Something has been bugging me about the whole SoBig.F incident, and I believe it has more to do with the self-congratulatory messages from the people who eradicated most of it than with the virus itself. In a way, the virus is a clear representation of where things are headed. Back in 2001, I heard about a virus called Hybris. The virus was among the first of a new breed: a self-updating virus that could grab more information from Usenet and therefore modify itself. A related article I wrote for the now defunct Planet IT concluded with a worrisome quote from a hacker I interviewed:
This is a great tool to learn new ways to propagate a payload. New variants of this will come out, and I think that within six months, Hybris and its kids could be the most widespread Trojan making the rounds.
Later that year, Code Red became the most widespread virus in recent history. I am now afraid to say that, with SoBig.F, we are seeing a merger of those two paths into something that could become very scary.
Humor me for a second and follow me down a few little dystopias.
A trojan writer (and I will not go into the motivations of those people, as they are as varied as the motivations for programming) decides to write a trojan that attacks servers in the same way Code Red did. However, the writer makes sure that the attacks happen at a relatively slow pace, infecting systems slowly over time. That trojan gets onto a certain number of systems and contains code to update itself from Usenet. When it has infected a server, the trojan posts a Usenet note saying that it is ready and waiting. Meanwhile, the trojan writer keeps count of those notes until they reach a certain amount. Once the needed number of systems has been infected, the trojan writer releases an update to the code. That update could be used for distributed denial of service attacks against a number of large targets (CNN? eBay? Amazon? Some government site? Some other institutions?). This could take out a number of systems quickly, but what if… what if, instead of just limiting itself to a DDoS attack, the trojan kicked off something that combined a DDoS with a full-scale infection of critical systems around the net? Or what if, instead of attacking a web site (or set of web sites), the trojan attacked routers? What if, for example, the attack was directed against the 13 core domain name servers, as happened a year ago? This kind of attack is looming over the horizon, I think, and we may not be prepared for the kind of Internet blackout it would create. As more and more business is transacted over the Internet, this kind of attack could result in millions (if not billions) of dollars lost.
Another scary possibility is what I call the Microsoft infection possibility. Blaster, a virus which hit only a week ago, was designed to take down windowsupdate.com, the site Microsoft uses to update software on Windows machines. This, in itself, is not a problem, but with Microsoft now talking about automated updating of systems (something they are considering in the wake of the Blaster attack), it could become one. What if someone managed to put a file on the Microsoft update queue that contained a virus or trojan? Granted, Microsoft’s reputation would be severely tarnished by such an incident, but the bigger problem would be how to recover from such an infestation.
Now combine the two scenarios I’ve highlighted above and you get something even more worrisome. You end up with a virus programmer exploiting Microsoft’s automatic update feature as a way to carry a payload that is then used to launch an attack on the rest of the net. First, Windows machines get infected. Then Windows machines get used to take out the rest of the net, impeding everyone.
I’ve talked about this with a few fellow geeks, and many tell me that, in theory, all of it is doable now. However, no one has managed to point me to a way to avoid such a problem in the future. Remove Windows? That’s the answer many in the anti-Microsoft camp would give, but it is not a realistic one in a world where millions of machines are installed. Avoid automatic updates? Then the smaller viruses and trojans get through, and scenario one can still be accomplished. What is the answer? If you know, contact me and I’ll post a list of answers.