The Killer Virus by Mike Lee & Brian Hitchen on 25/03/04

Much has been written about virus threats and the new “blended” viruses. One thing is for sure – so far we have got off lightly. If there ever is a deliberate and concentrated attack by computer virus it will turn out to be a Killer!


THE KILLER VIRUS?

For a start it will not necessarily be a virus. The attack will come in the form of a blended attack, where a combination of virus, worm and/or Trojan is used. It will probably start life as a worm, since it will almost certainly be spread directly from computer to computer, but it will also have virus and Trojan elements. The attack will change during the course of the life of the malware, so that at times it may be a pure worm and at others a pure Trojan.

In the case of the “killer virus” we are looking at a combination of code that will be particularly devastating. Because we will be looking at a combination of virus, worm and Trojan, we will refer to this particular form of attack as the killer “Virus”.

Why killer? The simple answer is that any virus that knocks out a large proportion of computers in a country as dependent on IT as the UK is will almost certainly kill people. Hospital systems, emergency services, offices, factories, traffic systems and airports may all be affected. The cost in economic terms will be enormous, but the cost in human terms is hard to estimate. If the support systems of a hospital were taken out of action, the impact could be disastrous. If patient notes were unavailable people would suffer and in some cases, die.

By the nature of malware, this paper has to be speculative but it is based on a study of a large number of malware attacks and also looks at the mentality of the current breed of terrorist. I am therefore confident in the general description of the way that the attack will take shape and how it will be started. What I can’t know is the full impact of the attack, since this will depend on the security of the computers of the country. However, if past attacks are anything to go by, it will have a major impact across all computing departments, both public and private sector.

The precise form that the attacking program will take will vary, but it will almost certainly use a newly discovered vulnerability in the Windows operating system. Then it will use a combination of valid features to hide itself and to operate. It could be that the terrorists will design and test their code and then wait for a new vulnerability to be announced in the hacker newsgroups and strike before many of the country’s computers are protected.

It will make full use of standard facilities found in the most popular operating systems (such as XP). In particular, it will combine legitimate operating-system facilities with purpose-written program code, so that it will be hard to detect. If there is specifically written program code involved in the attack, it will be designed so that it mimics non-malicious activity as far as possible and is therefore hard to detect. The code is also likely to be a combination of malware types such as virus and worm. These “blended” attacks are becoming increasingly common because they rapidly increase the rate of spread of the malware.

A point to remember here is that up till now viruses have been badly written and “buggy”. How do you test a virus in the wild? If you plan the attack carefully and have unlimited funds to test the infection rate and capability then a fully “quality assured” virus could be devastating.

Even if the infection were suspected it would be extremely hard to detect since the main part of the attacking code could be “valid”. While it is simple to dismiss the “valid” code idea as impractical, remember that a large proportion of the viruses released will use standard facilities in Microsoft Outlook or Outlook Express to propagate. Because the method of propagation is “valid” it is not easy to prevent the code from propagating without also removing standard facilities in these e-mail systems.

It is arguable that many virus writers will not release potentially devastating code into the wild because of the damage that would be done. Perhaps the risk of getting caught means that the “payload” is relatively benign. However, a terrorist group, particularly if they were associated with Al-Qaida, would not consider the outcome to be any reason for not releasing such code.

Another consideration is the use of code that “evolves” or “morphs” so that there is not a single virus to detect. Evolving code has been used in a small way with some of the existing malware but the Killer Virus will make much more use of constantly changing code so that any examples of the code that were found would only represent a small proportion of the infected computers in the world. Because the code changed, it would take much longer to remove than if there were a single form of the program.

The main problem with evolving code is that some forms will have a different code footprint or maybe behaviour pattern and therefore be detected at different times and in different ways. What this means is that there will be a number of false hopes as the anti-virus writers begin to make headway and announce that they have an antidote, only to find the attack come back with renewed strength.

There is one final point to bear in mind. Some virus writers design their code so that they “own” it and can control it, their main objective being to gain notoriety as the author within their own circle. If, for some reason, they need to end an attack, they can always release information to help kill off the attack. The killer virus is not designed to be detected and give fame and satisfaction to the author, therefore it will not be given any limits. It will not be designed to last for a given amount of time, or to be limited in the type of computers that it attacks.

While conventional virus writers may well include tests so that they do not take out a medical system or an air-traffic control computer, the terrorists will do no such thing. They will try to bring “The West” to its knees and, at least in theory, it is easier than you may well believe to do this.

If we were to go back 30 years and remove the computers from Society, there would be little impact outside of the major multi-national companies and large Government installations. Now we are in a position where virtually every company would stop working. The transport systems, food distribution, gas and electric supplies along with the supplying of garages would all fail. The water companies, the sewage works, hospitals, doctors, chemists, air-traffic systems and harbour control computers would all be in the frame. Even if all of the Government systems were designed to withstand such an attack (and I can’t imagine why they would), the country would virtually grind to a halt.

Am I painting a black picture? Well I hope so, since I am almost certainly understating the true scale of the problem. We no longer live in a society where the local farmer takes his or her produce to a market to be sold to the local shops. Almost everything we eat moves on a global scale. Without the IT Infrastructure, the entire food distribution process would fall apart.

There is no manual backup for these systems, they are far too complex. We are completely reliant on the computerised systems for our very existence. Don’t think there will be food distribution problems. There will be no food, no water or fuel. We are simply not equipped to cope without the IT systems. And while it is true to say that we could learn to do so, we couldn’t learn to do it quickly enough to save society from near melt-down. We simply have to have a plan-B to deal with this potential problem.

We (as a nation) have spent billions of pounds preparing for and countering a nuclear threat. We now need to spend a small amount of money to ensure that this most devastating of weapons can’t be developed, since we will have the technology ready to defeat it.

HOW WILL IT BE RELEASED?

It will initially be released into the Internet and given a few days or even a couple of weeks to propagate. The release phase of the virus is particularly dangerous for the attacker, as it is vital from their point of view that they are not arrested. If they were traced back from the original infection, as often happens with an e-mail release, the code and all of the research that went with it will be lost to the terrorists and available to the authorities.

This would mean that the anti-virus companies would be able to attack the killer virus based on its original design. Given the resources that they would be able to pump into such a counter-attack, the anti-virus companies would win. It is therefore vital from the terrorists’ point of view that they are able to infect the Internet with a virus that we can’t trace back to its source. Fortunately for the terrorists and unfortunately for us, they are able to do this with less effort than you may imagine.

It is most likely that the initial release of the code will take place in a large city, or several cities. What they are most likely to do is to search for wireless access points, such as those provided by some cafés, train stations, airports and shopping centres. By using a wireless-enabled laptop, the terrorist will not need to log on to a particular computer and will not even need to go into the building, so he will almost certainly be able to avoid any CCTV systems that may be operating there.

This means that he will be able to release the code directly into a vulnerable computer and let that start the propagation. Having done that, he will move on to the next access point and infect that. Any computers that are protected will simply repel the code, and the attacker will again move on to the next. It is reasonable to expect that in the course of a day, one terrorist will be able to infect upwards of 70 computers. Given that the attack will not be obvious at this stage, he could easily move from city to city spreading the code.

During this phase of the attack, the virus will probably not attack using all the power of the computer. If it were to do this, someone will notice the virus and report it to one of the anti-virus vendors. If this were to happen, the code may well be destroyed before it can do serious damage.

Assuming that it can remain hidden during the propagation phase there are a number of options open to the programmer. He may choose to split the attack into groups of IP addresses, so that he gets the maximum propagation of the virus. Remember that any computer that is connected to the Internet is addressable by any other computer. The nature of the Internet means that you can either talk to the whole world OR you can choose to talk to a part of it.

The Internet Protocol (IP) addresses show the country that the computer is connected to. By splitting the attack into countries, the attacker will know the time-zone of the victim machines. This means that the terrorists can choose to attack a single country, or group of countries. Now, the IP addresses are not completely fool-proof, but they are about 99.5%. What this means is that the terrorist can divide the attacks into countries, so that an attack aimed at infecting a range of IP addresses can use the location of the IP address either to target or to omit a country.

While there are very few “friendly” countries as far as Al-Qaida is concerned, there may be other reasons to split the attack. A terrorist may wish to “try” a new virus without giving away the secret of a new exploit. If this were the case, the terrorists would probably want to limit the range of the attack. They may even remove the virus after a while, or give it a life of just a day or two so that when the test had been completed, the virus will simply disappear.

If such a “trial run” were to be launched, the anti-virus companies, the IT Security companies and the Governments of the world will have to be extremely vigilant if they are to notice the warning. They will then have anything from a few days to a few weeks (if they are lucky) to counter the coming attack.


WHAT FORM WILL THE ATTACK TAKE?

Given that the terrorists will be aiming for maximum impact, it is reasonable to assume that they will arrange for the attack to start at the same time. Not at the same “clock-time”, as this will stagger the attack, given the number of time-zones in the world. The terrorist will arrange for the attack to start at the same “staggered” time so that all of the major computer systems in the world will fail at the same time.

Of course, not all computer systems will fail, since no virus will affect all operating systems equally. The chances are that they will attack the Microsoft Windows operating systems and, in all probability, the NT/2000/XP range of operating systems.

With such a co-ordinated attack many companies will simply cease to function. Even if the affected companies have a mix of computer systems, it is most likely that their desk-top computers will be running Microsoft Windows.

Many companies will have a disaster recovery plan that involves either restoring or re-imaging PCs or maybe acquiring new PCs to re-build. If the majority of your PCs are dead then you have nothing to re-image from. If everyone is in the same position then you have a very limited number of new machines in warehouses or shops to acquire.


HOW LONG WILL IT LAST?

The attack will last as long as the designer of the attack can arrange for it to last. Given that the virus will have had a number of days to spread and infect as many computers as possible before turning into the full-scale attack, the whole purpose of the attack is to have the maximum impact for as long as possible.

We have to assume that if the virus is able to evolve, even if the main attack is defeated, the attack may well be able to resume. The business community will pay a heavy price in the course of the attack. The other problem that we (as representatives of “The West”) face is that the attack will go far beyond business.

As stated earlier, medical systems will almost certainly be seriously impaired, as will computers running traffic management systems. This will affect rush-hour traffic as well as emergency services attempting to do their duty.

While military systems should not be affected, any deployment of troops will be severely impacted if the roads are grid-locked. The same will be true of any companies that are unaffected by the virus. They will still have serious problems if their staff are unable to get into the office.

If you think about the number and range of activities that would be affected by such an attack, it is easy to understand that it will not be a simple or quick matter to remove such an infection. If the virus is a blend of attack types and is largely making use of standard facilities then it will have the potential to withstand a single removal attempt. It will have the ability to keep re-infecting systems long after the original code has been neutralised.


WHAT WILL THE IMPACT BE?

The impact on business will be devastating. Many companies use large mainframe computers to store their databases on but even if the main computer systems of the company are not affected, the chances are that the staff that use LAN based WinTel devices will not be able to connect to them.

Most companies run Microsoft Windows for their main customer-facing systems and if these are attacked, there will be few of the major companies that will be able to function. Bear in mind that many companies will use Unix-based servers for their Internet service, and these will almost certainly not be affected by such an attack, but any systems that the employees use will almost certainly not be working.

Of course, we are looking at a worst-case scenario but given the nature of the enemy and the fact that the whole of Western society is their target, it is wise to assume that they will attack with as much impact as possible.

It is not an exaggeration to say that if Al-Qaida understood how devastating the attack on the World-Trade Centre was going to be, they would still have gone ahead with their murderous plans. It is therefore wise to assume that any cyber-based attack will have a massive and far-reaching impact. The only option is to have a fall-back position so that if this attack were to happen, we (society in general that is) will be in a position to defeat it.

There is one guiding principle in business and IT in particular. You don’t EVER have a single point of failure. You would never build an IT department to use a single massive computer; you would design your systems so that you use two smaller machines. You don’t have a single phone line, you have two.

Auditors, regulators, accountants, IT security departments and business continuity experts will scour companies looking for single points of failure and removing them. Yet almost every company in the world has a single point of failure in the operating system of its main office systems. Even the companies that use large servers and mainframes will still be using off-the-shelf Microsoft operating systems and office products to connect to the main computers.

Of course Microsoft products are popular for a reason, they are good, but from a disaster control perspective, this is a massive risk.

Copyright – Mike Lee & Brian Hitchen / www.homepc-security.com


All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.