15 September 2005
Since the early days of computer malware, we have seen examples of viruses, worms etc. which are designed in such a way that they use security holes in operating systems and applications to propagate.
In recent years, however, the tendency for malware to exploit flaws in computer programs seems to have increased.
One reason why a malware author wants to exploit a security hole in e.g. an operating system to infect a system and spread to other computers may be that ordinary users have become more aware of the danger of unknown attachments. This increased awareness is probably a result of the media exposure that the email attachment as a spreading mechanism has received. The author therefore turns to other means to spread her malware.
Some of the more notorious malware from recent years that uses program flaws to propagate has been:
There are several interesting points that may be observed when analysing the tendencies of malware that propagate through security flaws:
It has become common for malware to use more than one method of spreading. In addition to exploiting a security hole in an application, it relies on other methods as well, such as sending itself as an email attachment.
That way the malicious program may spread even to computers that are patched and therefore no longer vulnerable through the application flaw.
This is not a characteristic of such malware in particular, but rather of many recent malicious programs.
They consist of several different programs, which together create a "cocktail" of infections that may be very difficult to get rid of. If the infected user manages to delete one component, other components may still be active and recreate the deleted file or process almost instantly.
This tendency is obvious when one compares how long it takes from the time a security hole in an application is discovered until the first malware that exploits it appears. Some years ago this period was weeks or months; nowadays it is a matter of a few days. One of the nightmares for those responsible for security in corporations around the world is malware that is released so soon after a security flaw has been discovered that the vendor of the vulnerable program has not yet been able to provide a patch. Such scenarios were discussed in one of Norman's Security Information articles last year (the link opens in a separate browser window).
The above implies that a piece of malicious software is released after a security issue has been discovered. Policies for making knowledge about such vulnerabilities available to the general public have been debated for years. The current consensus (if there is one) seems to be that the responsible way is to alert the vendor of the vulnerable program "some time" before the vulnerability is made public, so that the vendor has the opportunity to create and distribute a patch.
What if someone discovers a vulnerability and creates a malicious program without notifying the vendor before she releases the malware to the Internet community?
The infamous malicious programs that get the most media attention are not designed to target specific organizations. Rather, they are designed to spread as efficiently as possible and thereby infect as many computers as possible. [It should be noted, though, that some malware does target specific organizations, not by infecting them but by launching a Distributed Denial of Service attack against them from infected computers.] There are a few frightening scenarios that one could easily imagine concerning this kind of malware.
One big (and scary) question is the following:
What if someone decides to target an organization or a specific country with a particular malicious program that utilizes a security hole which is not known to the vendor or the public?