syslog
Simson Garfinkel is worried. In his thought-provoking column, "The Net Effect", in the May issue of Technology Review, he expresses concern about the computer viruses and worms seen so far. Garfinkel believes, based on the pattern of behavior seen in these attacks, that at least some of these worms are in fact elaborate proof-of-concept tests. The following is excerpted from Garfinkel's column:

"Most of these hostile programs have three parts. The first, the "exploit," is the technique the virus or worm uses to break into systems. Most exploits take advantage of a known security flaw -- for example, the classic "buffer overflow," in which an excess of incoming data corrupts the information already stored in memory. The second part, the "propagation engine," is the code that targets computers for attack. And the third, the "payload," does the actual damage.

Viewed through this morphology, the major worms that have disabled computers on the Internet -- Code Red, Nimda, Klez, and, most recently, Slammer -- share a disturbing similarity. Each one employed a novel -- and extremely effective -- propagation engine. But for exploits, all these worms have used security vulnerabilities that had been previously identified. And as for the payload: all were duds. Even though each gained so-called administrative privileges to alter the systems they infected, none used its privileges to cause mayhem.

... not a single worm or virus that we have seen in the wild -- not one -- has employed a novel exploit. That's not surprising. Unknown exploits are far too valuable to reveal in public proof-of-concept testing. Likewise, no worm has deployed a payload that caused significant damage."

The most worrisome aspect is that, as Garfinkel says, "today's lame computer worms, even with well-known exploits and dummy payloads, have shut down corporate and government networks." What might a more malicious attack do?

Hal Pomeranz (in his article in this issue of Sys Admin) speculates that "the Sendmail buffer overflow exploit announced in March will almost certainly be programmed into an automated worm within the next six months. Such a worm could do for UNIX systems what Code Red did to the Windows world -- simply because there are so many potentially vulnerable UNIX systems on the network today."

In that article, Pomeranz details some suggestions for protecting networks against this Sendmail vulnerability. I hope you find his article and others in this issue useful in making your systems more secure.

Sincerely yours,
Amber Ankerholz
Editor in Chief