By Kelly Jackson Higgins
Oct. 1, 2005
Senior scientist at the International Computer Science Institute,
University of California-Berkeley, and staff scientist at Lawrence
Berkeley National Laboratory
Paxson, one of the industry's foremost worm experts, developed the
open-source intrusion-detection tool Bro and has conducted studies on
the genesis and propagation of worms and other malware. He was
recently named to the advisory board of start-up ConSentry Networks,
which has developed a next-generation, hardware-based IDS.
How did you become a renowned 'wormologist'?
In part, it was luck. When Code Red came out in 2001, it was
fascinating to observe it from the Bro tool, and [the International
Computer Science Institute] had forensic logs from it at Lawrence
Berkeley National Laboratory. We knew every single probe from the
worm, and that allowed me to study its progress. We got Code Red 2
just a couple of weeks later, and then Nimda six weeks later, and it
was fascinating seeing all the worms interacting. We had this very
rich data ... including an estimate of the total size of the worm,
with upward of 300,000 infected [machines].
How have worms evolved since the first one, written in 1988 by Robert
It's easier to create them now because there are more toolkits. But
the evolution of worms has been surprisingly slow. Slammer in 2003 was
different, though--the entire worm fit into a single packet and was
connectionless, so it could go fast. It wasn't anything anyone had
Aside from its historical precedent, what was so special about the
That worm was brilliantly built and remains the best-designed one
ever. It had multiple modes, which we later saw with Nimda are very
effective. And it had topological scanning ... It went through the
information on the locally infected machine to try to find other
machines. The Morris worm also came with its own built-in password
Where do worms go from here?
A big threat is the commercialization of malware. The lay of the land
is changing, from the equivalent of vandals doing their work to people
who will commoditize malware and use it to make money. The rise of
this commercially motivated attacker is very disturbing, and
inevitable. There's a paper in the research world that talks about how
you can specialize in just doing the worm technology without being
involved in the exploitation of it.
There's going to be some sort of black market where criminals hook up
with people with worm access. Also on [the horizon] are blended
threats, where a malware writer puts together viruses and botnets and
uses a botnet to propagate the keylogger that then feeds into your
encrypted point-to-point network and extracts all the goodies.
Are there worms against which we can't defend?
We published a paper for DARPA [Defense Advanced Research Projects
Agency] on the worst-case scenario of a worm. We sketched how it's not
implausible that a worm could get 10 million to 15 million desktops in
a day. But we could not resolve the question of how much damage this
type of worm would really inflict. Still, we're racing against the
clock. If I see tomorrow that some huge worm has hit, it won't
What scares you most about worms?
The worms that don't randomly scan--topological worms, which get their
target information separate from scanning. And detection-scanning
worms--in particular, the ones that can go after Windows or Cisco
vulnerabilities. The recent brouhaha over executable code on Cisco
routers gave a lot of people pause. If we had a Cisco exploit, it
could really do damage. Also in the back of my mind is cyberwarfare.
You'd be a fool if you were in the modern military and not planning
for cyberattacks and working on defenses to it.
What about viruses?
Viruses seem like old news today because there's still a huge class of
them that don't show much innovation. They're just variants. But I
would expect viruses to be a key part of blended attacks, where a
virus would be used to cross a firewall, for example.
What's the danger of going overboard with security?
There's going to be a huge struggle over control of the Internet,
which is driven by concerns about security, intellectual property and
politics. This could unfold in a lot of ways that wouldn't be pretty.
The key question is, can we have an architecture so we get security
control without losing the infrastructure and its real power?
Regulating that traffic must terminate at a proxy that must be able to
see your traffic in clear text to see if the text is allowable, for
instance. Now you've created an incredible point of control that has
obvious uses for going after criminals, but it also [breeds] political
repression and commercial gain, good or bad.
There's a new National Science Foundation initiative to rethink
Internet architectural notions. [The International Computer Science
Institute] and other institutions are thinking about how to get funded
to look at new security architectures that provide these controls that
are needed, but in a way that doesn't throw out the baby with the