[ISN] Q&A With 'Wormologist' Vern Paxson

InfoSec News isn at c4i.org
Tue Oct 4 01:49:01 EDT 2005


http://www.informationweek.com/showArticle.jhtml?articleID=171202582

By Kelly Jackson Higgins 
Secure Enterprise 
Oct. 1, 2005 

Vern Paxson

Senior scientist at the International Computer Science Institute, 
University of California-Berkeley, and staff scientist at Lawrence 
Berkeley National Laboratory

Paxson, one of the industry's foremost worm experts, developed the 
open-source intrusion-detection tool Bro and has conducted studies on 
the genesis and propagation of worms and other malware. He was 
recently named to the advisory board of start-up ConSentry Networks, 
which has developed a next-generation, hardware-based IDS.


How did you become a renowned 'wormologist'?

In part, it was luck. When Code Red came out in 2001, it was 
fascinating to observe it from the Bro tool, and [the International 
Computer Science Institute] had forensic logs from it at Lawrence 
Berkeley National Laboratory. We knew every single probe from the 
worm, and that allowed me to study its progress. We got Code Red 2 
just a couple of weeks later, and then Nimda six weeks later, and it 
was fascinating seeing all the worms interacting. We had this very 
rich data ... including an estimate of the total size of the worm, 
with upward of 300,000 infected [machines].


How have worms evolved since the first one, written in 1988 by Robert 
T. Morris?

It's easier to create them now because there are more toolkits. But 
the evolution of worms has been surprisingly slow. Slammer in 2003 was 
different, though--the entire worm fit into a single packet and was 
connectionless, so it could go fast. It wasn't anything anyone had 
predicted.


Aside from its historical precedent, what was so special about the 
Morris worm?

That worm was brilliantly built and remains the best-designed one 
ever. It had multiple modes, which we later saw with Nimda are very 
effective. And it had topological scanning ... It went through the 
information on the locally infected machine to try to find other 
machines. The Morris worm also came with its own built-in password 
cracker.


Where do worms go from here?

A big threat is the commercialization of malware. The lay of the land 
is changing, from the equivalent of vandals doing their work to people 
who will commoditize malware and use it to make money. The rise of 
this commercially motivated attacker is very disturbing, and 
inevitable. There's a paper in the research world that talks about how 
you can specialize in just doing the worm technology without being 
involved in the exploitation of it.

There's going to be some sort of black market where criminals hook up 
with people with worm access. Also on [the horizon] are blended 
threats, where a malware writer puts together viruses and botnets and 
uses a botnet to propagate the keylogger that then feeds into your 
encrypted point-to-point network and extracts all the goodies.


Are there worms against which we can't defend?

We published a paper for DARPA [Defense Advanced Research Projects 
Agency] on the worst-case scenario of a worm. We sketched how it's not 
implausible that a worm could get 10 million to 15 million desktops in 
a day. But we could not resolve the question of how much damage this 
type of worm would really inflict. Still, we're racing against the 
clock. If I see tomorrow that some huge worm has hit, it won't 
surprise me.


What scares you most about worms?

The worms that don't randomly scan--topological worms, which get their 
target information separate from scanning. And detection-scanning 
worms--in particular, the ones that can go after Windows or Cisco 
vulnerabilities. The recent brouhaha over executable code on Cisco 
routers gave a lot of people pause. If we had a Cisco exploit, it 
could really do damage. Also in the back of my mind is cyberwarfare. 
You'd be a fool if you were in the modern military and not planning 
for cyberattacks and working on defenses against them.


What about viruses?

Viruses seem like old news today because there's still a huge class of 
them that don't show much innovation. They're just variants. But I 
would expect viruses to be a key part of blended attacks, where a 
virus would be used to cross a firewall, for example.


What's the danger of going overboard with security?

There's going to be a huge struggle over control of the Internet, 
which is driven by concerns about security, intellectual property and 
politics. This could unfold in a lot of ways that wouldn't be pretty. 
The key question is, can we have an architecture so we get security 
control without losing the infrastructure and its real power? 
Regulating that traffic means it must terminate at a proxy that must be able to 
see your traffic in clear text to check whether the text is allowable, for 
instance. Now you've created an incredible point of control that has 
obvious uses for going after criminals, but it also [breeds] political 
repression and commercial gain, good or bad.

There's a new National Science Foundation initiative to rethink 
Internet architectural notions. [The International Computer Science 
Institute] and other institutions are thinking about how to get funded 
to look at new security architectures that provide these controls that 
are needed, but in a way that doesn't throw out the baby with the 
bathwater. 
