»Worms that turn: nematodes and neotodes«
2018-10-18, 08:45–09:30, Europe

Nematodes, or "anti-worms", exploit the vulnerabilities used by worms, but then attempt to disinfect and patch vulnerable hosts. In this talk, I discuss the history of nematodes; why previous implementations failed; and why it may be worth reconsidering, given the recent rise in unconventional worms using IoT, hardware, firmware, and other mediums. I will also show demos of a traditional nematode and a new IoT nematode I developed, and a nematode I wrote which identifies and reports on specific images found on infected hosts.

*** Introduction – 2mins
- Who I am, what I do, what this presentation will cover
- Why am I qualified to talk about this? Have done extensive research into worms and nematodes. Professional penetration tester and security researcher – one of my main research interests is in unconventional vectors for attack and defence (e.g. “See no evil, hear no evil: Hacking invisibly and silently with light and sound” at DEF CON 25 and BruCON 0x09).

*** History of nematodes – 15mins
- 3 different types:
  - true nematodes (targeting specific worms, patching the hole, spreading)
  - malicious nematodes (these do the same as true nematodes but perform some additional action which can be considered malicious, such as opening a backdoor, or seek to destroy other worms in order to increase their own infection rate)
  - ‘moral’ nematodes (these may not exploit specific vulnerabilities, or target specific worms, but replicate and perform some kind of ‘beneficial’ action)
- Some digital paleovirology (I will discuss the context, background, and effects of each of these):
  - Creeper vs Reaper 1970-1 (apocryphal)
  - Animal (PERVADE) vs Hunter 1975
  - Brain vs Denzuko 1986/1988
  - KOH 1993
  - Cruncher 1993
  - ADM BIND worm vs Max Vision 1998
  - PolyPedo 2001
  - Blaster vs Welchia 2003
  - “The worm turns” 2003 (fictional story, Stealing the Network) – main inspiration for starting this research project
  - Netsky vs Bagle vs MyDoom 2004
  - Mirai vs Hajime 2014-present
  - Mirai/Reaper vs BrickerBot 2016-present

*** Why you may not have heard of nematodes before – 5mins
- Demise of traditional worms:
  - Exploit mitigation (ASLR/DEP/etc)
  - Improvements in patching, sandboxing, antivirus defence, vendor responses and the disclosure process
  - Fewer widespread vulnerabilities in software
  - Business models adapted to target specific organisations
- Previous attempts to introduce nematodes include:
  - An open source international attenuated computer virus (Peikari, 2001 – DEF CON 9)
  - Nematode framework (Aitel, 2005)
  - HP Active Countermeasures (2005-6)
  - Fujitsu (2012)
- Proposed benefits (discover shadow IT, rapid assessment and disinfection, pre-emptive defence, frustrate and reduce botnets, distributed scanning, other distribution problems e.g. searching)
- Counter-arguments (still illegal, still destructive and/or disruptive, no longer relevant, 'fear factor' of running self-replicating code on a network)
- Never widely adopted. Current consensus is that it's an interesting idea, but not really viable, and potentially just as disruptive/damaging as malicious worms. Not without good reason, but...

*** Rise of the neotodes – 5mins
- Recent increase in ‘wormable’ vulnerabilities in hardware and associated protocols:
  - RFID worms 2006
  - Smart lightbulb worm 2016
  - ArduWorm 2016
  - BlueBorne 2017
  - BroadPwn 2017
  - IoT devices 2016-present
  - Future neotodes – drones (seen something similar already with Samy Kamkar's SkyJack), connected vehicles, medical devices?
- Why is this important?
  - Harder to patch, affect more users, rely on fixing hardware/firmware rather than software
  - May not be constrained by typical network boundaries
  - Vendors less likely to care (esp. IoT)
- Also some interesting developments in proposed legislation (“hack back” bill) and in the exploit economy (e.g. Shadowbrokers’ proposed 0-day subscription service, private bug bounty programs, etc.)
- Re-examining the concept of nematodes could be a way to address some of these security gaps

*** Re-opening the debate – 5mins
- Useful for vulnerabilities for which there aren’t worms yet
- Plus addresses a security gap (e.g. IoT) which can’t always be dealt with in the same way as traditional equipment
- Targeted ‘moral’ nematodes may also have a place
- Could move towards more of a distributed model, where organisations take responsibility for the configuration and actions of nematodes deployed on their network (rather than nematodes being released into the wild)

*** Demos – 10mins
- 1x true, traditional nematode – recent web application vulnerability. Worm created in Python to exploit 4x vulnerable virtual machines and report back. Nematode, also in Python, removes worms from infected machines and executes a workaround mitigation.
- 1x neo-nematode – IP camera vulnerabilities. Worm created in Bash chains 2 vulnerabilities together to infect 3x cameras. Nematode infects, removes worms, and temporarily mitigates.
- 1x ‘moral’ worm as an improvement on PolyPedo – Windows executable which compares images in a folder to a hardcoded list of ‘bad’ images, and emails a specified address if any are found. Rather than using filename matching (as with PolyPedo) or cryptographic hash comparison, it uses ‘perceptual’ hashing to measure image similarity based on pixel distribution. Tolerates edits, resizing, and screenshots from different points in a video (e.g. for thumbnails). Replicates over USB devices.
- For each demo, I'll show both the worm performing the original infection, where applicable, and then the nematode. I'll also provide a scenario where the nematode could be deployed practically.
- Depending on circumstances, these will either be live or pre-recorded. I will try to do live where possible but will have video backups.
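The third demo rests on the difference between a perceptual hash and a cryptographic one: a resized, brightened or lightly edited copy of an image keeps (almost) the same perceptual fingerprint, while SHA-256 changes completely. The following is an added illustration of that comparison, not code from the talk or its demos. It assumes the common "dHash" scheme (box-shrink to a 9x8 grayscale thumbnail, one bit per horizontal neighbour pair, 64 bits compared by Hamming distance), an assumed match threshold of 10 differing bits, and constructed tiled sample images built in memory so that no imaging library is needed.

```python
"""Perceptual (difference) hashing versus cryptographic hashing of images.

Added example, not the talk's code. Assumes the dHash scheme: shrink the image
to a 9x8 grayscale thumbnail, emit one bit per horizontal neighbour pair
(1 if the right pixel is brighter), giving a 64-bit fingerprint compared by
Hamming distance. Images are 2-D lists of 0..255 grayscale values.
"""
import hashlib

HASH_W, HASH_H = 9, 8        # 9 columns give 8 differences per row: 8 x 8 = 64 bits
SIMILAR_MAX_DISTANCE = 10    # assumed threshold: <= 10 differing bits counts as a match


def resize_nearest(img, new_w, new_h):
    """Nearest-neighbour resample; stands in for a rescaled copy or a video thumbnail."""
    h, w = len(img), len(img[0])
    return [[img[y * h // new_h][x * w // new_w] for x in range(new_w)]
            for y in range(new_h)]


def shrink_mean(img, new_w, new_h):
    """Box-filter downscale: each output pixel is the mean of its source block."""
    h, w = len(img), len(img[0])
    out = []
    for oy in range(new_h):
        y0 = oy * h // new_h
        y1 = max((oy + 1) * h // new_h, y0 + 1)
        row = []
        for ox in range(new_w):
            x0 = ox * w // new_w
            x1 = max((ox + 1) * w // new_w, x0 + 1)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img):
    """64-bit difference hash: for each thumbnail row, bit = (left pixel < right pixel)."""
    bits = 0
    for row in shrink_mean(img, HASH_W, HASH_H):
        for x in range(HASH_W - 1):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_pixels(img):
    """Cryptographic hash of the raw pixel bytes: any change at all yields a new digest."""
    raw = bytes(max(0, min(255, int(p))) for row in img for p in row)
    return hashlib.sha256(raw).hexdigest()


def make_tiled(w, h, xmul=2, ymul=1, tile=8, base=40, step=80):
    """Constructed sample image: 8x8 tiles cycling through three grey levels (40/120/200)."""
    return [[base + step * ((xmul * (x // tile) + ymul * (y // tile)) % 3) for x in range(w)]
            for y in range(h)]


def brighten(img, delta):
    """Uniform brightness change, as a re-encoded screenshot might introduce."""
    return [[min(255, p + delta) for p in row] for row in img]


def paint_square(img, size, value):
    """Edit: overwrite the top-left size x size pixels, like a pasted logo or watermark."""
    return [[value if (x < size and y < size) else p for x, p in enumerate(row)]
            for y, row in enumerate(img)]


def compare(reference, candidate):
    """Return (dhash distance, perceptual match?, sha256 identical?) for a candidate image."""
    d = hamming(dhash(reference), dhash(candidate))
    return d, d <= SIMILAR_MAX_DISTANCE, sha256_pixels(reference) == sha256_pixels(candidate)


if __name__ == "__main__":
    original = make_tiled(72, 64)
    variants = {
        "identical copy": original,
        "resized to 100x90": resize_nearest(original, 100, 90),
        "brightened by +20": brighten(original, 20),
        "16x16 corner edit": paint_square(original, 16, 0),
        "different image": make_tiled(72, 64, xmul=1, ymul=2),
    }
    for name, img in variants.items():
        d, similar, same_sha = compare(original, img)
        print(f"{name:20s} dhash distance={d:2d} match={similar!s:5s} sha256 equal={same_sha}")
```

Run as a script, the table shows the resized and brightened copies at distance 0 and the corner edit at distance 2 (all matches), while SHA-256 equals the reference only for the identical copy; the unrelated tiling lands at distance 21, well above the threshold. The threshold is the tuning knob: too low and thumbnails slip through, too high and unrelated images with similar large-scale brightness layout start to match, which is why a detector built this way still wants a second check before it acts on a hit.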

*** Conclusion – 3mins
- Nematodes were an interesting idea, but ultimately not successful:
  - Drawbacks outweighed the benefits
  - Also a “fear factor” associated with them (rightly or wrongly)
  - Have mostly managed without them in the last few years, with the odd exception (Conficker, WannaCry, etc)
- Threat of neotodes means we may need a new method to combat worms:
  - Some disadvantages, and needs to be carefully managed
  - Nematodes could be used to address the gaps introduced by neotodes
  - Moral nematodes also an interesting concept…
- The debate will continue, but wanted to raise awareness of this and demonstrate that if they’re handled carefully, they might have their uses
- Ideas for future research:
  - Framework to develop IoT nematodes
  - Focus on wormability when disclosing/discussing vulnerabilities, followed by discussions of possible nematodes
- Questions if time, otherwise will highlight contact details and invite discussions after the talk.