By Don Parker
Viruses are largely a contained threat for anyone running an anti-virus solution. That raises the question of what the next big malware threat is. The answer is the newer and far more damaging worms, Slammer for one. What would happen if someone with real coding talent were to harness the chaotic world of the worm?
The concept of Darwinism is a simple one: only the fittest survive. That is a generalization, but it does boil down to that statement. How does it apply to computer viruses and worms? Simply put, the latest batch of computer viruses is irritating but hardly the stuff of nightmares. These annoying pests are barely noticed, if at all, by the people who are infected by them and who in turn propagate them. In large part this is because the people who are infected have no anti-virus solution on their computers and are largely novice users; it comes down to user education, or the lack of it. For the rest of us, protected by an anti-virus program, they are a minor annoyance: infected emails stream into the inbox, get caught, and are hardly a threat, only a waste of bandwidth.
Are viruses a threat to everyone?
Realistically, the virus scene has not evolved much at a technical level. There has been increased sophistication on the social-engineering side, in the subject line and in the name of the attachment carrying the virus, and that sharpening has already been widely discussed for its effect on propagation. I would venture that the battle between virus writers and anti-virus vendors has almost come down to one of predictability: a new virus comes out, and a signature is quickly added by the vendors.
Can one really say these annoying viruses are a threat anymore if indeed they ever were?
Yes, MyDoom, Swen and Bugbear among others spread quickly (strictly speaking all three are mass-mailing worms, but they still depend on a user opening the attachment), and once again only because users were not protected to begin with. My own opinion of this continuing virus threat is that it is much ado about nothing. There will always be a short window between a new virus appearing and the signature being released, but it is a short one. Much like the perpetual wholesale scanning of computers on the internet by script kiddies and other wannabe hackers, it has simply become part of the internet today. Many people I know refer to it as white noise, or simply part of doing business on the web. So who in reality is threatened by these viruses? Those who have no software solution to protect them, and by extension the very same people who help propagate the virus.
I myself work in a large corporate WAN environment. We have the normal protection in place for this type of threat: all known troublesome attachment types are stripped at the mail server, and anti-virus also runs at the workstation level. Only some of the more successful viruses have impacted us, and even then only for about twenty-four hours or so until we had a new signature from our anti-virus vendor. The threat from viruses is therefore very much a managed risk. One will never be able to fully protect against zero-day exploits, or viruses for that matter, but the threat can be mitigated.
All that being said, how does Darwinism enter into the equation of viruses and worms? With the perceived threat of viruses petering out, what realistically is going to take its place? That is where the worm comes into play. A person with no programming ability can study Visual Basic for a couple of months and then write a simple virus; recall that one of the best known viruses, Melissa, was a Word macro virus written in Visual Basic for Applications. Many people would argue that writing a worm is just as easy. That assertion, in my mind, is very much open to debate. Too many people sneer at the programming abilities of others whilst they themselves cannot write a simple "hello world", much as the term "script kiddie" is thrown around far too often by people who are in reality one themselves.
The new threat: Worms
The worm writer has a much richer harvest to work with: the person can take exploit code that has been publicly released and wrap a delivery vehicle around it. Unlike a virus, which clogs your bandwidth, the worm's payload will quite possibly give system-level or root access on your machine, depending on the platform. We can all agree, I believe, that this is a far greater threat than the loss of bandwidth. Does any virus in recent memory really come close to the Slammer worm? From my perspective the two are not even close, especially since Slammer used UDP as its transport. Microsoft SQL Server's resolution service listens on UDP port 1434, so there was no TCP handshake to complete: the whole worm fit in a single 376-byte datagram, and an infected host could fire copies at random addresses as fast as its link allowed. That made for a lightning-fast infection rate.
In the case of Slammer, once again, the vulnerability it exploited had been known for months. The vendor had released a patch (Microsoft's MS02-039, in July 2002), and yet about six months later, in January 2003, this worm still tore a hole through the internet. Its impact was far more serious than that of a simple virus, and we need to remember that the worm was entirely based on a publicly known exploit that the vendor had already fixed.
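The behaviour just described, one host firing single UDP datagrams at port 1434 of many random addresses, is also the easiest thing to detect. The following is an added example, not code from the original article: a small detector that runs over flow records and flags any source that reaches an abnormal number of distinct destinations on UDP/1434 inside a short window. The record layout (timestamp, source, destination, protocol, destination port, bytes) is an assumption rather than any particular collector's format, and the sample records are constructed for the example.

```python
"""Added example (not from the original article): flag Slammer-style random
scanning in flow records.

Slammer spread by sending one UDP datagram to port 1434 of each random
address, so the signal is a single source talking UDP/1434 to an abnormal
number of distinct destinations in a short window. The flow records below
are constructed for this example; the field layout
(timestamp src dst proto dport bytes) is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    nbytes: int    # payload bytes of the datagram


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src dst proto dport bytes."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport), int(nbytes))


def find_scanners(flows, port=1434, window=1.0, fanout=20):
    """Return {src: distinct_destination_count} for every source that hit
    UDP/<port> on at least `fanout` distinct destinations within any
    `window` seconds. Only destination fan-out is counted, so a legitimate
    client polling one or two SQL servers repeatedly is not flagged."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "udp" and f.dport == port:
            per_src[f.src].append(f)
    hits = {}
    for src, fl in per_src.items():
        start, best = 0, 0
        for end in range(len(fl)):
            # slide the window start forward until it spans <= `window` seconds
            while fl[end].ts - fl[start].ts > window:
                start += 1
            best = max(best, len({x.dst for x in fl[start:end + 1]}))
        if best >= fanout:
            hits[src] = best
    return hits


def build_sample_log():
    """Constructed flow records: one infected host, one normal client, one
    unrelated TCP talker."""
    lines = []
    # constructed: infected host sweeping 30 addresses in 0.3 s, 376 bytes each
    for i in range(30):
        lines.append(f"{100.0 + i * 0.01:.2f} 10.0.0.7 192.168.0.{i + 1} udp 1434 376")
    # constructed: legitimate client polling its two SQL servers every 0.3 s
    for i in range(30):
        lines.append(f"{100.0 + i * 0.3:.2f} 10.0.0.5 10.0.1.{1 + i % 2} udp 1434 60")
    # constructed: unrelated TCP traffic to port 1433, many destinations
    for i in range(25):
        lines.append(f"{100.0 + i * 0.02:.2f} 10.0.0.9 10.0.2.{i + 1} tcp 1433 200")
    return lines


def analyze(lines):
    """Parse the records and return the flagged sources."""
    return find_scanners(parse_flow(line) for line in lines)


if __name__ == "__main__":
    print(analyze(build_sample_log()))   # {'10.0.0.7': 30}
```

The check keys on fan-out per unit time rather than on packet size or payload bytes, so it would have caught Slammer even though no signature existed on the day; the cost is that any fast UDP/1434 sweep, including an authorised vulnerability scan, trips it, which is why the threshold and port are parameters.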
This is where Darwin comes into play. What would have happened if the worm writer had inserted a zero-day exploit into the worm instead of a known one? That would have been a far more lethal and unsavory prospect. To be quite honest, it surprises me that it has not happened yet. Why has no zero-day exploit been folded into a worm? This is realistically the next evolutionary step in the progression of the worm, and a rather frightening one.
Tomorrow’s super worm?
To that end I was discussing this with a colleague who also does exploit development as part of his computer security work. I asked him whether my doomsday worm scenario made sense to him, since he does exploit development. After some discussion we came up with what we both agreed was a plausible scenario. My own train of thought had been simply to have the worm make some changes to the CMOS. What if instead, as my colleague suggested, the worm's payload encrypted the hard drives of the computers, and the encryption seed changed each time the worm spread?
Let's apply this quickly to a real-world example of how it could transpire. First you would need a very talented developer. Unlike my colleague and others of his caliber, some developers do not share that strong sense of ethics. For our case study we will explore the damage such a malicious developer could cause.
This person decides to bring order to the chaotic world of the worm. The target, chosen deliberately, is a pharmaceutical company whose data is stored on computers within the internal LAN: data such as the formulation of a new anti-depressant drug with several billion dollars of research and development sunk into it. Our malicious developer finds the weak point in the pharmaceutical company's online presence and gains entry. Within minutes of the initial breach the entire internal LAN is compromised by the worm. Come morning the staff arrive to find all the data on their computers utterly useless. Everyone panics, and then the company's CSO receives an email stating the developer's financial demands for undoing the damage caused by his worm.
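The payload in this scenario has one unavoidable footprint: to make every file "utterly useless" it must rewrite a large number of files in a short time, and the rewritten contents are ciphertext, which has near-maximal byte entropy. The following is an added example, not code from the original article and not the worm itself: a host-side check that runs over file-write events and flags a process rewriting many high-entropy files within a short window. The event layout, the process names and the paths are assumptions, the events are constructed for the example, and the high-entropy bytes are generated with SHA-256 to stand in for ciphertext so the example is deterministic.

```python
"""Added example (not from the original article): a host-side check for the
'encrypt everything on the LAN' payload described in the scenario.

A worm that encrypts a disk has to rewrite many files quickly, and
ciphertext has near-maximal byte entropy, so a process that rewrites many
high-entropy files in a short window is the signal. The events below are
constructed for this example; in practice they would come from a file
system audit trail or an endpoint agent. Process names, paths and the
event layout are assumptions.
"""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: float       # seconds
    process: str    # writing process (assumed naming)
    path: str       # file written (assumed paths)
    data: bytes     # bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_mass_encryptors(events, window=10.0, min_files=20, min_entropy=7.5):
    """Return {process: files_rewritten} for processes that wrote at least
    `min_files` distinct high-entropy files within any `window` seconds.
    Both conditions matter: a slow backup job writes high-entropy archives
    but not many per window, and a busy editor writes often but plaintext."""
    per_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(e.data) >= min_entropy:
            per_proc[e.process].append(e)
    hits = {}
    for proc, ev in per_proc.items():
        start, best = 0, 0
        for end in range(len(ev)):
            while ev[end].ts - ev[start].ts > window:
                start += 1
            best = max(best, len({x.path for x in ev[start:end + 1]}))
        if best >= min_files:
            hits[proc] = best
    return hits


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext.
    Constructed with SHA-256 so the example runs identically everywhere;
    this is not encryption."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def build_sample_events():
    """Constructed write events: the worm payload, a normal user, a backup job."""
    events = []
    # constructed: the payload rewriting 40 research documents in 4 seconds
    for i in range(40):
        events.append(WriteEvent(500.0 + i * 0.1, "svchost-lookalike.exe",
                                 f"/share/rnd/compound-{i:03d}.doc",
                                 pseudo_ciphertext(bytes([i]), 4096)))
    # constructed: a user saving the same plaintext report repeatedly
    text = b"Phase II trial notes: dosage 20mg, placebo arm n=120. " * 80
    for i in range(40):
        events.append(WriteEvent(500.0 + i * 0.1, "winword.exe",
                                 "/home/alice/report.doc", text))
    # constructed: a backup job writing compressed archives once every 30 s
    for i in range(40):
        events.append(WriteEvent(500.0 + i * 30.0, "backup.exe",
                                 f"/backup/vol-{i:03d}.gz",
                                 pseudo_ciphertext(b"backup" + bytes([i]), 4096)))
    return events


if __name__ == "__main__":
    print(find_mass_encryptors(build_sample_events()))  # {'svchost-lookalike.exe': 40}
```

This is a tripwire rather than a cure: it fires once the first few dozen files are already gone, so its value is in stopping the spread across the rest of the LAN and in preserving the evidence an incident handler needs. The only real answer to the scenario's ransom email is offline backups that the worm could not reach.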
Does my take on the evolution of the worm sound far-fetched? Let me assure you it is very much a possibility. To the vast hordes of computer users out there the world of the elite coder may seem surreal. It is a very tight-knit community of ethically minded peers who, thankfully for us, have a clearly defined sense of right and wrong.
Don Parker, GCIA GCIH, specializes in intrusion detection and incident handling. He has also been a guest speaker at various network security conferences and has written for various online and print media on computer security. You can contact Don Parker at [email protected]