Since the inception of computing, new trends in technology have emerged, with newer and increasingly sophisticated solutions announced every day. Undeniably, digitalization has embraced present civilization, with incessant reliance on computing for the purpose of efficiency and accuracy in various operations. Coupled with the impacts of globalization, which have eased the exchange of information across the globe, the world has evolved into a wholly information-reliant setup. However, just like other common endeavors, the information era has witnessed an enormous increase in insecurity within its tenements. Evidently, the interconnected computing community across the globe has afforded an avenue for extensive security infringements.
Reports of worm attacks continue to emerge, with various groups claiming responsibility, while some infringements go unnoticed but for their later consequences. This paper focuses on recent trends of insecurity within the fields of computing. It studies two cases of extensive worm attacks across the globe. The write-up provides an exploratory study of potential causes of the infringements as well as suggestions of future considerations to constrain such attacks. The cases of the SQL Slammer and Stuxnet worms are considered. It proposes that the worm attack is a threat to computer security that must be eliminated.
A Brief about Computer Security
According to Gollmann (2011), computer security can be described as a process which aims at preventing and detecting any unauthorized use of computers by an organization or an individual. With increasing Internet-related problems, new measures are being discovered in this field to help in preventing and detecting these crimes. Today, a number of computer-related frauds continue to pose security threats to many organizations. Gollmann (2011) noted that although computers and other related technologies have benefited various economic factors, computer insecurity has threatened various sectors. Numerous scholars have, therefore, pointed out that computer forensic investigation is the most reliable solution in curbing such fraud activities. One such real security issue in today’s society that must be eliminated is the worm attack.
The SQL Slammer Worm
According to Travis, Ripley & Wallace (2003), the SQL Server worm was released from a hitherto unknown location into the mainstream global computer interconnections on 25 January 2003. Various analysts agree that its exact time of release was around 12:30 EST. Taking the shape of a 376-byte UDP (User Datagram Protocol) datagram, the worm targeted machines running certain versions of Microsoft’s SQL Server application. It equally propagated into various Microsoft products and third-party vendor applications that incorporated the SQL Server components (Travis, Ripley & Wallace, 2003). Reportedly, the worm propagated by replicating itself to machines addressed under the 32-bit IPv4 addressing scheme. Travis, Ripley & Wallace (2003) suggest that the key property of the worm was its capacity to replicate extensively within a small span of time, reaching global levels within minutes of its release.
Deshpande, Thottan & Sikdar (2003) suggest that only a few minutes after its launch, a global array of over 120,000 machines was under its effect. This established an infected data outlay of over one terabit per second, propagating the worm to over 90% of the global internetworked computers. Noticeably, at its peak, the worm caused an approximated 15% outage in the Internet infrastructural capacity. These outages emanated from subsequent overloads as well as substantial hardware malfunctions. Given these estimates, a quick response was inevitable to restore the desired efficiency and availability. In his analysis of recent worm incidents, Sharma (2011) suggests that a swift response to the predicament witnessed a recovery of the lost capacity to approximately 98% accessibility. Reportedly, through the observation of its exposure via port 1433, various Internet providers resorted to a complete blockage of ports 1433 and 1434. Sharma (2011) suggests that this was implemented through the institution of blockages at both institutional and associational borders as well as the direct physical disconnection of suspected hosts running SQL servers. Observably, these early steps barred a considerable replication that would have culminated in a complete blockage of the global interconnections.
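The port blockage described above is a coarse control; a finer one is to watch the traffic itself. The following program is an added example and not part of the paper or of any tool it cites. It runs a simple detection rule over constructed flow records: a UDP datagram to port 1434 of exactly 376 bytes (the size the paper reports) matches the Slammer signature, and a source that sends such datagrams to several distinct destinations is flagged as a propagating host rather than a host doing a single lookup. The record format, the sample addresses and the alert threshold are assumptions made for the example.

```c
/* Added example (not from the paper): flag Slammer-like UDP traffic in
 * constructed flow records. The record layout and the threshold are
 * assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SLAMMER_PORT   1434   /* UDP port named in the paper's mitigation */
#define SLAMMER_LEN    376    /* datagram size reported in the paper */
#define SCAN_THRESHOLD 3      /* distinct targets before alerting (assumption) */

typedef struct {
    const char *proto;   /* "udp" or "tcp" */
    const char *src;     /* source address */
    const char *dst;     /* destination address */
    uint16_t    dport;   /* destination port */
    uint32_t    len;     /* payload length in bytes */
} Flow;

/* Constructed sample records; not captured traffic. */
static const Flow SAMPLE[] = {
    {"udp", "10.0.0.5",  "192.0.2.1",    1434, 376},
    {"udp", "10.0.0.5",  "192.0.2.77",   1434, 376},
    {"udp", "10.0.0.5",  "198.51.100.9", 1434, 376},
    {"udp", "10.0.0.5",  "203.0.113.4",  1434, 376},
    {"tcp", "10.0.0.8",  "192.0.2.1",    1433, 1200},  /* ordinary SQL session */
    {"udp", "10.0.0.9",  "192.0.2.1",    1434, 40},    /* small, benign lookup */
    {"udp", "10.0.0.12", "192.0.2.53",   53,   376},   /* same size, DNS: no hit */
};
#define N_SAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Does one record match the Slammer datagram signature? */
int is_slammer_like(const Flow *f) {
    return strcmp(f->proto, "udp") == 0
        && f->dport == SLAMMER_PORT
        && f->len == SLAMMER_LEN;
}

/* Count distinct destinations that `src` hit with signature-matching datagrams. */
int distinct_targets(const Flow *flows, size_t n, const char *src) {
    const char *seen[64];
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_slammer_like(&flows[i]) || strcmp(flows[i].src, src) != 0)
            continue;
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(seen[j], flows[i].dst) == 0) { dup = 1; break; }
        if (!dup && count < 64)
            seen[count++] = flows[i].dst;
    }
    return count;
}

/* A source spraying the signature at many hosts behaves like a replicating
 * worm; a single matching datagram on its own does not raise an alert. */
int is_scanning_source(const Flow *flows, size_t n, const char *src) {
    return distinct_targets(flows, n, src) >= SCAN_THRESHOLD;
}

int main(void) {
    const char *sources[] = {"10.0.0.5", "10.0.0.8", "10.0.0.9", "10.0.0.12"};
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++) {
        int n = distinct_targets(SAMPLE, N_SAMPLE, sources[i]);
        printf("%-10s slammer-like targets=%d %s\n", sources[i], n,
               is_scanning_source(SAMPLE, N_SAMPLE, sources[i]) ? "ALERT" : "ok");
    }
    return 0;
}
```

Matching on size and port alone would also flag a legitimate resolution request of the same length, which is why the rule only alerts once a source has touched several distinct hosts; in practice the threshold would be tuned to the network's normal fan-out.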
The reported 15% blockage prompted other consequences in addition to multiple effects discovered days after the containment of the incident. Joukov & Chiueh (2009) suggest that the 2003 SQL Slammer incident had a severe impact on router control planes. From theoretical models, it is understood that the basic high-speed router construct incorporates a data plane, where the routing information is held, and a control plane that is vital for router-to-router exchanges. In the functioning of the two planes, the transfer of information from the data plane to other sections is a direct procedure with minimal participation of the router control sections.
Joukov & Chiueh (2009) suggest that in normal operating conditions, the router construct is such that data entering the control sections is treated with suspicion. Furthermore, owing to the scarce resources that are typical of the router construct, the separation of data transfer and monitoring ensures limited incidences of malicious attacks. Nonetheless, the SQL Slammer managed to overcrowd the router control plane, culminating in an absolute failure. Similarly, its ability to target varied IP addresses, including the multicast address reserves, contributed to its multiplication.
Mitigation and Future Recommendations
Hedges (2006) observes that the simplicity of the SQL Slammer was its most worrying aspect. Noticeably, its capacity to replicate itself incessantly through the computer interconnections at unimaginable rates, which almost immediately blocked the global interconnections, was its greatest threat. While numerous individuals readily pointed at potential weaknesses in Microsoft’s SQL Server application, it is evident that the software had no special weakness that made it a propagating avenue. Similarly, sections of IT professionals readily singled out the closed approach incorporated by Microsoft in its frameworks as a potential source of weakness. They argued that such a closed approach limited extensive trials and subsequent testing and improvement by users, thus making it susceptible to potential threats. While there is observable truth in these assertions, specialists such as Joukov & Chiueh (2009) suggest that the application’s only weakness was its vulnerability to buffer overruns. Reportedly, this vulnerability was evident in numerous other applications from dissimilar sources, such as vendors, academic spheres, research associations, and many other associated organizations. From this perspective, it was impractical to lay the blame wholly on Microsoft; rather, the evident weakness had to be corrected.
Thottan & Sikdar (2003) suggest that the issue of buffer overflow had existed for decades prior to the SQL Slammer incident. Allegedly, the first incident occurred in the 1988 worm attack, which was in countless ways similar to the SQL Slammer incident. Evidently, with the prominence of Microsoft products, coupled with vendor designs that readily incorporated the apparent faults, it is imperative that all stakeholders in the interconnected systems play their respective parts in restraining the suspected fault. Sharma (2011) suggests that the buffer overflow issue remains a considerable source of threat in the present hugely sophisticated systems and applications. However, he suggests that the entrenchment of the weakness is the result of dismal proactive roles by numerous vendors. Additionally, in the aftermath of the incident, it was apparent that Microsoft’s interconnections had experienced some serious disturbances from the incident. This showed laxity in correcting the evidently well-known faults. From these revelations, I suggest that continued cooperation among the varied stakeholders would increasingly aid in the absolute elimination of such faults.
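The buffer overrun the two preceding paragraphs refer to is, at the code level, a copy into a fixed-size buffer that trusts a length the sender controls. The program below is an added example, not code from the paper or from any product it discusses: it places the unchecked pattern beside a hardened version that bounds the copy by the buffer the code actually owns and rejects anything larger. The 128-byte request buffer, the `Request` type and the handler names are assumptions made for the example; the 376-byte test datagram is the size the paper reports for the Slammer packet.

```c
/* Added example (not from the paper): an unchecked datagram copy beside a
 * bounds-checked one. Buffer size, type and function names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REQ_BUF 128   /* fixed request buffer; illustrative size */

typedef struct {
    char   data[REQ_BUF];
    size_t len;
} Request;

/* Unsafe pattern: the copy length comes straight from the network. A
 * datagram longer than REQ_BUF writes past `data`, which is the defect class
 * the paper calls a buffer overrun. Shown for contrast only; it is never
 * called with untrusted input in this example. */
void parse_request_unchecked(Request *r, const unsigned char *pkt, size_t pkt_len) {
    memcpy(r->data, pkt, pkt_len);
    r->len = pkt_len;
}

/* Hardened: validate the length against the buffer the code owns before
 * copying, and report the rejection rather than silently truncating.
 * Returns 0 on success, -1 if the datagram does not fit or is missing. */
int parse_request_checked(Request *r, const unsigned char *pkt, size_t pkt_len) {
    if (pkt == NULL || pkt_len > sizeof r->data)
        return -1;
    memcpy(r->data, pkt, pkt_len);
    r->len = pkt_len;
    return 0;
}

/* Receive-loop step: accept a datagram only if it fits; 1 = accepted, 0 = dropped. */
int handle_datagram(const unsigned char *pkt, size_t pkt_len) {
    Request req;
    memset(&req, 0, sizeof req);
    if (parse_request_checked(&req, pkt, pkt_len) != 0) {
        /* A real service would count or log the drop here for monitoring. */
        return 0;
    }
    return 1;
}

/* Constructed inputs so the example runs without a network. */
int demo_small_datagram(void) {
    unsigned char pkt[40];
    memset(pkt, 'a', sizeof pkt);
    return handle_datagram(pkt, sizeof pkt);   /* fits: accepted */
}

int demo_oversized_datagram(void) {
    unsigned char pkt[376];                    /* Slammer datagram size from the paper */
    memset(pkt, 'a', sizeof pkt);
    return handle_datagram(pkt, sizeof pkt);   /* exceeds REQ_BUF: dropped */
}

int main(void) {
    printf("40-byte datagram:  %s\n", demo_small_datagram() ? "accepted" : "dropped");
    printf("376-byte datagram: %s\n", demo_oversized_datagram() ? "accepted" : "dropped");
    return 0;
}
```

The checked version makes the rejection explicit and observable, which is what lets a service both stay within its buffer and feed a count of oversized datagrams to the kind of monitoring the paper's mitigation section calls for.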
The Stuxnet Case
Porteous (2010) observes that the reports of the Stuxnet worm first emerged from Belarus in a report by a local antivirus vendor. Reportedly, the special feature of the virus was its ability to replicate in similar ways on all versions of Windows, since all of them processed shortcut files. Porteous (2010) suggests that its other worrying aspect was its evidently legitimate signature from Realtek. Kerr, Rollins & Theohary (2010) report that the worm targeted specific vendor installations like the Siemens WinCC constructs that comprised critical sections of the PCS 7 control installations. Noticeably, armed with these capacities, the worm invaded industrial control installations through the utilization of a previously unrecognized system vulnerability. Kerr, Rollins & Theohary (2010) report that further investigations revealed its propagation modes, which included disguise through the modification of key control procedures in varying systems.
According to Matrosov, Rodionov & Malcho (2010), Stuxnet propagated through computer installations via USB sticks and through shared networks running earlier versions of Microsoft installations with the RPC vulnerability. It presented itself as link files that pointed to executable files containing the worm. Additionally, upon installation, the files became virtually invisible to Windows Explorer. Reportedly, compromised systems spread the worm via shared USB resources, where it stayed for a maximum of three hops between machines prior to self-destruction. This shows that the designers of the worm intended it for a limited spread. Matrosov, Rodionov & Malcho (2010) suggest that in addition to the USB propagation, the worm also showed considerable spread in networks with machines that allowed write access for the virus.
The effects of the worm were soon evident. Several reports of compromised system installations emerged (Matrosov, Rodionov & Malcho, 2010). Noticeably, its method of destabilization incorporated a variety of procedures that included file creation and the resumption of insignificant processes, besides the addition of extra code in subtle memory procedures. Matrosov, Rodionov & Malcho (2010) suggest that the created files exhibited properties dissimilar to the link files in that they remained visible to Explorer functions. Additionally, the worm inspected compromised installations for the presence of antivirus software and disabled its varied functionalities, rendering the machines permeable to its activities. Matrosov, Rodionov & Malcho (2010) suggest that upon compromising the system, the worm extended its operations to surrounding network connections, where it prompted similar activities.
Falliere, Murchu & Chien (2011) observe that contradicting reports emerged concerning the spread of the worm across the globe. Reportedly, publications from antivirus vendors like Kaspersky gave a figure of over 5,000 compromised stations across the globe, with uniform distribution in North America, Asia, and sections of the Middle East. Similarly, emerging reports from Microsoft security centers indicated a rejection rate of approximately 100 installations per day. These reports indicated severe cases in Asia and other sections of Europe. Evidently, the numbers reported by Microsoft represent a dismal section of the overall global computers. Furthermore, they represent a discriminatory report compared with the statistics presented by Kaspersky. However, both reports captured a significant aspect of the worm, namely its prevalence in industrial control installations.
Mitigation and Future Recommendations in the Stuxnet Case
From the foregoing discussion, it is evident that the spread of the Stuxnet worm is limited to a number of isolated installations across the globe. Evidently, its affinity for industrial control installations makes it less significant to individual users. In his analysis of the prevalence of Stuxnet, Ginter (2010) suggests that individual users should not worry about the destructive effects of the worm but should be conscious of other prevalent worms, which increasingly utilize the vulnerabilities evident in the link functionality as well as the PIF fault. Agreeably, the reported cases of the worm across the globe are dismal. Indeed, the only occasion on which such reports captured foremost headlines was in its association with political motives. Taking this into consideration, I would suggest the installation of excellent antivirus applications as well as the installation of a patch for the LNK and PIF loopholes in Windows. Similarly, Ginter (2010) reports that Siemens released updates of its industrial installations that automatically corrected the apparent vulnerability. It is equally imperative to tighten access to assorted industrial server setups.
The SQL Slammer worm was a perfect reminder of a deliberate disregard of potential vulnerabilities in varied systems across the globe. Evidently, the buffer-overrun vulnerability was a loophole that had existed for over a decade in varied systems. This afforded the SQL Slammer an avenue to replicate extensively, resulting in a huge traffic blockage and a near standstill in the global interconnections. However, the response was immediate, resulting in the restoration of the hugely needed Internet accessibility. Despite its dismal spread, the effect of the Stuxnet case presented a unique predicament to varied vendors and equipment suppliers across the globe. Its ability to detect and utilize an unanticipated vulnerability in applications and to propagate by disabling antivirus installations was unique. While the source of Stuxnet remains unknown, from its design it is plausible to conclude that it aimed at premeditated functions. Either way, these two cases indicate that several loopholes exist in the varied systems applied in different operations across the globe. In designing defensive mechanisms, all stakeholders should take account of the varied consequences associated with infringements.