August 09, 2007

Podcast with Arbor Networks: The Evermore Deadly Evolution of Malicious Software
Listen to or download the 11:01 min. podcast below:
What follows is the transcript of my podcast with Dr. Jose Nazario, Security Researcher for Arbor Networks, where we discuss the first computer virus, how it compares with today’s viruses, whether or not anti-virus is dead, what a company needs to do to protect itself today, and finally, the future of security threats.
This is the 25th anniversary of the very first computer virus. Tell me about the very first virus, how did it work and what sort of damage did it do?
A number of folks will actually disagree with calling Elk Cloner, which is what we’re going to be talking about, the very first computer virus. Computer viruses had been theorized well before that and had actually been developed earlier than Elk Cloner. But Elk Cloner, which was from the early 80s, was one of the first widespread in-the-wild viruses, and it was an infector, a disk infector, actually, for the Apple II computers. So, at the time, Apple had the dominant personal computer share out there; this is right before the IBM PC hit it really big. Elk Cloner would basically take the diskette that you booted from, load itself into memory, and whenever you put a new diskette in, you would actually infect the diskette as well.
And it would pop up a message every now and then basically saying “Ha, ha, I’m the Elk Cloner,” and it was basically a proof of concept written by the author, then a young man, to sort of play a game on his friends. He was exploring and having some fun with that, but it wasn’t terribly malicious. It couldn’t really cause many big problems; you know, it didn’t delete files, it didn’t prevent the systems from booting, things like that that we’ve seen since then.
Cut to today, where one of the newest threats is the Trojan horse virus, Peacomm, which tries to infect users by getting you to open a fake postcard they say is from one of your best friends. Tell me about Peacomm, and does it bear any similarities to the first virus?
It doesn’t bear much resemblance at all to the first virus other than the fact that it is parasitic in nature and it spreads more or less without the users’ direct intervention or the users’ intentions. What’s interesting about it is that the term virus and the generic idea of malware is so generic and so flexible that it does allow for these two wildly different samples – Elk Cloner and Peacomm – to be categorized in much the same way. Whereas Elk Cloner infects only diskettes and it had to be loaded at boot time on a system to infect other diskettes, Peacomm spreads over the network from computer to computer by basically emailing itself out. Originally, this past winter, it was spreading itself as an executable attachment in email messages, and then about a month or two ago they started telling people to visit a website, where they would then change the executable repeatedly throughout the day to avoid anti-virus detection. It went from basically being a social engineering virus, where somebody would be enticed to look at the attachments and infect their computer, to now they’re being enticed to go to a website because they want to see this postcard from their friend or their schoolmate or their relative. And when they go to visit the website, their browser is exploited through one of multiple holes in the software that is accessible through the web browser, and the system is then commanded to download and begin running the executables tied together in Peacomm.
Peacomm is a very interesting piece of malware that is very representative of current malware trends in many respects. It has multiple components that fit together to provide communications; its primary function, which is to send spam; it has replication functions in another executable; and it even now has service attack capabilities within it that allow it to attack rival websites and sometimes even researchers like myself and others who have been investigating this botnet. The communications it carries with it communicate from host to host, not from one host to a central server but rather from peer to peer, to be able to pass commands and receive them and to act on those commands. These commands might be to download and install a new spam template, to update some components, or to launch an attack.
The capabilities of the machines are determined when the machine is actually infected: it begins to try to communicate with others and find out how much it can do to the network. Can it be used, for example, to stand up a website that is, you know, one of those fake postcard websites? Or can it only send spam? Or can it launch denial-of-service attacks, those kinds of things?
Lately, some people have been saying that anti-virus is dead. What is motivating this, and how do you respond to that?
I’m actually one of the people who’s talked about this gap on anti-virus between what anti-virus provides and the threats that we’re facing right now. When I talk about anti-virus, I’m talking about any anti-malware software, any anti-malware system, so this is designed to detect and prevent and remove unwanted software programs, and this can include viruses, this can include Trojan horses, worms, spyware, adware, things like that. So, some folks in the anti-virus community are quick to point out that anti-virus is only about viruses and Trojan horses and not about much else. Now, I’m talking about all of these threats. The gap that I’m talking about, though, is that the number of people writing malware samples, and the ease with which they’re doing it, and the variability that they are introducing, when compared to the detection capabilities of the existing anti-virus and anti-malware solutions, leaves a lot to be desired, so I am one of these people that believes that there is a problem there. Would I call it “dead”? Probably not. When some folks talk about it being dead, they’re talking about clearly it’s a failed technology and we need to have something new. A lot of folks are talking about it as it is no longer that front line of defense in many minds. I agree a little bit with both of those perspectives. I think, as I mentioned, there is a gap. I think that there is a shortcoming, a dramatic shortcoming these days in the anti-virus and anti-malware world that folks are trying to address, and they’re finding that they can’t yet address it as well as they want to.
Now it’s said that you can never truly protect yourself fully against viruses or malware, but what exactly does a company need to do to protect itself at all?
It’s true that you can never be fully protected against viruses, and I think this goes right back to some of the initial work done by people like Fred Cohen on viruses and virus theory. It’s just impossible to enumerate everything that could be used maliciously to become comprehensive there. And so, anti-virus will always have that problem with it. What we are seeing that works pretty well, though, people were trying it with Windows XP and now it’s built into Windows Vista, and that is the idea of a very limited set of capabilities for the running user compared to the rest of the system. Often, malware will be able to infect a system completely because it has access to be able to write to the system folders and it has the ability to install itself as always running. If it’s just the user and it has a very limited set of privileges, then it can’t actually install itself permanently. A user might be infected for a session, might run into some problems, but when they log out and log back in or shut the computer down, they’re just generally fine.
So, this dramatic change in the default stance through Vista is a big help there. And also, applications within Vista, much more so than in previous versions of Windows, are much better at not cross-interacting with each other. They’ve got more barriers between their interactions, which prevent, in the case, for example, of a web browser, dropping in and launching other files that are unwanted on the system.
Botnets seem to be growing bigger and more dangerous by the day. Why have they grown so fast so quickly?
Botnets are a natural outgrowth of the computer worms that plagued us in the early 2000s, such as Code Red, Nimda, SQL Slammer, and the idea that caused it to be a sort of natural outgrowth is that if you have your code on a hundred thousand machines and it can only do one thing, you’re at a loss. You have to launch new code to make it do something new. If you could update it, if you could command it dynamically, now you have, well, you know, a much bigger installed base, and so the bot is a natural outgrowth of that. We’re seeing a dramatic upsurge both in the prevalence of bots through more and more botnet operators as well as their tenacity with using better exploits and better defensive tools to protect their installed software, their installation base, if you will, and that we think is what’s causing this dramatic upsurge; the availability and the skillset is also dramatically improving.
Botnets are being used by many people to send spam, to conduct phishing attacks, to conduct large-scale denial-of-service attacks against security researchers and security professional organizations, as well as even against governments and commercial organizations in many cases. The attackers are finding that a botnet is a fantastic platform from which to build their enterprise, and it requires only a little bit of maintenance and a little skill to actually conduct these widespread attacks and make a lot of money at the same time.
What do you see as the future of security threats, and do you think it’s ever going to get better for the good guys?
I think we are seeing a change back towards the Trojan horse and the idea where you require social engineering to fool a user into installing software. This was very popular in the early days of computer malware. Several years ago, we saw a dramatic change towards software vulnerabilities being used to install malicious software, and now I think we’re seeing a shift back towards social engineering, possibly combined in some cases with exploits, like we’re seeing in Peacomm, where you’re being socially engineered to go visit this website, and once you do so, your browser is now being attacked and exploited. So, this combined threat is actually, it’s a big problem there. But I think the requirement is now, given the posture of operating systems and the, you know, default installation of a host-based firewall, all of these things combine to having to get the user, if you will, to sort of open up and make themselves vulnerable through a social engineering attack. That, I think, is going to be the trend that is going to continue for a while. What goes beyond that, I’m not necessarily sure.
I think that as we grow more interconnected and more capable on these platforms, it gets a little bit harder to anticipate all the pitfalls we’re going to explore there, but I don’t want people to continue to think it’s going to get worse. I think that there are some great strides that we’re making in the defensive space and we’re better than we were even yesterday in this, but I think the pace of the problem and the scale of the problem is such that our darker days, I think, are still ahead of us in this regard.
Tags: Computer Virus, AntiVirus, Elk Cloner, Peacomm, botnet, DOS Attacks, Adware, Trojan Horse, Code Red, Nimda, SQL Slammer
Posted by pschooff in Podcast