Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Richard Ford. Where viruses have been… How it all began Milestones in virus and antivirus history The Technology Race Between Black Hats and White.

Similar presentations


Presentation on theme: "Dr. Richard Ford. Where viruses have been… How it all began Milestones in virus and antivirus history The Technology Race Between Black Hats and White."— Presentation transcript:

1 Dr. Richard Ford

2 Where viruses have been… How it all began Milestones in virus and antivirus history The Technology Race Between Black Hats and White Hats Where Things Are Today

3 Bell Labs… Core Wars Two computer programs would battle it out in the core of a computer. The victor would be the last man standing Mainstreamed in May 1984 in Scientific American

4 Where it all began: Elk Cloner It will get on all your disks It will infiltrate your chips Yes it's Cloner! It will stick to you like glue It will modify ram too Send in the Cloner! Virus folklore tells us that this virus was actually an experiment gone wrong… readers beware Attacked the Apple II

5 Freds work is really famous… You can read some of his papers at Cohen postulated that one could construct a computer program that could infect other programs with a possibly evolved version of itself.

6 The following pseudo-program shows how a virus might be written in a pseudo-computer language. The ":= symbol is used for definition, the ":" symbol labels a statement, the ";" separates statements, the "=" symbol is used for assignment or comparison, the "~" symbol stands for not, the "{" and "}" symbols group sequences of statements together, and the "..." symbol is used to indicate that an irrelevant portion of code has been left implicit. program virus:= { ; subroutine infect-executable:= {loop:file = get-random- executable-file; if first-line-of-file = then goto loop; prepend virus to file; } subroutine do-damage:= {whatever damage is to be done} subroutine trigger-pulled:= {return true if some condition holds} main-program:= {infect-executable; if trigger-pulled then do- damage; goto next;} next:}

7 First virus that anyone really noticed Basit and Amjad Farooq Alvi, of Lahore, Pakistan. Simple Boot Infector – harkens back to the days of boot from floppy

8 Appeared in 1987 Introduced some important techniques: Infected COMMAND.COM Went resident in memory Infected any disks that were accessed from the infected machine Had an unpleasant trigger: trashed the FAT after four infections

9 Appeared in 1988,reported by Yisrael Radai Memory-resident COM/EXE infector Contained a big: infected itself over and over again… Spawned MANY virus variants Whats a virus variant?

10 1987… Written in REXX, a scripting language by IBM Sent in SOURCE form by Required a user to run it When it ran, sent itself to all your contacts It was an early, human-driven WORM

11 1988 See: ftp://coast.cs.purdue.edu/pub/doc/morris_worm / for all the details you could ever need and more ftp://coast.cs.purdue.edu/pub/doc/morris_worm / Used multiple vulnerabilities Sendmail bug Fingerd bug Via.rhosts files Via password cracking Infected a *lot* of hosts for the then fledgling Internet

12 Trojan Disk sent out widely in 1992 Encrypted data on the fixed disk after a certain number of boots License verbage: "In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement." See: 201.PDF

13 More of an Icon than a reality But, for a time, the most complex viruses did come from Bulgaria Many the work of one person, the mysterious Dark Avenger Dark Avenger ultimately wrote a fast infecting virus and the infamous Mutation Engine (aka MtE or DAME)

14 Welcome to Terry Tequilas latest venture 1991 First fully polymorphic, full stealth virus

15 March 6th, 1992 Serious enough that there was actually a CERT Advisory: 02.htmlhttp://www.cert.org/advisories/CA html A Boot Sector Virus with a payload Quotes: hundreds of thousands of computers – John McAfee, also labeled with the number five million One out of four computers – Reuters In fact, total damage was low… very low: 10 to 20 thousand For an interesting take on epidemiology, read: phart/PREV/prevalence.gopher.html

16 Also in 1992 A linkable object, never distributed in source form Caused massive variation in code structure of a computer virus Caused a complete redesign of several antivirus products, and was the end of simple signature scanning

17 Menu-driven virus creation for the masses! Primarily simple COM infectors Capable of basic encryption The first of many…

18 Pathogen and Queeg SMEG, the Simulated Metamorphic Encryption Generator See: for the full story Also, see investigations.com/chist/chist01.html for an account of the investigation from an old friend, Jim Bateshttp://www.computer- investigations.com/chist/chist01.html Convicted under the UKs Computer Misuse Act

19 Appeared around 1996 First data infecting virus? Well, not really… Written in Word Macros Forced large-scale changes in the antivirus industry Interestingly, everyone infected by concept saw one of these:

20 Hot on the heels of Concept Auto_open and Check_files Simple example of what could be done Infected PERSONAL.XLS, which is loaded whenever Excel is run

21

22 1998 A virus that was written in Java that infects Java class files Primarily a proof of concept See: a.html for a useful FAQ a.html What about the Sandbox?

23 1999 (see CERT advisory CA ) A virus that propagated via attachments Used MAPI to spread Incredibly effecting technique Poor David Smith! See: stm stm

24 DDoS = Distributed Denial of Service Simple process: Pwn a large number of machines Install a remote control bot on them Command them to attack a particular site Why is this so dangerous?

25 CERT advisory CA Common buffer overrun in IIS Spread like WILDFIRE Question: Why?

26 Launched in January 2003 Utilized a buffer overrun in Microsofts popular SQL Server Spread from machine to machine with a peak population doubling rate of 8.5 seconds Infected 90% of all machines it would ever infect in 10 minutes Actually impacted BGP Route Stability on the Internet!

27 Windows makes it quite easy to write Spyware Spyware can take over a machine and make it unrecoverable in many senses, without a reinstall As Spyware becomes more commercial (in some senses of the word) it becomes a harder problem to fight Blurred lines between legal and illegal Context sensitivity and EULAs

28 The undetectable rootkit Server virtualization used for gain? How much of this is a real threat?

29 Sony adds a rootkit to CDs in an attempt to manage its digital rights… More complicated than it sounds, but interesting story

30 For the first time, the UK cybercrime rate rises to meet the real world crime rate

31 Are everywhere: PDF Realplayer IE …

32 2007: Symantec acquires Vontu Companies begin to focus on protecting data at rest and while in transit

33 Autorun Worm found on the International Space Station Password-stealing, but not mission critical

34 More viruses More Worms More Trojans More software that Blurs the Lines


Download ppt "Dr. Richard Ford. Where viruses have been… How it all began Milestones in virus and antivirus history The Technology Race Between Black Hats and White."

Similar presentations


Ads by Google