Noisy worms replaced by stealthy, targeted attacks
Reprinted from: http://lastwatchdog.com/noisy-worms-replaced-stealthy-targeted-attacks/#more-7056
By Marc Maiffret
Friday, July 13, 2001, started out like any other Friday for me and my friend and colleague Ryan Permeh. We were hanging out, playing Tony Hawk’s Pro Skater videogame and drinking beers before venturing out to our favorite local bars. In the midst of our Friday ritual we received an email from an IT administrator asking if we could help him figure out why his Microsoft IIS web server was making seemingly random connections to hundreds of other servers.
After a couple of hours of reviewing various network data we realized what we were looking at was not random but the first Microsoft computer worm. We worked through the entire weekend until finally releasing our analysis of the worm to the world on July 17, 2001. We named the worm CodeRed after the Mountain Dew soda that had fueled us through the weekend: Code Red.
Random crashes
The world of computer and network security has come a long way since that fateful day in 2001. If you were to review IT administrator mailing lists for the few weeks prior to our discovery of CodeRed, you would see IT administrators asking each other if anyone knew why their web servers were randomly crashing. These random crashes were actually a side effect of the CodeRed worm. CodeRed traveled the Internet undetected for weeks until Ryan and I stumbled across it.
The security, IT and software-vendor communities of course learned not only from CodeRed — but also from an entire array of network-based worms that were discovered over the next several years — on how to keep up with worms, to track them and to have an early warning before they could get to out of hand. We became very good as an industry at detecting these threats and alerting the world to them.
But the success we had was short lived. Attackers simply moved away from noisy network-based worms and gradually evolved today’s stealthy, decentralized, coordinated and increasingly targeted attacks.
At the end of 2009 and leading into 2010, we saw one of the greatest public examples of how much attackers had shifted their methods to go undetected when Google boldly announced to the world that it and many others had been hit with sophisticated, targeted attacks that became known as “Operation Aurora.”
Landscape reset
Operation Aurora was significant not because of the level of sophistication of the attacks but because the attackers had reset the threat landscape to be not much different from what it was back when Ryan and I discovered CodeRed. For all the great achievements in security, the attackers had gained an upper hand again; the IT security community was no longer proactively discovering major attacks but learning of them by accident.
When I described to someone the other day this reset of the threat landscape, he asked if I thought we are losing the battle for security; “Are we never going to win?” The question in and of itself is part of the problem. People think about security as it relates not simply to computers and networks but also to terrorism and beyond.
We are at war with an adversary that has no home, no place of business and no code of ethics, and this adversary is not any one group of people that will simply disappear or be defeated. For as one group is taken down, another will rise. Because there is just too much money to be made in cybercrime and espionage, we will continue to see generations to come of folks working hard to outsmart the good guys in the opposition.
Something is forever unique about security; there is no finish line, no end to the race. A lot of folks are simply not cut out for a race that never ends. Others, however, wake up every day and live for the challenge of staying one step ahead of the attackers.
We understand that modern societies will continue to be fundamentally built on technology and that we are not fighting simply a battle of intellect but a battle to preserve a future way of life.
August 9, 2010