Teach your children well

As the computer war advances and defensive technology improves, malicious code writers have been forced to get more creative. With end-user trepidation on the rise and more caution used when opening e-mail attachments, virus, worm and Trojan writers have moved on to better social engineering as a means of getting the payload inside. In fact, almost all viruses – and a great deal of worms and Trojans – rely on user curiosity or naivety to breach the corporate walls.

The Kournikova virus was social engineering art. Millions of end users, figuring the e-mail might contain a sultry photo of the world’s most popular tennis player, opened what appeared to be a JPEG. Had they given the attachment a cursory glance, they would have noticed the file name was a little strange: kournikova.jpg.vbs. The final extension is the one that counts: it was a Visual Basic Script file and thus potentially infected with a virus.

When virus writers get lazy, figuring their machine-generated creations will get picked off by the most basic anti-virus software, there is always the hoax. These are a fraction of the work, nearly untraceable, demonically creative and potentially as damaging (especially for the neophyte computer user). The hoax often warns of a malicious file, invariably found on all Windows operating systems, which will destroy the computer if not deleted. The chosen “malicious” file is almost always a system file needed by the OS.

“[A hoax virus] is beautiful. It is anarchy at its best and the beauty is that you did it to yourself,” said one IT manager who has had to repair a few hoax-related snafus and, for obvious reasons, requested anonymity.

Herein lies one of the biggest problems facing computer security: though systems design flaws frequently leave openings for hackers, viruses, bots, Trojans and rogue code usually get into computer systems by taking advantage of end-user ignorance. Though anti-virus companies generally have virus warnings posted within hours of their known existence, thus allowing IT managers to stop them at the door, it is often too late. The Internet, for all its good, is a dream come true for the malicious code writer: millions of potential victims ripe for the picking.

at least it wasn’t 1984

1982 seems to be the year computer viruses and worms were officially acknowledged to exist. That was the year Apple computer viruses were “found in the wild,” according to Symantec. It was also the year two Xerox researchers created worms, programs which make copies of themselves and need no human intervention to spread, in order to facilitate distributed computing. In a preview of things to come, the worms apparently wreaked havoc on the systems, which had to be shut down.

It is rare a day goes by without a new virus being released, a worm being created or a corporate system flooded by a denial-of-service (DoS) attack. Corporate IT managers have to constantly monitor systems to avoid falling prey to the latest attacks, some of which have been spectacular in both the speed of their spread and extent of their damage.

The Nimda worm was a brilliant yet nasty piece of work. In just 24 hours after its discovery in September 2001, it was calculated to have infected 2.2 million computers. No benign worm, Nimda was designed to scan networks looking for unpatched versions of Microsoft Internet Information Server. Using a specific exploit in the technology, it then attempted to gain control of the server, giving a hacker unauthorized access and administrator privileges. Subsequent clean-up was calculated to have cost in excess of US$500 million. The Code Red worm, which preceded Nimda by a few months, left behind a clean-up bill reminiscent of the Exxon Valdez oil spill. Most estimates put the cost at more than US$2 billion.

Home-grown Canadian talent Mafiaboy, with little knowledge of the technology he used, managed to bring down some of the largest Web sites on the Internet. Amazon, Yahoo and CNN all fell prey to his distributed denial-of-service attack and it is unlikely he would have been caught had he kept his mouth shut. Bragging on a bulletin board led the cops to his lair.

denial floods like a river

Denial-of-service attacks are, simply put, the denial of access to a computer system or network. The most common DoS attacks involve the flooding of a corporate Web site so legitimate users can’t get the information or services they desire. Other than rare cases of true political hacktivism, most DoS attackers seem to do it simply because they can. Machismo to the max.

There is some debate as to whether a talented hacker with a well-planned and thought-out distributed attack can actually be stopped. The general consensus is that he can’t. “We cannot prevent (well planned) distributed denial of services, but we can mitigate the exposure the customer has,” said Ron Ross, CEO of JETNET Inc. in Ottawa.

Victor Keong, partner responsible for attack and penetration services with Deloitte & Touche in Toronto, agrees. “It is going to be hard to defend…because a very well planned distributed denial of service (DDoS) can just look like heavy use.” But as more and more of the major suppliers of Internet bandwidth (the UUNETs, AT&Ts and Bells of the world) get involved in stopping DDoS attacks, the job will become easier.

“They are on the lookout and are working together to stop them from even happening by cutting off DDoS attacks (locally) as they start,” he added.

On a positive note, Ross says the well orchestrated DDoS is a rare occurrence. “The DoS is probably 1,000 times more common than a DDoS,” he said. “[Distributed attacks] are the work of a sophisticated hacker and we don’t see too many of those.”

A distributed attack is much harder to thwart because, by its very nature, it is coming from all directions. Shutting off contact from a specific location will not stop the attack. In the past, typical DDoS attacks used many servers from one location (universities were a common target), and once the origin of the attack was pinpointed, contact could be shut off. But with e-mail dropping Trojans and worms onto millions of unprotected computers, the DDoS attacks of today are much more sophisticated. Code Red is capable of launching DDoS attacks on IP addresses and, according to experts, still lurks undetected in the dark recesses of the Internet.

prevention is the solution

“If you have only one point of failure, be it a router or a firewall…you are susceptible to a large scale denial of service and there is very little you can do about it beyond switching off the IP,” said Vincent Weafer, senior director of Symantec Corp. Security Response in Santa Monica, Calif.

But Weafer said the technology designed to deal with DoS attacks is getting better. “We have come a long way from two years ago when you had the very high profile denial of service attacks.”

Larry Karnis agrees, adding that a good relationship with your ISP is key to a successful defence. “For DoS your first point of defence is having an ISP which is competent,” said the senior consultant with Application Enhancements Inc. in Brampton, Ont. A good ISP can react quickly to a request for help and put a packet filter on the link, especially if it is an HTTP attack where zombies are told to download Web pages as fast as possible from a URL, he explained. A packet filter can deny requests over a certain size. Obviously no legitimate end user is going to be reading 1,000 pages at a time.

Another solution is to limit the number of requests coming through a given IP address. “After say 5,000 (requests), turn off the service,” Ross suggested.
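The per-address cap Ross suggests, run over constructed traffic as an added example (not code from the article or from any vendor quoted in it). It also shows the limit raised earlier for distributed attacks: the same total load spread over many addresses never trips the cap. The 60-second window, the function names and the sample addresses are assumptions; the article gives only the 5,000 figure.

```python
from collections import deque

PER_IP_CAP = 5000     # Ross's figure from the article
WINDOW_MS = 60_000    # assumption: the article names no time window


def over_cap(events, cap=PER_IP_CAP, window_ms=WINDOW_MS):
    """events: (timestamp_ms, ip) tuples sorted by time.

    Returns {ip: timestamp_ms at which it first exceeded the cap}.
    """
    recent = {}    # ip -> timestamps still inside the sliding window
    blocked = {}
    for ts, ip in events:
        if ip in blocked:
            continue            # service already turned off for this address
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while q[0] <= ts - window_ms:
            q.popleft()         # forget requests older than the window
        if len(q) > cap:
            blocked[ip] = ts
    return blocked


def single_source_flood():
    """Constructed: one address sends 6,000 requests in 30 seconds."""
    return [(i * 5, "203.0.113.9") for i in range(6000)]


def distributed_flood():
    """Constructed: 200 addresses send 30 requests each in the same 30 seconds."""
    return sorted((s * 1000 + n, f"198.51.100.{n}")
                  for s in range(30) for n in range(1, 201))


if __name__ == "__main__":
    print("single source :", over_cap(single_source_flood()))
    print("distributed   :", over_cap(distributed_flood()))
    print("requests in each case:", len(distributed_flood()))
```

Both samples carry 6,000 requests in 30 seconds; only the single-source one is cut off, which is why the cap is paired with upstream filtering and spare bandwidth.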

Regardless, redundancy needs to be in place. “If you have only one Internet pipe, you are asking for it,” Keong said.

While a Web site manager is dealing with the attack by filtering packets, dropping illegitimate requests, blocking IPs and closing ports (when required), there needs to be a system in place to deal with the extra traffic as it comes in, because not all of the attack machines can be deflected or cut off. Since you don’t want to lose regular customers, it is necessary to let all potentially legitimate traffic through. Extra bandwidth will be needed as the attack is dealt with. If it is done successfully, your customers need be none the wiser. Often the extra bandwidth requires nothing more than a contract with your ISP to make it available in the case of a denial of service attack. The alternative is not acceptable.

“Today, if you are down for even a (short) period of time, it is considered a business risk,” Weafer said.

the virus scourge

The days of awe-inspiring virus writers are pretty much over. Today, script kiddies seem to dominate this domain. But just because they are downloading tools to create the viruses, know little about the core technology they are creating and are probably social geeks, it doesn’t mean they shouldn’t be feared.

“You can’t underestimate the script kiddies,” Weafer warned. “With the huge democratization of information…(they) can do quite complex attacks against your system…because the tools are already out there.”

The script kiddies aren’t the only ones a tad shy in the brains department.

Most e-mail viruses spread because end users open them. Most companies have tried to take the decision out of the employee’s hands by loading up-to-date anti-virus software at critical points on the corporate network, not the least of which is the e-mail server. This works once the virus has been detected and the system has been configured to remove it. But there is always a time when viruses enjoy a moment of anonymity before the storm winds blow. It may be only a few hours, but often this is enough. The ILOVEYOU bug spread around the world and into millions of e-mail inboxes while many of us were sleeping. Santa Claus should be so efficient.

“Viruses, Trojans, worms, things like that – it is very rare that a day goes by that we don’t see new ones,” said Ken Armstrong, senior network security engineer with CanCERT, an Ottawa-based Canadian computer emergency response team.

Anti-virus vendors make all sorts of claims about how their technology employs heuristics, whereby new viruses are “sniffed out” and pulled from the system before they get to the end user. But viruses still get through. The never-ending battle is much like the cold war arms race. Though anti-virus manufacturers seem to have the upper hand today, it is only a matter of time before the pendulum swings the other way.

In order to keep on top of the virus war, companies need responsible end users, not ones who act like Pavlovian dogs opening attachments because they have been programmed to believe there is a treat inside. Harsh words, but true nonetheless. Viruses spread because people don’t think when they open e-mail attachments.

Different companies have different ideas how to “teach” employees to be more responsible. Karnis’s company is working on technology that would pull attachments aside and rename them so the end user has to manually rename them to open them. This would give them time to think – a key to slowing down a virus’s spread.

“We think that feature alone would probably stop about 95 per cent of all virus attacks,” Karnis said.

Ken Nishidera, product manager of managed security services with AT&T Global Network Services in Thornhill, Ont., is not so sure this will work. “As long as there is some kind of time delay in opening the file, it is going to be a tough sell to the end user,” he said. Nishidera admits that he too sometimes opens attachments too quickly.

Karnis agreed. “People tend to operate on auto-pilot.”
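A sketch of the set-aside-and-rename idea described above, combined with the file-name check that would have flagged kournikova.jpg.vbs. This is an added example, not Karnis’s product or any code from the article; the extension lists, the `.held` suffix and the function names are assumptions.

```python
from email.message import EmailMessage

# Assumptions: the extension lists and the hold suffix are illustrative only.
RISKY = {"vbs", "js", "exe", "scr", "bat", "pif", "com"}
DECOY = {"jpg", "jpeg", "gif", "txt", "doc", "pdf", "mp3"}
HOLD_SUFFIX = ".held"  # hypothetical; the recipient must remove it by hand


def classify(filename):
    """Return 'deceptive', 'risky' or 'ok' for an attachment file name."""
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] not in RISKY:
        return "ok"
    # Only the last extension decides how the file is opened, so a decoy
    # in front of it (kournikova.jpg.vbs) is a disguise, not a file type.
    if len(parts) >= 3 and parts[-2] in DECOY:
        return "deceptive"
    return "risky"


def hold_attachments(msg):
    """Rename risky attachments in place; return (old, new, verdict) tuples."""
    changes = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict = classify(name) if name else "ok"
        if verdict == "ok":
            continue
        held = name + HOLD_SUFFIX
        part.set_param("filename", held, header="Content-Disposition")
        changes.append((name, held, verdict))
    return changes


def sample_message():
    """Constructed message: one disguised script, one ordinary image."""
    msg = EmailMessage()
    msg["Subject"] = "photo for you"
    msg.set_content("See the attached picture.")
    msg.add_attachment(b"' inert placeholder", maintype="application",
                       subtype="octet-stream", filename="kournikova.jpg.vbs")
    msg.add_attachment(b"\xff\xd8\xff\xd9", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    return msg


if __name__ == "__main__":
    for old, new, verdict in hold_attachments(sample_message()):
        print(f"{verdict}: {old} -> {new}")
```

With the suffix in place a double-click no longer runs the script; the recipient has to rename the file first, which is the pause the feature is meant to create.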

Armstrong said companies have to go beyond technology. “Right now technology is not going to solve the problem, people have to be aware of what the issues are,” he said.

He suggests regular alerts and reminders so employees are up to date on what is going on, along with a half-day IT security and awareness briefing annually just to reinforce the concepts.

Like most battles, simplistically reduced to good and evil, the winning side is usually the one with the most information, not necessarily the most weapons. A more informed workforce can be the deciding factor in a battle that has traditionally been too close to call.