presentation starting a few minutes early. But this is unique today and yesterday, but let's get underway with it. First of all, just a simple question or two for people in the audience: are there any network worm authors in the audience? Can you please put your hands up? I just want to know if we had any mental retards which needed to be rejected before the start of the presentation. Like, I'm really gonna stick my hand up at a conference full of federal agents saying, "I write network worms." Yeah, okay. Just wanted to see if there's plenty of people in this room who were too drunk from the night before and were gonna stick their hands up. Okay, well, damn, okay. Not caught anyone out this time. I'll just introduce myself. My name is Jonathan Wignall. As you can probably tell from that accent, I'm not from the States, I'm from the UK. I represent an independent group, the Data Network Security Council, not a Fed, just an organization which campaigns for improved information security. My day job, I'm an academic. Those of you who were really early will have heard me talking about my ability to stretch three or four, perhaps say 12, overheads to five and a half hours. If anyone's looked at my presentation, you will note I have 49 overheads here for you. It's all on the conference CD, including sets of references for you to look up extra material. So I didn't put the material on the CD because I thought there'd be a bit of a thing, but if you have a look, you've got the URLs and the books which are listed; they're probably on sale outside anyway. So if you want the information, it's all there for you. So I went a bit overboard on that particular material, but better to have too much, isn't it, than too little. At least I'm going to underrun. I'm also gonna be presenting a couple of bits of my own research, which I haven't got round to putting in white papers yet.
Unfortunately, I think I've got enough material in here for three white papers on some different elements. But what I'm going to do is, I'm gonna be covering, starting from the basics about network worms, what they are, and also of course going through the recent history of computer network worms to bring everyone up to speed. Don't worry if you already know about this subject, I won't be on it for that long. The whole purpose is to bring everyone up to an even level, so that when we start discussing what's happened in the last couple of years, particularly on the theoretical research, everyone is able to understand what I'm going on about. So without further ado, shall I start? Good grief, you're all quiet. Who was drinking last night? This explains it, definitely. Okay, let's get on the way. And the first thing is, what is a network worm? Well, the answer is that, possibly, we can come up with tons and tons of different descriptions. Note the reference for the end. I can come up with tons of descriptions. Did anyone hear Winn's description in Hacker Jeopardy last night? The question? None of you were there for it? Okay. Well, literally, a network worm and a virus, what's the difference? They're both malicious code. Well, the main difference is a worm will seek out its target actively rather than being passively carried to its target. That's the main difference between what a network worm is and a virus. The problem is, this line isn't absolute. We can declare quite a few worms as also being viruses, and quite a few viruses have worm-like behavior. So you can't really design an absolute definition, really, of what a network worm is. We know what one is, but it's hard to write down an actual definition. So that's Vesselin Bontchev's one up there on the screen, but I could have put quite a few other ones up there, indeed. But one thing is certain: they've been around for a very, very, very long time, as long as viruses or even longer.
But one thing is certain in this business: whatever has been theorized by people like myself and other researchers, whatever has been produced by people actually producing network worms, there's one group of individuals who always beat us to the actual definition and description of network worms or viruses. And that is, of course, science fiction authors. Who in this room has seen Terminator 3? What is Skynet? Yes. What is it? A virus or worm? It's hard to make out, isn't it? Seems to be a worm to me from watching the film. But one thing is certain. Everything we're going to cover here today is nowhere near as advanced as what is covered in Terminator 3. Any science fiction film you look at or science fiction book you go through will always be way ahead on this subject. The difference is, we're looking at what actually can be implemented. And if we look through, we see that in 1982 some work was done, as there are. And also we look, in fact, going through the 1980s, we get the first one appearing. It ran in REXX on IBM: the CHRISTMA EXEC worm. But of course, in 1988, there's the world famous Morris worm, the internet worm. The one which everyone in this room, I'm sure, is sick of presenters telling you about in detail. Is that right? Yeah, okay, I'm not going to go into it. But one of the key things about it is a lot of people state that after then there weren't many worms occurring. Well, there were, particularly on IRC. I assume there's quite a few IRC users in this room. Okay, they carried on for quite some time. But of course, in the press it vanished until, of course, the end of the 1990s. And of course, Melissa. Melissa, not the world's best written computer worm, by any stretch of the imagination. Yet it did spread quite rapidly. And it certainly gained an awful lot of press coverage. A ginormous amount of press coverage. From reading some of the press coverage at the time, you'd think the end of the world was coming.
All it was, of course, was a basic worm, written to propagate via email. It had virus-like properties, and it probably was mainly a virus, but it just had some spread using people's address books. Any Outlook users in this room? I think the percentage will be less than in some of the other conferences I've delivered at, I'll tell you now. But one thing is certain about Melissa: it's quite basic, but Kak came along not too long later. And this was a little different in the fact that it actually utilized an exploit in order to replicate itself rather than relying purely upon user stupidity. Now, I'm not gonna knock user stupidity. User stupidity is perfect for worm distribution. If you put something on a box which says tick this to delete all your files on your computer, believe me, people will do it. But the Kak worm was able to actually just open it up, auto-execute. And that, of course, became a bit of a problem, and it's still knocking around to this day. And of course, in May 2000, Love Letter. You'll notice all of these were, of course, mainly email-spreading worms. You'll notice the fact that what is possible is one thing, but virus and worm writers only tend to act once they know something has been proven. So once someone produces one type of worm, you tend to get an awful lot of copycats following on its tail with a few slight modifications or improvements. So that's what we've got there. We're gonna move forward now to Code Red. This worm caused me an awful lot of problems, not from infecting computers, not from the hundreds of entries I got in my web logs. Did anyone else get tons of entries in their web logs? Yeah, still do. No, what it caused me a problem with was, I was over here at DEF CON, right, and then over in the States on holiday before I was going over to HAL to deliver a presentation on network worms. Guess what, when did this come out?
You don't even know what it's like when you're on holiday, and all you've got is an AOL link to try and get updates on information, because that's all you can find for ISPs around the United States which I could get access via. Anyway, Code Red. Okay, decent, decent worm in many aspects, and the fact is it wasn't too badly coded. Okay, it wasn't perfect, a bit big. Version one contained a payload to do a denial of service, which was very poorly written, and it targeted an IP address, so it was very easy for the target site, the White House, just to dodge it by moving to a different IP address. The version two one, and so on and so on, other versions, were far more effective. The problem was that it didn't work very well in some aspects. There were some crashes occurring, particularly on anti-computers, and also, of course, the replication mechanism in the worm wasn't very efficient. It kept trying machines which had already been broken into, or it kept trying machines which couldn't be broken into. And this is why we've got hundreds of thousands of entries in our web logs. If you've got plenty of websites, believe me, it really stacks up. So that was Code Red. And again, it gained quite a bit of press coverage. This one gained also a lot of press coverage, though less surprising than Code Red, because the author made one silly mistake. Does anyone know what the silly mistake was of Nimda? The author did not release it during the silly season for the press, when Congress and other bodies happen to be out, when they're looking for stories. And so as a result, it got slightly less press coverage, but it's a far more efficiently written worm. And it was also an example of a multi-vector worm, one which relied upon more than one method of actually spreading itself. It could use an exploit. It could scan for the back doors left by Code Red II. Use open network shares.
And it could even, which didn't work too well because most people didn't use it, was the fact that it could infect web pages on a machine. And if that machine happened to be a web server, those pages would be able to spread the worm to people who happened to view the web page, using an Internet Explorer exploit. And one of the things I've noticed in particular is that that is one of the few areas of network worms which appeared which have never worked properly. Even though most users never patch their workstations and never patch Internet Explorer, it's never worked, generally because most people who browse websites tend not to do it from a web server. They tend to use separate machines to be the web servers. Even so, Nimda is knocking around today and it's just very hard to get rid of. And again, it spread reasonably fast. Oops, oh God, Veef. What is it, to go back on these things? Control? Does anyone remember? Sorry? What is it? Page up. Page up. Hey, thanks. Okay then, right. Let's bring ourselves up to this year. Told you it wasn't gonna be too long on the old historical stuff. The Slammer and the Sapphire worm. Who's heard of this worm? Only about two thirds of the audience. Okay, well, let's be realistic. This one is particularly relevant to this sort of conference, given the fact that it used an exploit which Dave Litchfield revealed at Black Hat last year, and he gained quite a bit of stick over this. Even though it didn't actually use his code in the actual worm, the fact was of revealing the exploit and providing some proof of concept code that should be included in this worm. And it utilized, of course, an exploit against what service? SQL Server. As a result, it worked by a single transmission of a single packet. Receipt of that packet by an infectable system caused the system to be infected. This is our first known example of a fast distribution worm. Very efficient.
We're not talking about large size which takes ages to upload and infect. We're just talking send-and-forget infection of a target system. Most of the damage caused by this wasn't caused by the worm itself. It had no damaging payload. But most of it was caused by people going and blocking off port 143 on systems and finding that the database systems no longer worked. Did anyone ever suffer this from ISPs, or from inside the organization, with any of the system admins cutting off access on port 13143? Any of you? Good grief, none. Okay? The second problem was it generated an awful lot of packets on the 150,000 or so machines which it infected very, very fast. And this amount of packets did cause some areas of the internet to suffer packet failure. There's a reference put in there for a few sites which have got lists and graphs of packet failure, and in some cases around about 20%. Irritating to the players of online computer games, not too much of a problem for everyone else. So it spread around the world within a few minutes. What's so important about that? Well, if a worm can spread that fast, it means it's going to reach you before you're aware that it exists and are able to plan a defense against it. And this is one of the key things of worms in the recent years: the development of faster, more efficient replication systems. It wasn't efficient. It kept trying the same machines again and again and again. But as it was so quick and so small, it could replicate very, very fast indeed. But regardless of replication speed, there's only two ways a worm is going to get an entrance to a system. And that is either by using a legitimate service, which relies normally on the stupidity of the users, or the manufacturers, or the service providers, or by utilizing a system exploit to break into the system, to do an automatic hacking attack.
The second method is actually less reliable than the first, because many of us know that the fact that the system has an exploit doesn't necessarily mean that it is exploitable, depending on the configuration of the box. The first one is perhaps the preferred route for worms to propagate, because of the fact it's more reliable. And I'll tell you now, no worm has ever failed by underestimating the intelligence of the users of computers. Believe me. This is one way of ensuring that you're going to be around for years and years to come. So that's what we've got there. But regardless of that, we're going to get a modified bell curve. Now, apologies for the graphics, it's gone a bit yucky at the end there. Okay, but the fact is, what we're going to do is, we're going to end up with, for any worm, a kind of bell curve. And what we need to look at really is that this bell curve explains the life cycle of a worm. And any worm that's been engineered normally wants to have I, the infection time to get really close to the maximum number of hosts that are going to be infected, as short as possible, to gain as quick a distribution as it can. I know stealth worms are a little bit different than that, but most of them want I as short as possible. You want to have M as high as possible, the affected hosts that we want to infect. And also a long C, which means the fact it's hard to actually get rid of the worm infestation. Now, obviously this isn't going to be always the case. If a network worm writer wants to trash the computers it's on, they want a short I, high M, and they want a ridiculously short C because they've just wiped all those computers' hard disks. But every time we look at worm cycles, we tend to follow this sort of bell curve distribution. So if we do that, I'm going to skip on two overheads here. We look at an ideal worm. These are some of the criteria which we can use to actually state what an ideal worm is.
It needs an effective replication engine, which might not be efficient, but ideally will be. Small size, to prevent its own distribution being hindered by traffic constraints, and believe me, most worms suffer from this, that they end up too large, they're not able to distribute themselves because of traffic log jams occurring. Target inexperienced users to reduce the chance of removal, okay? Any AOL users in this room? None who are willing to admit it. I have to, I've just admitted it, haven't I? I've got AOL, yeah. Have a large contactable population to infect, okay? The contactable is the important matter. Have a payload which you can't easily dodge. So if you're going to do a denial of service, don't do a denial of service on the IP address. Do it on the domain name. Amazing how many people make that mistake in worm development. And of course, avoid detection for as long as possible. See the previous talk in here, I think that's one way of putting that. And the final one I added, which is reference one, which is to Brandon Wiley's Super Worm presentation, which I regrettably wasn't able to see at Black Hat. Did anyone see it? A few of you, you know more of this than I do, probably. Well, on Super Worm ones it is: adapt to new exploits and counter removal methods. In other words, respond and defend yourself. But more on that a bit later. And this would make it ideal from a worm writer's point of view, the worm. From most of our perspective, we want everything in reverse for that. Well, that's what the worm writer wishes to produce, ideally. So what are the major developments? Well, the biggest development is the reduction in time of replication. I've nicked an equation and modified it from Winn Schwartau's book on time-based security. Anyone read that one? Okay, I've modified it quite a bit.
But generally speaking, the concept is that if a worm can reach a system in less time than it takes for you to know that the worm's there or be told it's circulating, plus the time it takes you to patch or counter or put a defense in, the worm is going to win. It's kind of like a magic equation. And what we've got here is a shortening in the time of a few proposals in order to actually get worms so they distribute far faster than before. These are purely theoretical. None of these have been seen in the wild yet, okay? But they've been published by quite a few people. So let's have a look at them. So, fast replication: Slammer, small size, distributed to a large number of IP addresses very, very, very, very quickly. Requires small, well-written code. You're gonna have duplications in infection attempts. You're gonna cause network saturation. You're gonna cause, of course, network log jams for the amount of traffic which you're generating over the network. But you will be able to infect machines very, very quickly. But people will know that an infection is ongoing. People will know that the traffic load has just suddenly soared. They will realize by looking at it, even if they're the thickest system admin, that something's going on. Oh, the collision light's going a lot on that switch. Okay? So literally, you'll find that these sorts of worms can spread quickly, but it requires tight, competent programming, which a lot of worm writers don't have. So this is what we have by fast replication. Okay? So that's fast replication. But there are better methods, as you've seen up there. What we're going to deal with is one named by Nick Weaver, back in 2002. And that is this concept of Warhol. Have I put it onto that correct? Is it Warhol? Oh, okay. Anyway, from the quote, in the future everyone will have their 15 minutes of fame. Yep, to try and spread around the world in 15 minutes or less. So how does the worm do it? Well, the key trick is for a worm to get started.
You saw that bell curve, it starts off slow. Once you've got a population, the propagation builds up. So the trick is, you port scan, search around, probably using Nmap or other tools, find target machines and operating systems which you think are going to be vulnerable, and build a hit list of a few thousand victims into the worm itself. This means that the worm has a set of targets which it can go for, to provide it a quick seeding effect. So if someone was sat here in DEF CON with a wireless access card, and had a network worm, they could just hit a button, load one, distribute to all those particular machines, and suddenly have a replicating infection spreading very, very fast instead. And that's what you'd actually do. It requires you to scan a list of vulnerable targets beforehand. Well, let's be realistic, how often do we get our computers port scanned? I mean, let's be realistic, how many people here have not noticed anyone pinging or checking out their computer whilst online? Good, right? It's not suspicious anymore, is it? It's like, oh, yet another one. So the fact is, people could do this and build up a list of targets. Hey, go to some sites, you know? Look at, oh, that website has been up online without any downtime for the last four months. I wonder if it might be vulnerable to any recently announced security exploits. These are the sort of things which people can do very, very easily. Now build up a list. Once the worm has used the list, it goes on to a trick known as permutation scanning, which is really the worm concentrating on blocks of IP addresses. So in other words, it picks a random block and scans that block looking for any copy of the worm in that block. If there's no copy of the worm in that block, it will try and infect all those machines. It will try and infect machines until it finds a worm in that block and then it will skip to another block.
The idea is to reduce replication in infection attempts, so that if you know there's a worm in that block of IP addresses, you avoid it. Now I'm not just talking about Class C here, I'm talking about a chunk of Class B address space. And so this way, the worm can spread with less replication. And the whole thing combines to produce a far more effective worm distribution mechanism. And these haven't been seen as of yet. I think we will be seeing them. It won't be too difficult to program and develop such a worm. But there is an even quicker mechanism, which is even quicker to code. And that is flash worms. Okay, now the concept of a flash worm is literally to obtain mass coverage inside round about 15 seconds of release. There's no way anyone could actually respond, no human could respond to this particular threat. The concept is that each copy of the worm carries a set of addresses. When the worm copies and infects a host or tries to infect a host, it splits off a section of its address space to that child. So the worm will start off very large and break down into smaller worms as time goes on. If we were to list 10 million addresses, this means we could end up with a worm initially of the size of 40 megs. Now, before you criticize this, if this was targeted on a high speed bandwidth server, this wouldn't be a problem. How long would it take if the system was actually just merely on a T1 line? How long would it take to infect? If you can do the maths, or you're so hungover, I'll take the hungover approach, okay? Well, what we're talking here is not very long, particularly if it's even faster. So the end result is that we can have a large worm which infects the main server and then breaks down to smaller ones. And this is what we can end up with. 400K initially, broken down to two 100K worms infecting two nodes. Then it breaks down and goes down in a tree-like form. The system isn't perfect, in that for it to be perfect,
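To put numbers on the bell curve, the time-based security comparison and the hit-list seeding trick described above, here is an added example (not part of the talk or its slides) using the standard logistic model of a random-scanning worm; the scan rate, vulnerable population, hit-list size and detection/reaction times are constructed assumptions, not figures from the presentation.

```python
"""Logistic random-scanning worm model vs. the defender's detection + reaction window.

Added illustration; every parameter below is a constructed assumption.
"""
import math

ADDR_SPACE = 2 ** 32  # IPv4 addresses probed uniformly at random


def growth_rate(scan_rate, vulnerable, addr_space=ADDR_SPACE):
    """Per-second rate K at which one infected host finds fresh vulnerable hosts.

    Each probe lands on a vulnerable host with probability vulnerable/addr_space.
    """
    return scan_rate * vulnerable / addr_space


def infected_fraction(t, scan_rate, vulnerable, initial):
    """Fraction a(t) of the vulnerable population infected t seconds after release.

    Logistic curve da/dt = K a (1 - a) with a(0) = initial/vulnerable: this is
    the S-shaped life cycle from the talk (slow start, explosive middle, saturation).
    """
    k = growth_rate(scan_rate, vulnerable)
    a0 = initial / vulnerable
    e = math.exp(k * t)
    return a0 * e / (1.0 - a0 + a0 * e)


def time_to_fraction(target, scan_rate, vulnerable, initial):
    """Seconds until `target` (e.g. 0.95) of the vulnerable hosts are infected.

    Inverts the logistic curve: e^{Kt} = target (1 - a0) / (a0 (1 - target)).
    """
    k = growth_rate(scan_rate, vulnerable)
    a0 = initial / vulnerable
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def worm_wins(time_to_reach, detection_time, reaction_time):
    """Time-based security test: the worm wins if it reaches you before D + R."""
    return time_to_reach < detection_time + reaction_time


def compare_seeding(scan_rate, vulnerable, hit_list, target=0.95):
    """Time to saturation starting from one host vs. from a pre-scanned hit list."""
    return {
        "single_seed": time_to_fraction(target, scan_rate, vulnerable, 1),
        "hit_list": time_to_fraction(target, scan_rate, vulnerable, hit_list),
    }


if __name__ == "__main__":
    # Constructed scenario: 100 probes/s per infected host, 300,000 vulnerable
    # hosts, a 10,000-entry hit list, and a defender who needs 10 minutes to
    # notice plus 10 minutes to push a block or patch (D + R = 1200 s).
    times = compare_seeding(100, 300_000, 10_000)
    for name, secs in times.items():
        print(f"{name:12s} 95% infected after {secs / 60:5.1f} min, "
              f"worm wins: {worm_wins(secs, 600, 600)}")
```

With these assumptions the single-seed worm needs about 37 minutes to reach 95% while the hit-list worm needs about 15 minutes, so the same defender window that beats the first loses to the second.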
All the sites which you've scanned as being potentially infectable must be completely infectable. But has anyone ever had a go at doing any hacking? Anyone in the room here has done that? Well, probably no. Just because a system's got an old exploit on doesn't necessarily mean, even if you get in, that stuff's going to work. And so the main problem with flash worms is they may come down and it may attempt to infect a machine, break off, and the worm won't activate, in which case some of the infectable machines have been effectively cut off from the tree. There's no cross communication between these worms. As there's no cross communication, there's no coordination at all. And as it spreads on down, it's possible the fact that you would not infect your entire namespace. Now Staniford actually suggested an alternative to having all the data in the worm: hosting the files up on a server, on a high-speed server, and each worm pulling down a copy of its block from this high-speed server. But again, the worms had to keep track of which copy of the worm would be pulling what block from the server. And that model would suffer from major lag as they attempted to open an FTP connection, get the file, download it, and then execute. But the whole model would work. And the flash worm one would be very easy for people to encode. So that's what we've got there with flash. Those are the disadvantages. And of course the number one disadvantage is, if the flash worm picks as its first target a machine hanging off a modem, it suddenly stops being a flash worm and becomes an incredibly slow worm. But it's reasonable, it's a reasonable concept. It's not the only thing we can actually use in terms of worms. There's other methods of replication. And that is, why go for speed? Why don't we go for slow? Who was here for the previous talk? Okay, what was the general concept about changing the form of your virus? Why would you do it? Defeat detection, okay. So why don't we do this?
Why isn't this done with a worm? Why not attempt to spread slowly? It is cooler to infect the world in 15 seconds. Yeah, that's what most virus writers want, to be honest. They want to just say, hey, yeah, I wrote that virus, that worm. My name's up in lights. That's what they want to say to their friends, and hope none of them are friends. Well, the key thing about it is this: this would be a very devastating effect, slowly transmitting from machine to machine, hiding itself. Maybe as, say, Kazaa or something. None of you use Kazaa, do you? Okay, hiding yourself as normal traffic, slowly building up a large infection base. Okay, maybe programming it to avoid certain sites which you know are the antivirus companies and so on. Okay, slowly spreading out, and you could store a record of infection, an infection trail, which you could then activate in future. If you look at virus research, you'll often find papers on this sort of topic, and it's very, very tricky to program. So as a result, you're likely to see many cases in the wild, and also of course there's the world of intrusion detection systems. Anyone see the first talk on this track this morning? Okay, the fact is it's harder to achieve. Not impossible, but harder to achieve with the world of intrusion detection systems. I know most of them are crap, but the fact is that some of them may pick up some suspicious traffic and someone may isolate and analyze it. But the key advantage of these is no one's gonna notice a traffic load hike. It's just gonna look like normal traffic. Build up the large infection base on the quiet. So I suppose you could describe this like pyramid marketing of some sort, I suppose. Just build up slowly and then go kaboom as you crash. Okay, that's one concept of stealth worms. There's other ways we can actually have worms spreading as well. And that is of course what I call, section which, one of my bits of research here which I've yet to get around to doing the research on and producing the white paper on.
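As an added example (not from the talk), a small detector over constructed flow records shows the contrast just described: a Slammer-style fast scanner stands out in a ten-second window by its burst of distinct destinations, while a stealth worm pacing one new target every few minutes only shows up when the same distinct-destination count is kept over an hour-long baseline. Hosts, addresses, ports and timings are made up.

```python
"""Distinct-destination scan detector over constructed flow records.

Added illustration; FLOWS is synthetic data, not captured traffic.
"""
from collections import defaultdict


def build_flows():
    """Return constructed (src, dst, dport, timestamp) tuples for three hosts."""
    flows = []
    # Fast worm: one UDP packet to each of 200 distinct hosts within 2 seconds.
    for i in range(200):
        flows.append(("10.0.0.5", f"198.51.100.{i}", 1434, 100.0 + i * 0.01))
    # Stealth worm: one new target every 5 minutes over an hour, on a busy port.
    for j in range(12):
        flows.append(("10.0.0.9", f"203.0.113.{j}", 80, 100.0 + j * 300.0))
    # Ordinary client: the same three servers polled every 30 seconds.
    servers = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
    for n in range(120):
        flows.append(("10.0.0.7", servers[n % 3], 443, 100.0 + n * 30.0))
    return flows


FLOWS = build_flows()


def max_distinct_dests(flows, window):
    """For each source, the most distinct destinations contacted in any window seconds."""
    by_src = defaultdict(list)
    for src, dst, _port, ts in flows:
        by_src[src].append((ts, dst))
    peak = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        # Slide a window starting at each event; fine for small traces.
        for i, (t0, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - t0 > window:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        peak[src] = best
    return peak


def flag_scanners(flows, window, threshold):
    """Sources whose peak distinct-destination count within `window` meets threshold."""
    return sorted(src for src, n in max_distinct_dests(flows, window).items()
                  if n >= threshold)


if __name__ == "__main__":
    # A traffic-hike rule (10 s window, 50 hosts) catches only the fast worm.
    print("burst rule:   ", flag_scanners(FLOWS, 10, 50))
    # The same count over an hour with a low threshold also catches the stealth worm,
    # while the ordinary client (3 servers) stays under it.
    print("baseline rule:", flag_scanners(FLOWS, 3600, 10))
```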
I did it years and years ago, which was 1997 to be honest, and this is the idea of companion worms, which is really a worm carrying another worm. Or rather, in particular, a, should we say, common worm operating on a, say, Windows platform which could actually transport a worm for a lesser platform, one which didn't have a large population but was maybe the real target. And each worm could carry the other one as data. Okay, so it's kind of like a cluster of worms working together. All right, example here: we could have a Unix worm stored as data in a Windows worm. The Windows worm would scan out looking for Windows and Unix hosts. If it found a Unix host, break in, install the Unix worm and copy the Windows worm up as data. Okay, the cycle could now complete with the Unix worm looking for both Windows and Unix targets. So this would enable a worm to cross platforms, so to speak. It's not rewriting its code. It's a very, very simple concept. The problem for worm writers is this: it requires twice the effort to write as a standalone worm. And as a result, we have not seen any of these types in the wild. Well, okay, we've seen worms drop viruses. We've all seen that. And we've seen some of the viruses they drop spreading on file shares. But it's not been mutual, carrying the other one as well. And this is one thing which we could see in the future. But we also could see this. Brandon Wiley issued a paper, Curious Yellow, on super worms. Has anyone actually seen that paper? I know some of you have seen the presentation at Black Hat. Have any of you seen the paper before? Okay, well, the concept here is literally based around peer to peer networks. The concept is you can have a worm which talks to other copies of the worm in a peer to peer network. This worm then is aware of all the machines which the other worms, installed on the other computers, have attempted to infect. The concept being that this worm will only ever try and infect a machine once.
And the whole of the worms will form one single peer to peer network, which can communicate with all the other nodes and can even respond and deal with threats to itself. So that if someone comes up with a solution, this worm could, say, jam all the other infected machines from accessing the site which contains the solution. The worms could literally also look at updating their own code across the network. So it could be updated for new patches and new exploits. So the whole array, once it was infected on the internet, would remain on the internet. Interesting concept, isn't it? Indeed it is. Now, it's not a perfect system. There are quite a lot of drawbacks to this. The concept is totally solid. The problem is, again, should we say, the capability of worm writers. There are people who could produce this. I'm still a bit concerned about who would risk updating the system with new exploits. I'm also still concerned about how you could stop someone removing a machine from the internet and then getting a CD from the antivirus manufacturer to actually remove the infection on your standalone computer before rejoining the network. But it certainly would exist as a decentralized infestation on the internet. So it's an interesting concept, and very similar to Skynet in Terminator 3 and quite a lot of things, but it is feasible. So I missed Brandon Wiley's talk, but I do believe he went through a lot of the mathematics of updating all the nodes and keeping them in sync at Black Hat. So that's what I've got there with power worms. However, this node could have centralized processing. Certainly, not a problem. Ladies and gentlemen, as a director of the feds in the audience, if there are any, it's imperative that Special Agent Beal from the Washington field office of the FBI contacts me immediately. There's an emergency we need to address. If you know him or know how to get a hold of him, could you please have him come find Priest? I will most likely be in the NOC.
Once again, Special Agent Beal of the FBI from the Washington DC field office. He's to contact me there, as there's an emergency item we need to take care of. Sorry for the interruption, guys. Okay, right. So this is what we've got here with power worms. Yeah, well. Okay. Now, what we could have, of course, this literally is a supercomputer array. You could operate and merge the computing power of these nodes together. And literally, of course, you could have it find its own exploits if you wanted, but yeah, it's a very, very interesting concept. I don't know if we'll ever see it in the wild, though. I hope we don't, to be honest. Okay. Is there anything else? Yeah, well, this is one of mine again, which I've not got round to doing the white paper on. It should be out in about a couple of weeks. This is server-controlled worms for the distribution. The whole concept of it is really like what we've seen with flash worms, but to get around a few of the problems. And this one here is, instead of, we're going to distribute, and now it is to distribute worms very, very quickly, but in a targeted manner. In the past, worms haven't been used in information warfare or in planning because of the potential of coming back and hitting yourself. With flash worms, we can select which machines we're going to go for. Well, with server-controlled worms, we can actually distribute worms very, very quickly and very, very efficiently to targets in a certain namespace. And we can also distribute them with an IP address of the targets they're going for and also a trigger date and time, so that all the worms would trigger, say, at the same instant, their payload, not relying upon the date and time on the actual machines themselves. We could also give each one a different set of instructions on a target for, say, a denial of service of a set IP address and set ports. Okay? And this could produce a very, very fast distribution.
Provided the server operated on a single packet in, a request from a worm for a set of IP addresses, a trigger date and time, and target, and a single packet going out. And this would be very, very fast, and this is what we could end up with. You could pick a target country. I'll leave it up to you to pick a target country. I'm sure you've all got suggestions here. You'd have a target set up here and you'd install a server or more than one server, probably on a hacked computer in that country or one you purchased by a credit card. In that particular, distribute no worm infections, which would gain it, and they would spread only within your target space. Once they spread within the target space, very short period of time, you've reached saturation point. Too quick for most systems to respond. And then bang, denial of service. The denial of service is mainly contained within the area of the worm infestation. With very little traffic leakage, you'd jam up the international links going out and there would be traffic trying to go in and out around the international links from the country, but literally, you would actually have it more or less contained for a target. I don't know how this would go down for gaining press, but if someone did it very, very carefully, they could produce this and use this in cyber warfare. Of course, it has drawbacks, they all have, and people have quite a bit more information on this, but literally, the fact is there is a limit on the replication speed caused by the server. ISPs could block the server addresses. There are defense mechanisms we're gonna come to hopefully in the next few minutes, and I'm gonna have to speed up here, okay? Blocked by ISPs in the time frame, and it could cause the system to slow down. And again, there will be some leakage of traffic and any denial of service attacks to neighboring countries unless you're very, very careful. But even so, it is a quick and effective mechanism for quality distribution. 
However, why bother doing anything complex when, let's be realistic, people make mistakes all the time. And I hate to say this, but there's many new ways worms can spread which haven't been done in the past. And these are so easy to find, it's unbelievable. People all they've got to do is just look at ISPs or look at service manufacturers. And I'm just gonna give you a couple of quick examples here. You're gonna love this one. Glad there's no AOL users in this room. Does anyone work for AOL in any shape or form? I might still keep my link then. Welcome to AOL's web space for its users. It's only accessible by the user themselves, but AOL users access their web space by FTPing to members.aol.com, logging in as anonymous, putting the password in as the user ID which is an email address at aol.com, going to the user ID and just uploading the web space. That's all AOL users. Every last one, 30 million screen names I believe, web accounts. Anyone ever visited a site on AOL, hometown or members, any time? So for web application worms, that's one way it could be done. Yeah, like I say, they're not the only ISP to make that sort of mistake. Because if a worm gets on the target computer, it could do that automatically. There's no need to note it down, it's on the CD. Just so you know. Don't worry, I did a visit to the presentation two years ago. The only difference is they've added CD user ID since then, so it's long term this. That's AOL, hey, come on, manufacturers, who cannot put up Microsoft, okay? Quickly, bang, bang, there's Microsoft there. HTAs, anyone probably going to chuckle in the moment? If you read down there, you'll find that HTAs are HTML applications and a very, very, very, very, very quick way of getting past some of their security controls. This is from the Microsoft web page. URL's up there, have a look yourself, okay? I've not edited it, didn't need to, okay? Look at this one, that's one. 
Microsoft ActiveX controls and Java applets, with respect to the zone security settings on the client machines, no warning displays before such objects are downloaded from an HTA, okay? Have a look at this, it's quite funny actually. And don't worry about it, you've all got it. It's run from a program called mshta.exe on your computer, delete it, service packs will put it back on for you. Even with better security levels, the most you'll get is this warning box, and let's be realistic, users are going to click open and run from current location. It's a mechanism which for web replication could actually be very effective. It's just a couple of examples for us, bucket loads of them. But let's be realistic, there's other mechanisms, distribution, see next talk, okay? But what's the worm want to do? Well, any of these, but the prime one, of course, is gain publicity. And that's very, very important for a worm to achieve. Can we stop them? Well, yes. This is going to be very quick, a couple of minutes here because I'm getting a signal from the back. 10 minutes, great, okay, get through the time. And this one literally is the fact is, can we defend? Yeah, we can. What we've got to do though is start taking the people out of the equation because we can't respond fast enough. What we need is more effective defenses against fighting these worms. And fortunately, we can do this. Let's take a World Health Model view. What's a good defense to do? Well, the first one is diversity. Why do we all use Microsoft products? Don't people learn from the potato famine in Ireland? Monocultures are ideal for infections. Diversity is strength. Okay, it ain't gonna happen, is it? We're gonna keep these monocultures, but we've got to put it up there at least. What else can we do? We can do good housekeeping. This is a standard of mine, which I've done. 
A lot of other people have done as well, which is essentially securing your computer system so that even if you do get exploits, you won't get hacked. I don't think that file's there because I think the web admin deleted it last night. I'll get it put up in the next couple of days for everybody. But literally about it is that if you follow good housekeeping practice, even if you've got exploits, you're not going to be compromised. And as long as you keep up to date with the current patches, at least you're not going to be vulnerable to that six-month-old exploit or 12-month-old exploit, which the worm is going to be using. But again, are people going to follow these? No. All you need is about 5% of views on the internet to jam an internet line to be infected because ISPs oversell their internet access by high contention ratio. So literally, okay, we may follow it, but we know tons of people are on. So what can we do? Well, this is a proposal which was done in March by Matthew Williamson of a concept of bandwidth throttling, which is really rules, alternative rules for routers and for systems to limit communication speed between machines which you don't know. So that anyone trying to talk to you who you've not talked to before gets 300 bits per second. If you try and talk to people, machines which you've not talked to before, again, you're throttled down in your connection speed. Modification is not just bandwidth throttling, but connection throttling and the number of connections you can open at any one time. This combined would essentially slow down a worm infestation speed and might be able to provide a defense. It will not stop it, but at least it will slow everything down, which I need to speed up now, okay? Okay, what can we do? Well, we could try containment, don't work very well, stick them in mailboxes and checking them. We could try blacklisting infected hosts, but there's millions of them. It's not going to work too well, okay? 
We could try getting patches and installing them, but let's be realistic. Has anyone ever tried in one of the popular virus outbreaks to connect to an antivirus company and gain an update? How long does it take? Forever. So what do we got to do? Well, with a simple trick, we've got to spread the word and essentially beat that atop equation, okay? We could send a worm after another worm. It's totally illegal and probably wouldn't work because it wouldn't be fast enough. We've got to look at another approach. This is my proposal. This is where I'm going to finish off in a moment, so, and literally this one is very, very, very simple. We can't patch, takes too long to install patches for propagation speed of worms. Notice look at antivirus approach, transferring active code to a computer and setting it up could take too long. Why don't we work on the personal firewalls on the actual system? Have an array of personal firewalls talking through to an analysis node, a computer at your supplier. This analysis node will literally be passed information if your IDS thinks something's fishy going on, coming, trying to come in. Analysis node will say, yeah, block it or allow it through. If it allows it through, your node will then monitor for suspicious behavior to see if you're transmitting now the same traffic which you got sent. If you do, your node cuts it off, the traffic tells analysis node and the analysis node tells all the other ones block that traffic. Essentially it means sacrificial lamb, the first machines to get infected in the network, sacrifice themselves to gather intelligence to enable the other machines to actually start this again. It's one of these papers which I've got to finish. I've got stat loads of them, I'll tell you now. I should hopefully have that one done by September, fully completed and up on the web for you. But it's a very, very efficient system effective. It's really like all those being dumped on a desert island. 
We've got a suspicious bush over there with berries. Do we know if they're poisonous or not? We draw straws, select some poor person to go and eat them. If they drop dead, we don't touch that fruit, do we? You may laugh, but it's workable and this sort of system could work. No active code so it couldn't be used to propagate viruses. The only thing potentially could if the signing was broken was you could have a bit of a denial of service. Okay, that's it. Now questions just for how many minutes? Five minutes. Okay, now I've got a few things to throw out in the audience, so what do you reckon? If it's a good question, they get a shirt. That sound fair? Don't think I've been wrong that. Okay then, anyone got a question? Okay, you, there, please, yeah, done up. About a week later. The question was if you could, why not if a worm distributes around the world in 15 seconds, why not take your time, develop a worm which could spread also around the world in 15 seconds and then clean it up afterwards? Yeah, I think that's a good point. However, it does require the worm not being set to trigger its damaging payload, say, it goes around the world in 15 seconds to trigger within a minute. Okay, I think that's all right. Does he reckon he deserves a shirt for that? Yeah. I think he does as well. Catch. You've only got two more left. I can't bring much more into the country thanks to your import rules. Okay. Right, go on yourself there, please. Yeah, yeah. Yeah, the question was, couldn't the worm establish initial connection to establish itself as trusted then later on go back to utilize the high speed connection? Yes, it could. It also, if it followed a web of trust, say, over file sharing, particularly on peer to peer networks, this system wouldn't work. But it is a mechanism which would provide a degree of defense. Do you reckon he deserves a shirt? I think he does as well. Catch. Right, final shirt now, because I'm conscious of the time. 
Right, now, which question do I think I'll take one from? Okay, go on, front row here. The concept was, was like we mentioned earlier on about stealth worms. Would it fool the system regarding over bandwidth throttling? And the answer is yes, it probably would. It would fool it. And the fact it was sneaking at slow speed wouldn't provide a defense. But that bandwidth throttling would provide a good defense against flash worms and some of the Warhol methods of providing really rapid distribution of worms. Deserves the final shirt? There we are. Okay, now, I think I'm going to have to get out now. I've got a couple of pens here. Are there any journalists? I haven't known you have it hitting journalists with pens and other objects. Well, I throw them in the audience. I normally manage it. Any, anyone? Shall I just throw them in the audience? Eyes up everyone, watch out. Okay. A few DNS comments, all right. Underarm, I'm not doing overarm after them. With a rock. Okay then, thank you. If they want to have a question, I'll take them outside because I know the next speaker and he may need to clear the room. Is that correct? Okay.
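The connection throttling the talk attributes to Matthew Williamson, as an added simulation that is not part of the talk or of Williamson's own code: connections to recently contacted hosts pass, connections to new hosts queue and leave at a fixed rate, and a deep queue is the worm signal. The working-set size, release rate and the three traffic patterns are assumptions; the stealth pattern reproduces the caveat from the Q&A, where a worm that stays under the release rate is slowed by nothing and never flagged.

```python
from collections import deque

class VirusThrottle:
    """Williamson-style outbound throttle (added example, not the talk's code).
    Known hosts pass at once; requests for new hosts queue and leave at a fixed
    rate, and a queue deeper than alert_len is the worm signal."""
    def __init__(self, working_set_size=4, release_per_tick=1, alert_len=10):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted hosts
        self.pending = deque()       # new-host requests awaiting release
        self.release_per_tick = release_per_tick
        self.alert_len = alert_len
        self.alerted = False
        self.sent = []               # (host, tick) connections actually let out

    def request(self, host, now):
        """Return 'pass' for a recently contacted host, 'queued' for a new one."""
        if host in self.working_set:
            self.sent.append((host, now))
            return "pass"
        self.pending.append(host)
        if len(self.pending) > self.alert_len:
            self.alerted = True      # far more new peers than ordinary use
        return "queued"

    def tick(self, now):
        """End of a time slice: release a limited number of queued hosts."""
        for _ in range(self.release_per_tick):
            if not self.pending:
                break
            host = self.pending.popleft()
            self.working_set.append(host)  # oldest host drops off the set
            self.sent.append((host, now))

def simulate(pattern, ticks):
    """Run one constructed traffic pattern through a fresh throttle."""
    throttle = VirusThrottle()
    for now in range(ticks):
        for host in pattern(now):
            throttle.request(host, now)
        throttle.tick(now)
    return throttle

# Constructed traffic patterns (assumptions, not measurements from the talk).
def normal_user(now):      # revisits four sites, one new host every 10 ticks
    return ["site%d" % (now % 4)] + (["new%d" % now] if now % 10 == 0 else [])
def fast_scanner(now):     # flash-style worm: 20 fresh addresses every tick
    return ["10.0.%d.%d" % (now, i) for i in range(20)]
def stealth_scanner(now):  # slow worm that never exceeds the release rate
    return ["192.0.2.%d" % now]
```

Over 30 ticks the fast scanner asks for 600 connections, gets 30 out and trips the alert in the first tick; the normal user and the stealth worm both pass unflagged.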