Feeds

Wormability formulae weighs malware risks

Predicting the next big one

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

RSA 2005 Security researchers are developing a method to predict the potential for individual vulnerabilities to become the subject of computer worms. Although Arbor Network's "wormability" formula for predicting worms is far from perfect it allows the firm to give better advice on prioritising security remediation actions and insight into the vulnerabilities likely to be wormed.

Before a worm can be developed, a network vulnerability has to be identified. Arbor's research shows there are potentially dozens of vulnerabilities ready to be used as the propagation vector in internet worms. However, only a handful are developed into worms every year.

Dr Jose Nazario, worm researcher at Arbor Networks, said that by looking at factors such as the potential of an exploit and the state of a vulnerable population it was possible to work out the "wormability" of a software flaw. The possibility of recycling methods seen in previously successful worms is also taken into account. Factors like ease of remediation, the visibility of an exploit and the number of potential targets are also considered. "Most malware authors are going for something that gives them the most 'most bang for their buck'," Nazario added.

This analysis allows Arbor to focus on the dozens of vulnerabilities likely to be turned into worms from the thousands of software flaws discovered every year. Although the wormability model flagged up the danger posed by a hole in Window's Local Security Authority Subsystem Service (LSASS) component that was used in the Sasser worm it missed the Witty worm
, which took advantage of a bug in ISS's firewall software to spread.

Nazario conceded that the model still needs refining not least because it "overstates the problem". "Modelling human behaviour is really hard to do, ultimately game theory is applicable. But if you use analysis to express in concrete terms what factors had contributed to the appearance of a worm you can formalise the process of looking at new threats," he said.

The arrival of a worm is time dependent. Arbor's research shows that risk posed by vulnerability rises rapidly before decaying slowly over as long as a year. Most worms are produced in a "Window of opportunity" of between two weeks to two months after the discovery of a software flaw, Nazario explained.

Nazario outlined Arbor's research on wormability at a presentation at the RSA 2005 conference in San Francisco last week. ®

Related stories

RSA 2005: complete coverageInfected in 20 minutes
Witty attacks your firewall and destroys your data
The strange death of the mass mailing virus
Rise of the Botnets
Companies adapt to a zero day world
Sasser worm creates havoc

The smart choice: opportunity from uncertainty

More from The Register

next story
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Boffins build FREE SUPERCOMPUTER from free cloud server trials
Who cares about T&Cs when there's LIteCoin to mint?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.