Code Wars: Virus Attack Trends; the Worms of 2001 Are the Building Blocks of the Next Generation of Threats to the Internet, Which Are Likely to Be Faster, Harder to Fight, and Deadlier. (Computer Security)

Article excerpt

In Star Wars, the forces of good and evil wage battle against one another, but ironically both draw their strength from the same source: The Force. The concept of a single power that can be used for ill or good is a fitting metaphor for the world of computers, where the ones and zeros at the heart of programming can be fashioned to do the bidding both of those who want to write software that improves systems and of those who want to create malicious code, spreading viruses and harming networks.

Unfortunately, most companies that do business on the Web are not taking sufficient measures to protect their networks, agree information security experts, and since any unprotected computer can be used to attack another computer or network, weakness for one can mean weakness for all. Even worse, those who study these online diseases worry that users have not learned from experience and that the future holds the specter of much more serious, and more widespread, infections. The code wars are likely to get fiercer.

Trends. The rapid evolution of viruses that occurred in 2001 is expected to continue at an increased pace in 2002, experts say. Like the Black Death that spread rapidly across 14th-century Europe and killed roughly a third of the European population, new computer viruses are expected to move quickly and quietly and be extremely adaptable and particularly lethal. Following are the characteristics that experts expect to be common in the next generation of cyberthreats.

Blended threats. One frightening characteristic of the new plagues that loom over the Internet is that they will combine various methods of infection as the Nimda virus did. (See sidebar for a discussion of Nimda and other specific viruses.) "They're combining multiple different aspects we've seen before: the backdoor Trojan or the creation of vulnerabilities or the exploitation of vulnerabilities, the speed of the mass-mailer replication, and the active network infectors that we've had for the past two years," says Vincent Weafer, senior director of the security response division of Internet security technology and anti-virus company Symantec. "They're all coming together in what we're terming the blended threat, where the worm has multiple different techniques and automation tools on it."

Chris Wysopal, director of research and development at digital security consulting company @stake, agrees that the use of multiple vulnerabilities and multiple vectors makes these new worms quite difficult to defeat compared with previous threats. The problem, he says, is that system administrators are already overwhelmed by the number of patches and fixes that need to be regularly installed across company networks to combat malicious code and other threats. "If you are only 75 percent effective with your patching, if there are some things you leave off because you don't think it's a big threat, and if the worm has three vectors, then you might get caught with one of them," he says.

Multiple platforms. Another trend that worries the information security community is that worms will target multiple operating systems. Ed Skoudis, vice president of ethical hacking, incident response, and digital forensics for Predictive Systems, a network infrastructure and security consulting company, explains that most of the worms in 2001 went after a single operating system; for example, Nimda targeted Windows, while the Lion (1i0n) worm was deadly to Linux boxes. "We're going to see worms in the future that go after multiple operating systems at the same time," Skoudis says. "For example, a single worm will infect a Linux box; from that box it will be able to spread to Windows boxes, from there it will go to Solaris, from Solaris to AIX, and so on."

This strategy will complicate the solution for system administrators, says Skoudis. Rather than having to patch a particular operating system, they will need to patch everything. "Your whole environment will have to be updated when you see a multi-platform worm come out," he says. …
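The two points above, Wysopal's arithmetic on partial patching versus multi-vector worms and Skoudis's warning about multi-platform worms, can be made concrete with a small fleet-exposure model. The following is an added example written for this page, not code from the article or from any of the companies quoted; the inventory, platform names and vulnerability IDs (V1, V2, ...) are constructed placeholders, and the model assumes each vector is patched independently across hosts, which is the assumption behind the "75 percent effective" figure.

```python
"""Fleet-exposure model for blended, multi-platform worms (constructed example).

A host is described by its platform and the set of vulnerability IDs it has
NOT yet patched. A worm is a list of (platform, vulnerability) infection
vectors. A host is exposed if at least one vector applies to it, so adding
vectors to a worm can only enlarge the exposed set.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    platform: str
    unpatched: set = field(default_factory=set)  # vuln IDs still open on this host


def exposed_hosts(hosts, vectors):
    """Names of hosts that at least one (platform, vuln) vector can exploit."""
    return {
        h.name
        for h in hosts
        for plat, vuln in vectors
        if h.platform == plat and vuln in h.unpatched
    }


def exposure_fraction(hosts, vectors):
    """Share of the fleet the worm can reach with the given vectors."""
    return len(exposed_hosts(hosts, vectors)) / len(hosts)


def analytic_exposure(patch_rate, n_vectors):
    """1 - p**k: chance a host is missing at least one of k independently
    patched vectors when each is patched with probability p. With p = 0.75
    and k = 3 this is about 0.58, i.e. most of the fleet is still reachable."""
    return 1.0 - patch_rate ** n_vectors


def build_fleet(n, platforms, vulns_by_platform, patch_rate, seed=1):
    """Constructed inventory: each host gets a platform and, independently
    per vulnerability, is patched with probability patch_rate."""
    rng = random.Random(seed)
    fleet = []
    for i in range(n):
        plat = rng.choice(platforms)
        unpatched = {v for v in vulns_by_platform[plat] if rng.random() >= patch_rate}
        fleet.append(Host(f"host{i:04d}", plat, unpatched))
    return fleet


# Hypothetical vulnerability IDs per platform (placeholders, not real advisories).
VULNS = {
    "windows": ["V1", "V2", "V3"],
    "linux": ["V4", "V5"],
    "solaris": ["V6"],
}


def main():
    fleet = build_fleet(2000, list(VULNS), VULNS, patch_rate=0.75)
    single = [("windows", "V1")]
    blended = [("windows", "V1"), ("windows", "V2"), ("windows", "V3")]
    multi_platform = blended + [("linux", "V4"), ("solaris", "V6")]
    windows_only = [h for h in fleet if h.platform == "windows"]

    print(f"analytic 1 - 0.75^3          : {analytic_exposure(0.75, 3):.3f}")
    print(f"single vector, Windows hosts : {exposure_fraction(windows_only, single):.3f}")
    print(f"3 vectors,     Windows hosts : {exposure_fraction(windows_only, blended):.3f}")
    print(f"single vector, whole fleet   : {exposure_fraction(fleet, single):.3f}")
    print(f"multi-platform, whole fleet  : {exposure_fraction(fleet, multi_platform):.3f}")


if __name__ == "__main__":
    main()
```

The analytic line reproduces Wysopal's point directly: 75 percent patch coverage leaves a single-vector worm about a quarter of the fleet, but a three-vector worm about 58 percent of it. The multi-platform run shows Skoudis's case, where a vector per operating system turns a Windows-only problem into a fleet-wide one even though no individual host got any less patched.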