"Many security experts are looking at the evolution of viruses, worms and Trojans with scrutiny and preoccupation, looking into the various styles and ways of attack.
The focus of this article is centered on those so-called 'dormant viruses', and on the hundreds of variants stemming from the same type of viruses. The mission is to question and attempt greater understanding of the what dangers may await us if we look more critically at the facts and data already available to us.
Though we have no solid certainty of this, many experts fear that a 'grand' attack is in preparation, either to place the Western financial system in a crisis or to worsen the consequences of a terror attack rendered with explosives or biochemical substances.
Proofs that this is positively within the capability of present malicious developers and virus writers are amply accessible.
Powerful attacks coud also cripple emergency rescue operations by deeply damaging the communication and data infrastructures and causing consequent excessive network traffic, no cell phone coverage, or failure in the servers used for air traffic control.
Firstly, let's summarize the motivations of our preoccupations. In the past we have witnessed ferocious attacks of some viruses such as Red Code, Nimda and Gaobot which practically hit all companies worldwide.
These viruses were followed by a decrease in the frequency of attacks and their severity (19 alerts in 2002, 16 in 2003), without a substantial improvement in defenses, as the CSI/FBI, the Australian High Tech Crime Center and others have stated.
Terror attacks also decreased in gravity and frequency.
Yet, there's been a rise in 2004 and the last 18 months have witnessed a higher number of virus alerts, more than the sum of the two previous years in terms of gravity.
What is most worrying is an increase in variants of certain worms.
For example there are over 300 variants of Netsky and Bagle viruses, memory resident worm types, and about a hundred variants of Mytob.
This is an indication that there may in fact be an ongoing attempt at experimenting with all the possibile avenues leading to assess weak points in user habits and reaction rsponse to threats as well as trying-out the various consequences of little subtle changes to the tactic used to deliver and infiltrate these malicious software into unaware users.
Some worms trick the receiver into opening a message, or direct them to a certain site, while other types take advantage of 'holes' found in the computers' operating system.
Older worms are re-introduced (Sober, Gaobot, etc..) with new variants. Other worms work as platforms for the work of others such as Wurmark and Bobax.
There are Trojans which look for Excel, Winword or HTML files and when found send them out to encrypted destinations, while other Trojans encrypt these files and leave them on a hard disk from where they were read (these approach could be even used for blackmailing).
Some worms have been introduced simply to get into a computer and erase their previous versions, foreshadowing a new version which would somehow enter into conflict with them.
There are viruses whose only goal is to obtain information on the computer owner: name, last name, home address, the computer's use, passwords, subscriptions, tastes, etc... Some are set off for specific commercial interests while others only to execute identity theft missions.
It is self-evident that viruses may also be well applied to execute terror attacks on large financial or communication infrastructures.
We could go on forever, but the examples listed here will suffice for now.
Here are some further questions that may enhance your curiosity on the subject:
1. Multiple variants of the same worm or Trojan have been exclusively created to improve an attack, or do they hide the preparations for something bigger and more serious?
2. What have the thousands of Trojans which have affected millions of computers (more than 12ml just last year) picked up? Is it worth to mention that the countries affected the most by these Trojans were Western Europe and the US?
3. What will be done with the information collected by those behind the development of these malicious tools? Many have been used for blackmail, revenge and theft. What other malicious uses can be made of them?
4. Is there information out there that has been 'frozen'? If so, why?
5. Can we completely dismiss the possibility that virus makers have already picked up thousands of server administrator's passwords and could take hold of them at the drop of a hat?
Here some more recent interesting facts.
There's been an increase in the number of operating systems where 'holes' can be used by new viruses. Some examples are SAP and CISCO but not on those from EPOC and SYMBIAN (cell phones).
Up to this day, mainframes have remained immune. Why is that? Do they not use the standard TCP/IP protocol or have they been infected and we just haven't noticed?
Lastly, viruses in computers that carry a particular signature and others for which their type and functionality is presently unknown: are they dormant viruses, and what are they waiting for?
This is where we can start drawing some possible conclusions:
1. There is increase in experimentation of new worms and Trojans.
2. Dormant viruses can be found.
3. Information picked up by various Trojans have not been fully used.
4. There is evidence of an increase of the number and types of systems that can be violated.
5. The countermeasures taken up by companies reflect in general the minimum requirements, but in most cases have not been updated in accordance with the growing criminal trend.
Could we then consider the possibility that someone, somewhere is preparing an attack aimed not only towards home computers but at the same time to computer networks, clients and servers, firewalls and commercial routers?
Why would anyone plan such a thing?
Perhaps because a company is a financial intermediary, or maybe a particular company collaborates with a targeted country.
We really don't have a specific answer. But we've got to do something.
No one will ever forget the day when Red Code hit all companies worldwide.
Perhaps now we are all a little more prepared, but only for a 'traditional' attack.
If viral programs already lie in our networks, the situation is totally different.
If there's a concentrated and simultaneous attack on all computers of a company, the problem is even greater.
What to do?
First off, prevention is the key strategy.
Whether it be in the very short term (technical countermeasures and procedures to keep on going), medium term (increasing quantity and quality control, organizational changes) and the long term (establishing a culture of security in terms of service quality and accident prevention) prevention is the only wise way to proceed.
In the short-medium term, there must be changes in two distinct areas: the infrastructure and the employees.
Two teams should be assigned to the areas to analyze, plan and create controls. Hardening should preferably be assigned to a third and more specific team, where privacy and thorough knowledge of the company is needed.
This specific team should be able to locate specific viruses unrecognizable from the known ones (they could be hiding ad hoc software to capture information). They should also be able to point out an abnormal excess amount of traffic on a LAN.
They should also not limit checking on the security system inside a specific perimeter or only during office hours. Server administrators should be forced to change passwords every month, making sure not to use the same password twice.
An easier way would be to give administrators the possibility to use a "one time password" as to avoid any confusion.
If abnormal activity is detected, action should not be postponed to the next day and meticulous controls should be part of standard daily procedures.
Avoiding having databases with reserved data or directly connected to the Internet should be enforced, and abnormal computer activity outside office hours should be pointed out.
In terms of establishing a culture on security, specific software should be created by developers who are sensitive to the issue of security, and generally spreading a culture of security throughout a company should be considered a valuable investment.
The newly adopted controls should be introduced with new projects and systems, all the while teaching users, internal and external, about protecting data, quality service and installing a business continuity.
Yearly ICT risk analysis should be undertaken while integrating experiences and knowledge drawn from the Operational Risk Management team, the physical and ICT security teams, the Business Continuity team and using Human Resources to 'glue' it all together and make all of this information accessible.
Lastly, it would be a good idea to hypothesize working without an information system, and experiment with all possible and available emergency plans in case a complete IT breakdown was ever to happen."
But are protection and restrictions the only ways around this issue?
If we used some "lateral thinking" to analyze this issue what other venues would we see available to us?
What have we learned from other social universes about approaching danger and threat by way of adding more and more layers of protection and control?
What about if access to Internet was supported by an infrastructure that allowed proper identification of every person in a way that didn't require more privacy intrusion while leaving it to each one to decide how much of such identity data to reveal?
Too far fetched? Not feasible technologically?
I'd like to hear your comments and opinions on this, right here.
Translated by Robin Good and Chiara Moriconi
from the original article published by
CLUSIT ASSOCIAZIONE ITALIANA PER LA SICUREZZA INFORMATICA
31 agosto 2005 - Newsletter CLUSIT
[PDF available at: www.clusit.it/newsletter_31_08_05.pdf]
Original content Source: ANSSAIF - Associazione Nazionale Specialisti Sicurezza in Aziende di Intermediazione Finanziaria.
Robin Good and Chiara Moriconi - Clusit Newsletter [via Giovanni Canali De Rossi] -
Reference: ANSSAIF [ Read more ]