As expected, the first major vulnerability this year within a Microsoft operating system – exploitable through a default network-accessible service – had the exploit writers pulling out all the stops to be the first on the block with exploit code. Within days, the virus and worm writers had half a dozen exploit code examples for the Plug and Play vulnerability and were updating their creation kits with them. By the weekend, the first worms were already on the net.
It was inevitable that this was going to happen, and the press I spoke with earlier that week were eager to promote the prospect of a worm that would "take down the net," just as Slammer and Blaster had. But that was never going to happen – security has moved on, if only grudgingly. Importantly, the most popular home OSs weren't easily exploitable externally over the internet, so propagation was always going to be a problem.
I received the first notifications of worm release halfway through the weekend, and had the opportunity to track all the permutations as the battle between worm writers and security professionals raged. Each time someone had analysed the behaviour of one flavour of worm, the worm changed and they had to start again.
The propagation methods of these worms differed considerably from those of earlier high-profile worm attacks. They were more like bots, with separate command and control mechanisms and packed with tools to slice their way into vulnerable networks. Previous worms made use of a single vulnerability, but these bot worms carried many different kinds of exploit material.
The change in tactics threw quite a few security teams as they tried to analyse what was happening to their networks and understand the almost hourly changes in the worm. A lot of organisations lost visibility of the worm until new antivirus signatures were applied, and had to repeat this with each variation.
In organisations using security solutions that triggered on the use of vulnerability exploit material and on certain protocol anomalies, security teams had to decipher a mix of different alerts and statistical data to understand the nature of the attack.
In many cases, however, this understanding was hampered by the information being published by antivirus firms, which failed to explain the multiple capabilities of the updatable bot components.
A lot of security teams were expecting to detect Plug and Play exploit attacks as an indicator of the worm. What they actually detected was the bot worm attempting to propagate across the network with other exploits, as staff arrived in the morning and connected systems that had been infected over the weekend.
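The detection problem described here – a single Plug and Play signature misses a bot worm that carries several exploits – is easier to see in code. The following is an added example, not part of the column or of any vendor's product: it correlates IDS alerts per source host and flags hosts that fire several distinct exploit or protocol-anomaly signatures within a short window, regardless of whether the Plug and Play signature is among them. The alert format and the signature names are constructed for the example.

```python
"""
Correlate per-host IDS alerts to spot a multi-exploit bot worm.

Constructed alert format (hypothetical, not a real product's log):
    <ISO timestamp> <source IP> <signature name>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from a Monday morning as staff plug in.
# Signature names are illustrative; they are not a vendor's rule names.
SAMPLE_ALERTS = """\
2005-08-15T08:02:11 10.1.4.22 EXPLOIT PnP overflow attempt
2005-08-15T08:02:13 10.1.4.22 EXPLOIT LSASS overflow attempt
2005-08-15T08:02:15 10.1.4.22 EXPLOIT RPC DCOM overflow attempt
2005-08-15T08:03:40 10.1.7.90 EXPLOIT LSASS overflow attempt
2005-08-15T08:03:41 10.1.7.90 EXPLOIT RPC DCOM overflow attempt
2005-08-15T08:04:02 10.1.7.90 PROTOCOL-ANOMALY SMB oversized transaction
2005-08-15T08:10:00 10.1.9.5 EXPLOIT PnP overflow attempt
2005-08-15T09:30:00 10.2.0.8 EXPLOIT RPC DCOM overflow attempt
2005-08-15T11:15:00 10.2.0.8 EXPLOIT LSASS overflow attempt
"""


def parse_alerts(text):
    """Parse alert lines into (timestamp, source, signature) tuples."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, sig = line.split(" ", 2)
        alerts.append((datetime.fromisoformat(ts), src, sig))
    return alerts


def correlate(alerts, window=timedelta(minutes=10), min_distinct=2):
    """Return {source: [signatures]} for sources that trigger at least
    `min_distinct` different signatures inside any `window`-long span.

    A host that fires one exploit once looks like background noise; a host
    that throws several different exploits in quick succession behaves like
    a bot working through its arsenal.
    """
    by_src = defaultdict(list)
    for ts, src, sig in alerts:
        by_src[src].append((ts, sig))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct signatures seen from this host within the window.
            sigs = {s for t, s in events[i:] if t - start <= window}
            if len(sigs) >= min_distinct:
                flagged[src] = sorted(sigs)
                break
    return flagged


def without_signature(flagged, keyword="PnP"):
    """Flagged hosts that never triggered the signature teams were
    watching for; these are the ones a PnP-only watch would miss."""
    return sorted(src for src, sigs in flagged.items()
                  if not any(keyword in s for s in sigs))


def arsenal(flagged):
    """Union of signatures across flagged hosts: the bot's visible toolkit."""
    return sorted({s for sigs in flagged.values() for s in sigs})


if __name__ == "__main__":
    hits = correlate(parse_alerts(SAMPLE_ALERTS))
    for src, sigs in sorted(hits.items()):
        print(src, "->", ", ".join(sigs))
    print("flagged without a PnP alert:", without_signature(hits))
    print("observed arsenal:", arsenal(hits))
```

On the sample data, 10.1.4.22 and 10.1.7.90 are flagged; 10.1.7.90 never triggered the Plug and Play signature at all, and 10.2.0.8 is left alone because its two alerts are hours apart. Tuning the window and the distinct-signature threshold against a site's normal alert volume is the practical work; the point is to key detection on the multi-exploit behaviour rather than on any one vulnerability.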
Hopefully, a lot of these security teams have learned from the experience and will be better prepared for the next bot worm.
Unfortunately, I think the bot worm creators learned even more, and are already tuning their engines in preparation for the next "good" exploit to be released.
Gunter Ollmann is director of X-Force at Internet Security Systems