Vandals: The New Internet Threat
Uploaded by @giovanna-bartolotta
Uploaded On 2015-12-01
Presentation Transcript

Vandals: The New Internet Threat

Internet and its innovative technologies such as Java and ActiveX have created a new type of Internet-specific threat, collectively called vandals. Unfortunately, existing antivirus software products are not able to deal with these new threats. As opposed to viruses, vandals are auto-executable in order to replicate themselves. Since vandals are usually unknown, standard methods of scanning for known virus patterns do not work. As I write the Internet do not allow in Active Content (Java and ActiveX), choosing for security reasons to block them all at the gateway level. In order to open chapter will investigate ways to deal with vandals in order to provide an adequate solution to this problem.

VIRUSES

A computer virus is a program that can infect other computer programs

AU9987/ch16/frame Page 203 Monday, May 24, 1999 4:02 PM

1. File infectors that attach themselves to ordinary program files. They usually infect .COM and/or .EXE programs, although some can infect any program containing executable code, such as .SYS, .OVL, .DLL where in memory the first time an infected program is executed and infect any program that is subsequently launched. Some file infectors are polymorphic viruses, which produce varied yet fully operational copies of themselves, usually through self-encryption with a variable key. This is done in the hopes that virus scanners will not

2. File system viruses are those that modify directory table entries so that the virus is loaded and executed before the desired program. The program itself is not modified, only the directory entry.

3. Macro viruses infect Microsoft Office documents (such as Word or Excel). They are generally written in a scripting language, except in Office 97 where they are written in Visual Basic for added power. These viruses are responsible for the majority of virus infections, mostly due to the sharing of documents via e-mail.
Macro viruses can switch words around in documents, change colors on the screen, format the hard drive, send documents by e-mail without notifying the user, etc.

4. System/boot record infectors infect executable code found in certain system areas on a disk, which are not ordinary files. Some are boot-sector viruses, which infect only the DOS boot sector. Others are MBR viruses, which infect the Master Boot Record on fixed disks settings as well. However, CMOS memory is not in the normal CPU address space and cannot be executed. A virus may corrupt or modify CMOS information, but cannot hide there. Multi-partite viruses infect both files and boot records.

INTERNET VANDALS

In contrast to viruses (which require a user to execute a program in order to cause damage) vandals are applications. They are likely to be made with malicious intent by programmers, but can also be normally harmless programs that are misused in order to steal or damage

Early in 1997, the world heard about a serious threat involving a free plug-in advertised as a multimedia viewer that played Web movies. The free plug-in silently redirected the computer's modem from the Internet ac- bills. Within a few months of this attack, a hacker organization used an ActiveX control to steal data from Quicken files located on the local drives of people viewing their Web page.

Vandals can be written into the code of Java Applets, ActiveX controls, JavaScript, or any number of new programming languages designed to enhance Web pages. They can also be hidden in pushed content, e-mail attachments, or harmful plug-ins for Web browsers.

Where Vandals Hide

day. In addition to message text, e-mail can also include attachments of all tachments can carry vandals, Trojan Horses, or viruses. Anybody can send and receive e-mail containing hostile content or attachments without er.
In an unprotected corporate environment, the hostile attachment will

Web Content. Web surfing is the second most popular Internet activity, and it is the least secure. The newest Internet technologies, especially Java and ActiveX, are used to create dynamic, content-driven Websites. Unfortunately, these compelling new technologies also pose the highest risk. Java applets and ActiveX controls are downloaded and executed automatically by simply viewing a Web page. In this manner, you are essentially allowing an unknown person to copy an unknown program to your network and run it. Instructing Web browsers not to download any Java or ActiveX content is possible but increasingly less practical, as many Websites require these technologies to provide full functionality.

In addition, just because you are viewing a so-called "trusted" Website does not mean that its content could not have been altered to include vandal programs. For example, in August 1996, the CIA Website was altered — an earlier victim was the Department of Justice. And on December 4, 1997 the Yahoo! Website was penetrated. In fact, hackers often target traditional wording or graphics on a site, he can also add a vandal program that may

Although transferring files is common on the Internet, and carries many of the risks noted previously, it poses less of a threat because it is an activity usually undertaken by experienced users. However, by trusting a product's description to be factual, a user can inadvertently download a program that does something unexpected upon execution.

Netcasting enables news and other content providers tent to the user's desktop. This technology also often provides the means by which nonsecurity-conscious software companies automatically supply stalls a small program onto the PC called a "push-client," which constantly polls the provider's server and transports the latest news, stock quotes, sports scores, etc.
Just as software developers (such as Microsoft) have inadvertently provided CD-ROMs to customers that included viruses, it is very likely that vandal programs and viruses will be inadvertently supplied along with the expected pushed content. To make matters worse, the nature of vandals makes them ideal tools for people trying to target a particular network or company. Someone can easily send the vandal as an e-mail attachment or place it on a Website visited by the company's employees.

Up to this point, the only proposed solution to deal with vandals is authentication, which applies a digital signature to every application. Both Microsoft (with their ActiveX technology) and Sun (for the Java language) are champions of authentication, and argue that digitally signed auto-exe- signed applications have a unique key, given by the Certification Authority (CA). This CA is also responsible for identifying and authenticating the ap-

This entire authentication process lacks some security basics. Even if applicant actually wrote the application or that this application does not contain any vandal code. We all know that providing a passport to an individual does not mean that that individual is not carrying a bomb in his suit- we might know who was responsible. The existing Certification Authority today, Verisign, merely checks that the applicant's Social Security number is valid and that he has records in the Credit Bureau. There have already been instances in which individuals were illegally trying to sell issued, active authentication keys.

a user's machine, a browser option allows the user to see the application's certification and decide if it will allow it to be executed. Since, in truth, one cannot rely on the CA and because the authentication of auto-executable applications does not provide us with any real sense of security, there is no can be used to find and eliminate vandals as well.
We have already established the fact that viruses replicate and thus tend to stay in the host system for as long as possible. This is not true of vandals, which are known to cuted on the client computer, its discovery will, by definition, be too late to do anything about it. Indeed, usually the victim is completely unaware of a vandal attack, making it virtually impossible to even recognize an assault let alone attempt to prevent one. Unlike viruses, the full vandal payload has already been delivered by the time the actual vandal program is identified. Virus-scanning technology looks for known patterns and will not successfully identify the unknown nature of vandals. In light of these facts, any protection against vandals needs to be proactive and needs to cope with new,

THE ANTIVANDAL SAND BOX

We have seen that, unlike viruses, vandals are designed to deliver their payload immediately. Therefore, application servers and file servers cannot be a target for vandals because browsing and the auto-execution of Ac- to the network). It is clear that vandals target the information inside client computers, because this is the place where Internet "happens."

Preventing Vandal Behavior

Because vandals do not attempt hostile activity on servers and they are generally unknown, there is no practical way to identify hostile vandals at the gateway or server level. The only practical way to minimize vandal damage is by utilizing security or access control measures and by monitoring auto-executable applications in real time.

Access Control Lists are used in every up-to-date security system to control users' access to various system resources. We are all used to having a very limited guest-user profile, which is used when temporary or nontrusted users need to work in our systems.
Since vandals are nontrusted guests

Vandals are actually small applications that are executed (automatically) as a process in the operating system or as an internal process of the browser. The solution is to use a security system that verifies access of those applications to system resources against a predefined limited Access Control List. For the purpose of clarity we will call this security system with the predefined limited Access Control List a Sandbox. Vandals in the Sandbox are like children playing safely within limits — they

The majority of Internet users today are working in Microsoft's Windows 95 environment. Unfortunately, the Windows 95 operating system does not provide any Access Control means either for users or for running applications and processes. This Sandbox implementation provides a security layer on top of Windows 95 or a similar operating system that will monitor each and every running process and application. A special system driver (VXD in Windows 95) that will verify the use of system resources (system calls and other resources) against a predefined list of allowed activities can accomplish this.

An example of a predefined Sandbox for Netscape Navigator would be as porary directories, and will be allowed to read only from the Windows system directory. All other activities — read, write, execute, create, or delete — in any directory other than those mentioned above, will be disallowed. Therefore, when Netscape Navigator (or a process within Navigator, like Java or a plug-in) tries to read from the My Documents directory, this will process invoked by an e-mail client to establish a TCP/IP connection and send information out. This would prevent e-mail-attached vandals from stealing information from the hard disk or system memory (Windows 95 keeps network passwords in memory) and sending it to somebody across the Internet.
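The Navigator policy and the e-mail-client rule just described, worked through as an added example (this is not code from the chapter or from eSafe): a per-application Sandbox ACL checked against each attempted file operation and outbound connection. The image names, directory paths and policy table are assumptions constructed for the example, and a process is identified by its ancestry because the chapter extends the Sandbox to processes running inside Navigator or launched by the mail client.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    file_rules: Optional[dict] = None  # op -> allowed directory roots; None = unrestricted
    child_network: bool = True         # may processes it launches open TCP/IP connections?

# Constructed policies; directory names are illustrative, not taken from any real product.
POLICIES = {
    # Navigator and its Java VM / plug-ins: write only under its temp directory, read only
    # from the system directory (reading its own temp files is an assumption); every other
    # operation in any other directory is denied.
    "netscape.exe": Policy(file_rules={
        "read": (r"C:\Windows\System", r"C:\Temp"), "write": (r"C:\Temp",),
        "create": (r"C:\Temp",), "delete": (r"C:\Temp",), "execute": ()}),
    # Mail client: whatever it launches (an opened attachment) may not open TCP/IP
    # connections, so an attached vandal cannot ship disk or memory contents off the box.
    "mailclient.exe": Policy(child_network=False),
}

# A process is described by its ancestry: [own image name, parent, grandparent, ...].
def governing_policy(chain):
    """A child process inherits the sandbox of its nearest ancestor that has one."""
    return next((POLICIES[n.lower()] for n in chain if n.lower() in POLICIES), None)

def _inside(path, root):
    # Normalise both sides so ".." and case tricks cannot escape the root, and match on
    # whole components only (C:\Windows\SystemX is not inside C:\Windows\System).
    p, r = (ntpath.normcase(ntpath.normpath(x)) for x in (path, root))
    return p == r or p.startswith(r + "\\")

def check_file(chain, op, path):
    """True if the sandbox lets this process perform op (read/write/create/delete/execute)."""
    policy = governing_policy(chain)
    if policy is None or policy.file_rules is None:
        return True                     # not sandboxed: the ACL does not apply
    return any(_inside(path, root) for root in policy.file_rules.get(op, ()))

def check_connect(chain):
    """True unless an ancestor's policy forbids the processes it spawned from connecting."""
    return all(POLICIES.get(n.lower(), Policy()).child_network for n in chain[1:])

def audit(events):
    """Real-time monitor stand-in: decide a list of (chain, op, target) attempts."""
    return [(op, target, check_connect(chain) if op == "connect"
             else check_file(chain, op, target)) for chain, op, target in events]
```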
Today's antivirus software products are able to detect, disinfect, and protect against nearly all existing computer viruses. However, current in e-mail, file attachments, or the World Wide Web. Internet vandals, X, are the newest Internet-borne threat, which must be dealt with using

Because vandals are virtually unknown and require no action on the part of the user to execute their code, traditional antivirus scanning practices will not detect the vandal before it performs its given mission. Similarly, traditional security methods such as Authentication and Certificate Authorities only verify the identity of the sender; they do not guarantee the

The Sandbox implementation provides a security layer on top of the operating system, which monitors every running process and application, isolating potential vandals before they strike. Using this risk-free method, Content provides.

Author's Bio

Shimon Gruper is the founder of eSafe Technologies Inc., an EliaShim company, specializing in antivirus, security, and antivandal software. Gruper founded EliaShim immediately after finishing his compulsory service in the Israeli Military in 1984. In 1987, he developed one of the first antivirus software programs when the first computer virus appeared. Since then he has been published in numerous scientific and trade journals on the topics of Internet Security, PC/LAN security, and antivirus software. His expertise includes viruses, client and network security, as well as the emerging issue of Internet vandals (Internet-borne Active Content threats).