Today’s threats spread further and faster than ever before. In the good old days, viruses could only travel as fast or as far as a users’ activity allowed them to. Boot sector viruses relied on the exchange of floppy disks in order to spread. Things changed significantly when macro viruses appeared in 1995, since they were able to piggyback all emails sent by the infected user. Even macro viruses relied on unsuspecting users to exchange infected files. However, it took computer worms to truly change the virus landscape. And updating antivirus solutions became critical once worms came to stay.
Melissa, which appeared in March 1999, marked a quantum leap forward in terms of speed of infection. Unlike earlier macro viruses, which waited for the user to send the infected data, Melissa hijacked the email system to spread itself proactively. All that was required of the user was to double-click on the infected email attachment. After this, the virus harvested email addresses from the Outlook address book and sent itself directly to the contacts listed in it. This mass-mailer was able to spread further and faster than any previous macro virus. As a result, infected corporate email systems quickly became clogged with email and many simply crashed under the pressure.
It’s hardly surprising that Melissa set a trend. Since March 1999, nearly all of the major viruses and worms to threaten corporate and home users have included mass-mailing capability. However, other developments have also combined to enable threats to spread more quickly.
In the first place, an increasing number of threats in recent years have made use of system exploits to enable them to get a foothold in the corporate network and spread more rapidly. Such attack methods were previously associated with the activities of hackers, rather than virus writers, so this marked a significant departure from the older generation of viruses. Previously, virus writers relied on their own code in order to spread and let the unsuspecting user do the rest. Increasingly, today’s threats have woken up to the potential helping hand provided by vulnerabilities in common applications and operating systems. Interestingly, Melissa was the first threat to make use of an application vulnerability, tapping into the spreading capability offered by Microsoft Outlook.
However, it wasn’t until 2001, with the appearance of CodeRed and Nimda, that this started to become a stock-in-trade of viruses and worms. CodeRed, which appeared in July 2001, was a ‘file less’ worm. In a complete departure from existing virus practice, the worm existed just in memory and made no attempt to infect files on the victim machines. The worm used a Microsoft IIS server vulnerability (MS01-033 ‘Uncheck Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise’) to attack Windows 2000 servers. It spread via TCP/IP transmissions on port 80, launching itself in memory via a buffer overflow and then sending itself in the same way to other vulnerable servers.
Nimda appeared shortly afterwards, in September 2001 and, unlike earlier mass-mailing threats, didn’t rely on the user to click on an infected EXE file attached to an email message. Instead, it made use of an Internet Explorer vulnerability to launch itself automatically on vulnerable systems (MS01-020, ‘Incorrect MIME header can cause Outlook to execute email attachment’). This was a six month old vulnerability, but a great many systems were still un-patched and vulnerable to attack and the use of this vulnerability helped Nimda to infect systems all over the globe in the space of just a few hours.
The use of system exploits has now become commonplace. In fact, some threats have avoided the use of ‘traditional’ virus techniques altogether. Lovesan, Welchia and, more recently, Sasser are examples of Internet worms pure and simple. There’s no mass-mailing, there’s no requirement for a user to run an infected program. Instead, these threats spread directly across the Internet, from machine to machine, using various system vulnerabilities.
Others combine the use of system exploits with other infection methods. Nimda, for example, incorporated several attack mechanisms. As well as the mass-mailing aspect of the virus outlined above, Nimda also appended viral exploit code (in the form of infected Java code) to HTML files. If the infected machine were a server, a user became infected across the web when they accessed the infected pages. Nimda went even further in its efforts to spread across the corporate network by scanning the network for accessible resources and dropping copies of itself there, to be run by unsuspecting users. On infected machines, the virus also converted the local drive(s) to open shares, providing remote access to anyone with malicious intent. For good measure, Nimda also used the ‘Web Folder Traversal’ security breach in Microsoft IIS (Internet Information Server) to infect vulnerable servers by downloading a copy of itself from already infected machines on the network. Nimda’s multi-faceted attack strategy, coupled with its use of system vulnerabilities, led many to refer to this as a ‘blended attack’.
This trend has continued. Many of today’s ‘successful’ threats (successful from the author’s perspective, that is) make use of multiple attack mechanisms and use system vulnerabilities to bypass the user and launch code automatically, dramatically reducing the ‘lead time’ between the appearance of a new threat and it reaching epidemic proportions. There’s no question that today’s threats are faster than ever before. Where it used to take weeks, or even months, for a virus to achieve widespread circulation, today’s threats can achieve worldwide distribution in hours – riding on the back of our business-critical email infrastructure and exploiting the increasing number of system vulnerabilities that give them a springboard into the corporate enterprise.
The number of new threats continues to grow steadily, with several hundred new threats appearing every day. As outlined above, many of today’s threats are a composite ‘bundle’ containing different types of threat. Malicious code writers have at their disposal a wide-ranging malware ‘menu’. Alongside the ‘traditional’ threat from viruses, there are now email and Internet worms, Trojans and various other types of threat. Often a virus or worm will drop a Trojan backdoor onto the infected system. This allows remote control of the machine by the author of the virus or worm, or by whoever has ‘leased’ the Trojan from them for spam propagation or other malicious purposes. Or the code may include a Trojan downloader, specifically designed to pull down malicious code from a remote site – perhaps an update to the virus or worm. Then again, it may include a Denial-of-Service (DoS) attack, designed to bring down a particular web site.
Antivirus products have become increasingly sophisticated over the years, to deal with the growing complexity of viruses, worms Trojans and other malicious code. This includes proactive detection mechanisms designed to find new, unknown threats even before they first appear in the field. Nevertheless, regular updating of antivirus protection is more important than ever before, given the speed at which today’s threats are able to spread. That’s why antivirus vendors have sought to reduce the time interval between virus definition updates, from quarterly, to monthly, to weekly, and finally to daily updates. And Kaspersky Lab now provides updated virus definition files every hour on the hour.