Delivering the 12kb Bomb

Total system compromise, some assembly required

The average size of email-borne viruses so far this year has been well under 20 kilobytes. A young virus writer, sitting in his underwear in his parents' dark basement, takes a hex editor and modifies a few bytes of the latest Netsky.M (16.5kb), Beagle.J (12kb) or Mydoom.G (20kb) mutation, spawns a new virus variant, and then releases it into the wild. The resulting few thousand compromised machines, a conservative estimate perhaps, will sit naked as drones or "bots" on the Internet, waiting patiently for their summons and commands.

A mere 12 kilobytes of action-packed code is impressive. For a 12 kilobyte Beagle, you get total system compromise, plus a highly effective spam engine. This short column, in comparison, is about 29kb of plain text and HTML. A 12 kilobyte binary is thus very small. The latest code that brings a Microsoft computer to its knees is small enough that it could be silk-screened onto an extra-large t-shirt: a walking time bomb, if you will. With today's monolithic software programs and operating systems, often barely fitting compressed on a CD-ROM, it's easy to see how small bits of malicious code can slip under the radar.

David vs. Goliath

I still remember the days, many computer-years ago now, when BackOrifice and SubSeven Trojans first came out. At just over 100kb, they were impressive in their day. Back then most people were running Windows 98, and a small 100kb email attachment could easily slip into the operating system and wreak havoc without ever being noticed. Today these 100kb Trojans are monolithic in comparison to our modern email-based worm-virus-backdoor-spam-engines that tend to be under 20kb; these old relics are still a useful footnote, however, for watching the long-term evolution of malicious code.

Speaking of monolithic: Windows XP Home Edition requires approximately 1,572,864 kilobytes (1.5Gbytes) for a typical install, according to Microsoft. Of course, it's better/faster/easier-to-use than previous versions, as the advertisements say, and if you believe the literature too it's also less buggy and significantly more secure. The public relations spin machine for such a large company is fascinating to me - Windows has become bloated into millions and millions of lines of code, yet it only takes a mere 12 kilobytes to provide full system compromise and an annoying spam engine. The divide between David and Goliath has never been greater.

Consider an analogy on the size of modern malicious code: if Windows XP were the size of the Empire State Building, then the little barking Beagle virus - the size of a small dog - can come in through the front door, lift its leg, deliver its payload, and somehow cause the entire building to come crumbling down. Or, Beagle can simply hold the door open automatically, so that a large cement truck can drive in and deliver its mystery payload to the base of the operating system as required.

When Size Matters

The latest craze in the virus-worm-spam war has seen computer worms crawling inside of other computer worms - like watching maggots crawl on top of each other as they make their way through a tender piece of meat. Some of the latest worms found in the wild have multi-vector propagation algorithms and also make use of previous viral infections by Beagle and Mydoom. So basically you start with 12kb of code, whereby Beagle slips into your email and under the radar, opens a backdoor, and then gets automatically disabled and replaced later in the week by a yet-more malicious and larger piece of worm code - perhaps new code that tunnels the user's GUI onto the Internet, provides full remote-control capabilities, records keystrokes and searches for a user's sensitive data.

Worms are crawling on top of worms, eating out holes in Microsoft's dominant operating systems like a giant piece of Swiss cheese in front of thousands of tiny, malicious rats. I do not know to what extent Microsoft's code is scrutinized through an exhaustive security audit, but two years after Bill Gates' long-heralded announcement the holes in the cheese are larger than they've ever been.

It is no wonder that dozens of virus variants appear just a week or two after the first incarnation is released into the wild - fitting a backdoor and a highly effective SMTP spam engine into a mere twelve kilobytes of code is not easy, and many young programmers want to learn how it's done. Microsoft could learn a few things from these bright, if misaligned, people to help them write more efficient code.

Perhaps with more efficient code, Windows XP on a modern AMD Athlon, Intel Pentium or Celeron with a gig of RAM would actually run more quickly and be more secure than Windows NT was on an old P-100 with 32 MB of RAM. Who knows? For now we're stuck with millions and millions of lines of code compiled into a giant operating system that can be wiped out of existence remotely with nothing but a small 12 kilobyte piece of code, launched by someone in his underwear on the other side of the world.

Copyright © 2004

Kelly Martin is the content editor for SecurityFocus.
