Preparing for the Superworm at the Front Lines

Imagine a war in which the combatants are invisible and the weapons they bear are hidden in trickery and stealth. Now picture that war being waged on a battlefield consisting not of desert fields but of thousands of ragtag computers in bedrooms, dens and corporate cubicles across America. The attacks in this war take place silently while Ma and Pa write e-mail to Johnny at college. Office workers huddled over their keyboards inadvertently join the fray with a daily onslaught of corporate e-mail exchanges.

These battles are waged through virus-compromised computers tethered to the Internet, and the casualties reach into the billions of dollars as targeted corporate Web addresses or key government Web servers are brought to their knees. According to the mi2g Intelligence Unit, the recent MyDoom outbreak caused US$43.9 billion in economic damage in 215 countries.

Welcome to the age of cyberterrorism.

Regardless of whether the attackers are traditional domestic criminals or avant-garde computer fanatics in far-away lands, Internet security experts told TechNewsWorld that defending corporate and government networks against Internet attackers amounts to little more than playing duck-and-recover with the intruders.

In a feature last week, TechNewsWorld spoke with analysts and security experts to pose the following question: “Is the Superworm a Mere Myth?” In today’s article, we explore strategies for fighting the superworm on the front lines. Efforts are indeed under way to build better defenses, but most analysts say it is unlikely that new defense strategies will develop in time to deflect the superworm attacks expected to occur this year.

Improving the Worm

“So far, there hasn’t been a lot of improvement in the quality of worms, but they will be better and bigger as new holes aren’t plugged,” said Jerry Brady, CTO of Guardent, an Internet security services company that recently signed a deal to be acquired by VeriSign. “So far, they haven’t been well thought-out to be more effective.”

That’s a surprising statement, considering the widespread effect of the recent MyDoom outbreak. But Brady said we haven’t seen a really big superworm attack yet because worms haven’t evolved to a point at which they can react and adapt to changes in defense strategies in real-time. In fact, he is a little bit surprised that worm engineering has not progressed more rapidly. He said he believes virus writers are holding back to minimize the risk of getting caught.

“But when someone is actually running a controlled channel to modify the worm in progress and react to the defenses put up against it, we will be in trouble,” said Brady. And when that happens, warned Samuel J. Curry, vice president of eTrust solutions at Computer Associates, “There is nothing on a national scale today to deny a spiraling attack from a superworm.”

New Defense Strategies

Curry said he thinks the MyDoom worm showed signs that it could become the superworm that everyone has feared. “MyDoom.B can upgrade MyDoom.A,” he noted. “The last major virus breakthrough we saw was the transition from CodeRed to Nimda.”

He added that the typical superworm defense plan is based merely on detection and reaction. “There is not much being done yet to stop it.” The solution to preventing superworm damage lies in Internet security experts taking the same kind of steps taken by real-world security agents.

People in the United States are now more aware of security issues at airports, schools and job sites. Now, people must become aware of Internet safety — whether on their home computers or their corporate networks.

“We have to treat Internet threat levels the same as we respond to real-world threats. Everything online is mirrored in the real world. This is a coming of age for the Internet,” Curry told TechNewsWorld.

Control the Gateway

In today’s Internet battles, the generals are the IT security experts who lock down corporate and government computer systems. One of the most effective tools for blunting a superworm is also one of the simplest: screening and authenticating e-mail at the mail server before it leaves the organization, so that an infected desktop cannot use the corporate relay to spread. Yet this basic control is not widely deployed.

“We have to put outbound controls at the server level to screen out viruses,” Guardent CTO Brady told TechNewsWorld. “People have to stop accepting e-mail from anyone not approved and checked.”
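Brady’s “outbound controls at the server level” is a policy a mail relay can enforce mechanically. The following is an added example, not code from this article or from Guardent: a Python relay policy that refuses to pass a message unless the envelope sender is an authenticated local account whose address also appears in the From: header, rejects any executable attachment (including double-extension names such as document.txt.scr), and rate-limits a sender that suddenly emits mail at worm-like volume. The domain example.com, the extension list, the limits, the reject strings and the sample messages are all assumptions constructed for the example.

```python
"""Outbound mail-relay screening, an added example (not the article's or Guardent's code).

The relay refuses to pass a message unless the envelope sender is an
authenticated local account whose address appears in the From: header, the
message carries no executable attachment, and the sender has not exceeded a
per-window volume. LOCAL_DOMAIN, the extension list, the limits and the
sample messages are assumptions constructed for this example.
"""
from collections import defaultdict, deque
from email import message_from_string

LOCAL_DOMAIN = "example.com"                       # assumed local domain
EXEC_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs"}
RATE_LIMIT = 20                                    # assumed: messages per sender per window
RATE_WINDOW = 60.0                                 # seconds

REJECT_AUTH = "sender is not an authenticated local account"
REJECT_FROM = "From: header does not match envelope sender"
REJECT_RATE = "sender exceeded outbound rate limit"
REJECT_ATTACH = "executable attachment"


class OutboundPolicy:
    def __init__(self, authenticated_users):
        self.authenticated_users = {u.lower() for u in authenticated_users}
        self.sent_times = defaultdict(deque)       # sender -> timestamps of relayed mail

    @staticmethod
    def executable_attachments(msg):
        """Yield attachment names whose extension chain contains an executable type
        (catches double-extension tricks such as 'report.doc.scr')."""
        for part in msg.walk():
            name = part.get_filename()
            if not name:
                continue
            extensions = name.lower().split(".")[1:]
            if any(ext in EXEC_EXTENSIONS for ext in extensions):
                yield name

    def check(self, raw_message, envelope_from, now):
        """Return (accept, reason) for one outbound message at time `now` (seconds)."""
        sender = envelope_from.lower()
        # 1. Only approved, authenticated local accounts may relay outbound.
        if not sender.endswith("@" + LOCAL_DOMAIN) or sender not in self.authenticated_users:
            return False, REJECT_AUTH
        msg = message_from_string(raw_message)
        # 2. Worms forge From:; require it to carry the authenticated address.
        if sender not in (msg.get("From") or "").lower():
            return False, REJECT_FROM
        # 3. Volume check: a desktop that suddenly sends hundreds of messages is
        #    behaving like a worm's SMTP engine, whatever the content. Attempts
        #    rejected later for content still count toward the limit.
        times = self.sent_times[sender]
        while times and times[0] < now - RATE_WINDOW:
            times.popleft()
        if len(times) >= RATE_LIMIT:
            return False, REJECT_RATE
        times.append(now)
        # 4. Content check: no executable attachments leave the site.
        bad = list(self.executable_attachments(msg))
        if bad:
            return False, f"{REJECT_ATTACH}: {', '.join(bad)}"
        return True, "accepted"


def make_message(from_header, filename):
    """Build a constructed two-part MIME message with one attachment."""
    return (
        f"From: {from_header}\n"
        "To: bob@partner.test\n"
        "Subject: Q1 figures\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "See attached.\n"
        "--b1\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "QUJD\n"
        "--b1--\n"
    )


if __name__ == "__main__":
    policy = OutboundPolicy(["alice@example.com"])
    clean = make_message("Alice <alice@example.com>", "figures.xls")
    forged = make_message("Bob <bob@partner.test>", "document.txt.scr")
    print(policy.check(clean, "alice@example.com", 0.0))
    print(policy.check(forged, "alice@example.com", 1.0))
    print(policy.check(forged, "bob@partner.test", 2.0))
```

The checks are ordered cheapest first: the authentication and From: checks need no message parsing beyond a header, the rate check needs only a timestamp, and attachment inspection runs last. Counting rejected attempts toward the rate limit is deliberate, since a worm that is blocked on content will keep trying.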

Brady sees consumers’ attitude as a big part of the missing defense in the war against superworms. Too many people, he points out, continue to treat e-mail as if it were the U.S. Postal Service’s registered mail: a trusted, verified delivery service. He said people are not adapting to a new medium and applying adequate safety procedures.

“We need more concern for changing the way people use the Internet. We need a change in their mindset,” he noted, adding that before drastic defensive measures are taken, people will have to say that enough is enough. Only then will we see a national shift from tactical defense to strategic defense.

Deny Unsafe Access

Mike Paquette, vice president of product management at Top Layer Networks, said the best superworm defense consists of a combination of educating users and developing better technology. It is essential, he believes, for network administrators to develop technology that will deny Internet access to any computer that is not certified as clean of viruses.

“This will require a pretty big change in the infrastructure,” Paquette told TechNewsWorld. “It will also mean a better balancing of inconvenience and cost.”

Louis A. Jurgens, executive vice president of security software maker SAGE, is convinced that making the Internet safe can only occur as a result of changing user models. “Get the world to adopt process-based security and we’d stop this nonsense,” he said.

“The superworms are successful because of the basic security model inherent in almost all computer systems: user-based security,” said Jurgens. He wants to see software developers change the user-based security model to a process-based model. If they did, he argues, worms and viruses would be severely limited and perhaps even completely eliminated.

The problem, he pointed out, is that user-based security is easy for application builders, while process-based security is harder to develop. “It means forcing applications and systems people to build access-control tables for every program, a daunting task for most,” according to Jurgens.
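The difference Jurgens draws can be made concrete by evaluating the same requests under both models. The following is an added example, not code from this article or from SAGE: a Python model in which the user-based rule gives every program the account’s full rights, while the process-based rule consults a per-program access-control table and denies anything a program’s table does not list. The program names, paths, tables and the sequence of worm requests are constructed assumptions.

```python
"""User-based versus process-based access control, an added example.

Not code from the article or from SAGE: it evaluates the same requests
under the user-based rule (a process inherits every right of the account it
runs as) and under a process-based rule (each program carries its own
access-control table and an unlisted program gets nothing). Program names,
paths and tables are constructed assumptions.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Request:
    program: str   # executable that issued the request
    user: str      # account it runs under
    op: str        # "read", "write" or "connect"
    target: str    # file path or host:port


# User-based model: rights attach to the account, so every program the user
# runs (including a worm launched from a mail attachment) gets all of them.
USER_RIGHTS = {
    "alice": {
        "read": ["C:/Users/alice/*", "C:/Windows/*"],
        "write": ["C:/Users/alice/*"],
        "connect": ["*:*"],
    },
}

# Process-based model: the access-control table Jurgens describes, one per
# program, listing only what that program needs to do its job.
PROGRAM_RIGHTS = {
    "mailclient.exe": {
        "read": ["C:/Users/alice/Mail/*", "C:/Users/alice/Contacts/*"],
        "write": ["C:/Users/alice/Mail/*", "C:/Users/alice/Downloads/*"],
        "connect": ["mail.example.com:25", "mail.example.com:110"],
    },
    "wordproc.exe": {
        "read": ["C:/Users/alice/Documents/*"],
        "write": ["C:/Users/alice/Documents/*"],
        "connect": [],
    },
}


def _matches(patterns, target):
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def user_based_allows(req):
    rights = USER_RIGHTS.get(req.user, {})
    return _matches(rights.get(req.op, []), req.target)


def process_based_allows(req):
    rights = PROGRAM_RIGHTS.get(req.program)
    if rights is None:            # default deny: no table, no access
        return False
    return _matches(rights.get(req.op, []), req.target)


# What a mass-mailing worm does once its attachment is opened from the mail
# client, then as its own dropped executable (constructed sequence).
WORM_REQUESTS = [
    Request("mailclient.exe", "alice", "read", "C:/Users/alice/Contacts/book.wab"),     # harvest addresses
    Request("mailclient.exe", "alice", "write", "C:/Users/alice/Startup/dropper.exe"),  # persist at logon
    Request("mailclient.exe", "alice", "connect", "mx.victim.test:25"),                 # own SMTP engine
    Request("dropper.exe", "alice", "read", "C:/Users/alice/Contacts/book.wab"),        # dropped copy
    Request("dropper.exe", "alice", "connect", "mx.victim.test:25"),
]


def compare(requests=WORM_REQUESTS):
    """Return [(program, op, target, allowed_user_based, allowed_process_based), ...]."""
    return [(r.program, r.op, r.target, user_based_allows(r), process_based_allows(r))
            for r in requests]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Under the user-based model every request succeeds, because the worm runs as alice. Under the process-based model only the first request succeeds: the mail client legitimately needs to read the address book, so that harvest cannot be stopped by the table alone, but the worm can neither persist nor talk SMTP to arbitrary hosts, and the dropped copy has no table at all. The cost is exactly the one Jurgens names: someone has to write and maintain a table for every program.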

Better Protections Coming

Some security vendors already have developed software that approximates process-based control, such as the heuristics-based approach used by Symantec’s antivirus products. Rather than matching files against known signatures, this approach watches running processes for behavior that appears abnormal.

If a heuristics security application detects something out of place — such as an application writing abnormal information to the boot file of a Windows machine — it generates an alert to the user or blocks the action altogether. But such security strategies are not yet completely mature.
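Rules of that kind can be run over a process-event log. The following is an added example, not Symantec’s code: a Python detector that flags a process writing to a boot or autostart location, a non-installer dropping a file into the system directory, and a process opening SMTP connections to many distinct hosts, the last two being added here as further worm-like behaviors beyond the boot-file case the article mentions. The paths, registry keys, allow-list, thresholds and the sample events are constructed assumptions; a real sensor would take the events from file-system, registry and network hooks.

```python
"""Behavioural detection over a constructed process-event log, an added example.

Not Symantec's code: each event records which process did what to which
object, and three rules flag the kinds of abnormal behaviour the article
describes. Paths, registry keys, thresholds and events are constructed
assumptions; a real sensor would take these from file-system, registry and
network hooks.
"""
from collections import defaultdict
import fnmatch

# Locations whose modification makes code run at boot or logon (lower-case patterns).
AUTOSTART_LOCATIONS = [
    "c:/boot.ini",
    "hklm/software/microsoft/windows/currentversion/run/*",
    "hkcu/software/microsoft/windows/currentversion/run/*",
    "c:/users/*/startup/*",
]
SYSTEM_DIR = "c:/windows/system32/*"
TRUSTED_INSTALLERS = {"msiexec.exe", "setup.exe"}   # assumed allow-list
SMTP_FANOUT_THRESHOLD = 5                             # distinct port-25 peers per process


def _matches(patterns, target):
    t = target.lower()
    return any(fnmatch.fnmatchcase(t, p) for p in patterns)


def detect(events):
    """Return sorted (pid, image, rule) alerts, at most one per process per rule.

    events: iterable of dicts with keys pid, image, op ("write"/"connect"), target.
    """
    alerts = set()
    smtp_peers = defaultdict(set)
    for e in events:
        pid, image, op, target = e["pid"], e["image"].lower(), e["op"], e["target"]
        # Rule 1: anything touching a boot/autostart location is worth an alert.
        if op == "write" and _matches(AUTOSTART_LOCATIONS, target):
            alerts.add((pid, image, "autostart_write"))
        # Rule 2: only installers should be dropping files into the system directory.
        if op == "write" and _matches([SYSTEM_DIR], target) and image not in TRUSTED_INSTALLERS:
            alerts.add((pid, image, "system_dir_drop"))
        # Rule 3: a mail client talks to one relay; a worm's SMTP engine fans out.
        if op == "connect" and target.endswith(":25"):
            smtp_peers[(pid, image)].add(target.rsplit(":", 1)[0].lower())
            if len(smtp_peers[(pid, image)]) >= SMTP_FANOUT_THRESHOLD:
                alerts.add((pid, image, "smtp_fanout"))
    return sorted(alerts)


# Constructed log: one ordinary desktop session plus one worm process (pid 4242).
SAMPLE_EVENTS = [
    {"pid": 100, "image": "mailclient.exe", "op": "write", "target": "C:/Users/alice/Mail/inbox.dbx"},
    {"pid": 100, "image": "mailclient.exe", "op": "connect", "target": "mail.example.com:25"},
    {"pid": 200, "image": "msiexec.exe", "op": "write", "target": "C:/Windows/System32/newdriver.dll"},
    {"pid": 4242, "image": "dropper.exe", "op": "write", "target": "C:/Windows/System32/dropper.exe"},
    {"pid": 4242, "image": "dropper.exe", "op": "write",
     "target": "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/dropper"},
] + [
    {"pid": 4242, "image": "dropper.exe", "op": "connect", "target": f"mx{i}.victim.test:25"}
    for i in range(1, 7)
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The three benign events produce nothing, including the installer’s write to the system directory, while the worm process trips all three rules. The allow-list in rule 2 is where such heuristics earn their reputation for false positives: every legitimate updater that is not on it will alert, which is the immaturity the article goes on to note.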

“The Internet is a wild frontier. We need to protect it. The Internet can now be used against us,” warned Computer Associates’ Curry. The only way to protect the Internet now in the event of a superworm, he believes, would be to shut down access to the Internet altogether when potential threats are found.

In the meantime, the network of detection and response is working, according to Curry. “In time, the next level of security will be in place. We are planting the buds now that will blossom into trees,” he said.

By Jack M. Germain