Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Changing Threat Models

Published: 2006-12-25
Last Updated: 2006-12-26 13:23:28 UTC
by Kevin Liston (Version: 1)
0 comment(s)

    A number of days ago, a reader pondered about the possibility of an SNMP "Slammer Worm" based on the vulnerability described in MS06-074.  What would it take exactly for there to be another "Slammer"-like event?  A worm outbreak requires two major components: an internet worm, and a vulnerable population.  The model for the internet worm is made up of further sub-components: the scanner, the propagation code, and the exploit. Scanning routines influence the success and impact of a worm.  Poorly written scanning routines have limited many promising young worms in the past.  A lot of time has been spent studying the scanning methods of worms, I've wasted an hour or two on it myself, take a glance through to see the number of white-papers and academic works on the topic.  The propagation code must be written to accommodate any limitations placed upon it by the vulnerability exploited (such as size limitations, and NOP codes, or other constraints on the injected data.)  Some overcame these limitations by using a staged approach.  This workaround has its drawbacks, as the secondary stage can add its own limitations to the worm since the transfer may fail because of firewall rules or, the source of secondary payload my make a lucrative target for incident handlers.  Finally, the vulnerability must allow for unauthenticated remote execution of arbitrary code.  Since proven scanning routines are publicly available, and there are multiple examples of propagation code in circulation, the announcement of any network-visible vulnerability that allows unauthenticated remote execution of arbitrary code creates a potential situation.

     A quick review of MS06-074:

SNMP Memory Corruption Vulnerability (CVE-2006-5583)

CVSS (Base)  : 10.0

Exploit code: Privately Available

     Now, some special things about SNMP are since it's UDP, the source IP address can be spoofed without affecting delivery of the exploit, also, knowledge of the SNMP community string may or may not be required to successfully deliver the exploit.

     This brings us to our second requirement for an "outbreak event," a vulnerable population.  Although a lot of systems are running SNMP, not that many are running with UDP/161 open to the internet.  On the other hand, there are a class of networks that may have UDP/161 allowed in from "trusted" 3rd party networks.  Which, based on the spoofability of UDP, isn't such a sound security practice.  These particulars alone would have limited impact on worm development, though the general inaccessibility to the SNMP port is a major limiting factor on the success of the potential worm.

    The limited size of a vulnerable population severely limits the possibility of a generalize Internet worm with "slammer"-like impact.

    If there was a large population ripe for an MS06-074 worm, I still reason that there would not be a "slammer"-like worm exploiting this vulnerability.  I left out one important criterion for a worm in the model above.  In addition to Scanning routines, propagation methods, a vulnerability exploit, and a vulnerable population, a worm also needs a motivated creator in order to come into existence.  (I'm chagrined to admit that malware follows a model of intelligence design, and not Darwinian evolution.)

    The model of the malcode author has changed these past years.  Monetary gain has now outpaced the egotistical quest for fame/notoriety, etc. as the driving motivation behind malcode creation.  A malcode author wants to be able to leverage their creation, so now you see botnets, not internet worms.

    So, we will not likely see an SNMP "slammer" worm.  The question should be: "will we see an SNMP 'SDbot'?"  Because of how SNMP is often implemented, I don't see a large chance of that either.

    With exploit toolkits like metasploit and webattacker, every new vulnerability that is discovered runs the possibility of becoming an "event."  Neither of these toolkits will create an internet worm like slammer.  Instead they make smaller, harder-to-detect events that can be leveraged by the criminal to cause more damage in the long run.

kliston -at-

0 comment(s)
Diary Archives