IPv6 Will Make It Hard For Worms To Propagate. On Abilene.
Thomas Ptacek | February 10th, 2006 | Filed Under: Bitching About Protocols, Malware, New Findings
From Schneier (his summary: “Nice”), this paper, an analysis of how worms can spread even given sparse IPv6 addressing (the address space is so large that it suppresses brute-force scanning). The Cliff’s Notes:
- Worms will use Neighbor Discovery (ARP)
- or they’ll use routing protocols
- or they’ll scan using the embedded MAC address in the IPv6 address
- or or or multicast!
- and don’t forget zone transfers
- and sniffing!
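The third item above, scanning via the MAC address embedded in the IPv6 address, is the one a defender can check for directly. SLAAC addresses built the RFC 4291 way split the 48-bit MAC, insert `ff:fe` in the middle and flip the universal/local bit, so the 64-bit interface identifier carries the vendor OUI and collapses the part a scanner must guess to 24 bits. The following is an added example (not code from the post or from the Bellovin paper) that audits a constructed list of addresses, recovers the MAC where an EUI-64 identifier is present, and reports how much of the identifier space the address actually leaves to a brute-force scanner. Hosts it flags are candidates for RFC 4941 temporary addresses or RFC 7217 stable opaque identifiers.

```python
import ipaddress
from typing import Optional

# Constructed sample inventory (not from the post): one SLAAC address built
# from a MAC (modified EUI-64), one randomised (RFC 4941-style) address, and
# one hand-assigned low-numbered address.
SAMPLE_ADDRESSES = [
    "fe80::211:22ff:fe33:4455",
    "2001:db8:1::1a2b:3c4d:5e6f:7a8b",
    "2001:db8:1::53",
]


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC encoded in a modified-EUI-64 interface identifier, or None.

    RFC 4291 forms the 64-bit IID as MAC[0:3] || ff:fe || MAC[3:6] with the
    universal/local bit (0x02 of the first octet) inverted; this reverses it.
    An 'ff:fe' in that position on a non-EUI-64 address is a false positive,
    so treat a hit as a hint to confirm against the host's real MAC.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits = interface id
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the u/l bit flip
    return ":".join(f"{b:02x}" for b in mac)


def iid_search_space(addr: str) -> int:
    """Interface identifiers a scanner must cover for hosts like this one,
    judging only from the address's own structure.

    A random IID leaves the full 2**64. An EUI-64 IID whose vendor OUI is
    known leaves only the 24-bit device part of the MAC. (Low-numbered
    static addresses such as ::53 are a separate guessable pattern that this
    check deliberately does not score.)
    """
    return 2 ** 24 if embedded_mac(addr) else 2 ** 64


def audit(addresses):
    """Return (address, mac_or_None, search_space) triples for review."""
    return [(a, embedded_mac(a), iid_search_space(a)) for a in addresses]


if __name__ == "__main__":
    for addr, mac, space in audit(SAMPLE_ADDRESSES):
        flag = f"EUI-64, MAC {mac}" if mac else "opaque IID"
        print(f"{addr:36} {flag:32} scan space 2^{space.bit_length() - 1}")
```

Run it against an address inventory pulled from DHCPv6 leases or neighbour tables; any line flagged EUI-64 is a host still using the MAC-derived identifier rather than privacy or stable-opaque addressing.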
I don’t mean to be glib. It’s a good paper. I am not as smart as Bellovin. But this is not my perception of what the state of the art in worm design is. Two high-level comments:
- The trend in “smart” worms — and a worm that sniffed or tapped routing protocols to locate prey qualifies as “smart” relative to Witty — will be towards “topology awareness”, a dumb word for worms that take advantage of IM Buddy Lists or trust relationships. This has been extremely effective for mail viruses. These worms rely on application layer location services, not raw addresses. The long and the short of it: building an OSPF adjacency seems like a lot of effort to go through in a programming environment that involves assembly instructions written in hexadecimal with no NUL bytes. Hyperbole, I know, but the sentiment is valid.
- Worms use random probing not just to locate targets, but to locate targets without competing with other instances of the same worm. This is what enables them to spread quickly without using explicit coordination. Look at it this way: simply by observing biases from random number generation seeding, Paxson’s team was able to make a credible claim at identifying “patient zero” for Witty. What does “seeding” based on zone transfers and routing tables do to this? Worms spread by mass probing, generating orders of magnitude more candidates than would be obtained even from a dump of a flat OSPF network. Won’t the worms just stomp all over each other? Not to mention the fact that the overwhelming majority of infected hosts to date have not run routing protocols.
The Ptacekometer Reading for IPv6 Worm Propagation: we’ll never have IPv6 anyways so it’s somewhat irrelevant, and studying how to randomly scan a 128-bit address space IS an interesting problem, but relying on OS artifacts to get around the size of the address space seems like cheating.
The real reason I’m writing about this, though, is to ask Peter Lindstrom a question:
The sole purpose of this paper is to educate people on how to write better malware. Not close vulnerabilities, mind you, because it doesn’t document any closeable vulnerabilities. It just tells worm authors how to write more virulent worms.
Your response?
PS: IPv6 does not make multicast any less untenable.