
The four ages of malware
Roger Thompson, Computer Associates
As malicious code has evolved, one can see four distinct ages.
They show a narrowing gap between the announcement of a vulnerability
and an attack that exploits it, and a shift from a pure technology-based
attack to those that exploit a sophisticated understanding of social
behaviour to trigger the attack.
The viruses of the DOS age seem quaint. They include boot infectors,
program infectors, stealth viruses, multi-partite viruses, tunnelers,
and companion viruses. They appeared in 1987 and dominated until
about July 1995 when Windows 95 was released. Win95 was the first
“protected mode” operating system to become adopted
widely. Almost none of the DOS viruses was effective on Win95 systems.
While people continued to write them, they ceased to threaten most
users.
To use a biological analogy, living creatures find it hard to adapt
to swiftly changing environments. So too with technological phenomena
like computer viruses. Changing the operating system disrupted the
viruses’ environment almost overnight and so ended the first
age.
The macro virus age — 1995 to early 1999
In 1995 very few programmers knew how to write assembly code for
Win32, or much about its internal structures. This made new Win95-infecting
viruses unlikely — the required knowledge simply didn’t
exist. But even if the OS was safe, the applications were not.
Win95 was released alongside the Office 95 application suite, which sported
a powerful macro language, a dialect of Basic (WordBasic, later Visual
Basic for Applications). In addition, Microsoft invented the compound
file (in effect a file system, with allocation tables, directories and
both data and program streams, packed into a single file), which we
came to understand as a DOC file.
To be fair, Microsoft did it for the right reason, to prepare DOCs
to be multimedia-rich, containing pictures and sounds and even animations
and movies. There was little documentation for these files, so anti-virus
companies had to adapt their scanning engines and warn people that,
unlike the first age, viruses now lurked in what seemed to be purely
data files.
In the DOS age, geek pride made it lame to write a virus in anything
other than assembler, but in the macro age, it became “kewel”.
If virus writers were ignorant of Win95 assembler, they still made
life hard for anti-virus developers by writing quickly, and figuring
out how to use the tools in Basic to infect other Office applications.
Eventually it became apparent that while Basic offers infinite possibilities,
a macro needs only a few commands to copy itself into another document
or the global template. By detecting those commands, anti-virus scanners
could always find even brand-new macro viruses. They mightn’t know
the variant or what it did, but they knew it was a virus.
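As an added example, not code from the article or from Computer Associates, the following Python scanner shows the family-trait approach the paragraph describes: instead of a signature for one variant, it looks for the handful of primitives a macro needs in order to copy itself (an auto-executing macro name, a reference to the global template, and a copy or code-injection command) and flags source that combines an entry point with a copy primitive. The four macro samples are constructed for this example; the trait names and weights are this example's own assumptions, not any vendor's engine.

```python
import re

# One rule per replication primitive: (trait, pattern over macro source, weight).
# The primitives are the classic WordBasic/VBA calls a macro virus needs; the
# weights are this example's own assumption and are used only to rank hits.
RULES = [
    ("auto_exec",       re.compile(r"\b(AutoOpen|AutoClose|AutoExec|AutoNew|Document_Open|Document_Close)\b", re.I), 2),
    ("global_template", re.compile(r"NormalTemplate|NORMAL\.DOT|Global:", re.I), 2),
    ("macro_copy",      re.compile(r"\b(MacroCopy|Organizer\s*\.?Copy)\b", re.I), 3),
    ("project_access",  re.compile(r"\bVBProject\.VBComponents\b", re.I), 3),
    ("code_injection",  re.compile(r"\b(AddFromString|InsertLines)\b", re.I), 3),
    ("disable_guard",   re.compile(r"DisableAutoMacros|VirusProtection\s*=\s*False", re.I), 1),
]
COPY_TRAITS = {"macro_copy", "project_access", "code_injection"}


def strip_comments(source: str) -> str:
    """Drop Basic ' comments so a commented-out keyword is not counted.
    Simplification: an apostrophe inside a string literal also truncates that line."""
    return "\n".join(line.split("'", 1)[0] for line in source.splitlines())


def scan_macro(source: str) -> dict:
    """Classify macro source by family trait rather than by variant signature."""
    code = strip_comments(source)
    traits = [name for name, rx, _ in RULES if rx.search(code)]
    score = sum(w for name, _, w in RULES if name in traits)
    # Every macro virus needs both halves: something that runs without being
    # asked, and something that copies macro code into another document or the
    # global template. Either half on its own is common in honest automation.
    replicates = "auto_exec" in traits and bool(COPY_TRAITS & set(traits))
    return {"traits": traits, "score": score,
            "verdict": "macro-virus-like" if replicates else "clean"}


# Constructed samples (not real malware): a VBA-style infector, a WordBasic-style
# infector, a helpdesk installer that copies macros but has no auto-macro, and
# ordinary document automation.
INFECTOR = """
Sub AutoOpen()
    ' constructed sample: copies its own module into the global template
    Set src = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    Set dst = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    dst.AddFromString src.Lines(1, src.CountOfLines)
    Options.VirusProtection = False
End Sub
"""

WORDBASIC = """
Sub MAIN
    ' constructed sample in 1995-era WordBasic style
    MacroCopy "AutoOpen", "Global:AutoOpen"
    MacroCopy "FileSaveAs", "Global:FileSaveAs"
End Sub
"""

INSTALLER = """
Sub InstallCompanyStyles()
    ' constructed sample: helpdesk tool that copies a style module, no auto macro
    Application.OrganizerCopy Source:="styles.dot", Destination:="NORMAL.DOT", _
        Name:="CompanyStyles", Object:=wdOrganizerObjectProjectItems
End Sub
"""

BENIGN = """
Sub FormatReport()
    ' constructed sample: ordinary document automation
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
    ActiveDocument.Save
End Sub
"""

SAMPLES = {"infector": INFECTOR, "wordbasic": WORDBASIC,
           "installer": INSTALLER, "benign": BENIGN}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, scan_macro(src))
```

The installer sample is the point of the pairing rule: it touches NORMAL.DOT and uses a macro-copy command, which is exactly what a legitimate deployment tool does, yet it is reported clean because nothing in it runs automatically. A real engine would also decode the compound file and the compressed VBA stream before scanning; this example starts from already-extracted source.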
Although macro viruses are still around, they were no longer a strategic
problem by early 1999. Anti-virus scanners ended the macro age by
acting like a broad-spectrum antibiotic, detecting and killing viruses
by family trait.
The mass mailer age — 1999 to 2002
In January 1999 there were some 43 million hosts registered in the
internet’s Domain Name Service (DNS); this was the bottom
of the hockey-stick curve that saw the number of registered hosts
top 285 million in July last year.
In March 1999, the Melissa virus hit an unsuspecting world. The
results were devastating. Self-mailing viruses had been tried before,
but Melissa was the first success, and it ushered in a new age.
Virus writers realised that if they could spread their virus faster
than defenders could update their anti-virus signatures, it didn’t
matter if they were easily detected. Ironically, Melissa’s
author had actually meant to limit its spread to the first 50 addresses
in each address book. But he didn’t realise that most large
organisations use many of the first 50 addresses for all-company
groups.
The next few years saw some stunningly successful self-mailers,
including LoveLetter and AnnaKournikova. But organisations discovered
that no matter how different each mass mailer was, there was a single
chokepoint, the corporate email gateway. All one needed was to strip
off any executable attachment at the gateway. There was no need
to update anti-virus scanners at all.
Even though mass mailers are still written, and occasionally cause
an outbreak when they use a new file type, such as the Zip file
version of Bagle, any corporation doing intelligent filtering at
the gateway has become pretty safe from mass mailers. As in nature,
intelligent filtering ensures that harmful things stay outside the
organism. This largely ended the third age.
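The gateway chokepoint described in the two paragraphs above, as an added example written for this page rather than taken from the article or any CA product: a Python attachment filter that blocks by extension, looks at every extension in a name so that double extensions are caught, opens Zip archives by content rather than by name, walks nested archives, and refuses encrypted entries it cannot look inside. The extension list, nesting limit, size cap and the five sample messages are this example's own assumptions.

```python
import io
import zipfile
from email.message import EmailMessage

# Attachment types that mass mailers of the period used as payloads. The list,
# the nesting limit and the size cap are this example's own policy choices.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js",
                   "jse", "wsf", "wsh", "hta", "cpl", "lnk", "reg", "dll"}
MAX_ZIP_DEPTH = 2                 # nested archives beyond this are blocked outright
MAX_UNPACKED = 50 * 1024 * 1024   # decompressed size cap, a crude zip-bomb guard


def risky_name(filename: str):
    """Reason to block a filename, or None. Every extension counts, so
    'AnnaKournikova.jpg.vbs' and 'notes.txt          .exe' are both caught."""
    for ext in (p.strip() for p in filename.lower().split(".")[1:]):
        if ext in EXECUTABLE_EXTS:
            return f"executable extension .{ext}"
    return None


def inspect_zip(data: bytes, depth: int = 0):
    """Walk an archive, including nested ones, and return the first reason to block it."""
    if depth > MAX_ZIP_DEPTH:
        return "archive nested too deeply"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "unreadable archive"
    if sum(i.file_size for i in zf.infolist()) > MAX_UNPACKED:
        return "archive expands beyond the size cap"
    for info in zf.infolist():
        name = info.filename.rsplit("/", 1)[-1]
        if info.flag_bits & 0x1:          # encrypted entry: cannot be scanned, so block
            return f"{info.filename}: encrypted entry"
        reason = risky_name(name)
        if reason:
            return f"{info.filename}: {reason}"
        if name.lower().endswith(".zip"):
            inner = inspect_zip(zf.read(info), depth + 1)
            if inner:
                return f"{info.filename} -> {inner}"
    return None


def check_attachment(filename: str, data: bytes):
    reason = risky_name(filename)
    if reason:
        return reason
    # Judge archives by content, not by name: a renamed .zip still unpacks.
    if filename.lower().endswith(".zip") or data[:2] == b"PK":
        return inspect_zip(data)
    return None


def check_message(msg: EmailMessage) -> list:
    """(filename, reason) for every attachment the gateway should strip."""
    stripped = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = check_attachment(name, data)
        if reason:
            stripped.append((name, reason))
    return stripped


# Constructed sample traffic, built in memory so the example runs offline.
def make_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def build_message(attachments) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "see attached"
    msg.set_content("constructed sample message body")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


SAMPLES = {
    "clean":       build_message([("quarterly.pdf", b"%PDF-1.4 constructed")]),
    "double_ext":  build_message([("AnnaKournikova.jpg.vbs", b"' constructed script")]),
    "zipped_exe":  build_message([("photos.zip", make_zip([("photo1.jpg", b"\xff\xd8"), ("setup.exe", b"MZ")]))]),
    "nested":      build_message([("docs.zip", make_zip([("inner.zip", make_zip([("invoice.pdf.scr", b"MZ")]))]))]),
    "mislabelled": build_message([("notes.txt", make_zip([("run.exe", b"MZ")]))]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, check_message(msg) or "delivered")
```

The "mislabelled" sample is why the filter sniffs for the Zip magic bytes instead of trusting the name: a filter that only matched `.zip` would deliver it unopened. Blocking encrypted entries is a policy decision in this example; a gateway that cannot see inside an archive has no basis for passing it.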
The criminal age — 2001 to present
The fourth age began in July 2001 with the release of the CodeRed.A
worm. It exploited a buffer overflow vulnerability in some versions
of Microsoft’s Internet Information Server (IIS), which let
the worm take over a system without any user interaction. This
was the start of a menagerie of spyware, VEWs (vulnerability-exploiting
worms) and VEBs (vulnerability-exploiting bots).
The payload for CodeRed.A was that on a given day at a given time,
all infected nodes would stop trying to spread, and would instead
mount a distributed denial of service (DDoS) attack on the White
House. But within a month CodeRed.C came out. Rather than bothering
with DDoS, it simply opened a backdoor on all infected systems.
Overnight tech support folk had to rebuild thousands of machines.
Some people have always made a sport of taking over other peoples’
computers, i.e. hacking them. The more pernicious turn these captive
PCs into zombie machines to distribute spam and malware.
Since early 2003 the number of hacks has reached epidemic proportions.
At the start of 2003 there were 300 to 500 viruses and Trojans “in the wild”;
there are now perhaps 10,000. The motive is money. Instead of kids
doing it for sport, it’s now a business driven by spammers,
phishers and DDoS extortionists, many with criminal intent.
Other factors early in 2004 were the “wormwars” fought
between the authors of the Bagle, NetSky and MyDoom worms/bots, and
the subsequent publication of much of their source code. This made
it easy for lots of people to enter the scene. We now see as many
as 30 variants of the common worms and bots each month. Once an
exploitable vulnerability is published, we expect it to induce an
attack within two weeks.
In 2001 and 2002, it took eight or nine months for a published vulnerability
to be exploited, and many were never used at all. For example, in 2001 there
were about 90 published vulnerabilities for Internet Explorer. By
year-end, Microsoft had patched only about 70. Only one was actually
used (by Nimda, which abused a MIME-handling flaw so that an email
attachment ran without the user opening it), but the code to do this
was cut and pasted into nearly every worm for the next two years.
At the other end of the spyware spectrum are the adware companies.
Many are legitimate businesses that want to use the internet for
targeted marketing. Many users accept that the internet must
become commercial if it is to keep growing. But millions object to unsolicited
direct marketing in electronic form, whether delivered as spam or, more
generically, as adware.
Arms race continues
Looking back, one can see this is an arms race. Competition, and the
development of anti-spyware and anti-adware tools, make each new generation
of adware more virulent (like CoolWebSearch) or more aggressive (like Claria),
and spyware more dangerous. Already some malicious web sites and
bot herders install bots first, and then install ordinary adware, to
make money from the advertiser.
One thing is clear: the present arms race will continue until the
technology changes. Then the cycle will begin again. This is natural.
This is how it has been, and how it will be.
Author: Roger Thompson
Position: director of malicious content research, Computer
Associates.
url: http://ca.com