Perhaps no other subject in the age of information technology has garnered as much general publicity as the computer virus. Numerous strains and variants of computer virus have exposed the systematic security vulnerabilities prevalent in a widely networked environment. Properly defending against these attacks requires a tremendous amount of research and a thorough understanding of how computer virus attacks occur.
In his book, The Art of Computer Virus Research and Defense, author Peter Szor defines virus terminology, and explores how the attacks are deployed and the methods programmers use to circumvent your virus defense systems. The best way to defeat an enemy is to know the enemy. Chapter 9 from his book, Strategies of Computer Worms, is available from TechRepublic Downloads.
In the following interview, Peter Szor shares his thoughts on the changing scope of computer viruses, especially with regard to the increasing financial motivation of virus programmers. A virus or other form of attack may mean much more than mere inconvenience if you are not properly prepared.
[TechRepublic] Until recently, for the most part, viruses and worms have been more of a nuisance than anything else, inflicting economic harm indirectly with the time spent eradicating their presence. But some more recent virus scams are designed to steal information that can be used to commit fraud—in other words, viruses for specific economic gain. Doesn't this signal an ominous change in motivation by virus writers?
[Peter Szor] We have never seen huge bounties for the heads of virus writers either. I mean, $250,000 sounds like a lot of money for the head of a single attacker, and you would think it should make a difference. I personally expect that attacks are going to decline because of that. Indeed, traditional virus writers seem to be much more careful not to get into trouble these days. However, the face of the attacker is changing. The new attackers are serious fraudsters in organized crime.
Many fraudsters got interested in the utilization of computer worms. Using worms, they can compromise a large number of systems around the world, and using these machines they can execute phishing and spam attacks to make money.
In addition, worms are used to steal personal information from the compromised systems. These can include social security numbers, bank account information, passwords, and so on. Attackers are highly motivated by money, and I believe the sudden increase in computer worm attacks is due to this.
And of course, they are not afraid to execute attacks: they are making a living out of it! Money quickly changes the picture.
[TechRepublic] The sophistication of viruses, worms and other network attacks continues to grow and evolve. Your book discusses the many ways these programs protect themselves from discovery and eradication. Are the network administrators and IT professionals in an "arms race" with virus developers? Is it a race the "good guys" can win?
[Peter Szor] Sure, we are always in an "arms race" with the attackers. As attacks evolve, the defense is getting stronger, and again, this will force a new challenge for the attackers to overcome. This is a war which never stops.
It is another matter that even system administrators did not understand the great challenges computer viruses carried for their networks. Their view changed a lot during the last couple of years. It used to be that nobody considered computer viruses a security problem. Today, the number one concerns are computer worms and exploits. There is an awareness of the problem, and, as a result, the bar is raised higher for the attackers. IT professionals want to learn more about the strategies of the attackers to build better defense. Thus, we already feel a difference.
Indeed, people need to be a lot more security aware these days. Once you understand that the Internet is not just cool, but also a pretty violent place, you want to learn about self-defense. This is the way the "good guys" can win.
[TechRepublic] Notwithstanding the answer to number two above, isn't the real weak link in the security chain the end-user? Social engineering plays a vital role in the spreading of viruses across the Internet. As long as the end-user remains in the dark about the potential danger of their actions won't the virus writers have the upper hand?
[Peter Szor] Right, it used to be so—every single virus needed some sort of participation from the end user. However, computer worms changed that a lot by exploiting the remote targets and automatically executing themselves. 15 years ago, the Stoned virus traveled for two years to get to a small town in Hungary to infect my brand new PC. (This virus was written in New Zealand, as I learned later.)
Today, you connect a vulnerable system to the Internet, and it can get infected within minutes. And well, the attacks might come from the other end of the world…
One of the greatest things about the digital age is that almost anybody can use a computer for browsing the Internet, to chat on Instant Messaging, send e-mail, or to download music, etc. When people go shopping, they go to a place which they consider safe. They know what to expect in bad neighborhoods.
As it turns out, this is much more difficult on the Internet today. Even if you go to a Web site which you visit frequently and trust, your system might be exploited just by browsing the site. I know about major attacks that were implemented that way during the last few months. A lot of sites carry third-party content, such as advertisements, and these can easily hide an attack. So you can browse an indirectly "compromised" site with a vulnerable browser, and suddenly a Trojan horse is installed on your machine. Of course, the attacker is a serious fraudster who wants your money.
But of course, there are many attacks that depend on the interaction of the user even today. Many users are simply not aware that they need to use security on their machine. Simply, they just want to use their machine. People need to be educated, and security needs to be integrated into their systems in such a way that it is not overly intrusive. And, of course, education can truly help, especially when it comes to traditional social engineering attacks, which can be largely avoided that way.
[TechRepublic] Much has been written about Microsoft Internet Explorer and the numerous vulnerabilities being exploited in its code. The popular response has been to switch to one of the open source browsers available. However, the TechRepublic community is starting to see problems with those browsers as well. Is the debate over which Web browser is more secure really inconsequential—the real battlefield lies beyond the browser wars doesn't it? Is the general debate too focused on the browser and not enough on what takes place on the network?
[Peter Szor] Today, an attacker can guess with about 90 percent reliability that you are a Windows user, running Internet Explorer. Chances are that your computer is not up to date with security patches. This chance is at least 50 percent. Attackers are motivated to find the easy target. Unless a single target carries a high return to them, they will not bother to attack it.
I believe people need to be able to make free choices on what system and browsers they wish to use. Of course, as soon as enough people start to use new environments and applications, attackers will follow. People need to be able to communicate easily, and as a result, the computing environment is pretty homogeneous nowadays. Thus, you cannot get away from the idea of Internet self-defense and security awareness just by switching to a less common platform. You need to think about your basic security needs on all environments, and take action.
When many attacks are focusing on a particular browser, it is natural that people get skeptical about it. This skepticism forces browsers to get more secure. Indeed, I agree with you that there is a lot of focus on client side vulnerabilities nowadays, but it is indeed highly fashionable to attack systems with them. Fashions change over time, due to the environmental changes. Threats continue to evolve. It is very healthy that people are aware of the risks, and try to mitigate the problems. It is a very good start in a long journey!
Mark Kaelin is a CBS Interactive Senior Editor for TechRepublic. He is the host for the Microsoft Windows and Office blog, the Google in the Enterprise blog, the Five Apps blog and the Big Data Analytics blog.