Malware's tangled roots


The federal government's computer networks are, collectively, the single largest target in the world. And within the government, Defense Department systems are the most aggressively pinged: the Global Information Grid, the military's primary electronic conduit for secure and unclassified network traffic, gets scanned millions of times a day.

Of even greater concern than the volume of attacks is their origin. Of the attacks not originating from the United States, the attempted intrusions come from China and other countries that are, if not exactly enemies, fierce competitors.

Webroot Software Inc. of Boulder, Calif., issues a quarterly report on the geographic launch points of several classes of malware, such as worms, viruses, Trojan horses and key loggers, fired against systems all over the world.

The company currently does not cross-reference attacks with their targets, so there is no way to track the geographic source of attacks against DOD. But as the largest target, DOD more than likely is bearing the brunt of these international raids.

And the source of the attacks is shifting. Historically, the largest numbers have come from within the United States. But the percentage of domestic-based attacks has been dropping, and in the first quarter of this year, China-based sites became the single largest source, continuing a trend. In the fourth quarter of 2005, China was second in volume, behind the United States; in the third quarter, China was third, behind the U.S. and the Russian Federation, according to Webroot.

'My sense is there are times that they [China] retrench, they regroup, then get ready for a new attack,' said David Moll, Webroot's chief executive officer.

By contrast, attacks from the Russian Federation have been dropping: from 17.5 percent in the third quarter, to almost 4 percent in the fourth quarter, to just under 2 percent in the first quarter of this year.

Gerhard Eschelbeck, Webroot's chief technology officer, is quick to point out that tracing malware back to a server in a particular geographical location does not necessarily mean it was launched from that country, only that security measures may be lax there.

But Lt. Gen. Michael Maples, director of the Defense Intelligence Agency, said in a written statement to the Senate Armed Services Committee in February that nation-states represent the biggest threat to U.S. national security.

'The Chinese PLA [People's Liberation Army], for instance, is striving toward a[n] ... information warfare capability. Many other nations are using computer network operations for intelligence collection,' he said. 'Over the last few years, hackers have exploited thousands of DOD systems. Attribution has remained elusive with identities established in only a few cases.'

But there are clues contained in malware that might uncover their real origins.

Companies in the business of protecting IT systems have looked at thousands of unique viruses, worms, Trojan horses and key loggers, and have seen these clues.

'You can kind of tell when an engineer graduated from college or who they studied by the way they write their code,' said David Minton, chief scientist at Planning Systems Inc. of Reston, Va., and chief engineer of the Worldwide Consortium for the Grid, an initiative sponsored by the Office of the Secretary of Defense. 'You can tell what kinds of things they learned by how they solved their problems.'

Chet Hosmer, chief executive officer and chief scientist of WetStone Technologies of Cortland, N.Y., said that nation-states are likely behind the creation of some of the most sophisticated malware, because of the resources needed to create them.

Garden-variety hackers aren't likely to have the funds or equipment to test a piece of malware across multiple operating systems and platforms.

'It is very difficult for an individual hacker to broadly experiment with a sophisticated, propagating piece of malware, because literally to do that you have to have thousands or tens of thousands of computers running in a network in order to test the weapon,' he said. 'So when worms or other malicious code are released that run very, very well in the Internet environment, that presumes there was a lot of testing.'

He said testing malicious code by using the Internet itself would be a way around this problem, but it also would expose the hackers' methods and intent.

'One thing you're looking for is ... sophistication,' Hosmer said, 'what kinds of tools and technologies were used to write it, the structure and flow of the program. ... Those are relatively easy things to define.'

A second pointer to a piece of malware's origins, he said, is if it uses a component that has been found in other programs, whether it's a specific program structure, a particular attack approach, or the countermeasures built into the malware to evade detection.

A January 2005 unclassified U.S. government report obtained by GCN addressed the growth of a market for software 'wrappers' in China: software to provide a shell around malicious code such as a Trojan horse to help disguise it and enable better penetration into systems.

'Most of the wrapper programs available on Chinese-language Web sites are Chinese versions of wrapper programs that are widely available elsewhere,' the report concluded, but this 'does not necessarily indicate an overall lack of sophistication on the part of Chinese hackers. There is a trend of the increasing use of wrappers in hacking or at least interest among hacker communities. One information security expert noted that there is discussion on [Internet relay chat] channels of how to use wrappers to evade antivirus software and other products.'

Some particularly advanced malware will self-destruct if trapped on a virtual machine, such as a so-called honey pot or honey net. Or the malware may try to destroy the virtual machine itself.

'It has a sense of where it is. It includes software basically designed to evaluate the environment. If the environment appears to be a trap, it will take different actions than if it feels it's running in an unprotected host. That's a pretty significant step forward in the development of malware,' Hosmer said.

The goal of self-destruction seems apparent: to avoid digital analysis. Crashing a machine could accomplish that, too, and has the added benefit that 'if you crash it, systems administrators and operators may just think they had a system crash, rebuild the network and never know what caused it,' Hosmer added.

'They also put mechanisms in place to prevent reverse engineering,' Eschelbeck said. 'It's a pretty scary environment.'
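A defender-side triage step that follows from the environment-evaluating malware Hosmer describes: before a sample is detonated, scan it statically for strings that name VM or sandbox products and for the Windows APIs such checks usually lean on, so the analyst knows the sandbox has to be hardened first or the sample will behave differently than it would on a real host. This is an added example, not code from the article or from any company quoted in it; the indicator table, the API list and the sample bytes are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicator table constructed for this example: printable strings that code checking
# for a VM or sandbox commonly carries, grouped by the environment they point at.
ANTI_ANALYSIS_INDICATORS = {
    "vmware": ["vmware", "vmtoolsd", "vmmouse", "vmhgfs"],
    "virtualbox": ["virtualbox", "vboxguest", "vboxservice", "vboxmouse"],
    "qemu/kvm": ["qemu", "kvmkvmkvm"],
    "sandbox": ["sbiedll", "cuckoo", "wireshark"],
}
# Win32 APIs that environment-aware code usually imports next to the strings above.
SUSPECT_IMPORTS = ["isdebuggerpresent", "checkremotedebuggerpresent",
                   "getsystemfirmwaretable", "ntqueryinformationprocess"]


def extract_strings(blob: bytes, min_len: int = 5) -> list:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return [s.decode("ascii") for s in narrow] + [s.decode("utf-16le") for s in wide]


def find_environment_checks(blob: bytes) -> dict:
    """Map each indicator category to the distinct sample strings that triggered it."""
    hits = defaultdict(set)
    for s in extract_strings(blob):
        low = s.lower()
        for category, needles in ANTI_ANALYSIS_INDICATORS.items():
            if any(n in low for n in needles):
                hits[category].add(s)
        if any(api in low for api in SUSPECT_IMPORTS):
            hits["api"].add(s)
    return {k: sorted(v) for k, v in sorted(hits.items())}


def is_environment_aware(blob: bytes) -> bool:
    """Heuristic verdict: names at least one VM/sandbox product and an inspection API."""
    hits = find_environment_checks(blob)
    return "api" in hits and len(hits) >= 2


# Constructed sample: junk bytes around an ASCII VMware artifact, a UTF-16LE
# VirtualBox driver name and an imported debugger-check API (not a real binary).
SAMPLE = (b"\x00" * 8 + b"MZ\x90\x00" + b"\xcc" * 16
          + b"vmtoolsd.exe\x00\x00" + "VBoxGuest.sys".encode("utf-16le")
          + b"\x00\x00IsDebuggerPresent\x00")

if __name__ == "__main__":
    for category, strings in find_environment_checks(SAMPLE).items():
        print(f"{category:11s} {strings}")
    print("harden sandbox before detonation:", is_environment_aware(SAMPLE))
```

A hit list like this is a prompt to check the analysis VM for the named artifacts (driver names, tool processes) before running the sample, not a verdict that the file is malicious; packed or encrypted samples will hide these strings and need unpacking first.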
