Skip to main content

Slow Scanners & Sniffer worms

The discovery of the worm, which employed the technique of network sniffing, has shone a bit of light on a dark corner of the worm universe. W32/Sdbot-UJ has sometimes been reported as the first worm to perform network sniffing, but almost certainly it was not. It may have been the first such to be captured and analyzed by an AntiVirus vendor, I don't know. This worm employs a technique thought for years by some security professionals to be used by "slow scanners". I say "thought to be used" because it turns out this particular class of worms is difficult to study and not perceived universally as much of a threat. Some professionals even dispute whether Slow Scanners exist, yet. (Everyone seems to agree that if they don't, they will soon enough.) Slow Scanner worms are not widely reported in the media, partly because they are not as flashy as the worms that hit millions of machines in a day and whose propagation efforts are so aggressive that they bring the internet to a crawl. Slow Scanners are typically memory resident -- they don't write anything to the filesystem, they blink out of memory if you try to inspect them. They don't they don't do anything to the machine they infect. They don't write to the Windows registry, they don't open trojan backdoors, and they don't attempt to spread rapdily. Instead, a Slow Scanner performs reconnaissance of the local network environment, very, very slowly. They may send only a few packets an hour or a day, looking for certain open ports or other responses indicating a system type (say a router, or a Windows server or a BIND server) for example, or a particular vulnerability. The worm may not probe anything at all for hours or days. Slow scanners gather data about a network, often by "scanning", sending packets out to see what sort of response comes back. But Slow Scanners don't just scan, they also gather data by sniffing and keystroke logging. After gathering data for a while, the worm will report back out to a web site or IRC channel or email address. After sending a single report, it may blink itself out of memory. Other worms do most of this stuff too, but Slow Scanners are very difficult to detect because they try to fly low and slow -- under the radar -- to evade detection. Once in a while they try to spread to another machine, but never to all other vulnerable machines they can find, just the occasional one, usually not within the same network segment. Slow Scanner Worms hint at a dark corner of the cracker underground, hidden beneath the noise of the script kiddies and their thousands of variant mass propagating worms, and the drone of frantic AntiVirus efforts. People running corporate and government networks want to believe the popular profile of the virus writer -- worms are written by bored teenage kids seeking attention in their peer group -- other bored teenage programmers -- and they don't really mean any harm. Increasingly there is evidence that at least some worms are written for profit, not fun, and possibly for other purposes, perhaps even tailored to a given victim network, such as espionage. Slow Scanners sport all the hallmarks of being written for a stealthy and sinister purpose: they are designed to perform network reconnaissance as a precursor to a sophisticated, targeted intrusion. They propagate very slowly, so as to evade detection, even by sophisticated heuristics (rules of thumb) in modern IDS/IPS and AntiVirus systems. Here are some links to stories about one of the first widespread sniffing worms. It wasn't a Slow Scanner, but it almost certainly borrowed a technique that's been used for years.

Technorati Tags: , , , , , , ,

Comments

Post a Comment

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual dom...
20 comments
Read more

SQL Injection - So Easy, Your Server is Already Cracked

In a simple demonstration, a hapless team discovers the truth. "Your server is vulnerable. It's already been cracked. Oh, and by the way, it's already distributing malware for a botnet." A Big Case of Oops! Attitude of management in many organizations is one of the biggest barriers to improved security on the internet. People simply don't want to believe that their systems are vulnerable. Denial is pervasive, and affects organizations from the biggest of the Fortune 500 or Federal government agencies, down to modestly sized companies, local governments, and non-profit corporations. The attitude of the unnamed client described at the "Following the White Rabbit" blog (link above) is all too common. I suspect that an underlying cause is that people want to believe several things that worked pretty well from an evolutionary perspective, but don't work very well on the internet. When everybody around is a bunch of cave dwellers, consumed entirely with...
1 comment
Read more

Bourne Incrimination - bio identity theft, the next big problem

It was only a matter of time before it became possible to create fake DNA evidence. That time is now. DNA Evidence Can be Fabricated [New York Times] Think it's bad when somebody steals your identity, drains your bank account, and spends thousands of dollars on credit cards they opened with your name on it? This run of the mill identity theft can cost you thousands of dollars, and many years to clean up. It pales in comparison to what will happen if biometric data becomes commonly used as proof of identity. Sometimes also called bio-print (like fingerprint) or bio-identity mechanisms, such things as retina scans and fingerprint scans are already in use, or even common use. DNA scans are likely to become possible several years from now, as the technology to read DNA is evolving rapidly. An entire genome can be sequenced by three people and equipment costing a few hundred thousand dollars, in a very short period of time, several days. When it become possible to read DNA in more or...
1 comment
Read more