Monday, November 28, 2005

Lesson V - Blended, Not Stirred

Massive military operations such as D-Day are often successful due in large part to their complex attacks from air, land, and sea. Similar invasion methods now thrive in cyberspace, but the enemy is much stealthier than a tank or C-47 bomber.
Blended threats are a relatively new breed of malware (code written for malicious and/or illegal reasons) that is difficult to detect and even harder to thwart. Several of the most devastating Internet-based attacks in recent years used blended tactics to spread infection and cripple computer systems, and because they continue to grow in number and complexity, blended threats are likely to cross your path in one way or another in the near future.

Sunday, November 27, 2005

Blended Threats, Defined

True to their name, blended threats (also known as complex, integrated, or mixed threats) employ a variety of tactics to achieve a goal, whether it’s to simply propagate across the Internet or attack and debilitate computer systems. More often than not, blended threats do intend to inflict damage and, as such, possess the powerful capacity to do so, as shown when recent versatile worms severely affected substantial portions of the Internet by clogging computer systems and networks with their malicious instructions (more about specific malware in a moment).
Today’s blended threats spread quickly and are often difficult to cure because they employ more than one infection method. Mirroring the complexity of the threats themselves, the cleanup involved with blended threats is often intricate and costly. According to Computer Economics, Code Red alone had a worldwide economic impact of $2.62 billion in 2001, and others caused a similar amount of damage.
Because blended threats attack from multiple points, they are generally very efficient and spread more quickly than their single-barreled viral brethren. In fact, Computer Economics estimates that Nimda infected 2.2 million servers and clients in a 24-hour period.
And it’s not just the number of attack methods that makes blended threats so dangerous; it’s also the types of attacks themselves. Some worms feature automated infection abilities that spawn on computers with no user interaction necessary. Also, blended threats tend to assail little-known security holes in software, a practice hackers (savvy computer users who break into systems with the intent to cause damage or access information for illegal purposes) popularized. This combination of traditional virus activity and hacker behavior often creates a lethal package capable of penetrating supposedly secure computer systems around the globe.

Saturday, November 26, 2005

Massive Force

Some blended threats use just a few attack methods to spread their infection and inflict damage, whereas others use the everything-but-the-kitchen-sink approach. But consistent patterns of behavior exist across many complex worms, enough so that we can drill down to the most common attack techniques found in blended threats. Let’s take a closer look at how these threats victimize computers.

Friday, November 25, 2005

Multifaceted Propagation

Blended threats usually are considered worms because most have the capability to propagate over computer networks, which is the defining behavior of worms. Blended threats use email, web pages, networks, instant messaging, and other online components to spread their infection, and some threats try to use more than one method to increase their wicked odds.
These propagation methods often share a common trait: speed. Whereas many viruses spread slowly (or hardly at all) due to their inability to travel online, blended threats use the Internet for lightning-quick dissemination across several channels. If computer systems can’t defend against the attack, they’ll serve as yet another outlet to expand the infection.

Thursday, November 24, 2005

Buffer Overflows

A popular intrusion method among hackers for quite a while now, a buffer overflow blasts a computer program or process with more data than it can hold, and when hackers (sometimes via worms) include malicious code in the data, they can seize full access to the remote computer system.
Because computer systems need to be flexible, they often utilize buffers (temporary data storage areas). A buffer accepts only a certain amount of information, so when a program copies input into it without checking the size, the excess data spills over into neighboring memory, possibly affecting valid data in other areas. Hackers and worms abuse this process by flooding the buffers with malicious instructions.
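The effect on neighboring data can be shown without any undefined behavior by modelling the buffer and the value stored after it as one byte array. This is an added example, not code from the original page; the sizes, names and the "SAFE" marker are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16          /* size of the buffer (constructed value) */
#define NEIGHBOR "SAFE"     /* valid data stored right after the buffer */

/* One byte array models the memory so the unchecked write below stays inside
   storage this program owns: bytes 0..15 are the buffer, 16..19 the neighbor. */
struct region { unsigned char bytes[BUF_LEN + 4]; };

void region_init(struct region *r) {
    memset(r->bytes, 0, sizeof r->bytes);
    memcpy(r->bytes + BUF_LEN, NEIGHBOR, 4);
}

/* Unchecked copy: trusts the sender's length, which is the overflow bug.
   It is clamped only to the size of the model, not to the buffer. */
size_t copy_unchecked(struct region *r, const void *src, size_t n) {
    if (n > sizeof r->bytes) n = sizeof r->bytes;
    memcpy(r->bytes, src, n);
    return n;
}

/* Checked copy: rejects input that does not fit and writes nothing. */
int copy_checked(struct region *r, const void *src, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(r->bytes, src, n);
    return 0;
}

/* 1 while the data after the buffer is still what was stored there. */
int neighbor_intact(const struct region *r) {
    return memcmp(r->bytes + BUF_LEN, NEIGHBOR, 4) == 0;
}

int main(void) {
    unsigned char input[20];               /* constructed: 4 bytes too long */
    struct region r;
    memset(input, 'A', sizeof input);

    region_init(&r);
    int rc = copy_checked(&r, input, sizeof input);
    printf("checked:   rc=%d neighbor_intact=%d\n", rc, neighbor_intact(&r));

    copy_unchecked(&r, input, sizeof input);
    printf("unchecked: neighbor_intact=%d\n", neighbor_intact(&r));
    return 0;
}
```

The length check in copy_checked is the whole fix: input that does not fit is refused before a single byte is written.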

Wednesday, November 23, 2005

MIME Exploits

Many email programs, such as Microsoft Outlook, use MIME (Multipurpose Internet Mail Extensions) to send and receive non-ASCII messages that include content such as audio, graphics, and video. Microsoft Internet Explorer also integrates with MIME, handling email content when an email program receives an HTML (Hypertext Markup Language)-formatted message. In a process called MIME header parsing, IE performs certain actions as defined in the file headers, such as instructing programs (Windows Media Player, for instance) to execute certain content when received.
Blended threats prey on a hole peculiar to this process that causes some versions of IE to instruct the wrong application to execute the embedded instructions. Because this process occurs automatically and quickly (oftentimes, a victim only needs to open or preview an email message), the worm’s behavior remains hidden.
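Because the flaw lies in how the mail client acts on MIME headers, a mail gateway can inspect those headers itself before the client ever sees them. The following is an added example, not code from the original page: the function names and sample headers are constructed, and treating "a non-application Content-Type on a program file name" as the mismatch to flag is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { PART_OK, PART_EXECUTABLE, PART_MISMATCH };

/* Constructed MIME part headers (not captured traffic). */
static const char SAMPLE_MISMATCH[] =
    "Content-Type: audio/x-wav; name=\"readme.exe\"\r\n";
static const char SAMPLE_EXECUTABLE[] =
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"GONE.SCR\"\r\n";
static const char SAMPLE_OK[] = "Content-Type: image/jpeg; name=\"photo.jpg\"\r\n";

/* Case-insensitive search for a lower-case needle; returns a pointer just
   past the match, or NULL. */
static const char *after_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && tolower((unsigned char)hay[i]) == needle[i]) i++;
        if (i == n) return hay + n;
    }
    return NULL;
}

/* Copy one token, lower-cased and with optional quotes removed, into out. */
static void token(const char *p, char *out, size_t cap) {
    size_t i = 0;
    while (*p == ' ' || *p == '\t') p++;
    int quoted = (*p == '"');
    if (quoted) p++;
    while (*p && i + 1 < cap) {
        if (quoted ? *p == '"' : (*p == ';' || isspace((unsigned char)*p))) break;
        out[i++] = (char)tolower((unsigned char)*p++);
    }
    out[i] = '\0';
}

/* Classify one part by its declared type and its file name. */
enum verdict check_part(const char *headers) {
    /* Extensions of the attachments and dropped files named on this page. */
    static const char *const risky[] = { ".exe", ".scr", ".chm", ".hta" };
    char type[64] = "", name[128] = "";
    const char *p;
    if ((p = after_ci(headers, "content-type:")) != NULL) token(p, type, sizeof type);
    if ((p = after_ci(headers, "name=")) != NULL) token(p, name, sizeof name);
    const char *ext = strrchr(name, '.');
    for (size_t i = 0; ext != NULL && i < sizeof risky / sizeof risky[0]; i++) {
        if (strcmp(ext, risky[i]) == 0)
            /* A program declared as audio, image, video or text is the
               disagreement a mail gateway should quarantine outright. */
            return strncmp(type, "application/", 12) == 0 ? PART_EXECUTABLE
                                                          : PART_MISMATCH;
    }
    return PART_OK;
}

int main(void) {
    printf("%d %d %d\n", check_part(SAMPLE_MISMATCH),
           check_part(SAMPLE_EXECUTABLE), check_part(SAMPLE_OK));
    return 0;
}
```

Searching for "name=" covers both the name parameter of Content-Type and the filename parameter of Content-Disposition; only the first one found is examined.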

Tuesday, November 22, 2005

Trojan Horse Placement

Blended threats work hard to satisfy their goals, and in doing so, they resort to many tried-and-true intrusion methods, including planting Trojan horses. These shadowy tools impersonate legitimate programs while delivering information or access from the victimized computer to a remote user(s).
Although major anti-virus programs protect against most Trojan horses, some blended threats plant them simply to bolster their chances of total domination on infected computers.
These methods represent major tactics used by blended threats, but by no means does this list cover them all. As threats continue to evolve, the number of techniques they use perpetually increases, and because blended threats use what works, we’re apt to see almost anything appear as a fiendish ingredient in the blended stew.

Monday, November 21, 2005

Face the Danger

The concept of creating a blended threat is certainly intriguing, but do many actually exist? You better believe it. Due to both the challenge of writing them and their sheer effectiveness, blended threats are all the rage among virus writers; likewise, they now cause serious concern among security experts and system administrators. Examining the intricacies of both old and recent examples can help us understand this powerful type of menace.

Sunday, November 20, 2005


To explore the roots of today’s blended threats, we need to peer way back in computing history to the Morris worm. Launched on Nov. 2, 1988, by its creator, Cornell student Robert Tappan Morris, the worm exploited security holes in Unix-based system software by using a three-pronged approach. Although an attack wasn’t necessarily the intention of the Morris worm’s author (he intended for the worm to spread without damage to victimized computers), buggy code resulted in severe computer slowdowns.
Morris propagated by infiltrating holes in Unix’s sendmail, fingerd, and rsh/rexec components included on DEC’s VAX and Sun Microsystems’ Sun 3 systems. Morris used the buffer overflow technique, among other avenues, to infiltrate the systems.
The author intended for the worm to spread from computer to computer without causing any damage, but instead, the worm didn’t stop its replication process when it entered a new computer—it replicated hundreds of times until the computer’s resources couldn’t handle the overload. Because computers connected to the Internet were defenseless against Morris, owners of unaffected systems had to sever their online connections to avoid infection.
The attack was devastating, crashing between 5% and 20% of the 60,000 to 80,000 computers connected to the Internet at the time. Computer experts from the University of California, Berkeley, MIT (Massachusetts Institute of Technology), and Purdue University dissected the worm’s code and eventually helped release a fix, but not before Morris caused significant damage.
Convicted under The Computer Fraud and Abuse Act of 1986, Robert Tappan Morris received three years of probation, 400 hours of community service, and a $10,000 fine.

Saturday, November 19, 2005

Code Red

Long after the Morris worm wreaked havoc across the Internet, a devastating worm appeared with symptoms similar to Morris, infecting systems using Microsoft’s IIS (Internet Information Server) software.
Code Red started attacking Internet hosts in July 2001 by exploiting the Index Server (.IDA) buffer overflow vulnerability in IIS-based servers. By using this tactic, Code Red tries to spread its code among servers, deface web pages of sites run by Web servers, and use these servers and a DoS (denial of service) routine to attack a White House web site.
Executing only in system memory, Code Red checks the system clock, and if the current date falls before the 20th of the month, the worm opens 100 copies of itself on the infected system and begins scanning for and attacking other systems. Although the different instances of the worm scan for and attack random systems, the worm’s code forces all open instances to attack the same list of servers, resulting in relatively slow propagation. If the date (as read by the system clock) falls between the 20th and 27th of the month, Code Red slams the IP (Internet Protocol) address associated with the White House’s site with connection attempts to try to disable the web site.
Because of its somewhat slow propagation, Code Red did not cause serious damage, although it did deface some web pages with a “Welcome to! Hacked by Chinese!” message. But shortly after Code Red appeared in the wild, a more dangerous variant, dubbed Code Red version 2, began infecting computers with incredible speed. Code Red version 2 uses an alternate method to infect computers; instead of attacking the same list of servers, each infected computer infects a completely different random list. According to the CAIDA (Cooperative Association for Internet Data Analysis), this single alteration resulted in the infection of more than 359,000 computers in 14 hours.
Weeks later, a new worm bearing the Code Red name appeared, carrying even more potential for damage and downtime. Although it’s unrelated to the original Code Red worm, this new worm featured the string “CodeRedII” in its source code, so experts began calling the worm just that: Code Red II. Where the original Code Red scans 100 systems at a time, Code Red II scans between 300 and 600 sites with each infection and deposits a backdoor Trojan horse application onto infected systems.
Code Red II doesn’t deface web pages, nor does it launch a DoS attack on a predetermined site. However, the backdoor Trojan horse application it plants in victimized computers can allow complete remote access to computers so hackers can use them for DoS attacks or similar strikes against other computers. This Trojan horse executes a number of instructions, including the disablement of WFP (Windows File Protection), which prevents the replacement of certain system files.
To make matters worse, users cannot completely remove Code Red II by simply rebooting the computer, like they can with Code Red and Code Red version 2. Instead, it’s necessary to manually remove the worm and then install a patch to prevent re-infection.

Friday, November 18, 2005


Just when fears surrounding Code Red and its scandalous relatives started to fade, another devastating worm appeared. Named by spelling “admin” backward, Nimda reared its ugly head in September 2001 and caused considerable panic among system administrators who scrambled to shore up their vulnerable systems.
Nimda assaults as many as 16 known vulnerabilities in both workstations (and clients) and servers running Windows 95/98/Me/NT/2000, even searching for holes created by previous notorious worms.
This intricate threat works by locating and infecting EXE (executable) files on a local computer, causing the worm to spread if the victimized user shares the files with other users. Next, Nimda gathers email addresses from the local computer’s email client (and local HTML files) and sends one email message to each address, complete with an attachment called Readme.exe. If the initial attempt is unsuccessful, the worm resends the infected email messages every 10 days. Depending on security settings, this attachment automatically runs on PCs using Microsoft Internet Explorer 5.5 SP1 or earlier (except Internet Explorer 5.01 SP2), thereby infecting the computer without user interaction. Otherwise, Nimda infects the computer if or when the user double-clicks the attachment.
Nimda tweaks several Windows security settings and begins scanning online for vulnerable IIS servers, seeking backdoors created by Code Red II and the sadmind/IIS worm. If it’s successful in its search, the worm places its code on the servers. At this point, Nimda’s activity grows increasingly alarming, as it modifies random web pages with JavaScript code to infect any users who try to access the pages. Nimda also traverses local networks, seeking directories that allow file sharing with a Guest account and no password, and upon finding one, it inserts a system file that automatically infects DOC (document) and EML (email) files upon execution by any user.
According to CAIDA, Nimda infected 160,000 hosts at its peak and caused significant slowdowns across the Internet. Its most significant impact, however, was probably the panic caused by its ability to infect computers using a wide range of resources, some of which infected computers automatically. And because of Nimda’s multifaceted approach (if it failed to infect a system using one method, it tried another), it often avoided anti-virus software’s detection.
Nimda prompted a push for stricter computer security more than any other single virus, worm, or Trojan horse in recent memory, and that push continues—with Nimda entrenched firmly in system administrators’ memories.

Thursday, November 17, 2005


This multifaceted threat contains both a worm component to spread and a Trojan horse component to open holes on infected computers for future rogue access.
Badtrans spreads by opening and replying to all unread email on a computer, and then remains active, replying to any new email messages that arrive. The reply contains the following message in its body: “Take a look to the attachment.” When the victim clicks the attachment, which Badtrans names randomly, the worm installs a copy of itself (as INETD.EXE) into the Windows directory (usually C:\WINDOWS), along with the Trojan horse (HKK32.EXE). This Trojan is a variant of the Hooker Trojan, which steals system passwords and data and emails the information to a remote party.
To prevent multiple replies to the same message and replies to messages from other infected machines, the author instructed Badtrans to insert two spaces at the end of each email’s subject line and not to reply to messages with that trait. But most email servers abide by a well-known standard for formatting email messages, and in doing so, they delete extra spaces at the end of subject lines. This causes Badtrans to perpetually loop messages between infected computers, possibly causing email servers to crash under the heavy data flow.

Wednesday, November 16, 2005


Blended threats are often ingenious in their attempts to infiltrate and spread, and Goner is a particularly effective example of this quality.
Goner spreads in one of two ways. The more prevalent method is via email, where it transmits as an attachment that masquerades as a screen saver called GONE.SCR. The subject line typically reads, “Hi!” and the body typically reads, “How are you? When I saw this screen saver, I immediately thought about you ... I am in a hurry [sic], I promise you will love it!” On infected computers, Goner emails itself to all addresses listed in the Microsoft Outlook address book.
Goner also propagates by initiating file transfers in ICQ, a popular instant messaging program. If the ICQ user on the other end of the file transfer accepts the infected file (or if the user previously set ICQ to automatically receive files) and executes it, Goner infects that user’s computer. When users execute GONE.SCR, a splash screen and an error message appear as the worm replicates in the Windows system folder and modifies the Windows Registry (central database of settings and user preferences).
But Goner reserves its most sinister behavior for its nemeses: anti-virus programs. If Goner finds any programs associated with a large list of anti-virus and other security programs, it terminates them. This behavior also opens victimized computers to future attacks, especially for hackers that utilize computers as zombies (systems open to outside access so someone can control them remotely) in wide-ranging DoS attacks.

Tuesday, November 15, 2005


Also capable of terminating anti-virus and firewall programs is BugBear, a blended threat that propagates via email messages and shared network resources. But BugBear doesn’t stop with spreading its infection and battling security programs.
To facilitate theft of confidential information, BugBear installs a keylogging program on infected computers that records keystrokes to memory and emails the information (each time the user connects to the Internet) to one of several email addresses found in BugBear’s code. It also keeps one of the computer’s ports open, creating the potential for remote users to issue commands that let them alter files, retrieve passwords and other information, and more.

Monday, November 14, 2005


HTML formatting delivers a host of benefits to email users, but it can also introduce threats. One of the most infamous of these threats is BleBla, which includes the rather dreadful requirement that users simply preview or open email messages to initiate BleBla’s functions.
When BleBla arrives as an email message, it brings along two attachments: MyJuliet.chm and MyRomeo.exe. When a user opens or previews the email message, BleBla’s HTML component saves the attachments in the Windows Temp folder (usually C:\WINDOWS\TEMP) and executes MyJuliet.chm, which then launches the central worm component of BleBla, MyRomeo.exe.
MyRomeo.exe gathers email addresses from the Outlook address book and sends email messages using SMTP (Simple Mail Transfer Protocol) servers located in Poland. BleBla randomly selects a subject heading from a list of 12 choices. Some experts contend that BleBla’s ability to connect to outside servers gives it the power to download upgrades or payloads.

Sunday, November 13, 2005


Sonic is a blended threat with the confirmed ability (and desire) to connect to the Internet and download files and updates.
Sonic’s worm component propagates via email messages that have a subject line of “Choose your poison” or “Name your poison” and include an attachment called GIRLS.EXE or LOVERS.EXE. When a user double-clicks (or otherwise executes) the attachment, the initial component of the attachment runs. This component, called the loader, starts itself as a hidden system service, drops a copy of itself (as GDI32.EXE) into the Windows system directory (usually C:\WINDOWS\SYSTEM), and modifies the Windows Registry so that the loader executes each time the user starts Windows.
At this point, the primary component of the attachment attempts to access an anonymous web page every 10 minutes to download the latest versions of the worm and attachment components. Sonic then decrypts the files and saves a new version of GDI32.EXE to the Windows system directory. Finally, the worm propagates by emailing itself to entries in the Outlook address book.
Sonic’s primary component also includes backdoor abilities, which can let a remote party infiltrate and utilize system resources on infected computers.

Saturday, November 12, 2005


Although reports of BubbleBoy infecting computers outside of controlled environments are rare, BubbleBoy is significant because it’s the first blended threat to require Outlook email users to simply preview or open a message to infect their computer.
Carrying references to the hit television sitcom, “Seinfeld,” BubbleBoy uses an ActiveX control exploit within an HTML-formatted email message to spread its infection. BubbleBoy drops a malicious HTA (HTML Application) file in the Windows startup folder and mails itself to all email addresses in the Outlook address book.

Friday, November 11, 2005

Full-Scale Invasion

On their own, viruses, worms, Trojan horses, and cracking methods can encounter problems today when trying to perform their devious deeds, thanks in large part to successful efforts by security software developers.
But years ago, the Morris worm demonstrated the success inherent in a multipronged attack, and recent combinations of malware prove that computer threats can and will skillfully evolve alongside legitimate computer technologies. Blended threats continue to carry and use the tools and methods necessary to infiltrate so-called secure computing systems worldwide, so if you thought you heard the last of the likes of Code Red and Nimda, think again.