Much has been written about virus threats and the new “blended”
viruses. One thing is for sure – so far we have got off lightly. If there
ever is a deliberate and concentrated attack by a computer virus it will turn
out to be a Killer!
THE KILLER VIRUS?
For a start it will not necessarily be a virus. The attack will come in the
form of a blended attack; this is where a combination of virus, worm and/or
Trojan is used. It will probably start life as a worm, since it will almost
certainly be spread directly from computer to computer, but it will almost certainly
also have virus and Trojan elements. The attack will change during the course of
the life of the malware so that at times it may be pure worm and at others a
In the case of the “killer virus” we are looking at a combination
of code that will be particularly devastating. Since we are looking at a combination
of virus, worm and Trojan, we will refer to
this particular form of attack as the killer “virus”.
Why killer? The simple answer is that any virus that knocks out a large proportion
of computers in a country as dependent on IT as the UK will almost certainly
kill people. Hospital systems, emergency services, offices, factories, traffic
systems and airports may all be affected. The cost in economic terms will be
enormous, but the cost in human terms is hard to estimate. If the support systems
of a hospital were taken out of action, the impact could be disastrous. If patient
notes were unavailable people would suffer and in some cases, die.
By the nature of malware, this paper has to be speculative but it is based
on a study of a large number of malware attacks and also looks at the mentality
of the current breed of terrorist. I am therefore confident in the general description
of the way that the attack will take shape and how it will be started. What
I can’t know is the full impact of the attack, since this will depend
on the security of the computers of the country. However, if past attacks are
anything to go by, it will have a major impact across all computing departments,
both public and private sector.
The precise form that the attacking program will take will vary but it will
almost certainly use a newly discovered vulnerability in the Windows operating
system. Then it will use a combination of valid features to hide itself and
to operate. It could be that the terrorists will design and test their code
and then wait for a new vulnerability to be announced in the hacker newsgroups
and strike before many of the country’s computers are protected.
It will make full use of standard facilities found in the most popular operating
systems (such as XP). In particular, it will be using valid code and program
code in combination so that it will be hard to detect. If there is specifically
written program code involved in the attack, it will be designed so that it
mimics non-malicious activity as far as possible and is therefore hard to detect.
The code is also likely to be a combination of malware types such as virus and
worm. These “blended” attacks are becoming increasingly common because
they rapidly increase the rate of spread of the malware.
A point to remember here is that up to now viruses have been badly written
and “buggy”. How do you test a virus in the wild? If you plan the
attack carefully and have unlimited funds to test the infection rate and capability,
then a fully “quality assured” virus could be devastating.
Even if the infection were suspected it would be extremely hard to detect since
the main part of the attacking code could be “valid”. While it is
simple to dismiss the “valid” code idea as impractical, remember
that a large proportion of the viruses released will use standard facilities
in Microsoft Outlook or Outlook Express to propagate. Because the method of
propagation is “valid” it is not easy to prevent the code from propagating
without also removing standard facilities in these e-mail systems.
It is arguable that many virus writers will not release potentially devastating
code into the wild because of the damage that would be done. Perhaps the risk
of getting caught means that the “payload” is relatively benign.
However, a terrorist group, particularly if they were associated with Al-Qaida,
would not consider the outcome to be any reason for not releasing such code.
Another consideration is the use of code that “evolves” or “morphs”
so that there is not a single virus to detect. Evolving code has been used in
a small way with some of the existing malware but the Killer Virus will make
much more use of constantly changing code so that any examples of the code that
were found would only represent a small proportion of the infected computers
in the world. Because the code changed, it would take much longer to remove
than if there were a single form of the program.
The main problem with evolving code is that some forms will have a different
code footprint or perhaps behaviour pattern and will therefore be detected at different
times and in different ways. What this means is that there will be a number
of false hopes as the anti-virus writers begin to make headway and announce
that they have an antidote, only to find the attack come back with renewed
There is one final point to bear in mind. Some virus writers design their code
so that they “own” it and can control it. Their main objective is
to gain notoriety as the author within their own circle. If, for some reason,
they need to end an attack, they can always release information to help kill
off the attack. The killer virus is not designed to be detected and bring fame
or satisfaction to the author, therefore it will not be given any limits. It will
not be designed to last for a given amount of time, or to be limited in the
type of computers that it attacks.
While conventional virus writers may well include tests so that they do not
take out a medical system or an air-traffic control computer, the terrorists
will do no such thing. They will try to bring “The West” to its
knees and, at least in theory, it is easier than you may well believe to do
If we were to go back 30 years and remove the computers from society, there
would be little impact outside of the major multi-national companies and large
Government installations. Now we are in a position where virtually every company
would stop working. The transport systems, food distribution, gas and electric
supplies along with the supplying of garages would all fail. The water companies,
the sewage works, hospitals, doctors, chemists, air-traffic systems and harbour
control computers would all be in the frame. Even if all of the Government systems
were designed to withstand such an attack (and I can’t imagine why they
would), the country would virtually grind to a halt.
Am I painting a black picture? Well I hope so, since I am almost certainly
understating the true scale of the problem. We no longer live in a society where
the local farmer takes his or her produce to a market to be sold to the local
shops. Almost everything we eat moves on a global scale. Without the IT Infrastructure,
the entire food distribution process would fall apart.
There is no manual backup for these systems; they are far too complex. We are
completely reliant on the computerised systems for our very existence. Don’t
think there will merely be food distribution problems. There will be no food, no water
or fuel. We are simply not equipped to cope without the IT systems. And while
it is true to say that we could learn to do so, we couldn’t learn to do
it quickly enough to save society from near melt-down. We simply have to have
a plan B to deal with this potential problem.
We (as a nation) have spent billions of pounds preparing for and countering
a nuclear threat. We now need to spend a small amount of money to ensure that
this most devastating of weapons can’t be developed, since we will have
the technology ready to defeat it.
HOW WILL IT BE RELEASED?
It will initially be released into the Internet and given a few days or even
a couple of weeks to propagate. The release phase of the virus is particularly
dangerous for the attacker as it is vital from their point of view that they
are not arrested. If they were traced back from the original infection, as often
happens with an e-mail release, the code and all of the research that went with
it will be lost to the terrorists and available to the authorities.
This would mean that the anti-virus companies would be able to attack the killer
virus based on its original design. Given the resources that they would
be able to pump into such a counter-attack, the anti-virus companies would win.
It is therefore vital from the terrorists’ point of view that they are able to
infect the Internet with a virus that we can’t trace back to its
source. Fortunately for the terrorists and unfortunately for us, they are able
to do this with less effort than you may imagine.
It is most likely that the initial release of the code will take place in a
large city, or several cities. What they are most likely to do is to search
for wireless access points, such as those provided by some cafés,
train stations, airports and shopping centres. The terrorist will not even need
to go into the building. By using a wireless-enabled laptop, he will not need to log on to
a particular computer and will almost certainly be able to avoid any CCTV systems
that may be operating in the building.
This means that he will be able to release the code directly into a vulnerable
computer and let that start the propagation. Having done that, he will move
on to the next access point and infect that. Any computers that are protected
will simply repel the code, and the attacker will again move on to the next.
It is reasonable to expect that in the course of a day, one terrorist will be
able to infect upwards of 70 computers. Given that the attack will not be obvious
at this stage, he could easily move from city to city spreading the code.
During this phase of the attack, the virus will probably not attack using all
the power of the computer. If it were to do this, someone would notice the virus
and report it to one of the anti-virus vendors, and the
code might well be destroyed before it could do serious damage.
Assuming that it can remain hidden during the propagation phase there are a
number of options open to the programmer. He may choose to split the attack
into groups of IP addresses, so that he gets the maximum propagation of the
virus. Remember that any computer that is connected to the Internet is addressable
by any other computer. The nature of the Internet means that you can either
talk to the whole world OR you can choose to talk to a part of it.
An Internet Protocol (IP) address indicates the country that the computer is
connected in. By splitting the attack into countries, the attacker will know
the time-zone of the victim machines. This means that the terrorists can choose
to attack a single country, or group of countries. Now, IP-based location is
not completely foolproof, but it is about 99.5% accurate. What this means is that
the terrorist can divide the attacks into countries, so that an attack that
is aimed at infecting a range of IP addresses can use the location of
each address either to target a country or to omit it.
While there are very few “friendly” countries as far as Al-Qaida
is concerned, there may be other reasons to split the attack. A terrorist may
wish to “try” a new virus without giving away the secret of a new
exploit. If this were the case, the terrorists would probably want to limit
the range of the attack. They may even remove the virus after a while, or give
it a life of just a day or two so that when the test had been completed, the
virus will simply disappear.
If such a “trial run” were to be launched, the anti-virus companies,
the IT security companies and the governments of the world will have to be extremely
vigilant if they are to recognise the warning. They will then have anything
from a few days to a few weeks (if they are lucky) to counter the coming attack.
WHAT FORM WILL THE ATTACK TAKE?
Given that the terrorists will be aiming for maximum impact, it is reasonable
to assume that they will arrange for the attack to start at the same time. Not
at the same “clock-time”, as this will stagger the attack, given
the number of time-zones in the world. The terrorist will arrange for the attack
to start at the same “staggered” time so that all of the major computer
systems in the world will fail at the same time.
Of course, not all computer systems will fail, since no virus will affect all
operating systems equally. The chances are that they will attack the Microsoft
Windows operating systems and, in all probability, the NT/2000/XP range of operating
With such a co-ordinated attack many companies will simply cease to function.
Even if the affected companies have a mix of computer systems, it is most likely
that their desktop computers will be running Microsoft Windows.
Many companies will have a disaster recovery plan that involves either restoring
or re-imaging PCs, or maybe acquiring new PCs to rebuild. If the
majority of your PCs are dead then you have nothing to re-image from.
If everyone is in the same position then you have a very limited number of new
machines in warehouses or shops to acquire.
HOW LONG WILL IT LAST?
The attack will last as long as the designer of the attack can arrange for
it to last. Given that the virus will have had a number of days to spread and
infect as many computers as possible before turning into the full-scale attack,
the whole purpose of the attack is to have the maximum impact for as long as
We have to assume that if the virus is able to evolve, even if the main attack
is defeated, the attack may well be able to resume. The business
community will bear a heavy price in the course of the attack. The other problem
that we (as representatives of “The West”) face is that the attack
will go far beyond business.
As stated earlier, medical systems will almost certainly be seriously impaired,
as will computers running traffic management systems. Rush-hour
traffic will be affected, as will emergency services attempting to do their duty.
While military systems should not be affected, any deployment of troops will
be severely impacted if the roads are grid-locked. The same will be true of
any companies that are unaffected by the virus. They will still have serious
problems if their staff are unable to get into the office.
If you think about the number and range of activities that would be affected
by such an attack, it is easy to understand that it will not be a simple or
quick matter to remove such an infection. If the virus is a blend of attack
types and is largely making use of standard facilities then it will have the
potential to withstand a single removal attempt. It will have the ability to
keep re-infecting systems long after the original code has been neutralised.
WHAT WILL THE IMPACT BE?
The impact on business will be devastating. Many companies use large mainframe
computers to store their databases on, but even if the main computer systems
of the company are not affected, the chances are that the staff who use LAN-based
Wintel devices will not be able to connect to them.
Most companies run Microsoft Windows for their main customer-facing systems,
and if these are attacked, there will be few of the major companies that will
be able to function. Bear in mind that many companies will use Unix-based servers
for their Internet service, and these will almost certainly not be affected
by such an attack, but any systems that the employees use will almost certainly
not be working.
Of course, we are looking at a worst-case scenario but given the nature of
the enemy and the fact that the whole of Western society is their target, it
is wise to assume that they will attack with as much impact as possible.
It is not an exaggeration to say that if Al-Qaida had understood how devastating
the attack on the World Trade Centre was going to be, they would still have
gone ahead with their murderous plans. It is therefore wise to assume that any
cyber-based attack will have a massive and far-reaching impact. The only option
is to have a fall-back position so that if this attack were to happen, we (society
in general that is) will be in a position to defeat it.
There is one guiding principle in business, and in IT in particular. You don’t
EVER have a single point of failure. You would never build an IT department
to use a single massive computer; you would design your systems so that you
use two smaller machines. You don’t have a single phone line, you have
Auditors, regulators, accountants, IT security departments and business continuity
experts will scour companies looking for single points of failure and remove
them. Yet almost every company in the world has a single point of failure in
the operating system of its main office systems. Even the companies that
use large servers and mainframes will still be using off-the-shelf Microsoft
operating systems and office products to connect to the main computers.
Of course, Microsoft products are popular for a reason: they are good. But from
a disaster-control perspective, this is a massive risk.
Copyright – Mike Lee & Brian Hitchen / www.homepc-security.com