numbers

Most PCs are rife with malware, & owners don’t know it

From Robert Lemos’s “Plague carriers: Most users unaware of PC infections” (CNET News.com: 25 October 2004):

A study of home PCs released Monday found that about 80 percent had been infected with spyware almost entirely unbeknownst to their users.

The study, funded by America Online and the National Cyber Security Alliance, found home users mostly unprotected from online threats and largely ignorant of the dangers. AOL and the NCSA sent technicians to 329 homes to inspect computers. …

Nearly three in five users do not know the difference between a firewall and antivirus software. Desktop firewall software regulates which applications on a PC can communicate across the network, while antivirus software detects malicious code that attempts to run on a computer, typically by pattern matching. Two-thirds of users don’t have a firewall installed on their computer, and while 85 percent of PC owners had installed antivirus software, two-thirds of them had not updated the software in the last week. The study found one in five users had an active virus on their machines.


The math behind Flash Worms

From Stuart Staniford, David Moore, Vern Paxson, & Nicholas Weaver’s “The Top Speed of Flash Worms” [PDF] (29 October 2004):

Flash worms follow a precomputed spread tree using prior knowledge of all systems vulnerable to the worm’s exploit. In previous work we suggested that a flash worm could saturate one million vulnerable hosts on the Internet in under 30 seconds [18]. We grossly over-estimated.

In this paper, we revisit the problem in the context of single packet UDP worms (inspired by Slammer and Witty). Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds. …

Since Code Red in July 2001 [11], worms have been of great interest in the security research community. This is because worms can spread so fast that existing signature-based anti-virus and intrusion-prevention defenses risk being irrelevant; signatures cannot be manually generated fast enough …

The premise of a flash worm is that a worm releaser has somehow acquired a list of vulnerable addresses, perhaps by stealthy scanning of the target address space or perhaps by obtaining a database of parties to the vulnerable protocol. The worm releaser, in advance, computes an efficient spread tree and encodes it in the worm. This allows the worm to be far more efficient than a scanning worm; it does not make large numbers of wild guesses for every successful infection. Instead, it successfully infects on most attempts. This makes it less vulnerable to containment defenses based on looking for missed connections [7, 16, 24], or too many connections [20, 25]. …

A difficulty for the flash worm releaser is a lack of robustness if the list of vulnerable addresses is imperfect. Since it is assembled in advance, and networks constantly change, the list is likely to be more-or-less out of date by the time of use. This has two effects. Firstly, a certain proportion of actually vulnerable and reachable machines may not be on the list, thus preventing the worm from saturating as fully as otherwise possible. More seriously, some addresses on the list may not be vulnerable. If such nodes are near the base of the spread tree, they may prevent large numbers of vulnerable machines from being infected by the worm. Very deep spread trees are particularly prone to this. Thus in thinking about flash worms, we need to explore the issue of robustness as well as speed. …

The Slammer worm [10, 22] of January 2003 was the fastest scanning worm to date by far and is likely close to the lower bound on the size of a worm. Data on observed Slammer infections (and on those of the similar Witty worm) provide us with estimates for packet rate and minimum code size in future flash worms. Slammer infected Microsoft’s SQL server. A single UDP packet served as exploit and worm and required no acknowledgment. The size of the data was 376 bytes, giving a 404 byte IP packet. This consisted of the following sections:

• IP header
• UDP header
• Data to overflow buffer and gain control
• Code to find the addresses of needed functions.
• Code to initialize a UDP socket
• Code to seed the pseudo-random number generator
• Code to generate a random address
• Code to copy the worm to the address via the socket …

In this paper, we assume that the target vulnerable population is N = 1000000 (one million hosts – somewhat larger than the 360,000 infected by Code Red [11]). Thus in much less than a second, the initial host can directly infect a first generation of roughly 5,000 – 50,000 intermediate nodes, leaving each of those with only 20-200 hosts to infect to saturate the population. There would be no need for a third layer in the tree.

This implies that the address list for the intermediate hosts can fit in the same packet as the worm; 200 addresses only consumes 800 bytes. A flash version of Slammer need only be slightly different than the original: the address list of nodes to be infected would be carried immediately after the end of the code, and the final loop could traverse that list sending out packets to infect it (instead of generating pseudo-random addresses). …

The graph indicates clearly that such flash worms can indeed be extraordinarily fast – infecting 95% of hosts in 510ms, and 99% in 1.2s. There is a long tail at the end due to the long tail in Internet latency data; some parts of the Internet are poorly connected and take a few seconds to reach. …

Can these results be extended to TCP services? If so, then our results are more grave; TCP offers worm writers a wealth of additional services to exploit. In this section we explore these issues. We conclude that top-speed propagation is viable for TCP worms, too, at the cost of an extra round-trip in latency to establish the connection and double the bandwidth if we want to quickly recover from loss. …

We believe a TCP worm could be written to be not much larger than Slammer. In addition to that 404 bytes, it needs a few more ioctl calls to set up a low level socket to send crafted SYN packets, and to set up a separate thread to listen for SYN-ACKs and send out copies of the worm. We estimate 600 bytes total. Such a worm could send out SYNs at line rate, confident that the SYN-ACKs would come back slower due to latency spread. The initial node can maintain a big enough buffer for the SYN-ACKs and the secondary nodes only send out a small number of SYNs. Both will likely be limited by the latency of the SYN-ACKs returning rather than the small amount of time required to deliver all the worms at their respective line rates.

To estimate the performance of such a small TCP flash worm, we repeated the Monte Carlo simulation we performed for the UDP worm with the latency increased by a factor of three for the handshake and the outbound delivery rates adjusted for 40 byte SYN packets. The results are shown in Figure 6. This simulation predicts 95% compromise after 1.3s, and 99% compromise after 3.3s. Thus TCP flash worms are a little slower than UDP ones because of the handshake latency, but can still be very fast. …
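The paper’s model of a two-level spread tree can be reproduced with a few lines of arithmetic and a Monte Carlo loop. The block below is an added example for this page, not code from Staniford et al.: it computes how many hit-list addresses fit behind a Slammer-sized payload (assuming a 1500-byte MTU, which the paper does not fix), sizes the first generation so that no intermediate carries more than a given fan-out, charges each edge the sender’s serialization backlog plus one latency sample (multiplied by 3 for the TCP handshake, as the paper does), and models the robustness problem of stale hit-list entries: a listed intermediate that is not actually vulnerable loses its whole subtree. The latency distribution is a constructed lognormal stand-in for the paper’s measured data, so the absolute times are illustrative and are not the paper’s 510 ms / 1.3 s figures.

```python
"""Two-level flash-worm spread-tree model in the style of Staniford et al.
Added example for this page; not the paper's code. Latencies are constructed."""
import math
import random

WORM_BYTES = 404        # Slammer-sized single-packet worm (the paper's figure)
ADDR_BYTES = 4          # one IPv4 address per hit-list entry
MTU = 1500              # assumed Ethernet MTU; the paper does not fix one
N_HOSTS = 1_000_000     # the paper's target population


def addresses_per_packet(worm_bytes=WORM_BYTES, mtu=MTU):
    """Hit-list entries that fit behind the code in one MTU-sized packet."""
    return (mtu - worm_bytes) // ADDR_BYTES


def plan_tree(n_hosts, fanout_limit):
    """Smallest first generation such that no intermediate gets more than
    fanout_limit leaves. Returns (first_generation, leaves_per_intermediate)."""
    first_gen = math.ceil(n_hosts / (fanout_limit + 1))
    leaves = n_hosts - first_gen
    return first_gen, math.ceil(leaves / first_gen)


def serialization_seconds(n_packets, packet_bytes, link_bps):
    """Time to clock n_packets of packet_bytes onto a link of link_bps."""
    return n_packets * packet_bytes * 8 / link_bps


def constructed_latency(rng):
    """Stand-in for the paper's measured one-way latencies: lognormal with a
    50 ms median and a heavy tail. Constructed for this example."""
    return rng.lognormvariate(math.log(0.05), 0.6)


def simulate(n_hosts, fanout, link_bps, rtt_factor=1.0, stale=0.0, seed=1):
    """Monte Carlo of one two-level tree. Every edge costs the sender's
    serialization backlog plus rtt_factor times one latency sample
    (1 for UDP; 3 is the paper's approximation for the TCP handshake).
    A fraction `stale` of hit-list entries is not actually vulnerable, and a
    stale intermediate loses its entire subtree.
    Returns (fraction of vulnerable hosts reached, seconds to reach 95% of
    them, or None if the tree never reaches 95%)."""
    rng = random.Random(seed)
    first_gen, leaves_per = plan_tree(n_hosts, fanout)
    per_pkt = serialization_seconds(1, WORM_BYTES + fanout * ADDR_BYTES, link_bps)
    leaves_left = n_hosts - first_gen
    times, vulnerable = [], 0
    for i in range(first_gen):
        t_mid = (i + 1) * per_pkt + rtt_factor * constructed_latency(rng)
        mid_ok = rng.random() >= stale
        if mid_ok:
            vulnerable += 1
            times.append(t_mid)
        batch = min(leaves_per, leaves_left)
        for j in range(batch):
            if rng.random() < stale:
                continue            # listed but not vulnerable: nothing to infect
            vulnerable += 1
            if mid_ok:              # a dead intermediate never forwards the packet
                times.append(t_mid + (j + 1) * per_pkt + rtt_factor * constructed_latency(rng))
        leaves_left -= batch
    times.sort()
    target = math.ceil(0.95 * vulnerable)
    t95 = times[target - 1] if len(times) >= target else None
    return len(times) / vulnerable, t95


if __name__ == "__main__":
    print("addresses per packet:", addresses_per_packet())
    print("tree for 1M hosts, fan-out 200:", plan_tree(N_HOSTS, 200))
    print("50,000 first-generation packets at 1 Gbit/s:",
          serialization_seconds(50_000, WORM_BYTES + 200 * ADDR_BYTES, 1e9), "s")
    for label, factor in (("UDP", 1.0), ("TCP", 3.0)):
        reached, t95 = simulate(N_HOSTS, 200, 1e9, rtt_factor=factor)
        print(f"{label}: reached {reached:.3f}, t95 = {t95:.3f} s")
    reached, t95 = simulate(N_HOSTS, 200, 1e9, stale=0.2)
    print(f"20% stale list: reached {reached:.3f}, t95 = {t95}")
```

The stale-list run makes the paper’s robustness point concrete: with 20% of entries dead, a two-level tree reaches only about 80% of the genuinely vulnerable hosts, because every dead intermediate silently drops its 200 leaves, and the 95% milestone is never hit.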

It appears that the optimum solution for the attacker – considering the plausible near-term worm defenses – is for a flash worm author to simply ignore the defenses and concentrate on making the worm as fast and reliable as possible, rather than slowing the worm to avoid detection. Any system behind a fully working defense can simply be considered as resistant, which the worm author counters by using the resiliency mechanisms outlined in the previous sections, combined with optimizing for minimum infection time.

Thus, for the defender, the current best hope is to keep the list of vulnerable addresses out of the hands of the attacker. …

The fastest worm seen in the wild so far was Slammer [10]. That was a random scanning worm, but saturated over 90% of vulnerable machines in under 10 minutes, and appears to have mainly been limited by bandwidth. The early exponential spread had an 8.5s time constant.

In this paper, we performed detailed analysis of how long a flash worm might take to spread on the contemporary Internet. These analyses use simulations based on actual data about Internet latencies and observed packet delivery rates by worms. Flash worms can complete their spread extremely quickly – with most infections occurring in much less than a second for single packet UDP worms and only a few seconds for small TCP worms. Anyone designing worm defenses needs to bear these time factors in mind.


Japan’s 99.8% criminal conviction rate

From Hiroshi Matsubara’s “Trial By Prosecutor” (Legal Affairs: March/April 2003):

In 1990, a retired high-court judge gave an influential speech that indicted the criminal justice system [of Japan], citing the nation’s 99.8 percent conviction rate as evidence that prosecutors, not courts, decide the fate of criminals. Criminal trials, he declared, are merely “formal ceremonies” en route to conviction. …

Prosecutors are vested with tremendous authority, and courts routinely defer to prosecutorial judgment. The prosecutor, in collaboration with law enforcement, is expected not only to enforce the laws but to decide how to use them to serve the public good. He is given far broader powers of investigation than his American counterpart, including the ability to search, seize, and interrogate without the interference of defense counsel. Justice in Japan is often equated to cooperating with the prosecutor. One of the earliest changes made by legislators to the American legal framework was the addition of a “societal duty” to submit to questioning upon arrest.

Because of their importance in the Japanese system, prosecutors have an overwhelming need to be right. A single loss can end their career. Prosecutors nearly always go to trial with a confession in hand, meaning that criminal courts are rarely asked to decide guilt or innocence. At trial, the counsel for the defendant usually spends his time trying to demonstrate the client’s contrition, his chances of being rehabilitated, and the low risk he poses to society – factors that affect the sentence, not the verdict.

Even in contested cases, the outcome for defendants is bleak. In American federal courts, about one-fifth of all criminal defendants plead innocent – and of those, one-third are subsequently convicted (state numbers indicate a similar trend). Meanwhile, in Japan, despite the fact that only 7 percent of defendants choose to contest their prosecution, the conviction rate in such instances is still about 99 percent. …

But in the aftermath of this unlikely victory, the system turned on Mainali. A higher court stayed his acquittal and ordered him detained while the finding at trial was reconsidered. In the United States, where defendants are protected against double jeopardy, Mainali’s acquittal would have ensured that he went free. Japan has no such standard: The opportunity to appeal a criminal acquittal is just one more weapon in the prosecutorial arsenal. Critics have pointed out that the stigma of losing a case puts prosecutors under great pressure to appeal each and every acquittal. In the notorious Kabutoyama case, prosecutors spent 21 years unsuccessfully appealing not-guilty verdicts handed down against a teacher charged with killing one of her students. …

Japanese prison terms, for both violent and nonviolent offenses, are shorter than those for comparable crimes in the United States. Murder, for instance, can carry a sentence of as little as three years. What is indisputable, however, is that in failing to emphasize procedural justice – a system based on rights and vigorous advocacy – Japan entrusts the integrity of its system to the good judgment of its prosecutors.


How to grade or judge water

From Gideon Lewis-Kraus’s “The Water Rush” (Oxford American):

On the tables in front of us are pink “trial” judging sheets. Across the top run a series of boxes for water numbers, and down the side is the set of criteria we’ll be using. Arthur goes through the criteria one by one, and explains what to look for.

The first criterion is Appearance, which is rated on a scale from zero to five. Good is colorless; bad is cloudy. Self-explanatory, so Arthur moves along quickly to Odor, which is also based on five possible points. The box on the sheet has one example of a positive descriptor on the left side—in this case, “none”—and a row of possible characterizations of water odor on the right side: chlorine, plastic, sulfur, chemical, musty. Next on the list is Flavor, rated out of ten points; the left side of the box reads “clean” and the right side has the identical list of identifiers provided for Odor, plus “salty.” Mouthfeel is back down to a five-point criterion, and the relevant distinction is “refreshing/stale.” There’s a five-point box for Aftertaste (this one on a spectrum from “thirst-quenching” to “residue”), and finally we come to Overall Impressions.

Overall Impressions is scored out of fourteen points, which makes the total available points for each entrant an eyebrow-raising forty-nine. The fourteen-point scale is provided to us on an attached sheet. It was developed by a food scientist at UC Berkeley named William Bruvold. In the ’60s, he pioneered experiments in the acceptability levels of total dissolved solids in water, and he used his students as subjects; he incrementally increased the turbidity of the sample until the water came to resemble Turkish coffee and his students refused to drink it. Out of these experiments came this scale, which Arthur tantalizingly referred to the day I met him in Santa Barbara. Arthur seems a bit sheepish about the language of the document.

The fourteen-point scale, in its entirety, reads exactly as follows (all formatting original):

1. This water has a TERRIBLE, STRONG TASTE. I can’t stand it in my mouth.

2. This water has a TERRIBLE TASTE. I would never drink it.

3. This water has a REAL BAD TASTE. I don’t think I would ever drink it.

4. This water has a REAL BAD TASTE. I would drink it only in a serious emergency.

5. This water has a BAD TASTE. I could not accept it as my everyday drinking water, but I could drink it in an emergency.

6. This water has a BAD TASTE. I don’t think I could accept it as my everyday drinking water.

7. This water has a FAIRLY BAD TASTE. I think I could accept it as my everyday drinking water.

8. This water has a MILD BAD TASTE. I could accept it as my everyday drinking water.

9. This water has an OFF TASTE. I could accept it as my everyday drinking water.

10. This water seems to have a MILD OFF TASTE. I would be satisfied to have it as my everyday drinking water.

11. This water seems to have a LITTLE TASTE. I would be satisfied to have it as my everyday drinking water.

12. This water has NO SPECIAL TASTE at all. I would be happy to have it for my everyday drinking water.

13. This water TASTES GOOD. I would be happy to have it for my everyday drinking water.

14. This water tastes REAL GOOD. I would be very happy to have it for my everyday drinking water.


Google’s number tricks

From “Fuzzy maths” (The Economist: 11 May 2006):

MATHEMATICALLY confident drivers stuck in the usual jam on highway 101 through Silicon Valley were recently able to pass time contemplating a billboard that read: “{first 10-digit prime found in consecutive digits of e}.com.” The number in question, 7427466391, is a sequence that starts at the 101st digit of e, a constant that is the base of the natural logarithm. The select few who worked this out and made it to the right website then encountered a “harder” riddle. Solving it led to another web page where they were finally invited to submit their curriculum vitae.
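The billboard is a small cryptography exercise: generate enough digits of e, then run a primality test over every 10-digit window. The block below is an added example for this page, not Google’s or The Economist’s code. It computes e from its series with exact integer arithmetic (no floating point, so the digits are right) and uses a Miller-Rabin test with the bases 2 through 13, a set that is deterministic for every n below 3,474,749,660,383 and therefore for all 10-digit candidates; the window width and the guard-digit count are choices made here.

```python
"""First 10-digit prime in consecutive digits of e, the Google billboard puzzle.
Added example for this page; not the billboard's or the newspaper's code."""


def e_digits(n):
    """First n decimal digits of e as a string beginning with '2'.
    Sums 1/k! at a scale of 10**(n+20); the 20 guard digits absorb the
    truncation error, which is at most one unit per term."""
    scale = 10 ** (n + 20)
    term, total, k = scale, 0, 0
    while term:
        total += term
        k += 1
        term //= k
    return str(total)[:n]


def is_probable_prime(n):
    """Miller-Rabin with bases 2..13: deterministic for n < 3,474,749,660,383,
    which covers every 10-digit number."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True


def first_prime_window(digits, width=10):
    """(start index, value) of the first width-digit prime found in
    consecutive digits of the string, or None. Windows with a leading zero
    are skipped because they are not width-digit numbers."""
    for i in range(len(digits) - width + 1):
        window = digits[i:i + width]
        if window[0] == "0":
            continue
        value = int(window)
        if is_probable_prime(value):
            return i, value
    return None


if __name__ == "__main__":
    digits = e_digits(200)
    index, prime = first_prime_window(digits)
    print(f"{prime} starts at index {index} of {digits[:12]}...")
```

Index 0 is the leading 2, so the hit at index 99 sits at the 99th digit after the decimal point; whether one calls that the 101st digit of e depends on how the billboard’s author counted, which is why it pays to compute rather than trust the arithmetic in the press coverage.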

If a billboard can capture the soul of a company, this one did, because the anonymous advertiser was Google, whose main product is the world’s most popular internet search engine. With its presumptuous humour, its mathematical obsessions, its easy, arrogant belief that it is the natural home for geniuses, the billboard spoke of a company that thinks it has taken its rightful place as the leader of the technology industry, a position occupied for the past 15 years by Microsoft. …

To outsiders, however, googley-ness often implies audacious ambition, a missionary calling to improve the world and the equation of nerdiness with virtue.

The main symptom of this, prominently displayed on the billboard, is a deification of mathematics. Google constantly leaves numerical puns and riddles for those who care to look in the right places. When it filed the regulatory documents for its stockmarket listing in 2004, it said that it planned to raise $2,718,281,828, which is $e billion to the nearest dollar. A year later, it filed again to sell another batch of shares – precisely 14,159,265, which represents the first eight digits after the decimal in the number pi (3.14159265). …


History & numbers on prison rape

From Daniel Brook’s “The Problem of Prison Rape” (Legal Affairs: March/April 2004):

In his 18 months at [the maximum-security Allred Unit in Iowa Park, Tex.], [Roderick Johnson, a 35-year-old African-American who is suing the Texas Department of Criminal Justice] did time as the property of the Bloods, the Crips, the Mandingo Warriors, and the Mexican Mafia, all of whom forced him to have sex with their members. They also sold his services to other inmates, usually for between $5 and $10. (A cigarette in Allred goes for $1.50.) …

The prevalence of rape in prison is fearsome. Line officers recently surveyed in one southern state estimated that one in five male prisoners were being coerced into sex; among higher-ranking officials, the estimate was one in eight. Prisoners themselves estimated one in three. (Female prisoners are the victims of rape as well, though they are usually assaulted by male guards, not other inmates; the phenomenon of male-on-male prison rape is generally studied separately.) …

The traditional rationale for prison rape is the lack of women, but most psychologists consider this facile. They see prison rape mainly as a means by which people who have been stripped of control over the most basic aspects of their lives – when to eat a meal, take a shower, or watch TV – can reclaim some sense of power. As one Louisiana prisoner, Wilbert Rideau, wrote, “the psychological pain involved in such an existence creates an urgent and terrible need for reinforcement of [a prisoner’s] sense of manhood and personal worth.” Others believe that prisoners become rapists out of fear of becoming victims themselves; it’s a choice between becoming predator or prey. The psychologist Daniel Lockwood, in his study Prison Sexual Violence, calls this strategy “pre-emptive self-defense.” …

IN 1826, IN WHAT WAS LIKELY THE FIRST PUBLISHED MENTION of prison rape in the history of the republic, the Rev. Louis Dwight wrote that “Boys are Prostituted to the Lust of old Convicts” throughout the institutions he surveyed from Massachusetts to Georgia. Dwight, the founder of the Prison Discipline Society of Boston, a prison reform group, wrote that “Nature and humanity cry aloud for redemption from this dreadful degradation.” It was not until the 21st century, however, that the nation saw its first anti-prison-rape legislation.

Last year, Congress passed the Prison Rape Reduction Act, which allocates $60 million to support rape-prevention programs run by federal, state, and local corrections staff and to aid investigations and punishment of perpetrators. The bill, which enjoyed bipartisan support in the House and the Senate, also requires states to collect statistics on prison rape.


Why courts don’t use legal-size documents any longer

From Suzanne Snider’s “Old Yeller” (Legal Affairs: May/June 2005):

The legal-size legal pad has been under attack since as early as 1982, when then Chief Justice Warren Burger banished legal-size documents from federal courts. One informal survey estimated Burger’s move saved almost $16 million through more efficient use of storage space. Several states followed the federal government’s lead …


The tyranny of HOAs

From Ross Guberman’s “Home Is Where the Heart Is” (Legal Affairs: November/December 2004):

ABOUT 50 MILLION AMERICANS BELONG TO HOMEOWNER ASSOCIATIONS, also known as HOAs or common-interest developments, which are composed of single-family homes, condominiums, or co-ops. Four out of five new homes, ranging from starter homes to high-rise apartments to gated mansions, are in one of the nation’s 250,000 HOAs. However they look or whomever they cater to, HOAs impose the same obligations: If you want to buy a property in an HOA development, you must join the HOA, allow a board you help elect to manage shared grounds and other public spaces, pay regular dues and any “special assessments” for upkeep or other costs, and obey a host of quality-of-life rules, even if they’re added after you move in.

In return, the HOA keeps the welcome sign painted, the sidewalk cracks filled, and the flower beds fresh. It may also provide streets, parks, playgrounds, security, snow removal, and utilities that were once the province of local government. But the HOA does more than beautify the neighborhood and preserve property values. It is often the sole driving force behind the Halloween parades and holiday parties that are increasingly rare in an age of bowling alone.

Although structured as nonprofit corporations, HOAs operate as private governments. An HOA can impose fines on those who flout its quality-of-life policies, just as a municipality can penalize those who violate its zoning, antismoking, or noise-control laws. An HOA also levies dues and assessments that are as obligatory as taxes and sometimes less predictable. In exerting these quasi-political powers, HOAs represent one of the most significant privatizations of local government functions in history. …

About half the states allow “non-judicial foreclosures” if owners lapse on their dues. Typically, the HOA’s collection attorney places a lien on the property and announces its new legal status in a local newspaper. The home is then auctioned. Homeowners get none of the due-process protections they could use to ward off other creditors—no right to a hearing and no right to confront their HOA board.

Even in states that require court approval for an HOA foreclosure, the HOA nearly always wins. Under current law, any unpaid dues, no matter how small, can be grounds for foreclosure, particularly once the amount of the delinquency is swelled with interest and fines.

… According to a 2001 study of foreclosures in California by Sentinel Fair Housing, a homeowner advocacy group, when HOAs foreclose, the typical homeowner is $2,557 in arrears. When banks or municipal governments foreclose, by contrast, the typical homeowner owes $190,000 in delinquent payments or back taxes.


The 80/20 rule

From F. John Reh’s “How the 80/20 rule can help you be more effective” (About.com):

In 1906, Italian economist Vilfredo Pareto created a mathematical formula to describe the unequal distribution of wealth in his country, observing that twenty percent of the people owned eighty percent of the wealth. In the late 1940s, Dr. Joseph M. Juran inaccurately attributed the 80/20 Rule to Pareto, calling it Pareto’s Principle. …

Quality Management pioneer, Dr. Joseph Juran, working in the US in the 1930s and 40s recognized a universal principle he called the “vital few and trivial many” and reduced it to writing. …

As a result, Dr. Juran’s observation of the “vital few and trivial many”, the principle that 20 percent of something always are responsible for 80 percent of the results, became known as Pareto’s Principle or the 80/20 Rule. …

The 80/20 Rule means that in anything a few (20 percent) are vital and many (80 percent) are trivial. In Pareto’s case it meant 20 percent of the people owned 80 percent of the wealth. In Juran’s initial work he identified 20 percent of the defects causing 80 percent of the problems. Project Managers know that 20 percent of the work (the first 10 percent and the last 10 percent) consume 80 percent of your time and resources. You can apply the 80/20 Rule to almost anything, from the science of management to the physical world.

You know 20 percent of your stock takes up 80 percent of your warehouse space and that 80 percent of your stock comes from 20 percent of your suppliers. Also 80 percent of your sales will come from 20 percent of your sales staff. 20 percent of your staff will cause 80 percent of your problems, but another 20 percent of your staff will provide 80 percent of your production. It works both ways.

The value of the Pareto Principle for a manager is that it reminds you to focus on the 20 percent that matters. Of the things you do during your day, only 20 percent really matter. Those 20 percent produce 80 percent of your results.


IE unsafe 98% of the time

From Noam Eppel’s “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security”:

The security company Scanit recently conducted a survey which tracked three web browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were “known unsafe.” Their definition of “known unsafe”: a remotely exploitable security vulnerability had been publicly announced and no patch was yet available. Microsoft Internet Explorer, which is the most popular browser in use today and installed by default on most Windows-based computers, was 98% unsafe. Astonishingly, there were only 7 days in 2004 without an unpatched publicly disclosed security hole. Read that last sentence again if you have to.
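Scanit’s “known unsafe” metric is a union of exposure windows: each disclosed issue opens an interval that closes on the day a patch ships, and a day counts as unsafe if any interval covers it, however many overlap. The block below is an added example for this page, not Scanit’s code or data; the advisory records are constructed, the intervals are taken as half-open (the disclosure day counts, the patch day does not), and the convention for an issue still unpatched at year end is that its window runs to 31 December.

```python
"""Days-unsafe metric over advisory records, in the style of the Scanit survey.
Added example for this page; not Scanit's code. Sample records are constructed."""
from datetime import date


def _parse(s):
    """ISO date string to date; None or "" means 'not yet patched'."""
    return date.fromisoformat(s) if s else None


def days_in_year(year):
    return (date(year + 1, 1, 1) - date(year, 1, 1)).days


def days_unsafe(advisories, year):
    """advisories: iterable of (disclosed, patched) ISO date strings.
    A day is unsafe if some issue was disclosed on or before it and not yet
    patched, i.e. the union of half-open intervals [disclosed, patched),
    clipped to the calendar year. Overlapping windows are counted once."""
    start, end = date(year, 1, 1), date(year + 1, 1, 1)
    spans = []
    for disclosed, patched in advisories:
        lo = max(_parse(disclosed), start)
        hi = min(_parse(patched) or end, end)
        if lo < hi:
            spans.append((lo, hi))
    spans.sort()
    total, current = 0, None
    for lo, hi in spans:
        if current and lo <= current[1]:        # overlaps or touches: merge
            current = (current[0], max(current[1], hi))
        else:
            if current:
                total += (current[1] - current[0]).days
            current = (lo, hi)
    if current:
        total += (current[1] - current[0]).days
    return total


def percent_unsafe(advisories, year):
    return 100.0 * days_unsafe(advisories, year) / days_in_year(year)


# Constructed sample: four advisories touching 2004, not real vulnerabilities.
SAMPLE_2004 = [
    ("2003-12-20", "2004-01-05"),   # carried over from the previous year
    ("2004-01-10", "2004-01-20"),
    ("2004-01-15", "2004-02-01"),   # overlaps the one above
    ("2004-06-01", None),           # still unpatched at year end
]

if __name__ == "__main__":
    print(days_unsafe(SAMPLE_2004, 2004), "of", days_in_year(2004), "days unsafe,",
          f"{percent_unsafe(SAMPLE_2004, 2004):.1f}%")
```

A single issue disclosed on 1 January and patched on 25 December gives 359 unsafe days out of 366, which is the 98% / seven-safe-days shape of the Internet Explorer result; the interesting property of the metric is that it does not matter whether that exposure came from one long-lived hole or fifty short ones.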


CCTV in the UK deters crime

From Technology Review‘s “Big Brother Logs On”:

In many ways, the drama of pervasive surveillance is being played out first in Orwell’s native land, the United Kingdom, which operates more closed-circuit cameras per capita than any other country in the world. This very public surveillance began in 1986 on an industrial estate near the town of King’s Lynn, approximately 100 kilometers north of London. Prior to the installation of three video cameras, a total of 58 crimes had been reported on the estate. None was reported over the next two years. In 1995, buoyed by that success, the government made matching grants available to other cities and towns that wanted to install public surveillance cameras – and things took off from there. …

And not many argue about surveillance’s ability to deter crime. Recent British government reports cite closed-circuit TV as a major reason for declining crime rates. After these systems were put in place, the town of Berwick reported that burglaries fell by 69 percent; in Northampton overall crime decreased by 57 percent; and in Glasgow, Scotland, crime slumped by 68 percent. Public reaction in England has been mixed, but many embrace the technology. …


Copyright stupidity: arguments & numbers

From the Financial Times’ “James Boyle: Deconstructing stupidity”:

Thomas Macaulay told us copyright law is a tax on readers for the benefit of writers, a tax that shouldn’t last a day longer than necessary. …

Since only about 4 per cent of copyrighted works more than 20 years old are commercially available, this locks up 96 per cent of 20th century culture to benefit 4 per cent. The harm to the public is huge, the benefit to authors, tiny. …

We need to deconstruct the culture of IP stupidity, to understand it so we can change it. But this is a rich and complex stupidity, like a fine Margaux. I can only review a few flavours.

Maximalism: The first thing to realize is that many decisions are driven by honest delusion, not corporate corruption. The delusion is maximalism: the more intellectual property rights we create, the more innovation. This is clearly wrong; rights raise the cost of innovation inputs (lines of code, gene sequences, data.) Do their monopolistic and anti-competitive effects outweigh their incentive effects? That’s the central question, but many of our decision makers seem never to have thought of it.

The point was made by an exchange inside the Committee that shaped Europe’s ill-starred Database Directive. It was observed that the US, with no significant property rights over unoriginal compilations of data, had a much larger database industry than Europe which already had significant “sweat of the brow” protection in some countries. Europe has strong rights, the US weak. The US is winning.

Did this lead the committee to wonder for a moment whether Europe should weaken its rights? No. Their response was that this showed we had to make the European rights much stronger. …

Authorial Romance: Part of the delusion depends on the idea that inventors and artists create from nothing. Who needs a public domain of accessible material if one can create out of thin air? But in most cases this simply isn’t true; artists, scientists and technologists build on the past. …

An Industry Contract: Who are the subjects of IP? They used to be companies. You needed a printing press or a factory to trigger the landmines of IP. The law was set up as a contract between industry groups. This was a cosy arrangement, but it is no longer viable. The citizen-publishers of cyberspace, the makers of free software, the scientists of distributed data-analysis are all now implicated in the IP world. The decision-making structure has yet to adjust. …

Fundamentally, though, the views I have criticised here are not merely stupidity. They constitute an ideology, a worldview, like flat earth-ism. …


The Witty Worm was special

From CAIDA’s “The Spread of the Witty Worm”:

On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm takes advantage of a security flaw in these firewall applications that was discovered earlier this month by eEye Digital Security. Once the Witty worm infects a computer, it deletes a randomly chosen section of the hard drive, over time rendering the machine unusable. The worm’s payload contained the phrase “(^.^) insert witty message here (^.^)” so it came to be known as the Witty worm.

While the Witty worm is only the latest in a string of self-propagating remote exploits, it distinguishes itself through several interesting features:

  • Witty was the first widely propagated Internet worm to carry a destructive payload.
  • Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm.
  • Witty represents the shortest known interval between vulnerability disclosure and worm release — it began to spread the day after the ISS vulnerability was publicized.
  • Witty spread through a host population in which every compromised host was doing something proactive to secure their computers and networks.
  • Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly. …

Once Witty infects a host, the host sends 20,000 packets by generating packets with a random destination IP address, a random size between 796 and 1307 bytes, and a destination port. The worm payload of 637 bytes is padded with data from system memory to fill this random size and a packet is sent out from source port 4000. After sending 20,000 packets, Witty seeks to a random point on the hard disk, writes 65k of data from the beginning of iss-pam1.dll to the disk. After closing the disk, the worm repeats this process until the machine is rebooted or until the worm permanently crashes the machine.
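As an added example (not CAIDA's or ISS's code), the following detector flags the traffic profile just described when run over flow records; the record format, the sample lines and the fan-out threshold are assumptions made for this illustration.

```python
"""Flag Witty-like UDP traffic in flow records.

Added example, not CAIDA's code. It uses only the traffic profile quoted above:
UDP, source port 4000, random destination address and port, total size 796..1307
bytes. The flow-record format and the sample records are constructed here; adapt
parse_flow() to your own collector's export.
"""

WITTY_SRC_PORT = 4000
WITTY_MIN_LEN, WITTY_MAX_LEN = 796, 1307  # packet sizes quoted in the report


def parse_flow(line):
    """Parse one constructed record: '<proto> <src>:<sport> -> <dst>:<dport> <bytes>'."""
    proto, src, _, dst, size = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "bytes": int(size)}


def is_witty_like(flow):
    """One packet matching the profile; weak evidence on its own."""
    return (flow["proto"] == "UDP" and flow["src_port"] == WITTY_SRC_PORT
            and WITTY_MIN_LEN <= flow["bytes"] <= WITTY_MAX_LEN)


def suspect_sources(lines, min_targets=3):
    """Map source IP -> number of distinct destinations hit with matching
    packets, keeping only sources at or above min_targets. Fan-out to many
    random destinations is what separates the worm's scanning from a
    legitimate service that happens to send from port 4000."""
    targets = {}
    for line in lines:
        flow = parse_flow(line)
        if is_witty_like(flow):
            targets.setdefault(flow["src_ip"], set()).add(flow["dst_ip"])
    return {ip: len(d) for ip, d in targets.items() if len(d) >= min_targets}


# Constructed sample: 192.0.2.10 behaves like an infected host; the rest do not.
SAMPLE_FLOWS = [
    "UDP 192.0.2.10:4000 -> 198.51.100.7:1433 812",
    "UDP 192.0.2.10:4000 -> 203.0.113.88:53 1301",
    "UDP 192.0.2.10:4000 -> 198.51.100.200:31337 796",
    "UDP 192.0.2.10:4000 -> 203.0.113.5:80 1024",
    "UDP 192.0.2.20:4000 -> 198.51.100.7:4000 900",   # single packet, no fan-out
    "TCP 192.0.2.30:4000 -> 203.0.113.5:443 1000",    # wrong protocol
    "UDP 192.0.2.40:4000 -> 203.0.113.9:7 1500",      # size outside the range
]

if __name__ == "__main__":
    print(suspect_sources(SAMPLE_FLOWS))  # {'192.0.2.10': 4}
```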

Witty Worm Spread

With previous Internet worms, including Code-Red, Nimda, and SQL Slammer, a few hosts were seeded with the worm and proceeded to spread it to the rest of the vulnerable population. The spread is slow early on and then accelerates dramatically as the number of infected machines spewing worm packets to the rest of the Internet rises. Eventually, as the victim population becomes saturated, the spread of the worm slows because there are few vulnerable machines left to compromise. Plotted on a graph, this worm growth appears as an S-shaped exponential growth curve called a sigmoid.

At 8:45:18pm[4] PST on March 19, 2004, the network telescope received its first Witty worm packet. In contrast to previous worms, we observed 110 hosts infected in the first ten seconds, and 160 at the end of 30 seconds. The chances of a single instance of the worm infecting 110 machines so quickly are vanishingly small — worse than 10^-607. This rapid onset indicates that the worm used either a hitlist or previously compromised vulnerable hosts to start the worm. …

After the sharp rise in initial coordinated activity, the Witty worm followed a normal exponential growth curve for a pathogen spreading in a fixed population. Witty reached its peak after approximately 45 minutes, at which point the majority of vulnerable hosts had been infected. After that time, the churn caused by dynamic addressing causes the IP address count to inflate without any additional Witty infections. At the peak of the infection, Witty hosts flooded the Internet with more than 90Gbits/second of traffic (more than 11 million packets per second). …

The vulnerable host population pool for the Witty worm was quite different from that of previous virulent worms. Previous worms have lagged several weeks behind publication of details about the remote-exploit bug, and large portions of the victim populations appeared to not know what software was running on their machines, let alone take steps to make sure that software was up to date with security patches. In contrast, the Witty worm infected a population of hosts that were proactive about security — they were running firewall software. The Witty worm also started to spread the day after information about the exploit and the software upgrades to fix the bug were available. …

By infecting firewall devices, Witty proved particularly adept at thwarting security measures and successfully infecting hosts on internal networks. …

The Witty worm incorporates a number of dangerous characteristics. It is the first widely spreading Internet worm to actively damage infected machines. It was started from a large set of machines simultaneously, indicating the use of a hit list or a large number of compromised machines. Witty demonstrated that any minimally deployed piece of software with a remotely exploitable bug can be a vector for wide-scale compromise of host machines without any action on the part of a victim. The practical implications of this are staggering; with minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts.

Malware focused on theft above all

From AFP’s “70 percent of malicious software aimed at theft: survey“:

Seventy percent of malicious software being circulated is linked to various types of cybercrime, a study by security firms Panda Software showed. …

The survey confirms a shift from several years ago, when malicious software was often aimed at garnering attention or exposing security flaws.

“Malware has become a tool for generating financial returns,” the report said. …

About 40 percent of the problems detected by Panda were spyware, a type of malicious code designed for financial gain, primarily through collecting data on users’ Internet activities.

Another 17 percent were trojans, including “banker trojans” that steal confidential data related to bank services, and others that download malicious applications onto systems.

Eight percent of the problems detected were “dialers,” malicious code that dials up premium-rate numbers without users’ knowledge; “bots,” a scheme involving the sale or rental of networks of infected computers, accounted for four percent of the total.

The e-mail worm, which was recently considered a major Internet threat, made up only four percent of the total.
