Infection Rates and Malware Evolution
Thank you to the people who are becoming regular readers of this column - it is really making it a worthwhile endeavour to sit down and write them each week. Please don't hesitate to email with your questions or suggestions for future column topics.
To start off the column, some fairly significant vulnerabilities have recently been uncovered in PHP, specifically in the XML_RPC library, which is a standard module in a lot of PHP installations. The ubiquitous forum software phpBB has fallen victim to this particular vulnerability, which appears strange, as recent versions were not susceptible, but the most current version (at the time of writing) re-introduced it. Given the history of phpBB vulnerabilities, and of remotely exploitable PHP vulnerabilities in general, exploits are expected to appear in the wild, with active attacks commencing in the very near future. Workarounds are available for site administrators, and the main phpBB release is expected to be updated to fix this issue.
The computer security company Sophos announced last week that the average time to compromise for an unprotected Windows XP system plugged into the Internet is only 12 minutes. The ISC team at SANS argues that the infection time is more like 31 minutes, and others claim it is as low as 6 minutes. Anecdotal evidence suggests that, in the right environment such as a hostile university network, compromise can be almost immediate. As a thought exercise, it is possible to argue that infection rates depend on infection mechanisms:
- Linear infection rates exist when manual human input is required for each infection, such as some website defacement attacks. This means that in any given period of time the same number of machines is attacked and compromised, irrespective of how many machines were compromised previously.
- Exponential infection rates exist when automated attacks are the cause of infection, such as the Blaster and Sasser worms, which attacked default services on Windows. If it can be assumed that there is an unlimited supply of new vulnerable machines, an automated attack produces this sort of spread, because each infected computer joins in launching attacks against new targets.
- In a real-world environment, the infection rate is probably closer to a modified sigmoid function. A sigmoid function returns an 'S'-shaped curve: a near-exponential infection rate initially, after which growth slows in a near-exponential decay. This represents a rapid initial automated infection that is then controlled and mitigated by network administrators and network protection tools. Graphed as the number of infected machines against time, it might look something like a bell curve, with a drop in the total of infected machines once the administrators find a way to defeat the malware. Graphed as the percentage of possible victims infected against time, it looks more like the 'S' curve.
Some of the regular readers of this column include senior high school Computing Studies classes, so the extended effects of the different infection mechanisms are left as an exercise for the reader: for example, consider the bandwidth issues when an attack consumes 100 KB per instance, there are 12 attacking machines on the network connection, and the available bandwidth is only 1.5 MB/s.
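The three infection mechanisms above, and the bandwidth exercise that follows them, can be made concrete with a small simulation. The code below is an added example written for this column, not the column's own material: it models linear, exponential and sigmoid (discrete logistic) growth in infected-host counts per hour, then works out how much of a link the infected hosts consume. It assumes that "100 KB per instance" means each attacking machine sends 100 KB/s, and that 1 MB is 1000 KB; both are labelled assumptions in the code, and the population size, growth rates and hour counts are constructed inputs.

```python
"""Toy infection-rate models for the three mechanisms described in the column (added example)."""

KB_PER_MB = 1000  # assumption: decimal megabytes; use 1024 for binary units


def linear_infections(rate_per_hour, hours):
    """Manual attacks: a fixed number of new compromises each hour,
    independent of how many hosts are already compromised."""
    return [rate_per_hour * t for t in range(hours + 1)]


def exponential_infections(initial, growth_per_hour, hours):
    """Automated attack with an unlimited supply of vulnerable hosts:
    every infected host recruits growth_per_hour new hosts each hour."""
    return [initial * (1 + growth_per_hour) ** t for t in range(hours + 1)]


def logistic_infections(initial, growth_per_hour, population, hours):
    """Finite pool of possible victims: growth is exponential while the
    pool is mostly uninfected and slows as it fills, giving the 'S' curve.
    Each step is n += r * n * (1 - n / population)."""
    counts = [float(initial)]
    for _ in range(hours):
        n = counts[-1]
        counts.append(n + growth_per_hour * n * (1 - n / population))
    return counts


def new_infections_per_hour(counts):
    """Hour-by-hour increments; for the logistic model this is the 'bell curve'."""
    return [b - a for a, b in zip(counts, counts[1:])]


def link_utilisation(infected, per_instance_kb_s, link_mb_s):
    """Fraction of the link consumed by `infected` attacking machines
    (assumption: each instance sends per_instance_kb_s continuously)."""
    return (infected * per_instance_kb_s) / (link_mb_s * KB_PER_MB)


def first_hour_saturated(counts, per_instance_kb_s, link_mb_s):
    """Index of the first hour at which the infected hosts fill the link, or None."""
    for hour, infected in enumerate(counts):
        if link_utilisation(infected, per_instance_kb_s, link_mb_s) >= 1.0:
            return hour
    return None


if __name__ == "__main__":
    # Constructed scenario: 1 seed host, doubling every hour, 100 possible victims.
    curve = logistic_infections(initial=1, growth_per_hour=1.0, population=100, hours=12)
    for hour, (total, new) in enumerate(zip(curve[1:], new_infections_per_hour(curve)), 1):
        print(f"hour {hour:2d}: {total:6.1f} infected (+{new:5.1f})")
    # The column's exercise: 12 attackers at 100 KB/s on a 1.5 MB/s link.
    print("utilisation with 12 attackers:", link_utilisation(12, 100, 1.5))
    print("worm saturates link at hour:",
          first_hour_saturated(exponential_infections(1, 1.0, 8), 100, 1.5))
```

The logistic step never overshoots the population when the growth rate is at most 1.0 per hour, which is why the increments rise, peak around the midpoint and fall away, while the cumulative count flattens into the 'S'. Swapping in the exponential model shows how quickly a worm with no mitigation outgrows the link.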
Some news organisations were reporting early last week that the US Supreme Court had ruled that companies that created peer-to-peer applications were to be held responsible for the use of those applications to download material that infringed copyright. This interpretation of the ruling is actually incorrect. What the US Supreme Court established was that it was illegal to promote the use of an application for copyright infringement or other illegal activity, and that in that instance the developers could be held liable for infringement by third parties who used the application.
A case developing in Australia along similar lines has seen two ISP administrators sued for apparently ignoring peer-to-peer activity on their networks, and for ignoring the infringement notices sent to them. The administrators are being sued on the basis that they allegedly maintained a BitTorrent hub that was used to exchange music files. An initial court ruling found that their actions were within the limits of their job specifications, but that has been overturned, allowing the current action to proceed. The legal team for the ISP claims that the customers were responsible for maintaining the hub, not the ISP. The reporting on the Supreme Court decision was fairly widespread, with a lot of differing opinions being presented, twisting the ruling to their own viewpoints. Representatives of online music downloading services went on record claiming that the ruling meant that the use of P2P software was illegal, but these reports didn't appear to refer to the actual ruling.
In fairly big news from mid-week, Pakistan's undersea communications cable suffered a failure such that all Internet connectivity to the nation was severed (internal networks continued to function). According to news reports, the failure was due to a power failure. Secondary connections are being planned through India, and connectivity was maintained through backup satellite links, which could only provide 10% of the original bandwidth. Quite a number of countries make use of the cable, including India, Dubai and Oman. With repairs expected to take up to two weeks, it is possible that the UAE and India will encounter connection disruptions while the cable (SME-3) is fixed, as they also rely on it. Pakistan was not the only country to encounter difficulties with undersea connections recently: New Zealand suffered when rats destroyed a cable at the same time as a second cable was offline for maintenance, and last November the undersea cable supplying Colombia and Ecuador with their access was severed.
Microsoft is apparently in talks to buy Claria, a well-known spyware company initially called Gator. Rumours abound as to the likely outcome of this potential acquisition. One of the more sane suggestions is that Microsoft will use the terabytes of personalised computer-use data that Claria has acquired, along with the Google Adwords equivalent that Claria has hinted at developing, to help MSN 'catch up to Google'. Other rumours suggest that some Claria / Gator technology will make its way into the next Windows release as a means of ensuring that only legal copies of the software get installed.
Staying with Microsoft news, reports are rising again of trojans that claim to be legitimate Microsoft patches. This issue has been reported on and off for quite a while now, and it should be considered an ongoing problem that will continue to plague whichever Operating System is the most common and prevalent. Other recent reports, again largely affecting only Microsoft systems, indicate that various malware are evolving in their ability to cause mayhem. One of the more recent evolutions in the dirty tricks war has been the ability of malware to identify and disable antivirus applications, firewalls, and other protective software. This is now apparently progressing to malware engaging in packet filtering. A packet is a small parcel of information that crosses a network, and many packets combine to carry the information that has been requested. In packet filtering, an application watches the network packets that go back and forth and identifies certain behaviour or content that is of interest for subsequent processing. What the malware is tending to do is drop (refuse to pass through) packets to and from antivirus auto-update sites or Operating System update sites. This behaviour doesn't tend to require modification of system files (such as the modification of the hosts file, which is a common technique), and it is more difficult to identify and troubleshoot.
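A defender troubleshooting a machine that will not update wants to tell the two techniques mentioned above apart: an override in the hosts file is visible on disk, while a packet filter that silently drops update traffic leaves no file change and shows up only as a connection that times out while unrelated sites still connect normally. The check below is an added example, not code from the column: it parses hosts-file content for pinned update hostnames, classifies TCP connect attempts (ok, refused, timeout, DNS failure), and flags the "update hosts time out while control hosts are reachable" pattern. The hostnames are placeholders, the hosts-file text is constructed, and `simulated_connect` stands in for `socket.create_connection` so the example runs offline; on a real machine, pass the real function and the contents of the actual hosts file.

```python
"""Defender-side check for blocked update traffic (added example, not from the column)."""
import socket

# Constructed hosts-file content with one malicious override of an update host.
HOSTS_FILE_SAMPLE = """127.0.0.1 localhost
# constructed: pins an antivirus update host to loopback
127.0.0.1 update.av-vendor.example
"""
UPDATE_HOSTS = ["update.av-vendor.example", "update.os-vendor.example"]  # placeholders
CONTROL_HOSTS = ["www.example.com"]  # placeholder for a known-good unrelated site


def hosts_file_overrides(hosts_text, names):
    """Return {name: ip} for any watched name pinned in the hosts file."""
    wanted = {n.lower() for n in names}
    found = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *aliases = line.split()
        for alias in aliases:
            if alias.lower() in wanted:
                found[alias.lower()] = ip
    return found


def probe(host, port=443, timeout=3.0, connect=socket.create_connection):
    """Classify one TCP connect attempt. A silent drop by a packet filter
    looks like 'timeout'; a hosts-file pin to loopback usually looks like 'refused'."""
    try:
        with connect((host, port), timeout=timeout):
            return "ok"
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def assess(update_results, control_results, overrides):
    """Turn the raw evidence into findings a technician can act on."""
    findings = [f"{name} pinned to {ip} in hosts file" for name, ip in overrides.items()]
    control_ok = any(result == "ok" for result in control_results.values())
    for name, result in update_results.items():
        if result == "timeout" and control_ok:
            findings.append(f"{name}: connection silently timed out while control hosts "
                            "are reachable (possible packet filtering of update traffic)")
        elif result == "dns-failure" and control_ok:
            findings.append(f"{name}: name resolution failed (check resolver and hosts file)")
    return findings


def run_checks(hosts_text, connect=socket.create_connection):
    """Full check: hosts-file inspection plus reachability of update and control hosts."""
    overrides = hosts_file_overrides(hosts_text, UPDATE_HOSTS)
    update = {h: probe(h, connect=connect) for h in UPDATE_HOSTS}
    control = {h: probe(h, connect=connect) for h in CONTROL_HOSTS}
    return assess(update, control, overrides)


def simulated_connect(blocked, refused=()):
    """Constructed stand-in for socket.create_connection so the check runs offline:
    hosts in `blocked` time out (a silent drop), hosts in `refused` get a RST."""
    class _Conn:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def connect(address, timeout=None):
        host, _port = address
        if host in blocked:
            raise socket.timeout("simulated silent drop")
        if host in refused:
            raise ConnectionRefusedError("simulated refusal")
        return _Conn()
    return connect


if __name__ == "__main__":
    # Scenario: the OS update host is filtered, the AV host is pinned in the hosts file.
    fake = simulated_connect(blocked={"update.os-vendor.example"})
    for finding in run_checks(HOSTS_FILE_SAMPLE, connect=fake):
        print("-", finding)
```

The control-host comparison is what makes the timeout meaningful: a machine whose whole link is down times out everywhere, whereas selective timeouts on update hosts alone point at something on the host or the path filtering that traffic. Running the same probes from a second, clean machine on the same network separates a host-resident filter from an upstream outage.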
4 July 2005