Assessing Internet Viruses Like Human Epidemics
underpar writes "This ComputerWorld.com article discusses the UCSD's $6.2 million attempt to study Internet viruses in a manner similar to the study of human epidemics. Stefan Savage, a computer science professor, is quoted in the article as saying, 'We'll be focused on what vectors are used, just like in assessing West Nile, to spread computer viruses and ultimately try to develop defenses to prevent them from spreading.'"
I'm involved in the center, at ICSI in Berkeley.
If people have questions, feel free to ask.
Test your net with Netalyzr
Periodically I get frantic messages from members and friends with "important messages" about new email and computer viruses that are actually hoaxes. While savvy Internet users can usually immediately spot the hoaxes, many of our members can be both intimidated and frightened (not to mention the time and effort wasted when the messages are passed back and forth, to spread these 'alerts/hoaxes'). Running virus checking software can also be a very time-consuming endeavor (especially on a large Local Area Network); when you find that you have stopped everyone from working for several hours to check for a hoax, it can be really embarrassing.
My advice is to do a little checking on your own before you excitedly message all of your friends and associates, and possibly embarrass yourself by wasting a lot of their time. Here are some of the better sites that track both email and other computer viruses and virus hoaxes. I rely heavily on the U.S. Department of Energy Computer Incident Advisory Capability's (CIAC) Internet Virus Hoaxes page, but the others all have good and usually current information.
Between them, they describe more than a dozen hoaxes, from Good Times, to PENPAL GREETINGS, to Join the Crew. Background, including the actual "warning" message, is provided. These sites provide a valuable service to the Internet community, especially for new users.
How is this insightful? I do an occasional online scan and I haven't had a virus turn up in years.
how would you know [that you've been virus free without installing antivirus software]?
Periodically launching IE (after having firewalled it to connect only to microsoft.com and trendmicro.com) and going to Trend Micro's HouseCall site will tell you whether you have a virus on your machine, and you don't even need to pay for virus definition updates. Run a HouseCall scan overnight once a week (put something in Scheduled Tasks to remind you), and you'll be able to tell Windows XP SP2's security wizard the truth that you are already taking antivirus measures without having to shell out for Norton.
FWIW, readers should always understand that when they read a news story they are getting a reporter's interpretation of an interview that itself attempts to simplify a larger story. Inevitably, this means that technical details don't survive the translation. To wit, on the second page of the proposal we write: While it is tempting to repurpose the epidemiological models of infectious disease in humans [29], Internet pathogens are in fact quite different--they are authored by intelligent adversaries. Consequently, traditional stochastic analyses are highly fragile tools for predicting the dynamics or limitations of future outbreaks. For those actually interested in what our center is planning to do, I've made the proposal and the summary available. It also gives some insight into what an NSF grant proposal looks like for those who are curious. - Stefan
Most of your list is good, but I take exception to this item:
For one, Outlook and Outlook Express are two separate, distinct applications. For another, Outlook itself has been pretty secure since service packs for Outlook 2000 (that's three versions ago, for those who are counting), which remove malicious attachments so you can't execute them. Outlook XP and Outlook 2003 do that out of the box.
However, I surf with IE, read mail with Outlook, don't automatically patch (Windows Update is set to download and notify me when it's ready to install, but I get to choose when is a convenient time to install), and so on, and I haven't had a virus in years. (Last virus I had? Michelangelo. Yes, way back in the day.) It boils down to common sense. Don't install/run software you don't trust (in this case, I mean downloaded from a trusted source, since little Windows software is open source so you can't often audit the code), set up IE to ask you (or disable) to run ActiveX objects, don't visit warez sites, only visit "reputable" pr0n sites (yes, there really are such things!), etc.
Avoiding computer virii, like avoiding biological virii, comes down to common sense. Don't engage in risky behaviors, and you'll significantly reduce your exposure and likelihood of contracting a virus.
"- Automate patching"
I disagree with that one. I've found that there is nothing more annoying than having an application decide to launch itself while I'm working. All of a sudden, my word processor isn't listening for my typing (or it is doing so at an alarmingly slower rate), while I'm in the middle of a thought. Add in the fact that many updates on Windows require a restart, and you've got nothing but trouble on your hands. If you can set a schedule for a time you're never around (e.g. lunch break for office workers or class for students), you'd be fine. Otherwise, just remember to do it often. I've set up "Run Weekly" folders on my family members' desktops, and given them a disclaimer that if they don't do everything there every week, I will not help them with computer problems under any circumstance. Far better than having them think their computer is slow or broken every time something wants to check for an update, in my experience.
G
Um.... the actual basic defenses being preached go back much farther than you suspect. The Internet did not coincide with the development of the computer, or viruses.
Basic defenses are:
'Avoiding IE for surfing' should be "Don't use Microsoft Internet Explorer, full stop." Likewise, "Avoid OL/OE for eMail" should be "Don't use Microsoft Outlook or Outlook Express, full stop." Both of those fall under the category of "risky/stupid behavior". Just because your boss tells you that you have to use 'em doesn't make it any less risky.
Firewalls do two things -- one, they hide your network, so as to keep the black hats away from the data on your network, and two, they hide broken systems that are running insecure programs. This pretty much counts as controlling access to your machine.
I'm not a big fan of automated patching. Patching, yes, but if you automate it, you offer Yet Another Way for the black hats to sneak in to your system. A program that contacts another program to download programs that are replacing programs on that machine fails to (1) control access to your machine and (2) avoid trusting "live data".
"Warn on Anomalous behavior" sounds good (intrusion detection systems are sometimes based on this concept), but it doesn't really help too much in *preventing* viruses.
An up-to-date virus scanner is the belt you use in addition to suspenders; it's there to catch your goofs, where you're falling down on the job. As a mitigation strategy, it is good for your network... but it's already too late to get your system back into a pristine state. (Thus a good backup strategy is essential.)
In "the old days", you could bring a system back to a known-good state by powering it down, inserting known-clean read-only media, and booting it up again. (In hindsight, those floppy-based systems had a lot going for them. If you were careful, you could avoid exposing your system to viruses, even if you ran a known-infected program.)
It's a bit harder on modern operating systems. For one, there isn't a good way to run a program in isolation. If you're lucky enough to get a statically-linked program, a chroot jail is a simple place to start, but chroot jails aren't terribly secure, and there aren't a lot of statically-linked programs out there these days. Setting up a chroot jail can be prohibitively expensive (in terms of time or disk space).
User-mode Linux and virtual hardware (e.g. Virtual PC) are even more expensive in terms of disk space and set up costs.
Both chroot jails and user-space operating systems tend to keep a program from usefully interacting with other programs. If the output of one program is the input to another, and they're running in different jails/VMs, I need to start worrying about networking in order to facilitate communication. More complexity!
You can always partition your system so that /, /lib, and /usr are read-only, while /var, /tmp, and /home are noexec, but that's not often done, and more often than not, systems are shipping (or defaulting to) single-partition installs. (Madness, I say, madness!)
What would be nice is a system like chroot, but would make the entire system (to that process and sub-processes) read-only, aside from a list of directories, and no-exec, aside from a _different_ list of directories, and at no time would you have the same aspect of a filesystem both read-write and execut
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
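A check a defender can run against the partitioning advice in the comment above (read-only /, /lib, /usr; noexec /var, /tmp, /home; never the same filesystem both writable and executable). This is an added example, not code from the comment's author: it scans mount entries in /proc/mounts format and reports every filesystem mounted rw without noexec. The mount table below is constructed for the example; on a live host substitute the contents of /proc/mounts.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: / and /usr read-only,
# /var and /tmp writable but noexec, /home and /opt writable AND executable.
SAMPLE_MOUNTS='/dev/sda1 / ext3 ro,relatime 0 0
/dev/sda2 /usr ext3 ro,relatime 0 0
/dev/sda3 /var ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda4 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda5 /home ext3 rw,nosuid,nodev 0 0
/dev/sda6 /opt ext3 rw,relatime 0 0'

# Print the mount point of every entry that is mounted rw without noexec,
# i.e. a filesystem where a file that can be written can also be executed.
# Argument: mount table text, one /proc/mounts-style entry per line.
rw_exec_mounts() {
    printf '%s\n' "$1" | while read -r _dev mnt _fstype opts _rest; do
        [ -z "$mnt" ] && continue
        case ",$opts," in
            *,rw,*)
                case ",$opts," in
                    *,noexec,*) ;;             # writable but not executable: ok
                    *) printf '%s\n' "$mnt" ;; # writable and executable: flag it
                esac ;;
        esac
    done
}

# Number of flagged mounts; 0 means the rule holds for the whole table.
rw_exec_count() {
    rw_exec_mounts "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed table (use "$(cat /proc/mounts)" on a real host).
if [ "$(rw_exec_count "$SAMPLE_MOUNTS")" -eq 0 ]; then
    echo "ok: no filesystem is both writable and executable"
else
    echo "flagged (rw and exec):"
    rw_exec_mounts "$SAMPLE_MOUNTS"
fi
```

A default single-partition install shows up as a single flagged entry for /, which is exactly the "madness" the comment describes.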
"Which is why there are ten bacterial cells for every human cell in your body"
;)
This is basically an urban legend. The vast number of bacteria to which you are referring are isolated inside the colon - they are not really "in your body" in a functional sense. Except for certain epithelial-lined surfaces (the GI tract, upper airways, surface of the skin, lower GU organs) all tissues are normally free of bacteria.
Trust me, I'm a doctor
A virus could rewrite itself if the code was sufficiently modular.
A simple example would be to change ports opened on infested machines to random numbers. They could also actually attach themselves to system libraries or applications (like they used to), rather than just saving themselves to the hard disk in several places as they do now.
However a more interesting example might be a virus which had lots of different modules, some performing similar functions and redundant (much like stretches of dormant DNA). For example several ways to spread - via email, via email using outlook replying to messages already stored, via port-scanning on the local network etc. several ways to copy itself, semi-random destinations for copying, etc etc. Only some of these would be active at a time.
On infection, the virus would copy itself and in the process shuffle its 'genes', thus suppressing some of those functions and enabling others. This would make it harder to spot, and much harder to write, so thankfully it's probably not going to happen. It'd probably have to be trained extensively on a little test network to come up with a virulent strain.
Of course this isn't analogous to biological viruses, but would use some of the same tricks.
Selection pressure would be provided by the environment of PCs and anti-virus software.