If one thing is definite about Internet security and worm attacks, say experts, it is that cyber attacks are on the rise in 2004.
Consider the worldwide effect of highly publicized worms like last year’s SoBig series and the recent Sinit Trojan and MyDoom outbreaks. Given the potency of some of these worms, security experts are bracing for what some say is an inevitable attack aimed at certain geographically based IP blocks, like those associated with the United States. Such an attack, experts warn, could methodically bring down systems and servers across the country.
TechNewsWorld outlined this scenario for leading security experts and posed questions about the likelihood of such an attack. Most of the security professionals we spoke with said that such a focused attack is possible and that there would be little network administrators could do to defend against it if it were to happen.
Dan Verton, a renowned cyber security expert and author of Black Ice: The Invisible Threat of Cyber-Terrorism, supports the idea that the threat from superworms is very real. He testified at a government reform hearing on September 18th to present his warning about the need for greater security of industrial control systems in the nation’s critical infrastructure.
Verton, a former U.S. intelligence officer, has presented a frightening case that terrorists are planning to take down America’s digital economy. While there is debate about the time frame for such an attack, other security professionals have arrived at the same conclusion.
Terrorists Not Served by Superworm
Geoffrey Kuenning, a professor of computer science at Harvey Mudd College, told TechNewsWorld that the series of incidents last year is proof that a large-scale cyber attack by a killer worm is likely.
“The power grid incident, though not intentional, is proof that the Internet has been brought down,” he said. Other worms released last year carried payloads that proved massive attacks are possible.
But if such a superworm attack is possible, why haven’t terrorists resorted to this tactic yet? According to Mikko Hyppnen, director of antivirus research at Finland-based F-Secure, a superworm attack is not likely to happen soon because it’s not the most effective strategy for terrorists.
“Terrorists are not using superworms and other network attacks because they don’t reach their target that way,” he told TechNewsWorld. “Terrorists want to cause fear and panic. You still cause more fear and panic by killing people than by taking down Web sites.”
Only a Matter of Time
Hyppnen said that geographically targeted viruses have already been written, and so have viruses that only spread within certain organizations or in certain language regions.
“We’ve seen very fast-spreading viruses — Slammer scanned 4 billion IP addresses in 13 minutes — and we’ve seen very destructive viruses [like when] CIH overwrote both hard drive contents and the BIOS chip,” said Hyppnen. “But we haven’t seen a combination.”
According to Harvey Mudd College’s Kuenning, physical location of attackers makes no difference. “The terrorists have the resources,” he said, to carry out a superworm attack at any time they want.
Kuenning pointed out that it would be fairly easy to take down the Internet. “It’s not easy to prevent,” he told TechNewsWorld. “But it is a little bit hard to target specific industries.”
The Year of the Superworm
Michael Paquette, vice president of product management at Top Layer Networks, told TechNewsWorld that he is surprised a superworm attack hasn’t happened yet. “The number of compromised machines is a little bit scary,” he said.
He sees the existence of the Sinit Trojan as the turning point in the feasibility of a massive cyber attack. Sinit operated as a backdoor Trojan that could give an attacker unauthorized access to a compromised computer.
Sinit, argued Paquette, has set the stage for a super Internet attack. Earlier worms went to a single site for their payload. Once identified, those worms were easily stopped.
Sinit appears to be using a true peer-to-peer strategy. As such, there is no single source for the payload and therefore no single source to block to prevent the worm from spreading. In addition, Sinit is using reasonable levels of encryption, which makes the Trojan difficult to identify as malware.
“These things make it less vulnerable to being stopped,” warned Paquette.
MyDoom Worm Adds to the Mix
As if things weren’t bad enough already with Sinit, the rapid spread of the MyDoom worm could give terrorists another strategic weapon.
According to security firm MessageLabs, the MyDoom worm accounts for one out of every 12 e-mail messages the company received during the last week of January. By comparison, last August’s Sobig.F worm accounted for one out of every 17 messages.
MessageLabs also reports it stopped 1.2 million copies of MyDoom in the first 24 hours of the outbreak. This compares with 1 million copies of SoBig.F stopped last August.MyDoom does not damage infected computers or their files, but it does give a remote attacker access to infected computers.
Next Step a Certainty
Kuenning told TechNewsWorld that a superworm attack is imminent. “We will certainly see another superworm attack in 2004,” he said. “I just don’t know if it will be the doing of terrorist intent. Trying to predict a terrorist cyber attack requires us to ponder what their goals are. That is risky. We don’t truly know what they want.”
Paquette said he recently attended an FBI seminar on cyber security issues. Deaths and economic impact were the watchwords of the presentation. “Such an attack could be targeted at massive financial transactions,” he said.
Kuenning offered a chilling warning in discussing whether a superworm attack could or would be launched by terrorists: “Terrorists could do it very easily. The fact that they haven’t means they haven’t needed to yet.”