How is a router worm like a flu pandemic? Medical researchers say an outbreak of influenza, similar to the devastating Spanish Flu of 1918, is likely in the near future. Somewhere in the world, a flu virus may be quietly mutating. We don’t know when the virus will emerge or the scale of the pandemic. But we do know there’s an historical precedent.
In like fashion, vulnerability researchers predict the emergence of router worms: malware designed to automatically spread from router to router like wildfire, thereby bringing down vast segments of network infrastructure. Although the idea has existed as a possibility for almost two decades, no actual instances have yet occurred.
But like the Spanish Flu, there is an historical precedent. “Going back five years, it was very rare to see exploitation of buffer overflows in the Windows platform,” says Neel Mehta, team lead of the advanced research group at Atlanta-based Internet Security Systems (ISS). “Vendors and researchers agreed it was theoretically possible but were iffy on how it could be exploited. If you look at the evolution of security, today it seems every major threat is a Windows buffer overflow.”
Researchers for security vendor McAfee Inc. have designated router worms a major future threat. “It’s now the rage to find vulnerabilities and it was easy to find them in Microsoft operating systems. Then people started going after Apple, so you’re starting to hear more about those. When they exhaust these easy things, then they’ll start going after Cisco boxes,” says Jimmy Kuo, fellow for the McAfee Anti-Virus Emergency Response Team (AVERT).
But there are economic barriers for glory-seeking hackers looking to turn the router worm vision into reality. “The devil is in the details,” says David McMahon, director of high assurance at Bell Security Solutions (BSS). “When someone does exploit development on a Windows box, they can get a hold of a typical PC and experiment. It’s a little more difficult when you’re going against a core router that’s going to cost you a significant amount of money to purchase. It’s difficult to even get access to do the homework to develop and propagate these things. It’s going to be somewhat cost-preclusive.”
When do security experts believe router worms will emerge, in spite of the costs? “It’s speculative — when something has been a potential for 20 years and hasn’t happened, it’s hard to say it’s going to happen in the next five years,” says Kuo.
However, ISS researchers have a more precise timeline. “It doesn’t look like there are going to be any ‘super-router’ threats of router worms probably for the next 24 months,” says Michael Lynn, research analyst at ISS. “There will be some architectural changes to the Cisco Internetwork Operating System (IOS) in that time frame, and we’ve discussed some of the implications of that with Cisco.”
Cisco spokespeople were unavailable for comment at press time. In the arms race between hackers and vendors, major router users like BSS believe vendors are ahead of the game. “People who manufacture these routers will have a significant advantage running penetration tests, developing exploratory exploits and exercising some of the theoretical concepts. They’re going to have much better facilities than the average hacker,” says McMahon.
If and when router worms emerge, their effects could be devastating. “All the worms we see right now, they’re attacking network end-points such as desktops and servers. But a router worm would compromise the infrastructure in between,” says Thomas Akin, incident response manager at ISS and author of Hardening Cisco Routers. “If one were created that targeted Cisco, it could have a real effect on the stability of wide area networks.”
But ISS researchers believe the knowledge needed to create a router worm is still too specialized and confined to a very small group. “It’s become apparent routers are exploitable, and as changes are made to operating systems, they will become more exploitable. Looking forward, we do see it as a major concern but at the moment, there isn’t enough information out there publicly to make it a threat today. You’re going to see individuals attack routers long before you see router worms,” says Akin.
How should the perplexed network manager prepare to deal with a threat that may or may not materialize, perhaps in two years, perhaps five? Firstly, an attitude change is needed. “Many system administrators think of routers as a VCR or toaster, but they need to start thinking of it as a computer because it can be attacked in the same way as a computer can be,” says Lynn.
Good network hygiene is needed too. “If people want to protect themselves against router attacks, it comes down to paying the same attention to routers as their Windows system. The two key things are patching them and monitoring the router’s configuration for changes,” says Akin. “Ideally, that process should be automated, but if not, administrators should do it manually once a month or quarterly.”
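As an added illustration of Akin's advice to automate monitoring of the router configuration for changes (example code written for this article, not from ISS or any vendor), the following Python compares a saved baseline of a router's running configuration with a freshly collected copy and reports drift. The two configurations are constructed samples, and the filter for volatile lines is an assumption about which lines differ on every pull.

```python
"""Detect changes to a router configuration snapshot.

Compares a stored baseline of a router's running config against a newly
collected copy and reports added and removed lines, ignoring volatile
lines (change timestamps) that differ on every pull even when nothing
meaningful changed.  Both configs below are constructed samples.
"""
import hashlib
import re

# Lines that legitimately change between pulls and should not raise an alert
# (assumption: extend this for your platform's own volatile lines).
VOLATILE = re.compile(r"^(! (Last configuration change|NVRAM config last updated)|ntp clock-period)")

BASELINE = """\
! Last configuration change at 10:00:00 UTC Mon Jan 1 2024
hostname edge-rtr-1
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Constructed "current" pull: the VTY access-list was dropped and telnet enabled.
CURRENT = """\
! Last configuration change at 11:30:00 UTC Tue Jan 2 2024
hostname edge-rtr-1
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""

def normalize(config: str) -> list[str]:
    """Drop blank and volatile lines so only meaningful config is compared."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]

def config_fingerprint(config: str) -> str:
    """Stable SHA-256 over the normalized config; store it alongside the baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def config_drift(baseline: str, current: str) -> dict[str, list[str]]:
    """Return the lines removed from and added to the baseline."""
    base, cur = set(normalize(baseline)), set(normalize(current))
    return {"removed": sorted(base - cur), "added": sorted(cur - base)}

if __name__ == "__main__":
    drift = config_drift(BASELINE, CURRENT)
    if drift["removed"] or drift["added"]:
        print("ALERT: configuration changed since baseline")
        for ln in drift["removed"]: print("-", ln)
        for ln in drift["added"]: print("+", ln)
```

In practice the baseline fingerprint is stored off-box and the comparison runs on a schedule against each pulled config, so a change to the VTY lines like the one above is flagged the same day rather than at the next quarterly review.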