Curated by: Luigi Canali De Rossi

Saturday, October 15, 2005

Virus Attacks To Major Internet Infrastructures Real Future Threat?

Sponsored Links

Are the virus and worm attacks of recent months preluding to a major disruptive attack on ur technological infrastructures?

Are we prepared to counter such a possibility?

Photo credit: George Crux

What are the strategies and approaches that security experts would suggest to adopt to reduce to a minimum the possibilities for such a technological disaster?

Is further protection and extra restrictions the only way to counter these threats or are there completely alternative approaches we haven't considered yet?

Here is what the ANSSAIF - Associazione Nazionale Specialisti Sicurezza in Aziende di Intermediazione Finanziaria, an Italian association of security experts in Italy, writes in a recent article entitled "Cosa bolle in pentola" (What is boiling in the pan?)

"Many security experts are looking at the evolution of viruses, worms and Trojans with scrutiny and preoccupation, looking into the various styles and ways of attack.

The focus of this article is centered on those so-called 'dormant viruses', and on the hundreds of variants stemming from the same type of viruses. The mission is to question and attempt greater understanding of the what dangers may await us if we look more critically at the facts and data already available to us.

Though we have no solid certainty of this, many experts fear that a 'grand' attack is in preparation, either to place the Western financial system in a crisis or to worsen the consequences of a terror attack rendered with explosives or biochemical substances.

Proofs that this is positively within the capability of present malicious developers and virus writers are amply accessible.

Powerful attacks coud also cripple emergency rescue operations by deeply damaging the communication and data infrastructures and causing consequent excessive network traffic, no cell phone coverage, or failure in the servers used for air traffic control.

Facts Analysis

Firstly, let's summarize the motivations of our preoccupations. In the past we have witnessed ferocious attacks of some viruses such as Red Code, Nimda and Gaobot which practically hit all companies worldwide.

These viruses were followed by a decrease in the frequency of attacks and their severity (19 alerts in 2002, 16 in 2003), without a substantial improvement in defenses, as the CSI/FBI, the Australian High Tech Crime Center and others have stated.

Terror attacks also decreased in gravity and frequency.

Yet, there's been a rise in 2004 and the last 18 months have witnessed a higher number of virus alerts, more than the sum of the two previous years in terms of gravity.

What is most worrying is an increase in variants of certain worms.

For example there are over 300 variants of Netsky and Bagle viruses, memory resident worm types, and about a hundred variants of Mytob.

This is an indication that there may in fact be an ongoing attempt at experimenting with all the possibile avenues leading to assess weak points in user habits and reaction rsponse to threats as well as trying-out the various consequences of little subtle changes to the tactic used to deliver and infiltrate these malicious software into unaware users.

Some worms trick the receiver into opening a message, or direct them to a certain site, while other types take advantage of 'holes' found in the computers' operating system.

Older worms are re-introduced (Sober, Gaobot, etc..) with new variants. Other worms work as platforms for the work of others such as Wurmark and Bobax.

There are Trojans which look for Excel, Winword or HTML files and when found send them out to encrypted destinations, while other Trojans encrypt these files and leave them on a hard disk from where they were read (these approach could be even used for blackmailing).

Some worms have been introduced simply to get into a computer and erase their previous versions, foreshadowing a new version which would somehow enter into conflict with them.

There are viruses whose only goal is to obtain information on the computer owner: name, last name, home address, the computer's use, passwords, subscriptions, tastes, etc... Some are set off for specific commercial interests while others only to execute identity theft missions.

It is self-evident that viruses may also be well applied to execute terror attacks on large financial or communication infrastructures.

We could go on forever, but the examples listed here will suffice for now.

Here are some further questions that may enhance your curiosity on the subject:

1. Multiple variants of the same worm or Trojan have been exclusively created to improve an attack, or do they hide the preparations for something bigger and more serious?

2. What have the thousands of Trojans which have affected millions of computers (more than 12ml just last year) picked up? Is it worth to mention that the countries affected the most by these Trojans were Western Europe and the US?

3. What will be done with the information collected by those behind the development of these malicious tools? Many have been used for blackmail, revenge and theft. What other malicious uses can be made of them?

4. Is there information out there that has been 'frozen'? If so, why?

5. Can we completely dismiss the possibility that virus makers have already picked up thousands of server administrator's passwords and could take hold of them at the drop of a hat?

Here some more recent interesting facts.

There's been an increase in the number of operating systems where 'holes' can be used by new viruses. Some examples are SAP and CISCO but not on those from EPOC and SYMBIAN (cell phones).

Up to this day, mainframes have remained immune. Why is that? Do they not use the standard TCP/IP protocol or have they been infected and we just haven't noticed?

Lastly, viruses in computers that carry a particular signature and others for which their type and functionality is presently unknown: are they dormant viruses, and what are they waiting for?

This is where we can start drawing some possible conclusions:

1. There is increase in experimentation of new worms and Trojans.

2. Dormant viruses can be found.

3. Information picked up by various Trojans have not been fully used.

4. There is evidence of an increase of the number and types of systems that can be violated.

5. The countermeasures taken up by companies reflect in general the minimum requirements, but in most cases have not been updated in accordance with the growing criminal trend.

Could we then consider the possibility that someone, somewhere is preparing an attack aimed not only towards home computers but at the same time to computer networks, clients and servers, firewalls and commercial routers?

Why would anyone plan such a thing?

Perhaps because a company is a financial intermediary, or maybe a particular company collaborates with a targeted country.

We really don't have a specific answer. But we've got to do something.

No one will ever forget the day when Red Code hit all companies worldwide.

Perhaps now we are all a little more prepared, but only for a 'traditional' attack.

If viral programs already lie in our networks, the situation is totally different.

If there's a concentrated and simultaneous attack on all computers of a company, the problem is even greater.

Possible Solutions

What to do?

First off, prevention is the key strategy.

Whether it be in the very short term (technical countermeasures and procedures to keep on going), medium term (increasing quantity and quality control, organizational changes) and the long term (establishing a culture of security in terms of service quality and accident prevention) prevention is the only wise way to proceed.

In the short-medium term, there must be changes in two distinct areas: the infrastructure and the employees.

Two teams should be assigned to the areas to analyze, plan and create controls. Hardening should preferably be assigned to a third and more specific team, where privacy and thorough knowledge of the company is needed.

This specific team should be able to locate specific viruses unrecognizable from the known ones (they could be hiding ad hoc software to capture information). They should also be able to point out an abnormal excess amount of traffic on a LAN.

They should also not limit checking on the security system inside a specific perimeter or only during office hours. Server administrators should be forced to change passwords every month, making sure not to use the same password twice.

An easier way would be to give administrators the possibility to use a "one time password" as to avoid any confusion.

If abnormal activity is detected, action should not be postponed to the next day and meticulous controls should be part of standard daily procedures.

Avoiding having databases with reserved data or directly connected to the Internet should be enforced, and abnormal computer activity outside office hours should be pointed out.

In terms of establishing a culture on security, specific software should be created by developers who are sensitive to the issue of security, and generally spreading a culture of security throughout a company should be considered a valuable investment.

The newly adopted controls should be introduced with new projects and systems, all the while teaching users, internal and external, about protecting data, quality service and installing a business continuity.

Yearly ICT risk analysis should be undertaken while integrating experiences and knowledge drawn from the Operational Risk Management team, the physical and ICT security teams, the Business Continuity team and using Human Resources to 'glue' it all together and make all of this information accessible.

Lastly, it would be a good idea to hypothesize working without an information system, and experiment with all possible and available emergency plans in case a complete IT breakdown was ever to happen."

But are protection and restrictions the only ways around this issue?

If we used some "lateral thinking" to analyze this issue what other venues would we see available to us?

What have we learned from other social universes about approaching danger and threat by way of adding more and more layers of protection and control?

What about if access to Internet was supported by an infrastructure that allowed proper identification of every person in a way that didn't require more privacy intrusion while leaving it to each one to decide how much of such identity data to reveal?

Too far fetched? Not feasible technologically?

I'd like to hear your comments and opinions on this, right here.

Translated by Robin Good and Chiara Moriconi
from the original article published by
31 agosto 2005 - Newsletter CLUSIT
[PDF available at:]

Original content Source: ANSSAIF - Associazione Nazionale Specialisti Sicurezza in Aziende di Intermediazione Finanziaria.

Robin Good and Chiara Moriconi - Clusit Newsletter [via Giovanni Canali De Rossi] -
Reference: ANSSAIF [ Read more ]
Readers' Comments    
2005-10-19 21:36:03

Larry Geller

Viruses depend on being able to execute their code on unprotected computers that they easily find. If they could not do this, they would not exist and the threat would evaporate. It is not necessarily true that network computers must be so hospitable to alien code. I wrote a comment to Danny Schecter's News Dissector blog on August 18, 2005 that I would like to repeat here:


How long will we continue to take this? The vulnerablity of Microsoft/Intel
systems to viruses and worms of all sorts is a tremendous drain on
business and individual productivity. Why don't we use the technology that's
available and end this plague of viruses?

Imagine for a moment that you lived on another planet. Your Windows PC
could not ever be infected by viruses, worms or trojans. Your mom, uncle,
or grandmother could buy one at the ComputerMARS store, take it home,
plug it in, send you some interplanetary email, check the weather back on
Earth, and enjoy her favorite classical Mars music. No need to install and
update virus checkers because viruses can't infect those systems.

Well, it would be as easy here also, except that Microsoft/Intel are not using
the technology that we've had right here on Earth since the mid 1980s.
Time- sharing computers ran up to 600 simultaneous users (maybe more, I
can't remember) and of course Ford could never access data in the space
used by General Motors. If that could happen -- even once -- the time-
sharing vendor would be out of business.

Ask yourself, Earthling, why is it that some code arriving in your computer
has complete access to memory and your hard disks? That is, any code,
whether a valid program, virus, or a programming mistake, can read or
write anywhere it likes. It can write into your Windows/system directories,
and -- get this -- it can read your Outlook address book! Now go back to
the time-sharing computer technology. Any program that tries to access
memory outside of its space, or read hard disk it has no permission to, will
either get an error message or be booted out completely.

If this architecture were used on the PC (which still resembles most closely
the original single-user IBM PC of yore [introduced 20 years ago August 9]),
a virus arriving in your computer might be able to run, but it couldn't do
anything to you. Maybe it could compute pi to a thousand digits, but that's it.

On those timesharing computers, writing to disk looks something like this
(for GE/Honeywell/NEC computers): the program lays out its data in a
buffer space it has previously requested. It then does a MME (Master Mode
Entry, pronounced "mee-mee") with data in the registers pointing to where it
wants to write that data. If it's ok to do that, the operating system takes the
data and writes it. The program cannot actually write anything, there's no
instruction it can execute to write.

And so forth. This is actually very simple.

Well, will we have to throw away all our Windows apps to go to this kind of
a system? If so, I'd do it happily. But with processor speeds so high,
probably current apps can run in an emulator. Maybe Windows as we know
it could just be an app under the new OS to keep industry moving while new
programs convert to the safe OS.

The virus-writers are getting increasingly clever, and Windows is slowly
getting dumber, with new holes opening up regularly. I believe you can get a
virus by viewing an image now. That's crazy.

Oh... no program should have access to the operating system area at all. It
should remain as pure as the day it was installed. Imagine that. And if it
needed upgrading, it replaces itself with the new version while processing

If business put Microsoft/Intel on notice, they would get results.

--Larry Geller
Honolulu HI
originally sent to to Danny Schecter's News Dissector blog on August 18, 2005

2005-10-17 04:52:10

Wes Kussmaul

This article performs a useful service in calling attention to the dire condition of the information infrastructure. But like so many others, it assumes that a corporation must act unilaterally to secure its own infrastructure. In other words, the “dire condition” refers to the company’s own infrastructure, network, employees, culture, etc.

But in a very large measure, security is a commons. The level of architected, built-in security in one company’s online facilities is affected by the security of all others in its community.

When we view an online facility through the same lens with which we view a physical facility, we can quickly see why security problems persist and indeed worsen in spite of steadily growing efforts to improve security.

For example: what would happen if a company were to build its next office building entirely on its own, without bothering to involve the local public authority infrastructure? In other words, rather than obtaining building permits, and observing local building codes whose purpose is to ensure that all structures in the municipality are safe for their occupants, a company just leased some construction equipment and started putting up an office building?

What if all corporations did that with their physical facilities? What would the resulting environment be like?

Actually there is a word for it. _Favela_ is a Portuguese word that identifies a neighborhood that is basically devoid of any observation of public building standards and codes, safety codes, and security codes. A favela is not a place where you want to keep anything important, or have important collaborations. It’s a dangerously insecure place.

Now, just to “build out” the metaphor, we might ask, what if we were to build a properly secure office building in the middle of a favela? What would the result be like?

The answer is that the building would still be in a favela and would never be secure. The infrastructure in which it resides would be utterly unable to contribute to its security.

The security of a company’s online information facility is at least as dependent upon the environment in which it resides as its physical office facilities are dependent upon the ability of the municipality in which it resides to support its need for security. We have extranets and portals and supply chain networks that provide access not only to employees of the company but employees of its suppliers, distributors, ad agencies, customers, channel partners, law firms, consulting firms, auditors, and on and on. The company’s online facility sits in a community exactly as its physical facility sits in a community. The standards of that community have everything to do with the security of the enterprise.

For there to be any hope of security, there must be a set of building codes and professional standards that are established and maintained by duly constituted public authority precisely as a municipal or provincial or national government establishes and maintains such standards in the physical world. Furthermore, to be part of a given online community – say a community of trading partners – all participating organizations must not only observe those standards but submit to proper inspections of plans and structures.

That is the only hope. Without the involvement of duly constituted public authority in the establishment, maintenance, and enforcement of facilities codes and professional licenses for facilities professionals, the thieves and terrorists and vandals will surely take over the world’s information infrastructure.

As the article implies, that is exactly what is happening.

In a favela, the criminals are in charge.

posted by Robin Good on Saturday, October 15 2005, updated on Tuesday, May 5 2015

Search this site for more with 








    Curated by

    New media explorer
    Communication designer


    POP Newsletter

    Robin Good's Newsletter for Professional Online Publishers  



    Real Time Web Analytics