During the latest 10 months the "top three" malicious programs ("malware") with respect to spreading have wreaked havoc on networks and stand-alone computers around the world.
These programs are:
This Security Information will focus on a different angle - why did these particular programs become so widespread?
There are more than 50,000 different malicious programs identified by the antivirus industry. Of these, fewer than 1,000 are "In the Wild".
Nevertheless, almost every week there are malicious programs that cause a lot of problems for users and corporations. Let us attempt to examine why some malicious code in the wild affects many customers and reaches pandemic proportions, while other code only affects an unlucky few.
For any program to become a potentially big threat, there seems to be a "critical mass" of computers that must be infected. Unless successful infection of a certain number of computers is accomplished, the potential for being a major threat seems almost zero. This "critical number" of computers is impossible to calculate exactly (it also depends on whether the infected computers are strategically placed or not), but one may assume that the number is quite low.
The reason why some malware reaches this threshold while other malware does not may be purely coincidental.
However, when a critical mass of computers is infected, the potential for becoming a major threat is there. Why then do some malicious programs reach major proportions and continue to be a threat after several months, while others "die" after a few days without reaching far beyond the critical mass? (SirCam, mentioned above, was first discovered in July 2001 and is still, ten months later, among the top threats listed by antivirus vendors.)
Let us examine some characteristics of the malware that reaches major proportions. Not all of them need to be present for a malicious program to spread successfully, but they are all indications of whether malware has the potential to become a major problem or not.
Perhaps the most important characteristic is that email is by far the most effective way to spread malicious software. Even though some malware has successfully used e.g. web server infection (and thereby web pages) to spread, this has usually been in addition to email.
Social engineering is one of the most important tools for malicious persons to use when they want access to premises or sites they are not supposed to access. It is similar with malware. It seems certain that malware which uses intriguing and clever techniques to get the user to e.g. open the email and/or click the attachment has a much higher probability of reaching major spread than malware that is more "lame" in its approach.
There are several examples of this. All three malware programs mentioned in the introduction use some tempting subject/body/attachment. Other malware with similar characteristics that has affected many users includes "Anna Kournikova" and "LoveLetter".
One other aspect of social engineering is the technique used for harvesting email addresses. Several malicious programs collect email addresses from the user's Windows address book and send infected emails to those. Thus, the probability that the recipient opens the email is higher, as it presumably comes from a person he/she knows, than if the email came from a totally unknown person.
Harvesting email addresses from the web cache on the infected computer is another way to get email addresses, used as both sender and recipient of the malicious email. When the sender address is "spoofed", the real infected sender is not notified by the recipient's antivirus program, thus disabling part of the mechanism that is instrumental in stopping a world-wide infection of computers.
Two of the three malware programs mentioned in the introduction use a security flaw in Microsoft's Internet Explorer to infect a user. It enables an attachment to run without the user opening it, which of course has huge potential for infecting users. This is an issue for which Microsoft provided a patch more than one year ago. Still, however, there obviously are lots and lots of unpatched systems around.
Other malware utilizes other security issues. Exploiting such issues seems to have been a much used technique for spreading during the last year.
Another characteristic of some of the widespread malware is the use of different techniques to spread.
This has two different aspects:
Both of these enable the malware to attack a non-infected user several times in apparently completely different ways.
The fact that some malware spreads by combining several different subjects, email bodies and attachments in its emails also has another worrying aspect: it makes it more difficult for network administrators to filter the malicious emails based on known parameters, as the combinations can be too many. W32/Klez.H is an excellent example of this. Read the virus description of Klez.H carefully to see the problems involved in filtering all the different variants of this worm/virus.
One should also mention that how easy or not it is to get rid of malware once infected is an issue. Some malware uses different techniques to reinfect, e.g. after a reboot, and/or substitutes crucial operating system files with itself, thus making the computer unusable if the infected file is merely deleted.
One major reason why malware is able to spread is, as mentioned above, that it utilizes security issues in the operating system itself (e.g. Windows NT) or in certain applications (e.g. Internet Explorer). This means that one has to change one's behaviour when a new computer is put into production.
Either the software vendor must be able to install a secure operating system and other applications on the PC (so far there seems to be no indication that this is going to happen in the near future), or we as users must take action ourselves. The latter means that we have to change the way we think and act when acquiring a new computer. We cannot start to use a new PC with software, presuming that it functions as we want with respect to security!
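To make the filtering problem above concrete, here is an added example (not from the original article, and not Klez-specific): a subject-line blocklist compared with a structural rule that looks at the attachment instead, run over three constructed variants of one mass-mailer. The risky-extension list and sample messages are assumptions for illustration.

```python
# Added example: why filtering on known subject lines fails against a
# mass-mailer that varies subject/body/attachment, and why a structural rule
# (executable attachment, whatever the subject) holds up better.
# All messages below are constructed; the "attachment" is plain text.
from email import message_from_string
from email.message import Message

# Subject-based blocklist: catches only variants whose subject is already known.
KNOWN_SUBJECTS = {"a funny website", "meeting notice"}

# Attachment extensions typical of mass-mailing worms (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")


def subject_rule(msg: Message) -> bool:
    """Match by exact (case-insensitive) subject only."""
    return (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS


def structural_rule(msg: Message) -> bool:
    """Flag an executable attachment regardless of subject or body text."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            return True
    return False


def build_sample(subject: str, filename: str) -> str:
    """Constructed MIME message with a harmless text payload as the attachment."""
    return (
        "From: colleague@example.com\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nplease look at this\r\n"
        f'--b1\r\nContent-Type: application/octet-stream; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        "not a real program\r\n--b1--\r\n"
    )


# Three variants of one mass-mailer: the subject changes, the payload type does not.
VARIANTS = [
    build_sample("A funny website", "setup.exe"),
    build_sample("Re: your document", "photo.scr"),
    build_sample("Meeting notice", "report.doc"),
]


def evaluate(raw: str) -> dict:
    """Return which rule fires for one raw message; block if either fires."""
    msg = message_from_string(raw)
    hit_subject, hit_struct = subject_rule(msg), structural_rule(msg)
    return {"subject": hit_subject, "structural": hit_struct,
            "block": hit_subject or hit_struct}
```

The second variant slips past the subject blocklist but not the attachment rule; the third shows the reverse, so a gateway needs both kinds of rule rather than a list of known subjects.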
Countless jokes have been made comparing a PC with Windows installed to a car. Below is another contribution, which hopefully illustrates the major change in attitude involved here.
Per Olav Førland