20 Oct 2000
With the global costs to corporates already running to billions of dollars, the destructive, wasteful nature of rampant, network-aware viruses such as Love Bug and Melissa is becoming plain to see.
The world already contains some 56,000 cyber viruses with others being spawned all the time. Computer users are trying to guess where this malevolent twist to the creative impulse will go next. What can we expect from the next generation of virus writer, and how dangerous are these next generation attacks likely to be?
One obvious answer, given the anticipated boom in wireless mobile devices, is that in future personal digital assistants (PDAs) and wireless phone users can expect to come under the same sort of sustained attack as today's desktop PC users.
Eric Chien, chief researcher at antivirus specialist Symantec, points out that the proliferating number of data-enabled wireless mobile devices, from PDAs to mobile phones, already constitutes an inviting target for any virus author who judges the success of his/her virus by the number of units it manages to infect.
"Today you can get a virus like the Love Bug on to millions of PCs. At some point in the future, you may well be able to get a virus to infect not just millions but billions of devices," he says.
From bad to worse
Although the first viruses have already appeared for the Palm OS - three at the time of writing this feature - and one for a well-known mobile phone, it is likely that the real onslaught on the mobile device is still some way off.
Once enough members of the virus writing community have easy access to a particular platform, viruses will begin to appear. Software developer kits are now much more available for the Palm OS and are becoming more widely available for the Epoc operating system.
Once they have access to the tools and to the platform, a section of the virus writing guild is bound to find the temptation to expand their field to the mushrooming new world of wireless devices too much to ignore.
Until all these devices are ubiquitously linked, the idea of attacking them will be inherently unattractive to many virus writers. The ability to have their creation propagate and spread like wildfire seems to be what motivates the virus writer. Killing single devices without the virus being able to leap from the target to a large number of other devices is not in itself seen as providing much sport.
"The most successful viruses don't just attack, they propagate," comments Simon Perry, vice president of security solutions at CA. "While it is theoretically possible for anything that executes code to be attacked, we are probably not going to see viruses leap into consumer electronics or household goods for a very long time."
What concerns Perry is the virus or worm that combines a destructive payload with very clever social engineering. As Chien points out, email systems can't be infected without human intervention.
Because virus writers have to get users to initiate actions, such as opening an email attachment, before their malicious code can be executed, they have to try to manipulate the user. Hence Love Bug with its appealing subject line, which engineers the response that the virus writer needs.
No accident
Anyone who remembers a couple of viruses, known as Kakworm and Bubbleboy, which executed if you simply read your email or highlighted a subject heading without opening any attachment, might query Chien's point. However, he argues that these viruses made use of a flaw in Microsoft Outlook, which was known and fixed with a patch before the viruses even appeared. Only email systems that had not deployed the patch were vulnerable.
"It is no accident that email systems are not vulnerable per se, without human intervention," says Chien. "If we wrote email systems to automatically open attachments, they would all be vulnerable without any human intervention.
"We know that it makes sense not to do this. We can say with confidence today that you can't get a virus just by reading your email - provided you are running the latest versions of Outlook."
The weak link
What this means is that the weak link in the chain, the most easily manipulated element, remains the human user - and this is likely to remain true in the device world as well, as we move on to next-generation viruses.
Chien is not overly concerned about the possibility of completely new virus attacks appearing out of the blue. There are two reasons for this. First, although there has been an exponential increase in viruses over the last decade, most tend to be variations on a theme. Entirely new concoctions are rare, since they take deep skill and specialist knowledge.
Second, one of the more solid truths in this game is that the virus writers follow technology, they don't lead it. This means that the antivirus community generally tends to be able to predict in broad outline where the next threats are likely to materialise.
Chien points out that it is already obvious to antivirus specialists that corporates are soon going to be issuing PDA-type devices to their executives much as they issue mobile phones today. It is also clear that when this point is reached, virus attacks on devices are going to skyrocket.
However, the expectation - fulfilled so far by the three existing Palm OS viruses - is that viruses aimed at these new platforms will deploy known types of attack. The reason that antivirus vendors were able to respond so rapidly with antidotes for the Palm OS virus is that they had already anticipated likely attacks and had templates for the basic patterns used.
Chien argues that while the consequential costs to companies of virus attacks on the new digital era could be huge - lost business opportunities, cost of replacement and cleaning and so on - the likelihood of people suffering physical harm from viral attacks is, at this stage, slim to vanishing.
"PCs and devices that can be attacked do not tend to be in safety critical areas. The lack of trust that people still have in computer-based and device-based transactions is simply a sign of how dissociated and remote we still are from our devices. Obviously, the more these things get integrated into the fabric of our lives, the more vulnerable we will start to become," he argues.
While it is theoretically possible for virus writers to move beyond PCs and devices to attack virtually any chip-driven system, the opportunities for attacks on embedded processors or network chipsets and operating systems are now very restricted.
Cyber warfare
The greater threat will probably come from some kind of dedicated cyber warfare team which deliberately sets out to cause disruption through a combination of social engineering (to gain access, passwords, arcane compiler skills and the like) and virus/worm/Trojan attacks on key systems.
Even then, there are probably easier routes to cause disruption. Today, it is far easier to crash essential public-facing systems through massive denial of service attacks for example.
Various organisations in the US have carried out substantial work into the potential for cyber warfare attacks. While many of these attacks have been security-orientated - focusing on breaching security perimeters, for example, rather than virus driven - outside consultants have achieved some stunning successes, such as being able to access a seaborne destroyer's PCs from a land-based system.
"What is most worrying at the moment is that while developed countries like the UK have a decisive military superiority over developing countries, cyber warfare has the potential to level the playing field," says Perry.
"Take 10 hackers with laptops. Put them in a room anywhere in the world with good broadband connections and you can get them attacking power generation installations, hospitals, emergency services, banks and so on. There are real problems in defending against this kind of attack as we go forward, and viruses will obviously be one of the more dangerous tools in the cyber warfare specialist's kitbag."
Hacking and viral attacks may seem like two distinct activities, but once hackers gain download access to a target system, they can drop any file they please into it. This includes back-door access programs, password sniffers or various types of destructive worm. Once a virus has been implanted, ferreting it out can be hard work, particularly if the effects are not obvious and the pattern is new.
The most dangerous viruses are not the ones that nuke all the data immediately. In most cases people will have back-ups, new systems can be put in place and 95 per cent or so of the damage is repairable, albeit at a cost.
Subtle changes
A far worse infection is where the virus goes in for 'data diddling', that is to say, where it simply changes the odd byte or bit here and there. Knocking a corporation's quarterly revenue figure down from £1bn to £100m would be a good example.
Even worse would be subtle changes throughout the data that gradually distort the entire financial reporting structure until everything is out of whack. The problem with data diddling is that if it is done gradually, it could take the user organisation a long while to discover that it has an infection. Meanwhile, it may well have gone through its entire back-up cycle, and have no clean data left to use as a recovery point.
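The two failure modes above, a single figure quietly altered and a backup rotation that ages out the last clean copy, are the ones a defender most wants to catch early. The following Python example is added here and is not code from the article or from any vendor it quotes. It keeps a keyed per-record integrity manifest (HMAC-SHA256) for a constructed mini-ledger, flags records whose value no longer matches, and simulates a fixed-depth backup cycle to show how a delayed detection leaves no verifiable recovery point. The ledger, the key and the record names are constructed for the demonstration.

```python
"""
Detecting 'data diddling' (silent byte-level edits) with a keyed, per-record
integrity manifest, and checking which backup generations still verify.

Added example, not from the original article. All data below is constructed.
"""
import hashlib
import hmac
import json

# Constructed sample: quarterly revenue figures, stored in pence.
CLEAN_LEDGER = {
    "Q1-revenue": 1_000_000_000_00,   # £1bn
    "Q2-revenue": 980_000_000_00,
    "Q3-revenue": 1_020_000_000_00,
}

# Constructed key. The point of keying the manifest is that the key is kept off
# the host holding the data, so a process that can edit the data cannot also
# re-sign the manifest to cover its tracks.
MANIFEST_KEY = b"constructed-demo-key-keep-off-the-data-host"


def canonical(record_id, value):
    """Stable byte encoding of one record, so equal records always hash equal."""
    return json.dumps([record_id, value], separators=(",", ":")).encode()


def tag(record_id, value, key=MANIFEST_KEY):
    return hmac.new(key, canonical(record_id, value), hashlib.sha256).hexdigest()


def build_manifest(ledger, key=MANIFEST_KEY):
    """Per-record tags. A manifest is small, so many generations can be retained."""
    return {rid: tag(rid, value, key) for rid, value in ledger.items()}


def verify(ledger, manifest, key=MANIFEST_KEY):
    """Return the sorted ids of records that were changed, added or removed."""
    bad = set()
    for rid, value in ledger.items():
        expected = manifest.get(rid)
        if expected is None or not hmac.compare_digest(expected, tag(rid, value, key)):
            bad.add(rid)
    bad.update(set(manifest) - set(ledger))      # records deleted since baseline
    return sorted(bad)


def diddle(ledger, record_id, new_value):
    """Simulate the attack described in the text: alter one figure, leave the rest intact."""
    tampered = dict(ledger)
    tampered[record_id] = new_value
    return tampered


def clean_recovery_points(snapshots, manifest, generations, key=MANIFEST_KEY):
    """
    Simulate a fixed-depth backup cycle. `snapshots` is the ledger as captured at
    each backup run, oldest first; only the last `generations` copies are kept.
    Returns the indices (within the kept set) of copies that still verify.
    """
    kept = snapshots[-generations:]
    return [i for i, snap in enumerate(kept) if not verify(snap, manifest, key)]


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_LEDGER)
    tampered = diddle(CLEAN_LEDGER, "Q1-revenue", 100_000_000_00)   # £1bn -> £100m
    print("changed records:", verify(tampered, manifest))
    # Tampering occurred after backup 0; the next four backups copy the bad data.
    history = [CLEAN_LEDGER] + [tampered] * 4
    print("clean copies with 3 generations kept:", clean_recovery_points(history, manifest, 3))
    print("clean copies with 5 generations kept:", clean_recovery_points(history, manifest, 5))
```

The manifest is verified against each backup as it is taken, not only against live data, so a tampered figure is caught at the next backup run rather than after the rotation has discarded the last clean copy. Retaining the manifest (which is tiny) for far more generations than the data itself gives a trustworthy reference even when every retained data copy is already bad.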
Because of the tight coupling between viral threats and hacking threats (each can pave the way for the other), antivirus vendors are now focusing as much on the infrastructure as on the end-user device.
Raj Panesar, a product manager with Trend Micro, argues that the new model for virus protection is explicitly infrastructure-based, and that this model can only gain in power as the device age gains momentum.
"What we are seeing with new age viruses such as Melissa and Love Bug, is the power of the worm-based virus. Trojan technology is also huge. Both these things have huge implications for network systems, so you need a raft of security strategies. These will include intrusion detection, data tracking and management reporting capabilities as well as antivirus protection to maintain network and systems security."
The first mobile phone virus provided a great insight into both the strengths and weaknesses associated with attacking cheap wireless devices. Someone found a loophole in Short Message Service (SMS), the text-based messaging service offered by many mobile phone network providers around the world.
This message string caused the mobile phone to hang once the message had been received, effectively killing the device. What makes the mobile phone vulnerable to this is that the manufacturers have 'opened' it to some extent, so that users can download customised ringing tones, special graphics and so on. The SMS message exploits hooks into the equivalent of the phone's BIOS and renders it permanently unusable thereafter.
"In essence, this is just a repeat of the well-worn theme: the more functionality you give to a device, the more vulnerable it becomes," notes Panesar.
Virus writers face some severe challenges in shrinking today's large PC-based virus patterns down to the kind of payload size that can be handled by the low chip and memory capabilities of GPRS mobile phones.
However, once we move to true 3G telephony with the potential for an always-on model and higher bandwidth (the mythical 2Mbit/s promised by some UMTS 3G vendors), the chances of infection are bound to increase dramatically.