Response Strategies For Hybrid Threats
Date posted in ITsecurity.com: 14 July, 2002
A New Approach To Protecting Online Information ResourcesBy ISS
Businesses today are more networked – and
more dependent on being networked – than ever before. The advantages are obvious. With more connections come innovative,
cost-effective ways for corporations to better serve customers, suppliers, investors and employees.
Unfortunately, this growing dependence on network technologies also introduces more complexity, more
interdependence and more exposure to increasingly sophisticated online threats. The purpose of this paper is to explore the
most recent and frightening manifestation of online threat – the “hybrid” – and what organizations
and individuals can do to protect against it.
The hybrid, as demonstrated by Code Red, Nimda, BadTrans, and others, is a malicious program composed
of a combination of formerly “stand alone” information security threats. Viruses, worms, trojans and hacker techniques
have been merged into automated, multi-headed attack tools that rapidly propagate across the Internet to cause huge amounts
of economic damage. For example, Nimda infected over 2.2 million PCs and servers in 24 hours after its release to the wild
in September 2001 (Computer Economics), incurring over $530M in damages via downtime and cleanup. Code Red clocked in at an
even more staggering figure – an estimated $2.6 billion of damage.
Hybrids greatly complicate network security because they change the rules of the game. Their complex
nature neutralizes point solutions aimed at stand-alone threats. In addition, they morph very quickly into more virulent and
better hidden forms. As a result, hybrids require companies to diligently protect all parts of the network infrastructure,
responding in a coordinated fashion at the network, server, desktop and gateway levels.
It takes a comprehensive set of security technologies, knowledge of best practices, and experienced
staff – such as that provided by Internet Security Systems – to beat the hybrid threat. Let’s get started
on understanding what needs to be done.
Malicious Code 101
Understanding the hybrid requires a quick lesson in the history of malicious
code. Until the hybrid, there were three basic types of stand-alone software programs designed to damage servers or desktops:
viruses, trojans and worms. Each entity uses a distinct strategy to infect its target, then propagate after the initial infection.
In addition, how a virus or worm affects a computer depends on the “payload” it carries.
The payload can be an irritating message or it can be a destructive command. Even with no payload, viruses and worms can dramatically
reduce network capacity as they scan systems and/or email attachments across multiple networks. The following sections describe
each of these stand-alone threats in more detail.
Viruses hide and replicate themselves in a computer’s file system. To trigger
an infection, the virus must attach itself to a file being executed by the system. It therefore depends on human intervention/interaction
before it can become active. Once enabled, viruses copy themselves into essential system files, making them hard to remove.
Most viruses reside in memory and actively attempt to infect other programs. The objective of the virus writer, therefore,
is to create damage via wide-scale propagation, such as overwhelming a corporate Exchange server.
Most viruses spread by tricking the user into running a program, most commonly sent as an attachment
via email. In fact, over 85 percent of viruses now spread via email – a significant escalation from a few years ago
when the only way to spread a virus was via an infected floppy disk that was unwittingly walked from one PC to another. The
infected system then helps continue the virus’ spread by emailing it to everyone in the address book of the affected
Source of Viruses (ICSA, 2000)
Trojans are named after the mythical Trojan Horse. Like that famous masquerade, Trojans
appear to be a useful piece of software, but carry a dangerous payload that executes on the target computer with all the privileges
of the user. A trojan does not reproduce on its own, so it does not spread without assistance. Like a virus, however, it relies
on fooling the user into running it as trusted software.
Typically well-behaved, trojans draw little attention to themselves in order to monitor a network or
to provide a backdoor into an affected system at a later date. The first Trojans appeared in the 1950s in university settings
as students, out of time-share resources on their mainframe accounts, used simple Trojans to “backdoor” other
accounts and appropriate other users’ time allotments.
Prior to the arrival of the hybrid, worms were the fastest growing form of threat (see
chart below), and later became a key piece of the hybrid threat’s foundation. A worm is a software program that propagates,
by itself, across a network. Unlike viruses or trojans, it executes on a system without human intervention, and typically
performs a task in which it attempts to find other potentially vulnerable systems. It enters a system by exploiting bugs or
overlooked features in commonly used network software already running on the target, using an automated approach very similar
to those employed by human attackers. Worms often exist purely in memory, avoiding the file system and making them invisible
to file-scanning antivirus software.
Evolution, Not Revolution
Over the years, virus authors have learned how to make their viruses
spread faster. This process has been accelerated by the wide adoption of business networks and the Internet. Needless to say,
as viruses have become smarter and spread faster the cost to control them has increased dramatically. In response, the protection
focus has shifted from the corporate desktop to the gateway, since viral outbreaks are fed mainly by email and Internet-based
(i.e., HTML) services.
Time Required For Virus To Become Most Prevalent Virus In World (ICSA, 2000)
Time to #1
|.EXE boot sector
|Email-enabled Word macro
$93M to $385M
$700M to $6.7B
Meanwhile, worm writers and intruders continued to advance their trade. Looking to do more damage,
they began to exploit multiple vulnerabilities per worm, not just a single vulnerability as in the past. In fact, the number
of attackers who are gifted enough to discover a major exploit (e.g., some weakness in a major operating system) is relatively
small. At the same time, the number of hackers/intruders who are able to fully leverage this knowledge and put it to work
against vulnerable systems around the world is large and growing.
This is not a paradox. In March of 2001, the well-publicized AnnaKournikova worm (not a virus!) struck.
While mostly an annoyance, the true significance of “Anna” was that it was the first worm released into the wild
that was built using an automated tool, the “VBS Worm Generator.” The program, which is widely available on sites
frequented by attackers, highlights another disturbing trend in information security – the growing availability of powerful
tools to assist relatively unsophisticated malicious users. In an era where businesses are more dependent than ever on network
infrastructure for competitive advantage, this development represents a very dangerous escalation.
Finally, worm authors have learned from virus writers, and have begun to leverage email propagation
techniques as a means to broaden the reach and accelerate the spread of their worms. The stage was now set for the hybrid
threat to appear. In 2001, it did – the direct result of combining automated tools with the most effective, specialized
skills from the virus, trojan, worm and hacker underground communities.
So What, Exactly, Is a Hybrid?
Since no two hybrids are the same, it may be easier to describe
a hybrid than to define one.
For example, a simple hybrid may expand a basic email attachment virus technique to include peer-to-peer
(P2P) communications such instant messaging (e.g., ICQ, IRC, AIM or Microsoft Messenger) to propagate. The hybrid uses the
P2P chat network to transfer itself through the “file send” process, persuading the unwary (and overly curious)
user to run the malevolent code.
Regardless of the exact combination of techniques, automation greatly expands an individual attacker’s
reach, allowing hundreds or even thousands of compromised systems to methodically test and infect ever-larger number of victims.
Prior to the invention of the hybrid, each of those systems would need to have been probed individually by the attacker, one
at a time – a much more laborious, time-consuming process.
Case Study: Nimda
Nimda combined many malicious code techniques into a devastating punch
that infected 2.2 million systems in its first 24 hours in the wild. Nimda, which is “Admin” spelled backwards,
used four means of spreading (“propagation vectors,” in industry-speak):
Scanning – Nimda-infected systems scan a network looking for unpatched Microsoft Internet
Information Server (IIS) systems. Nimda then uses a specific exploit, called Unicode Web Traversal exploit, to gain control
of the target server.
Email – Nimda gathers email addresses from the mailboxes of any MAPI-based email system.
Nimda then formats messages to these addresses using both the To: and the From: fields so the From: address will not be from
the infected user. The worm also has its own SMTP server to send out the emails, thus avoiding Exchange or Notes servers.
When Nimda arrives in an email, it uses a MIME exploit that allows it to execute just by reading the infected message or opening
the message in a preview pane.
Browsing – Visitors to a Nimda-infected Web server are asked to download an Outlook Express
email file which contains the worm as a “readme” attachment. It then activates using the email technique described
Network Shares – Nimda creates open network shares on the target system (desktop or server),
allowing complete access to that system at a later date.
After the Infection
In the past, viruses existed mainly to propagate themselves, although
some were specifically crafted to perform damage – via the delivery of their payload – to the infected system.
Hybrid threats are much more dangerous. In fact, so many servers and desktops were infected with Nimda that the email traffic
and constant scanning for new targets created a mini-"denial of service” condition for those networks.
Typical post-infection actions include: Increasing the remote access exposure of the infected machine;
Hiding evidence of infection and removing audit trails; Placing backdoors for future unauthorized access; Rolling back existing
security measures; Or hiding the presence of malicious code by moving the illicit program into “stealth,” or hibernation,
mode until it is needed. Other hybrid threat activities include clearing system logs of evidence of infection, changing file
and registry settings, reformatting or altering drives, files and data, corrupting databases, denying access to critical system
functions or applications, and enabling remote access and control of the infected host.
Stand-Alone Security: Necessary, but Not Sufficient
One of the most maddening aspects of
hybrids is how rapidly new versions appear. Many current information security strategies do not address the ever-changing
nature of the threat. Divided into specific tools for a specific security needs, these applications, services and processes
do not have the ability to recognize broader patterns of attack, or to work cooperatively across operational boundaries to
provide a coordinated defense.
Combine this operational myopia with the increasing number of remote and mobile workers and the possibility
of multi-vector attack propagation becomes much easier to envision. Corporate networks no longer have a single point of entry,
so untrusted unauthorized access, improperly configured virtual private networks (VPNs), unsecured wireless connections and
poorly identified and protected ISP access points (dial-up, cable modem or DSL) introduce a dizzying variety of new vulnerabilities,
each accessible from a constantly changing range of external devices.
The usual security solutions fail to fully address these needs on several fronts:
For antivirus, the majority of the focus has been detecting and stopping passive viruses via
email, at either the server, desktop or gateway level. Other avenues of propagation, such as P2P chat systems, introduce new
vulnerabilities that traditional antivirus solutions only partially address. Additionally, antivirus cleanup focuses on removing
email attachments. With hybrid threats installing backdoors, applying new vulnerabilities, and modifying the system, antivirus
software lacks the ability to patch and protect against these types of damage.
Firewalls determine whether to block or allow network traffic by simply looking at TCP/IP packet
headers to determine if the packets are in accordance with predetermined security policy guidelines. They do not, however,
examine the data load within any given TCP/IP network packet. Therefore, firewalls in general do not have the capability to
recognize malicious code, nor any means to prevent its transfer to a target system.
VPN gateways also open up potential routes for improper access. If any element in a trusted
relationship between two systems has been compromised, then the entire network on either side of that relationship is potentially
open to a hybrid threat infestation. Poorly secured or configured remote mobile access points (e.g., laptops, personal digital
assistants/PDAs or cell phones) may themselves be compromised, then use their trusted relationship to the VPN gateway to transmit
the hybrid threat directly into the corporate network.
In general, Intrusion Detection Systems (IDS) do a good job identifying intruders based on known active
and techniques for breaking into a network. Because hybrid threats leverage known vulnerabilities and exploits, IDS can detect
many hybrid threats before other protection technologies, or even before an update for a new exploit is publicly available.
The limitation of IDS is that it is only responds to an attack after detecting an intruder. That IDS can identify some –
but by no means all – hybrid threats is a happy side benefit. It is far from a comprehensive, proactive solution, and
does not remove malicious code or undo damage.
Vulnerability Assessment technology proactively identifies potential security exposures. However, this
process is time-intensive and requires a fair amount of technical expertise in order to be at its most effective. Most organizations
do not have the resources for operationalized, routine security assessments, let alone the ability to prioritize and take
corrective action for every weakness discovered.
Next Generation Protection
Protection is, as it always has been, an ongoing process that
combines best practices, skilled people and best-of-breed products. That situation hasn’t changed, and hybrid threats
are not invincible. The stakes are higher and the game is played faster, but cost-effective, dynamic protection is already
a reality for many organizations.
All layers of the IT infrastructure – networks, servers, desktops, gateways and applications
– require defense against hybrid threats. Across all these layers, vulnerabilities should be identified, prioritized
and fixed (audit). Deploying and operating real-time defenses in a coordinated way – with emergency response services
– to block and/or contain the threat is also a key tactic. Any in-depth strategy must also include remote and mobile
In other words, successfully fending off the Hybrid in real-time requires a comprehensive technical
solution includes the following critical elements, all designed to interact seamlessly to create a “closed loop”
Network, server and desktop vulnerability scanners – Regular use of these products allows
administrators to proactively identify potential avenues of attack, and then take appropriate measures to ensure the security
exposures are properly repaired.
Network, server and desktop intrusion detection systems (IDS) – IDS is the online burglar
alarm for any network, signaling that an attack or misuse is underway. Host-based and network-based IDS remains the primary
work horse for all “non-email” attack vectors. High-speed networks will require gigabit (Gb) capability in order
to ensure that the IDS system can keep up with the speed and volume of the network traffic. Desktop IDS should be required
for all remote or mobile devices that connect to corporate networks.
Gateway, server and desktop antivirus – Some hybrid threats will always use email and
similar mechanisms to propagate. Therefore, antivirus, particularly at the gateway, will be a critical defense for the foreseeable
Firewall – By blocking many of the incoming connections against services and applications
that the outside world does not need to access, firewalls continue to play an important access control role in reducing the
risk from these hybrid threats.
Centralized administration, deployment, configuration and management – All are critical
for controlling the total cost of ownership (TCO), a key issue in today’s business environment. The ability to automatically
and remotely coordinate device configuration and response based on intelligent analysis of local and global security data
also significantly improves response time to any significant security event.
From a process perspective, “patching” is not a practical option for many organizations.
Ideally, maintaining operating systems and applications current with the latest security patches protects systems from attack
and can slow the spread of a hybrid. While it sounds simple, the “patch process” for corporations with thousands
of production servers (and tens of thousands of fixed and mobile desktops) is far from a trivial operation. Therefore, the
security solution must logistically realistic, as well as functional.
Likewise, forensics tools that log, report, correlate and analyze event activity are important. Understanding
that forensic information in real time is even more critical. Rapid access to threat experts can ensure rapid identification
and analysis of newly emergent threats before they reach the corporate perimeter.
Finally, for those organizations that lack the infrastructure and resources to manage information protection
on a 24/7 basis, managed security services are both logistically and financially attractive. Services typically include:
- Policy development
- Remote scanning to identify vulnerabilities and establish remediation needs
- Intrusion protection monitoring and response
- Gateway antivirus
- VPN management and firewall services
Since the services provider is responsible for recognizing and responding to hybrid threats, the client
receives both cost-effective protection and a degree of liability protection should the protection system not prove 100 percent
Hybrids are a dangerous costly escalation in the ongoing battle between good and
evil, both on corporate networks and across the Internet. These threats not only aren’t going away – they will
actually increase, in prevalence, complexity and virulence. Organizations that rely on network technologies to conduct business
operations have no option but to deal with this threat. The key to an effective defense is vigilance (i.e., early warning),
process (“best practice”), skilled people (both in-house and 3rd party experts) and comprehensive security products.
It’s a tall order – but help is available via Internet Security Systems, who provides a full range of software
and services that dynamically detect, prevent and respond to hybrid threats, across networks, servers and desktops.
About Internet Security Systems (ISS)
Founded in 1994, Internet
Security Systems (ISS) (Nasdaq: ISSX) is a world leader in software and services that protect critical online resources from
attack and misuse. ISS is headquartered in Atlanta, GA, with additional operations throughout the United States and in Asia,
Australia, Europe, Latin America and the Middle East.
Copyright © 2001 – 2002, Internet Security Systems, Inc. All rights reserved worldwide.