From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Reply-To: iwar@yahoogroups.com
Date: Thu, 27 Sep 2001 15:35:55 -0700 (PDT)
Message-Id: <200109272235.PAA22403@big.all.net>
Subject: [iwar] [fc:The.evolution.of.malware]

The evolution of malware
By Izhar Lev, Jane's Intelligence Review, 9/27/2001
No URL available.
HIGHLIGHT: In the first of a series of surveys concerning the evolving threat posed by specific malware such as viruses, trojans and worms, Izhar Lev examines the current state of the threat from malware in light of continuing technological developments.

BODY: As more sensitive commercial and personal information is stored on computers, the development of malicious agents and computer crime has evolved rapidly. A March 2001 survey conducted by the Computer Security Institute (CSI) and the FBI showed that 85% of surveyed corporations detected computer security breaches; of these, 64% reported financial losses due to the breaches, with an average annual loss of US$1.3 million. This article surveys the types of malicious software (malware), their effects and threats.

Malware can be defined as a group of programs designed specifically to damage or disrupt a system. Before looking into the various types of malware, we should first survey the types of computer attacks. A recent National Institute of Standards and Technology study defined four basic types of attacks against computers:

- Confidentiality attack: an attack causes a confidentiality violation if it allows attackers to access data without authorisation (either implicit or explicit) from the owner of the information;
- Integrity attack: an attack causes an integrity violation if it allows the (unauthorised) attacker to change the system state or any data residing on or passing through a system;
- Availability attack: an attack causes an availability violation if it keeps an authorised user (human or machine) from accessing a particular system resource when, where, and in the form that they need it; and
- Control attack: an attack causes a control violation if it grants an (unauthorised) attacker privilege in violation of the access control policy of the system. This privilege enables a subsequent confidentiality, integrity, or availability violation.

One typology of malware was devised by Lenny Zeltser, a computer security expert. A similar division of it into several sub-categories would include:

Uncontrolled self-propagating agents

Self-propagating agents consist mainly of viruses and worms. A computer virus can be defined as a typically small, self-replicating computer program that attaches itself to computer files or applications, and is designed to execute undesirable functions within the infected computer (the payload). Similar to a virus, a worm is an independent program that self-replicates and travels by itself across networks without necessarily being attached to a program. A virus or worm payload can vary from a harmless prank, through disclosure of data (confidentiality attack), to the destruction of files (integrity attack). Worms will also clutter bandwidth, grinding computer communications to a halt (availability attack).

Viruses and worms are a serious threat to computers for three major reasons: their high prevalence; their growing sophistication; and the ease with which they can be created (see JIR, March 2001, pp53-55). However, the average virus and worm has a major flaw: while designed to survive in the wild and infect as many computers as possible, they are typically indiscriminate about their targets and spread in an uncontrolled manner. Although one could claim that they initially target a specific network, the agent may very rapidly begin infecting other networks around the world, regardless of any designated target.

Today, awareness of viruses and worms is growing, and the regular use of anti-virus software is becoming common practice. Thus, properly administered organisations cut their rates of infection. However, this is still limited by anti-virus technology, which cannot completely predict and block novel forms of viruses and worms.
Data collection and monitoring agents

For the past decade, the value of and need for competitive intelligence has been on the rise. Moreover, an alarming rise in identity theft is reported, which is currently turning it into the fastest growing crime in the USA (see JIR, May 2001, pp54-55). The relative ease of gathering and transferring collected information through electronic means promoted the development of malicious data collection and monitoring agents. Information obtained is either used directly by the perpetrators, sold or bartered.

These programs are designed to stealthily collect important sensitive information and transmit it back to the antagonist. The malware itself can take the shape of a virus/worm or of legitimate software which has been 'trojanised' with a spying agent. This malware is categorised as a confidentiality attack and/or an integrity attack.

Information collected can be classified either as reconnaissance material or as sensitive data/intellectual property. Reconnaissance material is used to generate intelligence preceding an attack, for example by mapping the internal structure and architecture of a network or by monitoring outbound traffic. Both can be analysed for vulnerabilities in systems and communications. The second type of information collected is targeted for its intrinsic value: for example, active credit-card numbers, personal details and passwords, and intellectual property of any sort. This can be achieved in various ways, from secretly copying files to keeping a log of all keystrokes performed.

A survey conducted by Cyveillance showed an increase of 488% in the past three years in the prevalence of hidden collection and monitoring agents in web pages. These unnoticed bugs collect information about surfers visiting the site; while the information collected is often used for marketing, it might also be used in a malevolent way.

Attack agents

Attack agents are designed to slow or shut down a network.
Generally, this is achieved by overwhelming the system with more information than it can handle, exhausting the system resources and causing it to slow down or crash. This type of attack is called a Denial of Service (DoS) attack, and is a straightforward availability attack. It should be noted, however, that an assailant cannot usually shut down a server by flooding it from a single machine, as this would typically only slow it down.

In Distributed DoS (DDoS) attacks, the attacker utilises several different computers, launching a simultaneous and concentrated attack against a specific target. DDoS tools differ from DoS tools by their capability to control and co-ordinate several computers that later carry out the attack. This feature enables the aggressor to keep a safe 'distance' from the target, as other, compromised computers carry out the attack. Furthermore, much DDoS and DoS malware is capable of faking its source Internet Protocol (IP) address. This, in turn, muddies any forensic trail to the attacker. The compromise of other computers in the process of preparing an attack can also be categorised as a control attack.

While it is possible to prevent your computer from being compromised, it is more difficult to fend off a DoS, and especially a DDoS, attack. This is due to the nature of communications over the Internet, which requires the swapping of information packets between connected computers. Hence, an open port can be flooded with devastating amounts of information packets. Although it is possible to closely monitor information packets and filter suspicious ones, if traffic volume is high a filtering service might also fail. Furthermore, tight monitoring regimes slow down the system, affecting availability. The most significant attack from the Internet was a massive DDoS attack in February 2000 which crippled prominent sites such as Amazon.com and Yahoo.com.
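The single-source versus distributed distinction above, and the point that a per-address filter fails against a spoofed distributed flood, as an added example (not from the article). It triages a constructed window of SYN records; the thresholds and the record layout are assumptions for illustration.

```python
"""Triage of a SYN-flood window: single-source DoS vs distributed DDoS.

Added example, not from the article. Records are constructed: each is
(source_ip, handshake_completed) for one inbound SYN seen in a 10 s window.
"""
from collections import Counter


def triage(records, syn_threshold=200, top_source_share=0.5, incomplete_share=0.9):
    """Classify a window of SYN records as normal, single-source, or distributed.

    A window below syn_threshold SYNs is normal. Above it, one source sending
    at least top_source_share of all SYNs is a single-machine flood; otherwise
    the load is distributed. When almost no attempt completes a handshake the
    sources are probably forged, since a spoofed address never answers.
    """
    records = list(records)
    total = len(records)
    sources = Counter(src for src, _ in records)
    report = {"syns": total, "sources": len(sources), "spoof_suspected": False}
    if total < syn_threshold:
        report["verdict"] = "normal"
        return report
    top_count = sources.most_common(1)[0][1]
    incomplete = sum(1 for _, done in records if not done)
    report["spoof_suspected"] = incomplete / total >= incomplete_share
    report["verdict"] = ("dos-single-source" if top_count / total >= top_source_share
                         else "ddos-distributed")
    return report


def block_candidates(records, per_source_min=10):
    """Sources that alone exceed per_source_min SYNs: the only ones a
    per-address filter can act on. Against a distributed, spoofed flood each
    forged address appears once, so this list stays empty and the filter
    gives no relief, which is the failure the article describes."""
    counts = Counter(src for src, _ in records)
    return sorted(src for src, n in counts.items() if n >= per_source_min)


# Constructed windows using documentation (TEST-NET, RFC 5737) addresses.
NORMAL = [(f"192.0.2.{i}", True) for i in range(1, 6) for _ in range(6)]
SINGLE = [("203.0.113.9", False)] * 400 + NORMAL
DISTRIBUTED = ([(f"198.51.100.{i}", False) for i in range(1, 201)]
               + [(f"192.0.2.{i}", False) for i in range(1, 201)] + NORMAL)

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("single", SINGLE), ("distributed", DISTRIBUTED)):
        print(name, triage(window), block_candidates(window))
```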
DoS and DDoS attacks now occur on a daily basis: while usually they simply slow down target servers, occasionally they succeed in shutting some down. Thirty-eight per cent of all CSI/FBI survey respondents reported some sort of DoS attack in the past 12 months.

Remote access agents

This type of malware provides an attacker with remote access to a system and, in some cases, privileged administrative control over it. These agents perform a control attack. Remote access agents are usually small and stealthy, and are based on open code and can, therefore, be customised or modified. As a result, they can be much more than just remote access tools, and can be turned into data collection agents and/or attack agents. Remote access agents are similar to legitimate remote access programs/administrative tools. In practice, the main difference is in the intended use: is it malicious or benign?

Remote access agents consist of a 'server component' and a 'remote component'. The 'server component' is secretly installed on a computer through means such as a bogus e-mail attachment or through legitimate software 'trojanised' with the agent. The 'remote component' is then able to control the compromised computer; in some programs, a single remote can control multiple servers. Due to the increase in the use of firewalls and anti-virus software, commanding a server component is becoming more difficult. Yet, as Zeltser points out, home users are still not accustomed to using firewalls, and so are very vulnerable to this type of malware.

Other

Different combinations of various types of malware, or agents specially created to attack a designated target, present a high-level threat. Though these types of malware rarely surface in public and appear less prevalent than other types, there are indications that some are coded by computer professionals working for organised crime or by hostile intelligence services.
Support agents

Malware support agents are required to assist the various malware agents discussed above. These agents perform external scans, detecting connected computers and their status, externally mapping networks, misleading forensic investigators, performing probes and cracking passwords.

Bruce Schneier, an expert in the information security field, commenting on the CSI/FBI survey results, said: "What's interesting is that all of these attacks occurred despite the wide deployment of security technologies... Clearly, the technology is not working."

However, defensive technology is not solely to blame. A combination of other factors is partly responsible for this: most malware is readily available on various websites to be downloaded free of charge. Much of it is open code and can, therefore, be modified by skilled programmers to include various different applications and characteristics. Adding to this is the fact that most types of software are not designed with security in mind. The market's constant demand for new products and consumer pressure for more functionality are resulting in complex software. This software is never tested thoroughly because of this cost-benefit market rationale. The lack of diversity within the software market makes it much easier to create programs that exploit widespread vulnerabilities. The last factor, and probably the most crucial one, is a mix of on-going ignorance of computer security threats, lack of discipline and a communication breakdown between technical and non-technical people.

Izhar Lev is a researcher at the Information Assurance Advisory Council (IAAC) www.iaac.org.uk
------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT