Are Viruses Working Together
by Doug Chick

Today’s viruses have become more than just a geek trying to find
self-identity; they have become organized units that call on other viruses
for support. Does this sound too absurd to believe? You better believe it
because they are already there and eating away at your bandwidth looking for
their next targets. If you look at the viruses that you are removing from
your networks you will see that each one seems to perform a specific task.
One virus may do nothing but e-mail out to a few specific IP addresses.
Another may assimilate e-mail addresses from an address book and send
itself to your friends and contacts, while another may
stay on your system and do nothing but port scans on other networks and
report back its findings to its designer. A network analyzer, or Sniffer, is
always a good way to detect and plot the activities of these types of
viruses. I use a relatively inexpensive packet analyzer named CommView. (The
reason that I like it is because you can monitor traffic live, and see what
ports are being accessed.)

A few weeks ago while running my packet analyzer program I saw a
computer on my network running port scans against several ranges of
addresses. I realized immediately that this was the work of a virus and
instead of unplugging it from the switch I decided to keep it on and monitor
its activity. What I found was actually three programs (viruses)
performing separate tasks reporting their results to the same e-mail
addresses. Other computers also had some or all of these viruses. This
particular computer would later be responsible for re-infecting the same set
of computers. That is when we found an additional virus that lay almost
dormant. That’s when I realized that it would be very likely for there to be a series
of viruses that would actually be capable of working together for the common
goal of their master, or masters.
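
As an added illustration (not part of the original article), the two behaviours described above, one host probing many addresses and several hosts reporting to the same outside mail destination, can be picked out of traffic records exported from a packet analyzer. The LAN range, relay address, threshold and sample records below are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this sketch: the LAN range, the sanctioned mail relay and
# the threshold are hypothetical values to tune for your own network.
LAN = ip_network("192.168.1.0/24")
MAIL_RELAY = "192.168.1.5"
SCAN_FANOUT = 20   # distinct (dst, port) pairs before a host counts as scanning

def find_scanners(flows, fanout=SCAN_FANOUT):
    """Return {src: distinct target count} for hosts probing many targets."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        targets[src].add((dst, dport))
    return {s: len(t) for s, t in targets.items() if len(t) >= fanout}

def find_shared_smtp_dests(flows, relay=MAIL_RELAY, lan=LAN):
    """Return {external dst: sorted LAN hosts} for direct SMTP that bypasses
    the relay, keeping only destinations shared by two or more hosts."""
    senders = defaultdict(set)
    for src, dst, dport in flows:
        direct_smtp = dport == 25 and src != relay
        if direct_smtp and ip_address(src) in lan and ip_address(dst) not in lan:
            senders[dst].add(src)
    return {d: sorted(s) for d, s in senders.items() if len(s) >= 2}

def sample_flows():
    """Constructed (src, dst, dport) records standing in for a capture export."""
    flows = [("192.168.1.23", f"10.20.0.{i}", 445) for i in range(1, 41)]  # sweep
    flows += [("192.168.1.23", "203.0.113.9", 25),    # same outside SMTP host
              ("192.168.1.31", "203.0.113.9", 25),    # reached by two PCs
              ("192.168.1.5", "198.51.100.2", 25),    # the relay: expected
              ("192.168.1.31", "192.168.1.5", 25),    # normal mail submission
              ("192.168.1.40", "198.51.100.7", 443)]  # ordinary browsing
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    print("scanning hosts:", find_scanners(flows))
    print("shared SMTP destinations:", find_shared_smtp_dests(flows))
```

A workstation that appears in both results is a strong candidate for the kind of multi-program infection described above.
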

Trojan or Penetrating Viruses:
I believe that it is likely that there are viruses that do nothing but
penetrate a computer, open a back door and message back to another virus
lying in wait that the coast is clear. These types of virus may open the
door for many other viruses to join them. There are 4 very distinct ways that
these viruses travel in e-mail:

Buffer overflows that allow a virus to march right in.
Intruders write scripts to take advantage of a buffer overflow and often
reprogram an application to run a different program. For example, an
intruder can open a back door, start a new program that sends private files
(checkbooks, password files, and the IP Address of the open computer) to the
intruder using e-mail.

Using the e-mail addresses in the computer’s address book to send itself.
Another method is to use the user’s address book and send itself to his or
her friends or contacts. And since most viruses have to be initialized
before they become active, one sent by a familiar name would be more
likely to be opened.

By using the missionary method. (Despite its
name, the missionary method doesn’t have anything to do with where your
partner is positioned during the course of virus penetration.) I’ll just
rephrase that one later too. **

Another method might be an executable script embedded inside an HTML e-mail
that would be executed if someone had the mail program set to preview e-mail. In
other words, you are likely to find viruses embedded in SPAM. Once a
portal into a computer has been successfully opened it may launch a
secondary program that sits dormant until the computer’s clock or an event
triggers it awake again, or that sends for reinforcements.

Work Horse Viruses:
Work Horse Viruses may be designed to carry out specific tasks. One might
do nothing but scan a random or predetermined range of IP Addresses looking
for open ports, while another might do nothing but scan for known
vulnerabilities. And believe me, there are a lot of them out there and new
ones are being discovered every day. Looking for server security patches should
be the chore of any Network Administrator. Once this type of virus compiles
a list of IP Addresses with open ports and vulnerabilities, it sends its
product either back to its creator or to another program that impregnates
these servers with another program that allows them access to important
data. These viruses may be working on a million computers doing nothing but
scanning, reporting, impregnating and quickly going dormant. There’s a
joke about men in here somewhere.

Breeding Viruses:
One of the most frequently asked questions that I get is where do viruses
come from and who makes them? There was a time that the obvious answer
would have been teenagers that are not successful in pair bonding (geek
term for dating), but these days I’m not so sure. Today’s viruses are
written to perform a specific task for their creator, or creators. Gaining
access and retrieving data seems to be more on the mind of a modern virus
maker instead of mindless vandalizing to impress their peers. I suspect that
some countries are very organized and house a battalion of people that do
nothing but filter through results looking for information that would be
invaluable to the growth of their country’s export market. A small program
can easily scan through a computer looking for a specific bit pattern that
might be a spreadsheet, word or text document and e-mail the results of its
finding back to whomever. In the course of a day a virus can impregnate, not
thousands, but millions of computers. And these are only the ones that we
catch. Well-written viruses may never be detected.

** Missionary Viruses Explained:
A missionary virus is a virus that depends on others to spread it, either
for reasons of irony or because the maker wanted to keep the program small
and simple. A missionary virus may be a virus embedded into a cute holiday
picture, an e-mail of spiritual inspiration or, in its most common form,
a warning that there is a dangerous virus out that will destroy your
computer: “Please forward this to all of your friends.” And of course the
unsuspecting victim sends this virus to everyone he or she knows. Most of
these types of viruses are hoaxes, but there are some out there that are
back door Trojans. The reason I call them Missionary Viruses is simply because
Missionaries were infamous for traveling to remote locations, such as the
Hawaiian Islands or say South America spreading the word of God. What they
spread faster than God’s words were plagues and diseases that killed over
half of these peoples’ population.