ISW Security Papers Contest
The Evolution of Malicious Agents by Lenny Zeltser on 06/05/05

Lenny Zeltser has submitted the following:

In the context of this paper, a malicious agent is a computer program that operates on behalf of a potential intruder to aid in attacking a system or network. Historically, the arsenal of such agents consisted of viruses, worms, and trojanized programs. By combining key features of these agents, attackers can now create software that poses a serious threat even to organizations that fortify their network perimeter with firewalls.

This paper examines the evolution of malicious agents by first looking at the replication and propagation mechanisms of programs such as the Morris Worm and the Melissa Virus. These programs are effective for illustrating the rate at which malicious agents can spread, as well as for demonstrating the ease with which they penetrate an organization's network defenses.

Next, the paper discusses spying viruses such as Caligula, Marker and Groov, which, after infecting a computer system, report their findings back to their authors. These viruses are limited in that their behavior has to be programmed in advance. They are nonetheless dangerous because they use outbound connections to communicate with their authors and can serve as powerful reconnaissance tools. Because many firewall policies do not restrict outbound traffic such as HTTP and FTP, these viruses are able to stay in contact with their authors even when operating inside an organization that considers itself secured from the outside.

The paper proceeds by analyzing the features and limitations of remotely controlled agents such as Back Orifice and NetBus, as well as of distributed denial-of-service software such as Trinoo and TFN. These programs provide attackers with the ability to issue commands remotely on the infected machine. In addition, distributed denial-of-service programs can coordinate the actions of multiple agents, giving their operators multiple attack launching points. However, current versions of these programs lack the propagation capabilities of viruses and worms, and most firewalls effectively prevent them from accepting commands from the operator, because the controlling traffic is primarily inbound: the agent listens for a connection that a perimeter blocking unsolicited inbound traffic never delivers.

Finally, the paper details the possibility of a new breed of malicious agents that combine propagation capabilities of old-fashioned viruses and worms with the interactivity of remotely controlled agents by using outbound traffic to obtain instructions. In particular, the paper focuses on the RingZero trojan, as an example of an existing malicious agent that already exhibits many of these characteristics.

As a result of this evolution, organizations may face a remotely controlled worm that infiltrates networks via open channels such as e-mail or Web browsing, is controlled via outbound connections such as HTTP and FTP that pass through many firewalls, and has propagation capabilities that maximize its ability to perform an effective distributed attack.
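The agents described above, whether a spying virus reporting home or a worm polling its operator for instructions, both rely on the same property: outbound HTTP or FTP is permitted by the firewall. What the firewall lets through is still recorded by the proxy, and polling on a fixed schedule leaves a recognizable pattern there. The following is an added example, not code from Zeltser's paper or from the contest page: it runs a simple beaconing check over a constructed proxy log, flagging client/host pairs whose inter-connection intervals are nearly constant. The log format, the addresses and the hostnames (cmd.example.net and the others) are constructed for the example, and the thresholds are assumptions to tune against real traffic.

```python
"""Added example: flag periodic outbound polling ("beaconing") in a proxy log.

Egress-permissive firewalls let an agent poll its operator over HTTP or FTP,
but the proxy still logs each request. A fixed polling interval gives a low
coefficient of variation (stddev / mean) across the gaps between requests,
which ordinary browsing rarely shows. Log format, addresses and hostnames
below are constructed for this example, not taken from the paper.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client ip> <method> <host> <status>".
# cmd.example.net is contacted every ~10 minutes (the assumed beacon);
# the other hosts show the irregular pattern of a person browsing.
SAMPLE_LOG = """\
2005-06-05T09:00:00 10.1.2.15 GET www.example.org 200
2005-06-05T09:00:03 10.1.2.15 GET www.example.org 200
2005-06-05T09:00:00 10.1.2.15 GET cmd.example.net 200
2005-06-05T09:10:00 10.1.2.15 GET cmd.example.net 200
2005-06-05T09:20:01 10.1.2.15 GET cmd.example.net 200
2005-06-05T09:29:59 10.1.2.15 GET cmd.example.net 200
2005-06-05T09:40:00 10.1.2.15 GET cmd.example.net 200
2005-06-05T09:50:00 10.1.2.15 GET cmd.example.net 200
2005-06-05T09:02:17 10.1.2.15 GET news.example.com 200
2005-06-05T09:31:40 10.1.2.15 GET news.example.com 200
2005-06-05T09:33:05 10.1.2.15 GET news.example.com 200
2005-06-05T10:15:22 10.1.2.15 GET news.example.com 200
2005-06-05T10:15:23 10.1.2.15 GET news.example.com 200
2005-06-05T10:15:50 10.1.2.15 GET news.example.com 200
"""


def parse_log(text):
    """Group request timestamps by (client, host) for the constructed format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _status = line.split()
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    return sessions


def interval_stats(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) for the gaps between
    consecutive requests, or None when there are too few gaps to judge."""
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return mean(gaps), pstdev(gaps) / mean(gaps)


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return [(client, host, mean_interval_s, cv)] for client/host pairs that
    connect at least min_connections times with nearly constant spacing.
    The thresholds are assumptions for the example, not values from the paper."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            hits.append((client, host, round(mean_gap), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for client, host, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every ~{interval}s (cv={cv})")
```

On the constructed log only the cmd.example.net pair is reported. The check is deliberately narrow: an agent that randomizes its polling interval, or rotates among several hosts, will raise the coefficient of variation and slip past it, so in practice the same statistic is usually computed per client across all destinations and combined with other signals such as request counts outside working hours or connections to hosts nobody else in the organization visits.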

The full paper is available in PDF format.
