
Information Security: Staying Ahead of the "Smart" Worms


October 2003

[Illustration: artist's conception of smart worms]

The world is getting "smart" in a hurry. What with smart food, smart bombs, smart cars, and smart phones in the news, it shouldn't surprise anyone to hear that "smart worms" are on their way. Dan Ellis, an engineer in MITRE's Secure Distributed Computing group, says they're a lot closer than we think. To Ellis, contemporary computer worms are rather tame critters compared with his expectations for the smart worms of the future.

Tame worms are those teeny 100-kilobyte packets of highly virulent data with names like Code Red or Slammer. They menace network hosts at millions of cycles per second and are capable of infecting a half million computers in a matter of hours or minutes. That's kids' stuff for smart worms. A smart worm will not only wreak havoc with your computer, but once inside could take your freshly deposited paycheck and wing it offshore to a secret account in Bermuda.

In the hands of cyber adversaries this extra oomph in worm smarts could be catastrophic. "Contemporary worms," says Ellis, "acquire the potential of a vast computational environment but fail to leverage it." Smart worms are smarter than that. When a smart worm infects a host, it will provide an execution environment for future actions. For instance, a future scenario might go something like this: after breaching a few thousand computers, the smart worm continues its exploitation by getting all of the previously infected hosts to act in concert, like sending out millions of e-mails to the Internal Revenue Service, bringing all electronic tax returns to a standstill. For the more than 40 million taxpayers who e-file annually, that's a gruesome scenario. And for the Department of the Treasury, it's a billion-dollar nightmare. As worms get "smarter," the consequences get larger.

MITRE's research program allows scientists such as Ellis to look into the future and come up with solutions before they are actually required. Ellis says about the smart worms, "We need to get used to such threats because that's exactly where hackers are headed." His work focuses on malicious code—computer viruses, worms, and denials of service—malcode in industry jargon. His MITRE-sponsored research project, "Next-Generation Information Attack Strategies," is designed to help understand the perilous world of computer attacks so that countermeasures for defense can be developed and evaluated.

Ellis likens the work of a hacker to that of a nefarious video game developer. A hacker creates the game, the players, the rules, and the game strategy—then sets the game loose on the worldwide network. Ellis' mission is to understand hackers' tactics, methods, and motives, and then to devise a counterstrategy and protective defense. To date, he readily admits there's no perfect defense—no two attacks are the same. But, he sees near-term opportunities for discovering and building novel defenses that will be highly effective.



WHAT IS A WORM?

A worm is a self-propagating program that knows how to spread to other hosts over networks. A virus is a file that knows how to infect other files. Whereas a virus passively lingers inside a computer waiting for an opportunity to copy itself to another file and then for that file to be transferred to another machine to begin the infection anew, a worm actively seeks out other machines that it can infect—generally through security holes in server software. A worm scans a network for servers running a vulnerable server program and gains control of that server, installs itself on the new server, and then continues from that server to the next.

The difference then is that a virus propagates to new files—which may or may not be copied to new computers—and a worm propagates to new computers on a network over network connections. Some worms are unimodal, meaning that they have a single trick to exploit their way into a host; others are multimodal, with two or more ways to exploit a target host. A smart worm can be either unimodal or multimodal to gain entry, then once inside it can deploy arbitrary payloads that do the worm's bidding.

A Denial of Service attack is an attack that exhausts the finite resources of computing machines, preventing them from using their resources to do meaningful work. Contemporary examples exploit vulnerabilities in networking protocols (e.g., TCP/IP) and application servers with the intention of disabling a device, network, or service so that it can no longer be used.

The challenge for Ellis and his team is to think "out of the network." Consider the spread of the Sapphire or Slammer worm. David Moore at the University of California Berkeley says that "it was the fastest spreading computer worm in history." It doubled in size every 8.5 seconds and infected more than 90 percent of vulnerable hosts within 10 minutes. It caused cancellations of airline flights, interference with elections, and ATM failures. The villainous Code Red I and II worms knocked out more than 500,000 machines on the Internet. Even more devious are picky worms that choose a specific target with a specific real-world objective in mind. They could cause chaos by compromising a relatively small number of computers—if they can find the right computers to compromise. Attacks on an enterprise can be measured in seconds—30 seconds is not at all unrealistic for a well-written worm targeted against a mid-sized organization.

For future scenarios, Ellis feels we need an approach more aggressive than the current approach to countering worm attacks, that is, vulnerability analysis (the rigorous examination of host computers to identify weaknesses), which is strictly a preventative measure. Ellis wants to be able to detect and react to the threat from an adversary in real time, which is the focus of his new MITRE-sponsored research project, "Active Worm Detection and Response." His objective is to develop a modeling and simulation capability to better understand the nature of the threats and evaluate the effects of various attack and defense strategies. The historical logic here is inescapable: often in warfare defenses are totally unprepared and surprised by the next new weapon that comes along—the cannon and the machine gun are good examples. Vulnerability analysis has come up short in this area. Ellis cuts in a different direction. He advocates: know your enemy.
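As an added example that is not part of the article or of Ellis' project, here is a small deterministic model of a random-scanning worm of the kind the Slammer figures above describe, and of the detect-and-respond loop this paragraph calls for. The vulnerable population, per-host scan rate and 32-bit address space are constructed assumptions chosen so that the early doubling time comes out at about 8.5 seconds; the simulation then shows how much of the population is already infected by the time an alert raised at 1% prevalence turns into a response after a given delay.

```python
# Added example (not from the MITRE article): a deterministic model of a
# random-scanning worm, used to show why response must happen in seconds.
import math

# Constructed parameters: vulnerable population, per-host scan rate and a
# 32-bit address space are assumptions chosen so the early doubling time is
# about 8.5 seconds, the figure quoted for Slammer in the article.
N_VULNERABLE = 75_000
SCAN_RATE = 4_670          # probes per second from each infected host
ADDRESS_SPACE = 2 ** 32

def growth_rate(n=N_VULNERABLE, s=SCAN_RATE, a=ADDRESS_SPACE):
    """Early exponential rate r of dI/dt = s*I*(n-I)/a, i.e. r = s*n/a."""
    return s * n / a

def doubling_time(**kw):
    """Seconds for the infected population to double while it is still small."""
    return math.log(2) / growth_rate(**kw)

def time_to_fraction(f, i0=1, n=N_VULNERABLE, **kw):
    """Closed-form logistic solution: seconds until fraction f of n is infected."""
    r = growth_rate(n=n, **kw)
    return math.log((n / i0 - 1) * f / (1 - f)) / r

def simulate(detect_fraction, response_delay, block=True, t_max=600.0, dt=0.1,
             n=N_VULNERABLE, s=SCAN_RATE, a=ADDRESS_SPACE):
    """Euler-integrate the infection curve starting from one infected host.
    When prevalence reaches detect_fraction an alert is raised; response_delay
    seconds later the response (if block=True) stops all further propagation.
    Returns (t_alert, t_response, infected_hosts_at_end)."""
    infected, t, t_alert, t_resp = 1.0, 0.0, None, None
    while t < t_max:
        if t_alert is None and infected / n >= detect_fraction:
            t_alert = t
        if t_alert is not None and t_resp is None and t >= t_alert + response_delay:
            t_resp = t
        if not (block and t_resp is not None):
            infected += dt * s * infected * (n - infected) / a
        t += dt
    return t_alert, t_resp, infected

if __name__ == "__main__":
    print(f"doubling time {doubling_time():.1f}s, 90% infected at {time_to_fraction(0.9):.0f}s")
    for delay in (0, 10, 30, 60):
        t_alert, t_resp, hosts = simulate(0.01, delay)
        print(f"alert at {t_alert:.0f}s, response {delay}s later -> "
              f"{hosts / N_VULNERABLE:.0%} of vulnerable hosts infected")
```

With these assumptions the whole vulnerable population is 90% infected in under three minutes, and a response that lands 30 seconds after the 1% alert already finds roughly a tenth of the population compromised.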

His approach is much akin to human science and the body's own defense mechanisms against viral incursions—or immunology. For example, say a human cell expects to regularly receive a certain familiar protein, but, as the protein nears the cell, the immune system suddenly detects something unfamiliar in that protein's chemical signature. Immediately, an immune defense springs into action and destroys the intruder. An analogous digital immune system would respond similarly. For computers, unusual digital traffic also displays a detectable digital signature. This "exceptional system behavior," as Ellis calls it, can be recognized and destroyed at its point of entry into the potential host computer. "Once an alert has been raised," he explains, "system administrators can propagate that alert appropriately and take the correct preventative measures." His research is currently focused on modeling attack scenarios and defining appropriate countermeasures, which will give Ellis a tool with which to test his concept.

While fully developing such a signature-sniffing capability is innovative and intriguing, it's also very expensive. Implementing sensor arrays that can see and readily monitor the signatures of all incoming digital packets is an extensive and costly undertaking. On the other hand, to delay the hunt for a smart worm "buster" may be costly in many ways beyond the financial. In addition, Ellis feels certain that as worm-signature research matures, complexity and cost may be mitigated.

The potential application of Ellis' work for our sponsors is wide and varied, and could benefit organizations from the Department of Homeland Security to the military to the Internal Revenue Service. Although smart worms are not here yet, Ellis can sense their approach—and hopes to be ready with a less than cordial welcome.

—by Tom Green

Page last updated: February 16, 2004