Comment The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However...
The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors.
No, I'm not referring to any generic, run-of-the-mill email virus that requires a user to first click on yet another executable attachment. The authors of Beagle/Bagel, Netsky, Mydoom and Erkez/Zafi should hang their hats, head down into their dark basement dwellings, and get back to work. Their latest variants released this year can barely stifle a yawn.
The best viruses are the ones that use new, novel propagation techniques that really work. Forget social engineering. Yes it still works, and yes it will always work, but it's also an excruciatingly boring way to target only the lowest of the low-hanging fruit. Just because a new virus variant was able to trick my Aunt Fern into clicking on it doesn't mean it's novel, innovative, or even interesting. I can tell my Aunt Fern a thousand times not to click on that attachment, and mark my words: one day, she's not going to click on it. Her action sets the virus in motion. Click, infection. Action, reaction. These are topics that she can conceptually understand.
Viruses that spread without human intervention are called worms, of course. These are a little harder to explain to the public at large. But worms have been having a tougher time lately, as personal firewalls become more commonplace (think XP SP2), home routers become the norm, and most Windows systems have automatic updates turned on. Old worms continue to crawl the Internet, infecting and reinfecting a few million unpatched machines, but the fact is that there hasn't been a major outbreak in quite some time. A long time ago I tried to explain the concept of a worm to my Aunt Fern, and even when she stopped squirming, I'm not sure if she was able to understand.
No warning, no notification, no noise at all
Try to explain to an average user about web-based virus droppers that install backdoors and worms via a browser, however. These average users are people that SecurityFocus readers typically support, people found everywhere in corporations, government, and in homes around the world. They visit a website (either directly, via a search engine, or via a simple link sent in an instant message) and ten minutes later a backdoor has been installed on their machine. No warning, no notification, no noise at all. Should I tell my Aunt it's no longer safe to click on web links? Give me a break.
Think this won't happen? Imagine the response when a high profile website (or its ad server) is compromised... the opportunity will appear again.
Getting infected via the web makes me feel like I'm in grade school again. The Web and web browsers are now the perfect place for virus writers to find new ways to infect a fully patched, firewalled machine. After all, it's a lot easier to find unpatched, exploitable holes in Internet Explorer than it is to automate your way through a personal firewall. Once inside, it's much easier to call home, download updates, and then start to spread. Isn't it great that Internet Explorer is now a part of the operating system?
While I've written about it before, the infamous CoolWebSearch family of malware is still my favorite of these malicious creations, because it's still very current, very nasty, and it's the clearest example of how you can easily get a virus-backdoor-trojan-worm (your choice) installed through your browser. Just click on a web link using Internet Explorer.
Since these "droppers" commonly exploit known and unpatched vulnerabilities, they are continually updated and enhanced (and are still extremely difficult to remove). As a virus dropper, it's an easy way to deliver and install an even nastier virus of someone's choosing. Basically, your users can still visit a website with a fully patched machine that allows for the download and execution of arbitrary code. Without user interaction (and no, I don't consider clicking on a web link to be "user interaction," thank you very much). Try to explain that one to Aunt Fern.
Many people in the security community look at viruses now with disinterest, because our defense-in-depth strategy makes us feel protected. As virus writers find new infection vectors that use a browser, however, your big investment in multi-layered security starts to look woefully ineffective. Think web based infection vectors. I think I've found my favorite virus (well, virus family) after all.
Kelly Martin has been working with networks and security for 18 years, from VAX to XML, and is currently the content editor for Symantec's independent online magazine, SecurityFocus.