Worried about computer security on the Internet?
Forget about that little padlock icon on your browser - your
PC could be used to knock out Amazon.com. If that sounds absurd,
imagine this:
You receive a screensaver in the mail from a friend, with a short
note. It passes the latest antivirus software, so you try it.
It's a screensaver, all right, and it's pretty neat so you leave
it running. Five days later, along with several thousand other
copies, your "screensaver" starts sending bogus requests to an
e-commerce server, overloading it and blocking real transactions
worth thousands of dollars a minute. The e-comm tech team panics -
the packets are coming from all over the place, and they can't block
them without blocking genuine customers. Twenty sleepless hours later
they have renamed all their servers, allocated new addresses,
updated hundreds of web pages and are back in business. A week later,
you download the latest antivirus database, which recognizes
your screensaver as a "virus". The same day, your ISP terminates
your account, citing "inappropriate use".
In this example, the malicious code arrives as a "Trojan Horse"
in an email attachment. Viruses such as Happy99 and Melissa have shown
that they can appear to come from friends, using names from an address
book. Malicious code could also be planted in a download area after
a website is hacked, or advertised in a chat room.
There is a new breed of computer virus starting to appear.
With names like Ring Zero, Trinoo and Babylonia, these new
viruses - termed "malware" - have the ability to communicate
via the Internet. As in the above (fictitious) example, they
may spread and act more rapidly than traditional antivirus
programs can respond. According to a SANS report,
trojans are being found at an increasing rate (over 150 in 1999).
The Ring Zero virus explores the Internet looking for proxy servers
on ports 8080 and 3128, passing information back to a website in Russia.
Trinoo is a distributed denial-of-service attack launched from multiple
computers. Babylonia is a virus that can download new capabilities
over the Internet.
The obvious defense against this threat - disconnecting from
the Internet - becomes less and less viable as we come to rely
on the net more and more in our daily lives. Future operating
systems may protect us with access controls, or checking digital
signatures on all programs. Meanwhile, we can use network filters
to control what our PCs are talking to behind our backs, and try to
run only authenticated software.
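As an added illustration (not part of the original article), the Python below reviews a log of outbound connections and reports any program that has contacted several different hosts on ports 8080 and 3128, the behaviour described above for Ring Zero, while ignoring a browser that talks to one configured proxy. The log format, program names, addresses and threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict

PROXY_PORTS = {8080, 3128}  # ports the article says Ring Zero probes
THRESHOLD = 4               # assumed: distinct hosts before it counts as a scan

# Assumed (hypothetical) log format, one outbound connection per line:
#   <time> <program> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

# Constructed sample data; addresses are from the documentation ranges.
SAMPLE_LOG = """\
10:00:01 browser.exe -> 192.0.2.10:8080
10:00:02 saver.scr -> 203.0.113.1:8080
10:00:02 saver.scr -> 203.0.113.1:3128
10:00:03 saver.scr -> 203.0.113.2:8080
10:00:04 browser.exe -> 192.0.2.10:8080
10:00:05 ticker.exe -> 198.51.100.7:80
10:00:06 saver.scr -> 203.0.113.3:3128
10:00:07 saver.scr -> 203.0.113.4:8080
garbled line without a destination
10:00:09 browser.exe -> 192.0.2.10:8080
"""

def parse(log_text):
    """Yield (program, dst_ip, dst_port) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def find_proxy_scanners(log_text, threshold=THRESHOLD):
    """Return {program: sorted distinct hosts} for programs that reached
    `threshold` or more different hosts on the proxy ports."""
    targets = defaultdict(set)
    for program, ip, port in parse(log_text):
        if port in PROXY_PORTS:
            targets[program].add(ip)  # a set, so repeat visits count once
    return {p: sorted(ips) for p, ips in targets.items() if len(ips) >= threshold}

if __name__ == "__main__":
    for program, ips in find_proxy_scanners(SAMPLE_LOG).items():
        print(f"{program}: {len(ips)} distinct hosts on proxy ports: {', '.join(ips)}")
```

Counting distinct hosts rather than connections is what separates the scanner from the browser, which makes repeated connections to a single proxy.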
More software is becoming "web enabled". Instant messaging,
network games, stock tickers - all require continuous connection.
Although at first glance a screensaver should not require
Internet access, it is quite reasonable that it might download
a new scene every day. Many software packages might legitimately
"call home" to check for updates, and thereby show unexpected
network access.
Some operating systems already offer access control lists
or capability based access mechanisms.
Software distributed using RedHat Package Manager (RPM)
is often digitally signed against tampering with a PGP or GnuPG
signature. Modern Linux includes firewall filters, controlled with
ipchains. Windows 2000 also contains IP filters. Third-party software
is available for Windows 95, 98; see e.g. Personal Internet Firewalls
at Gibson Research.
Downloading software from reputable sites is safer than
using warez or anonymous freeware binaries, but
there is still some chance of tampering if the site is hacked.
See for instance this report.
Another threat from malware is the possibility of industrial
espionage and data gathering. Instead of launching an attack,
like Trinoo, the malicious program may collect passwords
or data and pass it back to a "mothership", as is done by
Ring Zero. The program may pass data out through a firewall
using email or http.
Users of multiuser systems such as Linux or Windows NT
may use different accounts for
web browsing, games, personal finances etc., so that game programs
and browser plugins cannot access personal data. This
is only a partial solution, though. Users of single-user operating
systems such as Windows 95 may find it best to use a separate PC.
(The little padlock - click on it before you use a credit card and
make sure the certificate belongs to the right organization.)
The certificate authority checks identity before issuing a certificate.
A commerce site which uses regular http instead of SSL (https) is not
necessarily insecure, but it may have a lax attitude to security
in general. SSL protects only data in transit, not in your PC and not
at the merchant.