An emerging breed of sophisticated malware is raising doubts about the ability of traditional signature-based security software to fend off new viruses and worms, according to experts at this week's RSA Security Conference in San Francisco.
Signature-based technologies are now "crumbling under the pressure of the number of attacks from cybercriminals," said Art Coviello, president of RSA, the security division of EMC. This year alone, about 200,000 virus variants are expected to be released, he said. At the same time, antivirus companies are, on average, at least two months behind in tracking malware. And "static" intrusion-detection systems can intercept only about 70 percent of new threats.
Read the latest WhitePaper - Frost & Sullivan Report - Competitive Advantage Today, Competitive Requirement Tomorrow
RSA '07 HQ: Click here for complete coverage
"Today, static security products are just security table stakes," Coviello said. "Tomorrow, they'll be a complete waste of money. Static solutions are not enough for dynamic threats."
What's needed instead are multilayered defenses -- and a more information-centric security model, Coviello said. "[Antivirus products] may soon be a waste of money, not because viruses and worms will go away," but because behavior-blocking and "collective intelligence" technologies will be the best way to effectively combat viruses, he said.
Unlike the low-variant, high-volume threats of the past, next-generation malware is designed explicitly to beat signature-based defenses by coming in low-volume, high-variant waves, said Amir Lev, president of Commtouch Software, an Israeli vendor whose virus-detection engines are widely used in several third-party products.
Until last year, most significant e-mail threats aimed for wide distribution of the same malicious code, Lev said. The goal in writing such code was to infect as many systems as possible before antivirus vendors could propagate a signature. Once a signature became available, such viruses were relatively easy to block.
New server-side polymorphic viruses threats like the recent Storm worm, however, contain a staggering number of distinct, low-volume and short-lived variants and are impossible to stop with a single signature, Lev said. Typically, such viruses are distributed in successive waves of attacks in which each variant tries to infect as many systems as possible and stops spreading before antivirus vendors have a chance to write a signature for it.
Storm had more than 40,000 distinct variants and was distributed in short, rapid-fire bursts of activity in an effort to overwhelm signature- and behavior-based antivirus engines, Lev said.
One example of such malware is WinTools, which has been around since 2004 and installs a toolbar, along with three separate components, on infected systems. Attempts to remove any part of the malware cause the other parts to simply replace the deleted files and restart them. The fragmented nature of such code makes it harder to write removal scripts and to know whether all malicious code has actually been cleaned off a computer.
Wednesday, October 31, 2007
New version of Storm virus infects blogs and other Web postings
A new version of the Storm e-mail virus is populating blogs and online bulletin boards with links directing people to a Web site that is propagating the worm, representing a new mode of attack for hackers seeking financial gain, according to a security vendor that became aware of the virus Monday night.
the Storm Worm attacks in December and January used infected e-mails to hijack personal computers and add them to “bot-nets,” networks of infected computers used by hackers to distribute spam and viruses.
Within the past day, a variation of this virus was found to be using infected computers to place malicious links on various Web sites, according to Secure Computing, a messaging security vendor based in San Jose, Calif.
If your computer is infected, the virus can add malicious text to any message you post to a blog or bulletin board. The text says, “Have you seen this?” and is followed by a URL containing the phrases “freepostcards” and “funvideo.”
“The new thing about this virus is the way it propagates. It’s basically filling up Web pages all over the Internet with links to the malware,” says Dmitri Alperovitch, principal research scientist for Secure Computing.
A Google search on Tuesday afternoon located 71 sites containing the link, including message boards hosted by the Salt Lake Tribune and a site about Australian pythons and snakes.
Clicking on the link causes the virus to be downloaded to the user’s computer. “It turns you into a zombie. Your computer is now under full control under the criminal that is in control of this bot-net,” Alperovitch says.
The virus is a rootkit that integrates fully into an operating system, so it scans traffic to and from your machine and could intercept your bank account information or other sensitive data. The bot-net can also be used to launch an attack against a Web site, effectively shutting the site down by flooding it with traffic from infected computers, Alperovitch states. Hackers sometimes launch these attacks so they can demand ransom money from Web site owners in exchange for stopping the attack, according to Alperovitch.
Some antivirus programs have trouble finding the virus, he says, but you can figure out if your computer is infected by posting to a blog or bulletin board and seeing if your message contains the malicious link.
Typically, though, a user will not realize he or she is infected, and people who read postings to blogs and bulletin boards may be fooled into thinking the link should be trusted.
“Because they’re not looking to destroy data on your machine, you may not realize until much later that anything is happening,” Alperovitch says.
the Storm Worm attacks in December and January used infected e-mails to hijack personal computers and add them to “bot-nets,” networks of infected computers used by hackers to distribute spam and viruses.
Within the past day, a variation of this virus was found to be using infected computers to place malicious links on various Web sites, according to Secure Computing, a messaging security vendor based in San Jose, Calif.
If your computer is infected, the virus can add malicious text to any message you post to a blog or bulletin board. The text says, “Have you seen this?” and is followed by a URL containing the phrases “freepostcards” and “funvideo.”
“The new thing about this virus is the way it propagates. It’s basically filling up Web pages all over the Internet with links to the malware,” says Dmitri Alperovitch, principal research scientist for Secure Computing.
A Google search on Tuesday afternoon located 71 sites containing the link, including message boards hosted by the Salt Lake Tribune and a site about Australian pythons and snakes.
Clicking on the link causes the virus to be downloaded to the user’s computer. “It turns you into a zombie. Your computer is now under full control under the criminal that is in control of this bot-net,” Alperovitch says.
The virus is a rootkit that integrates fully into an operating system, so it scans traffic to and from your machine and could intercept your bank account information or other sensitive data. The bot-net can also be used to launch an attack against a Web site, effectively shutting the site down by flooding it with traffic from infected computers, Alperovitch states. Hackers sometimes launch these attacks so they can demand ransom money from Web site owners in exchange for stopping the attack, according to Alperovitch.
Some antivirus programs have trouble finding the virus, he says, but you can figure out if your computer is infected by posting to a blog or bulletin board and seeing if your message contains the malicious link.
Typically, though, a user will not realize he or she is infected, and people who read postings to blogs and bulletin boards may be fooled into thinking the link should be trusted.
“Because they’re not looking to destroy data on your machine, you may not realize until much later that anything is happening,” Alperovitch says.
Gathering 'Storm' Superworm Poses Grave Threat to PC Nets
The Storm worm first appeared at the beginning of the year, hiding in e-mail attachments with the subject line: "230 dead as storm batters Europe." Those who opened the attachment became infected, their computers joining an ever-growing botnet.
Although it's most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It's also the most successful example we have of a new breed of worm, and I've seen estimates that between 1 million and 50 million computers have been infected worldwide.
Old style worms -- Sasser, Slammer, Nimda -- were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.
Worms like Storm are written by hackers looking for profit, and they're different. These worms spread more subtly, without making noise. Symptoms don't appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.
Storm represents the future of malware. Let's look at its behavior:
1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.
2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.
3. Storm doesn't cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won't notice any abnormal behavior most of the time.
4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn't have a centralized control point, and thus can't be shut down that way.
This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn't show up as a spike. Communications are much harder to detect.
One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won't work with Storm: An infected host may only know about a small fraction of infected hosts -- 25-30 at a time -- and those hosts are an unknown number of hops away from the primary C2 servers.
And even if a C2 node is taken down, the system doesn't suffer. Like a hydra with many heads, Storm's C2 structure is distributed.
5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called "fast flux." So even if a compromised host is isolated and debugged, and a C2 server identified through the cloud, by that time it may no longer be active.
6. Storm's payload -- the code it uses to spread -- morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.
7. Storm's delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites -- anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.
8. The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: "A killer at 11, he's free at 21 and ...," "football tracking program" on NFL opening weekend, and major storm and hurricane warnings. Storm's programmers are very good at preying on human nature.
9. Last month, Storm began attacking anti-spam sites focused on identifying it -- spamhaus.org, 419eater and so on -- and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy's reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.
Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it. Inoculating infected machines individually is simply not going to work, and I can't imagine forcing ISPs to quarantine infected hosts. A quarantine wouldn't work in any case: Storm's creators could easily design another worm -- and we know that users can't keep themselves from clicking on enticing attachments and links.
Redesigning the Microsoft Windows operating system would work, but that's ridiculous to even suggest. Creating a counterworm would make a great piece of fiction, but it's a really bad idea in real life. We simply don't know how to stop Storm, except to find the people controlling it and arrest them.
Unfortunately we have no idea who controls Storm, although there's some speculation that they're Russian. The programmers are obviously very skilled, and they're continuing to work on their creation.
Oddly enough, Storm isn't doing much, so far, except gathering strength. Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumors that Storm is leased out to other criminal groups. Other than that, nothing.
Personally, I'm worried about what Storm's creators are planning for Phase II.
- - -
Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.
Although it's most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It's also the most successful example we have of a new breed of worm, and I've seen estimates that between 1 million and 50 million computers have been infected worldwide.
Old style worms -- Sasser, Slammer, Nimda -- were written by hackers looking for fame. They spread as quickly as possible (Slammer infected 75,000 computers in 10 minutes) and garnered a lot of notice in the process. The onslaught made it easier for security experts to detect the attack, but required a quick response by antivirus companies, sysadmins and users hoping to contain it. Think of this type of worm as an infectious disease that shows immediate symptoms.
Worms like Storm are written by hackers looking for profit, and they're different. These worms spread more subtly, without making noise. Symptoms don't appear immediately, and an infected computer can sit dormant for a long time. If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain.
Storm represents the future of malware. Let's look at its behavior:
1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.
2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. By only allowing a small number of hosts to propagate the virus and act as command-and-control servers, Storm is resilient against attack. Even if those hosts shut down, the network remains largely intact, and other hosts can take over those duties.
3. Storm doesn't cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. This makes it harder to detect, because users and network administrators won't notice any abnormal behavior most of the time.
4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. The most common way to disable a botnet is to shut down the centralized control point. Storm doesn't have a centralized control point, and thus can't be shut down that way.
This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn't show up as a spike. Communications are much harder to detect.
One standard method of tracking root C2 servers is to put an infected host through a memory debugger and figure out where its orders are coming from. This won't work with Storm: An infected host may only know about a small fraction of infected hosts -- 25-30 at a time -- and those hosts are an unknown number of hops away from the primary C2 servers.
And even if a C2 node is taken down, the system doesn't suffer. Like a hydra with many heads, Storm's C2 structure is distributed.
5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called "fast flux." So even if a compromised host is isolated and debugged, and a C2 server identified through the cloud, by that time it may no longer be active.
6. Storm's payload -- the code it uses to spread -- morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.
7. Storm's delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites -- anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.
8. The Storm e-mail also changes all the time, leveraging social engineering techniques. There are always new subject lines and new enticing text: "A killer at 11, he's free at 21 and ...," "football tracking program" on NFL opening weekend, and major storm and hurricane warnings. Storm's programmers are very good at preying on human nature.
9. Last month, Storm began attacking anti-spam sites focused on identifying it -- spamhaus.org, 419eater and so on -- and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy's reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.
Not that we really have any idea how to mess with Storm. Storm has been around for almost a year, and the antivirus companies are pretty much powerless to do anything about it. Inoculating infected machines individually is simply not going to work, and I can't imagine forcing ISPs to quarantine infected hosts. A quarantine wouldn't work in any case: Storm's creators could easily design another worm -- and we know that users can't keep themselves from clicking on enticing attachments and links.
Redesigning the Microsoft Windows operating system would work, but that's ridiculous to even suggest. Creating a counterworm would make a great piece of fiction, but it's a really bad idea in real life. We simply don't know how to stop Storm, except to find the people controlling it and arrest them.
Unfortunately we have no idea who controls Storm, although there's some speculation that they're Russian. The programmers are obviously very skilled, and they're continuing to work on their creation.
Oddly enough, Storm isn't doing much, so far, except gathering strength. Aside from continuing to infect other Windows machines and attacking particular sites that are attacking it, Storm has only been implicated in some pump-and-dump stock scams. There are rumors that Storm is leased out to other criminal groups. Other than that, nothing.
Personally, I'm worried about what Storm's creators are planning for Phase II.
- - -
Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.
Subscribe to:
Posts (Atom)
