Great Circle Associates Firewalls
(March 1996)
 


Subject: [C4I-Pro] CVIRUS PART 3 OF 3 (fwd)
From: "KM" <goertzek @ gateway . wangfed . com>
Date: Tue, 5 Mar 96 10:05:56 -0500
To: firewalls @ GreatCircle . com
Reply-to: "KM" <goertzek @ wangfed . com>

------------ Forwarded Message begins here ------------
                 SPLIT INTO THREE PARTS.   CVIRUS PART 3 OF 3

IP attack against a specific target on the same day at the same time, then there is no way to stop the attack because it has originated from thousands of sites, all of which are live hostages.  The site under attack will have to go offline, since the Internet service providers will be helpless in the face of a coordinated dispersed attack.  Since the impact against each individual hostage system is low, the hostages may not even notice that there is a problem.  The Internet service provider attached to the target system is in the best position to detect the attack; however, they are as subject to this attack as the target, since they may "crash" from the excessive bandwidth usage flooding their network from multiple sources.


10. SCENARIO OF A VIRUS ATTACK AGAINST A SECURE UNIX NETWORK

The military and many other companies believe that they are protected against focused attacks because they employ a closed network configuration.  In some cases these networks may also use highly secure "B" rated operating systems [NCSC-TG-006].  Typically, the network will not allow modems or Internet connections, nor have any electronic connections to organizations outside of the immediate need.  In addition, the networks are almost always heterogeneous because of legacy equipment, primarily PC systems.  The network designers normally allow the PC systems to retain their floppy disk drives even though their attachment to a network renders them nonessential.  Networks of this type have been considered secure; however, they are open to information warfare attacks via focused viruses.

Assuming that the perpetrator is an outsider without access to the equipment or premises, one possible method of attack against this type of network would take advantage of both the Typhoid Mary Syndrome and Transplatform Viruses to produce an attack that is targeted against the Unix systems but originated from an attached PC.  A virus can be created whose payload is triggered by executing on a PC that is attached to the target network.  This is not hard with a little inside information about the configuration of the network.  The perpetrator would then install the virus at all of the local universities in the hope that someone working at the installation is taking a night class or that one of their children will unknowingly infect a common-usage home computer.  At that point, the virus has a good chance of entering the target network.  This is a well-known vector and is enhanced because the virus will not reveal itself.  Once on the target system, the PC virus will act like a dropper, releasing a Unix virus into the backbone.  The payload virus may be necessary because many Unix backbone systems are not PC compatible.  The Unix virus payload can then install a backdoor which can be remotely directed.  In addition, the virus can create a covert channel by making use of messenger viruses.  While the use of messenger viruses is slow and has low bandwidth, they are bi-directional and can be used for command and control of more complex attacks.


11. CONCLUSION

I believe that the problem of attack software targeted against Unix systems will continue to grow.  Viruses may become more prevalent because they provide all of the benefits of other forms of attack, while having few drawbacks.  Transplatform viruses may become common as an effective attack.  All of the methods currently used in creating MS-DOS viruses can be ported to Unix.  This includes the creation of automated CAD/CAM virus tools, stealth, polymorphism and armor.  The future of viruses on Unix is already hinted at by the widespread use of Bots and Kill-bots (slang terms referring to software robots).  These programs are able to move from system to system performing their function.  Using a Bot as a dropper or creating a virus that includes bot-like capability is simple.  With the advent of global networks, the edge between viruses, bots, worms and Trojans will blur.  Attacks will be created that use abilities from all of these forms and others to be developed.  There have already been cases where people have used audit tools such as COPS and SATAN to attack a system.  Combining these tools with a virus CAD/CAM program will allow a fully functional virus factory to create custom viruses to attack specific targets.

As these problems unfold, new methods of protection must be created.  Research has hinted at several promising methods of protection, including real-time security monitors that use artificial intelligence for simple decision making.  It is my hope that these problems never reach existence, but I am already testing them in an attempt to devise methods of counteracting them.  If I can create these programs, so can others.

Even with the current problems and the promise of more sophisticated problems and solutions in the future, the one thing that I believe to be certain is that Unix or Unix-like systems will continue to provide a payback that is well worth the cost of operating them.

================================================================
                                                       END OF DOCUMENT
================================================================



------------ Forwarded Message ends here ------------

------------------------------------------------------
K.M. Goertzel
Manager, International Programmes and Special Projects
Secure Systems and Services Operation
Wang Federal, Inc.
7900 Westpark Drive - MS 700
McLean, Virginia  22102-4299
TEL: 703-827 3914
FAX: 703-827 3161
goertzek @ wangfed . com
http://www.wangfed.com

+----------------------------------------------+
|                        ...I guessed not half |
| Life's symphony till I had made hearts beat, |
| And touched Love's body into trembling cries |
|                       -- Wilfred Owen, MUSIC |
+----------------------------------------------+
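The opening paragraph of the forwarded paper makes a detection point worth seeing in code: each hostage's share of a dispersed flood is small enough that a source-side observer sees nothing, while the ISP in front of the target sees the aggregate. The following is an added example, written for this archive page and not part of the forwarded paper or of the list post; the flow records are constructed, and the byte-rate thresholds, window length, minimum source count and addresses are assumptions chosen only to make the contrast visible.

```python
"""Target-side vs. source-side detection of a dispersed flood.

Added example, not from the forwarded paper. All flow records are
constructed for illustration; thresholds and addresses are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow summary: bytes seen from src to dst within one window."""
    src: str
    dst: str
    nbytes: int


# Assumed policy: what a single hostage site (or its ISP) would consider
# abusive from one of its hosts, and what the target's ISP would consider
# abusive toward one destination.
PER_SOURCE_BPS = 50_000        # bytes/s per (src, dst) pair
AGGREGATE_BPS = 1_000_000      # bytes/s toward one dst, summed over sources
MIN_DISTINCT_SOURCES = 100     # "dispersed" means many sources, not one


def per_pair_rates(flows, window_s):
    """Bytes/s for each (src, dst) pair over the window."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.nbytes
    return {pair: total / window_s for pair, total in totals.items()}


def per_dst_rates(flows, window_s):
    """Aggregate bytes/s and distinct-source count for each destination."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        totals[f.dst] += f.nbytes
        sources[f.dst].add(f.src)
    return {dst: (total / window_s, len(sources[dst]))
            for dst, total in totals.items()}


def hostage_view_alerts(flows, window_s):
    """What a source-side observer flags: only pairs above the per-source limit."""
    return sorted(pair for pair, rate in per_pair_rates(flows, window_s).items()
                  if rate > PER_SOURCE_BPS)


def target_isp_view_alerts(flows, window_s):
    """What the target's ISP flags: high aggregate toward a dst from many sources."""
    return sorted(dst for dst, (rate, n_src) in per_dst_rates(flows, window_s).items()
                  if rate > AGGREGATE_BPS and n_src >= MIN_DISTINCT_SOURCES)


def constructed_flows(n_hostages=2000, window_s=60):
    """Constructed sample: 2000 hostages each send 1 kB/s to the target,
    plus two unrelated flows, one of them a genuinely noisy single host."""
    target = "192.0.2.10"
    flows = [Flow(src=f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                  dst=target, nbytes=1_000 * window_s)
             for i in range(n_hostages)]
    flows.append(Flow("172.16.0.1", "192.0.2.20", 2_000 * window_s))    # benign
    flows.append(Flow("172.16.0.2", "192.0.2.30", 100_000 * window_s))  # one loud host
    return flows


if __name__ == "__main__":
    WINDOW = 60
    sample = constructed_flows(window_s=WINDOW)
    print("hostage-side alerts:", hostage_view_alerts(sample, WINDOW))
    print("target-ISP alerts:  ", target_isp_view_alerts(sample, WINDOW))
```

Run as a script, the source-side view flags only the single loud host (which is not part of the dispersed attack at all), while the target-side view flags the real victim, whose 2,000 sources each stay far under any per-host limit. The same aggregate-by-destination logic applies to real flow exports; the thresholds would have to be set from the ISP's own baseline rather than the assumed constants above.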

