In May 1998, Panda Software published a press release in which I made my first public statement.
This press release concerned a buffer overflow vulnerability detected in Microsoft Outlook, which caused considerable commotion at the time, as it was claimed that the bug would facilitate the creation of highly dangerous and rapidly spreading viruses.
The comment I made at the time was to the effect that it would be practically impossible for a virus writer to exploit a buffer overflow vulnerability as a virus entry point because of the technical complexity that this would entail.
This was my first public declaration and also, I'm afraid to say, my first erroneous prediction. I must add however, that I have since made a number of other predictions and written articles in the specialized press that have, unfortunately, turned out to be perfectly accurate.
To put recent developments in context, it is worth looking at a brief history of virus development. There have been several distinct 'eras' in virus technology in recent years, which can be summarized as follows:
pre - 1990 Boot and master boot viruses.
1990 - 1996 File viruses.
1996 - 1999 Script and document viruses.
1999 - 2001 Mass mailers
This is a highly simplified chronology but it does give an idea of the different generations of viruses. Within each generation there are many different types of viruses: resident, direct action, overwrite, worms, companion, trojans, message body etc. as well as different techniques used: stealth, tunneling, self-encryption, polymorphic, armoring...
It seems clear that in the latter half of 2001 and now in 2002 we are witnessing a new era of viruses based on vulnerabilities and buffer overflows.
Infections Using the Buffer Overflow Technique
This article aims to give readers an insight into the shape of things to come. Judging by what we saw during the last months of 2001, the future does not look too rosy. In the coming months, we can expect to see new vulnerability exploits opening the way for previously unthought of infection techniques and which will consequently diminish the effect of many anti-virus protection techniques.
It will become increasingly difficult to distinguish between potentially vulnerable file extensions and those that are innocuous. Whereas in the past, viruses like LoveLetter used a double extension to fool users, future viruses may well be able to infect files such as .BMP, .TXT or .WAV. These files are in themselves completely inoffensive, but due to vulnerability exploits in their corresponding applications, they could become as potentially dangerous as .EXE, .DOC or .VBX files are now.
A harbinger of this new infection technology was Code Red. This virus not only blew my theory of May 98 out of the water, but also proved that a virus can cause large-scale infection without anti-viruses being able to respond in time, as each new virus infection technique throws a spanner in the works of the anti-virus industry's capability to respond rapidly.
Brief Description of Code Red Infection Techniques
Before describing how a .BMP file could be infected, it is worth taking a look at some of the basic concepts behind the Code Red virus in order to understand how a buffer overflow can be used as a means of virus infection.
A buffer overflow occurs when an application is waiting to receive or read a block of memory but the buffer capacity, which is pre-determined by the application programmer, is exceeded. Imagine that the programmer that designed your web server believed that the maximum number of characters that a user would enter in a URL was 256. One day however, a user makes a URL request to your web server with 300 characters. If the programmer that developed your web server had only assigned enough memory to handle 256 bytes, on receiving the 300-byte request, the server would cease to operate correctly or could even block completely.
This is precisely what happens with IIS servers and was exploited by Code Red to cause thousands of infections. Code Red made a URL request that was perfectly crafted so that on causing a buffer overflow, the extra bytes in the server address space, which contain the viral code, would adjust the stack position so as not to block the server, and then take control of the application.
I use the expression "adjust the stack position" as normally, this type of virus causes a stack overflow which allows it to alter the return pointer value so that it points to the virus code in the overwritten stack. For this reason it is more accurate to talk of a stack overflow rather than a buffer overflow, even though the stack in itself is still actually a block of memory.
How Could a BMP File Become Infected?
Imagine, for example, that a vulnerability is discovered in the Paint application that ships with Windows 2000. When Paint reads the header of a .BMP file, this indicates that the file contains a 256-colour image, 100 pixels by 100 pixels. The application then assigns 10Kb of memory space to load the image and to be able to view and edit it. However, if the image was actually 100 pixels by 200 pixels, Paint would ignore the header data and read the 20Kb needed for an image of 256 colors, 100 x 200. At this moment, there is a buffer overflow because the application has copied 20Kb to a memory position reserved for 10Kb and the application will therefore probably block.
This could take place without the user realizing, as the problem might be attributed to a corrupt file. However, if the vulnerability were to be made public or a virus writer became aware of it, albeit accidentally, the vulnerability could be exploited to insert viral code. Logically, this would not be an infection in the traditional sense, but rather data within another file or item with the capability of infecting under certain circumstances, normally by exploiting an application stack overflow.
Conclusion: Everyone has a Part to Play
As we have seen, a vulnerability in an application is not just a flaw that affects product quality and customer satisfaction, but it is also a serious security problem and a potential virus entry point. The most serious infections in the latter half of 2001 demonstrated how the role of the software industry in general is paramount.
The manufacturer that has received most negative publicity regarding software vulnerabilities is undoubtedly Microsoft, although no company is free from the risk that their products could become virus entry points. The issue is not that Microsoft has most flaws in its software, but that it is probably the company that produces and distributes more software than any other and is therefore under closest scrutiny.
It is not just the software producers that need to act however. Users and, needless to say, the IT security industry, also have key roles to play in combating the new generation of malicious code.
Similarities are often drawn between the functions of the anti-virus industry and those of the police. The techniques of the virus authors are often said to be constantly one step ahead of the anti-virus companies just as the criminals are supposedly always one step ahead of the law. However advanced detection technology becomes, the bad guys always have tools like 'persuasion' - termed 'social engineering' in the AV industry - at their disposal, which often defeat even the most sophisticated security systems.
There is no getting away from the fact that user behavior is a determining factor in virus protection. If you open the door to a thief, no amount of security on Earth can protect you. Likewise, even the best anti-virus protection will not be of much use if users indiscriminately open any files they receive, disable the anti-virus or don't update it. The cornerstone of anti-virus protection is therefore the user, and user behavior is a determining factor in successfully curbing the spread of viruses.
As with many things in life, large-scale virus infections are cyclical. The anti-virus industry managed to stay on top of viruses during the year 2000 and for the most part of 2001, but the last few months have demonstrated the need for us to redouble our efforts to improve detection, protection and disinfection technology and also to ensure that we are communicating adequately. This final point is vital, as prevention is always better than cure.
Carlos Ardanza is director of research and development with Panda Software (www.pandasoftware.com). Panda Software is dedicated to the research and development of anti-virus software, data protection and network management.