Malware evolves in trends. Yesterday’s boot virus is today’s Web server exploit program. Malware follows popularity, and it morphs to get past ubiquitous defenses. Understanding the growing trends in malware will help you plan better defenses.
[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]
A little history first: When I began fighting hackers and malware in the second half of the 1980s, Apple viruses ruled the land. I always laugh when I hear that malware can’t attack Apple PCs — for my first two years on the job, it was the only place I could find them. It’s not like Apple’s OS X is superimpervious to malware today; more than 100 vulnerabilities were patched in OS X last year, and there are already over 100 this year.
When the IBM PC and DOS replaced Apple as the dominant personal computing platform, DOS boot and file viruses quickly took over. Interestingly, even though boot viruses accounted for less than 5 percent of virus types, they were responsible for more than 80 percent of the infections. This was due to two reasons. First, although there were many worldwide communication networks (FIDOnet, BBS, and so on), they were not nearly as popular as today’s Internet. Second, back in the day, most computer users copied each other’s pirated software by copying complete disks. Stacks of floppy disks gave boot viruses a sizable infection point.
March 1992 was the climax of boot virus awareness due to the Michelangelo virus scare. I remember the date vividly, because thanks to Michelangelo, I got into Newsweek magazine. Some people discount the Michelangelo virus as nothing but media hype, but millions of computers were infected. Even after weeks of headline warnings, hundreds of thousands of people had their computer hard drives reformatted on the day Michelangelo’s payload went off.
In 1995, macro viruses took off. Looking back, I wish macro viruses were all we had to worry about. The years of 1999 and 2000 were the years of e-mail malware, such as Melissa and the Iloveyou incident. Remote-access Trojans, such as Back Orifice and NetBus, also appeared on the scene. Code Red and Nimda hit in 2001, with SQL Slammer and Blaster in 2003.
SQL Slammer set the bar for rapid infections by infecting nearly every vulnerable SQL server in about 10 minutes. Most people don’t remember that the vulnerability Slammer exploited had been patched for six months.
Up to this point, malicious infections were mostly easy to clean up: Remove the malware, replace any maligned files or data, and the damage was fixed.
That all changed in 2003 with the release of worms (such as Sobig, Mydoom, Bagle, Netsky) built specifically to spread spam (as spam bots). Created because e-mail administrators were closing off all open e-mail relays, spam bots introduced professional criminals to malware in a big way. Within a few years, criminally motivated, money-stealing, identity-thieving bots made up 99 percent of all malware. Today, you don’t have to ask why you are getting infected — it's an easy answer. They are trying to take your money.
This brings us to the current state of malware. Google recently released a paper entitled "The Ghost in the Browser: Analysis of Web-based Malware." Researched for more than 12 months through May 2007 by a crack team of malware analysts, including Niels Provos of Honeyd fame, this is one of the best malware reporting papers I’ve ever read. It’s a quick read and should be studied by anyone who has to protect computers.
In a nutshell, Google used all the Web page data collected by the Google search engine in indexing Web sites to look for malicious code. They searched more than 7 billion URLs and found 450,000 of them infected with malware designed to infect visitors' browsers (about 0.06 percent). When a suspicious Web page was found, it was then loaded using a virtual machined honey client (such as a honeypot mimicking an end-user’s browsing actions). They then recorded the changes the suspicious Web site made to the visiting honey client. If the Web site installed software without the explicit permission of the mimicked end-user, the site was marked as malicious. Some Web sites installed up to 50 malicious programs from a single visit.
For the past seven years, the most frequent way that people got infected with malware was by clicking malicious file attachments or rogue embedded Web links. Although I thought that some people would never stop opening every strange e-mail and clicking on every file attachment, apparently our anti-spam, anti-virus, and anti-malware filters are doing a better job, because frustrated hackers have moved on to infecting (mostly) innocent Web sites.
When users visit an infected Web site, if they have a vulnerable browser (not just Internet Explorer) or other application (Flash, Java, and so on), the user gets infected with a criminally minded bot. Web sites were compromised one of five ways (the Google paper uses four main categories):
-- Poor Web site security
-- Vulnerable applications (PHP, CGI, ASP, SQL, and so on)
-- User-contributed content (for example, cross-site scripting)
-- Malicious advertising inclusion
-- Malicious third-party software component (widget) inclusion
I don’t have the space to cover the specifics in this column, but the last two types really grabbed my interest. Many Web sites are paid to include roving advertising banners and pop-ups. While these services are often maintained by legitimate, respected Web advertisers, the actual ad content is often subcontracted to a subcontractor of a subcontractor. The top-level owner has no idea that their legitimate advertising banner service has been co-opted by malware criminals. They should know — it’s unexcusable — but they don’t.
The last item, widgets, is just as interesting. Many Web sites borrow free widgets (traffic counters, for example), and for months or years, the widget functions as intended. The widget code is often hosted on another external server. But at a later date, the “free” widget code may be maliciously manipulated to inject malware links. It appears that in many cases, the bad guys are giving away free widgets and encouraging widespread adoption so that they can use them as infection vectors later on.
The Google paper contains many other salient points, such as the widespread use of banking Trojans (which I’ve written about several times), and how many major, trusted Web sites are infected, but I want to highlight one last topic. It’s becoming more common for the Web page exploits to test the client for the presence of unpatched software, be it Windows, Internet Explorer, Firefox, RealPlayer, Shockwave Flash, Java, or QuickTime. The exploits actually scan the computers looking for a specific vulnerability, and then infect it.
The lessons to learn from this are fourfold:
-- Malware is trending away from malicious e-mails to innocently infected Web sites
-- You must make sure that all client OS and applications are patched (and not just the OS)
-- Consider investing more in technologies that can mitigate these types of rogue threats
-- Educate end-users about the evolving malware threat to keep them alert
Good luck, and keep your eyes open.