Ready, set, too late! Superworms!

May 24, 2005, 9:15pm PDT | Length: 00:03:14
A new class of worms that spread like lightning is turning security on its head. Charles Renert of Determina says updates can't protect you and by the time the worm hits, it's too late.

Transcript


My name is Charles Renert and I'm the head of security research and development at Determina Corporation. So the title of my talk is ready, set, too late: "Superworms." So what I'm talking about today is a new class of attack called Superworms. They spread extremely, extremely quickly and they really turn security upside down on its head. So you're going to have to reconsider the way that you do security in order to address this new kind of threat.

So let's look at your typical virus situation here. Let's say, from the Internet you get yourself an attachment. You get an e-mail. It's a typical way that these things are spread. You don't know what's in there. You decide to double click. Well, guess what happens? Now, your machine, it's going to send e-mail to all the people in your address book, right? So now if they double click, then they are going to get infected, but again it has to sit there kind of waiting in their inbox until they double click. Same concept here and so forth. So you get these folks slowly getting infected as they double click. So speed, it's moderately fast, in current terms. The e-mail worms too tend to spread pretty widely once you start double clicking. But there is that pause that slows them down somewhat. Their complexity is actually fairly low, so all I'm doing is send you an e-mail with an attachment. That's something that's very common. It's also something that from a security standpoint, it's a little easier to stop because we're just talking about e-mail here. Then the updates effectively are yes. Can you update yourself against this kind of threat? Yes, it's not spreading quite as quickly, again you've got other kinds of protections that are available, so that's why updating is feasible.

So Superworms are different. With Superworms, systems have vulnerabilities and the difference with the vulnerability is that when the threat comes, it goes straight in, straight into the vulnerability and starts running its code which then goes straight to all the machines that it can connect and so forth and so forth. So what you get is this absolutely lightning effect where all systems that have the vulnerability are almost instantaneously affected. So speed: lightning. Extremely, extremely fast. I mean just to give you an example, you take SQL Slammer; SQL Slammer, which infected computers a couple of years back a 500,000 machines, over 500,000 in less than 10 minutes. Okay, very serious here, very, very fast. Complexity is high. Vulnerabilities can exist in any application, any service, so the kind of traffic that's coming up from the Internet is very different than the e-mail traffic that we're talking about before. And then the bottom line is the updates is no. You can't update yourself to protect yourself because they're just too fast.

So if you want to protect yourself against Superworms then you're going to need to rethink how you do your security and make sure that you already have something on the box that's protecting you because by the time the worm hits, it's too late.
