/v3-uk/news/1944064/bugwatch-malware-comes-age
17 Jan 2005, Dr Jeremy Ward, risk consultant, Symantec UK, V3
Each week vnunet.com asks a different expert to give their views on recent security issues, with advice, warnings and information on the latest threats.
This week Dr Jeremy Ward, risk consultant at Symantec UK, warns that something important has been taking place in the malware-writing community.
It is 20 years since Fred Cohen introduced the term 'computer virus' to the security literature in his 1984 paper Computer Viruses: Theory and Experiments. Since then the term has been used as a catch-all for other types of malicious code (malware), such as worms and Trojan horses.
But is 'virus' an appropriate term for a piece of software? To answer that we need to ask what a biological virus and its software counterpart have in common. The 'virtual' virus is clearly very different in nature from the biological one, but there are some similarities.
The strongest resemblance, and the one that originally led to the word 'virus' being applied to malicious code, is that neither can reproduce outside the system it infects: a biological virus needs a host cell, and a computer virus needs a host program or system to execute it.
So malware, like a virus, is definitely a parasite, but is it a successful one? There are three characteristics that demonstrate success in a parasite: its ability to spread rapidly and effectively; its ability to infiltrate a host's defences and avoid rapid destruction; and its ability to extract valuable resources from its host.
With the development of the macro virus, the mass-mailing virus and, more recently, network worms that infect a machine directly through a vulnerable service without any email being opened, malware has shown its ability to spread rapidly and effectively. It has also learned to mutate, using polymorphic techniques to change its own code from one infection to the next so that signature-based antivirus scanners no longer recognise it.
More recently, various strains have gone further, attempting to terminate antivirus processes and to block access to security vendors' websites (typically by mapping the vendors' hostnames to an unreachable address in the system hosts file), so that the infected machine can neither clean itself nor fetch updated signatures. Malware is therefore now able to evade its host's defences and avoid destruction.
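The hosts-file trick described above leaves a simple artefact a defender can check for. The following is an added example, not code from the original article or from Symantec: it parses hosts-file text and reports any security-vendor hostname pinned there, distinguishing a 'sinkhole' (mapped to an unreachable address) from a 'redirect' (mapped to any other address, which may belong to the attacker). The list of watched domains, the sinkhole ranges and the sample hosts file are all assumptions constructed for the example.

```python
"""Audit a hosts file for hijacked security-vendor domains.

Added example, not code from the original article: malware that blocks
access to antivirus vendors' sites commonly does so by mapping the
vendors' hostnames to a loopback or unroutable address in the system
hosts file. The functions below parse hosts-file text and report any
watched hostname that is pinned there at all.
"""
import ipaddress
import platform

# Vendor domains to watch: an assumed list for this example, not the
# article's. Tailor it to the products actually deployed.
WATCHED_DOMAINS = (
    "symantec.com", "norton.com", "mcafee.com", "sophos.com",
    "kaspersky.com", "trendmicro.com", "windowsupdate.com",
)

# Address ranges that make a name unreachable when used in the hosts file.
SINKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def is_sinkhole(addr):
    """True if addr is an address that makes the name unreachable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in SINKHOLE_NETS)


def find_hijacks(text):
    """Return [(address, hostname, kind)] for every watched hostname pinned in
    the hosts file, kind being 'sinkhole' or 'redirect'. A vendor site has no
    business being in the hosts file at all, so both kinds are findings."""
    hits = []
    for addr, name in parse_hosts(text):
        if is_watched(name):
            hits.append((addr, name, "sinkhole" if is_sinkhole(addr) else "redirect"))
    return hits


# Constructed sample hosts file: the last three entries are what an
# infection of the kind described above leaves behind (192.0.2.44 is a
# documentation-only TEST-NET address standing in for an attacker host).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
10.0.0.5    intranet.example.internal   # legitimate local entry
127.0.0.1   liveupdate.symantec.com
0.0.0.0     www.mcafee.com download.mcafee.com
192.0.2.44  update.sophos.com
"""


def hosts_file_path():
    """Assumed default location of the live hosts file on Windows or Unix."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


if __name__ == "__main__":
    for addr, name, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"{kind:8s} {name} -> {addr}")
    # To audit the running machine instead of the sample:
    # with open(hosts_file_path(), encoding="utf-8", errors="replace") as fh:
    #     print(find_hijacks(fh.read()))
```

Run against the sample, the script reports three sinkholed names and one redirect. On a live machine a redirect finding deserves the same attention as a sinkhole: an attacker who can write the hosts file can just as easily point the vendor's update host at a server of their own.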
However, historically there has been no clear mechanism by which malware could extract value from its hosts. That changed in 2004, taking malicious code to a new peak of evolution as a successful parasite.
It would be fair to say that most end users see a computer virus as something that disrupts operations or destroys data. Without obvious signs of an infection, many users will assume that they have avoided it.
However, with today's evolved malware the real threat is in the bits and bytes that go unnoticed. Indeed, the last three years have seen non-destructive strains rise from essentially zero to as much as 20 per cent of all malware instances. The trend is statistically very significant, and it indicates that something important has been taking place in the malware-writing community.
As with biological parasites, the most successful computer counterparts are those that lie dormant until roused by an external stimulus. 'Backdoor' malware is of this type: once installed it does nothing visible, but waits for instructions from outside. It has become an increasingly significant phenomenon over the past three years, and there are now at least 50 new backdoor malware strains every six months.
If malware is becoming less destructive, and opening more backdoors, then it is fair to wonder about the motivation of its authors. Malware writers have never been known for their public-spirited activity, so if they are electing not to directly harm our systems there must be something else in it for them.
During 2004 the purpose of backdoor infections has become increasingly clear. For each backdoor that is introduced, an attacker potentially acquires a controllable asset, or 'bot'. As their number grows, these bots can be networked into a 'botnet' that represents a massive resource in terms of its collective computing power and bandwidth.
A piece of successful malware can potentially give a hacker a botnet consisting of thousands of 'zombie' computers. Over the first six months of 2004, the number of computers in botnets rose from under 2,000 to more than 30,000.
Having acquired such resources, hackers can turn them to financial advantage in a number of ways. One established approach is to sell or rent the botnet to spammers as a means of sending junk mail: because each message leaves from a different, previously clean machine, IP address blacklists are bypassed. Another is to extort money from e-commerce companies by threatening denial of service attacks that a botnet army can launch.
Recently we have seen a supply chain emerging. Botnet 'herders' will pay hackers for the botnets they have assembled. Such herds can then be sold to organised criminals for spamming and extortion purposes. The ability of today's malware to 'feed' from infected systems means that we can now call computer viruses truly effective parasites.
It is also worth noting that, since malware can now make money for those who create and exploit it, the threat is greater than it has ever been. The entry of market forces into the world of malware has the potential to take it to realms at which we can only guess.
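A bot that waits for instructions has to keep in touch with its controller, so a botnet of the kind described above tends to show up in a network's outbound connection logs as many internal hosts all reaching the same external address and port. The following is an added example, not code from the original article or from Symantec, of that fan-in check run over constructed log lines. The key=value log format, the internal address ranges, the threshold and the sample records (including the use of port 6667, a common IRC-based command channel of the period) are all assumptions made for the example.

```python
"""Flag candidate botnet command-and-control endpoints in connection logs.

Added example, not code from the original article. For each external
(destination, port) pair it counts how many distinct internal hosts
made a connection and reports the pairs above a threshold.
"""
from collections import defaultdict
import ipaddress
import re

# Assumed log format, constructed for this example: one outbound
# connection per line as key=value fields. Adapt LINE_RE to the firewall
# or proxy actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

# Address space treated as 'inside'; an assumption for this example.
INTERNAL_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))


def is_internal(addr):
    """True if addr falls inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def fan_in(lines):
    """Map each external (dst, dport) to the set of internal hosts that contacted it."""
    table = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record: skip rather than abort the sweep
        _, src, dst, dport = rec
        if is_internal(src) and not is_internal(dst):
            table[(dst, dport)].add(src)
    return table


def suspect_endpoints(lines, min_hosts=3):
    """Return [(dst, dport, distinct_internal_hosts)] for endpoints contacted by
    at least min_hosts distinct internal hosts, largest fan-in first. The
    threshold is an assumption; scale it to the size of the network."""
    hits = [
        (dst, dport, len(srcs))
        for (dst, dport), srcs in fan_in(lines).items()
        if len(srcs) >= min_hosts
    ]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


# Constructed sample: three workstations all reaching one external host on
# port 6667, ordinary web traffic, an internal DNS lookup that must be
# ignored, a repeat connection that must not be double-counted, and a
# malformed line.
SAMPLE_LOG = """\
2005-01-17T09:00:01 src=10.0.0.11 dst=198.51.100.7 dport=6667
2005-01-17T09:00:03 src=10.0.0.12 dst=198.51.100.7 dport=6667
2005-01-17T09:00:04 src=10.0.0.11 dst=203.0.113.5 dport=80
2005-01-17T09:00:09 src=10.0.0.13 dst=198.51.100.7 dport=6667
2005-01-17T09:00:10 src=10.0.0.11 dst=198.51.100.7 dport=6667
2005-01-17T09:00:12 src=10.0.0.12 dst=203.0.113.9 dport=80
2005-01-17T09:00:15 src=10.0.0.14 dst=203.0.113.5 dport=80
2005-01-17T09:00:16 src=10.0.0.13 dst=10.0.0.1 dport=53
this line is not a connection record
""".splitlines()


if __name__ == "__main__":
    for dst, dport, n in suspect_endpoints(SAMPLE_LOG):
        print(f"{dst}:{dport} contacted by {n} internal hosts")
```

With the default threshold only 198.51.100.7:6667 is reported. Fan-in on its own also flags popular legitimate services (a mail relay, a software-update mirror), so in practice known destinations are allowlisted and a hit is corroborated by the regularity of the connections before anyone acts on it.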