The Inquirer

Spam viruses, worms and worse

They do Windows and very well too
Sat Aug 30 2003, 20:40
"Well, there's... egg and spam; egg bacon and spam; egg bacon sausage and spam; spam bacon sausage and spam; spam egg spam spam bacon and spam; spam sausage spam spam bacon spam tomato and spam...." - Monty Python's Flying Circus

THE LESSON of the SoBig.F emal virus is that we're already in the opening stages of a war. (No, that's not a typo -- "emal" was coined by Mike Magee just the other day to mean "malicious email".) This stealthy war looks to be a long one, because so far it appears we're losing.

Our existing Internet infrastructure can only react to attacks like the aggressive spam flood of SoBig.F and the Windows worm infestations that preceded it. The Internet just isn't yet capable of recognizing and defending against these and other modes of subversion in real time, and it likely won't be for quite some time, because of its simple protocols and distributed structure. The same characteristics that make the Internet so robust, efficient and flexible also make it vulnerable to such forms of attack.

These attacks have already had sobering, even alarming consequences.

The deluges of spam generated by SoBig.F drove a 20-fold increase in Internet traffic about 10 days ago, as reported by NetworkWorldFusion. It carried a payload that attempted to contact 20 websites, presumably to fetch newer and nastier code. This "phone home" behaviour of SoBig.F alarmed some network security researchers, because it showed hybrid attack concepts in practice: by layering zombie-style activity on top of the classic virus trait of propagating by email, it displayed a higher level of malicious coding skill as well as a hint of larger goals.

Fortunately, antivirus researchers were able to disassemble and analyze SoBig.F in time for the targeted servers to be taken offline, so widespread network congestion was the only result of the SoBig.F epidemic... that time. Given the regular appearance of new variants of the SoBig family, it's been suggested that this virus is being developed for some larger goal, perhaps by organized crime. It might be spammers, under pressure from spam blacklist operators, looking for a tool to enlist millions of zombied Windows systems as the ultimate floating crapgame of spamming. It could be merely script kiddies too.

Or malicious recurring spam attacks might be something more sinister.

Barely a few days earlier, the Welchia worm -- which exploited the same hole as MSBlast but attempted to inoculate Microsoft Windows computers against it -- knocked out an estimated three-quarters of the US Navy / Marine Corps Intranet (NMCI): 75,000 US military desktops had to be isolated from the rest of the Internet while EDS scrambled to deal with the new infestation by acquiring and updating antivirus databases, according to the same source. That same well-intentioned but fatally flawed worm also disrupted the networks of Air Canada and CSX, a major US railroad. Those were only the obvious major victims.

Just days before, the original MSBlast worm had hammered the State of Maryland's Department of Motor Vehicles, the US Federal Court of Claims and Georgetown University, as well as paralyzing networks and computers at countless businesses and in tens of thousands of homes, according to Wall Street Technology. Patching of Windows systems continued for several days and distracted large corporations, including IBM, banks and brokerages, and oil and chemical companies.

That network attack coincided with the regional power grid blackout in the Northeast US. It has been conjectured that the widespread network disruptions and rebooting of Microsoft Windows-based systems caused by MSBlast might have triggered the blackout, but that was denied. As a critical observer, one cannot help but note that such denials began the day after the blackout, well in advance of any initial inquiry, much less a thorough and impartial investigation.

The malicious spam virus and worm writers are improving their techniques and becoming more skilled at infecting systems and spreading malware all over the Internet. A few nasty examples have already surfaced and careened wildly around the 'net until being effectively countered. Surely, few have so soon forgotten Nimda, Code Red, Slammer, and the other viruses and worms that plagued the electronic community, however briefly. Hybrid parasites are being created that combine features of viruses, worms and less well-known attacks like trojans, keyloggers and zombies. Self-morphing digital pests have already been written and will only evolve further, finally rendering malware signature matching less effective, if not wholly obsolete, within a few short years. Routers, firewalls and servers will be assaulted with ever more diverse and quickly adaptive forms of network subversion and denial of service attacks. Viruses and worms will become much more subtle, hiding right under the noses of inattentive or incompetent users -- much like the present adware "utilities" that have been spread by P2P applications. An especially elusive and hardy recent example of adware is profiled here.

Anonymous digital crime, both misdemeanors and felonies, is only going to get worse before it gets dealt with effectively. Sometime within the next five to ten years, our digitally connected world will be seriously engaged by something -- probably several somethings -- so stealthy, slippery and cunningly criminal in both planning and execution that existing network and private security measures and infrastructures won't catch the problem in time to prevent a real-world disaster. That could be anything on a scale from widespread filesystem damage or looting of personal finances, through network outages or power disruptions, up to and including serious damage to a large corporation, financial and trading systems, a water supply, transportation gridlock or even a nuclear plant event. It has been reported that the troubled Davis-Besse nuclear plant in Ohio -- shut down earlier this year because it was a mere half-inch of bulging stainless steel liner from a nuclear release that would have beggared Chernobyl -- was infiltrated by the Slammer worm one day last winter.

As suggested above, most malware assaults we've experienced so far have been relatively minor. However, it's distinctly possible that we've already seen a computerized attack on the US financial center in New York. Buying of put options on United and American Airlines peaked far above normal levels just prior to the 9/11/2001 attacks on the twin towers of the World Trade Center, and the investigation into that has been mysteriously stalled for almost two years. Similarly, whatever went wrong in the recent Northeastern US power blackout is being spun by the current US Administration -- before any real investigation -- with assumptions presented as conclusions and prescriptions already being drafted to spend billions of dollars on fixes. Surely there are failings due to prior deregulation to be corrected, and those utilities need to make up for decades of neglecting transmission assets in their shortsighted pursuit of shareholder profits and top executive bonuses. But wouldn't it be wiser to find out what really went haywire first?

If the recent power grid failure in the US was triggered by the MSBlast worm attacking utility or regional transmission authority systems that run Microsoft operating systems, then it might be a really good idea to make sure that can never happen again. One would assume that this would mean something more drastic than admonishing their technical support to keep up to date on critical security patches. Microsoft software EULAs explicitly warn that the software is not suitable for use in systems that are "life and safety" critical. And if a nation's power grid, which keeps the nuclear plants and hospitals and mass transportation operational, isn't life and safety critical, one would have trouble imagining any system that is more important. Covering up such a problem can't be helpful.

This isn't a manifestation of extreme pessimism or depressed doomsaying but simply a recognition of the recent history of malware episodes, the capabilities and vectors available for exploitation by those having bad motives and intents, and the extrapolation of these into the future.

Of course the antivirus software vendors are rubbing their hands in glee at all this damage. Although disinterested estimates of the overall SoBig.F damage to businesses are not too alarmingly high, antivirus firms like Symantec and McAfee tend to publish inflated statistics, with high repair costs, to gain attention for marketing and sales purposes.

But does the marketing hyperbole of antivirus software vendors mean we don't need serious concern about devising more effective ways of preventing or deflecting such attacks? Not at all. The vendors are primarily interested in selling software products, not in solving the problems within current networking protocols, infrastructures and defenses that provide them with such reliably growing business opportunities, and that dynamic is itself one that should worry us.

It goes without saying that these antivirus vendors are not about to pressure Microsoft any time soon to fix the swiss-cheese insecurities in Windows. Despite its lip service to "trustworthy computing", the Vole likely sees antivirus software as just another "embrace and extend" opportunity as well. Nor is it likely that antivirus vendors and Microsoft will be tripping over each other to work with the large telecommunications carriers and government agencies on better-secured Internet protocols and infrastructures.

Can we avoid future disaster? Is there any hope? What should be done?

The answers to these questions seem to be yes, yes, and lots of things. If readers are interested, perhaps we can go into some depth about that latter question in a future article, since this one's grown too long.

Aside from replacing your vulnerable Microsoft desktop with something a lot more secure, one thing you can do immediately is install an effective spam filter. There's the free SpamAssassin if you're already running Linux, or SAproxy, which uses SpamAssassin's methods and runs under Windows. SAproxy asks for a one-time, voluntary contribution of $6.50, but surely your time and peace of mind are worth at least that, should you deploy it.
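As an added illustration of what SpamAssassin-style filtering actually does (this is example code written for this page, not SpamAssassin's or SAproxy's own source), here is a toy scorer in Python. It borrows only the general mechanism: a set of rules that each add points, and a threshold of 5.0, which is SpamAssassin's default required_score. The four rules, their point values and the three sample messages are constructed for this example and are not SpamAssassin's real rule set. The thing worth noticing is that a mass mailer of the SoBig type gets caught by several weak signals adding up, which is why a scoring filter can stop a new email carrier before any antivirus signature for it exists, while a genuine message that happens to carry an attachment scores far below the line.

```python
"""Toy SpamAssassin-style scoring filter (added example, not SpamAssassin's code)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# SpamAssassin's default required_score is 5.0; everything else below
# (rule names, patterns, scores, sample mail) is constructed for this example.
REQUIRED_SCORE = 5.0


def exec_attachment(msg):
    """Any attachment whose file name ends in a Windows-executable extension."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if re.search(r"\.(pif|scr|exe|bat|com)$", name, re.I):
            return True
    return False


def fake_reply(msg):
    """Subject claims to be a reply, but no threading header backs that up."""
    subject = str(msg.get("Subject", ""))
    looks_like_reply = re.match(r"\s*re:", subject, re.I) is not None
    return looks_like_reply and not (msg.get("In-Reply-To") or msg.get("References"))


def see_attached(msg):
    """Body text that tells the reader to open the attachment."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return re.search(r"see the attached file", text, re.I) is not None


def no_message_id(msg):
    """Real mail servers add a Message-ID; crude mass mailers often do not."""
    return msg.get("Message-ID") is None


# (rule name, test function, points added when it matches)
RULES = [
    ("EXEC_ATTACHMENT", exec_attachment, 4.0),
    ("FAKE_REPLY", fake_reply, 1.5),
    ("SEE_ATTACHED_FILE", see_attached, 1.0),
    ("MISSING_MSGID", no_message_id, 1.5),
]


def score_message(raw):
    """Parse raw RFC 2822 text; return (total score, names of matching rules)."""
    msg = message_from_string(raw, policy=policy.default)
    hits = [(name, pts) for name, test, pts in RULES if test(msg)]
    return sum(pts for _, pts in hits), [name for name, _ in hits]


def is_spam(raw):
    return score_message(raw)[0] >= REQUIRED_SCORE


def _build(subject, body, attach_name=None, threaded=False, msgid=False):
    """Construct a sample message as raw text, the form a POP3 proxy would see."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    if threaded:
        m["In-Reply-To"] = "<original.12345@example.com>"
    if msgid:
        m["Message-ID"] = "<sample.67890@example.com>"
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"MZ\x90\x00dummy", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()


# Constructed samples: a SoBig-style carrier, a genuine reply, and a genuine
# message that happens to carry a non-executable attachment.
SPAM_SAMPLE = _build("Re: Details", "Please see the attached file for details.",
                     attach_name="your_document.pif")
HAM_REPLY = _build("Re: lunch on Friday", "Noon works, see you there.",
                   threaded=True, msgid=True)
HAM_ATTACH = _build("Q3 report", "Draft attached; see the attached file and send comments.",
                    attach_name="q3_report.pdf", msgid=True)

if __name__ == "__main__":
    for label, raw in [("spam", SPAM_SAMPLE), ("reply", HAM_REPLY), ("report", HAM_ATTACH)]:
        score, hits = score_message(raw)
        verdict = "SPAM" if score >= REQUIRED_SCORE else "ham"
        print(f"{label:6} {score:4.1f} {verdict:4} {hits}")
```

Run the file to see the per-message scores: the constructed carrier scores 8.0 from four separate signals, the genuine reply scores 0, and the report with a PDF attached scores only 1.0 despite using the same "see the attached file" wording. In a real deployment the equivalent rules live in SpamAssassin's configuration, and a message carrying an executable attachment is better quarantined outright than merely scored.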

Finally, Linux users shouldn't start feeling invulnerable, as the crowd at Hermit's Cave is happy to remind the author in no uncertain terms from time to time. The virus writers will get around to us too, one imagines -- even though Linux is much more of a challenge for them than Windows -- and that day might even be sooner than you think. µ

L'INQS
NetworkWorldFusion 1
NetworkWorldFusion 2
Wall Street Technology
ZDnet UK
USA Today
BBC News
SpamAssassin
SAproxy
