Feeds

It's time to pick your favourite virus

Infection vectors

  • alert
  • submit to reddit

SANS - Survey on application security programs

Comment The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However...

The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors.

No, I'm not referring to any generic, run-of-the-mill email virus that requires a user to first click on yet another executable attachment. The authors of Beagle/Bagel, Netsky, Mydoom and Erkez/Zafi should hang their hats, head down into their dark basement dwellings, and get back to work. Their latest variants released this year can barely stifle a yawn.

The best viruses are the ones that use new, novel propagation techniques that really work. Forget social engineering. Yes it still works, and yes it will always work, but it's also an excruciatingly boring way to target only the lowest of the low-hanging fruit. Just because a new virus variant was able to trick my Aunt Fern into clicking on it doesn't mean it's novel, innovative, or even interesting. I can tell my Aunt Fern a thousand times not to click on that attachment, and mark my words: one day, she's not going to click on it. Her action sets the virus in motion. Click, infection. Action, reaction. These are topics that she can conceptually understand.

Viruses that spread without human intervention are called worms, of course. These are a little harder to explain to the public at large. But worms have been having a tougher time lately, as personal firewalls become more commonplace (think XP SP2), home routers become the norm, and most Windows systems have automatic updates turned on. Old worms continue to crawl the Internet, infecting and reinfecting a few million unpatched machines, but the fact is that there hasn't been a major outbreak in quite some time. A long time ago I tried to explain the concept of a worm to my Aunt Fern, and even when she stopped squirming, I'm not sure if she was able to understand.

No warning, no notification, no noise at all

Try to explain to an average user about web-based virus droppers that install backdoors and worms via a browser, however. These average users are people that SecurityFocus readers typically support, people found everywhere in corporations, government, and in homes around the world. They visit a website (either directly, via a search engine, or via a simple link sent in an instant message) and ten minutes later a backdoor has been installed on their machine. No warning, no notification, no noise at all. Should I tell my Aunt it's no longer safe to click on web links? Give me a break.

Think this won't happen? Imagine the response when a high profile website (or its ad server) is compromised... the opportunity will appear again.

Getting infected via the web makes me feel like I'm in grade school again. The Web and web browsers are now the perfect place for virus writers to find new ways to infect a fully patched, firewalled machine. After all, it's a lot easier to find unpatched, exploitable holes in Internet Explorer than it is to automate your way through a personal firewall. Once inside, it's much easier to call home, download updates, and then start to spread. Isn't it great that Internet Explorer is now a part of the operating system?

While I've written about it before, the infamous CoolWebSearch family of malware is still my favorite of these malicious creations, because it's still very current, very nasty, and it's the clearest example of how you can easily get a virus-backdoor-trojan-worm (your choice) installed through your browser. Just click on a web link using Internet Explorer.

Since these "droppers" commonly exploit known and unpatched vulnerabilities, they are continually updated and enhanced (and are still extremely difficult to remove). As a virus dropper, it's an easy way to deliver and install an even nastier virus of someone's choosing. Basically, your users can still visit a website with a fully patched machine that allows for the download and execution of arbitrary code. Without user interaction (and no, I don't consider clicking on a web link to be "user interaction," thank you very much). Try to explain that one to Aunt Fern.

Many people in the security community look at viruses now with disinterest, because our defense-in-depth strategy makes us feel protected. As virus writers find new infection vectors that use a browser, however, your big investment in multi-layered security starts to look woefully ineffective. Think web based infection vectors. I think I've found my favorite virus (well, virus family) after all.

Copyright © 2005, SecurityFocus logo

Kelly Martin has been working with networks and security for 18 years, from VAX to XML, and is currently the content editor for Symantec's independent online magazine, SecurityFocus.

Related stories

Trojan Horse Christmas
Bofra worm sets trap for unwary
Rise of the Botnets
PCs throw nine sickies a year

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.