Description: A new class of worms that spread like lightning is turning security on its head. Charles Renert of Determina says updates can't protect you and by the time the worm hits, it's too late.
My name is Charles Renert and I'm the head of security research and development at Determina Corporation. So the title of my talk is "Ready, Set, Too Late: Superworms." So what I'm talking about today is a new class of attack called Superworms. They spread extremely, extremely quickly and they really turn security upside down on its head. So you're going to have to reconsider the way that you do security in order to address this new kind of threat.
So let's look at your typical virus situation here. Let's say, from the Internet you get yourself an attachment. You get an e-mail. It's a typical way that these things are spread. You don't know what's in there. You decide to double click. Well, guess what happens? Now, your machine, it's going to send e-mail to all the people in your address book, right? So now if they double click, then they are going to get infected, but again it has to sit there kind of waiting in their inbox until they double click. Same concept here and so forth. So you get these folks slowly getting infected as they double click. So speed: it's moderately fast, in current terms. The e-mail worms too tend to spread pretty widely once you start double clicking. But there is that pause that slows them down somewhat. Their complexity is actually fairly low, so all I'm doing is sending you an e-mail with an attachment. That's something that's very common. It's also something that from a security standpoint is a little easier to stop, because we're just talking about e-mail here. Then the updates, effectively, are yes. Can you update yourself against this kind of threat? Yes, it's not spreading quite as quickly; again you've got other kinds of protections that are available, so that's why updating is feasible.
So Superworms are different. With Superworms, systems have vulnerabilities, and the difference with the vulnerability is that when the threat comes, it goes straight in, straight into the vulnerability, and starts running its code, which then goes straight to all the machines that it can connect to, and so forth and so forth. So what you get is this absolutely lightning effect where all systems that have the vulnerability are almost instantaneously affected. So speed: lightning. Extremely, extremely fast. I mean just to give you an example, you take SQL Slammer; SQL Slammer, which infected computers a couple of years back, infected over 500,000 machines in less than 10 minutes. Okay, very serious here, very, very fast. Complexity is high. Vulnerabilities can exist in any application, any service, so the kind of traffic that's coming up from the Internet is very different than the e-mail traffic that we're talking about before. And then the bottom line is: updates, no. You can't update yourself to protect yourself because they're just too fast.
So if you want to protect yourself against Superworms then you're going to need to rethink how you do your security and make sure that you already have something on the box that's protecting you because by the time the worm hits, it's too late.
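The contrast the talk draws, the e-mail worm that waits for a double click versus the Superworm that goes straight into the vulnerability, can be put into a small propagation model. The following is an added example written for this page, not code or data from Determina or the speaker; the population size, contact rate, click delay and patch rate are constructed parameters, and the model is deliberately simple (deterministic, fractional hosts, random mixing).

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Outcome:
    ticks_to_half: Optional[int]   # first tick at which half of all hosts were infected, if ever
    infected_final: float          # share of hosts infected when the run ends
    patched_final: float           # share of hosts that got patched before being infected

def simulate(n_hosts: int, contacts_per_tick: float, click_delay: int,
             patch_per_tick: float, ticks: int, seed: int = 1) -> Outcome:
    """Toy model (constructed, not measured). Each infected host contacts `contacts_per_tick`
    random hosts per tick. A contacted clean host is compromised at once (click_delay == 0, the
    Superworm case) or only after `click_delay` ticks in an inbox (the e-mail worm case). Each
    tick a share `patch_per_tick` of not-yet-compromised hosts is updated and becomes immune,
    which also neutralises attachments still waiting to be opened."""
    clean, infected, patched = float(n_hosts - seed), float(seed), 0.0
    waiting = deque([0.0] * click_delay)      # exposures queued until the user double clicks
    ticks_to_half: Optional[int] = None
    for t in range(1, ticks + 1):
        # Updates land on clean hosts and on hosts whose attachment is still unopened.
        patched += clean * patch_per_tick
        clean *= 1.0 - patch_per_tick
        for k in range(len(waiting)):
            patched += waiting[k] * patch_per_tick
            waiting[k] *= 1.0 - patch_per_tick
        # Infected hosts spray contacts; only still-clean hosts can be exposed.
        exposed = min(clean, infected * contacts_per_tick * clean / n_hosts)
        clean -= exposed
        if click_delay == 0:
            infected += exposed
        else:
            waiting.append(exposed)
            infected += waiting.popleft()
        if ticks_to_half is None and infected >= n_hosts / 2:
            ticks_to_half = t
    return Outcome(ticks_to_half, infected / n_hosts, patched / n_hosts)

def compare(n_hosts: int = 100_000, patch_per_tick: float = 0.01):
    """Same vulnerable population and patch rate; the only difference is the click pause."""
    email = simulate(n_hosts, 2.0, click_delay=20, patch_per_tick=patch_per_tick, ticks=300)
    superworm = simulate(n_hosts, 2.0, click_delay=0, patch_per_tick=patch_per_tick, ticks=300)
    return email, superworm

if __name__ == "__main__":
    for name, run in zip(("e-mail worm", "superworm"), compare()):
        print(f"{name:12s} half infected at tick {run.ticks_to_half}, "
              f"final infected {run.infected_final:.0%}, patched in time {run.patched_final:.0%}")
```

With the click pause, the same patch rate immunises most of the population before the worm gets going; without it, the worm saturates the vulnerable hosts within a handful of ticks and the updates arrive after the fact.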