Question: What do you get if you cross a computer virus with a network worm?
Answer: Malware.
Until now, virus writers and network intruders have been two distinct breeds. This separation may be ending, with potentially serious consequences.
In the past, computer viruses were pretty dumb. Yes, it took skill to create them, but the payload was relatively harmless: pranks, or some damage to a single computer. Worms could affect many networked computers, but relied on some vulnerability in network servers. The Morris worm of 1988, for example, got in through a debug back door in sendmail and a buffer overflow in fingerd, and then spread onward over the trust relationships of rsh and rexec.
The new generation of network-aware viruses, or malware, can be delivered like a virus, in a download or email attachment, but when activated can connect to the network. An early example was the Back Orifice trojan, which when activated creates a network service (by default a UDP listener on port 31337) and passively waits to be contacted. A plugin module for it, however, actively sends a message to an IRC channel announcing a successful infection. A more sophisticated example, the RingZero trojan, actively uses the network to pass information back to a collection point; in RingZero's case the information was the location of web proxy servers, found by scanning other hosts on the common proxy ports. Melissa, a Word macro virus, and ExploreZip, a worm delivered as an executable email attachment, also use the network, in both cases to propagate by mailing copies of themselves to addresses harvested from the victim's mail client.
An important feature of this kind of malware is its ability to pass easily through firewalls. Melissa used the email service, while RingZero used the web service. Both these services usually traverse firewalls, since they are now critical for day-to-day work: a firewall that blocks outbound SMTP or HTTP blocks the business as well as the malware.
Taking Precautions
Never run untrusted software
This sounds easy, but is not. Although you may trust a particular vendor, their download site may have been hacked. One method to verify software is to check a cryptographically signed checksum. A plain checksum published on the same site proves nothing, since whoever replaced the package can replace the checksum file too; a signature made with the vendor's private key, however, cannot be forged by someone who only controls the web server. RedHat Package Manager (RPM), for instance, allows software packages to be digitally signed using PGP or GnuPG, so that rpm --checksig can confirm that the package you install is the same as the one the author or vendor originally released. The check is only as good as the public key it uses: obtain the vendor's key through some channel other than the possibly compromised download site.
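The check described above, written out as an added Python example (not code from the original page, and not RPM's own implementation): a vendor signs a checksum manifest of a release, and the installer refuses a package whose checksum does not match a manifest carrying a valid vendor signature. It assumes the third-party `cryptography` package for Ed25519 signatures, standing in for the PGP/GnuPG signature RPM uses; the file names, file contents and keys are all constructed for the example.

```python
"""Verify a downloaded package against a vendor-signed checksum manifest."""
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> bytes:
    """Checksum manifest in the familiar "<sha256>  <name>" line format, sorted by name."""
    lines = [f"{sha256_hex(data)}  {name}" for name, data in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def parse_manifest(manifest: bytes) -> dict:
    entries = {}
    for line in manifest.decode().splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            entries[name] = digest
    return entries


def verify_release(vendor_pub: Ed25519PublicKey, manifest: bytes,
                   signature: bytes, downloaded: dict) -> dict:
    """Return a verdict per downloaded file. A bad manifest signature trusts nothing."""
    try:
        vendor_pub.verify(signature, manifest)   # raises InvalidSignature on failure
    except InvalidSignature:
        return {name: "untrusted: manifest signature invalid" for name in downloaded}
    expected = parse_manifest(manifest)
    verdicts = {}
    for name, data in downloaded.items():
        if name not in expected:
            verdicts[name] = "untrusted: not listed in signed manifest"
        elif sha256_hex(data) != expected[name]:
            verdicts[name] = "tampered: checksum mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts


def demo() -> tuple:
    """Three downloads of a constructed release: genuine, swapped binary, swapped binary and manifest."""
    vendor_key = Ed25519PrivateKey.generate()   # lives on the vendor's offline signing host
    vendor_pub = vendor_key.public_key()         # distributed to users out of band
    name = "screensaver-1.0.exe"                 # constructed package name
    release = {name: b"GENUINE SCREENSAVER BYTES"}
    manifest = build_manifest(release)
    signature = vendor_key.sign(manifest)

    # 1. untouched download: checksum matches the signed manifest
    honest = verify_release(vendor_pub, manifest, signature, release)[name]

    # 2. the web server was hacked and the binary replaced, manifest left alone
    trojaned = {name: b"GENUINE SCREENSAVER BYTES + KEYLOGGER"}
    swapped = verify_release(vendor_pub, manifest, signature, trojaned)[name]

    # 3. the attacker also regenerates the checksum file to match the trojan; without
    #    the vendor's private key the old signature no longer verifies over it
    forged_manifest = build_manifest(trojaned)
    forged = verify_release(vendor_pub, forged_manifest, signature, trojaned)[name]
    return honest, swapped, forged


if __name__ == "__main__":
    print(demo())
```

Case 3 is the one a bare checksum cannot catch: an attacker who controls the download site controls the checksum file next to the package, and only a signature rooted in a key that never touched that server distinguishes the two.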
Some capability is provided in Windows 98 to use a Verisign certificate to authenticate programs: right-click an application icon, then follow "Certificates", "Details", "More Info" and so on. An invalid certificate (tampered binary) will show up with a red "X".
Monitor system activity
Ensure that all processes running on your computer are authorized. This, again, is not easy: modern operating systems run a large number of processes which the average user is unaware of, and a trojan can name itself after one of them.
Monitor network connections
Your computer should only connect to authorized services and addresses. Again, not easy. Normal web browsing may connect to a wide range of information providers, advertisement providers and so on, secure payment servers may be hosted elsewhere, and sites may be mirrored. Email traffic to and from almost any domain may be legitimate, while strange inbound connections may simply be travelers or visitors reading email or accessing data from their workplace. What can be judged is which program is making the connection, and whether that program has any business on the network at all.
Worst-Case Scenarios
An individual or group may hack in to a web server of some reputable organization and, instead of defacing the home page, replace downloadable software such as screensavers, applications or security updates with modified copies, then cover their tracks. The modified software performs its primary function, but also performs some secondary function. It may be intelligence gathering, such as recording keystrokes or passwords, or it may be active, such as mapping a network from inside the firewall. The malware may then report results back to its origin, using a service such as email or HTTP which traverses firewalls. It may simply set up an anonymous proxy for other malware to use to disguise its origin.
It may also contain a timebomb: on a particular date, the program will launch a denial of service attack against either the host network or a remote site. The consequences of such an attack, if launched simultaneously from thousands of computers, could be extremely serious. Consider that neither the Morris worm nor the Melissa virus, both of which tied up networks for days, was actually designed to be hostile.
Note: the network attacks against Yahoo!, eBay etc. in February 2000 were probably made using a relatively small number (dozens) of copies of Stacheldraht, a distributed denial of service tool which requires the attacker to break in to each "slave" computer by hand before launching the attack from the "master". A malware attack that spreads like a virus would not need the manual break-ins, and could be much worse than this.
Is there a silver bullet? Probably not. An operating system where every process had a digital signature which could be verified, or a capability-based system where networking ability was a privilege which could be restricted per process (as in VMS), would make life much more difficult for malware. A screensaver trying to send email, or a virus checker downloading data from somewhere other than its vendor's website, ought to set off alarms.
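The per-program entitlement described here, and the connection monitoring under "Monitor network connections" above, come down to the same check: a policy that says which program may talk to which hosts and ports, evaluated against what is actually on the wire. The following is an added Python example, not code from the original page or from any product it mentions. The program names, host names, the log line format and the sample lines are all constructed for the example; a real monitor would take the same records from netstat, a personal firewall log or a socket hook.

```python
"""Flag sockets that violate a per-program network policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed socket: an outbound connection or a listening service."""
    process: str
    direction: str   # "out" = connected to a remote host, "listen" = waiting to be contacted
    host: str        # remote host for "out"; bind address for "listen"
    port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    """What one program is entitled to do on the network."""
    direction: str
    host: str        # "*" any host, ".suffix" any host under that domain, else an exact name
    ports: frozenset


# Hypothetical entitlements; names and hosts are made up for the example.
# A program with no entry gets no network access at all.
POLICY = {
    "outlook.exe":  [Rule("out", "*", frozenset({25, 110, 143}))],           # mail to any domain may be legitimate
    "iexplore.exe": [Rule("out", "*", frozenset({80, 443}))],                # browsing reaches many hosts
    "avupdate.exe": [Rule("out", ".example-av.test", frozenset({80, 443}))], # only its vendor's site
    "inetinfo.exe": [Rule("listen", "*", frozenset({80}))],                  # the one sanctioned server
    "ssaver.scr":   [],                                                       # a screensaver needs no network
}


def host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def parse_log(text: str) -> list:
    """Parse 'process direction host port proto' lines (a format constructed for this example)."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        process, direction, host, port, proto = line.split()
        conns.append(Conn(process, direction, host, int(port), proto))
    return conns


def check(conn: Conn, policy=POLICY):
    """Return None if the socket is permitted by policy, otherwise an alert string."""
    rules = policy.get(conn.process)
    where = f"{conn.direction} {conn.proto}/{conn.port} {conn.host}"
    if rules is None:
        return f"{conn.process}: unknown program on the network ({where})"
    for rule in rules:
        if rule.direction != conn.direction or conn.port not in rule.ports:
            continue
        if conn.direction == "listen" or host_matches(rule.host, conn.host):
            return None
    return f"{conn.process}: not entitled to {where}"


def audit(text: str, policy=POLICY) -> list:
    return [alert for alert in (check(c, policy) for c in parse_log(text)) if alert]


# Constructed sample, not a real capture: legitimate sockets mixed with the three
# cases the text describes (screensaver mailing out, virus checker fetching from
# the wrong site, an unknown program waiting for contact like Back Orifice).
SAMPLE_LOG = """\
outlook.exe  out    mail.somewhere-else.test   25    tcp
iexplore.exe out    ads.example-ads.test       80    tcp
ssaver.scr   out    smtp.collector.test        25    tcp
avupdate.exe out    updates.example-av.test    443   tcp
avupdate.exe out    drop.collector.test        80    tcp
inetinfo.exe listen 0.0.0.0                    80    tcp
svch0st.exe  listen 0.0.0.0                    31337 udp
"""

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print("ALERT", alert)
```

The point of keying the policy on the program rather than on the port is the caveat in the text: port 25 from the mail client is normal, port 25 from a screensaver is not, and a packet filter that only sees ports cannot tell the two apart. The suffix rule for the virus checker is deliberately anchored on a leading dot so that a look-alike domain ending in the same letters does not match.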
The Future
This is one area where some science fiction writers and futurists may have seen more clearly than IT professionals. Future malware may be very sophisticated, incorporating artificial intelligence routines. The hacker of the future may be able to unleash self-aware programs which propagate themselves through the network, analyzing security defenses and reconfiguring themselves to avoid detection. Defenses, in turn, may become much more robust and incorporate active features to block attacks and identify friendly agents. (For more on agents, see for instance Hive - link below.)
Most antivirus packages will detect well-known trojans such as Back Orifice, once they have been found, analyzed and included in the signature database updates; a freshly modified copy will not be in the database.
Dynamic (personal) firewalls allow network connections to be monitored and blocked per application, so that the user can control outside access. These products will detect trojans and other malware using unregistered network ports. Malware could still hide its traffic in a "safe" service such as HTTP if general web browsing is enabled, which is why the check needs to ask which program is connecting, not only which port.