WeekEnd Feature: Why are we always so surprised?
by Ian Thompson, CCSP Staff Editor
February 07, 2004
You know, it often strikes me that people are like goldfish. Not in the sense that they are scaly and brightly coloured (except maybe property agents, but let's not go there right now…), but that they have incredibly short memories. Witness the continual hype over the 'latest virus threat'.
Of course, that's 'latest' in a non-specific sort of way, because I'm sure we won't be seeing the last highly-strung headline about what this, that or the other piece of malware is doing somewhere on 'the web'.
By the way, I'm having a slightly crazy week, so crank up your sarcasm meter… it's going to be more convoluted than normal, so here goes…
MyDoom
Headline writers in the tabloids must just love the fact that malware coders try to give their pet projects really catchy names - time to get out the rhyming dictionary, or look in the thesaurus for cleverly misspelt synonyms that have jokey double-entendre connotations.
MyDoom is, we are reliably told, the fastest spreading virus of all time. It's cleverly written and has a small package size that allows even the humblest of home-dialup users to be 'usefully employed' for its nefarious purposes. Already, the hacks in several of the computing trade press publications are dumbing this down slightly and are grouping both of the current variants into one common description. Witness statements like "MyDoom targets software giants SCO and Microsoft", which is only partially correct. The two variants are different in target ('A' hit SCO on Feb 1, 'B' is set to hit Microsoft sometime soon), and 'B' is acknowledged to be more of a problem - for example, as well as following 'A's lead and spreading by its own devices, plus the KaZaA network (like so many others), it overwrites the HOSTS file used by the OS to redirect web requests.
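Since the HOSTS file trick comes up above, here is an added defender-side example (not part of the original column) that parses a hosts file and flags entries which sink a real hostname to the local machine, the pattern a tampered file shows. The sample file contents and the vendor/intranet names in it are constructed for illustration.

```python
import ipaddress

# Constructed sample of a hosts file after tampering of the kind described
# above: vendor update sites pointed at the local host so they never resolve.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.test          # legitimate LAN entry
0.0.0.0         www.example-av-vendor.test
127.0.0.1       update.example-av-vendor.test   # added by malware
"""

# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Flag non-local hostnames sunk to loopback/unspecified addresses, and
    addresses that do not parse at all; private LAN mappings are left alone."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((addr, name, "sinkholed to local host"))
    return findings


if __name__ == "__main__":
    for addr, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{addr:<16} {name:<32} {why}")
```

On a real system the same function can be pointed at the contents of C:\Windows\System32\drivers\etc\hosts or /etc/hosts.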
And, while we're on the subject, MyDoom is a two-variant problem, dubbed 'A' and 'B', presumably by those with less naming flair than the original coders. Most brand-new malware is automatically given the 'A' suffix because there will be other variants to follow. It's a habit that leads unmarried blokes (usually American, it has to be said) to adopt names like 'Joe Smith I, Snr', even though they haven't yet got any kids because, well, you never know how things will turn out. Face like a car wreck, breath like a volcano, and probably the largest living land animal in history, but more hope and self-belief in a future that involves partner and myriad offspring than anything yet to be set on the earth. There will be a family line, oh yes.
YourDoom
As if we need any clearer example of the proliferation of variants, look no further than one of last year's 'big hits', the Mimail worm, now up to variant 'S'. This wasn't one of those like Dumaru that seemed to jump from 'A' to 'Z' - Mimail has really gone through nearly twenty variations. This proliferation is largely due to the easy hex-editing of code, or use of virus 'kits' designed to make exploitation of weaknesses an easy thing to achieve, the sort of thing employed by the more mischievous, less technically-able users to cause annoyance.
I refrain from using the epithet of 'script kiddie' because that is now getting as tired as 'hacker', and almost as misused. I don't know, but it seems too cuddly a handle for folk whose actions lead to great cost and inconvenience. Even though it may not be chronologically true, the term does imply a general lack of knowledge - or even of effort - to do the job from scratch that is normally evident in youth of whatever era. And why should anyone have to code from scratch? After all, this is where the code-library approach has been heading for years - call a standard .DLL file, perhaps only use 10% of its functionality and hang the fact that it took 700KB in total when a piece of crafted machine code would likely have taken 10-15KB for the same effect. I actually wrote an article on these lines back in 1992 - back when I was coding on my trusty Sinclair QL…
So, they're following the example set by the 'real' programmers. Except they're not; one glance at the stuff that Steve Gibson produces (www.grc.com) will show you what real coding is about.
OurDoom
Looking back on 2003, we see the variant game in full swing. Depending on whose lists you look at, you'll see a couple of versions of BugBear, three of SoBig, a bunch of Blasters, Klez and of course Mimail. Scattered in there will be those that 'evolved' out of others, like Nachi and still further ones like the recent 'Gaobot.DK' that actually disable other malware (how helpful) before setting out on their own crusade (oops, spoke too soon). One common feature is that these all targeted Microsoft.
And yet, we never seem to learn from all this.
Most use social engineering to try and get us to open or run attached files (or, on occasions, embed the malicious instructions in the email code itself). Social engineering is, as I've said before, a con - they're trying to make people open these files and help their little creation to dominate the world. And, like a bunch of dateless wonders, folk seem to be under the impression that they really do know someone called Tiffany who is sending us pictures of her extra-curricular activities with all her sorority buddies, so they open this stuff and the cycle goes on.
If it's not social engineering, it's a reliance on older tricks, like finding someone who's still got the Preview Pane active in Outlook, or who has no AV or firewall software, or who has set up KaZaA on its default port of 1214 and has shared the entire C: drive…
We're all doomed!
According to analysts at corporate AV provider Sophos, August was the worst month last year. If we can remember the headlines that far back, we'd recall that most front pages carried news about virus attacks of one type or another.
Combined with this greater public awareness is the greater skill and effort employed by the malware coders in avoiding detection, or hoodwinking the recipients into opening files or visiting websites. The recently reported 'phishing' incidents were covered in the UK press like it was a new, sudden occurrence. This is, of course, rubbish. I recall receiving emails from Barclays bank regarding my account around June last year, and there has been a steady stream of them since - Citibank, eBay and Amazon, to name a few. The giveaway for me in the first case was that I don't bank with Barclays, but even if you do, remember the Golden Rule - never give up any security information, especially financial details, to anyone (even if they have been made to look like the real thing).
Here's another thing that always seems to be regarded as 'new' (like every time a Gartner spokesperson rolls out the 'wait till SP1' maxim for any newly-released title) - the doomsayers who foretell great disasters in future months. Past history shows an increase in the level of the malware problem. Clearly it is going to continue since more writing 'kits' are available, computers are faster and a growing number of people are connecting from home via high-speed lines. We don't need banner headlines on the newsstands that do more to panic and worry people than warn, inform and reassure them. And yet, there they are, every time the Internet shudders under the increased email traffic generated by an epidemic.
TheirDoom
Now, something that is changing to combat this is the increased use of 'bounties' to reward the supply of information that may directly result in the capture of the original malware coders. However, this doesn't have a good record to date, and enforcement agencies like the FBI have relied on tracing the malicious traffic back to source by examining the source code. This 'bounty' system may not continue forever, but it clearly works for now and has got people interested in tracking them down.
And despite legislation to combat other annoyances like spam, all malware users will move towards using the quicker kit-based software development. With any luck, this will result in poor standards of coding that may see a decline in the real sources because of this lack of skill.
Unfortunately, we're also going to see more of the 'Process Injection' types of malware that merge with legitimate applications, but the 'Anti' software is also adapting to cope.
One thing's for sure, though; 2004 will see yet more sensational headlines!
by Ian Thompson ComputerCops Staff Editor
Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.
Copyright ©Ian Thompson 2004
Posted on Saturday, 07 February 2004 @ 10:00:00 EST by phoenix22