Worms are an effective weapon in cyber warfare

CIO.com has an article about a ‘rapidly spreading virus’ that is giving the UK Ministry of Defence a run for its money.

First, viruses don’t spread on the network; worms spread on the network, and a virus can be their payload.

Semantic arguments aside, the story demonstrates just how effective a worm can still be, especially in cyber warfare. Not only do you have the direct impact of the worm (delivery of the payload), but you also have secondary effects: network and host congestion, and the potential over-reaction by IT groups who simply shut off machines to avoid compromise. According to a Ministry of Defence spokeswoman:

“The reason why so many people are without their computers is because we’ve turned them off rather than they’ve been wiped or destroyed by this virus”

Without knowing what this particular bug is and what it does, shutting down systems may very well be a solid defense, but that doesn’t change the fact that the network wasn’t well prepared for a worm outbreak. The best defense against a network worm is defense in depth, but it doesn’t have to be complicated. In fact, I would argue that it shouldn’t be much more complicated than:

  1. Patch management
  2. Network segmentation
  3. IPS and AV protection at segment links
  4. HIPS protection on critical hosts and AV protection on *all* hosts
  5. Established incident response

But I digress.

As I stated previously, targeting military networks can have far-reaching, even strategic, gains:

Crippling the network of a carrier group would be a punch to the solar plexus, which would allow for a follow-up attack, such as a swarm attack or suicide attack by aircraft and small watercraft. The combination of the two less-conventional and relatively inexpensive attack methods stands a good chance of forcing the carrier group to disengage until they can repair damage, replace assets, and restore their data network. This kind of ‘more bang for your buck’ is one of the key advantages of cyber warfare.

Note that neutralizing a carrier group borders on strategic, as these are key assets in any expeditionary force of modern warfare.

Wouldn’t you know it, the rumor mill suggests, and the BBC confirms, that HMS Ark Royal, an Invincible-class light aircraft carrier, was or still is affected. I guess their network isn’t Invincible-class.

The fact that the worm spread through multiple networks and ultimately ended up on the carrier’s network demonstrates the potential a worm has for damage simply through the Achilles’ heel of interconnected systems: their very connectedness.

If this is in fact the Conficker worm and not some one-off, custom job cooked up by someone intentionally targeting the MoD, I’d expect some heads to roll. It would be extremely disappointing to learn that a garden-variety* worm targeting a three-month-old vulnerability whipped some MoD ass.

*Conficker is neither exceptional nor cutting edge as worms go. In fact, the core vulnerability that Conficker targets resides in the Windows Server service, which has been known to be vulnerable since at least 2006, and RPC attacks have an even longer history. Given the core role the Windows Server service and RPC play in networking Windows machines, any shop deploying them as infrastructure should protect both at all costs.

Update:

According to the BBC, as of 1/20/09, this is still affecting the MoD and has affected 70 sites. What’s interesting is the statement that it has successfully redirected email traffic to email servers in Russia:

Conservative MP Mark Pritchard said he had been told by one defence official that e-mail traffic from some RAF stations had been re-directed to a Russian internet server as a result of the virus.

Officials note they don’t think the MoD was targeted, which leads me to believe it was indeed a garden-variety worm that hit them. The statement that email was redirected could be a product of the ‘fog’ of incident handling on such a large scale. However, if it’s true, I assume it happened because the email server or servers were compromised by the worm, which deployed a bot that phoned home, and the compromise was then escalated through remote control of the bot.

More on conficker

After providing this wordy response to my friend about the Conficker worm and defenses for it, he asked another simple question: “So if we patch within weeks of MS release we’re good?” To which I provided this less-than-simple answer: not completely.

The patch stops the primary propagation method and AV stops the payload. (This probably answers your question and the rest is me blathering on to show just how smart I am)

Think of a worm as an ICBM. Like an ICBM, the worm has several parts:

  1. A rocket to deliver a warhead to the target. The rocket is the propagation method(s). Having this mechanism is what defines it as a worm (self-propagating).
  2. The warhead is the reason for its existence, the doer of deeds. The warhead represents the payload. The warhead is lethal with or without the rocket, and it can be anything: a keystroke logger, often a downloader, or even a patch.

The Conficker/Downadup payload can be delivered in one of two ways:

  1. When the worm compromises a vulnerable Server service and then has the service download the payload
  2. Through normal file sharing, where the payload is dropped and awaits execution

If you’ve already applied MS08-067 you are safe from being automatically compromised by the worm. You are still vulnerable to the worm’s payload being dropped on the server through removable or mapped drives. At that point your server would become a ‘carrier’ but not infected unless that payload gets executed on the server in the absence of effective AV. As a carrier (without having executed the payload), the server wouldn’t actively compromise other hosts. Other hosts would have to manually download and execute the payload, at which point it would infect that host, barring AV on that host.

For example, let’s say my laptop is compromised and I have write access to a share on your patched server. My host can deliver the payload to that share. If AV on that server doesn’t catch the malicious file, it will sit dormant and wait. It can’t do anything to the server automatically — someone must launch it on the server through RDP or console access. However, if you come along with your laptop, patched or otherwise, download the malicious file and execute it, and your AV software doesn’t catch the payload as malicious, your laptop will be compromised and will then actively attempt to propagate the worm, even though it is patched.

A patched machine can still be compromised because MS08-067 only addresses Conficker’s primary and automated method of propagation: malicious RPC traffic sent to the Server service. The patch does not address any payload the worm may deliver; that falls under the purview of AV. Further, the patch doesn’t address an already-compromised machine’s ability to continue scanning for other hosts to infect, because the payload does the scanning, not the compromised Server service. Even a patched machine that was previously compromised can continue to spew death across your network until the payload is removed.

There is a lot of great information about worms in Jose Nazario’s book “Defense and Detection Strategies Against Internet Worms”. I think I’ll dust off my copy and review it in honor of conficker.

Network worms are still effective

A good friend recently emailed me to ask if AV would protect his servers from the Conficker worm and I thought this would be a good opportunity to continue my anti-antivirus tirade.

The short answer to the question ‘will AV protect me from Conficker’ is “somewhat.” Here’s why. Below are the typical phases of a worm, starting with the initial infection, which is usually done by seeding hosts/bots already under control through other compromises:

  1. Scan for vulnerable services on hosts
    (usually noisy and vulnerable to IPS/IDS/HIPS and draconian firewalling)
  2. Compromise vulnerable service
    (vulnerable to IPS/IDS/HIPS and maybe AV)
  3. Have owned service download payload
    (vulnerable to IPS/IDS and AV)
  4. Execute payload
    (vulnerable to HIPS)
  5. Repeat from step #1

Usually AV isn’t effective (or even relevant) until a file hits the system (step #3). Some AV suites have HIPS built in and may block the behavior at step #2, but that is rare (obviously, given how effective worms still are).
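Step #1 above is the phase where a defender has the most warning: an infected host sweeping a subnet for the Server service produces a burst of connections to many distinct hosts on TCP/445 in a short window, which is visible in ordinary firewall logs long before AV ever sees a file. The following is an added example (not code from the original post) that flags such sweeps from log lines; the key=value log format, the 60-second window and the 20-host threshold are assumptions chosen for illustration, and the log lines are constructed in the script rather than captured from a real network.

```python
"""Flag worm-style scanning (phase 1 above) from firewall log lines.

Added example, not from the original post. The log format, the window and
the threshold are assumptions for illustration; tune them for your network.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_scanners(lines, port=445, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak} for every source that touched >= threshold distinct
    destinations on `port` within any sliding `window`. Denied connections
    count too: a sweep that is blocked is still a sweep."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == port:
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        win = deque()             # events inside the current window
        counts = defaultdict(int)  # distinct dst -> hits inside the window
        peak = 0
        for ts, dst in evs:
            win.append((ts, dst))
            counts[dst] += 1
            # Drop events that have aged out of the window.
            while win and ts - win[0][0] > window:
                old_ts, old_dst = win.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample log (not real traffic): one sweeping host and one normal client."""
    base = datetime(2009, 1, 20, 10, 0, 0)
    lines = []
    # Infected laptop 10.1.4.22 walks a /24 on TCP/445, one host per second, and is denied.
    for i in range(1, 41):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.1.4.22 dst=10.1.5.{i} dport=445 action=deny")
    # Normal workstation 10.1.4.50 talks to its file server every minute, plus one other server.
    for i in range(30):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} src=10.1.4.50 dst=10.1.5.100 dport=445 action=allow")
    ts = base + timedelta(minutes=5)
    lines.append(f"{ts.isoformat()} src=10.1.4.50 dst=10.1.5.101 dport=445 action=allow")
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(build_sample_log()).items():
        print(f"possible worm scan from {src}: {peak} distinct hosts on tcp/445 within 60s")
```

On the constructed log only 10.1.4.22 is reported (40 distinct hosts inside one window); the workstation peaks at two distinct destinations and stays silent. Feeding this the deny lines from a segment firewall is the cheap version of what the IPS in the layered list below does in real time, and it also tells you which host to pull off the network first.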

Your best bet is to apply the patch as soon as you can. It was released in October, so it’s had plenty of vetting. Most AV does detect the payload, but AV can be inaccurate and unreliable these days and is reactive by nature. If AV alerts on the file, that means steps 1 and 2 have already succeeded. With enough compromised hosts on your network scanning and attacking, the attack traffic alone could DoS the service on vulnerable hosts, even though AV is catching the payload.

My main beef with AV can be read here.

There is also a lot of good information in the comments of this post where I contemplate what a future AV package could look like.

The moral of the story is that AV will help but should be part of a layered solution. The solution that has worked very well for us so far is:

  1. Draconian firewall rules (egress and ingress)
  2. IPS units backing up all firewalls to protect open ports
  3. Automated patch management
  4. HIPS software on all laptops
  5. Defined and practiced incident response

On Cyber War

Recent cyber attacks on Israel may appear to be an aspect of cyber warfare, but in reality they’re merely cyber activism.

From Globes online:

Quantity, not quality, is the guideline of hackers trying to shut down Israeli websites in response to Operation Cast Lead. Information security solutions developer Applicure Technologies Ltd. (TASE:APCR) reports a multifold increase in hacking at Israeli websites, as well as a large increase in attempts to hack protected websites.

We’re hearing more and more of cyber attacks associated with physical attacks: Estonia, Georgia, and now Israel. More often than not the attacks (usually website defacements or distributed denial of service (DDoS) attacks) are perpetrated by a loose-knit group of decentralized actors (open source warfare) rather than a well-organized attack orchestrated by a military, government, or other hierarchical entity. But as the tactics develop and effectiveness increases, cyber attacks will become more mainstream, just as other technologies of warfare develop and we progress further into 5th generation warfare, or 5GW.

But the key question is: in the grand scheme of warfare, just how effective are cyber attacks? The current state of the art has for the most part been small-scale and minimally effective, for several reasons. Obviously, the more developed and connected a target is, the more potential cyber attacks have for disruption. Also, the better organized and developed the cyber ‘army’ is, the more effective it will be. That doesn’t mean the cyber army has to be centralized, merely organized in a way that provides meaningful intelligence, attack cohesion, relevancy, etc. Most cyber attacks that we’ve seen associated with armed conflict have been largely disorganized, perpetrated by ad-hoc organizations, and centered around propaganda dissemination rather than system disruption.

In other words, the majority of what we’ve seen so far has been cyber activism: defacing websites with propaganda, spamming propaganda, etc. Taken by itself, that has minimal effect on the outcome of physical warfare and should probably be classed as a sub-category of psychological warfare.

So what are the gains of cyber warfare when it’s properly implemented? I’ll organize a few examples into two categories: tactical and strategic gains.

Tactical gains

Forget about website defacement; imagine if one could disrupt satellites and hinder GPS-guided bombs, like the GBU-39 Small-Diameter Bomb (SDB) that Israel is currently deploying in large numbers. Better yet, imagine being able to control those satellites and redirect those bombs to a target of your choice (a hospital or baby formula factory, if that’s your style). But let’s not stop there: now that we control the satellites, we don’t just have control of bombs but, to a lesser extent, of war planes, UAVs, and any other weapon system that relies heavily on GPS positioning.

Imagine compromising the enemy’s C4ISR infrastructure and not only knowing where all enemy assets are, but having the ability to provide false information (at least a few times before being discovered).

Crippling the network of a carrier group would be a punch to the solar plexus, which would allow for a follow-up attack, such as a swarm attack or suicide attack by aircraft and small watercraft. The combination of the two less-conventional and relatively inexpensive attack methods stands a good chance of forcing the carrier group to disengage until they can repair damage, replace assets, and restore their data network. This kind of ‘more bang for your buck’ is one of the key advantages of cyber warfare.

Note that neutralizing a carrier group borders on strategic, as these are key assets in any expeditionary force of modern warfare.

Strategic gains

Nearly all national economies are tied to the Internet and utilize a computer network of some sort. A concerted, long-term disruption of these systems could seriously impact the enemy’s economy. Cyber attacks on oil bourses, stock exchanges, etc. could reduce the ability of a country to generate revenue and fund its campaign. This could also help subvert the people’s hearts and minds, turning the populace against the war effort.

Cyber attacks on key industries could disrupt a country’s ability to produce weapon systems. For example, if an enemy were to continuously disrupt or outright destroy data and information systems for Northrop Grumman, they could have a severe impact on the production of UAVs, which the US military has come to utilize heavily.

Theft of military and industrial secrets could provide a needed boost to a state. Just look at China, one of the leaders in emerging cyber warfare and certainly adept at espionage.

The list goes on; electrical grids (collateral damage to industry, economy, etc), cell phone grids, nuclear power plants (destruction of which would also be a physical attack), commercial shipping entities, etc.

Cyber warfare has huge potential and we’re only seeing the earliest stages of it now. As its effectiveness develops and as the world embraces ‘teh intarwebs’ we’ll begin to see a whole new way to wage war by smaller and smaller players, both state and non-state.

Invigorate Postini

One of the best features of Postini is the ability to write custom content filters. I leverage these to snipe spam that Postini doesn’t catch. One of my most effective (24,000+ caught in 42 days) is a filter I’ve titled ‘invigorate’:

Subject Line matches regex “(Viagra|Cialis)” AND Body contains text “http://”

This will catch anything with either “viagra” or “cialis” in the subject line and a hyperlink anywhere in the body.
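To see what that rule actually matches, here is an added example (not the post’s own code and not Postini’s rule engine) that evaluates the same two conditions, ANDed together, over a handful of constructed messages. It assumes Postini’s subject match is case-insensitive, since the post says the rule catches lowercase “viagra” as well, and it assumes nothing else about Postini; the tiny rule format and the messages are mine.

```python
"""Evaluate the 'invigorate' content filter over constructed messages.

Added example, not from the original post. The rule representation is an
assumption made for illustration, not Postini's actual configuration format.
"""
import re

# The filter from the post: subject matches the regex AND body contains "http://".
INVIGORATE = [
    ("subject", "regex", r"(Viagra|Cialis)"),
    ("body", "contains", "http://"),
]


def condition_holds(field_value, op, value):
    """Evaluate one condition of a rule against one message field."""
    if op == "regex":
        # Assumption: the subject regex is matched case-insensitively, since the
        # post says the rule catches "viagra" and "cialis" in lowercase too.
        return re.search(value, field_value, re.IGNORECASE) is not None
    if op == "contains":
        return value.lower() in field_value.lower()
    raise ValueError(f"unknown operator: {op}")


def rule_matches(rule, message):
    """A rule fires only when every one of its conditions holds (AND semantics)."""
    return all(condition_holds(message.get(field, ""), op, value) for field, op, value in rule)


def filter_messages(rule, messages):
    """Return the subjects of the messages the rule would quarantine."""
    return [msg["subject"] for msg in messages if rule_matches(rule, msg)]


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "Cheap VIAGRA today", "body": "Order now at http://pills.example.invalid/"},
    {"subject": "Cialis question", "body": "Doctor, is this safe to take? No link, just asking."},
    {"subject": "Meeting tomorrow", "body": "Agenda: http://intranet.example.invalid/notes"},
    {"subject": "Re: cialis study results", "body": "Draft paper: http://journal.example.invalid/p"},
]

if __name__ == "__main__":
    for subject in filter_messages(INVIGORATE, SAMPLE_MESSAGES):
        print("quarantined:", subject)
```

Two of the four constructed messages trip the rule: the obvious spam, and the fourth one, a legitimate-looking reply about a drug study that happens to carry a link. The second message has the keyword but no hyperlink, so the AND saves it. That fourth case is the check worth running before deploying a rule like this anywhere that talks about pharmaceuticals for a living; for most shops, the false-positive rate is close to zero and the 24,000 catches speak for themselves.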

Sometimes the simplest things are the most effective.