Expert Reference Series of White Papers

Preparing for
Tomorrow’s Threat
Today:
What We Can Learn
from the History of
Malware and Defenses
1-800-COURSES www.globalknowledge.com
Preparing for Tomorrow’s Threat Today:
What We Can Learn from the History of Malware and Defenses
Mike Gregg, CISA, CISSP, CISM, MCSE, CTT+, A+, N+, Security+, CNA

Introduction
There is one given in the IT security realm and that is change. The challenges faced by security professionals
a decade ago are much different than the challenges we face today. Not long ago, hackers concentrated their
efforts on malicious software that was designed for recognition, fame, and glory. Attack vectors of the 21st cen-
tury have changed; now, many attacks are financial in nature. Current FBI estimates indicate that malicious soft-
ware and attacks targeting identity theft cost American businesses and consumers more than $50 billion a year.
Yesterday’s virus is today’s custom malware, while denial of service attacks have been replaced with botnets.

Early Attacks
While it might be nice to believe that there was a time when malware did not exist, the truth is that malware
has been around almost since the beginning of the computer age. The phrase “computer virus” came into
existence in 1984 when Fred Cohen was working on his doctoral thesis. In his thesis, he was discussing self-
replicating programs, and an advisor suggested he call them computer viruses.

About this time, programmers started writing self-replicating code. Ralf Burger, a German computer systems
engineer, created one of the first self-replication programs, Virdem, in 1985. Interest in these programs led Mr.
Burger to give the keynote speech at the Chaos Computer Club later that year. His discussion on computer
viruses encouraged others in this emerging field. Soon, many viruses started to be released into the wild. One
early computer virus that spread around the world was the Brain virus. The Brain virus was written by two broth-
ers in Pakistan. The Brain virus targeted a floppy disk by infecting its boot sector. It had full-stealth capability
built in. Systems that boot to DOS look for files like io.sys, command.com, config.sys, and autoexec.bat; if these
files are tainted, the computer will load the virus into memory and infect other users that inserted a floppy disk
into the infected system. The brothers thought the virus would bring them business and notoriety. While they did
end up getting many calls to their business, most who called were upset. In the end, the brothers were forced to
change their phone number to escape the flood of negative calls.

Other early attacks have a similar story. Consider the Melissa virus, which was written by David Smith. The goal
of the virus was to get the attention of the girl he named the virus after. In 1999, at the height of the infection,
more than 300 corporations’ computer networks were taken completely off line. The virus, which also had the
traits of a worm, used the victim’s email account to send the malware to others. Because the virus appeared to
come from someone the victim knew and probably trusted, a large portion of the public was tricked into open-
ing the infected document. Melissa not only spread itself via email, but it also infected the Normal.dot template
file that is typically used to create Word documents. By performing this function, the virus would then place

Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 2

a copy of itself within each file the user created. As a result, one user could easily infect another by passing
infected documents. David Smith was identified and eventually sentenced to five years in prison. Today, viruses
have evolved into many different categories including boot sector, stealth, polymorphic, multipart, self-garbling,
and meme.

Early Defenses
Defenses against these early attacks included anti-virus, IDSs, and vulnerability assessment. Anti-virus programs
can use one or more techniques to check files and applications for viruses. Signature scanning anti-virus pro-
grams work in a similar fashion as IDS pattern matching systems. Signature scanning anti-virus software looks
at the beginning and end of executable files for known virus signatures, which are nothing more than a series
of bytes found in the viruses code. Heuristic scanning is another method that anti-virus programs use. Software
designed for this function examines computer files for irregular or unusual instructions. Integrity checking can
also be used to scan for viruses. Integrity checking works by building a database of checksums or hashed values.
These values are saved in a file. Periodically, new scans occur and the results are compared to the stored results.
While not very effective for data files, this technique is useful for programs and applications as the contents
of executable files rarely change. Activity blockers can also be used by anti-virus programs. An activity blocker
intercepts a virus when it starts to execute and blocks it from infecting other programs or data.

One way to verify your anti-virus program is working is the EICER test. If you copy the following string into a
text file and rename it as an executable, your anti-virus should flag it as a virus.

X5O!P%@AP[4\PZX54(P^)7CC)7$EICAR-STANDARD-ANTIVIRUS-TEST-
FILE!$H+H*

It is not actually a virus, the code is harmless. It’s just a tool developed by the European Institute of Computer
Anti-virus Research (EICER) used to test the functionality of anti-virus software. Virus creators attempt to cir-
cumvent the signature process by making viruses polymorphic.

Another early defense was intrusion detection. The idea of intrusion detection was introduced in 1980 with
James Anderson’s paper, Computer Security Threat Monitoring and Surveillance. Dr. Dorothy Denning built upon
this work when she began working on the first deployable IDS designed to monitor user access to government
mainframes and create profiles of users based upon their activities. Later, in 1997, ISS developed one of the first
commercial network intrusion detection systems called RealSecure. A year later, in 1998, Martin Roesch led the
development of Snort.

Intrusion detection engines or techniques can be divided into two distinct types or methods, anomaly and signa-
ture. An anomaly-based IDS has the ability to learn normal behavior and alert administrators when something
out of the ordinary occurs. A signature-based or pattern-matching IDS system relies on a database of known
attacks. These known attacks are loaded into the system as signatures. As soon as the signatures are loaded
into the IDS, it can begin to guard the network. The signatures are usually given a number or name so that the
administrator can easily identify an attack when it sets off an alert. Alerts can be triggered for fragmented IP
packets, streams of SYN packets (DoS), or malformed ICMP packets. The alert might be configured to change

Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 3

the firewall configuration, set off an alarm, or even page the administrator. While the development of the IDS
helped security professionals track what attackers were doing, these tools are detective in nature and did little
to prevent attacks.

Vulnerability assessment tools were another early defense that caused the big changes in the security arena.
In the early 1990s, two well known security professionals, Dan Farmer and Wietse Venema, wrote a landmark
paper titled “Improving the security of your site by breaking into it.” They went on to code the first automated
penetration tool known as SATAN (System Administrator Tool for Analyzing Networks). Dan Farmer was actu-
ally fired from his job at Sun for development of the program. At the time, some people believed that such
tools would aid the attackers more than security professionals. Vulnerability assessment tools provided security
professionals a way to easily examine what ports were open on a system or network.

A New Century Brings New Threats

While many IT shops were focusing on Y2K bug, attackers were busy thinking up new ways to bypass early
defenses. As an example, the term spyware was not even used until around the year 2000. Zone Labs was one of
the first to use the phrase “spyware” when it stated, “A computer with an always-on connection has a perma-
nent IP address, which makes it especially vulnerable to Spyware attacks.” Since the year 2000, there has been
a huge increase in spyware, extortion-ware, and attacks focused on making money. Spyware is not just one type
of program. It’s an entire category of malicious software that includes adware, Trojans, keystroke loggers, and
information-stealing programs. These programs have become increasingly intelligent. Many have the capabil-
ity to install themselves in more than one location, and any attempt to remove them triggers the software to
spawn a new variant in a uniquely new location. One example is CoolWebSearch. CoolWebSearch is actually
a bundle of browser hijackers united only to redirect their victims to targeted search engines and flood them
with popup ads. Another example is Cryzip. This piece of malware was developed to extort money from anyone
infected. After encrypting all of the user’s files, the malware orders its victims to deposit a ransom into an e-gold
account to obtain the key.

The new century also brought about a rise in Botnets. Botnets are a simply a massive collection of computers
that have been compromised or infected with dormant bots or zombies. Most malware researchers estimate
that there are thousands of botnets in operation at any time. One massive botnet was used to deliver the
Storm Trojan. According to www.sophos.com, it is believed that Storm could have infected more than 50 million
computers. During its height, Storm was believed to be sending billions of SPAM messages a day. To realize the
power of a botnet of this size, imagine a botnet that has infected 10,000 home users across the United States;
if each of these compromised computers has nothing more than a basic 56k dial-up connection to the Internet,
the collective bandwidth adds up to 56 gigabits of bandwidth. For an explanation of how Storm functions, take
a moment to review http://en.wikipedia.org/wiki/Storm_botnet.

New Defenses
Defenses have had to evolve to meet threats of this size and potential. Anti-spyware, intrusion prevention, and
next-generation vulnerability assessment tools are three such defenses. Running anti-spyware programs has
become an accepted practice and a part of routine computer security practices. Some well-known anti-spyware
programs include Spybot Search & Destroy, Microsoft Windows Defender, Webroot Spy Sweeper, MacAfee Virus

Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 4

Scan, and Anti Spyware. Anti-spyware best practices can be found at http://www.onguardonline.gov/topics/spy-
ware.aspx.

Intrusion prevention systems (IPSs) are seen as an extension to intrusion detection. The term “Intrusion Preven-
tion System” was first used by Andrew Plato and represented a step forward from traditional IDSs. An IPS takes
a more proactive approach than the IDS. Whereas an IDS is seen as a detective control, an IPS is seen as a pre-
ventive control. When an IPS is deployed, it monitors the network for malicious or unwanted behavior and can
react in real-time to block or prevent those suspect activities. As an example, if a user brings a laptop to work
that is infected with a virus, an IPS can detect the virus and place the laptop user on a separate VLAN that only
has access to an anti-virus update.

One of the first commercial IPSs that was developed was StormWatch in 2001. StormWatch used a kernel-based
analysis of malicious traffic that built on access control rules based on acceptable behavior. While the concept
of an IPS overcame many of the problems associated with IDS, it still lacked a means of testing the efficiency of
such systems.

In 2002, TippingPoint developed the IPS testing tool Tomahawk to help build a standard means of testing an IPS.
Today, Tomahawk is freely available for testing any IPS or intrusion detection system (IDS) and is available at
http://tomahawk.sourceforge.net/.

Next-generation vulnerability assessment tools started to appear around the year 2000. One such tool, Nessus,
is a powerful, flexible security scanning and auditing tool. It takes a basic “nothing for granted” approach. The
concept of Nessus was first developed in the late 1990s by Renaud Deraison and was conceived to be an open-
source program. The design used community support to allow for fast updates. This open design would allow
community members to develop their own plug-ins for their use or use by the community. Nessus has evolved
since these early days and is used as a component of commercial products designed by IBM, VeriSign, Counter-
pane Internet Security, Symantec, ScannerX, and others. The Nessus Client and Server Model offers a distributed
means of performing vulnerability scans. Nessus tells you what is wrong and provides suggestions for fixing a
given problem. You can learn more about Nessus at http://www.nessus.org/nessus/. The basic components of
Nessus include.
• The Nessus Client and Server Model
• The Nessus Plugins
• The Nessus Knowledge Base

Bleeding-Edge Threats
The third and final section of this paper examines the future of malware and the defenses needed to counter
these bleeding-edge attacks. While attacks are still focused on making money, the motives are changing. Current
trends indicate that computer crime is no longer the exclusive realm of the underworld and organized crime.
Corporate espionage and government-sponsored spies are two emerging threats. These new attack vectors use
a variety of techniques such as social engineering and spear phishing to perform surgical strikes designed to
gain information, access, or data. These attacks can result in financial loss, and the loss of government secrets,
corporate secrets, or highly sensitive information.

Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 5

Consider the following examples. In 2002, the CEO of Qualcomm reported a laptop stolen that contained highly
sensitive data that could be of great value to foreign governments. The lack of encryption made this loss of data
even more damaging.

In 2007, the first recorded nation state DDoS attack was launched against Estonia. During this time, Estonia
came under a series of attacks that brought its Internet communications to its knees. Estonian institutions and
businesses were targeted. The attack was motivated by the removal of a Soviet war memorial from the center of
Tallinn, Estonia. Moving this Bronze Soldier was seen as an insult to the memory of Russian soldiers who were
killed during World War II. Emerging attack vectors show a willingness by attackers to bring down networks to
cause financial damage to the victim.

In 2008, four members of an Israeli private investigation firm were jailed after being found guilty of using cus-
tom malware to spy on and steal commercially sensitive information from a variety of companies, including the
HOT cable television group and a large mobile phone operator. In 2008, it was also reported that U.S. authorities
were investigating whether Chinese officials secretly copied the contents of a government laptop computer dur-
ing a visit to China by Commerce Secretary Carlos M. Gutierrez. Other new attacks have focused on
• The iPhone - First iPhone Trojan in 2008 targeted a fake phone firmware 1.1.3 prep
• iPod and solid state music devices - Podslurp allows the attacker to steal confidential information from
a business by loading malware on the portable device
• P ortable storage - USB attacks (Hacksaw, Switchblade, Dumper) that use storage devices to steal sensi-
tive data

Many new attacks have been developed to take advantage of the proliferation of USB ports and devices. The
attackers’ tools are capable of a range of activities from stealing information to running Nmap and other vulner-
ability scans, and sending the data to remote locations. USB thumb drives are now even being used to execute
USB-driven worms.

Bleeding-Edge Defenses
Just as attackers have opened new fronts in the ongoing cyber war, security professionals have been working on
new defenses. Defenses include Intrusion Detection and Prevention (IDP), Network Access Control (NAC), and
advanced penetration tools.

Systems designed to detect and defend against intrusions have matured into hybrid devices, so much so, that by
2006, the US government started to refer to such devices as Intrusion Detection and Prevention Systems (IDPS).
This was solidified with the release of NIST 800-94 , A Guide to Intrusion Detection and Prevention Systems,
which defined IDS and IPS as follows: “IDS and IPS technologies offer many of the same capabilities, and admin-
istrators can usually disable prevention features in IPS products, causing them to function as IDSs.”

Another emerging defense is Network Access Control (NAC). NAC offers administrators a way to verify that de-
vices meet certain health standards before they’re allowed to connect to the network. Laptops, desktop comput-
ers, or any devices that do not comply with predefined requirements can be prevented from joining the network

Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 6

or can even be relegated to a controlled network where access is restricted until the device is brought up to the
required security standards. NAC can help achieve optimal network security by providing the following.
1. Access control: Organizations face special challenges in tracking who has access to the network and if
the level of access they have is appropriately set.
2. Malicious code: Most attacks against small businesses are automated and potentially debilitating to
the business. These attacks can appear as viruses, worms, Trojans, and bots.
3. Mobile device security: Mobile devices such as USB drives, iPods, and camera phones allow data and
information to be moved in and out of the network without normal access controls, creating a definite
security hazard.

There are several different incarnations of NAC available. These include infrastructure-based NAC, endpoint-
based NAC, and hardware-based NAC.

Vulnerability and penetration tools have also advanced since the development of tools such as SATAN. Today,
many third-generation security assessment tools are available, as are tools that can be used to simulate an at-
tack against a network. Metasploit, released around 2003, is one such tool. According to the Metasploit website,
“the Metasploit Framework is a development platform for creating security tools and exploits. The framework is
used by network security professionals to perform penetration tests, system administrators to verify patch instal-
lations, product vendors to perform regression testing, and security researchers world-wide.” Metasploit is an
attack platform with three basic ways that it can be controlled. These methods include
• The msfweb – A simple point-and-click interface
• The msfconsole – A console-based interface
• The msfcli – A command line interface

The basic approach includes

1. Selecting the exploit module to be executed
2. Choosing the configuration options for the exploit options
3. Selecting the payload and specifying the payload options to be entered
4. Launching the exploit and waiting for a response

Summary
It has been said that those who fail to learn from the past are doomed to repeat it, and there is a lesson to be
learned in this message for security professionals. Many times, we get lulled into thinking that security means
protection against current threats. But the truth is that attackers are always looking for the next attack vector
and for new ways to target an organization’s IT resources. What is needed is a sound methodology that can be
used to help protect from yesterday’s, today’s, and tomorrow’s attack vectors. This includes
1. Risk assessment
2. Policy
3. Implementation

Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 7

 4. Training
5. Audit

Using a methodology as shown here on a periodic basis helps companies reassess critical assets, practice
defense in depth, and apply the principle of least privilege effectively. Risk assessments, asset valuation, and
periodic reviews of threats and vulnerabilities should drive the security process.

Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out the following Global Knowledge courses:
Certified Ethical Hacker
Essentials of Information Security - Security+
CISA Prep Course
Defending Windows Networks

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a
sales representative.

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our
expert instructors draw upon their experiences to help you understand key concepts and how to apply them to
your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning,
and On-site sessions, to meet your IT and management training needs.

About the Author

Michael Gregg has 20 years’ information security experience. Mr. Gregg is the CTO of Superior Solutions, Inc., a
Houston-based IT security consulting and auditing firm. Mr. Gregg has led security risk assessments, establishing
security programs within top corporations and government agencies. He is an expert in security risk assessment,
security risk management, security criteria, and building corporate security programs.

Mr. Gregg holds two associate’s degrees, a bachelor’s degree, and a master’s degree. Some of the certifications
he holds include CISA, CISSP, CISM, MCSE, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CEH,
CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and SSCP.

In addition to his experience performing security assessments, Mr. Gregg has authored or coauthored more than
10 books, including Certified Ethical Hacker Exam Prep (Que), CISSP Exam Cram 2 (Que), Build Your Own Net-
work Security Lab (Wiley), and Hack the Stack (Syngress). Mr. Gregg has created more than 15 security-related
courses and training classes for various companies and universities.

Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 8