A Virus Update: No End in Sight
It's another morning on the Internet, and the viruses are among us. On this day, Computer Associate's Japanese security site (http://
All of this is, or should be, required reading for the IT department, but the people who operate these websites think the audience should be much larger. "People need to be vigilant," says Ian Hameroff, security strategist for Computer Associates. "We'll switch on the news every morning because we're very concerned about how what's happening around the world could impact us. But how often do people go to a security vendor's website, like ours here at CA, and find out what viruses are spreading?" He has a point. Terrorist attacks don't just come in the form of exploding bombs. They can come right through the Internet connection, particularly if it's a persistent "always-on" one. Despite mounds of publicity, a stream of operating system patches, plenty of security programs and general awareness, computer viruses continue to cause grief in the world. And there's no end in sight. If 9/
To get a better understanding of where viruses are headed these days, I spoke with Kevin Houle, artifact analysis team leader for the CERT Coordination Center, a major reporting center for Internet security problems, and with spokespeople for three companies that make anti-virus software: Computer Associates, Symantec Security Response, and Trend Micro. (MacAfee Security responded to my interview request too late to be included.) These conversations came in the wake of two viruses that have made the headlines, recently: SoBig and MSBlaster.
SoBig is a so-called "mass-mailer" that spreads initially via email and entices the recipient to click on the attachment. That's the same approach used by earlier viruses like the I Love You virus and Melissa. SoBig relies on "social engineering," a fancy term that simply means you fool people into thinking they've received a legitimate email. Propagation is not by clever technology, but by a clever scam. "It always amazes me the average computer user is still caught off guard by the trickery used by virus creators to help propagate their malicious wares," says Hameroff. But the trickery has gotten trickier since Love Letter. SoBig usually "spoofs" the sender's name, using an address already residing on the infected system. The subject header is innocuous: "Thank you!" "Approved," "Your application." The body is a simple line, a variant on "See the attached file for details." And the attachment is usually a .pif file-Process Interchange Format. Perhaps people have confused it with Acrobat's .pdf extender.
A slicker approach to social engineering was taken by the Sven virus, whose accompanying email has the look and feel of a Microsoft technical letter. It featured the Microsoft logo, blue bars, white on black menu selections, and san-serif typeface-all of which are straight out of the Microsoft website. As some eBay users discovered when an official looking email coaxed them into giving out private information, Web publishing tools have made email forgeries look convincingly real. "Humans in general are very trusting, and that's why social engineering has succeeded all these years," says Hameroff. Trust can undo even the more sophisticated technology fixes. "The best security mechanisms that are not used aren't any better than having no security at all. It's like putting a deadbolt lock on your front door but no one ever using it."
Virus writers have also figured out that they need not rely on a single mode of propagation. Hence the development of the so-called "blended threats"-viruses that may initially spread through email, but also can traverse a local area network. An early example was Nimda, a vintage 2001 worm that initially propagates by email, then searches for an unprotected open share drive. These "open system shares" are typically used in workgroups as a repository for files. Hence what was once a convenience to a group of people collaborating on a project becomes a security vulnerability.
"A lot of the viruses and worms do something called 'enumerating open shares,'" says Hameroff. "They'll go through all the different drive letters to see if one of them is potentially an unprotected, un-passworded connection where they can effectively copy themselves to another person's computer. And some viruses might try to use not just email, but IRC or MSN Messenger or Kazaa. So we're seeing not just a single method of spreading, but viruses that employ multiple methods, and that has contributed to greater 'success' for the attack.
Passive entry: network wormsIn their initial propagation, at least, mass mailers require that the recipient do something-to click on an attachment. MSBlaster, on the other hand, which could be described as a "network worm," spreads strictly via the Internet with no user intervention. "While they are a growing phenomenon, network worms predate viruses," says Trend Micro's David Perry. "The first of them was the Morris Internet Worm of 1988." Robert Morris was a computer science graduate student at Cornell and took advantage of a hole in the Unix sendmail program. For his efforts, Morris received a suspended jail sentence, 400 hours of community service, and a $10,050 fine. "He said the same thing we still hear over and over," says Perry: "'I had no idea it would cause all this trouble.'"
Network worms have spurred the seemingly endless patches to Microsoft Windows. Or more likely, they are reactions to those patches. Perry says that worms take advantage of the loose programming habits afforded by C, which does not automatically clear up memory buffers when they're input to a particular port. That operation, like so much in C language development, is left strictly to programmer discretion-and programmers themselves need to be more vigilant. Worm writers take advantage by intentionally overflowing the port. "First they write a program to the port, then they push through null characters-until the program is lined up with the next memory jump point," says Perry. Doing that means knowing the structure of the program you're pushing to. "If you are pushing to Microsoft Outlook or Internet Explorer, not only are you talking to a program that is widely available, but on which there is a reference library of information available that specifically tells you where to find those jump points."
The buffer overflow is the vulnerability the worm exploits. "It is a door that's left open. The next time the program comes to that location, you are no longer running that program-you are instead running the worm. Usually these days, the first thing the worm does is turn around and download more worm to itself-because that little hook, the initial implant, is not enough to get everything done. It's just the handshake," says Perry. Worms also take advantage of constant Internet connections. Perhaps he's overly cautious, but Perry has connected an infrared motion detector-ordinarily used to switch on the lights-to his router. "When I leave my home office, the router pulls out."
And homes are where most virulent worms are striking. Institutions employ network administrators. Households do not. "Most consumers only patch their operating system when they buy a new computer," says CERT's Kevin Houle. That's not necessarily the case for consumers, and that's why MSBlaster represented a more dangerous kind of worm. "What distinguished Blaster was that it went after remote procedure call (RPC) services that were on by default in Windows XP and 2000, and hence on virtually every PC. Slammer targeted SQL Servers. Nimda was multi-vector, but it primarily targeted IIS [Internet Information Services], Microsoft's Web server. The same was largely true for Code Red and Welchia."
Blaster was so effective that if you didn't patch your computer ahead of its debut, you were probably too late. "With the prolific scanning that Blaster does, you don't have a lot of time-maybe 30 seconds from the time you connect to the Internet until Blaster scans your computer," says Houle. "Even if that number were 90 seconds or 10 minutes, it's not much time to react." After Blaster struck, it was sometimes too late. CERT got calls from people who couldn't stay online long enough to install the patch. And because you could catch Blaster without actually doing anything, CERT heard from plenty of people who mistakenly blamed the infection on the patch, itself-swearing they wouldn't download any others.
The other thing about network worms is that they are persistent. CERT is still seeing Code Red scanning away on the Internet, even though it first appeared in July 2001. "It's easy to think that these problems don't last any longer than the headlines," says Houle. "But this type of code can have a life cycle of two to three years. Mass mailers don't tend to last nearly as long." Houle suggests that you actually disconnect your PC from the Internet when installing software until you have installed the latest patches for that software. The advice is most critical for operating systems, but also applies to all sorts of software. These days, even software with no obvious need for Internet communications may communicate nonetheless. Houle also advises staying current by getting on your vendor's email notification system. That's particularly important for operating system patches, whether you are running Windows, Linux, MacOS or Solaris.
Is the cycle forever?
All of this leads to the question: is the discovery/
A hole is discovered in the operating system, patches are created to fix it, while worms are written to exploit it. Sometimes, Microsoft no sooner issues one patch when another one is needed. "The fear is that we will have a "zero day" where the time between when a vulnerability is discovered and when it is taken advantage of shrinks to virtually zero," says Haley "He says that when a vulnerability is found, you can sometimes detect activity on the Internet that resembles an experimental stage, where virus writers appear to be testing their work. Symantec's DeepSight service attempts to monitor this activity via customers who voluntarily run a program called DeepSight Extractor. The program submits security events to Symantec for evaluation.
Haley sites as an example Blaster's attack via port 135. "Over a normal period, we would see only a limited amount of Internet traffic directed at that port. If suddenly, we detected an increase, maybe we should be concerned. We might not understand the exact nature of the threat, but we know enough to tell our customers: turn off port 135 because there may eventually be a problem."
"Certainly when you have a highly complex environment like Microsoft Windows, the potential for faults to appear are greatly increased," says Hameroff. "It's not necessarily that Windows is written in such a shoddy way that it's Swiss cheese. It's that a large, large system always has the potential for vulnerabilities." Compounding the problem is that computer users don't keep abreast with OS patches. "That's clearly evident in the fact that we've had a number of large scale attacks that have gone after vulnerabilities, like SQL Slammer and MSBlaster. But it's also challenging for end users and enterprises to stay on top of the various different types of patches and workarounds that may be introduced as the result of a discovery of a vulnerability."
Hameroff says that we've grown accustomed to the idea that for every vulnerability discovered, a patch is the only solution. The problem is that people don't always apply the patch in time. "But there are ways to reduce the risk even if you haven't done so," he says. "For example, the appropriate configuration of your firewall, both for ingress and egress, can certainly remove a lot of the potential of your network being attacked.
"What was interesting about SQL Slammer is that although a lot of organizations would block incoming UDP [User Datagram Protocol] packets, they were allowing them to go out. UDP is the other protocol, in addition to TCP/
Hameroff says that when you are evaluating and building a security policy, you should always remember that there isn't much of a difference between the outside and the inside anymore. "There used to be this notion that everything was safe when you were protected by your firewall. With mobility, with broadband home use, with more powerful connectivity even down at the end user desktop, the outside and the inside have blurred. The line has been buffed away over the years. You almost have to compartmentalize your internal network as much as you would the external network."
But if worms are exploiting ports, what ports can you close off? "If you really want to protect yourself, shut everything off," says Hameroff. "That's the closest thing you'll get to 99.
"To state the obvious case, virtually every organization will have port 80 open because they are going to have an Internet website presence and will most likely have outbound access to the Web. They'll have port 25 open for email exchange. So perhaps you should begin by only allowing those to be open and close everything else. If that policy is interrupting a business activity, you'll find out about it because someone will call the help desk and you can evaluate right there and then how opening that port could potentially alter or impact the security policy of the organization."
CERT's Kevin Houle says that malicious code can't exist without a vulnerability to exploit, but not all vulnerabilities are alike "We documented 4,200 unique vulnerabilities last year. That's a lot, but the ones that got the most attention are what we call 'home run vulnerabilities'-meaning they give a remote user full access to the remote machine in a single step. In those cases, once an exploit is written, the amount of additional effort to compromise a remote system is negligible. By the same token, once you patch for a vulnerability, you are protected against all viruses that exploit that vulnerability.
"One of the more common philosophies security is to deny everything except that which is explicitly allowed. We're moving in that directions, away from the opposite: allowing everything unless it is specifically denied. So we'll see software out of the box that will be in a default deny posture. That makes it less useable, but more secure."
The virus hunt continues
Symantec's Kevin Haley says the company sees 10 to 15 new viruses everyday. The company's software can address a total of 65,211viruses as of this writing. Most new viruses never go very far, but as Haley points out, just because a virus is rated with a low severity doesn't mean it can't do serious damage; it only means the damage isn't widespread. One reason for the proliferation is that that virus-creation tools have gotten easier. "There are toolkits that you can download from a hacker site which allow you, with very little programming knowledge, to create your own virus. Every once in a while, we run a search for certain words, like "hacker," to guess how many different sites there are out there that have that kind of information on them. I don't have any data, but my sense is that that number continues to grow, as well. There is more and more information out there."
The diligence and occasional cunning of virus writers has turned virus protection into a thriving industry. Symantec, Computer Associates, Trend Micro and McAfee, among others, are all competing with each other, even while cooperating with shared knowledge, much of it gleaned via the same places the virus-writers go-the Internet.
"We look at Usenet, at hacker sites, at various virus discussion groups," says Haley. "We have a system that automatically forwards viruses to us that are found on a customer's system. We have a lot of software to look at that virus and see right away whether it is known or new. Symantec maintains four response centers around the world. The group will see viruses hit one part of the world first and then follow the sun. "People come into work, read their mail, boom, they send it out and you can see it spread."
While Asia sometimes gets the blame for propagating more viruses, Hameroff believes that has more to do with the path of the sun. "Over the years we've seen attacks that have appeared first in Asia-because those who are creating the attacks are working at night, and it's night time in Europe or North America. So when Asia wakes up, often our initial reports will come from there, because they are the ones that are first operational."
While new viruses crop up daily, only a few virus writers are doing anything original. "There's a lot of sharing among virus writers," says Hameroff. "There are plenty of websites that are run by the black hat community and there's a lot of information sharing that occurs there. Within a couple of mouse clicks, you can download the source code to the Love Letter, or even the latest attacks. And that's just talking about what's available on the web. Certainly virus creators use IRC and chat-type locations on the Internet to communicate with each other."
Some methods of propagation have all but disappeared. "When macro viruses showed up on the scene, there were only about 2000 viruses out there," says Trend Micro's David Perry. "They were written in Visual Basic, and were thus easy to write," and so that number jumped up considerably in just a short time. "But we don't see macro viruses anymore. We were able to write code analysis tools that detect and block the viruses, without knowing the specifics of each one."
Macro viruses, which were once quite popular, represent just a small fraction of current viruses that are at large. Boot sector viruses have all but disappeared, except when someone, often in search of old data, slips in an old, infected floppy disk. "Windows 95 effectively ended the reign of the boot sector virus, but it took about four years for them to go away because that's how long it took for Windows 95 to replace Windows 3.
"A few years ago you may have had 20 or 30 attacks that maybe contributed to a multi-billion dollar impact," says Hammeroff. "Now you take a look at SQL Slammer or Blaster or even SoBig, and you're seeing fewer attacks that are causing the majority of the damage. Although this year we've seen a number of large-scale attacks, they actually represent the minority of viruses we deal with each day."
On the other hand, virus writers are no longer content just to see how far they can get their self-propagating software to spread. Kevin Houle says that virus writers are asking themselves: "Now that I can compromise a quarter million machines in two days, what can I do after that?" The answer seems to be-harness the computer to do something else. "Blaster was designed not just to propagate, but to then launch a denial of service address against a Microsoft address. Code Red did the same against a White House IP address. The evidence suggests that SoBig.
"There's also evidence to suggest that virus writing is no longer just a technical challenge, but has an economical incentive." Just as with the world of organized crime, people are willing to pay others to do their dirty work, in this case, to harness computing power for their own means. "In the underground economy, you could always trade a couple of compromised computers for a couple of credit card numbers. Intruders are now advertising their services for hire, and people are employing intruders to cause damage." In other words, viruses are no longer just a question of technical whimsy, but of supply and demand economics. The profit motive has always been with us, and it alone could drive virus-creation for years to come.