[iwar] [fc:The.evolution.of.malware]

From: Fred Cohen (fc@all.net)
Date: 2001-09-27 15:35:55


To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say

The evolution of malware 
By Izhar Lev, Jane's Intelligence Review, 9/27/2001
No URL available.

HIGHLIGHT: In the first of a series of surveys concerning the evolving
threat posed by specific malware such as viruses, trojans and worms,
Izhar Lev examines the current state of the threat from malware in light
of continuing technological developments. 

BODY: As more sensitive commercial and personal information is stored on
computers, the development of malicious agents and computer crime has
evolved rapidly.  A March 2001 survey conducted by the Computer Security
Institute (CSI) and the FBI showed that 85% of surveyed corporations
detected computer security breaches; of these, 64% reported financial
losses due to the breaches, with an average annual loss of US$1.3
million.  This article surveys the types of malicious software
(malware), their effects and threats. 

Malware can be defined as a group of programs designed specifically to
damage or disrupt a system.  Before looking into the various types of
malware, we should first survey the types of computer attacks.  A recent
National Institute of Standards and Technology study defined four basic
types of attacks against computers:

- Confidentiality attack: an attack causes a confidentiality violation
if it allows attackers to access data without authorisation (either
implicit or explicit) from the owner of the information;

- Integrity attack: an attack causes an integrity violation if it allows
the (unauthorised) attacker to change the system state or any data
residing on or passing through a system;

- Availability attack: an attack causes an availability violation if it
keeps an authorised user (human or machine) from accessing a particular
system resource when, where, and in the form that they need it; and

- Control attack: an attack causes a control violation if it grants an
(unauthorised) attacker privilege in violation of the access control
policy of the system.  This privilege enables a subsequent
confidentiality, integrity, or availability violation;

One typology of malware was devised by Lenny Zeltser, a computer
security expert.  A similar division of it into several sub-categories
would include:

Uncontrolled self-propagating agents

Self-propagating agents consist mainly of viruses and worms.  A computer
virus can be defined as a typically small, self-replicating computer
program that attaches itself to computer files or applications, and is
designed to execute undesirable functions within the infected computer
(the payload).  Similar to a virus, a worm is an independent program
that self-replicates and travels by itself across networks without,
necessarily, being attached to a program.  A virus or a worm payload can
vary from a harmless prank through disclosure of data (confidentiality
attack) to the destruction of files (integrity attack).  Worms will also
clutter bandwidth, grinding computer communications to a halt
(availability attack). 

Viruses and worms are a serious threat to computers for three major
reasons: their high prevalence; their growing sophistication; and the
ease by which they can be created (see JIR, March 2001, pp53-55). 
However, the average virus and worm has a major flaw: while designed to
survive in the wild and infect as many computers as possible, they are
typically indiscriminate about their infected targets and spread in an
uncontrolled manner.  Although one could claim that they initially
target a specific network, the agent may very rapidly begin infecting
other networks around the world, regardless of a designated target. 

Today, growing awareness about viruses and worms and the regular use of
anti-virus software is becoming common practice.  Thus, properly
administered organisations cut rates of infections.  However, this is
still limited by developing anti-virus technology that cannot completely
predict and block original forms of viruses and worms. 

Data collection and monitoring agents

For the past decade, the value and need for competitive intelligence has
been on the rise.  Moreover, an alarming rise in identity theft is
reported which is currently turning it into the fastest growing crime in
the USA (see JIR, May 2001, pp54-55).  The relative ease in gathering
and transferring collected information through electronic means promoted
the development of malicious data collection and monitoring agents. 
Information obtained is either used directly by the perpetrators, sold
or bartered. 

These programs are designed to stealthily collect important sensitive
information, and transmit it back to the antagonist.  The malware itself
can take the shape of a virus/worm or legitimate software which has been
'trojanised' with a spying agent.  This malware is categorised as a
confidentiality attack and/or an integrity attack. 

Information collected can either be classified as reconnaissance
material or as sensitive data/intellectual property.  Reconnaissance
material is used to generate intelligence preceding an attack, for
example mapping the internal structure and architecture of a network or
monitoring outbound traffic.  Both can be analysed for vulnerabilities
in systems and communications.  The second type of information collected
is targeted for its intrinsic value.  For example, active credit-card
numbers, personal details and passwords, and intellectual property of
any sort.  This can be achieved in various ways - from secretly copying
files to keeping a log of all keystrokes performed. 

A survey conducted by Cyveillance showed an increase in the past three
years of 488% in the prevalence of hidden collection and monitoring
agents in web pages.  These unnoticed bugs collect information about
surfers visiting the site; while information collected is often used for
marketing, it might also be used in a malevolent way. 

Attack agents

Attack agents are designed to slow or shut down a network.  Generally,
this is achieved by overwhelming the system with more information than
it can handle, exhausting the system resources and causing it to slow
down or crash.  This type of attack is called a Denial of Service (DoS)
attack, and is a straightforward availability attack. 

It should be noted, however, that an assailant cannot usually shut down
a server by flooding it from a single machine, as this would typically
only slow it down.  In Distributed DoS (DDoS) attacks, the attacker
utilises several different computers, launching a simultaneous and
concentrated attack against a specific target.  DDoS tools differ from
DoS tools by their capability to control and co-ordinate several
computers that later carry out the attack.  This feature enables the
aggressor to keep a safe 'distance' from the target, as other,
compromised computers, carry out the attack.  Furthermore, many DDoS
& DoS malware are capable of faking their original Internet
protocol.  This, in turn, muddies any forensic trail to the attacker. 
The compromise of other computers in the process of preparing an attack
can also be categorised as a control attack. 

While it is possible to prevent your computer from being compromised, it
is more difficult to fend off a DoS, and especially DDoS, attack.  This
is due to the nature of the communications over the Internet, which
requires the swapping of information packets between connected
computers.  Hence, an open port can be flooded with devastating amounts
of information packets.  Although it is possible to closely monitor
information packets and filter suspicious ones, if traffic volume is
high, a filtering service might also fail.  Furthermore, tight
monitoring regimes slow down the system, affecting availability. 

The most significant attack from the Internet was a massive DDoS attack
in February 2000 which crippled prominent sites such as Amazon.com and
Yahoo.com.  DoS and DDoS attacks now occur on a daily basis: while
usually they simply slow down target servers, occasionally they succeed
in shutting some down.  Thirty-eight per cent of all CSI/FBI survey
respondents reported some sort of DoS attack in the past 12 months. 

Remote access agents

This type of malware provides an attacker with remote access to a system
and, in some cases, privileged administrative control over it.  These
agents perform a control attack.  Remote access agents are usually small
and stealthy, and are based on open code and can, therefore, be custom
designed or modulated.  As a result, they can be much more than just
remote access tools, and can be turned into data collection agents
and/or attack agents.  Remote access agents are similar to legitimate
remote access programs/administrative tools.  In practice, the main
difference is in the intended use; is it malicious or benign?

Remote access agents consist of a 'server component' and a 'remote
component'.  The 'server component' is secretly installed on a computer
through means such as a bogus e-mail attachment or through legitimate
software 'trojanised' with the agent.  The 'remote component' is then
able to control the compromised computer; in some programs, a single
remote can control multiple servers. 

Due to the increase in the use of firewalls and anti-virus software,
commanding a server component is becoming more difficult.  Yet, as
Zeltser points out, home users are still not accustomed to using
firewalls, and so are very vulnerable to this type of malware. 

Other

Different combinations of various types of malware or agents specially
created to attack a designated target present a high-level threat. 
Though these types of malware rarely surface in public and appear less
prevalent than other types, there are indications that some are coded by
computer professionals working for organised crime or by hostile
intelligence services. 

Support agents

Malware support agents are required to assist the various malware agents
discussed above.  These agents perform external scans, detecting
connected computers and their statuses, externally mapping networks,
misleading forensic investigators, performing probes and cracking
passwords. 

Bruce Schneier, an expert in the information security field, commenting
on the CSI/FBI survey results, said: "What's interesting is that all of
these attacks occurred despite the wide deployment of security
technologies...  Clearly, the technology is not working." However,
defensive technology is not solely to blame.  A combination of other
factors is partly responsible for this: most malware is readily
available on various websites to be downloaded free of charge.  Large
portions are open-code and can, therefore, be modified by skilled
programmers to include various different applications and
characteristics.  Adding to this is the fact that most types of software
are not designed with security in mind.  The market's constant demand
for new products and consumer pressure for more functionality are
resulting in complex software.  This software is never tested thoroughly
because of this cost-benefit market rationale.  The unique lack of
diversity within the software market makes it much easier to create
various programs that exploit widespread vulnerabilities.  The last
factor, and probably the most crucial one, is a mix between on-going
ignorance of computer security threats, lack of discipline and a
communication breakdown between technical and non-technical people. 

Izhar Lev is a researcher at the Information Assurance Advisory Council
(IAAC), www.iaac.org.uk


------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT