Blended threats

["Nasseam Elkarra" <nelkarra@opensec.org>]

The CodeRed worm is a good example of a blended threat because it
performs multiple attacks on different components.

It exploits a buffer overflow vulnerability, defaces the website of the
exploited machine, attempts to spread to other machines, and causes
system instability.

It is more than a buffer overflow as someone mentioned in the call and
can fit into more than one category. However, blended threats usually
have an entry point. In this case, the buffer overflow provided CodeRed
the necessary privileges to perform the latter attacks. In scenarios
like this, we can try to classify the threat in multiple categories or
simply focus on the entry attack.

I imagine an assessment checking to see if a system is affected by
CodeRed would perform an HTTP request and analyze the response. In this
case, the assessment would check if the buffer overflow problem is
present so this easily fits in the overflow category. Maybe we can work
backwards and start from the assessment because whatever the assessment
is checking for is the category.  

If we want to discuss CodeRed, we should probably look at what Microsoft
and eEye(they discovered the problem) had to say about it.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
ity/bulletin/MS01-033.asp
http://www.eeye.com/html/Research/Advisories/AL20010717.html

Symantec also has some good whitepapers about blended threats:
http://securityresponse.symantec.com/avcenter/whitepapers.html

Finally, I am still trying to understand the goals of WAS and how things
will fit together. Someone mentioned playing with the XML format early
to try to encode our thoughts. I think this would be a good idea to help
us visualize our goal and make sure we are all on the same page.

Thanks,
Nasseam Elkarra
nelkarra@opensec.org