Infosecurity Today, March/April 2005, column

The four ages of malware
Roger Thompson

As malicious code has evolved, one can see four distinct ages. They show a narrowing gap between the announcement of a vulnerability and an attack that exploits it, and a shift from purely technology-based attacks to those that exploit a sophisticated understanding of social behaviour to trigger the attack.
The viruses of the DOS age seem quaint. They include boot infectors, program infectors, stealth viruses, multipartite viruses, tunnellers and companion viruses. They appeared in 1987 and dominated until about July 1995, when Windows 95 was released. Win95 was the first "protected mode" operating system to be adopted widely. Almost none of the DOS viruses was effective on Win95 systems. While people continued to write them, they ceased to threaten most users.
To use a biological analogy, living creatures find it hard to adapt to swiftly changing environments. So too with technological phenomena like computer viruses. Changing the operating system disrupted the viruses' environment almost overnight, and so ended the first age.
The macro virus age — 1995 to early 1999
In 1995 very few programmers knew how to write assembly code for Win32, or much about its internal structures. This made new Win95-infecting viruses unlikely: the required knowledge simply didn't exist. (The first Win95 file infectors did appear in 1996, but they stayed rare for several years.) But even if the OS was safe, the applications were not.
Win95 was released with the Office 95 application suite, which sported a powerful macro language, Basic (WordBasic in Word at first, unified as Visual Basic for Applications across the suite from Office 97). In addition, Microsoft introduced the compound file (a file system within a file, with its own allocation table, directories, and both data and program streams inside a single file), which we came to know as the DOC file.
To be fair, Microsoft did it for the right reason: to prepare DOCs to be multimedia-rich, containing pictures and sounds and even animations and movies. There was little documentation for these files, so anti-virus companies had to adapt their scanning engines, and warn people that, unlike in the first age, viruses now lurked in what seemed to be purely data files.
In the DOS age, geek pride made it lame to write a virus in anything other than assembler, but in the macro age it became "kewl". If virus writers were ignorant of Win95 assembler, they still made life hard for anti-virus developers by writing quickly, and by figuring out how to use the tools in Basic to infect the other Office applications.
Eventually it became apparent that while Basic has infinite possibilities, one needs only a few commands to make code self-replicate: an entry point that Word or Excel runs on its own (AutoOpen, AutoClose, Document_Open and the like) and a call that copies the macro into the global template, Normal.dot, or into another document (MacroCopy and OrganizerCopy in the early days, later the VBA extensibility objects such as VBComponents and CodeModule). By detecting these commands in combination, anti-virus scanners could find even brand-new macro viruses. They mightn't know the variant or what it did, but they knew it was a virus.
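The point above is the one worth carrying into detection engineering: when a behaviour needs a fixed handful of primitives, you do not need a signature per variant. What follows is an added example, not code from the column or from any anti-virus product. It is a small Python heuristic that blanks out comments and string literals (which never execute), collects the identifiers a macro uses, and reports a probable macro virus only when an auto-executing entry point appears together with a code-copying primitive. The two macro samples are constructed for the example and are not real virus code, and the trigger and primitive lists are my own assumptions, illustrative rather than complete.

```python
"""Heuristic detection of the macro-virus self-replication pattern.

Added example (not code from the column or from any vendor's engine).  It flags
the combination the column describes: an auto-executing entry point plus a call
that copies macro code somewhere else.  The sample macros below are constructed
for this example and are not real virus code.
"""
import re

# Procedure names that Word or Excel run without the user asking (assumed list).
AUTO_TRIGGERS = {
    "autoopen", "autoclose", "autoexec", "autonew", "autoexit",
    "document_open", "document_close", "document_new",
    "workbook_open", "workbook_close", "auto_open", "auto_close",
}

# Calls and objects that copy macro code into Normal.dot or another document.
REPLICATION_PRIMITIVES = {
    "macrocopy", "organizercopy",                 # WordBasic / Word 97
    "vbproject", "vbcomponents", "codemodule",    # VBA extensibility model
    "addfromstring", "insertlines", "normaltemplate", "attachedtemplate",
}

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def normalise(src):
    """Join '_' line continuations and blank out comments and string literals.

    Comments and strings never execute, so a mention of MacroCopy inside them
    must not score; this also removes an obvious false-positive class.
    """
    src = re.sub(r"[ \t]_[ \t]*\r?\n", " ", src)
    src = re.sub(r"(?im)^[ \t]*rem\b.*$", "", src)
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch == '"':                     # string literal; "" is an escaped quote
            j = i + 1
            while j < n and src[j] != "\n":
                if src[j] == '"':
                    if j + 1 < n and src[j + 1] == '"':
                        j += 2
                        continue
                    break
                j += 1
            out.append('""')
            i = j + 1
        elif ch == "'":                   # comment runs to end of line
            j = src.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def scan_macro(src):
    """Return the triggers and replication primitives found, plus a verdict."""
    idents = {m.group(0).lower() for m in IDENT_RE.finditer(normalise(src))}
    triggers = sorted(idents & AUTO_TRIGGERS)
    primitives = sorted(idents & REPLICATION_PRIMITIVES)
    if triggers and primitives:
        verdict = "probable macro virus"   # runs by itself and copies itself
    elif primitives:
        verdict = "suspicious"             # copies code, but needs a user to run it
    else:
        verdict = "clean"
    return {"auto_triggers": triggers, "replication_primitives": primitives,
            "verdict": verdict}


# Constructed samples (hypothetical; not taken from any real document).
BENIGN_MACRO = '''
' Tidies a report.  Mentions MacroCopy only in this comment and in a string.
Sub FormatReport()
    Dim msg As String
    msg = "Do not use MacroCopy here"
    Selection.Font.Bold = True
End Sub
'''

REPLICATING_MACRO = '''
Sub AutoOpen()
    On Error Resume Next
    ' copy this module into the global template so every new document gets it
    Set src = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    Set dst = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    dst.AddFromString src.Lines(1, src.CountOfLines)
End Sub
'''

if __name__ == "__main__":
    for name, macro in (("benign", BENIGN_MACRO), ("replicating", REPLICATING_MACRO)):
        print(name, scan_macro(macro))
```

The benign macro comes back "clean" even though the word MacroCopy appears in it twice, because both occurrences are in non-executing text; the replicating one is flagged on AutoOpen plus the VBProject/CodeModule/AddFromString chain. The obvious evasion, assembling those names at run time from string fragments, is exactly what a real engine has to add on top of this: an emulator or, at least, string-decoding passes.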
Although macro viruses are still around, they were no longer a strategic problem by early 1999. Anti-virus scanners ended the macro age by acting like a broad-spectrum antibiotic, detecting and killing viruses by family trait.
The mass mailer age — 1999 to 2002
In January 1999 there were some 43 million hosts registered in the internet's Domain Name System (DNS); this was the bottom of the hockey-stick curve that saw the number of registered hosts top 285 million in July 2004.
In March 1999 the Melissa virus hit an unsuspecting world. The results were devastating. Self-mailing viruses had been tried before, but Melissa, a Word macro virus that used Outlook to mail the infected document to the first 50 entries in each address book, was the first success, and it ushered in a new age.
Virus writers realised that if they could spread their virus faster than defenders could update their anti-virus signatures, it didn't matter that it was easily detected.
Ironically, Melissa's author had actually meant to limit its spread to the first 50 addresses in each address book. But he didn't realise that most large organisations use many of the first 50 addresses for all-company groups, so a single infected user mailed an entire company.
The next few years saw some stunningly successful self-mailers, including LoveLetter and AnnaKournikova. But organisations discovered that no matter how different each mass mailer was, there was a single chokepoint: the corporate email gateway. All one needed was to strip off any executable attachment at the gateway. There was no need to update anti-virus scanners at all. "Executable" has to be read broadly, though: LoveLetter and AnnaKournikova were VBScript attachments, and LoveLetter hid its .vbs behind a double extension (LOVE-LETTER-FOR-YOU.TXT.vbs), so the filter must judge by the final extension, or better by the content, rather than by what the name appears to be.
Even though mass mailers are still written, and occasionally cause an outbreak when they use a new file type, such as the zip-file version of Bagle, any corporation doing intelligent filtering at the gateway has become pretty safe from mass mailers. (Later Bagle variants went a step further and password-protected the zip, printing the password in the message body; a gateway cannot inspect such an archive, so the safe policy is to quarantine whatever it cannot open.) As in nature, intelligent filtering ensures that harmful things stay outside the organism. This largely ended the third age.
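To make the gateway rule concrete, here is an added example, not code from the column or from any vendor's product, of the filtering policy this section describes, written in Python on the standard library: judge each attachment by its final extension or by its content rather than by its apparent name, open zip archives and judge their members by the same rule (nested archives recurse), and quarantine archives that cannot be inspected because they are password-protected or not parseable. The messages, the archives and the extension list are constructed or assumed for the example; the `mark_encrypted` helper only sets the encryption flag on a constructed zip so the quarantine path can be exercised offline.

```python
"""Mail-gateway attachment filter: the chokepoint the column describes.

Added example, not code from the column or from any product.  The rule is the
column's "strip executable attachments", extended the way the Bagle episode
demands: judge by the final extension or by content (an 'MZ' header) rather
than by the name, look inside zip archives, and quarantine archives the gateway
cannot inspect.  Every message and archive below is constructed for the example.
"""
import io
import zipfile
from email.message import EmailMessage

# Types Windows runs on double-click; an assumed, illustrative list, not exhaustive.
EXEC_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
            "wsf", "hta", "cpl", "lnk"}
MAX_MEMBER_BYTES = 1 << 20          # sanity limit so a zip bomb cannot exhaust memory
RANK = {"allow": 0, "strip": 1, "quarantine": 2}


def final_extension(name):
    """LOVE-LETTER-FOR-YOU.TXT.vbs is a .vbs: only the last extension counts."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def judge_blob(name, data):
    """Decide one attachment or archive member: (verdict, reason)."""
    if final_extension(name) in EXEC_EXT or data[:2] == b"MZ":
        return "strip", f"executable content: {name}"
    if final_extension(name) == "zip" or data[:4] == b"PK\x03\x04":
        return judge_zip(name, data)
    return "allow", name


def judge_zip(name, data):
    """Apply judge_blob to every member; refuse what cannot be inspected."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        members = zf.infolist()
    except zipfile.BadZipFile:
        return "quarantine", f"unreadable archive: {name}"
    for info in members:
        if info.flag_bits & 0x1:           # encrypted: the password is in the mail body
            return "quarantine", f"password-protected archive: {name}"
        if info.is_dir():
            continue
        if info.file_size > MAX_MEMBER_BYTES:
            return "quarantine", f"oversized member in {name}: {info.filename}"
        with zf.open(info) as fh:
            verdict, why = judge_blob(info.filename, fh.read(MAX_MEMBER_BYTES))
        if verdict != "allow":
            return verdict, f"{name} -> {why}"   # nested zips recurse naturally
    return "allow", name


def filter_message(msg):
    """Return the gateway verdict for a parsed message and the reasons for it."""
    verdict, reasons = "allow", []
    for part in msg.iter_attachments():
        v, why = judge_blob(part.get_filename() or "", part.get_payload(decode=True) or b"")
        if v != "allow":
            reasons.append(why)
            verdict = max(verdict, v, key=RANK.get)
    return verdict, reasons


# ---- constructed test data (hypothetical addresses, names and contents) ----
def build_message(attachments):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "hi"
    msg.set_content("kindly check the attached")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag in every local and central header so the archive
    looks password-protected without real encryption (test data only)."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= 1
            i = b.find(sig, i + 4)
    return bytes(b)


FAKE_PE = b"MZ" + b"\x90" * 62   # DOS header stub only; not a runnable program
SAMPLES = {
    "clean": [("minutes.doc", b"\xd0\xcf\x11\xe0 compound file placeholder")],
    "double_ext": [("LOVE-LETTER-FOR-YOU.TXT.vbs", b"MsgBox 1")],
    "renamed_exe": [("holiday.jpg", FAKE_PE)],
    "zipped_exe": [("photos.zip", make_zip([("photo.jpg.exe", FAKE_PE)]))],
    "encrypted_zip": [("docs.zip", mark_encrypted(make_zip([("x.txt", b"hi")])))],
}


def run_samples():
    """Verdict per sample, e.g. {'clean': 'allow', 'encrypted_zip': 'quarantine'}."""
    return {k: filter_message(build_message(v))[0] for k, v in SAMPLES.items()}
```

"allow" here means only that the attachment passes the gateway's structural rule; it still goes to the content scanner, which is where the DOC with a macro in it would be caught. A production filter would extend the same `judge_blob` recursion to the other archive formats users actually mail (rar, cab, 7z) and would treat any container it cannot parse the way this one treats an encrypted zip.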
The criminal age — 2001 to present
The fourth age began in July 2001 with the release of the CodeRed.A worm. It exploited a buffer overflow vulnerability in some versions of Microsoft's Internet Information Server (IIS), in the Index Server ISAPI extension, for which Microsoft had issued a patch (MS01-033) about a month earlier. This allowed the worm to break into a system without any user interaction. It was the start of a menagerie of spyware, VEWs (vulnerability-exploiting worms) and VEBs (vulnerability-exploiting bots).
The payload of CodeRed.A was that on a given day at a given time, all infected nodes would stop trying to spread and would instead mount a distributed denial of service (DDoS) attack on the White House web site. But within a month CodeRed.C (usually called CodeRed II) came out. Rather than bothering with DDoS, it simply opened a backdoor on every infected system. Overnight, tech-support folk had to rebuild thousands of machines: once a box has had an open backdoor, removing the worm alone does not make it trustworthy again.
Some people have always made a sport of taking over other people's computers, i.e. hacking them. The more pernicious turn these captive PCs into zombie machines to distribute spam and malware.
Since early 2003 the number of hacks has reached epidemic proportions. At that time there were 300 to 500 viruses and Trojans "in the wild"; there are now perhaps 10,000. The motive is money. Instead of kids doing it for sport, it's now a business driven by spammers, phishers and DDoS extortionists, many with criminal intent.
Other factors, early in 2004, were the "worm wars" fought between the developers of the Bagle, NetSky and MyDoom worms and bots, and the subsequent publication of much of the source code. This made it easy for lots of people to enter the scene. We now see as many as 30 variants of the common worms and bots each month. Once an exploitable vulnerability is published, we expect it to induce an attack within two weeks.
In 2001 and 2002 it took eight or nine months for an exploit to be used, and many were never used at all. For example, in 2001 there were about 90 published vulnerabilities for Internet Explorer. By year-end, Microsoft had patched only about 70. Only one was actually used, in Nimda (the MIME-handling flaw, MS01-020, that let an HTML email run its attachment as soon as it was previewed), but the code to do this was cut and pasted into nearly every worm for the next two years.
At the other end of the spyware spectrum are the adware companies. Many are legitimate businesses that want to use the internet for targeted marketing. Many users understand that the internet must become commercial in order to expand. But millions object to unsolicited direct marketing in electronic form, better known as spam when it arrives by email and, more generically, as adware when it is installed on the PC.
Arms race continues

Looking back, one can see that this is an arms race. Competition, and the development of anti-spyware and anti-adware tools, make the new applications more virulent (like CoolWebSearch) and more aggressive (like Claria), and spyware more dangerous. Already some malicious web sites and botherders install bots first, and then install ordinary adware on the captured machines, to make money from the advertiser.
One thing is clear: the present arms race will continue until the technology changes. Then the cycle will begin again. This is natural. This is how it has been, and how it will be.
Computer Associates is exhibiting at Infosecurity Europe 2005, Europe's premier information security event. Now in its 10th year, Infosecurity Europe continues to provide an unrivalled education programme, new products and services, over 250 exhibitors and over 10,000 visitors from every segment of the industry. Held from 26-28 April 2005 in the Grand Hall, Olympia, London, this is a must-attend event for all IT professionals involved in information security. See www.infosec.co.uk for details.
Roger Thompson, director of malicious
content research, Computer Associates.