To Trap a Superworm


By Alex Salkever

Fear the superworms. They're coming, and you can't escape. All you can do is contain the damage. That's the message Stuart Staniford has for the computer-security world. A co-founder of information-security company Silicon Defense in Eureka, Calif., Staniford has studied worms for many years as a respected researcher and innovator in the arena of intrusion detection. Such systems can help network administrators spot intrusions and prevent damage or security breaches to linked computers at corporations, universities, and government agencies.

Some past worms such as CodeRed and Nimda have proven to be notable nuisances to network administrators. A worm is a small program that contains code for self-replication using unprotected computers tied together over networks. Worms usually do bad things, such as using up a computer's processing resources, crashing systems, and possibly inserting spyware that can later be accessed to remotely control a compromised network.

SOLITARY CONFINEMENT. According to Staniford, though, the so-called Slammer worm that was unleashed on Jan. 24 heralds a new and difficult era of blazingly fast-spreading worms. And he claims Silicon Defense has devised a useful way to protect against them. On Feb. 24 it rolled out a hardware device dubbed CounterMalice, which aims to stop superworms by segmenting computer networks into compartments and monitoring each compartment for infections. If CounterMalice spots signs of an infection, it can isolate the offending compartments, like a ship commander sealing watertight doors to contain the damage on a leaking vessel.

Though not a cheap solution at $25,000 per device, CounterMalice could prove worth the price if it can prevent worms from bringing down a company's network.

Until Jan. 24, superworms were found only in speculative white papers but never in the wild. According to Staniford and many others, Slammer crossed the Rubicon into superworm territory. It used a so-called buffer overflow attack to overwhelm Microsoft SQL database products by jamming 376 bytes into an input field designed to handle far less data. The Slammer worm would then take over the crippled database product and start sending out scans in an attempt to infect other Microsoft (MSFT) database products.

LITTLE REACTION TIME. CodeRed and Nimda caused lots of problems. But they were far less virulent. According to an analysis by some of the top researchers in computer worms, including Staniford, the Slammer infection doubled in size every 8.5 seconds. A Slammer-infected server could spew out tens of thousands of data queries per second, easily stopping traffic on a 100-megabit connection serving an entire midsize corporation. Slammer had infected 90% of all vulnerable servers worldwide within 10 minutes.

In some corporations, system engineers literally had less than a minute to react before Slammer thoroughly bogged down their network and left them unable to manage their machines.

As a result, Slammer gummed up not just corporate networks but the general economy worldwide. Bank of America (BAC) automated teller machines stopped dispensing cash after BofA's Microsoft databases were overwhelmed. Continental Airlines (CAL) had trouble with its online-booking and eTicket systems. Phone companies in Korea reported that customers could get no dial tone.

CELL DIVISION. The havoc wreaked by Slammer was far more widespread than that of any past worms. Microsoft had released a patch in the summer of 2002 that addressed the vulnerability that Slammer exploited, but not all systems administrators had installed it. Some claimed it disabled other key functions on their machines. And Microsoft itself had problems containing a Slammer outbreak on its internal network.

That is the basic premise behind CounterMalice. Worms enter computer networks by various means. Superworms move so fast that all existing defenses, save pulling the plug on the computer, are useless. Even the best antivirus company won't have a new virus definition out in less than an hour. The same holds for the attack signatures that intrusion-detection systems use. And, as Slammer illustrated, all it takes is one infected machine to effectively cripple an entire network. Because of a superworm's speed, system administrators might have mere seconds to react.

Staniford claims that CounterMalice will work that quickly because of the way it divides a network into cells and then monitors each cell for aberrant behavior that could indicate a worm infection. "A computer may be [sending data queries to] computers that it hasn't talked to before. A computer may be talking to places that are not live. Or the sequence of data queries might be unusual," says Staniford. Any of these traits could indicate an infected node on a network attempting to spread a worm.

"LOST CONTROL." For example, Slammer fired out queries to randomly generated Internet protocol addresses (the unique number identifier carried by each device on a network). So the machines it infected certainly tried to talk to computers that weren't turned on and to machines they had never tried to communicate with before.

Once CounterMalice spots a worm, it automatically isolates the machines in the cell and blocks the specific services the worm is using to spread (Slammer used port 1434, the standard designated port for some Microsoft SQL Server queries). By quarantining the offending machines, CounterMalice gives systems administrators a chance to protect the rest of their networks and prevent major outages.
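The three behavioral signals Staniford describes above (talking to never-seen peers, talking to addresses that are not live, an unusual pattern of queries on one service) can be scored from plain connection records. The following Python is an added illustration written for this page, not Silicon Defense's CounterMalice code; the flow records, the per-host baseline, the threshold values and the function names are all constructed assumptions. It profiles each source host over a short window, flags a host whose fan-out is mostly to new and silent destinations, and returns the single port to block so the quarantine stays narrow.

```python
"""Behavioral worm-spread scoring over constructed flow records.

Illustration added for this page; not CounterMalice's own logic.
Thresholds and sample data are assumptions chosen for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    replied: bool  # did the destination answer at all?


# Constructed baseline: destinations each host has historically talked to.
BASELINE = {
    "10.1.1.5": {"10.1.1.1", "10.1.1.20"},
    "10.1.1.7": {"10.1.1.1", "10.1.1.20", "10.1.1.5"},
}

# Constructed one-second window. 10.1.1.5 behaves normally; 10.1.1.7 fans
# out to 40 addresses it has never contacted on UDP/1434 (the port the
# article names for Slammer), and most of those addresses never reply.
FLOWS = [
    Flow("10.1.1.5", "10.1.1.1", 53, True),
    Flow("10.1.1.5", "10.1.1.20", 445, True),
    Flow("10.1.1.5", "10.1.1.20", 445, True),
] + [
    Flow("10.1.1.7", f"203.0.113.{n}", 1434, n % 7 == 0) for n in range(1, 41)
]


def profile(flows, baseline):
    """Per source host: distinct destinations, how many are new relative to
    the baseline, what fraction never replied, and a per-port flow count."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    stats = {}
    for src, fl in by_src.items():
        dests = {f.dst for f in fl}
        known = baseline.get(src, set())
        dark = {f.dst for f in fl if not f.replied}
        ports = defaultdict(int)
        for f in fl:
            ports[f.dport] += 1
        stats[src] = {
            "dests": len(dests),
            "new_peers": len(dests - known),
            "dark_ratio": len(dark) / len(dests),
            "ports": dict(ports),
        }
    return stats


def suspicious(s, new_peer_min=20, dark_ratio_min=0.5):
    """Require both signals together: wide fan-out to never-seen peers AND
    most of those peers silent. Either alone is common on a healthy host
    (a new backup server, a flaky link); both at once looks like scanning."""
    return s["new_peers"] >= new_peer_min and s["dark_ratio"] >= dark_ratio_min


def decide(flows, baseline):
    """Return {host: set_of_ports_to_block} for hosts the cell should isolate.
    Only the service carrying the fan-out is blocked, so the rest of the
    host's traffic (and the management path to it) stays reachable."""
    actions = {}
    for src, s in profile(flows, baseline).items():
        if suspicious(s):
            top_port = max(s["ports"], key=s["ports"].get)
            actions[src] = {top_port}
    return actions


if __name__ == "__main__":
    for host, stat in profile(FLOWS, BASELINE).items():
        print(host, stat)
    print("quarantine:", decide(FLOWS, BASELINE))
```

The thresholds (20 new peers, half of them unresponsive, within one window) are deliberately conservative so that a host contacting a single new server does not trip the detector; in a real deployment they would be tuned per cell against observed baselines, which is exactly the false-positive question the article raises below.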

"With Slammer, people lost control of their networks altogether because they couldn't get to the management consoles in time. Our goal is to prevent the worm from spreading and then make the patching and cleanup relevant again," says Staniford.

"DIFFICULT TO TEST." A big question is: How much will CounterMalice itself affect network performance? In the past, computer-security systems searching for behavioral red flags tended to slow down networks or return a lot of false-positive readings. This happened because of the amazing complexity of today's networks and engineers' inability to account for all scenarios and create truly accurate behavioral models.

The big proof will come when the next superworm actually hits and Silicon Defense customers can prove CounterMalice works -- or doesn't. The company couldn't provide any customers to testify to CounterMalice's performance to date, but Staniford has a solid reputation in the field. "The approach relies heavily on an enterprise's ability to compartmentalize their network, which makes great sense for any security program. But will it be able to identify the next worm? I think it's a valuable idea that will be difficult to test until the next worm hits," says Peter Lindstrom, research director for consultancy Spire Security in Malvern, Pa.

Computer-security analysts say CounterMalice isn't likely to remain a stand-alone system for long and will probably be wrapped into either intrusion-detection systems, antivirus software, or other types of network defenses. Staniford says Silicon Defense is in talks with some big computer-security companies regarding CounterMalice but won't name names. The next attack will certainly put his product to the test. With luck, it could also make Staniford known as the man who corralled the superworm.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.

