The four ages of malware

Roger Thompson

As malicious code has evolved, one can see four distinct ages. They show a narrowing gap between the announcement of a vulnerability and an attack that exploits it, and a shift from a pure technology-based attack to those that exploit a sophisticated understanding of social behaviour to trigger the attack.

Infosecurity Today, March/April 2005, column (pp. 47-48)


The DOS age — 1987 to 1995

The viruses of the DOS age seem quaint. They include boot infectors, program infectors, stealth viruses, multipartite viruses, tunnelers and companion viruses. They appeared in 1987 and dominated until about July 1995, when Windows 95 was released. Win95 was the first "protected mode" operating system to be adopted widely, and almost none of the DOS viruses was effective on Win95 systems. While people continued to write them, they ceased to threaten most users.

To use a biological analogy, living creatures find it hard to adapt to swiftly changing environments. So too with technological phenomena like computer viruses. Changing the operating system disrupted the viruses' environment almost overnight, and so ended the first age.

The macro virus age — 1995 to early 1999

In 1995 very few programmers knew how to write assembly code for Win32, or much about its internal structures. This made new Win95-infecting viruses unlikely: the required knowledge simply didn't exist. But even if the OS was safe, the applications were not.

Win95 was released with the Office 95 application suite, which sported a powerful Basic-derived macro language (WordBasic in Word, Visual Basic for Applications in Excel). In addition, Microsoft invented the compound file (a file system in miniature, with file allocation tables, directories and both data and program files within a single file), which we came to understand as a DOC file.

To be fair, Microsoft did it for the right reason: to prepare DOCs to be multimedia-rich, containing pictures and sounds and even animations and movies. There was little documentation for these files, so anti-virus companies had to adapt their scanning engines and warn people that, unlike in the first age, viruses now lurked in what seemed to be purely data files.

In the DOS age, geek pride made it lame to write a virus in anything other than assembler, but in the macro age, it became "kewel". If virus writers were ignorant of Win95 assembler, they still made life hard for anti-virus developers by writing quickly, and by figuring out how to use the tools in Basic to infect other Office applications.

Eventually it became apparent that while Basic has infinite possibilities, one needs only a few commands to make code self-replicate: copy a macro into the global template or into another document, and arrange for it to run automatically when that document is opened. By detecting these commands, anti-virus scanners could always find even brand-new macro viruses. They mightn't know the variant or what it did, but they knew it was a virus.

Although macro viruses are still around, they were no longer a strategic problem by early 1999. Anti-virus scanners ended the macro age by acting like a broad-spectrum antibiotic, detecting and killing viruses by family trait.
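One way to implement the "family trait" detection described above, as an added example in Python and not code from the column or from any anti-virus product: it treats macro source as text and looks for the conjunction of an auto-run trigger, a call that writes macro code, and a destination that another document will load from. The trigger, writer and target names are real Word and Excel identifiers; the three macro samples are constructed for the demonstration, and the "suspect" one is deliberately not a working copy routine.

```python
"""Family-trait detection for macro viruses: flag macro source that pairs an
auto-run trigger with the calls a macro needs to copy itself elsewhere."""
import re
from dataclasses import dataclass, field

# Procedures Word/Excel run without the user asking (the "trigger" trait).
TRIGGERS = re.compile(
    r"\b(AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|"
    r"Document_Open|Document_Close|Workbook_Open)\b", re.I)
# Calls that copy or write macro code (the "writer" trait).
WRITERS = re.compile(
    r"\b(MacroCopy|OrganizerCopy|AddFromString|InsertLines|"
    r"VBComponents\.Import)\b", re.I)
# Places a copy persists so that other documents pick it up (the "target").
TARGETS = re.compile(
    r"\b(NormalTemplate|AttachedTemplate|ActiveDocument\.VBProject)\b", re.I)


@dataclass
class Verdict:
    replicating: bool
    traits: dict = field(default_factory=dict)


def scan_macro_source(src):
    """Return a Verdict for one module of macro source text.

    The family trait is the conjunction: something runs automatically AND
    writes macro code AND points at a place another document will load from.
    Any one of these alone is common in legitimate macros; all three together
    is what every Concept/Melissa-era replicator needed, whatever else it did.
    """
    traits = {
        "trigger": sorted({m.group(1) for m in TRIGGERS.finditer(src)}),
        "writer": sorted({m.group(1) for m in WRITERS.finditer(src)}),
        "target": sorted({m.group(1) for m in TARGETS.finditer(src)}),
    }
    return Verdict(replicating=all(traits.values()), traits=traits)


# Constructed samples (not real malware). The identifiers are real Word VBA
# names; the "suspect" one deliberately writes only a comment string.
BENIGN_MACRO = """
Sub AutoOpen()
    ' Harmless auto-run macro: just changes the view.
    ActiveWindow.View.Zoom.Percentage = 120
End Sub
"""

INSTALLER_MACRO = """
Sub InstallHelpers()
    ' Writes into the global template but has no auto-run trigger,
    ' e.g. a help-desk tool that installs company macros on request.
    NormalTemplate.VBProject.VBComponents.Import "C:\\helpers.bas"
End Sub
"""

SUSPECT_MACRO = """
Sub AutoOpen()
    ' Trigger + writer + persistent target: the replicator's skeleton.
    Dim host
    Set host = NormalTemplate.VBProject.VBComponents(1).CodeModule
    host.AddFromString "' payload omitted"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("installer", INSTALLER_MACRO),
                       ("suspect", SUSPECT_MACRO)):
        print(label, scan_macro_source(src))
```

The point of requiring all three traits is the false-positive side of the antibiotic analogy: a macro that only runs on open, or only installs code into Normal.dot on request, is ordinary office automation and must pass. The same trigger-write-execute idea is what the open-source oletools project's mraptor applies to extracted VBA today.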

The mass mailer age — 1999 to 2002

In January 1999 there were some 43 million hosts registered in the internet's Domain Name System (DNS); this was the bottom of the hockey stick curve that saw the number of registered hosts top 285 million in July 2004.

In March 1999, the Melissa virus hit an unsuspecting world. The results were devastating. Self-mailing viruses had been tried before, but Melissa was the first success, and it ushered in a new age.

Virus writers realised that if they could spread their virus faster than defenders could update their anti-virus signatures, it didn't matter if they were easily detected.

Ironically, Melissa's author had actually meant to limit its spread to the first 50 addresses in each address book. But he didn't realise that most large organisations use many of the first 50 addresses for all-company groups.

The next few years saw some stunningly successful self-mailers, including LoveLetter and AnnaKournikova. But organisations discovered that no matter how different each mass mailer was, there was a single chokepoint, the corporate email gateway. All one needed was to strip off any executable attachment at the gateway. There was no need to update anti-virus scanners at all.

Even though mass mailers are still written, and occasionally cause an outbreak when they use a new file type, such as the Zip file version of Bagle, any corporation doing intelligent filtering at the gateway has become pretty safe from mass mailers. As in nature, intelligent filtering ensures that harmful things stay outside the organism. This largely ended the third age.
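The chokepoint argument above, together with the Zip-file caveat, as an added example in Python (standard library only; not code from the column or from Computer Associates). It strips attachments by what they are rather than what they are called: a double-extension name, an "MZ" executable header under any name, and the same two checks applied to every member of a Zip attachment, with encrypted members treated as undeliverable because they cannot be inspected. The extension list and the two sample messages are constructed for the demonstration.

```python
"""Chokepoint filtering at the mail gateway: strip executable content by
what it is, not what it is called, including executables inside Zip files."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY

# Extensions Windows will run on double-click. Illustrative, not exhaustive.
EXEC_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk", "dll", "cpl"}


def has_exec_extension(name):
    """Catch 'photo.jpg.exe' and 'readme.txt      .scr' style names: any
    extension after the first dot counts, and padding spaces are ignored."""
    parts = name.lower().replace(" ", "").split(".")
    return any(p in EXEC_EXTENSIONS for p in parts[1:])


def looks_like_pe(data):
    """Windows executables start with the 'MZ' DOS stub whatever the name says."""
    return data[:2] == b"MZ"


def inspect_zip(data):
    """Apply the name and header checks to every member of a Zip attachment."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip: not a readable zip file"]
    for info in zf.infolist():
        if info.flag_bits & 0x1:
            # Encrypted members cannot be inspected, so they cannot be cleared.
            reasons.append(f"zip: encrypted member {info.filename}")
            continue
        if has_exec_extension(info.filename):
            reasons.append(f"zip: executable name {info.filename}")
        with zf.open(info) as member:
            if looks_like_pe(member.read(2)):
                reasons.append(f"zip: PE header in {info.filename}")
    return reasons


def gateway_verdict(raw_message):
    """Return (allowed, reasons) for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_message, policy=DEFAULT_POLICY)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text, not an attachment
        data = part.get_payload(decode=True) or b""
        if has_exec_extension(name):
            reasons.append(f"attachment: executable name {name}")
        if looks_like_pe(data):
            reasons.append(f"attachment: PE header in {name}")
        # Look inside anything that is a Zip by name or by signature.
        if name.lower().endswith(".zip") or data[:4] == b"PK\x03\x04":
            reasons.extend(inspect_zip(data))
    return (not reasons, reasons)


def build_message(attachments):
    """Constructed test mail. attachments: list of (filename, bytes, subtype)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    for filename, data, subtype in attachments:
        msg.add_attachment(data, maintype="application", subtype=subtype,
                           filename=filename)
    return msg.as_bytes()


def zip_of(members):
    """Build an in-memory Zip from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples. FAKE_PE is only the 'MZ' stub, not a real program.
FAKE_PE = b"MZ" + b"\x00" * 62
BAD_MAIL = build_message(
    [("photos.zip", zip_of([("photo.jpg.exe", FAKE_PE)]), "zip")])
OK_MAIL = build_message(
    [("notes.zip", zip_of([("notes.txt", b"hello")]), "zip"),
     ("readme.txt", b"plain text", "octet-stream")])

if __name__ == "__main__":
    for label, mail in (("BAD_MAIL", BAD_MAIL), ("OK_MAIL", OK_MAIL)):
        allowed, why = gateway_verdict(mail)
        print(label, "delivered" if allowed else "blocked", why)
```

Nothing here needs a signature: the filter does not know or care which mass mailer produced the message, which is exactly why the gateway won. The cost is that legitimate executables and encrypted archives must travel some other way, a trade most organisations accepted.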

The criminal age — 2001 to present

The fourth age began in July 2001 with the release of the CodeRed.A worm. It exploited a buffer overflow vulnerability in some versions of Microsoft's Internet Information Server (IIS). This allowed the worm to compromise a system without any user interaction. It was the start of a menagerie of spyware, VEWs (vulnerability-exploiting worms) and VEBs (vulnerability-exploiting bots).

The payload for CodeRed.A was that on a given day at a given time, all infected nodes would stop trying to spread and would instead mount a distributed denial of service (DDoS) attack on the White House. But within a month CodeRed.C came out. Rather than bothering with DDoS, it simply opened a backdoor on all infected systems. Overnight, tech support folk had to rebuild thousands of machines.

Some people have always made a sport of taking over other people's computers, i.e. hacking them. The more pernicious turn these captive PCs into zombie machines to distribute spam and malware. Since early 2003 the number of hacks has reached epidemic proportions. Then there were 300 to 500 viruses and Trojans "in the wild"; there are now perhaps 10,000. The motive is money. Instead of kids doing it for sport, it's now a business driven by spammers, phishers and DDoS extortionists, many with criminal intent.

Other factors, early in 2004, were the "worm wars" fought between the developers of the Bagle, NetSky and MyDoom worms/bots, and the subsequent publication of much of the source code. This made it easy for lots of people to enter the scene. We now see as many as 30 variants of the common worms and bots each month. Once an exploitable vulnerability is published, we expect it to induce an attack within two weeks.

In 2001 and 2002, it took eight or nine months for an exploit to be used, and many were never used at all. For example, in 2001 there were about 90 published vulnerabilities for Internet Explorer. By year-end, Microsoft had patched only about 70. Only one was actually used (in Nimda), but the code to do this was cut and pasted into nearly every worm for the next two years.

At the other end of the spyware spectrum are the adware companies. Many are legitimate businesses that want to use the internet to do targeted marketing. Many users understand that the internet must become commercial to expand. But millions object to unsolicited direct marketing in electronic form, better known as spam when it arrives by email and, more generically, as adware when it is delivered by software installed on the user's machine.

Arms race continues

Looking back one can see this is an arms race. Competition and the development of anti-spyware and anti-adware make the new applications more virulent (like CoolWebSearch), more aggressive (like Claria), and spyware more dangerous. Already some malicious web sites and bot herders install bots first, and then install normal adware, to make money from the advertiser.

One thing is clear: the present arms race will continue until the technology changes. Then the cycle will begin again. This is natural. This is how it has been, and how it will be.

Computer Associates is exhibiting at Infosecurity Europe 2005, Europe's premier information security event. Now in its 10th year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 250 exhibitors and over 10,000 visitors from every segment of the industry. Held from 26-28 April 2005 in the Grand Hall, Olympia, London, this is a must-attend event for all IT professionals involved in information security. See www.infosec.co.uk for details.

Roger Thompson is director of malicious content research at Computer Associates.
