Viruses II

Introduction

As I write this, we have just "finished" the SoBig.F virus, and now the Internet is being hammered by the Swen.A virus and of course, the Blaster worm.

A client called me recently to tell me he thinks the current viruses "prove" me wrong about my previous thoughts on virus protection. I disagree -- if anything, the current crop of viruses reinforces my opinion that virus scanners are NOT the solution to the virus problem. First of all, let's look at a few of the recent viruses running around as I write this.

Blaster/Lovsan

This virus spreads from computer to computer over the Internet, using a bug in Windows NT/2000/XP/2003. Users need to do NOTHING other than attach a vulnerable computer to the Internet to be infected by Blaster and to start attempting to infect other computers. This virus also launched an attack against an insignificant web site owned by Microsoft, one that most people didn't even know existed. Microsoft negated that part of the threat by simply shutting down that web site. Hopefully, they appreciated the warning -- I don't believe an insignificant MS-owned domain was targeted accidentally; this was just a shot across the bow. Had the target been www.microsoft.com, had the virus not made itself so annoyingly obvious on Windows XP systems (by causing them to reboot), had less time elapsed between the discovery of the virus and the attack date, Microsoft would have been in big trouble.

I lay the blame for this one right on Microsoft's front door. In their defense, they like to say that they had the fixes for this bug months before the virus was released. This is true. However, Microsoft has worked hard to make its users distrust the "Update" process. New updates bring "Enhanced" versions of programs, not just bug fixes. These new versions are often reported to contain "spyware" -- applications which report back to Microsoft what programs are installed on your system, what web sites you go to, what music you listen to, etc. Plus, there is always the risk of any update breaking a running system -- while Microsoft gets a lot of blame for this, it is a risk for any feature-adding update. There have been many reasons to distrust the Microsoft update process.

The bug Blaster exploited should not have existed. On a consumer-oriented system, a remote computer should not be able to influence your machine unsolicited at all (this is a separate issue from the bug itself: the feature should not have been active, as a SECOND bug in the EXACT SAME FEATURE has since proven. It is much like finding out that a lock on the back door of your house is defective -- if you didn't even know there was a back door, why would you be watching the condition of its lock?).

The first call I got on this was the very morning it was released -- this virus spread fast and hard. The client that got it was running Windows XP with an up-to-date virus scanner, but standard virus scanners were useless against this kind of attack -- it came in via an unanticipated channel. Further, it came in so fast that many people were infected before the scanner updates were available.

SoBig.F

SoBig.F is yet another in the SoBig virus series -- this one far more successful and annoying than any of its predecessors, many of which were also very annoying. The rate I was getting copies of this virus in my e-mail was staggering; at its peak, I received 200 or more copies a day. Considering each SoBig.F copy was well over 100K in size, I received more than 20MB of garbage every day to my mail server. Now, granted, I am a public persona on the Internet, so I end up in a lot more people's address books than most people do, but still -- this virus was a major problem for mail servers all over the world. Considering that most commercial e-mail services will not hold more than 5M to 10M of incoming e-mail, a lot of people had serious problems with this virus.

This virus is very different from the Blaster worm -- in my mind, Microsoft gets virtually none of the blame on this one. This virus is very simple in concept -- it is an executable program that tried (a little) not to look like an executable. Ok, Microsoft Outlook was happy to help hide the type of file, Windows has a huge number of different file types which are directly executable, and the number of Outlook users makes a central store of e-mail addresses fairly easy to come by, but I'm going to give Microsoft a "pass" on this one -- I don't think they are the root problem here. (This is not a universal opinion -- one person whose opinion I respect considers the fact that Microsoft's Windows operating systems have very poor protection against users running programs just handed to them via e-mail a fatal flaw in the system design; however, any OS which prohibited that would be unacceptable to home and small business users.)

I blame the users themselves on this one. For YEARS, people have been told "Don't click on attachments", and the long-time bogus advice of "Never click on something from someone you don't know!" (it really was bogus advice until recently, as viruses have always come from people you have already had e-mail contact with!), and yet...that is the only way SoBig.F spreads.

Mercifully, SoBig.F has an expiration date and time. On September 10, 2003 the virus just turned itself off. Why the SoBig author has done this with most of his or her work, I have no idea. Possibly it is to "clear the decks" for the next version, or because he/she hates viruses as much as anyone and didn't want to be dealing with the aftereffects of his/her own work.

New viruses

Unfortunately, new viruses are easy to write, and they continue to be seen. At the time I write this, my mail box is filling with the Swen mail virus -- very similar in many respects to SoBig, though it is a bit easier to trigger, as receiving it in Outlook can permit it to run without bothering the user. At this point, after the SoBig.F worm, I'm looking at that just as a minor detail -- even without this, odds are, it would have spread widely. This virus uses the "Urge To Upgrade" spread by Blaster, and pretends to be (among other things) an important Windows patch directly from Microsoft to you (hint, people: Microsoft doesn't send out patches, you have to go get them!). It also pretends to be one of the bounce messages triggered by SoBig.F, although, again, it pretends poorly...I doubt the author was as stupid as his wording is, I'm sure he's just laughing himself silly every time some idiot clicks on his poor spoof of a bounce message or Microsoft patch.
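Both SoBig.F and Swen arrive as an executable attachment whose real file type is disguised and, in Swen's case, with a sender line claiming to be Microsoft. The mail-gateway check below is an added example, not code from this page or from Holland Consulting; it assumes Python's standard email library, a constructed sample message, and a constructed (not exhaustive) list of extensions Windows executes directly.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Constructed, non-exhaustive list of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

def attachment_risks(raw_message: bytes) -> list:
    """List every attachment of an RFC 822 message with the reasons it should be quarantined."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
            # Windows honours the LAST extension, which is the one Outlook hides from the user.
            reasons.append("executable extension " + suffixes[-1])
            if len(suffixes) > 1:
                reasons.append("inner extension " + suffixes[-2] + " disguises the real type")
            if sender_domain == "microsoft.com" or sender_domain.endswith(".microsoft.com"):
                reasons.append("executable claiming to come from the vendor")
        if data[:2] == b"MZ" and not declared.startswith("application/"):
            # A Windows executable image (MZ header) labelled as something harmless.
            reasons.append("PE image declared as " + declared)
        findings.append({"filename": name, "content_type": declared, "reasons": reasons})
    return findings

def should_quarantine(raw_message: bytes) -> bool:
    return any(f["reasons"] for f in attachment_risks(raw_message))

def build_sample() -> bytes:
    """Constructed sample message: one disguised executable, one harmless text file."""
    msg = EmailMessage()
    msg["From"] = "security@microsoft.com"  # constructed, spoofed sender
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: Your details"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="text", subtype="plain",
                       filename="your_document.txt.pif")
    msg.add_attachment(b"Nothing to see here.", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()
```

Running `attachment_risks(build_sample())` flags the `.pif` file on all four counts and leaves `notes.txt` clean; a scanner signature is never consulted.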

Comments

The current crop of viruses has made a few things very clear to me.

Microsoft Operating Systems and applications are not to be considered safe on the Internet

There. I said it. No Microsoft-based computer should be directly attached to the Internet without some kind of external firewall. The idea of a Microsoft Internet application server is just plain silly -- do you really want to put YOUR credit card info in something with this track record?

A hardware firewall should be considered mandatory at this point in time. Unfortunately, most home Cable Internet providers frown on these devices, as they typically can be used to hook multiple computers to one service account. Tough. At this point in time, they would CLEARLY benefit from more of their users using these devices. Note that I have no respect for software "firewall" products. Most are too difficult for the user to properly configure (though they offer some interesting potential additional security benefit to those who DO know how to use them), and the idea of a Windows computer protecting itself doesn't sit well with me.

Microsoft just does not understand the most basic concepts of writing secure and reliable software. They have been pursuing two contradictory business philosophies: 1) Every computer should be attached to the Internet with e-mail and web access. 2) Software should have as many neat and cool features as possible. This just doesn't work -- fact is, those neat and cool features are much of the REASON for Microsoft's horrible track record in the security business. The features are put in, and THEN there are attempts made to make them safe. NO. That cannot work! Applications and features have to have security considerations thought of from the very beginning, not as a bolt-on afterthought.

The idea of Internet on every office computer has to be reconsidered

This one is a little scary, and many people will think I'm very wrong here. The Internet is a wonderful thing; however, it is very obvious that a huge number of its users are inept and dangerous to themselves and to the other users of the Internet. I think the days of just assuming every office computer is to have full access to the 'net automatically are over. Users who have the need and the training to use the Internet safely and effectively should have it, of course. Those who do not need it should not have it. Those who do not have the training or knowledge to use it should not use it. Those who need it and cannot use it safely should be looking for other work. Seriously.

The amount of time, money and effort spent cleaning up after Internet problems caused by inept users and bad software needs to be looked at, and hard decisions need to be made. The Internet can be seen as a playground, but a very dangerous playground -- with thugs, crooks and crazy drivers all over the place.

Virus Scanners are NOT the solution

If I can get you to click on a file, I can do bad things to your computer, your data, your job, your employer and probably, your life. If I write that file for you, no virus scanner maker will ever have seen it, and they won't protect you. Just today, I received a spam advertising a "trojan" program -- it *looked* like one of those E-Greeting cards that people send to each other. If you were to buy this thing (and if the maker was just a sleaze ball and not a crook), you would send it to your target, they would think you sent them an "E-Greeting card", they would click on it, and would see your message. What they wouldn't see was the keystroke logger that was placed in the system, recording your every keystroke -- your every password, your credit card numbers, your private communications with others, etc. Think about that next time you are tempted to see what someone sent you. It isn't worth it.

People have been clicking on stupid things in the workplace, the IT department mobilizes to fix the problem, the office suffers a productivity loss, and more money and technology is thrown at the problem. The only thing that DOESN'T happen is that the real problem gets fixed: the user who did the stupid act has no reason not to do it again. As I commented in my last writing on this topic, we don't rely on technological solutions to bad and dangerous drivers -- we take the car away from them or we train them. The technological alternatives can't solve the problem -- that much should be clear now.

Macintosh and Linux users have been smugly saying, "Our systems are not vulnerable to these viruses!" These people are fools. Macintosh users are forgetting where the modern computer viruses started! For a number of years, while viruses were spreading like wildfire on Macintosh systems, some people argued that there was really no such thing as a virus on PC systems. While PC viruses are typically avoidable by common-sense behavior, the early Macintosh basically required that the user use a virus scanner -- the viruses were unstoppable without one. As for Linux, just recently someone floated a trojan program around for Linux systems which claimed to exploit a bug in OpenSSH. In fact, it wasn't an actual exploit. It required the user to run it as root, and when run, it copied the system's password file and other critical info and mailed it to an e-mail address, where it could then be used to take over the user's computer. It wasn't a true virus, in that it didn't do anything to move from system to system other than claim to have demonstrated a security exploit, and the Linux users then passed it around among themselves! The only reason viruses aren't spreading around on Macintosh and Linux systems at the rate they are on Windows systems is the market penetration that Windows has, and the glee people take in exploiting a Microsoft bug. It just isn't that hard to make a virus that spreads from user to user when something like 90% are using the same e-mail program. If Microsoft or their users ever get their act together, Linux and Macintosh users will quickly discover they are not immune from software bugs and "stupid user syndrome".

Solutions

There are a number of ways the Internet security issues can be dealt with effectively in business: Viruses are not going away. It is clear technology is NOT the answer here. As long as users can be provoked to run programs on their machine they get from untrusted sources, these problems are going to continue to exist.

Copyright 2003, Nick Holland, Holland Consulting

Published: 9/23/2003
Revised: $Id: nl0004.html,v 1.5 2004/07/06 16:27:13 nick Exp $