WeekEnd Feature: Blink and you’ll miss it
Security Hole

by Ian Thompson, CCSP Staff Editor
May 8, 2004


The world turns. Perhaps you’ve noticed this? Seasons change, the sun moves about a bit, and the moon trundles along its merry way. Some birds fly somewhere else for part of the year and whales swim thousands of miles and back again. This has absolutely nothing to do with security. But another thing that runs in cycles is the way that attack follows defence; the next threat is never far behind the last one these days…

This patch is amazing!
Oh, wait – that’s the title of some spam I just got…

Actually, the situation with patches is getting just a bit silly these days. Unless you have the shortest possible update interval set on your systems and check regularly for the latest definitions, upgrades and remedies, the speed at which exploits are, erm, exploited is going to be faster than you can respond.

Consider the latest Internet rash, the Sasser worm, which has the world in turmoil and is knocking major organisations offline across the globe. According to the now-daily updates from Panda AV Labs, an unpatched machine can be hit in less time than it takes to boot the PC, log on and download the patch (MS04-011) that closes the LSASS hole the worm uses. Safe Mode is no escape either: without networking you cannot fetch the patch, and with networking you are exposed all over again.

However, the remedy seems unbelievably simple. Apparently, winding the PC’s clock back a few hours breaks the crash-and-restart cycle for long enough to get the patch on. What? Come on, guys! If you’ve gone to the trouble of writing this one (and, by all accounts, the Netsky thingy as well), then this seems an obvious point for, shall we say, ‘improvement’ in the future.

Anyway, the point is that Sasser relies on the same class of flaw (a buffer overflow in a Windows network service, exploitable over the wire without anyone clicking anything) as worms that should already have taught everyone to patch, especially given the publicity that Sasser’s illustrious forebears have generated.

Andy Warhol would have been proud…
It’s been reported this week that virus coders are becoming more sophisticated. I wonder if there’s a more obvious reason for this upsurge. Perhaps the original coders are active again. You know who I mean – the guys who wrote the exploit kits in the first place; the stuff all the skiddies have been bunging around the place. Don’t put too much faith in attribution from reverse-engineering the code, because (if they’re anything like I was at 15) they’ll rip out the original author’s name and insert their own.

Anyone recall T33kid? I think this guy actually wanted to be caught – no other reason for him leaving a trail that ran from his modified virus back to a domain registered in his own name. And in case anyone didn’t get that, he backed up the whole show onto his home PC each night. Hello, Mr FBI! Why did you reckon it was clever work to take a couple of weeks to spot that? They still haven’t got the original coders, but this glory-seeker is now facing federal charges for inflicting MSBlast.B on us.

It is gradually being realised that within 6 months (so, by the time the New Year 2005 hangover has worn off) the virus and worm coders will be turning a patch into a working exploit within 15 minutes of its release. And you can bet they’ll have all their collective ears to the ground in patchland, waiting for the next little gem to appear.

Patch mania.
So, a single home user with a Windows XP PC whose Automatic Updates client is polling Windows Update like mad might just be able to keep up with this. But try this – time your own response to a security release. I’ll bet it takes you longer than 15 minutes to realise something is flawed and that a patch is required to stop all your money draining out of your online banking account.

And the problem is even more pressing for companies. Assuming you have a hotline to W.G.III’s desk, and he makes his billions by sitting there waiting to ring you with details of the latest MS patch, how quickly can you have that patch applied across your domain? Does any competent network administrator just tick the box to approve the patch on the on-site SUS server so that every workstation picks it up? Or do you test stuff out a bit first?

You bet you do, if your job depends on it! In any case, you’ll have systems across the network collecting the updates at different times. Worst off will be those that are already logged on: by default the Automatic Updates client only checks the SUS server on a roughly 22-hour cycle, so a machine that was up and running when you approved the patch may not see it until tomorrow (unless policy shortens the detection interval, which can be set as low as hourly).
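For the record, this is the policy that controls that behaviour. It is an added example, not something from Ian’s column or from Microsoft’s documentation: a .reg file that points the Automatic Updates client at an on-site SUS server and shortens the detection cycle from the 22-hour default to hourly. The host name susserver is a placeholder for your own SUS box, and the schedule values are illustrative choices, not a recommendation from the column.

```reg
Windows Registry Editor Version 5.00

; Added example (not from the column). Points the Automatic Updates
; client at an on-site SUS server and tightens the detection cycle.
; "susserver" is a placeholder host name; replace it with your own.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; Where clients fetch approved updates, and where they report status.
"WUServer"="http://susserver"
"WUStatusServer"="http://susserver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; 1 = use the SUS server named above instead of public Windows Update.
"UseWUServer"=dword:00000001
; 4 = download and install automatically on the schedule below.
"AUOptions"=dword:00000004
; ScheduledInstallDay 0 = every day; ScheduledInstallTime 2 = 02:00.
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000002
; Check for newly approved updates every hour (allowed range 1..22)
; instead of the ~22-hour default. This is what closes the gap for
; machines that were already logged on when the patch was approved.
"DetectionFrequencyEnabled"=dword:00000001
"DetectionFrequency"=dword:00000001
; Do not reboot a machine with someone logged on; prompt them instead.
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
```

Import it with regedit (or push the same values through Group Policy using the Automatic Updates ADM template of the day) and then run `wuauclt /detectnow` on a test box to force a check. The DetectionFrequency value is the one that matters for the argument above: approving a patch on the SUS server does nothing until each client next asks for its list, so the detection interval, not the approval time, sets your worst-case exposure window.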

The home user can perhaps afford the time to create a restore point, install the patch and risk having to roll the installation back if it goes wrong. However, if a network server goes postal on you, taking out huge sections of the company’s assets in one swift, bloody barrage of high-speed ballistics, mad that someone stole its donuts (what? Oh, that’s the ’Postal 2’ game, is it?), then someone’s for the high jump. Maybe it’s more real than just a game – did faulty old-style CD-ROMs coming apart in the first 52x speed drives actually injure anyone?

Update! Update! Got to get the update!
The problem with this mantra (aside from having to chant it in the style of the White Rabbit – didn’t you check the small print?) is that there are still people who don’t routinely make sure they’re up to date. Microsoft’s own figures reveal that fewer than 60% of users keep their AV systems current. That is even worse than relying on the old MS-DOS AV scanner – at least a user of that relic won’t be under the illusion that it’s any good against the current stuff.

Or maybe even that is assuming too much. Scary thought.

If the virus/worm coders can turn a patch into an exploit in 15 minutes, and realistically only a very small proportion of users will be protected by then, the world is quite literally their playground, at least for a day or so. The virus has to be identified, submitted and analysed, then the defences improved and distributed, all of which takes time. Given that the multitude of slave-bots infesting PCs undetected are in near real-time communication with their masters, the bot-army is far better placed to unleash mayhem on users than the Guardians of the Hall of Righteous Justice are to rally a counter-attack.

Ha Ha! Very Witty.
Droll, more like. And sorry for the corny subtitle. One day, I expect the joke writers will grow sick of simple word play - but while lowbrow shows like Family Fortunes and Big Brother exist, I doubt it.

Point is, the Witty worm hit hard and fast. It took out its targets over the course of one weekend, and was specifically written to exploit a weakness in the very software designed to protect PCs (ISS’s BlackICE and RealSecure products), a weakness that had been public for barely a day. Most would have made patching the system a job for Monday afternoon, only to find their system had been wiped out by Monday morning. The weekend’s here – why are you still sat at the PC? Wassat? Reading some limey drivel… I see…

Ironically, in the case of Witty, it was the unprotected PCs that were left alone. Funny, I suppose, in this age of firewalls and biometrics, guard-dogs and CCTV.

You can expect to see more of these short-lived dervishes, whipping across the face of the Internet and then disappearing into the shadowy world of warez sites and host systems to lie in wait for the next unprotected PC to stroll by.

The more you lock stuff down, the more at risk it is.
Here’s the latest knock-back for the hi-tech, security-overburdened world. In line with current paranoia about just what that foreign-looking bloke is doing carrying a lumpy holdall through an airport, biometric data is being collected from travellers in an attempt to reduce threats to life and limb. Obviously, increased security is needed – no question there – but what’s the best way of dealing with it? After all, my passport has a biometric panel on it already – it’s the photo – and it seems this isn’t enough.

So we have fingerprint scanning, DNA records and iris recognition. Except that no one has the time to wait for a DNA analysis accurate enough to tell John from Jane, and current fingerprint algorithms have led to many false matches. So that leaves iris recognition.

Well, no, it doesn’t. Recent tests have shown that heavy mascara can completely mess up the scanning process. So, will we all have to have images taken with and without mascara? Bound to be a delay at US Immigration desks this summer with that one. Buy stock in Max Factor, Rimmel and the rest, plus Johnson & Johnson – after all, baby lotion makes excellent low-cost makeup remover (apparently).

Still, at least the terrorists will all be impeccably made-over to avoid detection. And so will the undercover air marshals – after all, you’re worth it.

Ian

Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.

Copyright © Ian Thompson All Rights Reserved 2004.
Posted on Saturday, 08 May 2004 @ 09:29:39 UTC by phoenix22

Re: Blink and you’ll miss it (Score: 1)
by phoenix22  on Saturday, 08 May 2004 @ 10:42:50 UTC
(User Info | Send a Message) http://www.v4v-mi.org
yepper you got it..that's all I do .....patch patch patch..........it's a hobby .....

was there some other use that this machine was designed for??

Good article, Ian!


Re: Blink and you’ll miss it (Score: 1)
by Ian-OG  on Sunday, 09 May 2004 @ 18:30:43 UTC
(User Info | Send a Message)
Yeah, 'course there's another use - you could be like me and try to trace every knock on the door... It's kind of a bad habit that also leads to getting nothing much done fast. I log on, fire up ZA, then ZoneLog Analyser and spend most of my time at CentralOps finding out where in the world this stuff comes from... ;-)

Like anyone really works on their PC - stuff and nonsense!
