Security Information Week 11, 2004

Introduction

It is hardly controversial to claim that the end of February and beginning of March 2004 was the worst period ever regarding the sheer number of new malicious programs threatening the Internet community. New variants of Bagle, MyDoom and Netsky were spread daily - sometimes even more than once per day.

A widespread theory is that what we witnessed was a kind of war amongst different groups of malware writers. If this is true, lots of "innocent bystanders" were severely harmed by this "shoot-out".

Whatever the reason, the antivirus vendors had to keep their staff on high alert around the clock, and spare time was no longer an option. This is eloquently described in an article by Bob Sullivan from MSNBC.com's Technology section.

However, this Security Information will not elaborate on a possible war in the malware writers' inner circles, or on a similar campaign against the antivirus industry. We will focus on a threat that is potentially much worse.

Note that everything written here is available on the Internet through a search with any of the popular search engines, and is therefore presumably well known to any writer of malware. Thus, we are not in the slightest worried that a person with malicious intent and the capability to carry out her talent will get any new ideas from what is presented here.

The "perfect" piece of malware

Ever since the Morris worm in November 1988, articles have been published on the Internet and in other media that suggest how to create "the most malicious program ever".

One such article is "Worst Nightmares Come Alive" from May 2000 by Reolof Temming. This article discusses, quite convincingly, ways to spread a malicious program in an effective manner, as well as techniques to avoid detection by antivirus programs and/or intrusion detection software.

In May 2002 an extremely interesting paper was published by Stuart Staniford of Silicon Defense, Vern Paxson of ICSI Center for Internet Research and Nicholas Weaver of UC Berkeley. The paper held the challenging title "How to 0wn the Internet in Your Spare Time", and is well worth reading for any security-conscious person.

Unlike Temming's article, this one approaches the issue from a scientific angle, using mathematical models based on the actual behavior of previous malware, and applying these models to the analysis of "better" constructed malware.

Both these documents argue that it is surprisingly easy to create a malicious program that can infect more than one million computers in a short time, provided certain criteria are fulfilled. And with that many infected computers under a malicious person's control, the Internet will be unsafe for a very long time.

Let us examine some of the characteristics of a perfect piece of malware, based on the paper by Staniford, Paxson and Weaver.

The goal

Let us assume that a person’s (or an organization’s, or a nation’s - in a situation with cyber war between states) goal is not only to wreak havoc by spreading a program with no payload. She has a much more ambitious end, as she intends to control the Internet to some extent, including shutting down part(s) of the Internet and/or particular domains.

Distributing the malware

Our person with evil intent aims to "own the Internet", not by paying a large sum of money, but by seizing it through the use of malware. The first step for her would be to distribute this malware.

The use of WORMS as spreading mechanism

According to the authors, the most efficient way to spread malware is by using worms. Note that they do not use the term "worms" for programs that spread by email attachments - worms in this context are defined as programs that replicate by themselves by using security flaws in installed software. The advantage of using security flaws as the spreading mechanism instead of human interaction is that the malicious person is not dependent on any other humans than herself. She only has to "trick" computers, and this facilitates easy testing and fine-tuning of the malware.

We have seen examples of such worms all through the history of the Internet. The previously mentioned Morris worm was the first (or at least the first famous one). More recent examples are the CodeRed worms, Nimda, SQLSlammer and the Blaster worms.

One characteristic of these worms is that they spread very fast. As we shall see, the potential to increase this even further is huge.

ADDITIONAL spreading mechanisms

The previous chapter argued that worms (as defined above) utilizing security flaws in installed programs are the most efficient spreading mechanism. However, the disadvantage of this technique is that when a vulnerable program is patched, this spreading mechanism does not function any more. It may therefore be smart to add additional spreading mechanisms.

To avoid detection during the initial spread by the worm itself, the initiator builds a facility into the malware that activates other spreading mechanisms at a certain point in time after the initial worm has infected a computer.

This technique enables the malware to live much longer, as it is able to spread even though the systems vulnerable to the worm are patched. We saw this clearly when comparing the CodeRed worms and Nimda. The latter had additional methods for spreading and endured a much longer life as active malware.

Speeding up the spreading

One significant factor in a worm’s success in infecting as many computers as possible is speed.

Staniford, Paxson and Weaver’s paper points out four different techniques to increase the rate of infecting vulnerable computers. To go into these in detail is beyond the ambition of this Security Information, and we will only mention them in brief:

Hit-list scanning

Identifying a set (10 - 50,000) of potentially vulnerable computers, preferably with fast access to the Internet, and providing the worm with this list. In case of a successful infection the initial worm splits the list, keeps one part for itself and transfers the rest to the "child worm".

Several techniques can be used to generate the hit-list, depending on the vulnerability that one wants to exploit.

When all machines on the hit-list are scanned (and vulnerable computers infected), other techniques for finding hosts are applied.

Permutation scanning

Simply put: when a worm scanning computers in, e.g., a certain IP range finds a computer that is already infected, it knows that another worm is already working on that range and thus switches to another IP range. This eliminates a situation where several worms scan the same computers.

The authors of the paper discussed here, postulate that a combination of the two scanning techniques mentioned above may create a Warhol worm - a worm that attacks almost all vulnerable targets in possibly less than 15 minutes.

The name Warhol worm is of course after Andy Warhol's famous prediction in 1968 that "In the future everybody will be world famous for fifteen minutes."

Topological scanning

This technique employs information on the infected servers to find other targets to scan. Typically this can be email addresses, URLs etc. on the infected computer, depending on the vulnerability of the exposed targets.

Internet scale hit-lists

The fourth method mentioned is a variant of the hit-list technique mentioned above, but it requires that the attacker has the ability/resources to compile a list of virtually all computers on the Internet that run the program with the particular vulnerability she wants to exploit.

The authors call such a worm a Flash worm and predict that such a worm could infect all vulnerable targets in seconds.
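The four techniques above all shorten the same curve: the growth of the infected fraction of the vulnerable population over time. Staniford, Paxson and Weaver describe that growth with a simple logistic ("random constant spread") model, which they fit to Code Red. The following Python is an added example by this editor, not code from the paper or from this Security Information; it uses the model to show how a larger initial seed (a hit-list) and a higher per-worm infection rate K shrink the time a defender has to react. The population size, the value of K and the hit-list sizes are constructed assumptions, not figures from the page.

```python
import math


def infected_fraction(k, a0, t):
    """Infected fraction a(t) under the logistic model da/dt = k * a * (1 - a),
    starting from fraction a0 at t = 0.  k is the number of new infections a
    single infected host causes per unit time while most targets are still
    uninfected (scan rate times density of vulnerable hosts)."""
    growth = math.exp(k * t)
    return a0 * growth / (1.0 - a0 + a0 * growth)


def time_to_fraction(k, a0, target):
    """Closed-form inverse of infected_fraction: time until fraction `target`
    of the vulnerable population is infected."""
    if not 0.0 < a0 < target < 1.0:
        raise ValueError("need 0 < a0 < target < 1")
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def compare_seeding(k, vulnerable_hosts, hitlist_sizes, target=0.99):
    """Time to reach `target` for a single initial infection versus a worm
    that starts with every host on a hit-list of the given sizes already
    infected (hit-list scanning as described above).  Returns
    {seed_size: time} in the same time unit as k."""
    results = {}
    for seed in [1] + list(hitlist_sizes):
        a0 = seed / vulnerable_hosts
        results[seed] = time_to_fraction(k, a0, target)
    return results


if __name__ == "__main__":
    # Constructed assumptions: one million vulnerable hosts, K = 1.8 per hour.
    vulnerable = 1_000_000
    k_per_hour = 1.8
    print("seed hosts  hours to 99% infected")
    for seed, hours in compare_seeding(k_per_hour, vulnerable,
                                       [1_000, 10_000, 50_000]).items():
        print(f"{seed:>10}  {hours:6.2f}")
    # A faster scanner (larger K) compresses the same curve further.
    print("single seed, K = 18 per hour:",
          f"{time_to_fraction(18.0, 1 / vulnerable, 0.99):.2f} hours")
```

The model ignores network saturation and patching, so it is optimistic for the attacker in some respects and pessimistic in others; its value for a defender is the shape of the result, not the exact numbers. A larger seed removes the slow early phase in which human responders would normally notice the worm, which is exactly the point made under "Defense mechanisms" below.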

Defense mechanisms against the distribution of the malware

Obviously, with worms spreading as fast as those discussed here, human action cannot possibly defend against the infection of a multitude of computers.
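If humans cannot react in time, the reaction has to be automatic and keyed to the one property every scanning worm shares: an infected host suddenly contacts far more distinct addresses per second than it ever did before. The following Python is an added example by this editor, not code from the paper or from this Security Information. It runs a simple "fan-out" heuristic over a constructed connection log (timestamp, source, destination, port per line) and reports sources that contact more than a threshold of distinct destinations inside a sliding time window, while leaving a host that merely talks a lot to one server alone. The log lines, addresses, threshold and window size are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque


def build_sample_log():
    """Constructed connection log, one 'timestamp src dst port' per line.
    Addresses use the documentation ranges; nothing here is a real host."""
    lines = []
    t0 = 1078000000.0
    # Ordinary host: six distinct destinations spread over twelve seconds.
    for i in range(6):
        lines.append(f"{t0 + 2 * i:.3f} 10.0.0.5 192.0.2.{10 + i} 80")
    # Chatty host: forty connections to the SAME server in half a second.
    for i in range(40):
        lines.append(f"{t0 + 0.01 * i:.3f} 10.0.0.7 192.0.2.50 80")
    # Scanning host: forty DISTINCT destinations in under half a second.
    for i in range(40):
        lines.append(f"{t0 + 5 + 0.01 * i:.3f} 10.0.0.9 198.51.100.{i + 1} 135")
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)


def detect_scanners(lines, window_seconds=1.0, max_distinct_dsts=20):
    """Return {src: first_alert_timestamp} for every source that contacted
    more than max_distinct_dsts distinct destinations within any
    window_seconds-long sliding window.  Lines must be in time order."""
    recent = defaultdict(deque)      # src -> deque of (ts, dst) inside window
    distinct = defaultdict(Counter)  # src -> dst -> count inside window
    alerts = {}
    for ts, src, dst, _port in (parse_line(line) for line in lines):
        queue, counts = recent[src], distinct[src]
        # Expire events that have fallen out of the window.
        while queue and ts - queue[0][0] > window_seconds:
            _old_ts, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        queue.append((ts, dst))
        counts[dst] += 1
        if len(counts) > max_distinct_dsts and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, ts in detect_scanners(build_sample_log()).items():
        print(f"fan-out alert: {src} at t={ts:.3f}")
```

The threshold and window are the tuning knobs: too low and busy but legitimate hosts (mail relays, crawlers) fire constantly; too high and a slow scanner slips underneath. A heuristic of this kind is only useful because it needs no signature, so it can act during the first seconds of a previously unseen worm, whether by alerting, rate-limiting the source, or cutting it off.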

Updating and controlling the malicious program

As we have seen in the scenario above, our evil person has been able to infect almost all vulnerable computers on the Internet with her malicious program.

This could have happened so fast that nobody yet knows that a vast number of computers are infected.

What would be her next move?

Of course the malicious program could have been set up to launch a Distributed Denial of Service (DDoS) attack on certain computers/domains, and would most likely succeed. There are several examples of DDoS attacks causing disruption of services over the years; the most recent is the MyDoom worm's (successful) attempt to stop www.sco.com from being reached.

However, she is much more sneaky, as she does not want her world wide fame to last only fifteen minutes!

We have seen that several of the worms/viruses that have emerged In the Wild have more - or, mostly, less! - successful methods for updating themselves.

Both the articles mentioned in the introduction discuss ways to issue commands to the malicious program.

Staniford, Paxson and Weaver’s paper outlines a way for distributed communication between the worms, in such a way that a command sent to any worm will be distributed to the others, using encrypted communication between the different instances of the malicious program.

They also draw attention to the fact that it is theoretically possible to issue commands to the worm of such a character that new, different child worms may be created and spread to the already infected computers all over the Internet, or used to attack other computers with different vulnerabilities. A side-effect of this technique is that the worm's children and grandchildren might live long after the original malicious program was discovered and removed from the computers.

The antidotes - are there any?

The authors of "How to 0wn the Internet in Your Spare Time" discuss what to do to defend ourselves against the threat they describe.

They recommend the same approach as is used in the world of medicine: establishing "Cyber-Center(s) for Disease Control". They also outline the roles of such center(s).

A different - complementary - approach might be to increase the research and resources aimed at stopping (potentially) malicious programs based on their behaviour - a technique already in use in Norman Sandbox technology.

In theory this method could stop the worm from infecting the vulnerable computers. It could also stop the payload of the malicious program if the worm had already succeeded in infecting a computer.

References, further reading, listening etc

Per Olav Førland