Malware vs. anti-malware, 20 years into the fray

From Robert Morris Jr. to mayhem, with tips for practical living

As I recall, November 2, 1988, started as an ordinary day at Goddard Space Flight Center where I was working in the data communications branch. By the end of the day ... well, actually, that day never ended. We just kept fighting to bring our servers and networks back to life. Our SunOS and VAX/BSD systems, which were connected to the Internet, had slowed to a stop.

We didn't know it yet, but we were fighting the first Net-propagated malware program: the Robert Morris Internet worm. Twenty-four hours into our "day," we received a fix developed by the University of California, and we were back online.

As it turned out, the Morris worm wasn't a deliberate attack. It was a self-replicating program with a bug that caused it to reproduce at a rate so fast that it brought down the (then much smaller) Internet. That was almost 20 years ago, and eventually it came to light that Robert Morris Jr. didn't intend to wreak the havoc he did. He was simply trying to get a hard number as to how many systems were attached to the Net.

In contrast, today's malware causes less overt havoc but far more deliberate harm. Most 21st-century crackers aren't making malware to show off their skills or wreck systems for the sheer malicious fun of it all. They're making malware that hides in your system so they can use your personal information and PC resources to make money. Welcome to the era of capitalist hacking.

In response, the security vendors come up with anti-malware programs, and we're locked into a seemingly endless battle between crackers and the defenders for the safety of our networks, our computers and our personal information. At the moment, it appears the bad guys are winning. There's more malware than ever before.

In this corner, the challenger ...

Perhaps "malware" isn't the right word. Historically, viruses, worms and the like were hit-and-run attackers -- get in, zap some files and try to leap to another PC before they were caught and cleaned out. Modern invading programs are designed to curl up and make themselves at home in your system, but they're not there to destroy your computer or your files. They're not malicious in the way as famous computer viruses as ILOVEYOU, which in 2000 destroyed untold numbers of files on Windows systems.

No, they're there to wait for a chance to snatch an important password or a credit card number, to turn the PCs under your care into a 2am spam generator, and to hurt your users and your data, not your machines. You may not even be the main target. One of the more disturbing rumors, albeit a difficult one to prove, is that some malware may not be acting on the behalf or organized cybercrime crews but by terrorists or government agencies. The Baltic country Estonia's Web sites, for example, were hit by a massive DDoS (distributed denial of service) attack last year by what was believed to be a group of Russian hackers.

Not, mind you, that viruses such as Melissa, ILOVEYOU and Sasser didn't cause enormous damage; they did. But users could avoid infection by taking relatively few, relatively simple precautions, such as never, ever opening an executable attachment sent to them via e-mail. Or they could practice safe computing by not using Outlook -- the system vulnerability that claimed to be an e-mail client. Then, however, if you used an up-to-date virus detection program and practiced safe e-mail, chances are you'd be safe.

Page Break

Those kinds of threats are still around. My own carefully tended AV setup still sees postcard.exe, born sometime in 2005, coming by about two or three times a week. The fact that old-style Trojan horses like postcard still exist just goes to show that a sucker really is born every minute. The flood of infections that come in waves every time the usual suspects send out a toxic attachment on an e-mail message piggybacking on the news of the day means you can expect Olympic-themed spam with a little something "extra" any day now. Users will still click on any shiny object that floats by. And the extraordinary success of recent "spearphishing" efforts to capture C-level exec's machines by sending targeted e-mail claiming to include a subpoena indicates that foolish clicking happens all along the corporate food chain.

The real problem, though, is that all the easy human ways to spot troublemakers like the Storm attacks don't work against 21st-century malware. Instead of coming in big and brassy, as an e-mail attachment or on removable media, most malware today slides in when you visit a site that's been cracked and now contains a XSS (cross-site scripting) exploit or an unguarded social network page with a visitor-added link concealing a CSRF (cross-site request forgery) attack. You click on what appears to be a link (you may even see the page you expected) and in the meantime, your PC is downloading the latest attack code (and maybe scooping up your stored cookies as it goes along).

And one more thing: The Macintosh's burgeoning popularity isn't limited to just the good guys. The recent success of the hackers targeting the Mac at CanSecWest's Pwn 2 Own competition, in which security on the MacBook Air was breached before the defenses on the Windows Vista machine also in the competition, shows that there's no safety even in the platform commonly perceived to be somehow immune from the problems Windows users have faced for years. Next up? Most observers predict that the long-awaited boom in malware targeting mobile users is near at hand.

... and in this corner, the defense team

According to Symantec, nearly two-thirds of all threats were detected in 2007. There will doubtless be even more arriving in 2008. By 2009, Jari Heinonen, Asia-Pacific vice president at F-Secure, predicts that "the total number of viruses and Trojan [horses] will pass the 1 million mark." (If, indeed it hasn't already, as some reports claim.) These newborn malware pests are harder than ever to discover, challenging the authors of anti-malware software to keep abreast not only of a rising tide of threats but to battle threats that look entirely unique.

It used to be that all an antivirus program needed to do was to detect a virus' simple signature -- a unique sequence of numbers derived from the bug's executable code -- to identify the intruder and blast it into kingdom come. That was then. This is now. Any self-respecting malware program today is polymorphic. That's a fancy way of saying it keeps changing itself every time another copy is made so that it doesn't look exactly the same to antiviral programs. And increasingly, those programs are using server-side polymorphism, which means that the infection arrives on your machine pre-mutated, so your antivirus package can't even spot a suspicious arrival by noticing that it carries code for a mutation engine.

Page Break

Another common malware trick is to simply disguise the bug du jour using a packer program. A packer, just like the Zip utility you probably keep around to compress and decompress files, squeezes the unsocial program into an unrecognizable format. Then, when the time is right, which is likely these days to be at some random time after it's arrived, the bug unpacks its luggage and starts making a mess of your PC. Other disguise techniques turning up include encryption and, for script-based attacks, obfuscation attempts.

The anti-malware people continue to come up with signatures for both old and new malware programs in all their various polymorphic, packed, encrypted, obfuscated "glory." As you might guess, this isn't easy. Antivirus companies now run labs 24/7 to generate up-to-date signatures for your security programs.

A more modern and efficient way to tackle malware is to look not at what the programs look like, but at what they're capable of doing. This technique is called heuristics. The term itself is taken from the Greek for "rule of thumb," and the practice, as conducted in the human brain, is a combination of creativity plus common sense. In the security-software "brain," it entails applying rules of behavior rather than simple pattern-matching.

For example, your anti-malware scanner might find it a little odd that a new program seems to have the ability to open your Outlook and Gmail address books without requiring any user commands. "Hmmm," the scanner says to itself, "This doesn't look good." And, of course, it's right.

Still another approach is to simply give the suspicious program some virtualized space from which the rest of the system is protected. This is called a sandbox -- to do its business and see what happens. If it tries to dance a fandango on your financial files, we know it's a baddie. Some programs provide for sandboxing; others require administrator setup.

Zeroes and heroes

You may have noticed something with all these anti-malware techniques: They're all reactive. That's not good. But as things stand now, there has to be a problem for the engineers to react to; only then can they release a program update to care of the latest problem. Zero days (a.k.a. 0days) are a by-now-familiar shorthand for security vulnerabilities for which no patch yet exists. Seeing what a zero-day vulnerability means for both sides of the malware fence provides a sense of how each manages the situation.

Malware writers may pass each other news of zero-day discoveries for days or weeks before the makers of the compromised software know there's trouble. In a few cases, researchers who haven't been able to get the attention of a large software vendor have gone public with their information, either to prove they had the knowledge or to shame the manufacturer into doing the right thing and patching up.

But even when it's no longer zero day, the game isn't over. The same day that a zero-day security problem in Vista is fixed, for instance, malware makers start working like beavers on speed to retrofit their malware to use that "fixed" security problem.

What's that you say? Why would they do that when the hole has been patched? They do it because with a gazillion systems running Windows, they know that the sooner they get their rejuvenated trash program out there, the greater number of vulnerable systems it'll still find during the remaining "vulnerability window."

Page Break

This happens to some extent because proprietary operating systems and programs rely in part on the mistaken idea of security by obscurity: If no one knows there's a hole, the logic goes, then no one can exploit it. That works, so long as no one knows the hole is there. But if someone does know about the hole -- as is always the case by the time a patch is finally issued for it, thanks to excellent communications among malware factions -- then there's no security at all. The bug carnivals in the news during much of 2006 and 2007, in which security researchers declared that they were going to reveal a bug in a particular software or operating system every day for a certain amount of time, were based on that idea of shaming manufacturer out of the security-by-obscurity mind-set. According to logic, if researchers can point to a different vulnerability every day for a week/month, companies will be forced to address systemic problems in their security awareness.

Your first line of defense is, of course, to update your software as soon as humanly possible and to keep abreast of what's happening out there. If you're a network or system administrator, you need to keep an eye on zero-day tracking news sites like the Secunia Advisories by Product listings. If you see a product listed with a hole on such lists, you know that the program or operating system has a known security problem. Hopefully, the program's vendor, or a white hat hacker or researcher, will have a fix available before a baddie exploits the problem. In the meantime, these trackers will give you the information you need to keep an eye out for unexplained behavior from newly vulnerable software. That usually but not always means that the software vendor has to patch as soon as humanly possible, but on occasion a third party or even the researcher who first spotted the problem will have a patch prepared faster.

The dangers of installing third-party patches versus letting a zero-day flap in the breeze is a risk-tolerance question that most IT professionals will confront at least once in their careers; alas, there's no one-size-fits-all answer. And if you are unlucky enough to get hit by a zero-day attack anyway, there are ways of at least detecting and limiting the damage from such attacks.

Here, we move away from PC-centric protection to monitoring your network. If your company doesn't have network auditing and network intrusion-prevention tools, it needs them. The name of the game is to look for unexpected network traffic and network scanning activities. For example, there's no reason on Earth that Joe-in-accounting's workstation should be trying to reach a SMTP server when there's nothing else operating on his machine because he is out sick.

In short, if your PCs and servers start producing unusual network traffic patterns -- even if it's just a higher volume of ordinary network traffic -- you may, heuristically thinking, have malware on your systems. Poring over endless logs may not sound like a party to you, but keeping logs of Web requests may allow you to spot patterns over time if you suspect trouble. You should also fight the impulse to install everything plus kitchensink.exe on the servers and systems you monitor. In a world where patching eats up more and more of your time every month, the fewer programs you have running means the fewer attack surfaces available to the enemy.

If all this makes it sound like securing your systems from malware is a thankless task, well, you're right. On the other hand, it's also absolutely necessary work. Twenty-first century malware doesn't hurt you or your company by trying to wreck your systems with one massive attack. Instead, it seeks your ruin with the death of a thousand small cuts -- here, an important password, there a vital account number. But at the end of it all, today's malware is far more dangerous and more deadly than such historically more dramatic events as the Morris worm.

Steven J. Vaughan-Nichols has been writing about technology and business since smoke signaling was the hot new wireless communications technology.