Feeds

Wormability formulae weighs malware risks

Predicting the next big one

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

RSA 2005 Security researchers are developing a method to predict the potential for individual vulnerabilities to become the subject of computer worms. Although Arbor Network's "wormability" formula for predicting worms is far from perfect it allows the firm to give better advice on prioritising security remediation actions and insight into the vulnerabilities likely to be wormed.

Before a worm can be developed, a network vulnerability has to be identified. Arbor's research shows there are potentially dozens of vulnerabilities ready to be used as the propagation vector in internet worms. However, only a handful are developed into worms every year.

Dr Jose Nazario, worm researcher at Arbor Networks, said that by looking at factors such as the potential of an exploit and the state of a vulnerable population it was possible to work out the "wormability" of a software flaw. The possibility of recycling methods seen in previously successful worms is also taken into account. Factors like ease of remediation, the visibility of an exploit and the number of potential targets are also considered. "Most malware authors are going for something that gives them the most 'most bang for their buck'," Nazario added.

This analysis allows Arbor to focus on the dozens of vulnerabilities likely to be turned into worms from the thousands of software flaws discovered every year. Although the wormability model flagged up the danger posed by a hole in Window's Local Security Authority Subsystem Service (LSASS) component that was used in the Sasser worm it missed the Witty worm
, which took advantage of a bug in ISS's firewall software to spread.

Nazario conceded that the model still needs refining not least because it "overstates the problem". "Modelling human behaviour is really hard to do, ultimately game theory is applicable. But if you use analysis to express in concrete terms what factors had contributed to the appearance of a worm you can formalise the process of looking at new threats," he said.

The arrival of a worm is time dependent. Arbor's research shows that risk posed by vulnerability rises rapidly before decaying slowly over as long as a year. Most worms are produced in a "Window of opportunity" of between two weeks to two months after the discovery of a software flaw, Nazario explained.

Nazario outlined Arbor's research on wormability at a presentation at the RSA 2005 conference in San Francisco last week. ®

Related stories

RSA 2005: complete coverageInfected in 20 minutes
Witty attacks your firewall and destroys your data
The strange death of the mass mailing virus
Rise of the Botnets
Companies adapt to a zero day world
Sasser worm creates havoc

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.