The Trojan Horse Race

  • Bruce Schneier
  • Communications of the ACM
  • September 1999

1999 is a pivotal year for malicious software ( malware) such as viruses, worms, and Trojan horses. Although the problem is not new, Internet growth and weak system security have evidently increased the risks.

Viruses and worms survive by moving from computer to computer. Prior to the Internet, computers (and viruses!) communicated relatively slowly, mostly through floppy disks and bulletin boards. Antivirus programs were initially fairly effective at blocking known types of malware entering personal computers, especially when there were only a handful of viruses. But now there are over 10,000 virus types; with e-mail and Internet connectivity, the opportunities and speed of propagation have increased dramatically.

Things have changed, as in the Melissa virus, the Worm.ExploreZip worm, and their inevitable variants, which arrive via e-mail and use e-mail software features to replicate themselves across the network. They mail themselves to people known to the infected host, enticing the recipients to open or run them. They propagate almost instantaneously. Antiviral software cannot possibly keep up. And e-mail is everywhere. It runs over Internet connections that block everything else. It tunnels through firewalls. Everyone uses it.

Melissa uses features in Microsoft Word (with variants using Excel) to automatically e-mail itself to others, and Melissa and Worm.ExploreZip make use of the automatic mail features of Microsoft Outlook. Microsoft is certainly to blame for creating the powerful macro capabilities of Word and Excel, blurring the distinction between executable files (which can be dangerous) and data files (which hitherto seemed safe). They will be to blame when Outlook 2000, which supports HTML, makes it possible for users to be attacked by HTML-based malware simply by opening e-mail. DOS set the security state-of-the-art back 25 years, and MS has continued that legacy to this day. They certainly have a lot to answer for, but the real cause is more subtle.

It's easy to point fingers, including at virus creators or at the media for publicity begetting further malware. But a basic problem is the permissive nature of the Internet and computers attached to it. As long as a program has the ability to do anything on the computer it is running, malware will be incredibly dangerous. Just as firewalls protect different computers on the same network, we're going to need something to protect different processes running on the same computer.

This malware cannot be stopped at the firewall, because e-mail tunnels it through a firewall, and then pops up on the inside and does damage. Thus far, the examples have been mild, but they represent a proof of concept. The effectiveness of firewalls will diminish as we open up more services (e-mail, Web, etc.), as we add increasingly complex applications on the internal net, and as misusers catch on. This "tunnel-inside-and-play" technique will only get worse.

Another problem is rich content. We know we have to make Internet applications (sendmail, rlogin) more secure. Melissa exploits security problems in Microsoft Word, others exploit Excel. Suddenly, these are network applications. Has anyone bothered to check for buffer overflow bugs in pdf viewers? Now, we must.

Antivirus software can't help much. If Melissa can infect 1.2 million computers in the hours before a fix is released, that's a lot of damage. What if the code took pains to hide itself, so that a virus remained hidden? What if a worm just targeted an individual; it would delete itself off any computer whose userID didn't match a certain reference? How long would it take before that one was discovered? What if it e-mailed a copy of the user's login script (most contain passwords) to an anonymous e-mail box before self-erasing? What if it automatically encrypted outgoing copies of itself with PGP or S/MIME? Or signed itself? (Signing keys are often left lying around.) What about Back Orifice for NT? Even a few minutes' thought yields some pretty scary possibilities.

It's impossible to push the problem off onto users with "do you trust this message/macro/application?" confirmations. Sure, it's unwise to run executables from strangers, but both Melissa and Worm.ExploreZip arrive pretending to be friends and associates of the recipient. Worm.ExploreZip even replied to real subject lines. Users can't make good security decisions under ideal conditions; they don't stand a chance against malware capable of social engineering.

What we're seeing is the convergence of several problems: the inadequate security in personal-computer operating systems, the permissiveness of networks, interconnections between applications on modern operating systems, e-mail as a vector to tunnel through network defenses and as a means to spread extremely rapidly, and the traditional naivete of users. Simple patches are inadequate. A large distributed system communicating at the speed of light is going to have to accept the reality of infections at the speed of light. Unless security is designed into the system from the bottom up, we're constantly going to be swimming against a strong tide.

Bruce Schneier is CTO and Founder of Counterpane Internet Security, Inc.



Categories: Computer and Information Security

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.