more systems contributing to the probes. In the fastest of the trio, which approximated a bot network of some 2,000 machines -- large as botnets go, but not unheard of -- all a network's sensors could be mapped in under three days.

Using fewer bots -- say 200 compromised home machines with broadband connections to the Internet -- an attacker could map sensors in about five days, said Bethencourt.

It would also be possible to use this technique and algorithm to spot honeypots, the computers purposefully left unprotected by anti-virus and anti-spam researchers in the hopes of capturing samples of worms, spyware, and spam.

The three researchers paid particular attention to the SANS Internet Storm Center's network, in part because it's one of the largest and most difficult to map, said Mary Vernon, one of the three Wisconsin academics. In fact, SANS was used as the focus of one case history in the paper where the researchers detailed how they simulated a probe attack.

The simulation showed that a detection network like SANS' could be probed and sensors identified in less than a week, or if enough bandwidth could be organized -- say as a bot network -- in as little as 70 hours.

"Previously, it was unknown how quickly a network could be mapped," said Vernon. "Our algorithm makes the mapping as efficient as possible."

But neither the Internet Storm Center nor Symantec -- which runs a similar detection network, called DeepSight -- was worried that the research paper will put their tripwire systems out of business.

"I hope someone does write a worm that excludes all of our sensors," said Johannes Ullrich, chief research officer of the SANS Internet Storm Center. "Because it means if you have sensors on your network, you're not going to be attacked."

"It is feasible," admitted Alfred Huger, the senior director of engineering for Symantec's security response team, "but would someone do it? Even if they did, [the researchers' ideas] are predicated on an attacker writing a worm using this, which they won't, and likely for good reason: it would dramatically decrease the target set of the worm."

Both Ullrich and Huger noted that by detecting sensors and excluding them from an attack, an attacker would blacklist whole swaths of the Internet. "They may be just three IP addresses seen through a company's firewalls," said Huger, "but they could represent thousands of systems. Excluding those addresses would protect all those machines."

"Excluding sensors would exclude whole universities and ISPs," Ullrich agreed.

Not to mention that the whole idea is, well, a bit behind the times, said Huger.

"Worm writers aren't writing these large-scale worms that go out and attack the entire Internet anymore," Huger said. "I don't think we'll ever see the likes of Slammer or MSBlast at the same volume as we once did. They're doing smaller, more targeted attacks now."

Bring it on, both Ullrich and Huger said.

"What this means, if this was used, was that if you have a sensor on your network, you're not going to be attacked," Ullrich said.

"It'll be like putting an Acme Burglar Alarm Co. sign on the front lawn," added Huger of adding one's network to a sensor system like DeepSight. "I can see how this news would only bolster the sensor base."
