Issue #11 September 2005

Computer worms, Red Hat, and you

What is a worm?

There are few computer users who don't know what a worm is from the events of the past few years. It seems that anytime a critical security issue gets fixed, a computer worm is soon to follow. A computer worm is defined as a program that will attach a malicious payload to an already running service, then use that host to infect other vulnerable computers connected to a network. The network may be a local private network, but often it is something global such as the Internet.

Not every worm created is necessarily malicious in the sense that it deletes or changes files. Many worms simply propagate to as many computers as possible; they become malicious as they consume computing resources and network bandwidth. It is not uncommon, though, for a worm to contain instructions to perform a malicious action such as a denial of service attack, or to spread and await further instructions from the creator of the worm. It has also become popular for a worm to turn an infected computer into a "Zombie" to relay spam. It is estimated that between 50 and 80 percent of spam originates from these zombie computers.

One of the most famous worms, also considered one of the first, was known as the "Morris Worm." This worm was first discovered in 1988, before the Internet was anywhere near as large as it is today. Estimates put the size of the Internet at 60,000 computers in 1988. Today it has hundreds of millions of computers connected to it. The Morris worm managed to disable most of the Internet, either by consuming all computing power on a target host or because institutions removed computers from the Internet to avoid becoming infected. The Morris worm was not meant to be malicious by the modern definition of the word, but it spread so quickly and so well that many computers became infected with multiple copies, which consumed all available computing power.

One of the latest worms to gain widespread attention was a Microsoft® Windows® based worm which was named "Zotob." This worm became famous as it struck a number of news organizations, preventing them from conducting business as usual (there were reports of typewriters having to be used). This particular worm only affected Windows 2000 and connected to an IRC server to await further instructions. The worm would also modify the system's hosts file to disallow access to certain websites. The disabling of various websites was an attempt to prevent antivirus products from receiving updates which could potentially clean the infection off the target computer.

Systems running Linux have had at least one well known worm, the "Slapper Worm." The Slapper Worm was discovered in September of 2002, over two months after a fix had been made available. It targeted Linux systems running SSL-enabled Apache HTTP servers. F-Secure, a virus tracking firm, has estimated that the Slapper Worm managed to infect roughly 13,000 computers during its life. The worm actually leveraged a problem with the OpenSSL library, which was exploited through the Apache HTTP server. This worm only affected some of the most popular distributions of Linux at the time, since small differences in each distribution's binaries required different memory offsets to be successful. The worm proceeded to create a peer-to-peer network of infected hosts which could later be used for specific attacks.

Squiggly locomotion (or how they spread)

We live in a highly connected world in which there are hundreds of millions of computers, all interconnected through the Internet. While this has proven to be an incredible communication medium, not all computers are equal. Many of the computers attached to the Internet are well managed and secured, but some of them are not. When dealing with numbers in the hundreds of millions, even a small percentage of unsafe computers is a LOT of machines. When a worm begins to spread over the vulnerable computers on the Internet, it spreads faster over time as more and more hosts are infected. Worms tend to spread in a parabolic manner: one host becomes infected, which infects two hosts, each of which infects two more hosts, and so on. Each infected host will probably infect more than two hosts, and the process continues until the infected hosts reach a critical mass, the point at which no further hosts can be found that are both vulnerable and not yet infected.

One of the factors which helps worms spread so quickly is the large number of identical environments. If every computer in an organization is running the same operating system on the same type of hardware, it's very likely that if one computer is vulnerable to a worm, all the computers in the organization are also vulnerable. Most worms will need to know the location of certain memory addresses to execute their malicious payload. Identical environments mean that a worm only has to know one set of memory offsets, lowering the time needed to write the worm and the time required to infect a host. A diversified environment, running different operating systems and architectures, can help slow a worm down or even prevent it from infecting some hosts.

An additional danger which is fairly recent is the proliferation of laptop computers. In the past it was understood, although still very dangerous, that if a worm could not penetrate a corporate firewall, the computers inside the network would be safe, even if unpatched. It is now possible for a laptop user to become infected at a remote site, attach the infected computer to the network, and infect computers behind a firewall. Once a worm has infected most of the computers on an internal network, it is likely it will use the corporate environment to begin attacking random computers attached to the Internet.

How Red Hat helps keep the worms at bay

While it is important to keep your computers updated, it is always possible a worm could appear before a vulnerability is publicly known and a patch is available. Many computers currently connected to the Internet would be susceptible to such a 0-day issue unless the vulnerable service was disabled or the machine was shut off. Red Hat® Enterprise Linux® and Fedora™ Core contain a number of technologies which can help mitigate the potential damage a worm can do. It is even possible that in some instances these technologies would completely stop a worm from infecting an unpatched system.

Buffer overflows are commonly regarded as some of the most dangerous and easiest to exploit security vulnerabilities. Most worms to date have leveraged buffer overflow issues to infect their targets. A publicly facing service that contains an unpatched buffer overflow vulnerability could act as an ideal transport mechanism for a worm. Red Hat Enterprise Linux and Fedora Core contain a technology known as ExecShield (refer to the articles What's new in security for Red Hat Enterprise Linux 4 and Limiting buffer overflows with ExecShield for additional information on ExecShield) which can help prevent most buffer overflows through its non-executable stack feature (NX). If a worm attempts to use a buffer overflow bug to infect a target host which has NX support, NX will catch the attempt and stop the running program. Even if the system in question does not support the NX extension, it is likely that segment limits will prevent most stack-based buffer overflow attacks. This does mean that the service in question may be vulnerable to a denial of service attack, but this is considerably better than being infected by a worm.

Double free issues are often just as serious as buffer overflows and could easily be exploited by a worm to spread. glibc now has the ability to determine when a portion of memory has already been freed once and will not allow it to be freed again. This provides additional protection which can help prevent a worm from spreading itself between vulnerable hosts. If a worm attempts to exploit such an unpatched service, the likely result is a denial of service condition.
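The two defect classes discussed above (the unbounded stack copy of a buffer overflow, and a double free) shown in C as an added example written for this article's readers, not code from the original page or from Red Hat. The first part places a request handler with the unchecked copy that worms exploit beside a bounded replacement that rejects oversized input instead of overflowing. The second part is a small free() wrapper that mimics the check glibc performs, refusing a second free of the same block. All function names and the slot tracker are assumptions made up for the example; glibc keeps the equivalent state in its own chunk headers and aborts the process rather than returning an error code.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* --- 1. Stack buffer overflow: the bug pattern and its hardened form --- */

/* Hypothetical request handler in the style of the services worms have
 * targeted: copies caller-controlled data into a fixed stack buffer with no
 * length check. Input of 64 bytes or more overruns buf and the saved state
 * beyond it. With NX (or ExecShield's segment limits) the jump into injected
 * data faults, so the outcome is a crash rather than an infection. */
int handle_request_unsafe(const char *req)
{
    char buf[64];
    strcpy(buf, req);                 /* unbounded copy: the vulnerability */
    return (int)strlen(buf);
}

/* Hardened form: check the length first and refuse anything that does not
 * fit, rather than silently truncating. Returns -1 on rejected input. */
int handle_request_safe(const char *req, size_t req_len)
{
    char buf[64];
    if (req_len >= sizeof buf)        /* leave room for the terminator */
        return -1;
    memcpy(buf, req, req_len);
    buf[req_len] = '\0';
    return (int)req_len;
}

/* --- 2. Double free: a guard modelled on glibc's check --- */

/* Constructed allocation tracker for this example: each block handed out is
 * recorded with its state, so a repeated free can be recognised. */
#define MAX_TRACKED 64
enum { SLOT_EMPTY = 0, SLOT_LIVE = 1, SLOT_FREED = 2 };
static struct { void *ptr; int state; } tracked[MAX_TRACKED];

void *guarded_malloc(size_t n)
{
    void *p = malloc(n);
    if (!p) return NULL;
    int slot = -1;
    for (int i = 0; i < MAX_TRACKED; i++) {
        /* malloc may hand back an address freed earlier; forget that record */
        if (tracked[i].state == SLOT_FREED && tracked[i].ptr == p)
            tracked[i].state = SLOT_EMPTY;
        if (slot < 0 && tracked[i].state != SLOT_LIVE)
            slot = i;
    }
    if (slot < 0) { free(p); return NULL; }   /* tracker full */
    tracked[slot].ptr = p;
    tracked[slot].state = SLOT_LIVE;
    return p;
}

/* Returns 0 on a normal free, -1 on a detected double free (the memory is
 * left untouched), -2 if the pointer never came from guarded_malloc. */
int guarded_free(void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tracked[i].state != SLOT_EMPTY && tracked[i].ptr == p) {
            if (tracked[i].state == SLOT_FREED)
                return -1;                    /* second free of the same block */
            free(p);
            tracked[i].state = SLOT_FREED;
            return 0;
        }
    }
    return -2;
}
```

The boundary case worth noting is the 63-byte request: handle_request_safe accepts it (63 bytes plus the terminator fill the buffer exactly) and rejects 64, which is precisely the length at which the unchecked version starts writing past the buffer.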

A goal of any organization should be to keep a diversified environment, one which contains a healthy mix of different operating systems and architectures. For a worm to spread, it will rely on knowing the locations of various things in memory. A worm can be slowed down or stopped in a diverse environment if various memory offsets differ between operating systems and architectures. One of the problems with a diverse environment is the need to keep a wide array of staff to properly maintain the diverse collection of hardware and software. A feature of ExecShield known as Position Independent Executables (PIE) can help add diversity in a homogeneous environment, making it appear very different from the viewpoint of a worm. A service built as a PIE will not have predictable memory offsets. This means that for a worm to properly exploit a buffer overflow, it will have to guess memory offsets or be very lucky. There is a finite number of addresses at which the various libraries can be loaded, so PIE doesn't guarantee that a worm can't infect a system, but it makes it extremely difficult.
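Whether a given binary was actually built with the two ExecShield properties relied on above, a non-executable stack (NX) and PIE, can be read from its ELF headers. The following is an added example, not code from the article or from Red Hat, that parses an ELF64 little-endian image and reports both: e_type is ET_DYN for a PIE (shared libraries are ET_DYN too, so run it on executables), and a PT_GNU_STACK program header without the PF_X flag marks the stack non-executable. build_sample_image constructs minimal header-only images so the checker can be exercised offline; check_elf_mitigations, the struct and the sample builder are names invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF constants used below, as defined by the ELF gABI / Linux elf.h. */
#define ELF_MAGIC    "\x7f""ELF"
#define ELFCLASS64   2
#define ELFDATA2LSB  1
#define ET_EXEC      2            /* fixed-address executable (not PIE) */
#define ET_DYN       3            /* shared object, or a PIE */
#define PT_LOAD      1
#define PT_GNU_STACK 0x6474e551u
#define PF_X         0x1u
#define EHDR_SIZE    64
#define PHDR_SIZE    56

enum { ELF_BAD = -1, ELF_OK = 0 };

struct mitigations {
    int pie;            /* 1 if e_type is ET_DYN */
    int has_gnu_stack;  /* 1 if a PT_GNU_STACK header is present */
    int nx_stack;       /* 1 if PT_GNU_STACK is present and lacks PF_X */
};

/* Little-endian field readers; no struct casts, so alignment never matters. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Inspect an in-memory ELF64 LE image. Returns ELF_BAD for anything that is
 * not such an image, or whose program header table lies outside the buffer. */
int check_elf_mitigations(const uint8_t *buf, size_t len, struct mitigations *out)
{
    if (len < EHDR_SIZE || memcmp(buf, ELF_MAGIC, 4) != 0) return ELF_BAD;
    if (buf[4] != ELFCLASS64 || buf[5] != ELFDATA2LSB) return ELF_BAD;

    uint16_t e_type    = rd16(buf + 16);
    uint64_t phoff     = rd64(buf + 32);
    uint16_t phentsize = rd16(buf + 54);
    uint16_t phnum     = rd16(buf + 56);

    if (e_type != ET_EXEC && e_type != ET_DYN) return ELF_BAD;   /* not a program */
    if (phentsize != PHDR_SIZE) return ELF_BAD;
    if (phoff > len || (uint64_t)phnum * PHDR_SIZE > len - phoff) return ELF_BAD;

    out->pie = (e_type == ET_DYN);
    out->has_gnu_stack = 0;
    out->nx_stack = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = buf + phoff + (size_t)i * PHDR_SIZE;
        if (rd32(ph) == PT_GNU_STACK) {          /* p_type at offset 0, p_flags at 4 */
            out->has_gnu_stack = 1;
            out->nx_stack = (rd32(ph + 4) & PF_X) == 0;
        }
    }
    return ELF_OK;
}

/* --- constructed sample images, so the checker can run without real binaries --- */
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Builds a header-only x86-64 image: one PT_LOAD plus an optional PT_GNU_STACK
 * carrying stack_flags. Returns the image size, or 0 if cap is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap, uint16_t e_type,
                          int with_gnu_stack, uint32_t stack_flags)
{
    size_t phnum = with_gnu_stack ? 2 : 1;
    size_t total = EHDR_SIZE + phnum * PHDR_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, ELF_MAGIC, 4);
    buf[4] = ELFCLASS64; buf[5] = ELFDATA2LSB; buf[6] = 1;    /* EV_CURRENT */
    wr16(buf + 16, e_type);
    wr16(buf + 18, 62);                                        /* EM_X86_64 */
    wr32(buf + 20, 1);                                         /* e_version */
    wr64(buf + 32, EHDR_SIZE);                                 /* e_phoff */
    wr16(buf + 52, EHDR_SIZE);
    wr16(buf + 54, PHDR_SIZE);
    wr16(buf + 56, (uint16_t)phnum);
    uint8_t *ph = buf + EHDR_SIZE;
    wr32(ph, PT_LOAD); wr32(ph + 4, 0x5);                      /* PF_R | PF_X */
    if (with_gnu_stack) {
        ph += PHDR_SIZE;
        wr32(ph, PT_GNU_STACK); wr32(ph + 4, stack_flags);
    }
    return total;
}

/* Stand-alone use: report on a binary named on the command line. */
int main(int argc, char **argv)
{
    static uint8_t img[1 << 20];   /* program headers sit at the start of the file */
    struct mitigations m;
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t n = fread(img, 1, sizeof img, f);
    fclose(f);
    if (check_elf_mitigations(img, n, &m) != ELF_OK) { fputs("not an ELF64 LE program\n", stderr); return 1; }
    printf("PIE: %s\nNX stack: %s%s\n", m.pie ? "yes" : "no", m.nx_stack ? "yes" : "no",
           m.has_gnu_stack ? "" : " (no PT_GNU_STACK header; the kernel default applies)");
    return 0;
}
```

A missing PT_GNU_STACK header is reported separately from an executable one, because in that case the outcome depends on the kernel's default rather than on anything the binary requested, and a fleet audit should treat it as "unknown" rather than "protected".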

In the event a worm can bypass all the previously mentioned technologies, it is possible that Security-Enhanced Linux, or SELinux, could prevent the worm from succeeding or severely reduce the potential damage that could be done. If a service is being protected by an SELinux policy, the resources available to it are restricted. It's very likely that a service will not be able to write files to useful locations on the local disk, which should help prevent the worm from surviving across system reboots. SELinux can also prevent a service from accessing various executable files and libraries on the disk; even resources such as network access can be protected by SELinux. It's likely that if a worm is able to execute itself within a service protected by SELinux, it will be severely crippled. Refer to the What's new in security for Red Hat Enterprise Linux 4 and Taking advantage of SELinux in Red Hat Enterprise Linux articles for more information on SELinux.

The best way to stay safe from a worm infection is to keep all computers updated with the latest vendor fixes. All of the modern computer worms have been created after a vendor fix for a security issue has been made available. The amount of time between issue discovery and worm creation has been shrinking, which means it's more important than ever to deploy patches quickly and efficiently. Red Hat Network is an ideal tool to understand which computers are vulnerable and deploy a fix to those computers. If an environment has thousands of computers, each of which must be manually updated, the window of safety before a worm emerges may close before all machines are updated. Red Hat Network allows system administrators to determine which machines are vulnerable to a particular issue and easily apply fixes to those machines. Precautionary technologies can help give an admin additional time to deploy a fix, but they are not a replacement for a security patch.

Conclusion

While Red Hat Enterprise Linux and Fedora Core provide a number of technologies to help mitigate the potential damage a worm could do, it is still very important to keep your system properly updated. The potential risk posed to a properly updated system is significantly less than that of a vulnerable system which is relying on technologies like ExecShield and SELinux to keep worms at bay. A missing security update represents a missing layer of security to help keep data safe and reliability stable. It is additionally important to know what is on your network. If you don't know about a certain system which is running, you may believe you are not vulnerable to a given worm, when in fact you are. It is believed that many of the perpetually unpatched systems attached to the Internet are unknown to the organizations hosting them.

It is equally important to understand that a firewall is not a reason to leave a machine unpatched. All it will take is one internal machine to become infected, and all unpatched machines are in serious jeopardy. This ties into the idea of keeping system administrators and users properly educated. If a user understands the threats of moving an unpatched system such as a laptop between networks, it may help prevent a potential disaster. Keeping system administrators properly educated means making sure they understand the fundamentals of secure network design and the importance of timely updates.

Even with proper technology, patching, and education, the best defense against a worm is vigilance. Knowing what security updates have come out recently is very important. After a serious security issue affecting an Internet-facing service is fixed, a worm is likely to appear a few weeks or months later. Knowing which worms are in the wild and knowing what to expect can help plan for things such as pending network attacks. Even if you have no systems which are vulnerable to a certain worm, it can hinder the reliability of systems and networks. Information security is a very turbulent and changing landscape that can easily catch unsuspecting victims and cause a great deal of trouble.

About the author

Josh Bressers is a member of the Red Hat Security response team. He has been involved in information security for many years and has been a Linux enthusiast and user for even longer.