[ISN] Delivering the 12kb Bomb

From: InfoSec News (isn@private)
Date: Thu Mar 18 2004 - 00:33:07 PST

  • Next message: InfoSec News: "Re: [ISN] Symantec: Boom Times For Hackers"

    http://www.theregister.co.uk/content/55/36345.html
    
    By Kelly Martin
    SecurityFocus
    Posted: 17/03/2004
    
    The average size of email-bourne viruses so far this year has been 
    well under 20 kilobytes. A young virus writer, sitting in his 
    underwear in his parent's dark basement, takes a hex editor and 
    modifies a few bytes of the latest Netsky.M (16.5kb), Beagle.J (12kb) 
    or Mydoom.G (20kb) mutation, spawns a new virus variant, and then 
    releases it into the wild. The resulting few thousand compromised 
    machines, a conservative estimate perhaps, will sit naked as drones or 
    "bots" on the Internet, waiting patiently for their summons and 
    commands. 
    
    A mere 12 kilobytes of action-packed code is impressive. For a 12 
    kilobyte Beagle, you get total system compromise, plus a highly 
    effective spam engine. This short column, in comparison, is about 29kb 
    of plain text and HTML. A 12 kilobyte binary is thus very small. The 
    latest code that brings a Microsoft computer to its knees is small 
    enough that it could be silk-screened onto an extra-large t-shirt: a 
    walking time bomb, if you will. With today's monolithic software 
    programs and operating systems, often barely fitting compressed on a 
    CD-ROM, it's easy to see how small bits of malicious code can slip 
    under the radar. 
    
    
    David vs. Goliath 
    
    I still remember the days, many computer-years ago now, when 
    BackOrifice and SubSeven Trojans first came out. At just over 100kb, 
    they were impressive in their day. Back then most people were running 
    Windows 98, and a small 100kb email attachment could easily slip into 
    the operating system and wreak havoc without ever being noticed. Today 
    these are 100kb Trojans are monolithic in comparison to our modern 
    email-based worm-virus-backdoor-spam-engines that tend to be under 
    20kb; these old relics are still a useful footnote, however, for 
    watching the long-term evolution of malicious code. 
    
    Speaking of monolithic: Windows XP Home Edition requires approximately 
    1,572,864 kilobytes (1.5Gbytes) for a typical install, according to 
    Microsoft. Of course, it's better/faster/easier-to-use than previous 
    versions, as the advertisements say, and if you believe the literature 
    too it's also less buggy and significantly more secure. The public 
    relations spin machine for such a large company is fascinating to me - 
    Windows has become bloated into millions and millions of lines code, 
    yet it only takes a mere 12 kilobytes to provide full system 
    compromise and an annoying spam engine. The divide between David and 
    Goliath has never been greater. 
    
    Consider an analogy on the size of modern malicious code: if Windows 
    XP were the size of the Empire State Building, then the little barking 
    Beagle virus - the size of a small dog - can come in through the front 
    door, lift its leg, deliver its payload, and somehow cause the entire 
    building to come crumbling down. Or, Beagle can simply hold the door 
    open automatically, so that a large cement truck can drive in and 
    deliver its mystery payload to the base of the operating system as 
    required. 
    
    
    When Size Matters 
    
    The latest craze in the virus-worm-spam war has seen computer worms 
    crawling inside of other computer worms - like watching maggots crawl 
    on top of each other as they make their way through a tender piece of 
    meat. Some of the latest worms found in the wild have multi-vector 
    propagation algorithms and also make use of previous viral infections 
    by Beagle and Mydoom. So basically you start with 12kb of code, 
    whereby Beagle slips into your email and under the radar, opens a 
    backdoor, and then gets automatically disabled and replaced later in 
    the week by a yet-more malicious and larger piece of worm code - 
    perhaps new code that tunnels the user's GUI onto the Internet, 
    provides full remote-control capabilities, records keystrokes and 
    searches for a user's sensitive data. 
    
    Worms are crawling on top of worms, eating out holes in Microsoft's 
    dominant operating systems like a giant piece of swiss cheese in front 
    of thousands of tiny, malicious rats. I do not know to what extent 
    Microsoft's code is scrutinized through an exhaustive security audit, 
    but two years after Bill Gates' long-heralded announcement the holes 
    in the cheese are larger than they've ever been. 
    
    It is no wonder that dozens of virus variants appear just a week or 
    two after the first incarnation is released into the wild - fitting a 
    backdoor and a highly effective SMTP spam engine into a mere twelve 
    kilobytes of code is not easy, and many young programmers want to 
    learn how it's done. Microsoft could learn a few things from these 
    bright, if mis-aligned, people to help them write more efficient code. 
    
    Perhaps with more efficient code, Windows XP on a modern AMD Athlon, 
    Intel Pentium or Celeron with a gig of RAM would actually run more 
    quickly and be more secure than Windows NT was on an old P-100 with 32 
    Mb of RAM. Who knows? For now we're stuck with millions and millions 
    of lines code compiled into a giant operating system that can be wiped 
    out of existence remotely with nothing but a small 12 kilobyte piece 
    of code, launched by someone in his underwear on the other side of the 
    world. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Mar 18 2004 - 03:00:19 PST