
Hacker News Network
08-15-00











Freedom of the press is limited to those who own one.
- A.J. Liebling

 

Worst Nightmares Come Alive

Before we start
============
This document has been written with great care. I urge you to read the complete document before commenting on it. Furthermore, I urge you to think about it for a while before commenting on it. If you have constructive comments please send them to:

roelof@cube.co.za

You may replicate this document at will - but please do not butcher it - copy the *whole* document, and give me credit. I would also appreciate it if you let me know where you publish it - just to keep track of it.

Regards,
Roelof Temmingh
South Africa.
99/07/29

Index:
======
Part I: Background
Part II: Overview
Part III: Detail design
Part IV: QWRNA (Questions We Rather Not Ask)

Part I: Introduction to your worst nightmare
===================================
"I guess it was bound to happen someday - please spread the word". This message was posted to a computer mailing list by Gene Spafford on 03 November 1988 - back in the days when the Internet, still in its infancy, was a tool for academics and a toy for geeks. Spafford is referring to an Internet-born computer worm (a type of self-sustained virus) that eventually managed to affect more than 10% of the 60,000 hosts then connected to the Internet. Despite the fact that most of the world hadn't heard of the Internet or email before, and the fact that the Dukakis-Bush election was just days away, the incident made it to the front page of most major newspapers. This was not because the worm was particularly vicious - it was actually quite benign - but because people recognized the potential for large-scale damage the worm represented. Were it not for a small programming error in the worm's code it may never even have been discovered. Ten years ago the "Morris Worm" shocked the world into realizing the fragility of the Internet. Today, very little has changed. Despite ten years of new knowledge and experience the Internet today is at least as vulnerable to Morris-type attacks as it was ten years ago. In fact, even more so. Consider the following:

1. Ten years ago the Morris worm used weaknesses common to a number of different UNIX systems to take control of the computers and propagate itself. Today the same operating system is installed on 90% of all desktop computers. A single program could attack all these machines.

2. Ten years ago the Internet belonged to an elite group of specialists and professionals. They understood their computers intimately and managed them closely. Today every home has a computer and a connection to the Internet. The average computer user can't tell "email" from "mpeg".

3. Ten years ago the Internet was used primarily by scientists, researchers and academics. Today it is a major business conduit. Billions of dollars are moved over the Internet daily in various forms and most companies would simply not be able to do ANY business without their IT computer systems.

The widespread use of firewalls on computer systems does little to alleviate the risk. The threat here is not an attack from some hacker on the Internet, but a program run unwittingly on a computer already inside the protected network. The sections that follow show just how feasible such a program is. While reading you will note the following frightening truths:

- Just how relatively easy such a program is to write. Similar programs already exist and are widely known.

- Just how easy such a program is to spread. The Internet is the perfect mass distribution system and its strength is also its weakness.

- Just how easy such a program is to hide. The average user doesn't understand half the processes running on the system legitimately, let alone a program doing its utmost to conceal itself.

- Just how hard such a program is to stop. The program can spread at the speed of light, take any form, hide itself and mutate with every new installation. Immeasurable damage could be done before it is eventually stopped.

- Just how ugly such a program could be. This kind of software could bring entire sectors of industry to their knees. A well-planned infection with malicious intent would make the Morris Virus of '88 look like a mild case of the flu.

So what can be done to prevent this from happening? Not too much I'm afraid. Like the citizens of a volcanic island we need to be aware, stay alert and hope we spot the eruption early enough to prevent a disaster. Here are some precautions a company can take:

1. Policy. The use of any unauthorized software should be prohibited.

2. User education, user education, user education. Make your users aware of the dangers of running software from untrusted sources.

3. Audits. Perform regular checks to see what's installed and running on your PCs.

4. Operating systems. A strong operating system with proper multi-user support can minimize the damage done by a worm. Install Microsoft NT rather than Windows 95 or 98. Consider using other operating systems, like Linux or BSD.

5. Diversity. By mixing a number of operating systems one can minimize the amount of damage a virus or worm could do. This, however, introduces added complexity in the management of all the different systems. Your call...

6. Network security. Firewalls, file encryption, operating system security, etc. all make it more difficult for the would-be worm. In particular virus scanners and HTML, FTP and SMTP content scanners help us weed out these kinds of threats. Consider stripping executable attachments and other active content completely.

7. Host-based IDS. Intrusion detection systems may detect attacks either on the network or the computers themselves.

8. Assume the worst. Plan for disasters with disaster recovery sites, backups, and business continuity plans. Test and practice with these systems.
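
As an illustration of precaution 6 (stripping executable attachments at the mail gateway), the following is an added example and not part of the original document. The extension and content-type block lists, the notice text and the sample message are assumptions constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list for illustration; set it from local policy.
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
NOTICE = "An attachment was removed by the mail gateway: {}\n"

def is_blocked(part):
    # Windows ignores trailing dots/spaces, so "a.exe. " still runs as a.exe.
    name = (part.get_filename() or "").lower().rstrip(". ")
    ext = name[name.rfind("."):] if "." in name else ""  # last extension only
    return ext in BLOCKED_EXT or part.get_content_type() in BLOCKED_TYPES

def strip_executables(raw):
    """Return (cleaned EmailMessage, list of removed attachment names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    def label(part):
        return part.get_filename() or part.get_content_type()
    def clean(container):
        if not container.is_multipart():
            return
        kept = []
        for part in container.get_payload():
            if is_blocked(part):
                removed.append(label(part))
                note = EmailMessage()
                note.set_content(NOTICE.format(label(part)))
                kept.append(note)  # leave a visible marker for the reader
            else:
                clean(part)  # recurse into nested multiparts and forwards
                kept.append(part)
        container.set_payload(kept)
    # A message whose only body is the executable has no parts to walk.
    if not msg.is_multipart() and is_blocked(msg):
        removed.append(label(msg))
        msg.clear_content()
        msg.set_content(NOTICE.format(removed[-1]))
    clean(msg)
    return msg, removed

def sample_message():
    # Constructed test input: one harmless and one double-extension attachment.
    m = EmailMessage()
    m.set_content("See attached.")
    m.add_attachment("plain notes", filename="notes.txt")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="report.txt.exe")
    return m.as_bytes()
```

Matching on the filename alone misses executables that arrive inside archives or under a neutral name, so a filter like this complements the virus scanner rather than replacing it.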

As you read the description that follows, imagine the consequences of the release of such an animal and ask yourself how long it will be before we are again saying to ourselves "I guess it was bound to happen someday..."


Continue to Part II: Overview


These pages are Copyright © 2000 Hacker News Network All Rights Reserved.