December 2002 — Special Feature
Blended Threats - A Deadly Duo of Hackers and Mobile Code
Uses multiple attack methods. A blended threat will attempt to attack a system in a number of different ways. For example, Nimda injected malicious code into each EXE file on the system, created readable and writable network shares worldwide, made numerous registry changes, injected script code into HTML files, etc. Cleanup was particularly difficult because of all the points of damage.
Automated. Typically, viruses require some human intervention to spread, such as sending an infected file to another user, or simply opening an e-mail attachment to trigger the propagation. Blended threats are automated, continuing to spread without human intervention. This can include scanning the Internet for vulnerable servers to infect and using their own mail (SMTP) server to send out infected e-mails.
Exploits vulnerabilities. One of the most dangerous aspects of a blended threat is that it can exploit vulnerabilities. This often results in unauthorized administrative access to servers, opening up the information stored on the server. Typically, blended threats exploit known vulnerabilities such as buffer overflows, HTTP input validation vulnerabilities, known default passwords, etc., which can be easily mitigated with existing operating systems and application security patches. Unfortunately, many systems are not up-to-date with the latest patches.
Multiple propagation methods. Multiple methods of propagation can make containment of the threat a challenge. A blended threat can automatically exploit one of many vulnerabilities to compromise a system. Even if one security patch eliminates one vulnerability, another unpatched vulnerability or misconfiguration of the system may allow compromise.
Proof of Concept
By combining these characteristics, blended threats have the potential to be more prolific and deliver more damage than the typical virus or worm. A single security technology on its own is not sufficient to defend against these blended threats, as Nimda and CodeRed demonstrated. Even with firewall and anti-virus technologies implemented at some level in many schools and businesses today, these blended threats were still able to cause billions of dollars in damages to systems worldwide.
Many blended threats are still “proof of concept,” meaning the concept seems possible and has been implemented, but it has not, for one reason or another, ever been released into the real world. However, users are increasingly at risk of attacks in the wild due to: