Perhaps no other subject in the age of information technology has garnered as much general
publicity as the computer virus. Numerous strains and variants of computer
viruses have exposed the systematic security vulnerabilities prevalent in a
widely networked environment. Properly defending against these attacks requires
a tremendous amount of research and a thorough understanding of how computer
virus attacks occur.

In his book, The Art of Computer Virus Research and Defense, author Peter Szor
defines virus terminology, and explores how the
attacks are deployed and the methods programmers use to circumvent your virus
defense systems. The best way to defeat an enemy is to know the enemy. Chapter
9 from his book, Strategies of Computer Worms, is available from TechRepublic
Downloads.

In the following interview, Peter Szor shares his thoughts on the changing scope of
computer viruses, especially with regard to the increasing financial motivation
of virus programmers. A virus or other form of attack may mean much more than
mere inconvenience if you are not properly prepared.

Interview

[TechRepublic] Until recently, for the most part,
viruses and worms have been more of a nuisance than anything else; inflicting
economic harm indirectly with the time spent eradicating their presence. But
some more recent virus scams are designed to steal information that can be used
to commit fraud—in other words viruses for specific economic gain. Doesn’t this
signal an ominous change in motivation by virus writers?

[Peter Szor] We have never seen huge bounties for
the heads of virus writers either. I mean, $250,000 sounds like a lot of money
for the head of a single attacker, and you would think it should make a
difference. I personally expect that attacks are going to decline because of
that. Indeed, traditional virus writers seem to be much more careful not to
get into trouble these days. However, the face of the attacker is changing. The
new attackers are serious fraudsters in organized crime.

Many fraudsters got interested in the utilization of computer worms. Using worms,
they can compromise a large number of systems around the world, and using these
machines they can execute phishing and spam attacks to make money.

In addition, worms are used to steal personal information from the compromised systems.
These can include social security numbers, bank account information, passwords,
and so on. Attackers are highly motivated by money, and I believe the reason
for the sudden increase in computer worm attacks is due to this.

And of course, they are not afraid to execute attacks: they are making a living out of it!
Money quickly changes the picture.

[TechRepublic] The sophistication of viruses,
worms and other network attacks continues to grow and evolve. Your book
discusses the many ways these programs protect themselves from discovery and
eradication. Are the network administrators and IT professionals in an
“arms race” with virus developers? Is it a race the “good
guys” can win?

[Peter Szor] Sure, we are always in an “arms
race” with the attackers. As attacks evolve, the defense is getting
stronger, and again, this will force a new challenge for the attackers to
overcome. This is a war which never stops.

It is another matter that even system administrators did not understand the great
challenges computer viruses carried for their networks. Their view changed a
lot during the last couple of years. It used to be that nobody considered
computer viruses a security problem. Today, the number one concerns are
computer worms, and exploits. There is an awareness of the problem, and, as a
result, the bar is raised higher for the attackers. IT professionals want to
learn more about the strategies of the attackers to build better defense. Thus,
we already feel a difference.

Indeed, people need to be a lot more security aware these days. Once you understand
that the Internet is not just cool, but also a pretty violent place, you want
to learn about self defense. This is the way the “good guys” can win.

[TechRepublic] Notwithstanding the answer to
number two above, isn’t the real weak link in the security chain the
end-user? Social engineering plays a vital role in the spreading of viruses
across the Internet. As long as the end-user remains in the dark about the
potential danger of their actions won’t the virus writers have the upper hand?

[Peter Szor] Right, it used to be so—every single
virus needed some sort of participation from the end user. However, computer
worms changed that a lot by exploiting the remote targets and automatically
executing themselves. 15 years ago, the Stoned virus traveled for two years to
get to a small town in Hungary to infect my brand new PC. (This virus was written
in New Zealand, as I learned later.)

Today, you connect a vulnerable system to the Internet, and it can get infected within
minutes. And well, the attacks might come from the other end of the world…

One of the greatest things of the digital age is that almost anybody can use a computer
for browsing the Internet, to chat on Instant Messaging, send e-mail, or to
download music, etc. When people go shopping, they go to a place which they
consider safe. They know what to expect in bad neighborhoods.

As it turns out, this is much more difficult on the Internet today. Even if you go to a Web
site which you visit frequently and trust, your system might be exploited just
by browsing the site. I know about major attacks that were implemented that way
during the last few months. A lot of sites carry 3rd party content, such as
advertisements, and these can easily hide an attack. So you can browse an
indirectly “compromised” site with a vulnerable browser, and suddenly
a Trojan horse is installed on your machine. Of course, the attacker is a
serious fraudster who wants your money.

But of course, there are many attacks that depend on the interaction of the user even
today. Many users are simply not aware that they need to use security on their
machine. Simply, they just want to use their machine. People need to be educated,
and security needs to be integrated into their systems in such a way that it
is not overly intrusive. And, of course, education can truly help. Especially
when it comes to traditional social engineering attacks which can be largely
avoided that way.

[TechRepublic] Much has been written about
Microsoft Internet Explorer and the numerous vulnerabilities being exploited in
its code. The popular response has been to switch to one of the open source
browsers available. However, the TechRepublic community is starting to see
problems with those browsers as well. Is the debate over which Web browser is
more secure really inconsequential—the real battlefield lies beyond the browser
wars doesn’t it? Is the general debate too focused on the browser and not enough
on what takes place on the network?

[Peter Szor] Today, an attacker can guess with
about 90 percent reliability that you are a Windows user, running Internet
Explorer. Chances are that your computer is not up to date with security
patches. This chance is at least 50 percent. Attackers are motivated to find
the easy target. Unless a single target carries a high return to them, they
will not bother to attack it.

I believe people need to be able to make free choices on what system and browsers they
wish to use. Of course, as soon as enough people start to use new environments
and applications, attackers will follow. People need to be able to communicate
easily, and as a result, the computing environment is pretty homogeneous
nowadays. Thus, you cannot get away from the idea of Internet self-defense and
security awareness just by switching to a less common platform. You need to
think about your basic security needs on all environments, and take action.

When many attacks are focusing on a particular browser, it is natural that people get
skeptical about it. This skepticism forces browsers to get more secure. Indeed,
I agree with you that there is a lot of focus on client side vulnerabilities
nowadays, but it is indeed highly fashionable to attack systems with them.
Fashions change over time, due to the environmental changes. Threats continue
to evolve. It is very healthy that people are aware of the risks, and try to
mitigate the problems. It is a very good start in a long journey!