Battling the Internet parasites

Traditionally, we have classified hostile code in three categories, each based upon the behavior of the code. The Melissa Virus and the Love Bug Worm changed everything. They are harbingers of the evolution of malware in the world of the Internet.

The cover article on the August 2000 issue of Discover magazine was about parasites. The headline caption read, "...parasites not only control the behavior of their hosts, they can change entire ecosystems to suit their needs". In reading the article I was struck by the similarities between the lifecycle behavior of parasites in the natural world and those of the recent rash of viruses, worms and Trojans in the computer industry.

Traditionally we have sorted hostile code into three categories, viruses, worms and Trojan horses, each defined by how the code behaves. The Melissa virus and the Love Bug worm changed everything; they are harbingers of how malware is evolving in the world of the Internet. With the advent of scripting and component technologies such as Visual Basic (the VBA macros and VBScript that Melissa and the Love Bug were written in), ActiveX and Java, the ability to connect, communicate and interoperate has improved as never before.

Simultaneously, the ability to spread, degrade, and destroy with malware has proliferated too. With this proliferation, the strict lines of definition between the various types of hostile code have been all but erased. Viruses, worms and Trojans now carry similar or overlapping characteristics.

Evolution of the 'information ecosystem'
The once independent stand-alone networks of yesterday no longer exist. They have evolved into the Internet, a world of global connectivity and global risk. When virus writing was young, networks were small, isolated clusters, and each lived in its own sphere, like species in dissimilar habitats.

The Internet shrank the electronic world, creating one network out of many independent hosts. Dissimilar worlds, regardless of hostility or intent, now reside within one information ecosystem. Stand-alone independence has been replaced with interdependent trust, and the desire for interoperability has meant an upward shift in the ability of malware to degrade larger numbers of unique hosts. My network is now at greater risk because your network is connected to it, particularly when our security policies and practices are divergent. Because of the growth of this new interconnected Information Ecosystem, the evolution of malware in recent years has been parasitic. Hostile code is no longer limited to specific arenas of behavior. Like the natural world it mimics, hostile code has evolved along with the global network on which it now resides. Just as each new strain of virus or bacteria has grown in potency and resistance to immunity, so has malware evolved in its level of power and danger.

Although labeled a virus during its outbreak in 1999, the Melissa virus was actually more like a parasite. It arrived as a Word document whose macro ran when the document was opened, and the original strain carried a payload that did nothing more than propagate itself to other hosts and networks. In electronic terms, this behavior was more worm-like than virus-like. It did not damage or destroy user files; it merely consumed resources by e-mailing itself to the first fifty entries in each victim's Outlook address book, again and again, until it had overwhelmed and crashed the mail servers of its host network.

The Love Bug [also known as 'I Love You' and the Love Letter worm] has been called both a virus and a worm, because its behavior mimicked both. It arrived as a VBScript attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, mailed itself to every entry in the victim's Outlook address book, and overwrote image and script files on the victim's disk with copies of itself. It could technically also be considered a Trojan horse, as could any attachment that behaves in a way its recipient did not intend when launching it. This is particularly true of code that exploits trust relationships, as when you receive Melissa or the Love Bug from someone who has you in their address book. Unlike Melissa, however, the Love Bug operated with hostile intent, destroying files and damaging systems with callous efficiency.

In the natural world, parasites invade their hosts and consume what resources they require, typically skipping from one to another. Oftentimes, this results either in degradation or destruction. Yet in nearly every case the parasite controls the host, making it do its bidding until it is ready to move on. This often results in the death of the host.

The Sacculina parasite, for example, is a barnacle that invades its host, a crab, and castrates it so that the host's energy goes into the parasite's reproduction rather than its own. The world of the Internet has provided us with electronic counterparts of the parasites found in nature. The Love Bug, Melissa, Hybris and CIH are examples of hostile code that invade, degrade and eventually destroy their hosts. In yesterday's world of the sneakernet, signature file antivirus [AV] was a bold and effective solution. It gave users and administrators a solid, reasonably efficient way to defend their networks against hostile code that spread, for the most part, by floppy disk. This is no longer the case.

The Internet has caused an evolutionary change on many levels, from the speed at which malware can proliferate to how widespread the damage can be. Releasing a virus in the pre-Internet era was like releasing a polio victim on a steamship: the person carried a disease that was new only to some, and most were either already vaccinated against it or could be before the ship reached its next port days later. Today, the release of hostile code into the wild is more like releasing Ebola into Times Square at rush hour. Transmission is far more immediate, and the effect far more disastrous.

Signature file AV was never designed to be proactive. Like a law enforcement agency, it was designed to respond and clean up the mess once something bad had already happened, and it can only recognize what has already been seen and catalogued. Although it remains good at cleaning up the mess to this day, a truly proactive approach is needed to find and eradicate the new parasites, the "unknown malware". As with parasites in the natural world, it is not the known we fear today, but the unknown.

Signature file AV also carries heavy maintenance overhead because it must be updated so frequently. Where a new virus once made its way into the wild monthly or quarterly, new strains of parasites now attack the Information Ecosystem almost daily, and as our reliance on this ecosystem grows, so will that rate.

Just as viruses, worms and Trojans have evolved into parasites, our AV defenses must evolve to meet and beat them. Some companies are now shipping behavior-based AV, which watches what code does on the host (mass-mailing, overwriting files, tampering with system settings) rather than matching what the code looks like against a signature file.
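To make the contrast concrete, here is an added example, written for this page and not code from the article or from any AV vendor. It models the two approaches with constructed data: a signature scanner that knows one hypothetical byte pattern for a macro mailer, and a behavior monitor that watches a constructed process event log for the mass-mailing and mass-overwrite patterns described above for Melissa and the Love Bug. The signature names, macro fragments, process names, event format and thresholds are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque

# ---- Signature scanning: matches known byte patterns only ----------------
# Hypothetical demo signature, not a real AV signature. It keys on the exact
# macro entry point seen in the "known" sample.
SIGNATURES = {
    "Demo.MacroMailer.A":
        rb"Sub Document_Open\(\).{0,200}?CreateObject\(\"Outlook\.Application\"\)",
}

def signature_scan(blob: bytes, signatures=SIGNATURES) -> list:
    """Return the names of signatures found in an attachment's bytes."""
    return [name for name, pat in signatures.items() if re.search(pat, blob, re.S)]

# ---- Behavior monitoring: sliding window over what a process does --------
# Event tuple: (time_in_seconds, process_name, action, detail)

def behaviour_scan(events, window=60.0, mail_threshold=20, overwrite_threshold=10):
    """Flag processes that, inside any `window`-second span, mail a large number
    of distinct recipients or overwrite many files. The code's bytes are never
    inspected, so a renamed or rewritten variant is caught the same way."""
    by_proc = defaultdict(list)
    for t, proc, action, detail in sorted(events, key=lambda e: e[0]):
        by_proc[proc].append((t, action, detail))
    verdicts = {}
    for proc, acts in by_proc.items():
        reasons = set()
        mails, overwrites = deque(), deque()
        for t, action, detail in acts:
            if action == "mail_send":
                mails.append((t, detail))
                while t - mails[0][0] > window:      # drop events outside the window
                    mails.popleft()
                if len({rcpt for _, rcpt in mails}) >= mail_threshold:
                    reasons.add(f"{mail_threshold}+ distinct recipients within {window:.0f}s")
            elif action == "file_overwrite":
                overwrites.append((t, detail))
                while t - overwrites[0][0] > window:
                    overwrites.popleft()
                if len(overwrites) >= overwrite_threshold:
                    reasons.add(f"{overwrite_threshold}+ files overwritten within {window:.0f}s")
        if reasons:
            verdicts[proc] = sorted(reasons)
    return verdicts

# ---- Constructed samples (not real malware) ------------------------------
KNOWN_MACRO = (b'Attribute VB_Name = "ThisDocument"\r\n'
               b'Sub Document_Open()\r\n'
               b'Set o = CreateObject("Outlook.Application")\r\n'
               b'End Sub\r\n')
# Same behavior, different entry point and variable name: the signature misses it.
VARIANT_MACRO = (b'Attribute VB_Name = "ThisDocument"\r\n'
                 b'Sub Document_Close()\r\n'
                 b'Set app = CreateObject("Outlook.Application")\r\n'
                 b'End Sub\r\n')

def mass_mail(proc, start, count, step=0.1):
    """Constructed burst of `count` mail_send events to distinct recipients."""
    return [(start + i * step, proc, "mail_send", f"contact{i}@example.com")
            for i in range(count)]

EVENTS = (
    mass_mail("winword.exe", 10.0, 50)          # macro mailing 50 address-book entries
    + mass_mail("wscript.exe", 100.0, 40)       # script attachment mailing itself
    + [(100.0 + i * 0.05, "wscript.exe", "file_overwrite", f"C:\\pics\\{i}.jpg")
       for i in range(30)]                      # ... and overwriting image files
    + mass_mail("outlook.exe", 500.0, 3)        # a person sending three messages
)

def demo():
    """Run both detectors over the constructed samples and return the verdicts."""
    return {
        "signature_known": signature_scan(KNOWN_MACRO),
        "signature_variant": signature_scan(VARIANT_MACRO),
        "behaviour": behaviour_scan(EVENTS),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the example makes is the one the paragraph makes: the signature scanner catches the sample it was written for and silently passes a trivially altered variant, while the behavior monitor flags both the macro host and the script host on what they did, and leaves the human's three messages alone. Real products tune the thresholds and watch many more actions than two, but the shape of the decision is the same.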

One stand out among these, Indefense's Achilles' Shield product [www.indefense.com], has been the only product I have found to stop unknown malware cold, right out of the box. Where the traditional products have failed, most notably during the Melissa and Love Bug outbreaks, my systems were protected and remained operational. Behavior-based AV is, in my opinion, the evolutionary answer to the proliferation of parasitic code.

Tomorrow: A world of parasites
As each new generation of malware has been developed, it has continued to blur the lines between the classic hostile code definitions. This trend has been driven by the world's thirst for more bandwidth and connectivity. As those factors increase, and as the software built to support them continues to treat security as an afterthought, malware will continue to evolve along its current parasitic lines, and the potency and proliferation of the code will increase with it.

Just as signature file anti-virus is no longer a viable defense on its own against hostile code, the restrictive and often inaccurate definitions of that code need to be revisited as well.

Today's malware should be reclassified under the umbrella term 'Parasite'. The behavioral tendencies of such code may vary within the family, but the circumstances of the new Information Ecosystem have merged three families of hostile code into one. Because viruses now behave like worms or Trojans, and because malware can spread across modern networks with no more help than a recipient opening an attachment, hostile code should be reclassified to match the trends of the time and the industry.

Robert Bagnall is the Director of Advanced Programs for Veridian's Critical Infrastructure Protection Sector. He has been involved with government and commercial infrastructure defense for over a decade, and is currently involved with several agent-based network protection efforts. He lives and works in the Washington, DC area.