Computer Viruses and Worms Dragan Lojpur Zhu Fang

Definition of Virus A virus is a small piece of software that piggybacks on real programs in order to get executed A virus is a small piece of software that piggybacks on real programs in order to get executed Once it ’ s running, it spreads by inserting copies of itself into other executable code or documents Once it ’ s running, it spreads by inserting copies of itself into other executable code or documents

Computer Virus Timeline Theories for self-replicating programs are first developed Apple Viruses 1, 2, and 3 are some of the first viruses “in the wild,” or in the public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.” Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies had “© Brain” for a volume label The Lehigh virus, one of the first file viruses, infects command.com files One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both.exe and.com files and deletes any programs run on that day. MacMag and the Scores virus cause the first major Macintosh outbreaks. …

Worms Worm - is a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself. Worm - is a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself.

History of Worms The first worm to attract wide attention, the Morris worm, was written by Robert Tappan Morris, who at the time was a graduate student at Cornell University. The first worm to attract wide attention, the Morris worm, was written by Robert Tappan Morris, who at the time was a graduate student at Cornell University. It was released on November 2, 1988 It was released on November 2, 1988 Morris himself was convicted under the US Computer Crime and Abuse Act and received three years probation, community service and a fine in excess of $10,000. Morris himself was convicted under the US Computer Crime and Abuse Act and received three years probation, community service and a fine in excess of $10,000. Xerox PARC Xerox PARC

Worms… Worms – is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well. Worms – is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well. They are often designed to exploit the file transmission capabilities found on many computers. They are often designed to exploit the file transmission capabilities found on many computers.

Zombies Infected computers — mostly Windows machines — are now the major delivery method of spam. Infected computers — mostly Windows machines — are now the major delivery method of spam. Zombies have been used extensively to send spam; between 50% to 80% of all spam worldwide is now sent by zombie computers Zombies have been used extensively to send spam; between 50% to 80% of all spam worldwide is now sent by zombie computers

Money flow Pay per click Pay per click

Typical things that some current Personal Computer (PC) viruses do Display a message Display a message

Typical things that some current Personal Computer (PC) viruses do Erase files Erase files Scramble data on a hard disk Scramble data on a hard disk Cause erratic screen behavior Cause erratic screen behavior Halt the PC Halt the PC Many viruses do nothing obvious at all except spread! Many viruses do nothing obvious at all except spread! Display a message Display a message

Distributed Denial of Service A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system. A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.

How it works? The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. Victim's IP address. Victim's IP address. Victim's port number. Victim's port number. Attacking packet size. Attacking packet size. Attacking interpacket delay. Attacking interpacket delay. Duration of attack. Duration of attack. MyDoom – SCO Group MyDoom – SCO Group

DDoS

MyDoom 26 January 2004: The Mydoom virus is first identified around 8am. Computer security companies report that Mydoom is responsible for approximately one in ten e- mail messages at this time. Slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent 26 January 2004: The Mydoom virus is first identified around 8am. Computer security companies report that Mydoom is responsible for approximately one in ten e- mail messages at this time. Slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent

MyDoom… 27 January: SCO Group offers a US $250,000 reward for information leading to the arrest of the worm's creator. 27 January: SCO Group offers a US $250,000 reward for information leading to the arrest of the worm's creator. 1 February: An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack—the largest such attack to date. 1 February: An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack—the largest such attack to date. 2 February: The SCO Group moves its site to 2 February: The SCO Group moves its site to

Executable Viruses Traditional Viruses Traditional Viruses pieces of code attached to a legitimate program pieces of code attached to a legitimate program run when the legitimate program gets executed run when the legitimate program gets executed loads itself into memory and looks around to see if it can find any other programs on the disk loads itself into memory and looks around to see if it can find any other programs on the disk

Boot Sector Viruses Traditional Virus Traditional Virus infect the boot sector on floppy disks and hard disks infect the boot sector on floppy disks and hard disks By putting its code in the boot sector, a virus can guarantee it gets executed By putting its code in the boot sector, a virus can guarantee it gets executed load itself into memory immediately, and it is able to run whenever the computer is on load itself into memory immediately, and it is able to run whenever the computer is on

Decline of traditional viruses Reasons: Reasons: –Huge size of today’s programs storing on a compact disk –Operating systmes now protect the boot sector

Viruses Moves around in messages Moves around in messages Replicates itself by automatically mailing itself to dozens of people in the victim ’ s e- mail address book Replicates itself by automatically mailing itself to dozens of people in the victim ’ s e- mail address book Example: Melissa virus, ILOVEYOU virus Example: Melissa virus, ILOVEYOU virus

Melissa virus March 1999 March 1999 the Melissa virus was the fastest-spreading virus ever seen the Melissa virus was the fastest-spreading virus ever seen Someone created the virus as a Word document uploaded to an Internet newsgroup Someone created the virus as a Word document uploaded to an Internet newsgroupInternet newsgroupInternet newsgroup People who downloaded the document and opened it would trigger the virus People who downloaded the document and opened it would trigger the virus The virus would then send the document in an e- mail message to the first 50 people in the person's address book The virus would then send the document in an e- mail message to the first 50 people in the person's address book

Melissa virus Took advantage of the programming language built into Microsoft Word called VBA (Visual Basic for Applications) Took advantage of the programming language built into Microsoft Word called VBA (Visual Basic for Applications)

Prevention Updates Updates Anti-Viruses Anti-Viruses More secure operating systems More secure operating systems e.g. UNIX

Reference