Doomsday malware: Only a matter of time

The most destructive malware hasn't made it into the wild yet -- and when it does, it'll put today's 'supermalware' to shame

By Roger Grimes, InfoWorld

One of the few benefits of being old is that even if your memory is starting to fade, you can still remember more history than the youngster next to you. That’s why I’m always sent the latest malware reports by friends, coworkers, customers, and other reporters, then asked to gauge the seriousness of the latest supposed superthreat.

For example, a friend recently brought my attention to a detailed rundown on the ZeroAccess/Sirefef malware program. It’s a doozy — besides being a rootkit botnet program, it creates its own hidden partition on the hard drive and uses hidden alternate data streams to hide and thrive. I’m impressed … sort of.

Longtime antimalware experts are rarely bowled over by new malware. Most of the threats are retreads of programs we’ve seen dozens of times since the 1990s. Malware that hides from prying eyes and antimalware software? Hiding techniques were in the very first IBM PC computer virus, Pakistani Brain, from 1986. Malware that encrypts data and asks for a ransom to provide the decryption key? That started with the AIDS Trojan in 1989. Polymorphic, ever-changing, hard-to-detect malware? Try Dark Avenger’s Mutation Engine from March 1992. He confounded the world’s best antivirus experts, including John McAfee, for most of the next few years.

It really takes something new to impress us. It happens occasionally, most notably with Stuxnet and Flame. But even those programs failed to shake up most malware experts because they’re cyber warfare bugs that required teams of people with a state-sponsored objective in mind. The scariest parts of those two programs don’t appear in traditional malware.

My doomsday malware

No, it’s superbugs with more general targets that scare malware fighters.
Although most antimalware experts won’t readily admit to it, especially to the press, each has an idea of the most dreaded supermalware program they’d hate to see unleashed on the general public. Here’s mine.

The most important attribute is that it would not require end-user intervention to spread. Think SQL Slammer or Blaster. Truly remote buffer overflow worms are pretty rare, but when they kick off, they can inflict a lot of damage. Slammer holds the fastest record, infecting nearly every possible unpatched SQL server connected to the Internet in about 10 minutes. By the time most of us had woken up to reports of Slammer (it was released in the early morning hours on a Sunday), it had been in charge of the victims’ servers for almost an entire business day.

Slammer had a few other interesting traits; for one, it didn’t contain any payload. It just took over its victim and aggressively looked for more targets to exploit. In fact, its aggressiveness gave it away. Because Slammer tried to use so many network connections, an admin could quickly realize Slammer’s presence on their network due to an utter shutdown from all the malicious traffic.

Low-profile mayhem

A more dreaded worm would be one that infected low and slow. The slowness isn’t that important, but the low attribute implies that the beast can infect as many victims as possible without incurring immediate responses from admins. The perfect malware program would go about doing its dirty work, hitting more hosts, possibly getting backed up along with normal data so that even all the saved backups were compromised.

Another interesting trait of Slammer was that it was a memory-only program, unlike most malware that writes itself to files, folders, and registry keys, a method that ensures it survives a reboot. However, this sort of modification makes it easier to find by host intrusion detection systems.
Compare this to flipping a few thousand bytes in memory (Slammer was less than 500 bytes in size), which tends to fly below the radar.

To qualify as uber-malware, it would need to be cross-platform, infecting all popular operating systems and computer sizes, from data center servers to smartphones. It would infect Windows, OS X, BSD, and Linux at a bare minimum, but it could add Solaris, Unix, Android, iOS, and other OSes for complete world domination.

This superbug would probably be ransomware, encrypting everyone’s data; if the malware is removed, the data is lost forever. Such ransomware already exists, and it’s scary when the decryption key cannot be cracked. I’ve had to reinfect systems with ransomware just to access the data it was encrypting; only then could it be removed permanently.

A scary malware program would use large keys from proven crypto (say, AES-256) and store those keys at the originator’s lair. That way, you must go through the creator if you want to decrypt the data. Or maybe the malware program does the exact opposite. Instead of encrypting your data, it sends it all out onto the Internet where anyone can access it. I’m not sure which scenario is worse.

A ticking time bomb

Low and slow, a superbug would infect as many computers as it could. It would slip into the source code of a popular software title (which already happens on a fairly regular basis). Everyone installs the product, and the malware sits dormant for months, with users blissfully unaware of the ticking time bomb on their hard disk.

Then, at some predetermined date and time … boom! Every possible computer — think hundreds of millions of consoles — goes down at the same time. Instead of resembling Slammer, which lacked a payload, the superworm would go off with devastating consequences.

Your home computer is down. The Internet is down. Your cellphone is down. The stock market is down.
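The Slammer observation a few paragraphs back (its sheer connection volume gave it away, while a "low and slow" worm would not) is really a statement about detection thresholds. The following is an added illustration, not code from the column or from any product it mentions: two sliding-window detectors run over constructed connection records. A burst detector (connections per host in a short window) catches the Slammer-style host only; a fan-out detector (distinct destinations per host over a longer window) also catches a host that contacts one new machine per minute. Host names, thresholds, and window sizes are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


def constructed_events():
    """Constructed connection records as (t_seconds, src_host, dst_ip).

    These are synthetic, not captured traffic. Three behaviours are modelled:
      "noisy"  - 400 distinct destinations in about four seconds (Slammer-like burst)
      "slow"   - one new destination every 60 s for two hours (120 distinct hosts)
      "normal" - 240 connections over two hours, but only to 8 recurring servers
    """
    events = []
    for i in range(400):
        events.append((1000.0 + i * 0.01, "noisy", f"10.0.{i // 256}.{i % 256}"))
    for i in range(120):
        events.append((float(i * 60), "slow", f"10.1.{i // 256}.{i % 256}"))
    for i in range(240):
        events.append((float(i * 30), "normal", f"10.2.0.{i % 8}"))
    events.sort()  # detectors expect time order
    return events


def burst_alerts(events, window_s=10, threshold=100):
    """Flag hosts that open more than `threshold` connections in any `window_s` span.

    This is the signal an admin noticed with Slammer: the network simply floods.
    """
    recent = defaultdict(deque)  # src -> timestamps inside the current window
    flagged = set()
    for t, src, _dst in events:
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


def fanout_alerts(events, window_s=3600, threshold=50):
    """Flag hosts that contact more than `threshold` distinct destinations in any `window_s` span.

    Counting distinct peers rather than raw volume is what exposes a slow scanner:
    a legitimate client talks to a handful of servers repeatedly, a worm keeps
    finding new ones, however politely it paces itself.
    """
    recent = defaultdict(deque)                      # src -> (t, dst) inside window
    live = defaultdict(lambda: defaultdict(int))     # src -> dst -> occurrences in window
    flagged = set()
    for t, src, dst in events:
        q, counts = recent[src], live[src]
        q.append((t, dst))
        counts[dst] += 1
        while q and t - q[0][0] > window_s:
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]          # destination has aged out of the window
        if len(counts) > threshold:
            flagged.add(src)
    return flagged


def report(events):
    """Summarise which detector catches which host; returns a dict for inspection."""
    return {
        "burst_only": sorted(burst_alerts(events)),
        "fanout": sorted(fanout_alerts(events)),
    }


if __name__ == "__main__":
    print(report(constructed_events()))
```

Run on the constructed data, the burst detector flags only "noisy", while the fan-out detector flags both "noisy" and "slow" and leaves "normal" alone. The thresholds are illustrative; in practice they are tuned per network segment against observed baselines, and the distinct-destination count is usually scoped further (for example, per destination port) to keep false positives down.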
The television networks, the newspapers, your company, aviation, the military — they’re all down.

The worst case

But isn’t such an extreme scenario highly unlikely? Not at all. Every malware expert knows this sort of thing could happen. Everything’s connected to the Internet now, using the same protocols and defenses. Most people run the same programs. There’s a Vegas betting chance it will happen.

The way I see it playing out is that a puckish, overzealous programmer creates a malware program. He or she sends out a draft creation hoping to create a little mischief, but it takes over the world instead. It happened with the Robert Morris Internet worm of 1988. It happened with Slammer.

This is the type of malware that scares me: Not the targeted likes of Stuxnet or Flame, but an app that attacks the general public, and instead of doing nothing, it does everything. In 10 minutes, every computer it hit could be permanently disabled. Game over.

In my humble opinion, it’s only a matter of time. Maybe then we’ll start taking security seriously.

This story, “Doomsday malware: Only a matter of time,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.