
tnl.net

The Coming Plague

Something has been bugging me about the whole SoBig.F incident, and I believe it has more to do with the self-congratulatory messages from the people who eradicated most of it than with the virus itself. In a way, the virus is a clear representation of where things are headed. Back in 2001, I heard about a virus called Hybris. It was among the first of a new breed: a self-updating virus that fetched plugin modules posted to a Usenet newsgroup and could therefore change its own behaviour long after its release. A related article I wrote for the now defunct Planet IT concluded with a worrisome quote from a hacker I interviewed:

This is a great tool to learn new ways to propagate a payload. New variants of this will come out, and I think that within six months, Hybris and its kids could be the most widespread Trojan making the rounds.

Later that year, Code Red, which spread from server to server by exploiting a buffer overflow in Microsoft's IIS web server, became the most widespread virus in recent history. I am now afraid to say that, with SoBig.F, we are seeing a merger of those two paths, self-updating code and fast automated propagation, into something that could become very scary: SoBig.F spread as a mass mailer, but it also carried a timed instruction to fetch a second-stage payload from a short list of hosts, and blocking that fetch is what the eradication effort actually achieved.

Humor me for a second and follow me down a few little dystopias.

A trojan writer (and I will not go into the motivations of those people, as they are as varied as motivations for programming) decides to write a trojan that attacks servers the same way Code Red did. However, the writer makes sure the attacks happen at a relatively slow pace, infecting systems gradually enough to stay below the thresholds that would raise an alarm. The trojan gets onto a certain number of systems and contains code to update itself from Usenet. When it has infected a server, it posts a Usenet message saying that it is ready and waiting. Meanwhile, the trojan writer keeps count of those posts until they reach a certain number. Once enough systems have been infected, the writer releases an update to the code. That update could be used for distributed denial of service attacks against a number of large targets (CNN? eBay? Amazon? Some government site? Some other institutions). This could take out a number of systems quickly, but what if, instead of limiting itself to a DDoS attack, the trojan kicked off something that combined a DDoS with a full-scale infection of critical systems around the net? Or what if, instead of attacking a web site (or set of web sites), the trojan attacked routers? What if, for example, the attack was aimed at the 13 DNS root servers, as happened in October 2002? This kind of attack is looming over the horizon, I think, and we may not be prepared for the kind of Internet blackout it would create. As more and more business is transacted over the Internet, such an attack could result in millions (if not billions) of dollars lost.

Another scary possibility is what I call the Microsoft infection possibility. Blaster, a worm which hit earlier this month, was designed to flood windowsupdate.com, an address Microsoft used to deliver software updates to Windows machines. This in itself is not a problem, but with Microsoft now talking about automated updating of systems (something they are considering in the wake of the Blaster attack), it could become one. What if someone managed to put a file on the Microsoft update queue that contained a virus or trojan? Granted, Microsoft's reputation would be severely tarnished by such an incident, but the bigger problem would be how to recover from such an infestation once every machine that trusted the update channel had installed it.

Now combine the two scenarios I have highlighted above and you get something even more worrisome. You end up with a virus programmer exploiting Microsoft's automatic update feature as a way to carry a payload that is then used to mount an attack on the rest of the net. First, Windows machines get infected. Then Windows machines get used to take out the rest of the net, impeding everyone.

I have talked about this with a few fellow geeks and many tell me that, in theory, all of it is doable now. However, no one managed to point me to a way to avoid such a problem in the future. Remove Windows? That is the answer many in the anti-Microsoft camp would give, but it is not a realistic one in a world where millions of machines are installed. Avoid automatic updates? Then the smaller viruses and trojans get through and scenario one can still be accomplished. What is the answer? If you know, contact me and I will post a list of answers.
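One check a practitioner would want against the poisoned-update-queue scenario above, and one partial answer to the question of how to keep automatic updates without handing the update channel to an attacker: the client applies an update only when its manifest verifies against a publisher key the client already holds, and that signing key lives on a machine that is not the one serving the queue. Whoever can place a file in the queue then still cannot produce a manifest the client will accept. The Go program below is an added example written for this page; it is not code from the original post and does not describe how Microsoft's update mechanism actually works. The manifest layout, the Ed25519 choice, the field names and the sample package bytes are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the assumed (example-only) record that travels with an update
// package: its version, the SHA-256 of the package bytes, and the publisher's
// Ed25519 signature over version||digest.
type Manifest struct {
	Version uint64
	Digest  [sha256.Size]byte
	Sig     []byte
}

// signedBytes fixes the exact byte string the publisher signs and the client
// verifies, so the two sides cannot disagree about what was covered.
func signedBytes(version uint64, digest [sha256.Size]byte) []byte {
	b := make([]byte, 8+sha256.Size)
	binary.BigEndian.PutUint64(b, version)
	copy(b[8:], digest[:])
	return b
}

// SignPackage runs on the publisher side with a key that never leaves the
// signing machine. Whoever can write to the update queue does not hold it.
func SignPackage(priv ed25519.PrivateKey, version uint64, pkg []byte) Manifest {
	d := sha256.Sum256(pkg)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, signedBytes(version, d))}
}

var (
	ErrBadSignature   = errors.New("update rejected: signature does not verify against the pinned publisher key")
	ErrDigestMismatch = errors.New("update rejected: package bytes do not match the signed digest")
	ErrRollback       = errors.New("update rejected: version is not newer than the installed one")
)

// VerifyUpdate runs on the client before anything is written to disk or run.
// The public key is pinned in the client, not fetched over the same channel
// that delivers the update, so compromising the queue does not replace it.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pinned, signedBytes(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(pkg) != m.Digest {
		return ErrDigestMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// RunScenarios plays out four cases with constructed package bytes: a genuine
// update, a forged one from an attacker who only has queue access, a genuine
// manifest with substituted bytes, and a replay of an older signed version.
func RunScenarios() (legit, forged, swapped, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 1
	v2 := []byte("constructed sample package, version 2")
	m2 := SignPackage(priv, 2, v2)
	legit = VerifyUpdate(pub, installed, m2, v2)

	// Attacker can place files in the queue but does not have the publisher key.
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed sample payload the attacker wants installed")
	forged = VerifyUpdate(pub, installed, SignPackage(attackerKey, 3, payload), payload)

	// Attacker keeps a genuine manifest but swaps in different package bytes.
	swapped = VerifyUpdate(pub, installed, m2, payload)

	// Attacker replays a genuinely signed but older (already installed) version.
	v1 := []byte("constructed sample package, version 1")
	rollback = VerifyUpdate(pub, installed, SignPackage(priv, 1, v1), v1)
	return
}

func main() {
	legit, forged, swapped, rollback := RunScenarios()
	fmt.Println("genuine update:  ", legit)
	fmt.Println("forged manifest: ", forged)
	fmt.Println("swapped package: ", swapped)
	fmt.Println("replayed version:", rollback)
}
```

The version check matters as much as the signature: without it, an attacker with queue access could re-serve an older, genuinely signed package that still carries a known hole, which is exactly the kind of hole scenario one relies on. This does not answer the rest of the post's question, since a signed channel does nothing about a compromised signing machine or about holes that are never patched, but it does close the door on an unsigned file dropped into the queue.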

Originally published on August 27, 2003 in Technology.