Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Doomsday malware: It's only a matter of time

Roger A. Grimes | Aug. 29, 2012
The most destructive malware hasn't made it into the wild yet -- and when it does, it'll put today's 'supermalware' to shame

One of the few benefits of being old is that even if your memory is starting to fade, you can still remember more history than the youngster next to you. That's why I'm always sent the latest malware reports by friends, coworkers, customers, and other reporters, then asked to gauge the seriousness of the latest supposed superthreat.

For example, a friend recently brought my attention to a detailed rundown on the ZeroAccess/Sirefer malware program. It's a doozy -- besides being a rootkit botnet program, it creates its own hidden partition on the hard drive and uses hidden alternative data streams to hide and thrive. I'm impressed ... sort of.

Longtime antimalware experts are rarely bowled over by new malware. Most of the threats are retreads of programs we've seen dozens of times since the 1990s. Malware that hides from prying eyes and antimalware software? Hiding techniques were in the very first IBM PC computer virus, Pakistani Brain, from 1986. Malware that encrypts data and asks for a ransom to provide the decryption key? That started with the AIDS Trojan in 1989. Polymorphic, ever-changing, hard-to-detect malware? Try Dark Avenger's Mutation Engine from March 1992. He confounded the world's best antivirus expects, including John McAfee, for most of the next few years.

It really takes something new to impress us. It happens occasionally, most notably with Stuxnet and Flame. But even those programs failed to shake up most malware experts because they're cyber warfare bugs that required teams of people with a state-sponsored objective in mind. The scariest parts of those two programs don't appear in traditional malware.

My doomsday malware
No, it's superbugs with more general targets that scare malware fighters. Although most antimalware experts won't readily admit to it, especially to the press, each has an idea of the most dreaded supermalware program they'd hate to see unleashed on the general public. Here's mine.

The most important attribute is that it would not require end-user intervention to spread. Think SQL Slammer or Blaster. Truly remote buffer overflow worms are pretty rare, but when they kick off, they can inflict a lot of damage. Slammer holds the fastest record, infecting nearly every possible unpatched SQL server connected to the Internet in about 10 minutes. By the time most of had woke up to reports of Slammer (it was released in the early morning hours on a Sunday), it had been in charge of the victims' servers for almost an entire business day.

Slammer had a few other interesting traits; for one, it didn't contain any payload. It just took over its victim and aggressively looked for more targets to exploit. In fact, its aggressiveness gave it away. Because Slammer tried to use so many network connections, an admin could quickly realize Slammer's presence on their network due to an utter shutdown from all the malicious traffic.


1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.