Feeds

It's time to pick your favourite virus

Infection vectors

  • alert
  • submit to reddit

Seven Steps to Software Security

Comment The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However...

The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors.

No, I'm not referring to any generic, run-of-the-mill email virus that requires a user to first click on yet another executable attachment. The authors of Beagle/Bagel, Netsky, Mydoom and Erkez/Zafi should hang their hats, head down into their dark basement dwellings, and get back to work. Their latest variants released this year can barely stifle a yawn.

The best viruses are the ones that use new, novel propagation techniques that really work. Forget social engineering. Yes it still works, and yes it will always work, but it's also an excruciatingly boring way to target only the lowest of the low-hanging fruit. Just because a new virus variant was able to trick my Aunt Fern into clicking on it doesn't mean it's novel, innovative, or even interesting. I can tell my Aunt Fern a thousand times not to click on that attachment, and mark my words: one day, she's not going to click on it. Her action sets the virus in motion. Click, infection. Action, reaction. These are topics that she can conceptually understand.

Viruses that spread without human intervention are called worms, of course. These are a little harder to explain to the public at large. But worms have been having a tougher time lately, as personal firewalls become more commonplace (think XP SP2), home routers become the norm, and most Windows systems have automatic updates turned on. Old worms continue to crawl the Internet, infecting and reinfecting a few million unpatched machines, but the fact is that there hasn't been a major outbreak in quite some time. A long time ago I tried to explain the concept of a worm to my Aunt Fern, and even when she stopped squirming, I'm not sure if she was able to understand.

No warning, no notification, no noise at all

Try to explain to an average user about web-based virus droppers that install backdoors and worms via a browser, however. These average users are people that SecurityFocus readers typically support, people found everywhere in corporations, government, and in homes around the world. They visit a website (either directly, via a search engine, or via a simple link sent in an instant message) and ten minutes later a backdoor has been installed on their machine. No warning, no notification, no noise at all. Should I tell my Aunt it's no longer safe to click on web links? Give me a break.

Think this won't happen? Imagine the response when a high profile website (or its ad server) is compromised... the opportunity will appear again.

Getting infected via the web makes me feel like I'm in grade school again. The Web and web browsers are now the perfect place for virus writers to find new ways to infect a fully patched, firewalled machine. After all, it's a lot easier to find unpatched, exploitable holes in Internet Explorer than it is to automate your way through a personal firewall. Once inside, it's much easier to call home, download updates, and then start to spread. Isn't it great that Internet Explorer is now a part of the operating system?

While I've written about it before, the infamous CoolWebSearch family of malware is still my favorite of these malicious creations, because it's still very current, very nasty, and it's the clearest example of how you can easily get a virus-backdoor-trojan-worm (your choice) installed through your browser. Just click on a web link using Internet Explorer.

Since these "droppers" commonly exploit known and unpatched vulnerabilities, they are continually updated and enhanced (and are still extremely difficult to remove). As a virus dropper, it's an easy way to deliver and install an even nastier virus of someone's choosing. Basically, your users can still visit a website with a fully patched machine that allows for the download and execution of arbitrary code. Without user interaction (and no, I don't consider clicking on a web link to be "user interaction," thank you very much). Try to explain that one to Aunt Fern.

Many people in the security community look at viruses now with disinterest, because our defense-in-depth strategy makes us feel protected. As virus writers find new infection vectors that use a browser, however, your big investment in multi-layered security starts to look woefully ineffective. Think web based infection vectors. I think I've found my favorite virus (well, virus family) after all.

Copyright © 2005, SecurityFocus logo

Kelly Martin has been working with networks and security for 18 years, from VAX to XML, and is currently the content editor for Symantec's independent online magazine, SecurityFocus.

Related stories

Trojan Horse Christmas
Bofra worm sets trap for unwary
Rise of the Botnets
PCs throw nine sickies a year

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.