The Evolution of Malicious Agents
I enjoy studying history, mainly because it helps you understand where you may find things heading in the near term. This paper is no different.

In the context of this paper, a malicious agent is a computer program that operates on behalf of a potential intruder to aid in attacking a system or network. Historically, an arsenal of such agents consisted of viruses, worms, and trojanized programs. By combining key features of these agents, attackers are now able to create software that poses a serious threat even to organizations that fortify their network perimeter with firewalls.

Source: The Evolution of Malicious Agents by Lenny Zeltser.

This paper examines the evolution of malicious agents by first looking at replication and propagation mechanisms of programs such as the Morris Worm and the Melissa Virus. These programs are effective for illustrating the rate at which malicious agents can spread, as well as for demonstrating the ease with which they are able to penetrate the organization's network defenses.
Next, the paper discusses spying viruses such as Caligula, Marker and Groov, which, after infecting a computer system, report their findings to the home base. These viruses are limited in that their behavior has to be programmed in advance. However, they are especially dangerous because they utilize outbound connections to communicate with their authors, and can be used as powerful reconnaissance scanners. Because many firewall policies do not restrict outbound traffic such as HTTP and FTP, these viruses are able to stay in contact with their authors even when operating in an organization that considers itself secured from the outside.
The paper proceeds by analyzing features and limitations of remotely controlled agents such as Back Orifice and NetBus, as well as of distributed denial-of-service software such as Trinoo and TFN. These programs can provide attackers with the ability to remotely issue commands on the infected machine. In addition, distributed denial-of-service programs have the ability to coordinate actions of multiple agents, providing their operators with multiple attack launching points. However, current versions of these programs do not have the propagation capabilities of viruses and worms, and are effectively prevented from accepting commands from the operator by most firewalls because the controlling traffic is primarily inbound.
Finally, the paper details the possibility of a new breed of malicious agents that combine propagation capabilities of old-fashioned viruses and worms with the interactivity of remotely controlled agents by using outbound traffic to obtain instructions. In particular, the paper focuses on the RingZero trojan, as an example of an existing malicious agent that already exhibits many of these characteristics.
As a result of such evolution, organizations may be faced with a remotely controlled worm that has the ability to infiltrate networks via open channels such as e-mail or Web browsing, can be controlled via outbound connections such as HTTP and FTP, which can pass through many firewalls, and has propagation capabilities that maximize its ability to perform an effective distributed attack.
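The agent described above takes its orders over outbound HTTP or FTP, which a permissive egress policy waves through. As an added example (not from the paper or this post), here is the kind of check a defender can run over egress logs: it parses constructed firewall log lines and flags internal hosts that reach the same external host on a watched port at a near-constant interval, the periodic "check for instructions" pattern such a control channel produces. The log format, the port list and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed egress firewall log (format is an assumption, not from the paper):
# "<epoch_seconds> ALLOW <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
1000 ALLOW 10.0.0.5 -> 203.0.113.10:80
1010 ALLOW 10.0.0.7 -> 198.51.100.4:80
1100 ALLOW 10.0.0.7 -> 198.51.100.4:80
1590 ALLOW 10.0.0.5 -> 203.0.113.10:80
2210 ALLOW 10.0.0.5 -> 203.0.113.10:80
2800 ALLOW 10.0.0.5 -> 203.0.113.10:80
2900 ALLOW 10.0.0.7 -> 198.51.100.4:80
2950 ALLOW 10.0.0.7 -> 198.51.100.9:443
3395 ALLOW 10.0.0.5 -> 203.0.113.10:80
3401 ALLOW 10.0.0.7 -> 198.51.100.4:80
"""

LINE_RE = re.compile(r"^(\d+) ALLOW (\S+) -> (\S+):(\d+)$")
WATCHED_PORTS = {21, 80}  # FTP and HTTP: the outbound channels the paper names

def parse(log):
    """Yield (timestamp, src, dst, port) for well-formed lines; skip malformed ones."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)

def find_beacons(log, min_hits=4, max_jitter=0.2):
    """Return {(src, dst, port): mean_gap_seconds} for flows seen at least
    min_hits times whose inter-connection gaps are nearly constant
    (population std-dev / mean <= max_jitter). Thresholds are assumptions."""
    times = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if port in WATCHED_PORTS:
            times[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} every ~{gap:.0f}s")
```

Host 10.0.0.7 also talks to 198.51.100.4:80 four times, but at irregular gaps, so it is not flagged; a real deployment would tune the thresholds against the site's own baseline.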
September 22, 2005 in malware, papers