A Theoretical Superworm
This monthly briefing examines a scenario in which a SuperWorm is released into the current Internet environment. A theoretical worm description will be provided, and an actual incident of computer intrusion will be examined to indicate conditions that could facilitate the spread of the worm. Finally, two security technologies that could potentially mitigate the spread or damage of the worm will be described.
The aim of this report is to identify the current model of vulnerability detection, assessment, and response. Ultimately, the goal is to help network administrators develop adaptable and comprehensive responses to address vulnerabilities.
There is a tenuous balance between the reactive and proactive measures taken to address vulnerabilities in the national critical infrastructure systems of the U.S. and other networked computer assets. The current means of addressing vulnerabilities in software and systems revolves around a cycle: a vulnerability is identified and disclosed, and patches and exploits are then developed simultaneously. The race to infect (exploit) or inoculate (patch) vulnerable hosts eventually settles into an equilibrium, at which point both sides, attackers and protectors, take stock of lessons learned. The cycle then begins again, and often the original exploit is re-introduced with counter-countermeasures to defeat the original steps taken to mitigate the threat.