Will a smart worm be made in the near future?

From: Taeho Oh (ohhara@postech.edu)
Date: Wed May 05 2004 - 03:03:52 CDT


Will a smart worm be made in the near future?

Nowadays, many bugs are found in software and many worms are made in a
short time. Fortunately, until now the worm usually doesn't destroy any data in
the PC. And it's very easy to know something is wrong in the PC or network,
because the network speed slows down quickly when PCs are infected by a worm.
However, I think it will not be true in the future.

I just tried to think about a smart worm scenario.

1) The worm doesn't cause network slowdown.
Usually, the worm uses a lot of network bandwidth and causes a kind of denial
of service effect. It is because the worm tries to infect other PCs very fast.
But I think if the worm uses a P2P technique and exchanges the infected PC list
with other worms, the network load can be reduced significantly and the network
will work ok. Surely, a sanity check is needed to check that the infected PC
list is not spoofed. I think the worm which doesn't cause a denial of service
effect is more dangerous than the worm which causes a denial of service effect,
because usually it's not detected easily.

2) The worm destroys the data severely.
If the worm destroys the critical data in every PC at the same time, it may be
a disaster. What is the critical data? Someone may think of the Windows system
DLLs or some important boot configuration files. But I think the important
data is the recently modified files. The worm keeps a recently modified file
list and overwrites the files with garbage data at the same time. And how do
you feel if the worm deletes all ".c", ".cpp", ".h", ".doc", ".xls", ".txt",
mailbox and database files and doesn't touch any ".exe", ".ini", ".dll" in
your hard drive?

3) The worm destroys the hardware severely.
Many people will ask about this, "is it really possible?". The answer may be
yes or no. As you know, many hardware vendors support firmware upgrades. It
means that if the worm wants to delete the firmware, it can do it. How do you
feel if the worm deletes the firmware of the motherboard BIOS, video card, hard
drive, CD/DVD-ROM drive? You may not be able to use the hardware unless you
send it to a/s.

4) The worm upgrades itself.
The worm programmer sends updated exploit code to the worm, which upgrades
itself and distributes the update to other worms by using a P2P technique.
Surely, a sanity check is needed.

5) The worm hides itself.
The worm can hide itself. For example, it is not seen by Task Manager or
Explorer.

I think there are many other possible techniques to make the worm smart. I am
not sure everything I mentioned here is technically possible. But in my
opinion, it's possible. What can we do to protect our PCs from those kinds of
smart worms?

--
Taeho Oh ( ohhara@postech.edu, ohhara@plus.or.kr ) http://ohhara.sarang.net
Postech ( Pohang University of Science and Technology ) http://www.postech.edu
PLUS ( Postech Laboratory for Unix Security ) http://www.plus.or.kr