sent itself to those computers. Once it located a vulnerable machine, it sought out the file msblast.exe, retrieved it, then scanned other systems in the same way. Blaster was written to launch a DoS attack (see Footnote 8.8 on page 300) on Microsoft's Windows Update web site. Microsoft found a means of thwarting the attack on the site, but Blaster still infected around half a million computers. Microsoft offered a quarter of a million dollars (U.S.) for information that would lead to the arrest of Blaster's creators; however, to date, there have been no arrests. Microsoft maintains a five-million-dollar reward fund for the apprehension of the various malicious-code authors not yet caught.
On Friday, April 30, 2004, a worm called Sasser began spreading over the Internet. It exploited a vulnerability in the MS-Windows Local Security Authority Subsystem Service (LSASS). Sasser scanned for vulnerable machines, opened a remote connection to each one it found, installed an FTP server and downloaded itself to the new host. From there it sought out vulnerable LSASS components on other machines. The exploit also caused the LSASS component of Windows to crash. On May 7, 2004, German authorities arrested Sven Jaschan, an eighteen-year-old student, who had created a total of five separate versions of Sasser. Jaschan is also responsible for twenty-eight variants of the Netsky worm. Key evidence leading to Jaschan's apprehension was given by a peer group familiar with his activities. They had approached Microsoft officials in Germany asking about the reward. Once informed that they would indeed get it, they turned him in, after which Microsoft paid the quarter-million-dollar (U.S.) reward to them. This arrest gave Microsoft officials confidence that their reward fund would have a positive effect on the eventual arrest of the perpetrators of the Blaster and Code Red worms. 10.31
Antiworm Countermeasures: At the outset of Section 10.2, we quoted Sun Tzu on knowing your enemy in battle. This applies equally well today in the war on malicious code. In fact, we may quote him further: “Know the enemy and know yourself; in a hundred battles you will never be in peril.” (See [279, page 84].) In the computer world, one must be aware of both internal and external potential attackers, especially if you are an employer. Disgruntled employees, as we demonstrated with real-world examples, can be a greater threat than any external source. We have talked at length about measures against internal threats such as the use of firewalls (see Section 8.4), monitoring, and access control. Now we see how to protect against the external threats presented by worms.
Relying solely on firewalls is insufficient: a worm that gets past the perimeter, or that starts from an already infected machine inside it, meets no further obstacle unless each server is protected as a separate entity. We have already discussed the technological devices such as IDSs (see page 395); blocking software, including antivirus mechanisms (see page 403); and access-control software (see page 403). There should also be human intervention such as Tiger Teams (see page 396); risk analysis; and in-depth security policies. Using the human and technological devices in concert is the most effective of security-management mechanisms.
10.31 It was reported in August of 2004 in the Telegram (Berlin) that teenagers are responsible
for 70% of e-mail viruses.
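The monitoring side of these countermeasures can be made concrete with a small detector for the behaviour Blaster and Sasser share: one host contacting many distinct neighbours on the same port within a short time, most of which refuse the connection. The script below is an added example written for this page, not code from the book; its log format, host addresses and thresholds are assumptions, and the sample lines are constructed rather than captured traffic (TCP 445 is used for the sweep because that is the SMB port Sasser's LSASS exploit arrived on).

```python
"""Flag worm-like network scanning in a connection log.

Added example for this page (not the book's code). The log format, the
addresses and the thresholds are assumptions; the sample lines are
constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, one connection attempt per line:
#   <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <OK|REFUSED|TIMEOUT>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<outcome>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "outcome": m["outcome"],
    }


def detect_scanners(lines, window=timedelta(seconds=60), min_targets=8, min_fail_ratio=0.5):
    """Return {(src_ip, dst_port): report} for sources whose traffic looks like a worm scan.

    A source is flagged when, within `window`, it contacts at least `min_targets`
    distinct destinations on one port and at least `min_fail_ratio` of those
    attempts are not accepted: a sweep of random neighbours mostly hits hosts
    that are absent, patched or not listening, whereas normal clients talk to
    a few hosts that answer.
    """
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_key[(rec["src"], rec["port"])].append(rec)

    reports = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so that recs[start:end+1] spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            current = recs[start:end + 1]
            targets = {r["dst"] for r in current}
            if len(targets) < min_targets:
                continue
            failed = sum(1 for r in current if r["outcome"] != "OK")
            ratio = failed / len(current)
            if ratio < min_fail_ratio:
                continue
            # Keep the widest sweep seen for this (source, port) pair.
            if key not in reports or len(targets) > reports[key]["distinct_targets"]:
                reports[key] = {
                    "attempts": len(current),
                    "distinct_targets": len(targets),
                    "failed": failed,
                    "fail_ratio": round(ratio, 3),
                    "first_seen": current[0]["ts"],
                    "last_seen": current[-1]["ts"],
                }
    return reports


def constructed_sample_log():
    """Constructed sample lines (not real traffic) covering a sweep and two benign patterns."""
    base = datetime(2004, 5, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # Worm-like: 10.0.0.5 sweeps twelve neighbours on TCP 445; only one accepts.
    for i in range(1, 13):
        outcome = "OK" if i == 7 else "REFUSED"
        lines.append(f"{stamp(i)} 10.0.0.5 -> 10.0.1.{i}:445 {outcome}")
    # Benign: a workstation mounting three file shares in the same minute.
    for i, dst in enumerate(["10.0.2.10", "10.0.2.11", "10.0.2.12"]):
        lines.append(f"{stamp(5 * i)} 10.0.0.9 -> {dst}:445 OK")
    # Benign: a browser making twenty requests to one web server.
    for i in range(20):
        lines.append(f"{stamp(i)} 10.0.0.7 -> 10.0.2.1:80 OK")
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for (src, port), report in detect_scanners(constructed_sample_log()).items():
        print(f"scan suspected from {src} on port {port}: {report}")
```

The thresholds are the part a practitioner has to tune to the site: a backup server or a vulnerability scanner legitimately touches hundreds of hosts on one port, so such sources belong on an allow-list rather than a lower threshold, and the failure-ratio test is what separates a sweep from a busy but healthy client. Run against the constructed sample, only the 10.0.0.5 sweep is reported; the file-share and web-browsing sources are not.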