Viruses, Trojan Horses & Worms

By Matthew Saltzman

Spam isn't the only annoying thing showing up uninvited on computers these days. An IOL area editor recently received e-mail from a member purporting to contain nude pictures of the member. It turned out to be an e-mail virus.

Viruses, Trojan horse programs and Internet worms have been wreaking havoc on the Net for years, but the frequency and extent of security events seem to have increased dramatically over the past year. Many victims are not companies, but individuals who simply have not felt the need to pay much attention to the security of their own machines before. These people are not helped by the attitudes of system and software vendors, who have traditionally opted to distribute software with insecure features turned on by default as a convenience. (This attitude is finally changing. New OS distributions tend to have most network features turned off by default.)

In this column, I describe various kinds of security threats, how they propagate and how they affect computers — in other words, how you might be at risk from these threats. Next issue, I will make some suggestions about how you can protect yourself and describe some measures we take to protect IOL.

The term "hacker" has come to be used in the popular press to describe malicious programmers. Among programmers, however, the term refers to best-of-breed programmers. These hackers refer to the malicious programmers as "crackers." The term "virus" has also come to be used generically to describe programs that exploit security holes to propagate themselves or to damage computer systems. But beyond the generic term is a somewhat more refined taxonomy of security threats.

A worm is a program that propagates itself from computer to computer, perhaps by exploiting a security flaw in a daemon (a service program that runs in the background and responds to requests sent to a particular port from other machines on the network). The first major Internet disruption by a worm program occurred in 1988, when Cornell Ph.D. student Robert Tappan Morris released a program that exploited a flaw in a common Unix daemon. The program was not intended to be malicious. It was designed to propagate slowly, but a bug caused it to run out of control. Recent famous worms include "Code Red" (which exploited a weakness in Microsoft's IIS Web server) and "Nimda" (which incorporated multiple propagation methods including e-mail, an IIS security hole, Windows network file shares and Web browser file downloads).

A virus is a program fragment that attaches itself to a program file, thus "infecting" it. The virus acts when the program is executed, infecting other program files and performing whatever other action is intended. Viruses are popular weapons against Microsoft DOS and Windows systems because the typical user on such systems can write to system files. It is much more difficult to propagate viruses on a protected-mode OS such as Linux or Unix because the typical user is prevented from altering program files other than his own. Hence, it is difficult for a virus to either infect system files or do serious damage to a system. Early viruses spread relatively slowly, as programs were generally distributed between PCs using floppy disks rather than the Internet.
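The protection described above rests on ordinary users not being able to write to program files. The following added example (not part of the original column) audits a directory of programs for files that a non-owner could alter, which is exactly the condition a file-infecting virus needs; the directory name, file names and permission modes in the demo are constructed for illustration.

```python
import os
import stat
import tempfile

# Permission bits that let someone other than the file's owner modify it.
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def classify_mode(mode):
    """Classify a file's st_mode as a potential virus host.

    Returns 'exposed' if the file is a regular executable that group or
    others may write (an ordinary user could attach code to it),
    'protected' if it is executable but only owner-writable, and None
    if it is not a program file at all.
    """
    if not stat.S_ISREG(mode):
        return None
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return None
    return "exposed" if mode & NON_OWNER_WRITE else "protected"

def audit_directory(directory):
    """Return (exposed program names, directory_exposed).

    A group- or world-writable directory without the sticky bit lets a
    program file be replaced outright even when the file's own bits are
    tight, so the directory is checked as well as its contents.
    """
    dir_mode = os.stat(directory).st_mode
    dir_exposed = bool(dir_mode & NON_OWNER_WRITE) and not dir_mode & stat.S_ISVTX
    exposed = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if classify_mode(st.st_mode) == "exposed":
            exposed.append(name)
    return exposed, dir_exposed

def demo():
    """Constructed sample: a temporary 'bin' directory holding one
    owner-only-writable program and one group-writable program."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("safe_tool", 0o755), ("loose_tool", 0o775)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\necho hi\n")
            os.chmod(path, mode)
        os.chmod(d, 0o755)
        return audit_directory(d)

if __name__ == "__main__":
    print(demo())  # (['loose_tool'], False) on a POSIX system
```

The mode checks are meaningful only on a POSIX filesystem; on Windows the group and other bits are not reported.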

A Trojan horse is a program that claims to do one thing, but does something else when executed. A Trojan horse program is typically spread by unsuspecting users who install the supposedly useful program, perhaps after downloading it over the Internet. The program may or may not perform as advertised, but it will also have some other side effect. Most so-called e-mail viruses are really worm-Trojan horse hybrids, propagating themselves but relying on the user to execute an attachment.

The payload of a virus, worm or Trojan horse is the part that acts on the target system, as opposed to the portion of the code responsible for replicating or transmitting it. The payload's effect on the target system may range from benign (a message to the user or modification to the video display) to destructive (wiping out disk drives or worse). The payload action may also be to start a daemon that allows an attacker to take over the machine.

In addition to these self-propagating threats, computers can be subjected to direct attacks. A program called a port scanner is run on one computer and attempts to identify vulnerabilities on another. Once a vulnerability is identified, it can be used to install a set of programs that allow the attacker access to the victim machine (a root kit). Once a machine is "owned" by an attacker, the attacker might steal information, damage the system by deleting files, or use the system to attack other systems.

In order to minimize the impact of these attacks, it is incumbent on all users to take precautions to prevent becoming victims.

Corrigendum: After my February 2002 column went to press, I ran across an article describing Hormel Foods' corporate stance on the use of the term "spam" to describe unsolicited bulk/commercial e-mail (http://www.spam.com/ci/ci_in.htm). In essence, Hormel requests that the all-uppercase version of the word be reserved to describe SPAM® Luncheon Meat, and that the slang term for UBE/UCE be written in lower case. In consideration of Hormel's gracious attitude, all occurrences of "SPAM" in the February column should be replaced with "spam."

Matthew Saltzman (mjs@ces.clemson.edu) is an associate professor of Mathematical Sciences at Clemson University and the editor of INFORMS Online.