Do you feel the force? Malware can pull you apart

By on

Gerhard Eschelbeck discovers that as malware becomes more sophisticated, your defenses must improve to prevent damage.

Exploiting IT systems has never been easier. Intruders are increasingly enjoying the worldwide path to mischief via the internet, aided by weaker enterprise network perimeters and many new entry points, such as wireless and virtual private networks.

Networks and applications are more complex, which results in thousands of exploitable vulnerabilities. Attacks are more sophisticated, and new automated attack tools are easy to use, enabling the quick flood of destructive threats over the internet before security administrators can react.

However, a good layered security approach should rely on more than mere reaction - it demands planning. Administrators can prepare networks for maximum protection of business operations against current and future automated threats, but to do this right they need to understand the evolution of these attacks and learn all about the many ways to launch a sound defense.

Security attack methodologies and technologies have changed dramatically. Threats used to be simple and low- tech with limited scope. Now, threat sophistication is rising, partly due to use of automated tools that ease the implementation of attacks. An aspiring cyberattacker no longer requires 'guru hacker' experience to wreak potent, worldwide damage, as the chart of the following page illustrates.

Unwitting accomplices

A confluence of other technical and operational issues also fuels new intrusions. Many popular standards-based network services are inherently insecure. Default system settings are well known and often left unchanged after installation.

Design errors are common, due to the complexity of technology involved. Software implementation flaws are discovered and published daily, and users often unknowingly trigger intrusions through inconspicuous emails and simply browsing the web.

These factors contribute to the soaring rate of new security incidents reported to the CERT Coordination Center. Incidents rose 2,099 percent from 1998 through 2002 - an average annual compounded rate of 116 percent. And now, exploitation of these security issues is entering a third generation.

In the evolution of malware, first generation threats are the virus-type attacks spread by email and file sharing, which need human action (e.g. opening an file attachment) to trigger their spread. Anti-virus products are designed and updated to detect such threats.

Active worms attacking systems and applications dominate the category of second-generation threats. Here, user actions are not required; they work by leveraging system and application vulnerabilities. Identifying and fixing vulnerabilities is a proactive defense against such threats.

Third generation threats are future ones, differentiated from the others by penetration speed as well as target selection strategy. The goal is to maximize system penetrations in the first hour, to prevent any practical response from the attack.

Recent security attacks are beginning to fulfill characteristics of third-generation threats - and provide a convincing preview of devastating new results. On January 25, 2003, for example, the SQL Slammer worm rapidly hit more than 120,000 servers running Microsoft SQL Server. Slammer crippled internet operations in South Korea, disabled cash machines at a major U.S. bank, disrupted 911 call center operations in Seattle and caused still more disorder worldwide.

Slammer was the fastest worm ever, infecting more than 90 percent of vulnerable hosts within 10 minutes. In the first minute alone, the infected population doubled in size every 8.5 seconds. It reached a full scanning rate of more than 55 million scans per second after just three minutes. The exploit leveraged a well-known, documented vulnerability and was limited to just one attack vector. All host penetrations could have been prevented with application of a Microsoft patch published six months before the attack.

Graduating to the next level

Although Slammer demonstrated the hyper-propagation characteristics of third-generation threats, it is still considered a second-generation threat. To really graduate to that third-generation threat category, the attack must involve ultra-fast propagation, leverage known and unknown vulnerabilities and employ multiple attack vectors.

From a hacker's perspective, faster penetration creates more damage because it prevents timely intervention by security administrators. The authors of Slammer used a random scanning strategy for identifying new targets and achieved exponential growth. The strategy got good results quickly due to the leverage of UDP as a low overhead communication protocol. But, Slammer also stepped on its own toes by quickly overloading networks used by SQL server hosts. Third-generation threats will improve penetration by their authors first pre-compiling systems with targeted vulnerabilities - and then launching an attack.

Pre-compiling allows attackers to scan the internet, assess the chances of a successful attack and catalog likely targets. This tactic is also a more efficient strategy, much like using a map to quickly reach planned destinations instead of randomly driving down all roads in one's path. Plus, with pre-compiling, a blitzkrieg of penetrations occurs faster and faster, similar to the power of an avalanche's short but destructive lifespan.

Virtually all past attacks have exploited known vulnerabilities. A big reason for this track record is that discovering new vulnerabilities is hard work, eclipsing the technical abilities of the average attacker. The exploit code for Slammer's core component, for instance, came from publication of research at a Black Hat security conference in 2002.

Future attacks will continue exploiting the low-hanging fruit of known vulnerabilities. Future attacks will also exploit vulnerabilities that are unknown and unpublished to security administrators. More importantly, the overall universe of exploitable targets will rise with the use of pre-compiled attacks.

In the past, threats were addressed mainly at the most popular applications and systems in order to get traction with random propagation techniques. In the future, even obscure applications and devices will be exposed to exploitation of their own vulnerabilities by automated, pre-compiled attacks. Even now, the risk of attacks on unknown vulnerabilities is rising, with tech-savvy, resource-rich players eager to stir digital havoc against their enemies.

Third-generation security threats will exploit multiple attack vectors. Many new technologies will be especially vulnerable because they lack widespread security threat discovery and protection capabilities. These include instant messaging (IM), wireless network infrastructure and voice-over-IP based systems.

Take for example servers acting as instant messaging hubs. IM communications are usually unencrypted and have limited gateway protection technology. IM threat detection also is mostly limited to desktop applications. Powerful file-sharing capabilities will become the big issue, such as malicious use of IM applications to transfer data and files carrying attack code. Third-generation threats will also leverage polymorphic techniques for concealment and encryption to prevent discovery during an attack.

The implications of hyper-propagation require security administrators to address network threats in a new way. In the past, the discovery/attack life cycle curve was one or two years from advent of discovering a vulnerability to widespread exploitation. A new sense of urgency is rising from a shorter discovery/ attack curve - Slammer happened six months after discovery, Nimda was four months, and Slapper came just six weeks after discovery of the vulnerability.

Threats of the future require an equal-force response because attackers are taking every advantage of automated tools. This malicious technology allows them to automatically scan for potential victims, to compromise vulnerable systems, self-replicate attack code after penetration, and centralize the management and control of attack code for future activity.

Proactive defenses

The most effective way to fight automated attacks is by automating defenses. Some protective strategies include undertaking regular audits of security systems, keeping software up to date and constantly evaluating policy.

Regular security audits assessing system and application vulnerabilities are an important way to ensure strong defenses. Security audits range from traditional penetration testing to new automated services delivered over the web. Frequent audits ensure quick, effective reaction to new exposures. Key elements of a thorough audit are shown in the boxout on the right.

Also, use of anti-virus software is essential for blocking known threats, especially as they recycle periodically after an initial attack wave. Traditional anti-virus software matches application files against a file of virus signatures. Effective defenses must ensure that users install up-to-date versions of the vendor-supplied signature file.

Additional anti-virus defenses include anomaly/heuristics tools, which attempt to identify viruses by analyzing the behavior of applications instead of matching virus signatures.

Another component to mounting a layered defense against internet attacks is through the launch of a patch management program. Application vendors frequently issue patches, which modify existing applications without replacing the entire code. Timely application of patches is key. Users can monitor announcements for new patches and react to notification from security audits. Most attacks can be prevented by timely application of security patches.

And finally, security is a moving target, so organizations should regularly assess internal policies and measures used to enforce policy. Trend analysis provided by regular security audits provides data for ensuring that security systems help meet the ever-changing nature of attack threats.

Key elements of a thorough audit 

  • Identify network topology and all points of entry - from outside and inside the enterprise firewall 
  • Identify all services, operating systems and applications on all network-attached IPs in order to know what vulnerabilities might apply 
  • Identify and prioritize critical vulnerabilities 
  • Match identified vulnerabilities with appropriate remedies, such as patches and new configuration settings 

There is no doubt that network security attacks are increasing in number and sophistication. Experience gleaned by hackers from two generations of attack technology is yielding a new generation of automated security threats. The result of this trend is that attacks of the future will spread faster than any possible human response effort.

The timely and complete detection of security vulnerabilities and rapid application of remedies is the most effective preventive measure security administrators can use to thwart automated attacks and preserve network security.

Gerhard Eschelbeck is chief technology officer and vice president of engineering, Qualys, Inc. (


Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?