Friday, September 12, 2003

The horrors to come

Up 'till now, we've had it pretty easy. Yes, even with the Blaster/Nachi/SoBig week. To date, virus writers haven't really gotten ahead of the anti-virus people. Proof? It only takes a day or so for a new signature update to come out.

The problem with most anti-virus products is that they're signature based. In reading various blogs, lists, and sites, the new technologies that we'll see in viruses include even better polymorphism and portless backdoors.

Polymorphism is the ability to change a stored file's appearance, usually through simple encryption and compression. This technology is only going to get better.

Portless backdoors is something that is being developed, under the guise of being a systems administrator tool, where a binary listens for a specific pattern of traffic followed by a command, all without opening a port to listen on.

To date, worms/viruses are pretty easy to detect. How do you know if you have an infected/compromised machine on your network? It's usually doing one of three things:

  • spitting up prodigious amounts of outgoing mail
  • noisily generating traffic on some other port
  • or listening on a specific port for commands from its new master.

Currently this requires driving the local NIC into promiscuous mode and then filtering incoming traffic. But from a virus/worm's point of view, this is a good thing as promiscuous interfaces are much harder to detect than open ports, remotely or otherwise. (We're going to have to get a lot better at detecting promiscuous interfaces!)

Given that the recent versions of malicious code already know how to turn off virus scanners and firewalls, things are going to get a whole lot darker before things improve.