Infocus
< http://www.securityfocus.com/infocus/1695 >
--------------------------------------------------------------------------------
Malware Myths and Misinformation, Part One: Windows, Mac, Exchange, and IIS
by David Harley
last updated May 19, 2003
Much Internet culture is founded on misinformation: computer security in general and the virus/malware arena in particular constitute prime examples. Most IT professionals and many people on the periphery (power users, hobbyists, computer journalists) see themselves as de facto security experts, and every security expert is a self-perceived virus expert. Virus writers, malware distributors, and their admirers add an extra spoonful of horsefeather sauce to the mix.
Anti-virus and other industry security researchers are generally a knowledgeable and well-intentioned bunch, but the public voices of the industry are usually drawn not from the research community, but from the marketing department. Their pronouncements are often neither technically well founded nor free from commercial considerations. The army of researchers outside the industry who dominate some open source, security and vulnerabilities discussion lists are often well meaning, but not always as competent or well informed as they think, or would like you to think, and some are far more interested in personal glory than the common good. As a result, virus/anti-virus/security lore bulges with received wisdom that lacks both wisdom and factual basis.
This is a bad news article. It addresses some common misconceptions deriving from complacency, wishful thinking, an inability to question, and a lack of research. The fallacies we address here tend to begin with the words "I'm safe from viruses because..." The good news is that there are plenty of misconceptions about the intellectual and programming superiority of malware authors and the inability of malware management software to offer some compensation. We will consider some of those issues in the third part of this three-part article.
The first group of misconceptions we'll be considering here can be summarised, not altogether fairly, as "I'm safe because the only Microsoft product I use is a mouse."
I'm Safe from Viruses Because...
...I Don't Use Windows
Windows does seem to be the most heavily attacked computing platform: at least in terms of the sheer volume of virus threats. Do the commonly cited alternatives confer the degree of invulnerability assumed by the adherents of this view?
MS-DOS (or its sundry variants) isn't, of course, safe from the multiplicity of boot-sector viruses, file infectors and multi-partites that plagued us when Windows was an unexciting cross between the Apple interface and GEM. These may not appear much of a threat anymore, but some of them are still reported from time to time, and remain officially "in the wild" as reported at http://www.wildlist.org. It hardly seems possible, but the occasional Form-infected floppy continues to be fished out of the back of the drawer.
Linux and other variations on the Unix theme are not generally overwhelmed with viruses, though some of the early research of Fred Cohen, whose work practically defined the anti-virus field, was carried out in Unix environments. But they are far from free of malicious software. Indeed, some of the earliest worms (notably the infamous Morris worm of the late 1980s) were Unix-specific. While Linux file-infectors have so far been more proof-of-concept than in-the-wild, there have been enough subsequent Linux worms (and indeed the occasional Solaris-specific slitherer) to constitute a significant problem.
The evangelical Linux view of Unix as being immune to malware because of its intrinsic security is based more on wishful thinking than on fact. A well-secured and properly patched Windows installation (I'm thinking NT and its derivatives here, of course) is more secure than the average out-of-the-box Linux machine, especially a desktop machine used by a single individual who always runs as root. Unix is not and never has been automatically secure. Looking at vulnerabilities lists and vendor advisories, we see a constant stream of security patch releases. This is not a tilt at open source or Unix (I've been a Unix administrator myself!): simply a reminder that the rarity of Unix viruses should not be seen as indicating an automatically secure platform. Indeed, there is no shortage of war stories concerning system administrators who didn't realize that their Web or FTP servers were sources of virus-infected programs, documents infected with a macro-virus, Trojanized applications and rootkits, and so on. One of the scariest stories concerns an email virus scanning solution implemented by a vendor who explained that they didn't have any form of server-hosted scanning on mail servers because there are no Unix viruses.
There are, in fact, some excellent Unix-hosted anti-virus solutions, as well as some less professional, more co-operative ventures. These include:
generic solutions based on change detection or on blocking of attachments including proscribed filetypes; and,
detection of specific viruses by mainstream AV products, either standalone or working with a more generic 'wrapper'.
While some sites find open source initiatives useful, these tend to be far less effective in terms of known virus detection. Partly, this is because developers and researchers outside the mainstream find it harder to get samples of all viruses; but it is also partly because they don't have the years of code tweaking that more established product developers have gone through.
Regrettably, platform-evangelical wishful thinking is not recent, and certainly didn't start with the rise of Linux. Some seven years after I commenced my solitary crusade to crush the myth that Macintoshes are immune to viruses, the myth continues to thrive. In fact, I've had to address it several times in the last few weeks, so I'm going to give it a section of its own.
...There are no Mac Viruses
Just as some of the earliest worms targeted Unix, some of the earliest viruses targeted Mac users: in fact, the Apple II, one of the Mac's predecessors, was targeted by replicative programs long before the Brain/Ashar brought real life to the IBM PC arena.
There aren't many Mac-specific malicious programs (forty or fifty, depending on how you count, and not including any number of Trojans and jokes that were never in the wild and that no-one has seen in many years). Some can only work against all obsolete Mac OS versions or applications. Apple-specific network-aware malware does exist, but is rarely reported currently.
Cross-platform viruses are, however, still a problem. Microsoft Office viruses rarely carry a payload that would work on a Mac, but many are potentially infective in that context. While it's unlikely that an incautious Mac user would suffer direct damage to their system from opening an infected document, they could be responsible for further dissemination of the infection. The current versions of the operating system have much the same advantages and disadvantages as other Unix platforms, except that so far it has had less attention from malware authors than has Linux.
A favourite Mac-specific myth is that the venerable anti-virus program Disinfectant is all a Mac user needs. Disinfectant was, indeed, a very capable program, and its author can, I believe, take much of the credit for the fact that Mac-specific viruses have never been a huge problem. However, the program is no longer supported or developed, and was never claimed to be an answer to all kinds of Mac-specific malware, let alone cross-platform malware. While the last release of the program is still available, the author has made it clear that he does not regard it as a panacea, and never did.
Other developers, however, have been less stringent. In fact, the Mac has long been disadvantaged by the altruism of program developers who have generously, and with every good intention, made freely available anti-virus software at no charge. In the short term, some of these programs have more than justified their existence by providing a quick fix when the commercial anti-virus companies were still working on an update. However, Mac users have tended to place as much trust in such programs as in the larger, more expensive, but better-supported and more thoroughly tested offerings. Sadly, there is no free, universal answer to the (relatively mild) Mac virus problem. In fact, those sad souls who are obliged to run Windows/PC emulation on an Apple machine are usually doubly cursed by the need to run a Windows anti-virus program as well as a Mac-specific program.
There is, however, good news for the extreme paranoid. CP/M is, as far as I know, totally free both from viruses and users, except for a few sad and solitary Amstrad PCW users with their 3 inch disk drives and Locoscript word processing software. They are as safe as it is possible to be this side of Richards' Laws of Data Security (which state: Don't buy a computer. If you must buy a computer, don't turn it on), but the price of that safety is extreme isolation in a connected world. Indeed, so extreme is their isolation that the whole virus issue seems to have passed them by and left them happily oblivious.
However, even CP/M users are not free of the closely related problems of latent viruses and heterogeneous virus transmission. Which is jargon for: "Just because a malicious program can't activate and do damage on your system, that doesn't mean you can't pass it on to someone whose system it can harm." Some of my favourite war stories concern Mac users who asked their PC-using secretaries to open a .SCR or .VBS attachment that wouldn't open on their own machines.
...I Don't Use Microsoft Office
It seems strange to recall the impact that macro viruses had on the world around 1995/1996 and for several years after. They tested to destruction the commonly accepted assumption that while programs can be replaced, perverted or infected by various forms of malicious software, data is data, and therefore safe. Actually, this was altogether true. Data is not always only data. Many data file formats contain some form of embedded code, and many programs (arguably, all) contain some form of data. The macro languages made available by Microsoft as part of their major office applications are powerful programming environments, and their vulnerability is greater than that of most macro-bearing applications, due to the fact that macros and data can and often do reside in the same file object. The reverse also applies: the primary task of a program may be to contain and to display data (or, better still, information) - PostScript files, for instance, or informational messages displayed by a batch file.
Macro viruses today are a persistent but easily controlled problem. They don't usually spread with the speed of a Melissa. (Though readers shouldn't forget that Melissa was a macro virus!) Comparatively few new ones are seen (and tend to be detected easily by macro virus detection heuristics). In the mid-1990s, though, it was a major jolt to the AV system to have to scan a whole new set of file types. In fact, it became harder to get away with not scanning all files, since Word documents don't have to have a .DOC, .DOT etc. filename extension, so there was much gloom and despair about the inevitability of extended scan times. In fact, the arrival of the macro virus may have had a beneficial side effect, in that it concentrated the minds of anti-virus vendors on improving scanning speeds and hastening the take-up of on-access scanning.
While Office and other Microsoft products do not constitute the only target for the writers of macro viruses, most of the malware that has afflicted other systems has been proof-of-concept. For most organizations, though, the business case for the increase in security that may result from not using Office applications is of little consequence. What matters most to them is the sheer nuisance value of the reduced ability to exchange data freely and conveniently with users of some of the most universally employed application software in the world.
...I Don't Use Exchange
Guess what? Microsoft Exchange isn't particularly unsafe. Like every other major mail program, it has its own weaknesses. These are well documented, constantly reviewed, not only by Microsoft but also by the disparate group of individuals who ceaselessly probe major and minor programs for weaknesses and make them public, whether for the common weal, for the advancement of malware, or for personal glory. And, of course, patches are made available at need.
While worms don't generally target Exchange directly, they obviously can and do affect the associated client (such as Outlook). However, Outlook can be used with other server technology with the same implications for dissemination of malware.
...I Don't Use Internet Explorer
This is certainly one approach to avoiding IE-specific vulnerabilities, though other browsers including Netscape, Opera and even Lynx have been reported as vulnerable to certain types of attack from time to time, in one version or another. However, Web developers tend to optimise Web pages for the latest version of IE and, possibly, Netscape, making this a pretty inconvenient strategy for some, who may thus be compelled to stay up-to-date with patches and updates to IE, which are, however, released at need.
...I Don't Use IIS
Clearly, this is one approach to avoiding the ills that plague unpatched IIS installations. Most notoriously, Code Red and the like, though it is essential to note that some malware in this family, most notably Nimda, uses multiple vectors, not just IIS. However, the feverish speculation about so-called Warhol worms and other network nasties has cast darkness into light corners. This view is symptomatic of a common and fundamental misunderstanding about the inner workings of malicious code. Memetic malware (hoaxes and such) apart, no-one has succeeded in writing a malicious program that isn't a program, and there are only a limited number of ways in which any program can work, malicious or not:
The computer user can execute it of his or her own volition.
The code can be executed without the knowledge of the computer user. This is by no means always sinister: in any sophisticated operating environment, programs call each other all the time. When someone clicks on a Windows icon, they often have no idea of how many programs and sub-programs are initiated by that click. Interpreted code an be executed by a program that knows how to read it, not always with the knowledge of the user. Word auto-macros are an obvious example. Linux/Slapper.A is an example of a worm that can exploit a buffer overflow vulnerability in OpenSSL-enabled Apache Web servers.
When a black hat writes a malicious program, viral or otherwise, he has to find a way to get it executed on the target system.
He can persuade the victim to collude in his own downfall by conning him into thinking the program does something desirable. Code that relies upon deceiving the victim in this way is sometimes called user-launched.
He can bypass the victim by writing code that can (under the right circumstances) execute without any direct action on the part of the victim. Such malware is sometimes called self-launching, or self-propelled.
IIS did indeed fall victim to a family of malicious programs that fell partly into the second group, using defects in the software to gain control of systems. (Later members of the Code Red family are actually hybrid, using multiple vectors and a combination of social engineering and self-launching to spread.) There are still too many unpatched machines around, but the supply of exploitable vulnerabilities in IIS (or anything else) is not infinite, though it sometimes seems so. Indeed, the success of this group of worms actually seemed to inspire a cluster of exploit attempts on other platforms.
Conclusion
In the next part of this three-part article, we'll consider a second group of fallacies and half-truths that are somewhat less Microsoft-phobic and are instead concerned with email usage and habit.
David Harley lives in the UK with his partner, daughter, 3 cats and a number of guitars. He works for the UK's National Health Service, specialising in threat assessment and malware/email abuse management. He is an active member of AVIEN and several industry forums. His books include "Viruses Revealed".
--------------------------------------------------------------------------------
Copyright © 1999-2003 SecurityFocus
Message édité par Krapaud le 21-05-2003 à 11:36:00