Information Warfare: Malicious Software and Technology
by David L. Potter
Do you care about computer viruses? Would it matter
if the information on your computer's hard drives suddenly and
without warning disappeared? Would you care if a computer virus
got into your service records and showed that you had been killed
while on that exercise next weekend or during that deployment
next month? Although these situations may seem far-fetched, both
of them could easily be caused by a malicious software code
attack.
Most people think of an "attack" as something that usually
involves flying metal that could really kill you: bullets, tanks,
aircraft, that sort of thing. Most people do not realize that an
IW attack could probably do as much damage (or more, depending on
who you listen to) as conventional weapon systems, although the
initial effects may not be as bloody.
Information, and the systems that the DoD uses to process,
change, and distribute that information, have become a vital part
of the DoD's infrastructure. You cannot do anything these days
without a computer file being changed in some way somewhere, or
having a computer program direct another computer to do something
for (or to) you or something you have. All of these computer
resources rely on one common element to get the job
done: software.
Computer software is contained in almost every weapon system
developed by the DoD. The amount of software code that you come
into daily contact with could vary from a few lines of code that
might be in your digital watch to the several million lines
required to control a modern fly-by-wire aircraft. Software
controls almost every aspect of everything we do, from the engine
in your car to managing your bank account. Although the computer
hardware itself is important, it cannot do anything until it is
told what to do by software.
Everybody has experienced some occurrence that they thought could
be attributed to a "software glitch" such as when the computer on
your desk stops working or your car stalls unexpectedly. Who has
checked to see if perhaps part of the problem was faulty software
code or a computer virus (or other malicious code segment)? Could
you tell the difference between faulty code and a virus (or other
form of malicious software code)?
Malicious Software
Malicious software has been around in one form or another since
the early 1980s when computers first started to appear in the
home. Today, malicious software code has probably touched every
computer network in existence. When the subject of malicious
software code comes up, one generally thinks of its most common
manifestation, the computer virus. Most people think of a
computer virus as a computer program that causes their computer
to crash and delete the information from their computer's hard
disk. While this is certainly one possible situation, it is not
always the only one. Take the Microsoft Word Concept1 Macro Virus
(also called the Winword.concept virus); it does not delete any
information from your computer, but it does cause "disk full" or
"not available" errors or it places the document in a directory
that you would not normally use, making it difficult to find
later.
There are somewhere between 9,000 and 12,000 computer viruses in
existence today, depending on whose numbers you use. Viruses,
though, are only one possible type of malicious code. Malicious
code includes:
- Nine different types of viruses: Bootstrap Sector, File
Infector, Memory Resident, Non-Memory Resident, Multi-Partite,
Stealth, Polymorphic, Network-Specific, and Bounty Hunter
viruses.
- Worms, programs which can move independently from
computer to computer via a network. They generally aim at
increasing the time required to perform a particular task,
thereby slowing down the network or system on which they are
running.
- Trojan Horses, programs which claim to do something
useful, but contain a section of code that can be destructive or
have other hidden capabilities.
Although the term "virus" is used to refer to malicious software
code in general, the terms "virus," "worms," and "Trojan Horse"
are becoming less meaningful. Because malicious code can be
developed that would perform a particular function (and possibly
perform this function on a particular computer or computer
network), the typical definition of the code segments will not
adequately identify the code segment or capability.
Propagation
Can malicious software operate on a computer running UNIX as well
as a computer using MS-DOS? Quite possibly the answer is yes.
Although some types of computers operate using different
processors (e.g., Motorola versus Intel), the operating system
(including UNIX, MS-DOS, MacOS, OS/2) is what controls how the
hardware really works. Although DoD may have some nonstandard
computers that perform dedicated functions without an interface
to other computers (one example of this is the computers that
control a fly-by-wire aircraft), most computer systems are
procured as off-the-shelf commercially available items. The
commercial market has dictated that some software operate on
multiple platforms; as an example, DOS applications can run on
UNIX platforms using the X-Windows environment. Although this is
not a guarantee that a virus will be capable of infecting both
operating systems, it is an indication of compatibility.
The commercial market has dictated a commonality of hardware that
allows users with different requirements to use interchangeable
systems; computer hard-drive units are one of the best examples
of this. Small Computer System Interface (SCSI)-based computer
drives can be used in any computer. It is this commonality that
creates the greatest opportunity for the successful transmission
of a malicious code segment. Because the hardware is standard,
the software that controls the hardware and serves as the
interface between the hardware and the application (i.e.,
drivers) relies on the same set of commands to access the
hardware. Because malicious code (and viruses in particular)
generally executes a specific command set (such as writing " "s
to the boot sector of the drive as one example), writing a code
segment that has capabilities against several operating systems
is quite possible.
As malicious code is developed for specific applications, it is
possible that one could be developed that would initially infect
one platform (and operating system) and then migrate to another
platform or application. The ability to do this will depend to a
large degree on the skill of the virus writer, and the desired
effect of the virus (or code segment) on its target. It is quite
possible to develop a virus that would be capable of operation in
several OS environments, even though the number of existing
viruses for DOS systems is far greater than any other OS.
Spreading of malicious code is generally not a difficult task. In
most cases, a commonly used file is infected (game programs are a
particularly good example, but are by no means the only type of
"carrier" file); the popularity of the particular file causes it
to generally be spread to many other users. As the program is
executed, other files on the computer's hard drive are infected.
Other documented means of dissemination have included
shrink-wrapped software obtained from a major software
manufacturer; there have been several cases of this, and they
have been traced back to infected files in the compiler used in
the development of the original software.
The global connectivity of computers and computer networks has
helped to create an environment conducive to the transmission of
malicious software. Files are routinely transferred from one
location to another within organizations. Searches of the
Internet are conducted to locate particular files or
programs: programs used for entertainment, to enhance systems'
performance, or any one of a number of other uses. Unfortunately,
most organizations do not make effective use of anti-viral
software to screen incoming files for the presence of malicious
code, thereby proliferating the virus.
Writing Malicious Code
The skill level required to write effective malicious code has
decreased in the past few years. Writers of malicious code now
have several tools available to assist in the writing of code:
- A standard Windows-like graphical user-interface.
- Pull-down menus.
- Features allowing for the incorporation of capabilities
for the code to change itself, making detection much more
difficult.
- Most of these programs are readily available on the
Internet.
Virus writing "organizations" exist on the Internet; they
routinely exchange ideas, technical information, code segments,
and methods of infection. Participants generally have an intimate
knowledge of the various computer operating systems, anti-viral
software characteristics, and a desire to write efficient code.
The groups do collect and study viruses and other code segments,
the goal being to make them more efficient and less likely to be
detected by anti-viral software.
With one exception, there are no confirmed cases where malicious
code was written to accomplish a specific task (the goal of
destroying data on a hard drive is not considered a specific task
in this context); this one exception was the Word1.concept virus.
This "virus" was written to demonstrate that a malicious code
segment could be propagated without infecting a .COM or .EXE
file.
Code Capabilities
Most current malicious software takes the form of computer
viruses. The most common features of viruses are to display a
message indicating that the system has been infected, and then
overwrite portions of the hard drive (destroying data in the
process). Do malicious codes perform other tasks? Yes, although
there have not been many documented instances of this occurring.
Take for instance a targeted attack, such as one that would
change your status to deceased. A code segment could be written
that would spread, without activating, until it reached a
particular IP address. Once the desired address had been
infected, the virus would activate and search for fields in a
database of personnel information. When the appropriate field had
been determined, the coding would be changed to indicate that the
individual was now deceased (for those who think correcting this
problem would be easy, think about how the government bureaucracy
works). This particular kind of attack would require a
significant amount of prior knowledge about the targeted system;
this information would have to be stored in the virus itself,
probably making the virus itself too large and cumbersome to
reach its destination undetected.
What malicious code developments are likely to occur? Code
segments themselves will likely be smaller and more efficient
than they are currently. It is also probable that code segments
will be written that will target either a particular system,
capability, or operating feature. Depending on the motivation of
the particular writer, specific systems could be targeted,
possibly by using keywords or some prior knowledge of the target
system. It is also likely that nondestructive code segments will
be written that would perform functions such as system
monitoring, analysis of system vulnerabilities, or information
gathering. Such code segments could report back to a central
point, using the computer's own network capabilities to do so.
Because this type of code would not operate like current virus
code, current anti-viral software may not be capable of detecting
it. Detection would be possible, but would require some knowledge
of the vulnerabilities of the weapons or information systems,
with a code segment written into the systems' operating
software, something that will require recognition of the threat by
the material developers.
Impact of Technology
Technology is progressing at a significant rate, both in hardware
and software. New software developments in the commercial sector
have taken into account the threats posed by malicious software
code. Windows '95 is one example; it was designed with security
features intended to make it difficult for malicious code to
exploit. It did this by structuring the operating system so
that only trusted code segments could perform critical system
operations. As good as the effort was though, a virus capable of
attacking Windows '95 does exist. This is a situation that will
persist for quite some time. The motivation of the malicious code
writer is basically the challenge of developing something thought
to be impossible. As long as this motivation exists, there will
always be a threat; it would be cost-prohibitive to design
software completely invulnerable to attack.
The other factor that will play a significant role in this area
is the advancements in hardware. Hardware developments are
occurring in which multiple operating states exist (the Pentium
processor is one example). Malicious code will likely be written
that will capitalize on these background operating states;
because current anti-viral software searches for specific virus
operating characteristics, working in background states could
offer the advantage of longer operation without detection.
Because the development of anti-viral software is currently
reactive rather than proactive, the development of different
effective countermeasures against this particular type of code
will depend on how long it takes to detect it.
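The two defensive techniques this section contrasts can be shown side by side. The following is an added example, not code from the article: it runs a signature scanner (the reactive approach the author describes, which only recognizes patterns already on its list) and a file-integrity baseline (hashes recorded while the system is believed clean) over a constructed set of in-memory "files". The file names, contents and signature patterns are all made up for the demonstration; the marker strings are not real virus signatures.

```python
"""Added example: signature scanning versus integrity baselining.

All inputs are constructed for the demonstration. The 'files' are
in-memory byte strings and the 'signatures' are made-up marker strings.
"""
import hashlib
from typing import Dict, List

# Constructed signature list: byte patterns the scanner already knows.
# A real product's list is only as current as its last update, which is
# why the article calls signature-based detection reactive.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "SAMPLE-A": b"CONSTRUCTED-MARKER-A",
    "SAMPLE-B": b"CONSTRUCTED-MARKER-B",
}

# Constructed "clean" file set, as it would look before any infection.
CLEAN_FILES: Dict[str, bytes] = {
    "game.exe": b"MZ constructed game program body",
    "report.doc": b"constructed word-processor document",
    "driver.sys": b"constructed device driver body",
}


def sha256_hex(data: bytes) -> str:
    """Hex digest used as the file fingerprint for the baseline."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one hash per file while the system is believed clean."""
    return {name: sha256_hex(content) for name, content in files.items()}


def signature_scan(files: Dict[str, bytes],
                   signatures: Dict[str, bytes] = KNOWN_SIGNATURES) -> Dict[str, List[str]]:
    """Return {filename: [matched signature names]} for files containing a known pattern.

    Files carrying a pattern that is not on the list produce no hit at all.
    """
    hits: Dict[str, List[str]] = {}
    for name, content in files.items():
        matched = [sig for sig, pattern in signatures.items() if pattern in content]
        if matched:
            hits[name] = matched
    return hits


def integrity_check(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Return sorted names of files that are new, missing, or changed since the baseline.

    This needs no knowledge of the malicious code; any unexpected change is flagged,
    and a human then decides whether it was a legitimate update.
    """
    changed = []
    for name, content in files.items():
        if name not in baseline or sha256_hex(content) != baseline[name]:
            changed.append(name)
    changed.extend(name for name in baseline if name not in files)
    return sorted(changed)


def demo() -> Dict[str, object]:
    """Baseline the clean set, then simulate two modifications and run both checks."""
    baseline = build_baseline(CLEAN_FILES)

    # Constructed "after" state: one file picks up a pattern the scanner knows,
    # another picks up a pattern that is not yet on any signature list.
    after = dict(CLEAN_FILES)
    after["game.exe"] = CLEAN_FILES["game.exe"] + b"CONSTRUCTED-MARKER-A"
    after["report.doc"] = CLEAN_FILES["report.doc"] + b"NOVEL-PATTERN-NOT-ON-LIST"

    return {
        "signature_hits": signature_scan(after),        # only game.exe
        "integrity_changes": integrity_check(after, baseline),  # both files
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scanner reports only the file carrying a pattern it already knows, while the integrity check flags both modified files. That is the trade-off the article points at: a baseline catches code the scanner has never seen, at the cost of a human having to separate legitimate updates from unexpected changes.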
One final consideration is that current anti-viral software is
targeted against viruses, and not other forms of malicious code.
It is important to realize that other forms of malicious code
could be far more dangerous to operations than just the
destruction of data caused by viruses. Impacted operations could
include tactical, strategic, and sustaining base, but attacks would
most likely originate against the private sector (targeted areas
would likely include financial and industrial areas). The reason for
this is that the potential gain could be far greater in these
areas, at least initially. Targeting these areas could also allow
for the refinement of techniques that could then possibly be used
against military targets.
Conclusion
Not all computer problems result from malicious software.
Operations are more likely to be adversely impacted by defective
code than malicious code (bear in mind that software testing
generally does not look for defective code, only proper operation
of intended functions). Awareness of the threats is important;
educating systems users about the threat is the key to
maintaining awareness and vigilance. Use of the latest anti-viral
software is critical to ensuring that this threat does not
adversely impact operations. Adherence to proper computer
security programs and goals is essential to ensuring that
threats are identified before they can become operational
problems.
Mr. Potter is an Electrical Engineer currently
working in the Acquisition and Technology Support Division of the
Directorate for Intelligence and Information Security, U.S. Army
Communications Electronics Command. He is a 1983 graduate of
California State University with a bachelor of science degree in
Mechanical Engineering. Readers can reach him at (908) 532-5873,
DSN 992-5873, or via E-mail at Potterd@doim6.monmouth.army.mil.