Cosc 4765 Viruses, Worms, and Malware.

Upload: dinah-bradford

Post on 22-Dec-2015


Page 1: Cosc 4765 Viruses, Worms, and Malware.. Some History The early “viruses” were not viruses. They were code that accidentally did something it wasn’t supposed

Cosc 4765

Viruses, Worms, and Malware.

Page 2

Some History

• The early "viruses" were not viruses. They were code that accidentally did something it wasn't supposed to
– It broke the bounds of its own memory locations and accessed another program's memory
– Or ended up running code from another program.
• Tracing the patterns such code left through memory looked like the holes in "worm-eaten" wood.
– That is one story of where the term "worm" came from. (The Xerox PARC researchers who wrote the first deliberate worms, Shoch and Hupp, said they took the name from John Brunner's 1975 novel The Shockwave Rider.)

Page 3

Worm Vs Virus

• Worm
– Designed to copy itself from one computer to another
– Relies less (or not at all) on humans to propagate
– Goal: infect as many computers as possible
• Virus (plural viruses; some use "virii")
– Designed to spread over as many files as possible on a single computer
– Spreads to other computers via humans (normally), e.g. a user carrying an infected disk or file to another machine

Page 4

The brief (older) history

• We look at some of the original viruses and worms, and then talk in general about malware.

Page 5

First Worm?

• The first "worm" is generally considered to be the Xerox worm.
– It was an accident.
– In the early 1980s, Xerox PARC researchers (Shoch and Hupp) created worms to perform useful tasks on the computers connected to their network, such as putting idle machines to work on a distributed computation.
– It got out of control due to a bug in the program, which crashed computers.

Page 6

MORRIS/INTERNET WORM (1988)

• The Morris Worm (sometimes called the Internet Worm) had one function: to spread itself to as many computers as possible.
– The worm infection began on a VAX 8600 at the University of Utah and spread from there, causing an incredible strain on processor load. Overloading machines and networks was not intended; a bug in the worm (its check against reinfecting an already infected host did not work reliably) caused it.
• The worm spread to over 6,000 machines in the United States. It caused no physical damage to the machines it infected.
• The worm exposed some serious security holes in UNIX environments, which could have gone undetected much longer had the worm not used them to propagate.

Page 7

The Internet Worm Details

• The "worm" program consisted of 2 parts:
– l1.c, a small bootstrap (the "grappling hook"): once on the target it was compiled and run; it then fetched the main worm (worm.c), compiled it and ran it. worm.c looked for other machines on the network to repeat the process, sending l1.c to each of them, and so on.
– The worm also tried to break passwords (guessing from the account's own details, a built-in word list and /usr/dict/words). This was CPU intensive and could not be stopped by a reboot: if a machine was shut off, it would get the worm again from somewhere on the network as soon as it came back up.

Page 8

The Internet Worm Details (2)

Page 9

How the worm broke in

Used 1 of 3 methods to break into a machine

1. rsh (remote shell): you can run commands on another machine without logging into it (no password asked) if that machine's trust files (/etc/hosts.equiv or a user's .rhosts) list your host.
– This is a feature, not a bug, in UNIX. If you found a machine that trusted other machines, you could "infect" those other machines as well.

Page 10

2. If that didn't work, it used a bug in the "finger" command.
– finger user@host returns info about the user fingered. The finger daemon (fingerd) read the request with gets(), which does not check for a buffer overflow.
– The worm called fingerd with a specially handcrafted 536-byte string as the request
– which overflowed the daemon's 512-byte buffer and overwrote the rest of the daemon's stack frame.
– When a procedure returns, it reads the return address from the stack to find out what to do next
– so the procedure "returned" into code inside the 536-byte string. That code started a shell (/bin/sh) the worm could use, with root privileges, since fingerd ran as root on many systems.
– This only worked on VAX machines running 4.3BSD; on Sun systems the same string simply crashed fingerd.


Page 11

How the worm broke in (2)

3. If these didn't work, it used sendmail.
• sendmail had a DEBUG mode, left compiled in on many systems, that let a message name a program (rather than a mailbox) as its recipient and have the message piped into that program. The worm sent a message whose "recipient" was a shell command that stripped the headers off the message body and ran the bootstrap. Feature or bug?
• sendmail's "features" have been exploited by worms and hackers for a long time.
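The overflow in method 2, modelled as an added example (this is not code from the slides or from the worm; the frame layout, the "legitimate" and attacker-chosen return addresses and the filler in the 536-byte request are assumptions chosen for the demo): the gets()-style reader lets the request run past the 512-byte buffer into the saved return address, while the fgets()-style reader refuses it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides or from the worm.  Model of the
 * fingerd bug: the daemon read a request line with gets() into a 512-byte
 * stack buffer, so a longer line ran past the buffer into the rest of the
 * frame.  The frame is modelled as a struct so the overwrite stays defined
 * behaviour here; the 16 bytes of "saved registers" and the 8-byte return
 * slot are assumptions that make the frame exactly the 536 bytes the worm
 * sent.  This is not the real VAX frame layout. */

#define BUF_SIZE     512
#define WORM_REQ_LEN 536
#define LEGIT_RET    0x0000000000401000ULL   /* assumed legitimate return address */
#define FAKE_RET     0x4242424242424242ULL   /* assumed attacker-chosen value     */

struct fake_frame {
    char     buf[BUF_SIZE];    /* fingerd's line buffer                        */
    char     saved_regs[16];   /* stand-in for saved registers / frame pointer */
    uint64_t saved_ret;        /* where the function "returns" to              */
};

/* Constructs the 536-byte request: filler standing in for the code the worm
 * carried, then 8 bytes that land exactly on saved_ret.  In the real exploit
 * the new return address pointed back into this same string. */
size_t build_worm_request(unsigned char *out, size_t cap, uint64_t fake_ret)
{
    if (cap < WORM_REQ_LEN) return 0;
    memset(out, 'N', WORM_REQ_LEN - sizeof fake_ret);
    memcpy(out + WORM_REQ_LEN - sizeof fake_ret, &fake_ret, sizeof fake_ret);
    return WORM_REQ_LEN;
}

/* Vulnerable pattern (gets()-style): copies everything, no bound.  buf is at
 * offset 0 of the frame, so bytes 512..535 clobber saved_regs and saved_ret.
 * The one guard below only keeps the demo inside the struct; gets() had none. */
void unchecked_read_line(struct fake_frame *f, const unsigned char *req, size_t n)
{
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, req, n);
}

/* Fixed pattern (fgets()-style): the copy is bounded by the buffer and input
 * that does not fit is refused instead of being written past buf.
 * Returns 0 on success, -1 if the line is too long. */
int checked_read_line(struct fake_frame *f, const unsigned char *req, size_t n)
{
    if (n >= BUF_SIZE) return -1;          /* leave room for the terminator */
    memcpy(f->buf, req, n);
    f->buf[n] = '\0';
    return 0;
}

/* Feeds the worm's request to one reader and reports the return address the
 * frame holds afterwards; vulnerable != 0 selects the gets()-style reader. */
uint64_t ret_after_worm_request(int vulnerable)
{
    unsigned char req[WORM_REQ_LEN];
    struct fake_frame f;
    size_t n = build_worm_request(req, sizeof req, FAKE_RET);

    memset(&f, 0, sizeof f);
    f.saved_ret = LEGIT_RET;
    if (vulnerable) unchecked_read_line(&f, req, n);
    else            checked_read_line(&f, req, n);
    return f.saved_ret;
}

/* A normal request ("user\n") must still be accepted by the fixed reader. */
int fixed_reader_accepts_normal_request(void)
{
    struct fake_frame f;
    const unsigned char req[] = "user\n";
    memset(&f, 0, sizeof f);
    return checked_read_line(&f, req, sizeof req - 1) == 0 && strcmp(f.buf, "user\n") == 0;
}

int main(void)
{
    printf("gets()-style reader returns to  0x%016llx\n",
           (unsigned long long)ret_after_worm_request(1));
    printf("fgets()-style reader returns to 0x%016llx\n",
           (unsigned long long)ret_after_worm_request(0));
    return 0;
}
```

The check that matters is the one on the length before the copy. In a real daemon fgets(buf, sizeof buf, stdin) gives the same guarantee, and a line that fills the buffer without a newline should be treated as too long rather than silently processed.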

Page 12

Curing the Internet Worm

• Cure: run a dummy worm.
– When a new copy of the worm arrived it checked whether one was already running and, if so, was not supposed to reinstall itself, so a harmless process that answered that check kept the real worm out. But 1 in 7 times it reinstalled anyway: this rule was written into the worm, apparently to defeat exactly this trick, and it is the main reason machines ended up overloaded with many copies.
• Real cure: patch the system to remove the bugs and disallow the programs that are vulnerable: fix fingerd's unchecked read, rebuild sendmail without DEBUG, and tighten rsh trust.

Page 13

History of Viruses

• Early virus history is difficult to reconstruct
• There are 4 viruses that are basically dated to 1987
– These 4 viruses were used as base code for many, many later viruses.
• Stoned/Stoner virus, first reported Feb 2, 1988
– Thought to have been created at a university in Wellington, New Zealand.
– Had a 1 in 8 chance of displaying one of the following messages:
• "Your PC is now stoned! LEGALIZE MARIJUANA!"
• "Your PC is now Stoned!"
• "Your computer is now stoned."
– New Stoned viruses are still being produced today.
– There are at least 90 separate variants, which do different things.

Page 14

Ashar and Brain

• The Ashar and Brain virus family
– May have started in 1986, based on a copyright date in the code, but most infections were found later, in 1988 and 1989
– First to use "stealth" techniques to hide itself.
• When a program asked to read the (infected) boot sector, the virus intercepted the read and returned the original boot record it had saved elsewhere on the disk. The sectors holding the virus were marked as bad in the FAT so they would not get overwritten.
– Many believe Ashar, likely the earlier of the two, was the first MS-DOS virus.

Page 15

Cascade Virus

• Cascade virus (1987 and 1988)
– Thought to have been written in Germany
• Used encryption of its own code (one of the first viruses to do so), so it was harder to detect and to repair infected files.
– It introduced the ability to cause changes on the screen.
• All the letters on the screen dropped to the bottom, in a cascade.
– This virus made IBM take viruses seriously, since so many IBM computers became infected.

Page 16

Jerusalem virus (1987)

– Originated in Israel, as part of experimentation. There were actually 4 viruses: suriv-1, suriv-2, suriv-3 ("suriv" is "virus" spelled backwards)
• suriv-4 became known as the Jerusalem virus after it accidentally got loose.
– It had the ability to infect any .exe, .com, .sys, .pif, and .ovl files.
• Except for command.com
• It would reinfect the same .exe files over and over again because of a bug in the code, so they grew with every infection.

Page 17

• There have been many notable viruses and worms in 20 years
– DATACRIME/COLUMBUS DAY VIRUS (1989)
• Most AV companies got their start because of it.
– Michelangelo virus (1992), Concept virus (1995, the first widespread macro virus), Happy99 (1999)
– Code Red (2001) and Blaster (2003), designed to spread as fast as possible.
– Netsky, Bagle, and MyDoom email worms (2004)
– OSX/Leap-A (also called Oompa-A), 2006 (Mac malware)

Page 18

How malware works

• Stealth is a mechanism by which malware hides the size increase of infected files and/or its own code, typically by intercepting the system calls that read the infected file or sector and returning the original contents.
• Polymorphism involves encryption of the body, where the decryption routine itself varies from copy to copy, so there is no fixed byte sequence for a signature to match.
• Armouring is used to prevent anti-virus researchers from disassembling or debugging the malware (think obfuscation).
• Multipartite/multipart malware infects multiple places (e.g. both the boot sector and executable files) and has multiple separate pieces.
• Each part can regenerate the other parts as needed.
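To make the polymorphism point concrete, an added example (a toy model, not code from the slides or from any real virus; the 5-byte "decryptor bytecode", the payload string and the signature are made up for the demo): each generation gets a different decryptor and a differently encrypted body, a plain signature scan of the stored bytes finds nothing, and the scanner only gets a hit after interpreting the decryptor to recover the body, which is what anti-virus emulation does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; a toy model, not code from the slides or from any real
 * virus.  Each "generation" carries the same payload (a harmless string)
 * encrypted under a fresh key, preceded by a decryptor whose bytes vary:
 * random junk length, random key, one of two loop types.  The decryptor is
 * a made-up bytecode, not real machine code. */

static const unsigned char PAYLOAD[] = "Your PC is now stoned!";   /* constructed */
#define PAYLOAD_LEN (sizeof PAYLOAD - 1)

/* the byte pattern an AV product might extract from the plaintext body */
static const unsigned char SIG[] = "stoned!";
#define SIG_LEN (sizeof SIG - 1)

enum { OP_NOP = 0x90, OP_LOADKEY = 0xB0, OP_XORLOOP = 0x30, OP_SUBLOOP = 0x28, OP_END = 0xC3 };

/* small deterministic generator so each seed yields a reproducible generation */
static uint32_t lcg(uint32_t *s) { *s = *s * 1103515245u + 12345u; return *s >> 16; }

/* Emits [junk NOPs][LOADKEY k][XORLOOP|SUBLOOP len][END][encrypted payload].
 * Returns the total length, or 0 if cap is too small. */
size_t generate(unsigned char *out, size_t cap, uint32_t seed)
{
    uint32_t s = seed;
    unsigned char key = (unsigned char)(lcg(&s) | 1);   /* odd, never 0 */
    size_t junk = lcg(&s) % 8;
    int use_sub = (int)(lcg(&s) & 1);
    size_t p = 0;

    if (cap < junk + 5 + PAYLOAD_LEN) return 0;
    for (size_t i = 0; i < junk; i++) out[p++] = OP_NOP;
    out[p++] = OP_LOADKEY; out[p++] = key;
    out[p++] = use_sub ? OP_SUBLOOP : OP_XORLOOP;
    out[p++] = (unsigned char)PAYLOAD_LEN;
    out[p++] = OP_END;
    for (size_t i = 0; i < PAYLOAD_LEN; i++)           /* SUBLOOP undoes an add */
        out[p++] = use_sub ? (unsigned char)(PAYLOAD[i] + key) : (PAYLOAD[i] ^ key);
    return p;
}

/* Plain byte-pattern scan: 1 if SIG occurs anywhere in buf. */
int signature_scan(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i + SIG_LEN <= n; i++)
        if (memcmp(buf + i, SIG, SIG_LEN) == 0) return 1;
    return 0;
}

/* What a scanner has to do instead: interpret the decryptor far enough to
 * recover the body, then scan the plaintext.  Returns 1 on a hit, 0 if the
 * signature is absent or the decryptor does not parse. */
int emulate_scan(const unsigned char *buf, size_t n)
{
    unsigned char tmp[256];
    size_t p = 0;

    while (p < n && buf[p] == OP_NOP) p++;              /* skip junk */
    if (p + 5 > n || buf[p] != OP_LOADKEY) return 0;
    unsigned char key = buf[p + 1];
    unsigned char op  = buf[p + 2];
    size_t len        = buf[p + 3];
    if (buf[p + 4] != OP_END || p + 5 + len > n) return 0;
    if (op != OP_XORLOOP && op != OP_SUBLOOP) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[p + 5 + i];
        tmp[i] = (op == OP_SUBLOOP) ? (unsigned char)(c - key) : (c ^ key);
    }
    return signature_scan(tmp, len);
}

/* Run one generation end to end with each scanner (-1 if generation failed). */
int static_scan_hits(uint32_t seed)
{
    unsigned char g[128];
    size_t n = generate(g, sizeof g, seed);
    return n ? signature_scan(g, n) : -1;
}

int emulated_scan_hits(uint32_t seed)
{
    unsigned char g[128];
    size_t n = generate(g, sizeof g, seed);
    return n ? emulate_scan(g, n) : -1;
}

/* 1 if two seeds produce byte-for-byte different generations. */
int generations_differ(uint32_t a, uint32_t b)
{
    unsigned char ga[128], gb[128];
    size_t na = generate(ga, sizeof ga, a), nb = generate(gb, sizeof gb, b);
    return na != nb || memcmp(ga, gb, na) != 0;
}

int main(void)
{
    for (uint32_t seed = 1; seed <= 3; seed++)
        printf("seed %u: static scan %d, emulated scan %d\n",
               seed, static_scan_hits(seed), emulated_scan_hits(seed));
    return 0;
}
```

Real engines do the same thing with a CPU emulator instead of a five-opcode interpreter, and the armouring on the next slide is largely an attempt to make that emulation stall or misbehave.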

Page 19

Malware Goals

• Once a system is infected, keep the infection by any means possible.
• Data theft
– Normally banking (money/bitcoin/logins), email, and material for blackmail
• Resources
– Add the system to a botnet.

Page 20

Example case: Conficker

• Conficker (2008-2012)
– Infected, at its high point, an estimated 15 million MS Windows computers (Windows 2000 to Windows 7)
– Armoring:
• It uses SHA-1 and RC4 to encrypt its payloads, and RSA signatures: a payload is unpacked and its signature verified before it runs, so only the authors can push updates to infected machines. The RSA key is 4096 bits.
• Conficker B was basically the first application to adopt MD6, and when a weakness (a buffer overflow) was found in the early MD6 reference implementation, the next variant shipped with the fix only about a month later.

Page 21

Example case: Conficker (2)

• Self-defense
– Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.
– Processes matching a predefined list of anti-virus, diagnostic or system patching tools are watched for and terminated.
– An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to anti-virus software vendors and the Windows Update service, so the machine can no longer fetch signatures or patches.

Page 22

The AV problem

• Research carried out at Hewlett-Packard's research labs in Bristol (late 2002) analyzed the effectiveness of the signature-update approach to virus detection and elimination against a computer model designed to mimic viral spread.
– The model showed that the signature-update approach is fundamentally flawed, simply because worms can spread faster than anti-virus signature updates can be distributed.
• Even if AV vendors produce an antidote to a virus as soon as it appears, the model breaks down because of the time it takes to deliver a fix to desktops.
– Within this "window of vulnerability" a worm can take hold, HP researcher Matthew Williamson concludes.
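A worked version of that argument, as an added example (a textbook logistic spread model, not the HP model the slide refers to, which is not reproduced here; the population size, doubling times and delivery delays are assumptions): it computes how much of the population a signature can still protect if it lands a given number of minutes after the worm's release.

```c
#include <stdio.h>

/* Added example, not from the slides and not the HP/Williamson model.
 * Simple SI ("susceptible-infected") spread: N equally vulnerable hosts,
 * one infected at t = 0, infections growing at a rate that doubles the
 * infected count every `doubling_min` minutes while most hosts are still
 * clean, and slowing as the pool of clean hosts runs out.  Integrated with
 * one Euler step per minute so no math library is needed. */

#define LN2 0.6931471805599453

/* Infected fraction after t_min minutes, starting from one infected host. */
double infected_fraction(double hosts, double doubling_min, int t_min)
{
    double beta = LN2 / doubling_min;      /* per-minute growth rate */
    double infected = 1.0;
    for (int t = 0; t < t_min; t++)
        infected += beta * infected * (1.0 - infected / hosts);
    return infected / hosts;
}

/* Minutes until `fraction` of hosts are infected, -1 if not within max_min.
 * This is the defender's real deadline for getting a signature out. */
int minutes_to_fraction(double hosts, double doubling_min, double fraction, int max_min)
{
    double beta = LN2 / doubling_min;
    double infected = 1.0;
    for (int t = 0; t < max_min; t++) {
        if (infected / hosts >= fraction) return t;
        infected += beta * infected * (1.0 - infected / hosts);
    }
    return -1;
}

/* Share of hosts still clean when a signature lands delay_min minutes after
 * release: the most an update delivered at that point can protect. */
double protected_fraction_at_update(double hosts, double doubling_min, int delay_min)
{
    return 1.0 - infected_fraction(hosts, doubling_min, delay_min);
}

int main(void)
{
    const double hosts = 1.0e6;                /* assumed population          */
    const int    delays[] = { 60, 360, 1440 }; /* 1 h, 6 h, 24 h to desktops  */
    const double rates[]  = { 37, 360, 1440 }; /* assumed doubling times, min */

    for (int r = 0; r < 3; r++) {
        printf("doubling every %4.0f min: 99%% infected after %6d min;",
               rates[r], minutes_to_fraction(hosts, rates[r], 0.99, 200000));
        for (int d = 0; d < 3; d++)
            printf("  %5.1f%% protectable at %4d min",
                   100.0 * protected_fraction_at_update(hosts, rates[r], delays[d]), delays[d]);
        printf("\n");
    }
    return 0;
}
```

With a doubling time measured in tens of minutes, the whole population is infected well inside a day, so a signature that takes a day to reach desktops protects almost no one; with a doubling time of a day, the same delay still leaves nearly everyone protectable. The model ignores patching, heterogeneous vulnerability and network limits, so treat the numbers as illustration, not prediction.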

Page 23

The AV problem (2)

• Anti-virus technology is reactive by its very nature
– Signatures to detect malicious code are not produced until after a new strain of virus has appeared.
– It has evolved little over the last few years.
– Some improvements have been made in heuristics and in pushing updates around in corporate environments, but it is hard to conclude that virus writers do not have the upper hand.
• AV companies have little financial incentive to solve this problem. Quite the opposite, in fact: the worse things become, the rosier the financial future looks for AV vendors, at least in the short term.
• With the release of Microsoft's free AV software, profits have, as expected, been dropping.

Page 24

References

• Dozens of websites about individual viruses.
– http://www.cknow.com/vtutor/vthistory.htm has a nice history.
– http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms
• The Register, http://www.theregister.co.uk
• Sophos AV, http://www.sophos.com
• Norton AV, http://www.norton.com
• ClamAV, http://www.clamav.net
• Apple Mac malware: A short history (1982-2010), http://nakedsecurity.sophos.com/2010/11/24/apple-mac-malware-short-history/
• Computerworld.com, infoworld.com, and securityfocus.com

Page 25

Q&A