Blended Threats - A Deadly Duo of Hackers and Mobile Code


Imagine living in medieval times when castles and fortresses weren’t built solely as dwellings, but also for protection from outside attacks — the thicker and higher the walls, the better. Suppose one day a report comes to the king with news of suspicious activity outside of the castle’s walls. Strangers trying to find a way in are caught at the gate. The king discusses the situation with his advisors and decides to build a wall of fire that will circle the castle. For years the problem seems to be solved, until intruders start pouring buckets of water on the “firewall” to create a safe channel to the castle’s gate. A battle follows the security breach; and after recovering from the attack the king decides to surround the perimeter of the castle with a moat — deep and wide enough to prevent any outsiders from entering.

All is calm until one day the king again peers over the castle walls and sees a huge mass of wood built into the shape of a horse. The king brings the structure into the castle and ultimately grants access to enemies hidden within. Another battle ensues, and he restores security to the castle. Subsequently, the king implements a policy to screen any large packages delivered to the castle.

This seems to provide the perfect solution, until one day he looks outside and sees another curious structure. It is clear that it is nearly as high as the castle, although it is still several hundred feet off in the distance. The king squints to see people scurrying about the structure’s base. Suddenly the structure jolts and he realizes a large boulder is hurtling toward the parapet on which he stands. When the king realizes the peril, it is too late to react. In an instant, the parapet is reduced to rubble, and the king is crushed. Shortly thereafter, the castle walls are destroyed as well, allowing access to the bands of intruders.

This anecdote may be dramatic, but it is reflective of how computer security threats evolve and require defenses that also evolve. For any school or classroom that uses computer technology, Internet-borne security threats are evolving and becoming increasingly dangerous. It’s obvious to many that, like the castle-dwellers of old, computer users are involved in an arms race with hackers and virus writers. This makes it imperative to understand the types of computer threats that may affect school and classroom computers and networks.

Current computer threats are capable of significant damage to systems and data, but are often hard to place in a single category, such as a “virus,” “Trojan” or even “hacker exploit.” Thus, these threats are combining to create a new type of computer security concern experts are calling “blended threats.” Hackers, those trying to gain unauthorized access to computers and computer networks, and malicious mobile code, computer viruses and worms, are increasingly working in tandem. Because of these new blended threats, instructors must learn about the types of threats that exist as well as look to IT administrators to evaluate their current security strategies and develop comprehensive, adaptable protection.

The Deadly Duo

In the past, a computer hacker crept in through an unlocked door or vulnerable window — a pre-existing hole already in the system. This was often due to bugs in computer software or poor system configuration. For example, you may wish to share files on your computer with a teacher in the next classroom, which modern operating systems allow you to do with ease. However, if your configuration isn’t carefully thought out, you might be creating a share situation that allows not only the teacher next to you to read your files, but also allows a hacker halfway across the world to access your information. Security products such as firewalls have provided a great deal of protection against these kinds of hacks, but ultimately their danger is that the computer is doing exactly what it was told to do.

Another type of threat — the computer virus — can also cause damage by destroying or altering data on school computers. Hackers traditionally haven’t written computer viruses because of the lack of control over the virus. The very nature of a virus is that it is self-replicating, and once released it propagates on its own. The author of the virus cannot say: “stop replicating,” “come back” or “just affect these people.” The infamous Melissa virus, which affected thousands of computers in 1999, is an example of how quickly such a virus can spread.

Mobile code, which is code that can move autonomously from system to system, has changed the security landscape, enabling hackers to create exploits that move from place to place without the hacker ever having to touch it. They don’t have to break in anymore; the program d'es it for them. The end results are the blended threats that computer security experts fear. Such blended threats allow perpetrators to engage in a remote dialogue with their remote control component, which has been dispersed like a virus.

Given the pervasiveness of computers in classroom and school settings, hackers can merely trick unwitting users into downloading malicious code from infected e-mail or Web sites. The code — be it part of a virus, Trojan or garden variety exploit — can then engage in remote dialogue with an unauthorized third party by opening up a port on your computer unknown to the user. Once malicious code, commonly referred to as “malware,” has been installed on a system, the hacker has full command to perform a number of activities from grabbing files off your computer to turning on your Web cam.

Blended Threats

A blended threat is a security threat that uses multiple methods to attack or propagate; examples include Sadmind, CodeRed, Nimda and Lion. For teachers to understand the potential impact of a blended threat, it is helpful to understand its unique characteristics:

  1. Causes harm
  2. Uses multiple attack methods
  3. Is automated, i.e., requires no user actions to trigger
  4. Exploits vulnerabilities
  5. May have multiple propagation methods

Causes harm. Unlike some viruses and worms, a blended threat’s goal is to cause harm rather than being destructive or simply a nuisance. For example, “W97.Quest.A” was a macrovirus that did little other than display a message. In contrast, Sadmind, a blended threat, defaced thousands of Web sites.

Uses multiple attack methods. A blended threat will attempt to attack a system in a number of different ways. For example, Nimda injected malicious code into each EXE file on the system, created read and writable network shares worldwide, made numerous registry changes, injected script code into HTML files, etc. Clean up was particularly difficult because of all the points of damage.

Automated. Typically, viruses re-quire some human intervention to spread, such as sending an infected file to another user, or simply opening an e-mail attachment to trigger the propagation. Blended threats are automated, continuing to spread without human intervention. This can include scanning the Internet for vulnerable servers to infect and using their own mail (SMTP) server to send out infected e-mails.

Exploits vulnerabilities. One of the most dangerous aspects of a blended threat is that it can exploit vulnerabilities. This often results in unauthorized administrative access to servers, opening up the information stored on the server. Typically, blended threats exploit known vulnerabilities such as buffer overflows, HTTP input validation vulnerabilities, known default passwords, etc., which can be easily mitigated with existing operating systems and application security patches. Unfortunately, many systems are not up-to-date with the latest patches.

Multiple propagation methods. Multiple methods of propagation can make containment of the threat a challenge. A blended threat can automatically exploit one of many vulnerabilities to compromise a system. Even if one security patch eliminates one vulnerability, another unpatched vulnerability or misconfiguration of the system may allow compromise.

Proof of Concept

By combining these characteristics, blended threats have the potential to be more prolific and deliver more damage than the typical virus or worm. Alone, a single security technology is not sufficient to defend against these blended threats, as was demonstrated by Nimda and CodeRed. Even with firewall and anti-virus technologies implemented at some level, in many schools and businesses today these blended threats were still able to cause billions of dollars in damages to systems worldwide.

Many blended threats are still “proof of concept,” meaning the concept seems possible and has been implemented, but it has not, for one reason or another, ever been released into the real world. However, users are increasingly at risk of attacks in the wild due to:

  • The ease and availability of mobile code authoring tools.
  • The rising number of complex and flawed mobile code programs that inadvertently create “backdoor” entries for malware.
  • The rising trend toward downloading programs from the Web.
  • The growing number of teachers who access their network from home without security on their modem or DSL connection.

High-Profile Blended Threats

Making headlines in summer and fall 2001, CodeRed and Nimda are examples of blended threats. Their economic impact demonstrates the damage they left in their wake as they quickly spread across the globe.

  • Nimda was an automated worm, using known software vulnerabilities and multiple methods of infection to spread remarkably fast. Independent research firm Computer Economics estimates that Nimda infected more than 2.2 million servers and PCs in a 24-hour period in September 2001. The worldwide economic impact of Nimda has now reached more than $590 million.
  • CodeRed launched “Denial of Service” attacks, defaced Web servers, and its variant, CodeRed II, left Trojan horses behind for later execution. CodeRed was processed in memory, not on a hard disk, allowing it to slip past some anti-virus products. Computer Economics estimates the worldwide cost of CodeRed at $2.62 billion.

Rules of Thumb for Safe Computing

To protect school computers from this new generation of threats, teachers need to work with IT personnel to understand how to protect themselves with technology and common sense.

Teachers and Students

Teachers and students can prevent blended threats from spreading, which causes damage on school computers and networks, by learning about these new threats and exercising caution. The following tips provide a great deal of protection, and should be considered basic rules of thumb for safe computing in the classroom and computer lab:

  • When using e-mail, do not open attachments that are unexpected, even if they come from someone you know. Often, malicious code can be sent from the e-mail account of someone you know even though they aren’t aware of it.
  • Never open attachments from unknown sources.
  • Run a good anti-virus program and firewall at the desktop. This provides a solid barrier against viruses, hackers and blended threats. It is also critical to keep your virus definitions and firewall rules up to date.

IT Administrators

IT administrators should look at and thoroughly understand the security strategies that are currently in place. Enlisting a comprehensive approach, creating a defensive barrier that is comprised of anti-virus, content filtering, firewall, vulnerability management and intrusion detection measures will make systems extremely difficult and costly for intruders to compromise. All parts of the network must be protected, and there must be a response in place to provide security at the gateway, server and client levels. Some important basic tips include:

Implement strong passwords. Passwords should be at least eight characters in length, comprised of alphanumeric characters and changed regularly.

Keep patches up to date. As explained above, blended threats seek out known vulnerabilities to exploit. Staying up to date with the latest security patches for your operating systems and applications is a crucial measure of protection.

Use data forensics. Create an outline of the policies, procedures and standards for logging, reporting and auditing functions.

Remove unneeded services. All services present some form of exposure because they are listening on a TCP (transmission control protocol) or UDP (user datagram protocol) port, so eliminating unnecessary services diminishes the number of target entry points for intruders.

Employ a comprehensive security solution:

  • Anti-virus software and content security solutions to identify and remove threats;
  • Firewalls to block threats from entering your network;
  • Intrusion detection systems to monitor the network and hosts for improper activity and assist in forensic analysis; and
  • Vulnerability assessment tools to ensure that patches are applied, unneeded services are removed and passwords are strong, according to best practices.

This article originally appeared in the 12/01/2002 issue of THE Journal.