Feeds

Wormability formulae weighs malware risks

Predicting the next big one

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

RSA 2005 Security researchers are developing a method to predict the potential for individual vulnerabilities to become the subject of computer worms. Although Arbor Network's "wormability" formula for predicting worms is far from perfect it allows the firm to give better advice on prioritising security remediation actions and insight into the vulnerabilities likely to be wormed.

Before a worm can be developed, a network vulnerability has to be identified. Arbor's research shows there are potentially dozens of vulnerabilities ready to be used as the propagation vector in internet worms. However, only a handful are developed into worms every year.

Dr Jose Nazario, worm researcher at Arbor Networks, said that by looking at factors such as the potential of an exploit and the state of a vulnerable population it was possible to work out the "wormability" of a software flaw. The possibility of recycling methods seen in previously successful worms is also taken into account. Factors like ease of remediation, the visibility of an exploit and the number of potential targets are also considered. "Most malware authors are going for something that gives them the most 'most bang for their buck'," Nazario added.

This analysis allows Arbor to focus on the dozens of vulnerabilities likely to be turned into worms from the thousands of software flaws discovered every year. Although the wormability model flagged up the danger posed by a hole in Window's Local Security Authority Subsystem Service (LSASS) component that was used in the Sasser worm it missed the Witty worm
, which took advantage of a bug in ISS's firewall software to spread.

Nazario conceded that the model still needs refining not least because it "overstates the problem". "Modelling human behaviour is really hard to do, ultimately game theory is applicable. But if you use analysis to express in concrete terms what factors had contributed to the appearance of a worm you can formalise the process of looking at new threats," he said.

The arrival of a worm is time dependent. Arbor's research shows that risk posed by vulnerability rises rapidly before decaying slowly over as long as a year. Most worms are produced in a "Window of opportunity" of between two weeks to two months after the discovery of a software flaw, Nazario explained.

Nazario outlined Arbor's research on wormability at a presentation at the RSA 2005 conference in San Francisco last week. ®

Related stories

RSA 2005: complete coverageInfected in 20 minutes
Witty attacks your firewall and destroys your data
The strange death of the mass mailing virus
Rise of the Botnets
Companies adapt to a zero day world
Sasser worm creates havoc

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.