
Computers & Security, 17 (1998) 110-114

Malware Briefing, Dr. Richard Ford, Senior Editor

What a Little Definition Can Do...

This column marks the first in a regular series concerning the threat posed by computer viruses and other forms of malware, and as such, it seems reasonable to begin by attempting to lay out the ground which it will cover. This is best done by ensuring that we have an adequate understanding of the different threat types which we will involve ourselves with, and so this month we shall concern ourselves with the fundamentals: the definition of Virus, Worm and Trojan.

While a discussion of such fundamental topics may seem basic, experience shows that there is a great deal of misconception concerning computer viruses, and the status that they should take in the overall corporate security plan. To some, viruses are the most pressing danger to the security of IS assets. This conclusion is drawn by their incredible prevalence: whereas most computer users do not have any first-hand experience with computer hacking, most users are well-aware of the existence of computer viruses, even if they do not have any knowledge of how to prevent them. To others, viruses are akin to weeds: they spring up, they are stamped out. They are mostly of note only for their nuisance value. As we shall discover, the truth lies somewhere between these positions.

As well as not being able to agree on how much of a threat viruses pose, there is also a continual debate about what they can and cannot do, as well as a misunderstanding of what they are. These misunderstandings, combined with a healthy dose of incorrect information, deliberate misinformation and outright hype have assured the computer virus of a permanent place in our mental list of IS threats. However, prevention requires understanding, and understanding only comes from a clear statement of terms. In this article we will establish such a baseline, and use it as a basis for developing a reliable as well as a cost-effective solution.

Fundamental Definitions

While most readers should have a good grasp of the definition of computer viruses and malware, it is important that these definitions are distinguished from more formal definitions given elsewhere. First, let us speak in generalities: a computer virus is a computer program which shows the property of self-replication; that is, it is a computer program which ‘infects’ a host object with a copy of itself, such that when that object is later used, the virus can spread again. This can be put more formally as follows (borrowing from the excellent comp.virus FAQ):

A computer virus is a self-replicating program containing code that explicitly copies itself and that can ‘infect’ other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus.

0167-4048/98/$19.00 © 1998 Elsevier Science Ltd

Computers & Security, Vol. 17, No. 2

Note here that a virus is only a virus with respect to a particular group of environments. While we generally think of an object as either infected or not, the definition considers a virus to be a piece of code combined with a particular environment. This refinement adds a considerable amount of elegance to the working definitions given above, and will be used in subsequent articles.

Viruses are a subset of a more general problem: that of malware. Another important form of malware is the Trojan Horse. Borrowing once again from the excellent comp.virus FAQ, we have the following:

A Trojan Horse is a program that does something undocumented that the programmer intended, but that some users would not approve of if they knew about it.

According to some people, a virus is a particular case of a Trojan Horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term ‘Trojan’ to refer only to non-replicating malware, so that the set of Trojans and the set of viruses are disjoint.

Also in the class of malware are ‘worms’ - self-replicating programs that spread themselves from program to program, or more usually, machine to machine. A typical example of a worm would be the Internet Worm of 1988, which succeeded in crippling several Internet machines after its release. A worm might be defined as follows:

A computer Worm is a self-contained program (or set of programs), that is able to spread functional copies of itself or its segments to other computer systems (usually via network connections).

Cost of Protection

Now that we have some good working definitions of several different classes of malware, we should do our best to examine how much of a threat each of these beasts poses, and how best to provide a cost-effective strategy for their elimination. Despite the rather obvious construction of the last sentence, in it hides the secret to effective risk management: we are seeking the most cost-effective solution, not necessarily a 100% effective solution. Too many times have I examined the security policy of a company to find that the prevention of viruses was being held at such a priority that the cure had become far worse than the disease. Thus, we do not require a solution to be foolproof - its purpose is to provide a solution that imposes the maximum benefit to the health of the organization.

Consider the following example, concerning the imaginary company Widget Corp, which manufactures (like all imaginary companies) a wide variety of widgets. However, due to its client list, it places virus prevention very high on its list of overall priorities. Widget Corp. is well aware that the most frequently encountered type of virus is the Macro virus, which primarily causes a problem for computers running Microsoft Excel or Microsoft Word. Widget Corp’s Chief Security Officer proposes a solution that will prevent the spread of macro viruses completely: switching the entire company to a different word processor/spreadsheet combination. Although this solution provides a very high degree of protection, there is also clearly a very high cost associated with it. Widget Corp’s board will have to carry out a careful risk assessment to see if their business and the current and predicted exposures make such a move cost-effective.

Although the preceding example seems obvious, it happens all too often that companies do not carry out a thorough risk-assessment, and end up implementing solutions which have a bad effect on the bottom line. A secure company is no use if it cannot make money; a profitable company needs to take the appropriate steps to protect its assets. While such risk-assessment is commonplace when considering fire and flood, the decision of how to protect a company from the virus threat is often carried out with neglect to these basic principles.


Types of Solution

Once we have committed to considering the cost of a solution, we can use our definitions to look at likely solutions to each of the general classes of malware. By working from the definition and working out with an understanding of the function of a solution, we will hopefully bypass assumptions concerning a good protection methodology, and come to our own idea of what a long-term solution might involve. As each class of malware has its own properties, we will discuss them one at a time.

Worms

Worms generally move from machine to machine automatically. Therefore, there are a number of potential solutions to the Worm problem: the most obvious is one which you will probably have already implemented - good system security. Consider the Internet Worm: by using well-known security flaws, the worm was capable of running wild through large parts of the online world. However, companies that had kept their sites secure did not suffer from the worm; it could not propagate in those environments. Note that the countermeasures employed at these sites were not specific to the Internet worm - by closing security holes, the chance of propagating any particular worm is reduced, as well as the obvious general security benefits.

One of the interesting things about worms is their rarity: when talking about worms, most MIS staff would be hard-pressed to mention more than one. Therefore, many people think of worms as more of an intellectual curiosity than a threat to corporate networks. This is somewhat of a misconception. Although worms are very rare, when they strike they can have an incredibly large impact on a company. Furthermore, they are very difficult to stop once they have started spreading, and so a proactive approach involving the patching of known security holes is vital to their prevention.

Lastly, it is worth considering the following. One of the reasons why it has been difficult to construct a successful worm has been the wide variety of machines and operating systems connected to the network. However, with the introduction of Windows 95 and Windows NT, the network connected population of computers has been becoming increasingly homogeneous - this homogeneity is a tremendous benefit to the would-be worm writer, making creation of a successful worm much easier.

Viruses

A virus is very similar to a worm, with some subtle distinctions, to the extent that there can often be argument between two researchers over precisely which category a new program should be placed in. In order to simplify this, we shall consider viruses as objects which generally require the user to execute an infected object to spread, and which add themselves to (infect) some other object. User interaction is usually not intentional or obvious: it could be running an infected program, booting from an infected disk, or even just double-clicking on an infected document. Thus, although a user is required to ‘execute’ the virus code, this process usually happens invisibly. Finally, most viruses do not rely on ‘flaws’ of the operating system under which they execute, but use functions and features which, although potentially undocumented, are used by many other non-viral programs.

Just from a brief examination of the definition, it quickly becomes obvious that closing security holes within operating systems is not likely to help the virus problem significantly. In the case of Word Macro viruses, all the individual actions carried out by a particular virus might be entirely legal; it is the collective effect which leads to a problem. Thus, the type of solution that we posited for the worm is not going to be effective - at least not in the short term. While more security-aware operating systems would limit the virulence of a particular virus, they would be extremely unlikely to make virus creation and replication impossible, due to the requirements we have concerning the operations we carry out on our machines. Add this to the current concentration on usability, and it becomes clear that a holistic approach to virus prevention is a long way off. What, then, can be done?

Returning to the definition with more granularity, two additional factors come to mind:


1. Given that viruses spread when an infected object is executed, there is usually more time available for dealing with a virus incident than a worm.

2. Viruses infect a host object; thus, the virus will change that host object.

Such considerations lead us to the following ideas:

1. A reactive approach to computer viruses may be workable at this time, whereas a reactive approach to Worms is unlikely to be successful.

2. A proactive approach such as change detection could be used to alert us to the presence of a ‘new’ virus.

Let us look at these two statements. Firstly, by a reactive approach, we mean that a virus is discovered and a cure and detection algorithm extracted. This algorithm is then distributed to other machines, providing an innate immunity to that particular virus. Such a solution is tenable, as the time required to spread from machine to machine is generally high enough that a solution can be generated and distributed faster than the virus can spread. Clearly, we have just described the most well-known anti-virus agent, the virus scanner.

Although scanners have traditionally been effective against computer viruses, we do need to consider their role in the future. As the number of viruses continues to rise, scanners must be continually updated in order to be effective. Additionally, a higher level of connectivity and greater integration of network functionality with the desktop have increased the rate at which a virus can spread from machine to machine. Thus, when a new virus is discovered, the potential speed with which a cure can be developed will need to increase. Thus, although some anti-virus vendors can (barely) keep up with the influx of new viruses, the entire turnaround time from infection with a new virus to worldwide distribution of a cure must be decreased from days (or sometimes hours) to minutes. If this is not done, a new virus could potentially reach epidemic prevalence before countermeasures are deployed. The concepts behind a system capable of such rapid reaction times are complex, and provide ample material for another article; suffice it to say that this problem is soluble, and that scanners are currently a very effective prophylactic against viral infection.

One preventative against new viruses is strongly suggested in item (2.): the change detector. Change detectors generally gather certain pieces of information about a system in order to create a ‘fingerprint’ of the system in a clean state. If the system later becomes infected, these fingerprints can be used to identify and sometimes even repair those objects affected. Although this technique is very powerful, it does have a number of drawbacks. Most importantly, it requires a snapshot of the system before it has become infected, which requires a certain amount of forethought. Finally, many change detectors do exactly what they claim to: report changes. A file can change for many reasons, and so simple change detectors do not indicate a file is infected, they indicate that a file has changed. It is left to the user, or his tech support team to decide whether the change is legitimate or not. Such basic change detection is highly simplistic, and not terribly useful. However, it is possible to use the basis of this technique combined with other technologies such as heuristics and generic repair in order to provide a very high level of protection from new viruses without the annoying false alarm problems which simple-minded change detection is renowned for.
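The two approaches just discussed, the reactive scanner and the proactive change detector, can be placed side by side in a few dozen lines. The following is an added example, not code from Ford's column or from any product it mentions: a toy signature scanner and a toy fingerprint-based change detector run over a constructed directory tree. The signature database, the file names and the file contents are all made up for the demonstration. Two things from the text show up in the result: the scanner finds only the pattern it already knows and is blind to an unknown modification, while the change detector catches that modification but reports a legitimate document edit in exactly the same way, because it reports change, not infection.

```python
"""Toy signature scanner beside a toy change detector (added example).

Everything here is constructed for the demonstration: the 'signature
database', the file names and the file contents. Nothing is real malware.
"""
import hashlib
import os
import tempfile

# Hypothetical "known virus" signatures: name -> byte pattern. A real scanner
# would extract these from analysed samples; these are made up.
KNOWN_SIGNATURES = {
    "Demo.Marker.A": b"DEMO-MARKER-A-NOT-A-REAL-VIRUS",
}


def scan_file(path, signatures=KNOWN_SIGNATURES):
    """Reactive detection: names of known signatures found in one file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def fingerprint_tree(root):
    """Change detection, step 1: SHA-256 'fingerprint' of every file,
    taken while the system is believed to be clean."""
    fingerprints = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            fingerprints[os.path.relpath(path, root)] = digest
    return fingerprints


def compare_fingerprints(baseline, current):
    """Change detection, step 2: classify each object as added, removed or
    modified. The result says nothing about *why* a file changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def run_demo():
    """Build a constructed tree, take a clean baseline, then make three changes:
    a legitimate edit, an unknown modification (no known signature), and a new
    file that does carry a known signature. Returns (changes, scanner_hits)."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "widget.exe")
        doc = os.path.join(root, "report.doc")
        with open(prog, "wb") as f:
            f.write(b"MZ\x90\x00 constructed program image")
        with open(doc, "wb") as f:
            f.write(b"Quarterly widget report, draft 1")

        baseline = fingerprint_tree(root)  # clean-state snapshot

        # Change 1: the user legitimately edits the document.
        with open(doc, "wb") as f:
            f.write(b"Quarterly widget report, draft 2")
        # Change 2: unknown bytes are appended to the program (constructed;
        # they match nothing in KNOWN_SIGNATURES, so the scanner cannot see them).
        with open(prog, "ab") as f:
            f.write(b" <constructed unknown appended bytes>")
        # Change 3: a new file arrives carrying a pattern the scanner knows.
        with open(os.path.join(root, "sample.bin"), "wb") as f:
            f.write(b"header " + KNOWN_SIGNATURES["Demo.Marker.A"] + b" trailer")

        current = fingerprint_tree(root)
        changes = compare_fingerprints(baseline, current)
        scanner_hits = {name: scan_file(os.path.join(root, name)) for name in current}
        return changes, scanner_hits


if __name__ == "__main__":
    changes, hits = run_demo()
    print("change detector:", changes)
    print("scanner:", hits)
```

Run as a script, the change detector lists report.doc and widget.exe as modified and sample.bin as added, without distinguishing the harmless edit from the suspicious one; the scanner flags only sample.bin. Deciding which of the reported changes matters is the step the column says is left to the user or the support team, and is where the heuristics and generic repair it mentions would have to come in.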

The Trojan Problem

Our quick examination of definitions is almost complete, except for the most complex and controversial item, the Trojan Horse. The reason for the problem is almost immediately obvious from the definition: whether an object is a Trojan or not depends upon who is running it and why. This is impossible to know scientifically, and so solutions tend to be rather unsatisfying. A classic example of this would be a tool that forces a machine to reboot after n seconds. Named ‘reboot.exe’ and with the right documentation, the program is quite obviously a tool. Renamed to runme.exe, and with no documentation, the program may be a piece of malware. Renamed to sexgame.exe, and with documentation that states that it is a game, the program is a Trojan. Thus, whether a particular program is classified as a Trojan Horse or not depends on several undefined quantities, the most important of which being the opinion of the user.

Several solutions have been sought ranging from what I call the ‘you choose’ model, to the ‘paternalistic’. Software that conforms to the ‘you choose’ model is typified by programs which monitor the behaviour of new executables, and alert you to their actions. One example of this would be if a new file attempts to overwrite the bootsector of a fixed disk, the anti-malware software would pop up a box explaining the intended action, and asking if the action should be allowed to complete. This approach sounds fine, until we consider the many different potential payloads that a Trojan could carry. At the other extreme is the ‘paternalistic’ model, a term borrowed shamelessly from ethical models. In ethics, the paternalistic model is one where “I will decide what is good for you”. When applied to Trojan detection, this means the software decides what executables are okay, and which are not. The problem with this technique is that within certain confines it is entirely reactive. How much of a problem that is, and how much a danger Trojans are in general is another story, which we will examine in a later article.

Closing Thoughts

In this article, we have created a solid foundation for further discussions about different classes of malware. In particular, we have defined Virus, Worm and Trojan, and examined each in turn, searching for a solution based loosely upon the definition of each. In the case of Worms, it appears that the most powerful preventative is good system security. For viruses, detection of known viruses via a scanner, with the addition of change detection, appears to be a workable strategy.

How to protect against Trojan Horses is a more complex problem - a fact that is obvious after only a brief discussion of their definition. As the Internet gradually fills with active content via Java and ActiveX, this area is attracting an increased level of interest. At this time, there are only two primary approaches to Trojan prevention, neither of which looks entirely satisfactory. Which turns out the best is yet to be decided; until then, perhaps the best protection is to follow the simple advice: If you don’t trust where it came from, don’t run it!

Dr. Richard Ford studied for a PhD in Semiconductor Physics at Oxford University. During the course of his research, he encountered the Spanish Telefonica virus, and became interested in the subject of self-replicating code and emergent phenomena. After leaving Oxford, he became Editor of Virus Bulletin, the foremost magazine devoted solely to the issues posed by viruses and other forms of malicious software. Since that time he has held the position of Director of Research for the National Computer Security Association, and Technical Director of Command Software Systems. He is currently employed by IBM Research, developing and testing IBM AntiVirus, as well as researching new technologies that can be applied to virus prevention.
