Interesting post by Bruce Schneier on comp.risks
Chip Morningstar
chip@communities.com
Thu, 17 Jun 1999 09:46:39 -0700 (PDT)
Bruce Schneier has posted an interesting commentary on the
worm.explore.zip email worm. He almost-but-not-quite gets from the
ordinary commentator's "how can we stop this problem" to the more
interesting position of "why is this problem even possible?", almost
but not quite. Responding to this looks to me like an ideal
opportunity to spread the capabilities gospel, but I just don't have
the time this week. Anybody feel inspired today?
Date: Tue, 15 Jun 1999 16:48:25 -0500
From: Bruce Schneier <schneier@counterpane.com>
Subject: Risks of e-mail borne viruses, worms, and Trojan horses
Looking back from the future, 1999 will have been a pivotal year for
malicious software: viruses, worms, and Trojan horses (collectively known as
"malware"). It's not more malware; we've already seen thousands. It's not
Internet malware; we've seen those before, too. But this is the first year
we've seen malware that uses e-mail to propagate over the Internet and
tunnel through firewalls. And it's a really big deal.
Viruses and worms survive by reproducing on new computers. Before the
Internet, computers communicated through floppy disks. Hence, most
viruses propagated on floppy disks, and sometimes on computer bulletin board
systems (BBSs).
There are some obvious effects of floppies as a vector. First, malware
propagates slowly. One computer shares a disk with another which shares a
disk with five more, and over the course of weeks or months a virus turns
into an epidemic. Or maybe someone puts a virus-infected program on a
bulletin board, and thousands get infected in a week or two.
Second, it's easy to block disk-borne malware. Most anti-virus programs can
automatically scan all floppy disks. Malware is blocked at the gate. BBSs
can still be a problem, but many computer users are trained never to
download software from a BBS. Even so, anti-virus software can
automatically scan new files for malware.
And third, anti-viral software can easily deal with the problem. It's easy
to write software to block malware you know about. You simply have the
anti-virus scanner search for bit strings that signify the virus (called a
"signature") and then execute the automatic program to delete the virus and
restore normalcy. This deletion routine is unique per virus, but it is not
hard to develop. Anti-viral software has tens of thousands of signatures,
each tuned to a particular virus. Companies release them within a day of
learning of a new virus. And as long as viruses propagate slowly, this is
good enough. My software automatically updates itself once a month. Until
1999, that was enough.
What's new in 1999 is e-mail propagation of malware. These programs -- the
Melissa virus and its variants, Worm.ExploreZip worm and its inevitable
variants, etc. -- arrive via e-mail and use e-mail features in modern
software to replicate themselves across the network. They mail themselves
to people known to the infected host, enticing the recipients to open or run
them. They don't propagate over weeks and months; they propagate in
seconds. Anti-viral software cannot possibly keep up.
And e-mail is everywhere. It runs over Internet connections that block
everything else. It tunnels through all firewalls. Everyone uses it.
It's easy to point fingers at Microsoft. Melissa uses features in Microsoft
Word (and variants used Excel) to automatically e-mail itself to others, and
Melissa and Worm.ExploreZip make use of the automatic mail features of
Microsoft Outlook. Microsoft is certainly to blame for creating the
powerful macro capabilities of Word and Excel, blurring the distinction
between executable files (which can be dangerous) and data files (which,
before now, were safe). They will be to blame when Outlook 2000, which
supports HTML, makes it possible for users to be attacked by HTML-based
malware simply by opening an e-mail. Microsoft set the security
state-of-the-art back 25 years with DOS, and they have continued that legacy
to this day. They certainly have a lot to answer for, but the meta-problem
is more subtle.
One problem is the permissive nature of the Internet and the computers
attached to it. As long as a program has the ability to do anything on the
computer it is running on, malware will be incredibly dangerous. Just as
firewalls protect different computers on the same network, we're going to
need something similar to protect different processes running on the same
computer.
This cannot be stopped at the firewall. This type of malware tunnels
through a firewall using e-mail, and then pops up on the inside and does
damage. So far the examples have been mild, but they represent a proof of
concept. And the effectiveness of firewalls will diminish as we open up
more services (e-mail, web, etc.), as we add increasingly complex
applications on the internal net, and as crackers catch on. This
"tunnel-inside-and-play" technique will only get worse.
And anti-virus software can't help much. If a virus can infect 1.2 million
computers (one estimate of Melissa infections) in the hours before a fix is
released, that's a lot of damage. What if the code took pains to hide
itself, so that a virus won't be discovered for a couple of days? What if a
worm just targeted an individual; it would delete itself off any computer
whose userID didn't match a certain reference? How long would it take
before that one is discovered? What if it e-mailed a copy of the user's
login script (most contain passwords) to an anonymous e-mail box before
self-erasing? What if it automatically encrypted outgoing copies of itself
with PGP or S/MIME? Or signed itself; signing keys are often left lying
around the system. Even a few minutes of thinking about this yields some
pretty scary possibilities.
It's impossible to push the problem off onto users with "do you trust this
message/macro/application" messages. Sure, it's unwise to run executables
from strangers, but both Melissa and Worm.ExploreZip arrive pretending to be
friends and associates of the recipient. Worm.ExploreZip even replied to
real subject lines. Users can't make good security decisions under ideal
conditions; they don't stand a chance against a virus capable of social
engineering.
What we're seeing here is the convergence of several problems: the
permissiveness of networks, interconnections between applications on modern
operating systems, e-mail as a vector to tunnel through network defenses and
as a means to spread extremely rapidly, and the traditional naivete of
users. Simple patches won't fix this. There are some interesting
technologies on the horizon that try to mimic the body's own immune system
to automatically deal with unknown malware, but I am not very optimistic
about them. Sure they'll catch some things, but it will always be possible
to design malware specifically to defeat the immune systems. A large
distributed system that communicates at the speed of light is going to have
to accept the reality of viral affections at the speed of light. Unless
security is designed into the system from the bottom up, we're constantly
going to be fighting a holding action.
Melissa:
http://www.zdnet.com/zdnn/stories/news/0,4586,2233116,00.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2234121,00.html
Worm.ExploreZip
http://www.zdnet.com/zdnn/stories/news/0,4586,2274306,00.html
http://www.wired.com/news/news/politics/story/20160.html
http://www.symantec.com/press/1999/n990614d.html
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
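Added example, not part of Chip Morningstar's message or Schneier's post: a toy version of the signature scanning Schneier describes above (search each file for a fixed byte string that identifies a known sample, then act on the match). The signature names, patterns and attachment contents are constructed for the illustration and are not real malware patterns. The second attachment differs from the known sample by one byte, which is enough to show why a signature database only stops what it already knows about and why the update cycle matters once propagation takes seconds rather than weeks.

```python
"""Toy signature-based scanner (added example; all data below is constructed)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # fixed byte string that identifies one known sample


# Constructed signature database. A real scanner ships tens of thousands
# of these, each tuned to a particular sample, and adds new ones as
# vendors learn of new malware.
SIGNATURES: list[Signature] = [
    Signature("Example.KnownWorm", b"MAIL-SELF-TO-ADDRESSBOOK-v1"),
    Signature("Example.KnownMacro", b"AUTOOPEN:SHELL"),
]


def scan(data: bytes, signatures: list[Signature] = SIGNATURES) -> list[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [sig.name for sig in signatures if sig.pattern in data]


def scan_attachments(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a set of attachments (file name -> bytes); detections per file."""
    return {name: scan(body) for name, body in attachments.items()}


def quarantine(attachments: dict[str, bytes]) -> list[str]:
    """Names of attachments that matched a signature and should be held back."""
    return [name for name, hits in scan_attachments(attachments).items() if hits]


# Constructed attachments. "attachment_b.exe" is a variant of the known
# sample with a single byte changed in the marker, so the fixed signature
# misses it even though its behaviour would be the same.
ATTACHMENTS: dict[str, bytes] = {
    "report.doc": b"...ordinary document text...",
    "attachment_a.exe": b"header..MAIL-SELF-TO-ADDRESSBOOK-v1..payload",
    "attachment_b.exe": b"header..MAIL-SELF-TO-ADDRESSBOOK-v2..payload",
}


if __name__ == "__main__":
    for name, hits in scan_attachments(ATTACHMENTS).items():
        verdict = "DETECTED " + ", ".join(hits) if hits else "clean"
        print(f"{name}: {verdict}")
    print("quarantined:", quarantine(ATTACHMENTS))
```

Running the block reports attachment_a.exe as detected and attachment_b.exe as clean; the gap between those two results is the window Schneier is describing, and closing it requires either a new signature from the vendor or a control that does not depend on recognising the sample at all.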