Big Brother Awards
quintessenz search  /  subscribe  /  upload  /  contact  
/q/depesche *
Linuxwochen Österreich Tour
RSS-Feed Depeschen RSS
Hosted by AKIS
<<   ^   >>
Date: 1999-06-17

Schneier über Viren, Würmer & Trojaner

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-

Der Kreator des Blowfish/algorithmus & anderer nützlicher
Schriften im vorausschauenden Rückblick auf die viralen
Ereignisse des Jahres 99.
Bruce wird bei zwei der wichtigsten Events des Jahres,
nämlich den Black Hat Briefings sowie der Defcon Anfang
Juli als Redner vertreten sein.

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
Bruce Schneier
Looking back from the future, 1999 will have been a pivotal
year for malicious software: viruses, worms, and Trojan
horses (collectively known as "malware"). It's not more
malware; we've already seen thousands. It's not Internet
malware; we've seen that before, too. But this is the first
year we've seen malware that uses e-mail to propagate over
the Internet and tunnel through firewalls. And it's a really big

Viruses and worms survive by reproducing on new
computers. Before the Internet, computers communicated
mostly through floppy disks. Hence, most viruses
propagated on floppy disks, and sometimes on computer
bulletin board systems (BBSs).

There are some obvious effects of floppies as a vector. First,
malware propagates slowly. One computer shares a disk
with another which shares a disk with five more, and over the
course of weeks or months a virus turns
into an epidemic. Or maybe someone puts a virus-infected program on a bulletin board, and thousands get infected in a week or two.

Second, it's easy to block disk-borne malware. Most anti-virus programs can automatically scan all floppy disks. Malware is blocked at the gate. BBSs can still be a problem, but many computer users are trained never to
download software from a BBS. Even so, anti-virus software can automatically scan new files for malware.

And third, anti-viral software can easily deal with the problem. It's easy to write software to block malware you know about. You simply have the anti-virus scanner search for bit strings that signify the virus (called
a "signature") and then execute the automatic program to delete the virus and restore normalcy. This deletion routine is unique per virus, but it is not hard to develop. Anti-viral software has tens of thousands of sign
atures, each tuned to a particular virus. Companies release them within a day of learning of a new virus. And as long as viruses propagate slowly, this is good enough. My software automatically updates itself once a mo
nth. Until 1999, that was enough.

What's new in 1999 is e-mail propagation of malware. These programs -- the Melissa virus and its variants, the Worm.ExploreZip worm and its inevitable variants, etc. -- arrive via e-mail and use e-mail features in modern
software to replicate themselves across the network. They mail themselves to people known to the infected host, enticing the recipients to open or run them. They don't propagate over weeks and months; they propagate in
seconds. Anti-viral software cannot possibly keep up.

And e-mail is everywhere. It runs over Internet connections that block everything else. It tunnels through all firewalls. Everyone uses it.

It's easy to point fingers at Microsoft. Melissa uses features in Microsoft Word (and variants use Excel) to automatically e-mail itself to others, and Melissa and Worm.ExploreZip make use of the automatic mail features
of Microsoft Outlook. Microsoft is certainly to blame for
creating the powerful macro capabilities of Word and Excel,
blurring the distinction between executable files (which can
be dangerous) and data files (which, before now, were safe).
They will be to blame when Outlook 2000, which supports
HTML, makes it possible for users to be attacked by HTML-
based malware simply by opening an e-mail. Microsoft set
the security state-of-the-art back 25 years with DOS, and
they have continued that legacy to this day. They certainly
have a lot to answer for, but the meta-problem is more subtle.

One problem is the permissive nature of the Internet and the
computers attached to it. As long as a program has the
ability to do anything on the computer it is running on,
malware will be incredibly dangerous. Just as firewalls
protect different computers on the same network, we're going
to need something similar to protect different processes
running on the same computer.

This cannot be stopped at the firewall. This type of malware
tunnels through a firewall using e-mail, and then pops up on
the inside and does damage. So far the examples have been
mild, but they represent a proof of concept. And the
effectiveness of firewalls will diminish as we open up more
services (e-mail, Web, etc.), as we add increasingly complex
applications on the internal net, and as crackers catch on.
This "tunnel-inside-and-play" technique will only get worse.

And anti-virus software can't help much. If a virus can infect
1.2 million computers (one estimate of Melissa infections) in
the hours before a fix is released, that's a lot of damage.
What if the code took pains to hide itself, so that a virus
won't be discovered for a couple of days? What if a worm just
targeted an individual; it would delete itself off any computer
whose userID didn't match a certain reference? How long
would it take before that one is discovered? What if it e-
mailed a copy of the user's login script (most contain
passwords) to an anonymous e-mail box before self-erasing?
What if it automatically encrypted outgoing copies of itself
with PGP or S/MIME? Or signed itself; signing keys are often
left lying around the system. Even a few minutes of thinking
about this yields some pretty scary possibilities.

It's impossible to push the problem off onto users with "do
you trust this message/macro/application" messages. Sure,
it's unwise to run executables from strangers, but both
Melissa and Worm.ExploreZip arrive pretending to be friends
and associates of the recipient. Worm.ExploreZip even
replied to real subject lines. Users can't make good security
decisions under ideal conditions; they don't stand a chance
against a virus capable of social engineering.

What we're seeing here is the convergence of several
problems: the permissiveness of networks, interconnections
between applications on modern operating systems, e-mail
as a vector to tunnel through network defenses and as a
means to spread extremely rapidly, and the traditional
naivete of users. Simple patches won't fix this. There are
some interesting technologies on the horizon that try to
mimic the body's own immune system to automatically deal
with unknown malware, but I am not very optimistic about
them. Sure they'll catch some things, but it will always be
possible to design malware specifically to defeat the immune
systems. A large distributed system that communicates at
the speed of light is going to have to accept the reality of viral
infections at the speed of light. Unless security is designed
into the system from the bottom up, we're constantly going to
be fighting a holding action.

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-

- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 1999-06-17
comments to
subscribe Newsletter
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
<<   ^   >>
Druck mich
Linuxwochen Austria

meet q/uintessenz every friday


25. Oktober 2016
freier Eintritt
Big Brother Awards Austria
 related kampaigns

bits4free 18. Jan. 2012: Ihre Meinung zählt
Liquid Democracy - direkte Demokratie durch Online-Partizipation?
q/Talk, Di 29. Nov: Es gilt die unSchuldsvermutung!
Bürger unter Generalverdacht und stundenlange Einvernahme von Chattern