Old Threats Never Die
Posted by Gunter Ollmann on August 19, 2007 at 10:51 PM EDT.

What kind of answer do you give if someone asks you “how long did it take before the slammer worm ceased to be a threat?”

Slammer kicked off in the morning of January 24th, 2003, and within its first 10 minutes of propagation had managed to compromise an estimated 75,000 hosts running Microsoft’s SQL Server engine.  To most security professionals, it’s “the worm that could – and did”.

So, when did it cease to be a threat? … a week later? … a month later?

Actually, you’ll probably be surprised to hear that Slammer is still the most commonly encountered network threat observed by IBM ISS’ Managed Security Services.  In fact (depending upon which statistics you choose to use), there are probably more hosts compromised by Slammer today than there were when everyone thought the Internet had gone into meltdown mode way back in 2003.

Eradicated or Extinct?

Internet security vulnerabilities aren’t like other kinds of threats.  You can’t just arrest the villains that posed the threat and, having thrown them in jail, expect the threat to have passed (or be “solved” if you prefer).  What we find instead is that each new vulnerability follows a repetitive lifecycle – transitioning from “disclosed”, to “existing”, to “fixed” and finally on to “eradicated”.  The problem though is that “eradicated” isn’t precisely the same as “extinct”, let alone “permanently erased from the annals of Internet history”.  And, more pointedly, these old vulnerabilities keep on cropping up – continuously reaping a trail of new victims.

In my new whitepaper “Old Threats Never Die”, I dive into the vulnerability lifecycle and take a closer look at the consequences of a non-zero “eradicated” threat model – in particular, what this means for today’s protection technologies and how organizations need to evolve their defenses.

You see, today’s Internet security requirements are quite a bit different from a decade ago – in fact they’re quite different from the Internet of only a couple of years ago.  Organizations not only have to protect against today’s threats and preempt tomorrow’s, but they also have to protect against just about every threat since the birth of the Internet – something that most organizations (and security vendors) would rather forget about.

Depreciating Protection

A lot of the protection systems developed for past threats were great at the time, but can’t really keep pace nowadays.  For example, antivirus systems can handle tens of thousands of new signatures without blinking, but after a few hundred thousand they begin to struggle a bit.  Now, with several hundred thousand new virus strains each year (and increasing faster than Moore’s Law), things are getting pretty creaky.  One solution has been to get rid of signatures for old viruses to make way for the new.  To some degree, this is easy to justify – but what about other protection systems such as IDS or IPS?
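The retention question above comes down to how a detection engine decides which signatures to drop. The following is an added illustration, not code from the whitepaper or from any IBM ISS product: it compares pruning signatures by disclosure age against pruning them by field telemetry (how often each signature has actually fired), and shows that an age-based cut silently loses coverage for an old worm that is still circulating. Every signature name, byte pattern, packet and hit count is a constructed placeholder.

```python
"""Added illustration (not from the whitepaper): two signature-retention
policies for a detection engine, run over a constructed traffic sample.
All signatures, patterns, packets and telemetry are placeholders."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Signature:
    name: str
    disclosed_year: int   # year the underlying vulnerability was disclosed
    pattern: bytes        # constructed byte pattern, not a real IDS signature


def prune_by_age(sigs: Iterable[Signature], current_year: int, max_age: int) -> List[Signature]:
    """Age-based policy: keep only signatures disclosed within max_age years."""
    return [s for s in sigs if current_year - s.disclosed_year <= max_age]


def prune_by_telemetry(sigs: Iterable[Signature], hits: Dict[str, int], min_hits: int) -> List[Signature]:
    """Telemetry-based policy: keep signatures still firing in the field,
    regardless of how old the vulnerability is."""
    return [s for s in sigs if hits.get(s.name, 0) >= min_hits]


def detect(sigs: Iterable[Signature], packets: Iterable[bytes]) -> List[str]:
    """Return the sorted names of signatures that fire on the traffic sample."""
    sigs = list(sigs)
    fired = set()
    for payload in packets:
        for s in sigs:
            if s.pattern in payload:
                fired.add(s.name)
    return sorted(fired)


# Constructed signature set: an old worm, an old exploit, a current exploit.
SIGNATURES = [
    Signature("worm-2003-a", 2003, b"OLD-WORM-A"),
    Signature("exploit-2004-b", 2004, b"OLD-EXPLOIT-B"),
    Signature("exploit-2007-c", 2007, b"NEW-EXPLOIT-C"),
]

# Constructed traffic sample: the 2003 worm is still the noisiest thing seen.
TRAFFIC = [
    b"\x04\x01\x01\x01" + b"OLD-WORM-A" + b"\x90" * 8,
    b"\x04\x01\x01\x01" + b"OLD-WORM-A" + b"\x90" * 8,
    b"GET / HTTP/1.0\r\n",
    b"NEW-EXPLOIT-C\x00\x00",
]

# Constructed field telemetry: hits per signature over the last reporting period.
HITS = {"worm-2003-a": 1200, "exploit-2004-b": 0, "exploit-2007-c": 45}


def coverage_report(current_year: int = 2007, max_age: int = 3, min_hits: int = 1) -> Dict[str, List[str]]:
    """Compare what each retention policy still detects against the full set."""
    full = detect(SIGNATURES, TRAFFIC)
    age_pruned = detect(prune_by_age(SIGNATURES, current_year, max_age), TRAFFIC)
    telemetry_pruned = detect(prune_by_telemetry(SIGNATURES, HITS, min_hits), TRAFFIC)
    return {
        "full": full,
        "age_pruned": age_pruned,
        "telemetry_pruned": telemetry_pruned,
        "missed_by_age": sorted(set(full) - set(age_pruned)),
        "missed_by_telemetry": sorted(set(full) - set(telemetry_pruned)),
    }


if __name__ == "__main__":
    for policy, names in coverage_report().items():
        print(f"{policy:20s} {names}")
```

The age-based policy keeps the idle 2004 signature but drops the 2003 worm signature that is still firing on the wire; the telemetry-based policy keeps exactly the signatures that earn their place. In practice the hit counts would come from the sensor fleet rather than a hard-coded dictionary, and the point generalizes: when a signature store must shrink, prune on observed activity, not on the vulnerability's age.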

The increased adoption and placement of off-the-shelf operating systems into just about every electronic device imaginable has meant that old operating systems (and their applications) have much longer service lives than ever before – in fact, just the other day I was amused to watch an ATM at the local mall cycle continuously through a Windows 95 blue screen of death.

Have a think – when was the last time someone applied the latest security patches to that big multi-function printer down the hall from your office, or updated the firmware on your home wireless router?

At the same time, with increased bandwidth to the home and dirt-cheap fly-by-night ISP hosting, we’ve seen attackers merely append the latest exploit to their existing attack systems rather than focus on a single vector.  After all, it costs the attacker absolutely nothing to do it this way.  The consequence for all of us is that old exploits (and the threats they represent) will never disappear – and there continues to be a steady supply of hosts vulnerable to flaws for which patches have existed for half a decade.

And then, even when you think you’re 100 percent on top of your patching cycles, a developer migrates old code (or reinvents the wheel) and an old vulnerability lovingly reappears after a decade of slumber.

For more info on this topic, you can read my new whitepaper on "Old Threats Never Die".

Copyright 2001-2007 © Gunter Ollmann