Of Worms And Things

Dr. Dobb's Journal December 2003

By Jerry Pournelle

Jerry is a science-fiction writer and senior contributing editor to BYTE.com. You can contact him at jerryp@jerrypournelle.com.

If you think about it, most of the really famous hackers weren't all that sophisticated at computer technology—they were good at talking people into cooperating with them to give them passwords and various other means of access to systems they wanted to access.

Nearly all of the attacks this past August depended on the victim's cooperation, either by opening mail attachments or by not installing security modifications. Alas, there's no patch for the human brain.

Worms generally work this way: Once a computer has been infected by one of these evil programs, the worm uses the infected computer to search for ways to reproduce itself. It does this by causing the infected computer to send out signals looking for other computers to infect. It sends these out by the thousands and tens of thousands, and eventually it finds a machine vulnerable to its attentions. It then infects that machine, and that machine begins to send out probes.

The infection process exploits various defects in the computer's operating system. Microsoft and other OS publishers look for these vulnerabilities and hope to find them before someone else does. Often, they succeed and send out the fix before the worm—or virus—can be released into the wild. In the case of the Blaster and Nachi worms that made the rounds in August, the remedy for the Windows defect had been known and circulated for several weeks (http://www.microsoft.com/security/antivirus/nachi.asp). Nevertheless, many computers—including all the Navy computers in the Pentagon—hadn't had the fix applied, and were not only infected, but began to infect other machines. As a result, many of the government's computers and many, many others owned by both individuals and businesses large and small were infected: The worm was known, the remedy was known, but the government's computer experts—consultants in many cases—either couldn't be bothered or just hadn't got around to applying the fix. The result was chaos, of course.

A Thing of Shreds and Patches

That's Microsoft's version of the story. The other side is that Microsoft sends out dozens of patches and updates, some critical and some trivial. It's no bother for someone like me simply to tell all the computers on my LAN to automatically seek out and download those updates, then tell me they're ready to install at my convenience. Microsoft uses the "drizzle" system for these downloads, sending them at times when nothing much is going on with my LAN and not using up much of my bandwidth, and I hardly notice this activity. If one of those patches breaks something (it has never happened here, but it could), it would be annoying but no disaster: I back up everything important, and incidents like that are grist for the column.

For system administrators responsible for hundreds or thousands of desktop systems, this flood of patches and updates can be a nightmare—not only must the patches be applied to each desktop, but the system must be tested. Administrators worry about this a lot because simply accepting every patch can cause a disaster, too. There are new products coming out to help with generalized protection against some of these Windows exploits, such as Cisco's Security Agent (http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html), but the basic problem of testing/patching/updating remains.

Since last year, there have been weekly and often daily security updates to the Windows operating system. This is in large part because Microsoft was persuaded to take this security matter seriously and to diligently search for holes and vulnerabilities, and its programmers and consultants found a lot of them well before anyone exploited them in the wild. In my judgment, this is greatly to Microsoft's credit, even if it did make life difficult for systems administrators. Better a lot of tedious work than full system shutdowns. The consultants who do the Pentagon desktop management failed utterly in the Sobig.F, Blaster, and Nachi worm attacks.

It's hard to estimate the cost of that shutdown. On the one hand, about 30,000 professionals were unable to do much work. On the other, some used that time to catch up on less urgent tasks that had been accumulating for months. Some took vacation time. It happened in summer during the silly season anyway. It could have been a lot worse.

What we can do is take this as a warning. Were I an intelligence officer of an unfriendly foreign power, I would be studying the incident with a view to developing new tactics to use against the United States. There is increasing evidence that the effects of Blaster and Nachi played a role in the slowness of the power-grid operator responses to the recent North American cascading power outages. A targeted attack could potentially do much more real-world damage.

As a result of all this, UNIX-based systems such as Linux and Apple machines running the FreeBSD-derived OS X are beginning to look more attractive to many. Some say that those systems are just as vulnerable as Microsoft-based systems and that Microsoft is merely a more attractive target for miscreants because of its market share, but there's a bit more to it than that.

UNIX systems are actually more attractive platforms for compromise; if bad actors can hack their way into a machine running Linux or Solaris or any of a dozen UNIX variants, they have a much more powerful system that can be used to launch DoS attacks, snoop for passwords on local networks, and so on. And out of the box, many UNIX systems are, in fact, vulnerable to compromise if left running using their default settings. However, in most UNIX systems, system administrators can actually see everything running on the system, and can shut down or modify the operation of potentially vulnerable services. Whether they do so is another story, but the capability is certainly there, and that isn't always the case with Windows.

Another factor that makes Windows a more attractive target is the number of pervasive programming methods and APIs integrated into the OS itself, which can't be disabled by users. These features are designed to provide cool scripting methods to let applications play well together and do lots of things automatically. But the simple fact is that they weren't designed with security in mind, and when coupled with other, unpatched vulnerabilities, they can spell trouble. Visual Basic for Applications (VBA), ActiveX, Windows Scripting Host, and the like, all offer this type of functionality, but with a cost.

These pervasive APIs aren't generally found in UNIX-based operating systems; a notable exception is AppleScript (http://www.apple.com/applescript/), which, because it is both well designed and sits on top of OS X, simply can't break out of its context and wreak havoc at the superuser level on Apple systems.

My friend Roland Dobbins is a networking security professional and UNIX advocate of more than 20 years standing, and has been Microsoft OS-free since 1999. He uses Slackware Linux (http://www.slackware.com/) and Sun Solaris for his server systems, but has switched to Apple as his primary desktop and laptop provider because, as he puts it, Apple provides the power of UNIX without the administrative overhead. He keeps urging me to check out Apple's PowerBook laptops (http://www.apple.com/powerbook/index15.html). So does Peter Glaskowsky of the Microprocessor Report. It looks as if I'll have to do that.

Finally, if you have any suspicion that your system was infected recently by either Sobig.F or the W32Blaster worm, go to Symantec (http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html and http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html) and follow the instructions. For Sobig.F, there's a test and cleanup program you can download and run. For W32Blaster, things are a bit more complicated, but the procedure is spelled out in detail. I am told it works fine. None of my machines were infected, and although I do a lot of silly things so you don't have to, infecting one of my systems so that I can test detection and removal tools isn't one of them.

Worm Bait

Before a machine can be infected, the evil worm must find the computer. A good router makes your computer invisible to the worm, so even those who hadn't applied the published OS security fix weren't infected. That being the case, how did the government's machines—all safely behind firewalls—get infected?

A router protects all machines behind its firewall; software firewalls, in general, protect only the machine they are running on. Now this isn't entirely true: If you have multiple systems accessing the Internet through one computer running Windows XP and Internet sharing, and the "master" computer is running a good firewall program, all the machines are protected as well as the master system.

In my case, I use the router as a border firewall, and only a couple of critical machines inside my LAN have individual protection. That works for me, but there is a major drawback to having one border firewall router as opposed to individual firewalls on each internal system—the border router can't protect a machine from infections that begin inside the firewall. If someone connects an infected laptop to the LAN, it may—and probably will—infect every machine in that LAN. This can also happen if someone's machine is infected by opening infected e-mail. That's what happened to the Navy.

Even in that case, routers are still useful because worms generally direct outgoing traffic to unusual ports, so a properly configured border router/firewall provides some help by discarding outbound packets generated by the worm.
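The two border-router jobs described in this section (discarding the worm's outbound packets, and noticing a machine that is probing by the thousands from inside the LAN), as an added example that is not code from the column: a Python sketch that applies an outbound allowlist to constructed flow records and separately flags any inside host contacting many distinct addresses on one port, which catches a worm even on a port the allowlist permits. The record format, the allowlist, the sample addresses and the thresholds are all assumptions.

```python
from collections import defaultdict

# Flow records as a border router might log them: (seconds, src, dst, proto, dport).
# Constructed sample data, not from the column: one normal workstation, one inside
# host probing a range on TCP 135 (the Windows RPC port), one doing an ICMP echo sweep.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", "tcp", 80),
    (1, "10.0.0.5", "203.0.113.11", "tcp", 443),
    (2, "10.0.0.5", "203.0.113.12", "udp", 53),
]
FLOWS += [(3, "10.0.0.7", f"198.51.100.{i}", "tcp", 135) for i in range(1, 41)]
FLOWS += [(5, "10.0.0.9", f"198.51.100.{i}", "icmp", 0) for i in range(50, 75)]

# Assumed outbound allowlist: web, mail, DNS and echo requests (icmp/0 is our own
# convention for an echo request here).
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53), ("icmp", 0)}


def egress_filter(flows, allowed=ALLOWED_OUTBOUND):
    """Drop outbound flows whose protocol/port is not on the allowlist.
    This is the 'discard the worm's outbound packets' help the column describes;
    it only works for ports the LAN has no legitimate reason to use."""
    passed, dropped = [], []
    for flow in flows:
        (passed if (flow[3], flow[4]) in allowed else dropped).append(flow)
    return passed, dropped


def detect_scanners(flows, window=10, threshold=20):
    """Flag inside hosts that reach >= threshold distinct destinations with the same
    protocol/port inside one window-second bucket: the mass probing a worm does once
    it is loose, whether or not the allowlist happens to permit that port."""
    buckets = defaultdict(set)
    for ts, src, dst, proto, dport in flows:
        buckets[(src, proto, dport, ts // window)].add(dst)
    hits = {}
    for (src, proto, dport, _), dsts in buckets.items():
        if len(dsts) >= threshold and len(dsts) > hits.get(src, {}).get("targets", 0):
            hits[src] = {"proto": proto, "dport": dport, "targets": len(dsts)}
    return hits


def triage(flows):
    """Combine both checks: count what the allowlist dropped and name the hosts that
    should be cut off the LAN until they are cleaned."""
    _, dropped = egress_filter(flows)
    return {"dropped": len(dropped), "quarantine": sorted(detect_scanners(flows))}


if __name__ == "__main__":
    print(triage(FLOWS))
```

In the sample data the ICMP sweep passes the allowlist but is still caught by the scanner check, which is why the two checks belong together.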

Virus and Worm

The difference between a virus and a worm isn't always clear, but usually involves methods of infection. A worm is sent out and looks for computers to infect. If it finds a vulnerable system, it can infect it without any cooperation (such as opening an infected attachment) from users. However, if your system is properly hidden behind a firewall, the worm can't find you, and if it can't see you, it can't attack you.

A virus, on the other hand, usually comes in the form of an e-mail. Those are also broadcast, but not in the same way as the worm: If the virus sender hits on your e-mail address, your router isn't going to protect you. You'll get the e-mail.

No router can protect you from a virus delivered as an e-mail attachment, and if someone is foolish enough to open that infected attachment, the computer will be infected. Worse, the infection may not be a simple virus: The infection may, in fact, turn your computer into a zombie transmission system for worms. And since your computer is inside your firewall, the worm may get to all the other computers on your LAN—even if that worm is one that your firewall would have blocked had it come from outside. A virus that can mutate into a worm would be rare, but there has been at least one, and I expect to see more of them.

Virus spreaders are getting more ingenious all the time, but some can still be pretty stupid. One of the latest tricks is to send e-mail purporting to be from Microsoft, and warning you to update your security software. The way to do that, it says (in bad English that couldn't possibly have come from Microsoft), is to run the program in the attachment. Of course, that program is a virus. Another method is to tell you that the details are in the attachment. Open the attachment and you've had it.

Another trick is to send you e-mail from a system administrator, telling you that the e-mail you tried to send was rejected. The details are in the attachment; just open it to find out. And once again, wham. You've had it.

Or consider this scenario: A computer belonging to someone who has you in his address book is infected. It generates infected e-mails faking you as the return address and sends them to everyone in the infected system's address book. Those go to systems protected with anti-virus (AV) software that sees this message has a virus. It then sends you a virus warning message—and thoughtfully attaches a copy of the intact virus! Open that attachment and once again, you've had it. You'd think that AV software smart enough to detect the virus would also eliminate it rather than sending it back across the Internet.

Running Riot

Once a virus gets into your system, it may turn into a worm that goes in search of other machines. I'm told that kind of mutation is rare, but I know it exists—there was actually an early case discovered by Dr. Alan Solomon a decade ago. Once a worm is loose inside your firewall, it can infect vulnerable machines without any cooperation on the part of the operator. Since it's inside your firewall, it will get to every other machine in your local network, and local antivirus programs probably won't protect them if it's a new enough virus/worm. If the machine is vulnerable it will be taken over, become a zombie, and start looking for more systems to infect. In the Pentagon's case, nearly all of them were infected, and they had to shut down a number of Pentagon offices.

A virus generally propagates through e-mail: It sends itself to every address it can find in your address book. It may do this several times, each time faking a different return address—yours and addresses it finds in your address book. Thus, you may get e-mail from people you know, with subjects that sound quite reasonable, and a message to the effect that the details are in the attachment. Open the attachment and you've had it.

The moral of that story is simple: Do not open unexpected e-mail attachments, even if they are from people you know. Be darned sure that the purported sender really is the sender who really did send you an attachment.
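The lure patterns described in the preceding sections (the fake vendor update, the fake bounce, the AV warning that re-attaches the virus, and forged local senders), turned into a mail-gateway check as an added example that is not the column's code: a Python triage routine run over constructed messages. The local domain name, the message fields, the sample messages and the rules themselves are assumptions.

```python
import re

# Attachment types that run as programs when double-clicked on Windows.
EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")
LOCAL_DOMAIN = "example.com"  # assumed: this site's own mail domain

# Constructed messages in the shapes the column describes (not real captures).
# "external" means the message arrived over an untrusted connection from outside.
SAMPLES = [
    {"from": "security@microsoft.com", "subject": "Security Update",
     "external": True, "attachments": ["update.exe"]},
    {"from": "postmaster@example.com", "subject": "Undeliverable mail: returned",
     "external": True, "attachments": ["details.pif"]},
    {"from": "antivirus@partner.example", "subject": "Virus detected in your message",
     "external": True, "attachments": ["your_document.scr"]},
    {"from": "alice@example.com", "subject": "Q3 numbers",
     "external": True, "attachments": ["report.pdf"]},
    {"from": "bob@vendor.example", "subject": "Invoice",
     "external": True, "attachments": ["invoice.pdf"]},
]


def triage_message(msg, local_domain=LOCAL_DOMAIN):
    """Return the reasons a gateway would hold this message; empty means deliver."""
    reasons = []
    subject = msg["subject"].lower()
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    exec_files = [a for a in msg["attachments"] if a.lower().endswith(EXEC_EXT)]
    if exec_files:
        reasons.append("executable attachment: " + ", ".join(exec_files))
    # A virus forges local users as the sender; genuine local mail does not arrive
    # from outside (roaming users should submit through an authenticated relay).
    if msg["external"] and sender_domain == local_domain:
        reasons.append("local sender address arriving from outside (likely forged)")
    # Vendors do not ship patches as mail attachments, however official the text looks.
    if exec_files and re.search(r"update|patch|security", subject):
        reasons.append("claims to be a vendor patch delivered as an attachment")
    # A real bounce quotes the original message as text; it never carries a program.
    if exec_files and re.search(r"undeliverable|rejected|returned|delivery", subject):
        reasons.append("bounce notice carrying a program")
    # An AV 'warning' that re-attaches the infected file is the case the column ridicules.
    if exec_files and re.search(r"virus|infected|warning", subject):
        reasons.append("AV warning that re-attaches the suspect file")
    return reasons


def verdict(msg):
    return "quarantine" if triage_message(msg) else "deliver"


if __name__ == "__main__":
    for m in SAMPLES:
        print(verdict(m), "|", m["subject"], "|", triage_message(m))
```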

Mail attachments are, by far, the most common means of virus infection. I keep hearing stories about e-mail viruses that can infect your system through the mail preview panel. These are all secondary stories: people who know people it happened to. I have not yet met anyone who was infected that way. Still, the stories persist, and apparently there was at one time a virus that could infect an older version of Outlook Express through the preview panel. That vulnerability has been fixed.

I don't know of any current preview panel vulnerabilities in either Outlook or Outlook Express, but that leads us to another moral of this story: Keep both your operating system and your Office software updated. Updating and patching Office can be a pain, but updates aren't offered all that often. Check for them and just do it.

There is, of course, the alternative of switching to a Mac- or Linux-based system, or doing what X-COR does—use Office for most work, but forbid the use of Outlook as a mail reader. I'll get to that in another column. Meanwhile, keep your OS, AV, and Office software up to date, be sure your router is stealthing your system, and don't open unexpected mail attachments.

Winding Down

The game of the month is Dark Age of Camelot; at least, that's the one I spent most time with at the time of writing, although I had little time for games at all. There are dramatic new revisions of online games coming and I'm looking forward to them. I did find the new Star Wars game a disappointment: If it were some other universe where you had different expectations, it might have been different, but I didn't really expect to find myself in gorgeous but nearly empty cities watching amateurs sing and dance. The flavor is all wrong, which is a pity.

The book of the month is by Sol Stern, Public School Lessons and the Imperative of School Choice (Encounter Books, 2003; ISBN 1-8935-5407-4). It seems clear enough to me that the U.S. school system is badly broken—20 years ago, the National Commission on Education said, "If a foreign government had imposed this system of education on the United States, we would rightfully consider it an act of war"—but I have very mixed emotions about vouchers and "privatization" of schools. This book makes the best case I have seen for breaking up the public school monopoly, with both positive examples of success in Milwaukee, and negative examples of disasters in the public school systems. It's not intended to be a balanced presentation, but you won't have any problems finding a defense of the public schools.

The computer book of the month is A History of Computing Technology, Second Edition, by Michael R. Williams (IEEE Press, 1997; ISBN 0-8186-7739-2). This book covers everything from ancient Chinese arithmetic and Napier's Bones through the slide rule. Williams spends quite some time on Charles Babbage, both on his life and the calculating machine for which he is famous; until reading this book, I had no idea that Babbage, while an undergraduate at Cambridge, collaborated on a translation of LaCroix's calculus text that was good enough to be the standard English text for half a century! Williams covers the considerable history of mechanical calculating machines, primarily for ballistic and tide tables, preceding the Second World War and the still not entirely unclassified doings at Bletchley Park. The last half of the book is a history of tube, core, and transistor computing (about 1939 through 1964), discussing everything from ENIAC, the Russian Zuse machines, and the Harvard Mark I, to a dozen others like LEO and SAGE. Considering its publisher, Williams unsurprisingly spends considerable time on unusual machine instruction sets (like EDSAC), with diagrams showing logic paths and illustrations of the equipment in question. It's good general reading, too, for those whose personal experience with computers probably started well after punch cards, mercury delay lines, and paper tape.

DDJ