Malware

Malicious software is getting smarter.

By Andy Fell

Does any of this sound familiar? The widow of an African president wants you to invest in dubious oil stocks; you just got three e-mails apparently from your bank asking you to verify your account number; and your computer has not really worked properly since you (or your kids) downloaded those free game files. If so, you’re not alone. Malicious software has now become so prevalent that it is changing how people behave online: A survey by the Pew Internet and American Life Project published in July found that 91 percent of Internet users have altered the way they use the Internet because of these problems.

But as bad as the problem is now, it’s only going to get worse, say experts at UC Davis’ Computer Security Laboratory. The attacks by malicious software—or “malware”—will likely become more targeted and stealthier. And our ever- growing dependence on personal gadgets, computer systems and online databases is providing new opportunities for the malware writers.

In just one example of the escalating problem, MasterCard announced in June that some 40 million credit-card accounts had been put “at risk” by a security breach at CardSystems, an Atlanta-based company that processes credit- card transactions. According to news reports, malicious software planted on the company’s computer network was used to transmit some 68,000 account numbers to somebody outside the company.

“The CardSystems case is probably the first widely publicized security incident at a corporate system that may have been perpetrated by malware,” said Hao Chen, an assistant professor of computer science at UC Davis and a member of the Computer Security Laboratory.

The malware of the future will be both more subtle and more destructive than that seen so far, said Professor Karl Levitt, one of the laboratory’s principal investigators. For example, a spyware program might enter a computer system, send out your information and then delete itself, he said.

“It’s possible, though it has not been seen in the wild yet—we think,” Levitt said.

These are challenging problems for the lab’s researchers, who are looking at new approaches to take on malware and working with federal agencies, academic partners and industry to keep information safe.

The root of the problem

Today’s problems stretch back to the beginnings of computer networks in the 1960s: They were not built with security in mind.

“Security didn’t sell,” Levitt said.

Those comments were echoed by Scott Charney, vice president for trustworthy computing and security strategy at Microsoft, who spoke at an educational symposium on computer security at UC Davis in June.

During the IT revolution of the 1990s, the industry was focused on productivity, not crime, Charney said. The government left the private sector to regulate itself, but “markets don’t do national security and public safety,” he said. That changed on Sept. 11, 2001. Markets began to demand security as never before, and homeland security became a high priority for government.

The first networks were built with a “smart” core of large, powerful computers accessed through “dumb” terminals that were basically teletype machines. But as desktop computers became more powerful, the Internet and other networks developed as dumb cores with smart terminals. Security precautions were not built into the structure of the network itself.

Now, the nature of that network is changing again. An increasing number of devices—cell phones, Blackberrys, PDAs—can connect not only to the phone network but to the Internet or directly to each other through short-range wireless networks. Increasingly, these devices are used to send and receive text messages, images, and audio or video files. Malware writers are responding: In the past year, programs such as “Cabir” and “Commwarrior” that infect cell phones have appeared in several countries.

So far, the cell phone viruses do not seem particularly harmful, but they could become much more damaging than an attack on the Internet, Levitt said. For example, they could jam telephone and 911 networks by causing phones to dial numbers automatically or by sending large files. As cell phones have far less memory and processing power than computers, designing anti-malware programs for them will be challenging.

Even more worrisome, malware could also threaten major pieces of infrastructure, such as the electricity grid or water-management systems, that are controlled through computer networks, Levitt said. While those networks are not connected to the Internet, they are potentially vulnerable to a malware attack.

A question of trust

Computer security experts routinely advise us to accept files or open attachments only from sources we trust. But how do we know whom, or what, to trust?

To trust a source, you have to be able to establish its identity—that it is who it says it is. That can be done by using a “shared secret,” such as a public key, digital signature or certificate, that can be authenticated by a trusted third party. The key, signature or certificate also has to be encrypted, so that it cannot be read and stolen in transit.

Another security component is traceability, allowing e-mails and messages to be followed to their actual source.

There are proposals to build authentication, encryption and traceability into the basic levels of the Internet, but “it’s not there yet,” Levitt said.

“The fundamental problem is that there is no central trusted authority in the Internet,” Chen said. That, of course, is also the strength of the Internet—it’s a decentralized network that no one can fully control. At the same time, computer software applications have become so huge that it is impossible for one person to check them completely.

Constant catch-up

Corporate information security has traditionally been concerned with “active” break-ins or insider attackers, Chen said. Malware poses a different problem: It is written by attackers but is later downloaded and run by legitimate insiders unintentionally.

“Since hackers can hide malicious logic inside programs, it is very challenging to detect malware reliably,” he said.

Malware writers and the programmers who write antivirus software are in an arms race where the defenders are always slightly behind, Chen said. Antivirus programs work by looking for a signature, a piece of computer code that is known to be found in a particular virus or family of viruses. So a completely new virus cannot be detected by these programs until its signature hasbeen included in their databases.

Taking their cue from real viruses such as influenza, the attackers have developed viruses that “mutate” from generation to generation, masking their identity without losing their functions.

Consequently, computer users may place too much faith in their antivirus software, Chen said. Malware can take over your computer in minutes, but it might take weeks before the right update to your antivirus software is available.

“Investing unwarranted trust in antivirus software could make users less prudent in downloading untrusted software,” Chen said.

Chen is working on a different approach to the problem. Instead of looking for signatures in the computer code, he aims to step back and look for higher-level meaning in such pieces of software.

In human language, we can say different sentences that mean more or less the same thing—for example, “ I love you,” “I like you,” “I am fond of you.” Our brains can parse sentences to extract a higher level of meaning. Chen hopes to do the same for computer languages, finding ways to identify destructive meanings that would flag software as malicious.

The approach might sound easy in concept but is actually very difficult, Chen said. “But there’s likely to be a high payoff if we succeed.”

Joining forces

In addition to projects like Chen’s, the UC Davis Computer Security Lab is a partner in several national efforts to improve security online. For example, the lab is part of a project funded in 2003 by the Department of Homeland Security and the National Science Foundation to build a self-contained replica of the Internet to test defenses against malware. UC Davis, Pennsylvania State University, Purdue University and the International Computer Science Institute in Berkeley are designing experiments that replicate real cyberattacks for the system. Researchers at UC Berkeley and the University of Southern California are building the hardware for the network, called the Cyber Defense Technology Experimental Research network or DETER.

The test-bed network is now running Internet-scale experiments, Levitt said. The sponsors’ aim is eventually to make it available to researchers from other institutions for their own experiments.

The UC Davis lab is also a member of the Anti-Phishing Working Group, lead by Dan Boneh, professor at Stanford University. The working group, which includes representatives from academia, industry and law enforcement agencies, aims to combat fraud and identity theft based on e-mail scams such as the phony bank queries and other “phishing” attacks.

Researchers at the lab are also working to develop ways to respond automatically to attacks, to detect intruders in computer networks and to guarantee the accuracy of information held in databases that might have been accessed by hackers. The lab receives grant funding from agencies including the NSF, the National Security Agency, the Department of Homeland Security and the Defense Advanced Research Projects Agency—a descendant of the agency that helped create the Internet in the first place. Since 1999 the UC Davis lab has been recognized as a Centerof Excellence in Information Assurance Education by the National Security Agency.

“It’s an exciting time,” Levitt said. “There are lots of problems and they are open.”

Education and user behavior can address some of these problems, up to a point. Don’t download programs or open e-mail attachments from sources you don’t trust; keep your antivirus software up to date; avoid file-sharing programs that download adware or spyware along with the files you want. But people make mistakes, and there are legitimate—and powerful—uses for file sharing.

Cases like the CardSystems security breach and other recent incidents suggest growing sophistication in malware attacks. Our reliance on electronic networks and computer databases provides opportunities not just for mischievous hackers but also for terrorists or organized crime.

“We used to say in this field that the time to worry would be when the mob got involved,” Levitt said. Perhaps it is time to worry.