Blended threats combine the characteristics of viruses, worms, and Trojan horses with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage. Characteristics of blended threats include the following:
Causes harm—Launches a Denial-of-Service (DoS) attack at a target IP address, defaces Web servers, or plants Trojan horse programs for later execution.
Propagates by multiple methods—Scans for vulnerabilities to compromise a computer, such as embedding code in HTML files on a server, infecting visitors to a compromised Web site, or sending unauthorized email from compromised servers with a worm attachment.
Attacks from multiple points—Injects malicious code into the .exe files on a computer, raises the privilege level of the guest account, creates world-read and writeable network shares, makes numerous Registry changes, and adds script code into HTML files.
Spreads without human intervention—Continuously scans the Internet for vulnerable servers to attack.
Exploits vulnerabilities—Takes advantage of known vulnerabilities, such as buffer overflows, HTTP input-validation vulnerabilities, and known default passwords to gain unauthorized administrative access.
Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.
Blended threats such as Code Red spread by exploiting services running on vulnerable computers, which in Code Red’s case was the Miscrosoft IIS service’s HTTP implementation. Code Red took advantage of a flaw in the initial coding that allowed the arbitrary execution of code on the server hosting the IIS service. Others spread by taking advantage of vulnerabilities discovered in various services, such as the Windows DCOM Remote Procedure Call (RPC) vulnerability exploited by Blaster, or through code injection and buffer overflows, such as those generated by malformed UDP datagrams exploited by the SQL Slammer worm. Nimda and its variations made use of multiple vectors for transmission in a single package by spreading through vulnerable file shares and buffer overflows, or by sending itself as an email attachment.
Blended threats are becoming increasingly sophisticated, allowing viruses, worms, and Trojan horses to spread through any of a number of different mechanisms, in case a vulnerable computer’s defenses are only partially in place. This multifaceted attack strategy requires administrators to plan their network defense carefully, to contain multiple layers of defense and response mechanisms implemented at the client, server, and the gateway.