Welcome to the SecAware blog

I spy with my beady eye ...

28 Mar 2013

Molds and parasites - new families of malware

The following paragraph remains unredacted in a heavily redacted NSA newsletter from 1996:
"The most harmful computer virus will not be the one that stops your computer, but the one that randomly changes or corrupts your data over time."
Malware that causes data corruption perhaps ought to be called a fungus or mold rather than a virus but I guess "virus" remains the nondescript all-purpose term preferred by journalists and lay-people alike. 

Anyway, I partially agree with the statement.  Compared to incidents that are as crude and noisy as completely stopping the computer, more sophisticated and silent attacks (such as those behind APTs - Advanced Persistent Threats) are more dangerous and insidious because they can continue unabated for longer.  As with a parasite that exploits its symbiotic relationship with the host, a lengthy infection starts off with the host barely even recognizing that it has been victimized.

Random data corruption is a concern, for sure, but is fairly noisy in its own right.  Creeping data corruption in a relational database system, for instance, will eventually fall foul of the built-in database integrity controls, and may well be spotted by users who are aware and intelligent enough to appreciate that just because the computer says something does not necessarily mean it is true.  

So what about directed data corruption, where the malware targets particular data items and makes specific but relatively subtle changes?  Such a mold could be used to manipulate the system, the data, the users and their decisions in a concerted manner, leading them a merry dance for as long as possible before the inconsistencies came to light, by which time it might be too late to act.  The changes may appear as innocuous typoos in textual information (generally overlooked) or slight but consistent biases in numeric data.  Numeric changes might perhaps be picked up by statistical integrity-checking routines or Benford's Law - provided anyone bothered to consider the risk, implement and use the controls that is.  Aside from the NSA paper and our own security awareness materials on the topic of integrity, I have not seen this risk discussed (maybe I just missed it).

To close, let me return to the idea of parasitic malware.  Some living parasites have evolved the capability to alter their host's behavior, secreting toxins or hormones if not directly stimulating the host's nervous system.   Ophiocordyceps unilateralis, for example, is a fascinating parasitic fungus that infects certain ants, causing them to climb and cling to the top of foliage where the parasite kills them and sends out its fruiting bodies and spores over a wider area than it could have reached if the ants had remained at  ground level.  Imagine now an APT that not only stole and manipulated information, but influenced management and operational decisions made by managers and staff, changing the way the organization behaved.  

Remember this if your organization seems, for no obvious external reason, to be climbing the foliage.


No comments:

Post a Comment