Learning lessons about computer security
Paul Ducklin, Information Age
18/08/2006 11:46:59
Computer security is a large and complex battleground in which there are many opponents. Ill-advised users, badly-written software, disaffected employees, unscrupulous competitors, organised criminals, hackers, even security vendors themselves (if the conspiracy theorists are to be believed) seem to be lined up against us. The Bad Guys really are out to get us.
Nowhere is this threat more visible or more sustained than in the field of malicious software, or malware. Malware covers a wide range of threats with dramatic-sounding names such as viruses, worms, Trojans, spyware, bots, rootkits and more. By looking at the history of malware, and how we have dealt with it, we can better defend ourselves in the future.
Malware: what are viruses and Trojans?
Very broadly speaking, malware can be split into two categories: viruses and Trojans. Trojans, by the way, are named after the Wooden Horse of Troy, which legend tells us was left behind by the Greeks as a gift after they decided to pack in their long-running war against the city of Troy.
What happened next is very much the way many PCs become infected by malware these days: the whole thing was a trick. The Greeks had only pretended to surrender. The navy sailed no further than around the headland, where they anchored and waited for darkness. The wooden horse was hollow, with a number of heavily armed infantrymen stashed inside. The carrot was dangled. The stick would come later.
Despite warnings that the whole situation seemed too good to be true, the Trojans dismantled their city gates, wheeled the enormous horse inside, and started to party. For a while, everything seemed to be going fine, until the secret door in the horse opened up, the navy sailed back, and the Trojans were quickly defeated. This is hardly surprising: they ignored expert advice; they believed what they wanted to see rather than what they had been reliably informed; they intentionally lowered their defences; and they pretty much guaranteed their own downfall.
But what about computer viruses and computer Trojans? Viruses are programs which are capable of transitive self-replication. This is a fancy way of saying that they are able to spread themselves -- perhaps from file to file, or from disk to disk, or from PC to PC. Common types of virus include parasitic infectors, which spread by injecting themselves into host files, such as existing .DOCs or already-installed .EXEs, and worms, which are simply self-contained viruses which spread as complete objects and do not need a host file.
Although many viruses do more than simply spread (for example, there is a virus which tries to ruin your PC's motherboard on April 26), self-replication alone is enough to make viruses dangerous, because it leads to a lack of control and consent over how and where the code runs. There is simply no such thing as a benign virus. Indeed, if you deliberately spread a virus, you can be sent to prison in many countries, including Australia, because the virus commits the joint crimes of unauthorised access and unauthorised modification on your behalf.
Trojans, in contrast, are programs which secretly perform malicious functions. Unlike viruses, they do not spread by themselves. Of course, this means that viruses and Trojans often go together -- the viral component acts as an automatic distribution system across your network and the Trojan stays in the background on all your PCs. If you remove just the Trojan, the virus will redistribute it. If you remove just the virus, the Trojan will remain to do its dirty work.
Malware: where does it come from?
By the middle of 2006, approximately 180,000 distinct pieces of malware were known. Many people assume this large number is a result of random mutation, because it is technically possible for a new virus or Trojan to arise by chance. For example, network errors whilst a worm is copying itself from your PC to your file server might result in a different, but still-working, variant of that worm. However, this sort of accidental evolution is rare.
Malware which is randomly modified often breaks altogether, posing no further threat. The vast majority of the 180,000 viruses and Trojans in existence have been created and distributed quite deliberately. Even when new malware is only a minor variant on an existing sample -- perhaps with just a byte or two changed -- it is almost always intentionally adapted into this new form.
What this suggests is that there are numerous malware writers out there. We don't know the exact number, but we can at least set some likely upper and lower limits. We know, of course, that there is more than one person, because there have been a number of different individuals convicted for offences related both to writing and to disseminating malware over the past 20 years.
We also know that there are fewer than 180,000 different malware authors, because some individuals have written several (sometimes many -- possibly even hundreds) of different pieces of malware. We can tell this either because they make believable claims to have done so, or because their programming style can be seen in numerous malicious creations. (When judging programming style, we need to take the entire virus or Trojan into account, not just snippets of it, because much malware borrows a variety of pieces of existing code, thus showing several different styles.)
A reasonable estimate is that there are around 1000 people who have been, or are now, involved in malware creation.
Malware: who writes it?
These malware creators fall pretty much into one of two camps: counterculture, or organised crime. Interestingly, the latter group did not become visibly involved until early this century, making the turn of the millennium a rough and ready watershed in any history of the malware problem.
A glib overview of the 20th century's malware authors is that they were largely male, single and under 25. Many, though, were much younger than that, and seemed to use malware writing largely as an act of rebellion against authority, and in order to prove themselves to other like-minded youngsters.
Counterculture malware writers almost always operate under nicknames, or handles (since to use their real names would invite the direct attention of the authorities), and often identify with a specific malware-writing group. There is even a notation for this, so "Benny/29A", for instance, was the virus writer Benny from the group 29A. (The name is nerdy humour, or what passes for it, because the Number of the Beast, 666, comes out as 0x29A in hexadecimal.)
Malware groups are often competitive or combative, insulting one another with hidden messages inside their creations, and sometimes cooperative, deliberately sharing code or openly publishing ideas for new malicious techniques. Their activities are often immoral, and when deliberate malware distribution is involved, criminal. Some malware writers know this to their cost, having been investigated, charged, convicted and, in several cases, sent to prison.
A common excuse heard in court was that the malware they had written and released was intended for research only, or was just to prove a point, or wasn't supposed to spread as fast as it had. But as early as 1988, Robert T Morris had written and let loose the infamous Internet Worm, which brought the Internet as it was then to its knees, and an American court subsequently held him culpable despite his suggestion that he simply hadn't realised how badly it was going to turn out.
Generally speaking, however, this sort of malware author seemed only to seek to achieve some kind of imaginary coding glory by provoking a large virus outbreak, or to shake a fist at the world by programming a dramatic and indiscriminate warhead. Chen Ing Hau, a Taiwanese university student, actually managed to do both at once in the late 1990s with his Chernobyl (or CIH) virus, which spread to all parts of the globe and tried to wipe out PC motherboards on April 26. Nevertheless, there rarely seemed to be a secondary criminal purpose in this sort of malware.
Over the past five years, this has changed significantly. More and more malware is being written or used with the ultimate motivation of making money. Organised crime is recognising how the Internet can be used in a variety of ways to steal from others. Ways in which money can be made include phishing, spam, standover, spyware and ransomware.
Malware: what can it do?
It is worth looking at some examples of recent malware which has either been written by (or to order for) organised crime, or suborned into criminal activity. Recognising the range of ways in which malicious code can generate illegal income is a good start in designing and building appropriate defences, and in understanding the mindset of the enemy.
SophosLabs, for example, has published the following headline items, amongst many others, in 2006 alone:
* Court hands hefty fine and jail sentence to Israeli spyware couple
Having previously entered into a plea bargain to be sentenced to four and two years in jail respectively, a married couple in Israel have also been fined approximately $A600,000.
Their Trojan, which helped private investigators spy on their clients' business competitors, was said to have been originally created as a practical joke before being marketed. Since the couple were arrested, several private investigators have also been indicted.
* 20-year-old zombie king pleads guilty - faces jail sentence
A 20-year-old California man has pleaded guilty to seizing control of hundreds of thousands of zombie computers, using them to display cash-generating adverts, and renting them out to hackers to send spam campaigns and launch denial of service attacks.
* Police arrest 55 suspected hackers in Brazilian phishing swoop
Police in Brazil have arrested 55 people suspected of being part of a gang which phished millions from online bank accounts. According to the police, the gang broke into approximately 200 accounts at six different banks by infecting Internet users' computers with spyware to steal confidential information such as account numbers and passwords.
* Spyware kits sold for $A20 available on the Web
A Russian Web site sells spyware kits, branded WebAttacker, for $20. The Web site, which refers to its creators as spyware and adware developers, makes the kits available for online purchase and offers technical support to its buyers.
* Vietnamese denial of service hacking suspect arrested
A man has been arrested in Vietnam for launching a distributed denial-of-service (DDoS) attack against a commercial Web site which left computer users unable to access the site.
The man faces charges for creating a Trojan that exploited a flaw in Microsoft's Internet Explorer. The Trojan turned unpatched computers into zombie PCs which were then ordered to repeatedly hit the victim's Web site, overwhelming its servers.
* Zippo Trojan demands AU$400 ransom for encrypted data
Troj/Zippo-A searches for files such as Word documents, databases and spreadsheets, and moves them into password-encrypted ZIP files. It then creates another file informing the victim to pay AU$400 into an E-Gold account to recover the data.
More than 40,000 new pieces of malware appeared between July 2005 and June 2006. Counting began just under 20 years ago, which means that over 22 per cent of all known malware has appeared in less than 5 per cent of the threat period. Indeed, we are seeing an increasing number of malware attacks, each targeted at a smaller number of victims, in contrast to the mass-mailing and wide-spreading worms of the past. This helps organised criminals avoid drawing unnecessary attention to themselves.
Malware: boosting your online immunity
With the simultaneous increase both in the rate at which new malware appears and in the determination of our enemies, the demands placed on IT security professionals have increased. But technology and your IT department cannot solve all the problems of malicious code. All of us need to keep our wits about us, too.
Most malicious programs succeed not through esoteric coding techniques or through revolutionary low-level system hacking. They succeed simply by persuading you to believe something which isn't true, or by pretending to be something which you can't resist. This sort of "hacking" is often called social or human engineering.
So what can you do to improve your resilience to social engineering on the Internet? Here are some simple precautions:
* If an e-mail sounds too good to be true, it almost certainly is. On second thoughts, if an e-mail sounds too good to be true, it is. Don't try, don't buy, don't reply.
* Don't be tricked by correspondence which seems legitimate because it happens to coincide with your own interests. Spammers and scammers are bound to guess correctly for a proportion of the many people they communicate with.
* Avoid software, or even links to software, sent by e-mail. If a program takes your fancy, use the Internet to find out for yourself what others are saying about it before using it, and choose your own link to download it from. Check digital signatures if you can.
* Don't be tricked by e-mails just because they appear to come from people you know. Spammers and phishers know how to disguise the real sender.
* Don't let your guard down when you receive e-mails about hot topics. If the matter is both important and genuine, then you will almost certainly be able to locate news about it more reliably through one of the many legitimate on-line services.
* If in doubt, ask an expert. Sophos customers, for example, can ask for expert analysis of suspicious e-mails and programs. Your business will often be more at risk from IT haste than from reasonable delay.
* Practise safe hex. Free advice can be found at: http://www.sophos.com/virusinfo/whitepapers/ (and feel free to double-check that link using a search engine first).
Paul Ducklin is head of technology, Asia Pacific for Sophos Australia. duck@sophos.com.au