The Great Cyber Comparison: Anthropology of Modern Malware and Development of Civilizations: The First Signs of Weaponized Malware
By Brian Laing
Jared Diamond states, “By selecting and growing those few species of plants and animals that we can eat, so that they constitute 90 percent rather than 0.1 percent of the biomass on an acre of land, we obtain far more edible calories per acre.” This greater density of plant and animal domestication directly led to denser human populations. Likewise, the increase in Internet use directly gave attackers far more attackable machines per network. The ubiquitous nature of Internet usage also increased the number of attacks by adding new attack paths via a plethora of new Internet services such as social networks.
Malware has always taken advantage of the human enthusiasm to share with one another. In the early days of the Internet both digital content as well as inadequate pathways limited our ability to share. Now with increased Internet use there is a superabundance of new content and many ways for it to be shared. Social networks greatly aided our desire to share – Everything from the mundane, “At Starbucks getting a coffee”, to the two billion daily photos shared on Facebook is fodder for our friends. But social networks are not just for fun and games; they are also utilized as key tools in business. Use of social networks not only facilitates the maintenance of social connections, they also extend those connections to broader second and third order interactions, which further increase the potential attack surface while adding even more new avenues of attack.
One way attackers have taken advantage of these increases is by changing the method of malware proliferation. Early malware spread via floppy disks and targeted users indiscriminately, which limited their infection rate. This also meant they could really only be used for destructive purposes. As the need for knowledge bases grew, intranets and extranets became common throughout corporate networks; malware matured and had new pathways to propagation. Initial Worms spread just as indiscriminately as the less-sophisticated malware, but spread far more rapidly. This was malware’s first major evolutionary step forward.
The Morris worm was one of the first computer worms distributed via the Internet instead of floppy disks. Its father, Robert Tappan Morris released the worm on November 2, 1988 (from an MIT server to disguise the fact that he was a graduate student at Cornell) ostensibly to find out how big the Internet was by gauging how many computers were connected to it. While his goals may have been altruistic, the code exploited known vulnerabilities. And worse, it had a bug! The worm failed to ask whether the worm was already installed on the host machine, so it kept replicating itself until the machine would slow down to the point of being useless. Robert Morris actually did break the Internet. Cleanup of the various networks connected into its backbone took several days, and although Morris has always sworn that his goal was not to cause damage, he was rewarded with a conviction for computer fraud for his effort.
Fast-forward fifteen years to January 25th, 2003 and the Internet had almost a quarter of a billion users. This was the day Michael Bacarella, posted a message to the Bugtraq security mailing list entitled, “MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!“ SQL Slammer had been initiated and almost all of the 75,000 victims were infected within ten minutes. The worm was a very small piece of code that exploited a vulnerability in Microsoft SQL Sever. It would generate random IP addresses and send itself to each of them. If the IP address was an unpatched Microsoft SQL Server, then that server also became infected and would begin to replicate the worm. Two primary aspects drove SQL Slammer’s rapid propagation: the worm infected hosts over UDP, (a sessionless protocol) and the entire worm was just 376 bytes in length, which meant it fit into a single packet and allowed infected hosts to “Fire and Forget” large numbers of packets as rapidly as possible.
Like the Morris worm, SQL Slammer had unintended consequences and set off a chain reaction that was probably more severe than the worm itself. More Internet connected machines equaled more networks and these networks connected via routers. As the worm spread these routers became overloaded, which under normal circumstances would cause the routers to delay or temporarily stop traffic, but instead many of them crashed. When a router crashes their neighboring routers update their routing tables to remove the crashed router. This flood of routing table updates crashed additional routers. But then the crashed routers started to come back online, which caused additional waves of routing table updates, but this time for routers coming online, which only compounded the problem. Other worms such as Mydom and Sasser could spread from machine to machine. Some caused issues that took longer than SQL Slammer to remediate, but SQL Slammer is still recognized as the most virulent and fastest-spreading worm ever.
In 2005 the first warnings from UK and US Computer Emergency Response Teams (CERT), organizations were being sent out to their subscribers. Malware was being tailored and delivered via socially engineered email in the hopes of infecting highly-targeted machines and organizations. The term “Advanced Persistent Threat” or APT had not been created, but the first examples of a new form of evolved malware had arrived. This evolutionary step forward would change security more than anything else. To cover this in detail we need overall context to fully understand the motivations and technology changes that allowed malware to take this step. This requires a review of other forms of attacks such as phishing attacks and traditional service based attacks along with how these attacks are used.
Brian Laing is an executive at IT security innovator Lastline. An entrepreneur and on the frontline of the security industry for more than 20 years, Brian is a leader in strategic business vision and technical leadership, shown through his work with a range of start-ups and established companies. Brian founded RedSeal Networks as well as Blade software, who released the industry’s first commercial IPS/FW testing tools.