Elias Levy

Worst-Case Scenario

Its no longer enough to merely ensure that the systems we work on meet the most basic security requirements; we have to realize that in the current political climate, the threats that we previously chose to ignore - the worst-case scenarios, the one percent - can no longer be overlooked

An analysis of the Slapper worm

We can prove that the Slapper is a variation of the Apache Scalper worm by comparing the source code. Modifications introduced in the Slapper worm improved the robustness and efficiency of its predecessors simplistic P2P networking capabilities. Slappers author also removed certain features from the original-either because they were redundant or to reduce the perception that it was a tool developed to cause direct harm to networks. Among the features the author removed from the Slapper were capabilities to update itself from a remotely specified Web server (perhaps to prevent someone else from replacing this version with a new one), to attack and infect a host specified with a controlling program, and to send spans. Interestingly, the ability to execute distributed denial-of-service attacks on a controlling users behalf was kept intact. Slappers author attempted to make communications with a remote controlling program as stealthy and untraceable as possible by removing several commands to query status and obtain feedback from Slapper nodes.

Criminals Become Tech Savvy

This installment of Attack Trends looks at the growing convergence of technically savvy computer crackers with financially motivated criminals. Historically, most computer crime on the Internet has not been financially motivated: It was the result of either curious or malicious technical attackers, called crackers. This changed as the Internet became more commercialized, with more of the public going online. Financially motivated actors in the fauna of the Internets seedy underbelly—spammers and fraudsters—soon joined crackers to exploit this new potential goldmine.

The making of a spam zombie army. Dissecting the Sobig worms

On 25 June 2003, a new mass-mailing worm, Sobig.E, emerged. The worm was highly successful at infecting computer systems. It is the fifth revision of a worm that first raised its ugly head in January 2003. There is strong evidence that spammers use infected computers to relay unsolicited commercial e-mail.

Interface illusions

Phishing (the act of conning a person into divulging sensitive information) commonly uses legitimate-looking Web sites that mimic the online interface of the institution the attacker is misrepresenting (usually a bank, merchant, or ISP). One way users can tell they are viewing a false Web site is to check the Web browsers address bar: the URL should match that of the actual institution, barring any vulnerabilities that permit spoofing the address bar or some types of DNS spoofing attack. However, recent phishing scams not only spoof an institutions Web site but also spoof the browsers address bar and display the correct URL.

Crossover: online pests plaguing the off line world

During the past 10 years, several technological trends have emerged that significantly and positively affected todays world. Two in particular are noteworthy: the apparently unbounded desire to network any and all devices and deployment of Microsofts operating systems in everything from consumer PCs and business servers to embedded devices. We could well see the telecommunications boom; the rise of the Internet, and the rush to connect everything to it as one of humanitys milestones, not far removed from, that of the invention of the telephone or telegraph. Computer networking, over the Internet, particularly, has democratized the publishing of information, made massive amounts of information and services accessible to the general public, and enabled new business models. But everything has a dark side. Along with its benefits, the Internet has brought about such things as cybercrime, computer worms, online fraud, spam, and denial-of-service attacks, among other online unpleasantness. This down side is considered in the article.

Worm propagation and generic attacks

The defining task of propagating malicious code is to locate new targets to attack. Viruses search for files in a computer system to which to attach, whereas worms search for new targets to which to transmit themselves. Depending on their method of transmission, malicious code writers have developed different strategies for finding new victims. Worms transmitted via email have had great success propagating themselves because they find their next targets either by raiding a users email address book or by searching through the users mailbox. Such addresses are almost certain to be valid, permitting the worm to hijack the users social web and exploit trust relationships. In most cases, the worm will craft its own message to send to the target, but some will wait for the user to send a message and attach themselves to it. Network worms, those that attack network services, must determine their next victims IP address.