Feeds

It's time to pick your favourite virus

Infection vectors

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Comment The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However...

The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors.

No, I'm not referring to any generic, run-of-the-mill email virus that requires a user to first click on yet another executable attachment. The authors of Beagle/Bagel, Netsky, Mydoom and Erkez/Zafi should hang their hats, head down into their dark basement dwellings, and get back to work. Their latest variants released this year can barely stifle a yawn.

The best viruses are the ones that use new, novel propagation techniques that really work. Forget social engineering. Yes it still works, and yes it will always work, but it's also an excruciatingly boring way to target only the lowest of the low-hanging fruit. Just because a new virus variant was able to trick my Aunt Fern into clicking on it doesn't mean it's novel, innovative, or even interesting. I can tell my Aunt Fern a thousand times not to click on that attachment, and mark my words: one day, she's not going to click on it. Her action sets the virus in motion. Click, infection. Action, reaction. These are topics that she can conceptually understand.

Viruses that spread without human intervention are called worms, of course. These are a little harder to explain to the public at large. But worms have been having a tougher time lately, as personal firewalls become more commonplace (think XP SP2), home routers become the norm, and most Windows systems have automatic updates turned on. Old worms continue to crawl the Internet, infecting and reinfecting a few million unpatched machines, but the fact is that there hasn't been a major outbreak in quite some time. A long time ago I tried to explain the concept of a worm to my Aunt Fern, and even when she stopped squirming, I'm not sure if she was able to understand.

No warning, no notification, no noise at all

Try to explain to an average user about web-based virus droppers that install backdoors and worms via a browser, however. These average users are people that SecurityFocus readers typically support, people found everywhere in corporations, government, and in homes around the world. They visit a website (either directly, via a search engine, or via a simple link sent in an instant message) and ten minutes later a backdoor has been installed on their machine. No warning, no notification, no noise at all. Should I tell my Aunt it's no longer safe to click on web links? Give me a break.

Think this won't happen? Imagine the response when a high profile website (or its ad server) is compromised... the opportunity will appear again.

Getting infected via the web makes me feel like I'm in grade school again. The Web and web browsers are now the perfect place for virus writers to find new ways to infect a fully patched, firewalled machine. After all, it's a lot easier to find unpatched, exploitable holes in Internet Explorer than it is to automate your way through a personal firewall. Once inside, it's much easier to call home, download updates, and then start to spread. Isn't it great that Internet Explorer is now a part of the operating system?

While I've written about it before, the infamous CoolWebSearch family of malware is still my favorite of these malicious creations, because it's still very current, very nasty, and it's the clearest example of how you can easily get a virus-backdoor-trojan-worm (your choice) installed through your browser. Just click on a web link using Internet Explorer.

Since these "droppers" commonly exploit known and unpatched vulnerabilities, they are continually updated and enhanced (and are still extremely difficult to remove). As a virus dropper, it's an easy way to deliver and install an even nastier virus of someone's choosing. Basically, your users can still visit a website with a fully patched machine that allows for the download and execution of arbitrary code. Without user interaction (and no, I don't consider clicking on a web link to be "user interaction," thank you very much). Try to explain that one to Aunt Fern.

Many people in the security community look at viruses now with disinterest, because our defense-in-depth strategy makes us feel protected. As virus writers find new infection vectors that use a browser, however, your big investment in multi-layered security starts to look woefully ineffective. Think web based infection vectors. I think I've found my favorite virus (well, virus family) after all.

Copyright © 2005, SecurityFocus logo

Kelly Martin has been working with networks and security for 18 years, from VAX to XML, and is currently the content editor for Symantec's independent online magazine, SecurityFocus.

Related stories

Trojan Horse Christmas
Bofra worm sets trap for unwary
Rise of the Botnets
PCs throw nine sickies a year

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.