Information Warfare: Malicious Software and Technology

by David L. Potter

Do you care about computer viruses? Would it matter if the information on your computer's hard drives suddenly and without warning disappeared? Would you care if a computer virus got into your service records and showed that you had been killed while on that exercise next weekend or during that deployment next month? Although these situations may seem far-fetched, both of these situations could easily occur by a malicious software code attack.

Most people think of an "attack" as something that usually involves flying metal that could really kill you: bullets, tanks, aircraft, that sort of thing. Most people do not realize that an IW attack could probably do as much damage (or more, depending on who you listen to) as conventional weapon systems, although the initial effects may not be as bloody. Information, and the systems that the DoD uses to process, change, and distribute that information, have become a vital part of the DoD's infrastructure. You cannot do anything these days without a computer file being changed in some way somewhere, or having a computer program direct another computer to do something for (or to) you or something you have. All of these computer resources rely on one common element to get the job done software.

Computer software is contained in almost every weapon system developed by the DoD. The amount of software code that you come into daily contact with could vary from a few lines of code that might be in your digital watch to the several million lines required to control a modern fly-by-wire aircraft. Software controls almost every aspect of everything we do, from the engine in your car to managing your bank account. Although the computer hardware itself is important, it cannot do anything until it is told what to do by software.

Everybody has experienced some occurrence that they thought could be attributed to a "software glitch" such as when the computer on your desk stops working or your car stalls unexpectedly. Who has checked to see if perhaps part of the problem was faulty software code or a computer virus (or other malicious code segment)? Could you tell the difference between faulty code and a virus (or other form of malicious software code)?

Malicious Software

Malicious software has been around in one form or another since the early 1980s when computers first started to appear in the home. Today, malicious software code has probably touched every computer network in existence. When the subject of malicious software code comes up, one generally thinks of its most common manifestation, the computer virus. Most people think of a computer virus as a computer program that causes their computer to crash and delete the information from their computers hard disk. While this is certainly one possible situation, it is not always the only one. Take the Microsoft Word Concept1 Macro Virus (also called the Winword.concept virus); it does not delete any information from your computer, but it does cause "disk full" or "not available" errors or it places the document in a directory that you would not normally use, making it difficult to find later.

There are somewhere between 9,000 and 12,000 computer viruses in existence today, depending on whose numbers you use. Viruses, though, are only one possible type of malicious code. Malicious codes include

Nine different types of viruses: Bootstrap Sector, File Infector, Memory Resident, Non-Memory Resident, Multi-Partite, Stealth, Polymorphic, Network-Specific, and Bounty Hunter viruses.
Worms, programs which can move independently from computer to computer via a network. They generally aim at increasing the time required to perform a particular task, thereby slowing down the network or system on which it is running.
Trojan Horses, programs which say they do something useful, but contain a section of code that can be destructive or have other hidden capabilities.

Although the term "virus" is used to refer to malicious software code in general, the terms "virus," "worms," and "Trojan Horse" are becoming less meaningful. Because malicious code can be developed that would perform a particular function (and possibly perform this function on a particular computer or computer network), the typical definition of the code segments will not adequately identify the code segment or capability.

Propagation

Can malicious software operate on a computer running UNIX as well as a computer using MS-DOS? Quite possibly the answer is yes. Although some types of computers operate using different processors (e.g., Motorola versus Intel), the operating system (including UNIX, MS-DOS, MacOS, OS/2) is what controls how the hardware really works. Although DoD may have some nonstandard computers that perform dedicated functions without an interface to other computers (one example of this is the computers that control a fly-by-wire aircraft), most computer systems are procured as off-the-shelf commercially available items. The commercial market has dictated that some software operate on multiple platforms; as an example, DOS applications can run on UNIX platforms using the X-Windows environment. Although this is not a guarantee that a virus will be capable of infecting both operating systems, it is an indication of compatibility.

The commercial market has dictated a commonality of hardware that allows users with different requirements to use interchangeable systems; computer hard-drive units are one of the best examples of this. Small Computer System Interface (SCSI)-based computer drives can be used in any computer. It is this commonality that creates the greatest opportunity for the successful transmission of a malicious code segment. Because the hardware is standard, the software that controls the hardware and serves as the interface between the hardware and the application (i.e., drivers) relies on the same set of commands to access the hardware. Because malicious code (and viruses in particular) generally executes a specific command set (such as writing " "s to the boot sector of the drive as one example), writing a code segment that has capabilities against several operating systems is quite possible.

As malicious code is developed for specific applications, it is possible that one could be developed that would initially infect one platform (and operating system) and then migrate to another platform or application. The ability to do this will depend to a large degree on the skill of the virus writer, and the desired effect of the virus (or code segment) on its target. It is quite possible to develop a virus that would be capable of operation in several OS environments, even though the number of existing viruses for DOS systems is far greater than any other OS. Spreading of malicious code is generally not a difficult task. In most cases, a commonly used file is infected (game programs are a particularly good example, but are by no means the only type of "carrier" file); the popularity of the particular file causes it to generally be spread to many other users. As the program is executed, other files on the computers hard drive are infected. Other documented means of dissemination have included shrink-wrapped software obtained from a major software manufacturer; there have been several cases of this, and they have been traced back to infected files in the compiler used in the development of the original software.

The global connectivity of computers and computer networks has helped to create an environment conducive to the transmission of malicious software. Files are routinely transferred from one location to another within organizations. Searches of the Internet are conducted to locate particular files or programs programs used for entertainment, to enhance systems' performance, or any one of a number of other uses. Unfortunately, most organizations do not make effective use of anti-viral software to screen incoming files for the presence of malicious code, thereby proliferating the virus.

Writing Malicious Code

The skill level required to write effective malicious code has decreased in the past few years. Writers of malicious code now have several tools available to assist in the writing of code

A standard Windows-like graphical user-interface.
Pull-down menus.
Features allowing for the incorporation of capabilities for the code to change itself, making detection much more difficult.
Most of these programs are readily available on the Internet.

Virus writing "organizations" exist on the Internet; they routinely exchange ideas, technical information, code segments, and methods of infection. Participants generally have an intimate knowledge of the various computer operating systems, anti-viral software characteristics, and a desire to write efficient code. The groups do collect and study viruses and other code segments, the goal being to make them more efficient and less likely to be detected by anti-viral software.

With one exception, there are no confirmed cases where malicious code was written to accomplish a specific task (the goal of destroying data on a hard drive is not considered a specific task in this context); this one exception was the Word1.concept virus. This "virus" was written to demonstrate that a malicious code segment could be propagated without infecting a .COM or .EXE file.

Code Capabilities

Most current malicious software takes the form of computer viruses. The most common features of viruses are to display a message indicating that the system has been infected, and then overwrite portions of the hard drive (destroying data in the process). Do malicious codes perform other tasks? Yes, although there have not been many documented instances of this occurring. Take for instance a targeted attack, such as one that would change your status to deceased. A code segment could be written that would spread, without activating, until it reached a particular IP address. Once the desired address had been infected, the virus would activate and search for fields in a database of personnel information. When the appropriate field had been determined, the coding would be changed to indicate that the individual was now deceased (for those who think correcting this problem would be easy, think about how the government bureaucracy works). This particular kind of attack would require a significant amount of prior knowledge about the targeted system; this information would have to be stored in the virus itself, probably making the virus itself too large and cumbersome to reach its destination undetected.

What malicious code developments are likely to occur? Code segments themselves will likely be smaller and more efficient than they are currently. It is also probable that code segments will be written that will target either a particular system, capability, or operating feature. Depending on the motivation of the particular writer, specific systems could be targeted, possibly by using keywords or some prior knowledge of the target system. It is also likely that nondestructive code segments will be written that would perform functions such as system monitoring, analysis of system vulnerabilities, or information gathering. Such code segments could report back to a central point, using the computer's own network capabilities to do so. Because this type of code would not operate like current virus code, current anti-viral software may not be capable of detecting it. Detection would be possible, but would require some knowledge of the vulnerabilities of the weapons or information systems, with a code segment written into the systems' operating software something that will require recognition of the threat by the material developers.

Impact of Technology

Technology is progressing at a significant rate, both in hardware and software. New software developments in the commercial sector have taken into account the threats posed by malicious software code. Windows '95 is one example; it was designed with security features that would make its vulnerability to malicious code difficult. It did this by structuring the operating system so that only trusted code segments could perform critical system operations. As good as the effort was though, a virus capable of attacking Windows '95 does exist. This is a situation that will persist for quite some time. The motivation of the malicious code writer is basically the challenge of developing something thought to be impossible. As long as this motivation exists, there will always be a threat; it would be cost-prohibitive to design software completely invulnerable to attack.

The other factor that will play a significant role in this area is the advancements in hardware. Hardware developments are occurring in which multiple operating states exist (the Pentium processor is one example). Malicious code will likely be written that will capitalize on these background operating states; because current anti-viral software searches for specific virus operating characteristics, working in background states could offer the advantage of longer operation without detection. Because the development of anti-viral software is currently reactive rather than proactive, the development of different effective countermeasures against this particular type of code will depend on how long it takes to detect it.

One final consideration is that current anti-viral software is targeted against viruses, and not other forms of malicious code. It is important to realize that other forms of malicious code could be far more dangerous to operations than just the destruction of data caused by viruses impacted operations could include tactical, strategic, and sustaining base, but would most likely originate against the private sector (targeted areas would likely include financial and industrial areas). The reason for this is that the potential gain could be far greater in these areas, at least initially. Targeting these areas could also allow for the refinement of techniques that could then possibly be used against military targets.

Conclusion

Not all computer problems result from malicious software. Operations are more likely to be adversely impacted by defective code than malicious code (bear in mind that software testing generally does not look for defective code, only proper operation of intended functions). Awareness of the threats is important; educating systems users about the threat is the key to maintaining awareness and vigilance. Use of the latest anti-viral software is critical to ensuring that this threat does not adversely impact operations. Adherence to proper computer security programs and goals are essential to ensuring that threats are identified before they can become operational problems.

Mr. Potter is an Electrical Engineer currently working in the Acquisition and Technology Support Division of the Directorate for Intelligence and Information Security, U.S. Army Communications Electronics Command. He is a 1983 graduate of California State University with a bachelor of science degree in Mechanical Engineering. Readers can reach him at (908) 532-5873, DSN 992-5873, or via E-mail at Potterd@doim6.monmouth.army.mil.