The Scary Truth About The Fragile Internet
By Per Olav Førland and Ella Mæhlumshagen, Norman ASA

It is hardly controversial to claim that the beginning of 2005 was a fairly rough period regarding the sheer number of new malicious programs threatening the Internet community. New variants of Bagle, MyDoom and Sober appeared and spread on a daily basis - sometimes even more than once per day.

Recent attacks have given us reason to believe that we are witnessing a war between different groups of malware writers. If this is true, many "innocent bystanders" have been severely harmed in the "shoot-out". Some of the latest malware analyses have also shown that virus authors can cooperate in ways that make their attacks harder to discover and more difficult to stop. While investigating some of the latest attacks it was discovered that the authors of Bagle and Zafi were using each other's techniques to make the attacks worse. They did not meet each other physically, but they used each other's information and techniques in order to inflict as much damage as possible. Undoubtedly, this is a scary trend that poses large threats to the IT community: criminals joining forces and sharing information with the intention of causing damage and committing illegal acts such as fraud and theft, to mention only some of the possible threats.
The latest developments have clearly shown that the trend towards increased criminalisation of the Internet will continue. As a consequence, antivirus vendors have to be on high alert around the clock, and "spare time" is no longer a familiar term.

The "perfect" piece of malware
In 1988 the Morris Worm appeared, sending shock waves through the world and demonstrating the fragility of the Internet. Since then several papers have been written about how to create the perfect piece of malware, and various designs have been proposed. Reolof Temming, and the group of Stuart Staniford, Vern Paxson and Nicholas Weaver, have written two extremely interesting articles about the fragility of the Internet, focusing on the fatal consequences of a worst-case attack. An interesting point in both is that the question is how such an attack can happen, not if.

As Temming claims in his article "Worst nightmares come alive?", the Internet is actually more fragile today than it was ten years ago. Why? First of all, the Morris Worm exploited weaknesses common to UNIX systems to propagate itself, whereas today most desktop computers run Windows operating systems from Microsoft, so a single program could attack all of these machines. Back then the Internet was used by an elite group of specialists and professionals; today the average user can't tell "email" from "mpeg". While the early Internet was limited to a select group of people, IT today is major business.
All of this makes systems more fragile and easier to exploit. Temming carefully describes how easy it is for potential malware authors to exploit these systems, paying particular attention to trojans and viruses that propagate by means of so-called bots (robots).
Unlike Temming's article, the Staniford/Paxson/Weaver paper approaches the threat from a scientific angle, using mathematical models fitted to the actual behaviour of previous malware and applying those models to analyse "better" constructed malware.
Both articles argue that it is surprisingly easy to create a malicious program that can infect more than one million computers in a very short time. With that many infected computers under a malicious person's control, the Internet would be unsafe for a very long time.
Let us examine some of the characteristics of a perfect piece of malware, based on the paper by Staniford, Paxson and Weaver.

Let us assume that a person's goal is not merely to wreak havoc by spreading a program with no payload. She has a much more ambitious end: she intends to control the Internet to some extent, including shutting down part(s) of the Internet and/or particular domains. The malicious person aims to "own the Internet", not by paying large sums of money but by seizing it through malware. Her first step would be to distribute this malware, and a clever way to do so is to use worms as the spreading mechanism. The authors do not use the term "worm" for programs that spread as email attachments; worms in this context are defined as programs that replicate themselves by exploiting security flaws in installed software. The advantage of using security flaws rather than human interaction as the spreading mechanism is that the malicious person is not dependent on any humans other than herself. She only has to "trick" computers, which also makes it easy to test and fine-tune the malware.

We have seen examples of such worms throughout the history of the Internet. The previously mentioned Morris worm was the first, or at least the first famous one. More recent examples are the Code Red worms, Nimda, SQL Slammer and the Blaster worms. The disadvantage of this technique is that once the vulnerable program is patched, the spreading mechanism no longer works. It may therefore be smart to add further spreading mechanisms. To avoid detection during the initial spread, the malware author builds in other spreading mechanisms that only activate at a certain point in time after the initial worm has infected a computer. This enables the malware to live much longer, as it can continue to spread even after the systems vulnerable to the worm are patched. We saw this clearly when comparing the Code Red worms with Nimda: the latter had additional spreading methods and endured much longer as active malware. In addition there are several scanning strategies the malicious writer can use to find victims faster than plain random scanning: permutation scanning, topological scanning and Internet-scale hit-lists, to mention a few.
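The difference between plain random scanning and a hit-list can be quantified with the simple propagation model on which the Staniford/Paxson/Weaver paper builds: every infected host probes random addresses at a fixed rate, so the infected fraction follows a logistic curve whose steepness K depends on the scan rate and the size of the vulnerable population. The Python below is an added example and is not code from the original article or from the paper; the vulnerable population (300,000 hosts), scan rate (10 probes per second) and hit-list size (10,000) are illustrative assumptions, and a hit-list is approximated by starting the simulation with that many hosts already infected.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4; assumption: targets are chosen uniformly at random


def spread_rate(vulnerable, scans_per_second):
    """Per-second growth rate K of the random constant spread model: each
    infected host sends scans_per_second probes, and each probe hits a
    vulnerable host with probability vulnerable / ADDRESS_SPACE."""
    return scans_per_second * vulnerable / ADDRESS_SPACE


def logistic_fraction(t, K, T):
    """Closed form of that model: the fraction of vulnerable hosts infected at
    time t is a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), where T is the moment at
    which half of the vulnerable hosts are infected."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))


def seconds_to_infect(vulnerable, scans_per_second, initial_infected,
                      target_fraction=0.9, step=1.0, max_seconds=30 * 24 * 3600):
    """Deterministic mean-field simulation of the same model.

    Each step, every infected host's probes that land on a still-uninfected
    vulnerable host produce a new infection. Returns the number of seconds
    until target_fraction of the vulnerable hosts are infected, or None if
    that is not reached within max_seconds."""
    infected = float(initial_infected)
    target = target_fraction * vulnerable
    t = 0.0
    while infected < target:
        if t >= max_seconds:
            return None
        susceptible = vulnerable - infected
        new = infected * scans_per_second * step * (susceptible / ADDRESS_SPACE)
        infected = min(float(vulnerable), infected + new)
        t += step
    return t


def compare_strategies(vulnerable=300_000, scans_per_second=10, hitlist_size=10_000):
    """Time to infect 90% of the vulnerable hosts for three starting points:
    a single seed (random scanning), a pre-compromised hit-list of
    hitlist_size hosts, and a 'flash' worm whose hit-list already covers the
    whole population (illustrative parameters, not fitted to any real worm)."""
    return {
        "K_per_hour": spread_rate(vulnerable, scans_per_second) * 3600,
        "seconds_to_90pct": {
            "random_scan_single_seed": seconds_to_infect(vulnerable, scans_per_second, 1),
            "hitlist_seeded": seconds_to_infect(vulnerable, scans_per_second, hitlist_size),
            "flash_full_hitlist": seconds_to_infect(vulnerable, scans_per_second, vulnerable),
        },
    }


if __name__ == "__main__":
    result = compare_strategies()
    print(f"K = {result['K_per_hour']:.2f} per hour")
    for name, secs in result["seconds_to_90pct"].items():
        print(f"{name}: {secs / 3600:.2f} hours to 90% infected")
```

With these assumptions the single-seed worm needs several hours to reach 90% of the vulnerable hosts, while the hit-list-seeded worm gets there in roughly a third of that time and the full hit-list removes the slow start entirely; the hours come from the exponential start-up phase, which is exactly what the hit-list and permutation strategies in the paper are designed to skip.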

How to defend yourself?
Obviously, with worms spreading as fast as those discussed here, human action cannot possibly prevent the infection of a large number of computers. In the scenario above, our evil person has been able to infect almost all vulnerable computers on the Internet with her malicious program. This could happen so fast that thousands of computers are infected before anyone notices.
We have seen that several of the worms/viruses that have emerged in the wild have had more or, mostly, less successful methods of updating themselves. Both articles mentioned in the introduction discuss ways of issuing commands to the malicious program.

Staniford, Paxson and Weaver's paper outlines a way of distributing communication between the worm instances, such that a command sent to any one instance is relayed to all the others, using encrypted communication between the different instances of the malicious program.

They also draw attention to the fact that it is theoretically possible to issue commands to the worm that create new, different child worms and spread them to the computers all over the Internet that are already infected, or that attack other computers with different vulnerabilities. A side-effect of this technique is that the worm's children and grandchildren might live long after the original malicious program has been discovered and removed.

The authors of "How to 0wn the Internet in Your Spare Time" also discuss how to defend against the threat they describe. They recommend the same approach as is used in medicine: establishing "Cyber-Center(s) for Disease Control", and they assign such center(s) a number of roles.
A different and complementary approach would be to increase the research and resources aimed at stopping (potentially) malicious programs based on their behaviour, a technique already in use in Norman's Sandbox technology. In theory this method could stop the worm from infecting vulnerable computers, and it could also stop the payload of the malicious program if the worm has already succeeded in infecting a machine.
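Behaviour-based blocking does not need a signature for the worm; it needs rules for what worm-like behaviour looks like. The Python below is an added illustration of that idea and is not Norman's Sandbox code or any other product's logic: it scores a constructed trace of observed actions (made up here for the example) for three worm-like indicators, namely contacting many distinct hosts on one port in a short window, installing a Run-key persistence entry, and executing a file the program itself dropped into a system directory. The thresholds, directories and the sample traces are all assumptions chosen for the example.

```python
from collections import defaultdict

SCAN_HOST_THRESHOLD = 50      # distinct hosts on one port within the window
SCAN_WINDOW_SECONDS = 60.0    # assumption: a worm scans far faster than a user browses
SYSTEM_DIRS = ("c:\\windows\\", "/usr/bin/", "/etc/")   # assumption: drop locations to watch
RUN_KEY = "\\currentversion\\run\\"                      # Windows auto-start registry key

# Constructed sample traces (not real sandbox output). Each event is
# (seconds_since_start, action, argument).
WORM_LIKE_TRACE = [
    (0.00, "write_file", r"C:\Windows\System32\update_svc.exe"),
    (0.05, "exec", r"C:\Windows\System32\update_svc.exe"),
    (0.10, "registry_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update_svc"),
] + [(0.5 + 0.05 * i, "connect", f"10.0.{i // 256}.{i % 256}:135") for i in range(120)]

BENIGN_TRACE = [
    (0.0, "connect", "93.184.216.34:443"),
    (1.2, "write_file", r"C:\Users\alice\AppData\Local\Temp\download.tmp"),
    (2.5, "connect", "151.101.1.69:443"),
    (3.1, "connect", "140.82.112.3:443"),
]


def find_scanning(events):
    """Return (port, hosts) for the port on which the most distinct hosts were
    contacted within any SCAN_WINDOW_SECONDS window, if that count reaches
    SCAN_HOST_THRESHOLD; otherwise None."""
    per_port = defaultdict(list)
    for t, action, arg in events:
        if action == "connect":
            host, port = arg.rsplit(":", 1)
            per_port[port].append((t, host))
    best = None
    for port, hits in per_port.items():
        hits.sort()
        counts = defaultdict(int)   # distinct hosts currently inside the window
        start = 0
        for t, host in hits:
            counts[host] += 1
            while t - hits[start][0] > SCAN_WINDOW_SECONDS:   # slide the window forward
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= SCAN_HOST_THRESHOLD and (best is None or len(counts) > best[1]):
                best = (port, len(counts))
    return best


def find_persistence(events):
    """Registry writes under the auto-start Run key."""
    return [arg for _, action, arg in events
            if action == "registry_set" and RUN_KEY in arg.lower()]


def find_dropped_executables(events):
    """Files written into a system directory and then executed by the same program."""
    written = {arg.lower() for _, action, arg in events
               if action == "write_file" and arg.lower().startswith(SYSTEM_DIRS)}
    return [arg for _, action, arg in events
            if action == "exec" and arg.lower() in written]


def analyse(events):
    """Return ("block" | "allow", indicators). Propagation behaviour is blocked
    on its own; anything else needs two independent indicators, so a single
    installer-like action does not trip the rule."""
    indicators = {}
    scan = find_scanning(events)
    if scan:
        indicators["scanning"] = scan
    persistence = find_persistence(events)
    if persistence:
        indicators["persistence"] = persistence
    dropped = find_dropped_executables(events)
    if dropped:
        indicators["dropped_executable"] = dropped
    verdict = "block" if "scanning" in indicators or len(indicators) >= 2 else "allow"
    return verdict, indicators


if __name__ == "__main__":
    for name, trace in (("worm-like", WORM_LIKE_TRACE), ("benign", BENIGN_TRACE)):
        verdict, found = analyse(trace)
        print(f"{name}: {verdict} {sorted(found)}")
```

The scanning rule is the one that matters against the worms discussed in this article: a worm that exploits a service on a fixed port must contact many hosts on that port, and it does so whether or not a signature for it exists yet. The trade-off is false positives, which is why the non-propagation indicators are only combined rather than blocked individually.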

Norman UK is exhibiting at Infosecurity Europe 2005 which is Europe's number one information Security Event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on the 26th – 28th April 2005 in the Grand Hall, Olympia, this is a must attend event for all IT professionals involved in Information Security. 

Date added: Mon 25 Apr 2005
» See more by Eskenzi PR, or visit their web site.