Computing Applications

Inside Risks: the Trojan Horse Race

This year has been pivotal for malicious software (malware) such as viruses, worms, and Trojan horses. Although the problem is not new, Internet growth and weak system security have increased the risks.

Viruses and worms survive by moving from computer to computer. Prior to the Internet, computers communicated slowly, mostly from floppy disks and bulletin boards. Initially, antivirus programs were fairly effective at blocking known types of malware entering PCs, especially when only a handful of viruses prevailed. But now there are over 10,000 virus types; with email and Internet connectivity, the opportunities and speed of propagation have increased dramatically.

Things have changed. Like Melissa, the Worm.ExploreZip worm, and other inevitable variants, viruses arrive via email and use email software features to replicate themselves across the network. They mail themselves to people known to the infected host, enticing the recipients to open or run them. They propagate almost instantaneously. Antiviral software simply cannot keep up. And email runs over Internet connections that block everything else. Email tunnels through firewalls. Everyone uses it.

Melissa uses features in Microsoft Word (with variants using Excel) to automatically email itself to others, and Melissa and Worm.ExploreZip make use of Microsoft Outlook’s automatic mail features. Microsoft is certainly to blame for creating the powerful macro capabilities of Word and Excel, blurring the distinction between executable files (which can be dangerous) and data files (which at one time seemed safe). They will be blamed when Outlook 2000, which supports HTML, makes it possible for users to be attacked by HTML-based malware simply by opening email. DOS set the security state-of-the-art back 25 years, and Microsoft has continued that legacy to this day. Microsoft certainly has a lot to answer for, but the real cause is more subtle.
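The self-mailing pattern described above, as an added example that is not from the column: a gateway-side check over constructed mail-log lines that flags one internal sender shipping the same attachment to many distinct recipients within a short window, keyed on attachment rather than subject so it covers both a fixed subject and a worm that replies to real subject lines. The log format, addresses and attachment name are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample of a mail-gateway log (not a real format); one host bursts the
# same executable attachment to five colleagues under assorted "Re:" subjects.
SAMPLE_LOG = """\
1999-06-11T09:00:01 from=alice@corp.example to=bob@corp.example subj="Re: budget" attach=files.exe
1999-06-11T09:00:02 from=alice@corp.example to=carol@corp.example subj="Re: minutes" attach=files.exe
1999-06-11T09:00:02 from=alice@corp.example to=dave@corp.example subj="Re: lunch" attach=files.exe
1999-06-11T09:00:03 from=alice@corp.example to=erin@corp.example subj="Re: lunch" attach=files.exe
1999-06-11T09:00:04 from=alice@corp.example to=frank@corp.example subj="Re: minutes" attach=files.exe
1999-06-11T09:05:00 from=bob@corp.example to=alice@corp.example subj="Re: budget" attach=
1999-06-11T10:00:00 from=carol@corp.example to=list@corp.example subj="Q3 plan" attach=plan.doc
"""

LINE = re.compile(r'^(\S+) from=(\S+) to=(\S+) subj="([^"]*)" attach=(\S*)$')

def find_mass_mailers(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {(sender, attachment): distinct recipients} for every burst that reaches threshold."""
    events = defaultdict(list)  # (sender, attachment) -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not parse rather than guessing
        ts, sender, rcpt, _subj, attach = m.groups()
        if not attach:
            continue  # a message with no attachment cannot be carrying the payload
        events[(sender, attach)].append((datetime.fromisoformat(ts), rcpt))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {r for _, r in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    for (sender, attach), n in find_mass_mailers(SAMPLE_LOG).items():
        print(f"burst: {sender} sent {attach} to {n} recipients within 60s")
```

The subject line is deliberately not part of the key; the column's point is that a worm can reuse a real subject and a known sender, so the signal has to come from volume and the attachment itself.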

It’s easy to point fingers at virus creators or at the media for publicity begetting further malware. But a basic problem is the permissive nature of the Internet. As long as a program has the ability to do anything on the computer it runs on, malware will be incredibly dangerous. Just as firewalls protect different computers on the same network, we’re going to need something to protect different processes running on the same computer.

Malware cannot be stopped at the firewall because email tunnels it through a firewall, popping up on the inside and causing its intended damage. Thus far, the examples have been mild, but they represent a proof of concept. The effectiveness of firewalls will diminish as we open up more services (email, Web, and so on), as we add increasingly complex applications on the internal net, and as misusers catch on. This "tunnel-inside-and-play" technique will only get worse.

Another problem is rich content. We know we have to make Internet applications (sendmail, rlogin) more secure. Melissa exploits security problems in Microsoft Word; others exploit Excel. Suddenly, these are network applications. Has anyone bothered to check for buffer overflow bugs in PDF viewers?

Antivirus software doesn’t help much. If Melissa can infect 1.2 million computers in the hours before a fix is released, that’s a lot of damage. What if the code took pains to hide itself, so that a virus remained hidden? What if a worm targeted a single individual, deleting itself from any computer whose user ID didn’t match a given value? How long would it take before discovery? What if it emailed a copy of the user’s login script (most contain passwords) to an anonymous email box before self-erasing? What if a worm automatically encrypted outgoing copies of itself with PGP or S/MIME? Or signed itself? (Signing keys are often left lying around.) What about Back Orifice for NT? These are scary possibilities.

It’s impossible to push the problem onto users with "do you trust this message/macro/application?" confirmations. Sure, it’s unwise to run executables from strangers, but both Melissa and Worm.ExploreZip arrive pretending to be friends and associates of the recipient. Worm.ExploreZip even replied to real subject lines. Users can’t make good security decisions under ideal conditions; they don’t stand a chance against malware capable of social engineering.

What we’re seeing is the convergence of several problems: the inadequate security in PC operating systems, the permissiveness of networks, interconnections between applications on modern operating systems, email as a vector to tunnel through network defenses and as a means to spread extremely rapidly, and the naivete of users. Simple patches are inadequate. A large distributed system communicating at the speed of light must accept the reality of infections at the speed of light. Unless security is designed into the system from the bottom up, we’re constantly going to be swimming against a strong tide.
