
1 Cosc 4765 Viruses and Worms

2 Categories
- Viruses and worms (this lecture focuses on these two)
- Trojans: used for remote access to systems; non-replicating; a disguised or concealed program, sometimes disguised as useful software
- Logic bombs: timed devices, designed to cause the maximum damage possible; very difficult to spot until they execute

3 Some History
The early "viruses" were not viruses. They were code that accidentally did something it wasn't supposed to: it broke the bounds of its own memory region to access another program's, or ended up running code from another program. Tracing the pattern of the code through memory looked like the holes in "worm-eaten" wood, which is where the term worm came from.

4 Some History (2)
The best way to understand viruses and worms is to follow their evolution. We'll look at the on-going war between virus writers and anti-virus companies, and the changes AV software had to make in order to detect and remove new viruses and worms.

5 Description of a Worm
First we'll look at worms, then viruses.
A worm is a program designed to copy itself from one PC to another, via e-mail, TCP/IP, etc. The goal is to infect as many machines as possible; it is not interested in multiple copies on the same machine. It relies less (or not at all) on human intervention to propagate.

6 First Worm?
The first "worm" is generally considered to be the Xerox worm, and it was an accident. In the early 1980s, Xerox researchers created worms to perform useful tasks on computers connected to their network. It got out of control due to a bug in the program, which crashed computers.

7 MORRIS/INTERNET WORM (1988)
The Morris Worm's (sometimes called the Internet Worm) function was simply to spread itself to as many computers as possible. One of the earliest recorded infections was a VAX 8600 at the University of Utah; from there it spread, causing an incredible strain on processor load. A bug in the worm caused it to overload machines and networks; it was not supposed to. The worm spread to over 6,000 machines in the United States, but caused no physical damage to the machines it affected. It exposed some serious security holes in UNIX environments which could have gone undetected had the worm not used them to propagate.

8 The Internet Worm Details
The "worm" program consisted of two parts. A small bootstrap, l1.c, was sent to the target, compiled and run; l1.c then downloaded worm.c from the attacking host, compiled it and ran it. worm.c looked for other machines on the network and repeated the process, sending l1.c on to each of them. The main body also tried to break passwords (a dictionary attack against the entries in /etc/passwd), which was CPU intensive and could not be stopped. If a machine was shut off, it would get the worm again from somewhere else on the network as soon as it rebooted.

10 How the worm broke in
Used one of three methods to break into a machine:
1. rsh (remote shell): you can run commands on another machine without logging into it, because that machine trusts yours (hosts.equiv / .rhosts). This is a feature, not a bug, in UNIX. If you found a machine that other machines trusted, you could "infect" those other machines as well.

11 How the worm broke in (2)
2. If that didn't work, it used a bug in the "finger" daemon. finger returns information about the user fingered. fingerd read its request into a fixed 512-byte buffer with gets(), which does no length check, so a long request overflowed the buffer and overwrote the daemon's stack. The worm called finger with a specially hand-crafted 536-byte string. When a procedure returns, it takes the address of what to do next from the stack; the overwritten return address pointed back into the 536-byte string, and the code placed there started a shell that the worm could use, with the daemon's (root) privileges.
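Added example (not from the slides or the worm's source): a Python model of the fingerd stack frame described above, showing why the unbounded read hands control to the attacker and a bounded read does not. The 512-byte buffer and the 536-byte request are the historical sizes; the 8-byte saved frame pointer, return address and argument slot that follow the buffer are an assumed 64-bit layout, and all addresses are made up.

```python
import struct

BUF_SIZE = 512                          # fingerd's fixed line buffer
# Assumed frame layout (64-bit, little-endian): buffer, saved frame pointer,
# saved return address, one argument slot. 512 + 3*8 = 536 bytes, the size of the worm's request.
FRAME_FMT = "<%ds Q Q Q" % BUF_SIZE
FRAME_SIZE = struct.calcsize(FRAME_FMT)

def make_frame(ret_addr, saved_fp=0x7FFD0000, arg=0):
    """Build a fresh frame: empty buffer below the saved registers."""
    return bytearray(struct.pack(FRAME_FMT, b"\0" * BUF_SIZE, saved_fp, ret_addr, arg))

def return_address(frame):
    """The saved return address currently sitting in the frame."""
    return struct.unpack(FRAME_FMT, bytes(frame))[2]

def gets_like(frame, line):
    """Model of gets(): copy up to the newline, then a NUL, with no length check (the fingerd bug).
    The model stops at the frame edge only so the simulation itself stays in bounds."""
    data = (line.split(b"\n", 1)[0] + b"\0")[:FRAME_SIZE]
    frame[:len(data)] = data

def fgets_like(frame, line):
    """Model of fgets(buf, sizeof buf, stdin): at most BUF_SIZE-1 bytes plus NUL. Returns True if truncated."""
    data = line.split(b"\n", 1)[0]
    truncated = len(data) > BUF_SIZE - 1
    data = data[:BUF_SIZE - 1] + b"\0"
    frame[:len(data)] = data
    return truncated

def craft_request(new_ret, total_len=536):
    """Constructed attack request in the shape the slide describes: filler across the buffer and the
    saved frame pointer, the replacement return address, then padding out to 536 bytes plus newline."""
    body = b"\x90" * (BUF_SIZE + 8) + struct.pack("<Q", new_ret)
    body += b"A" * (total_len - len(body))
    return body + b"\n"

if __name__ == "__main__":
    f = make_frame(0x401000)
    gets_like(f, craft_request(0xDEADBEEF))
    print("gets():  return address now 0x%x" % return_address(f))
    f = make_frame(0x401000)
    fgets_like(f, craft_request(0xDEADBEEF))
    print("fgets(): return address still 0x%x" % return_address(f))
```

With the unbounded copy the 8 bytes at offset 520 of the request land exactly on the saved return address; with the bounded copy the request is cut at 511 bytes and the saved registers are never touched, which is the whole fix for this class of bug.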

12 How the worm broke in (3)
3. If those didn't work, it used sendmail. A debug feature (the DEBUG command) allowed a message to be delivered to a program and run. Bug?? sendmail's "features" have been exploited by worms and hackers for a long time.

13 Curing the Internet Worm
Quick cure: run a dummy worm. When the real worm arrived it checked whether a copy was already running and would not reinstall itself, but 1 in 7 times it reinstalled anyway (the worm was written that way, to make exactly this trick unreliable). Real cure: upgrade the system to remove the bugs and disallow the programs that are vulnerable.

14 Melissa (1999)
First mainstream macro hybrid: virus and worm.
- Spread via Word 97 and Word 2000 document files
- Uses Outlook to send the infected document to the first fifty entries in the address book
- Infects the Word environment (the Normal template), and so potentially every document on the system
- Sent to far more than fifty users, because address book entries such as "All at work" expanded to everyone in the company, plus the other 49 entries in the book!

15 ILOVEYOU WORM (2000)
This is a VBScript worm with virus qualities. It arrives in an e-mail message with this format:
Subject: "ILOVEYOU"
Message: "kindly check the attached LOVELETTER coming from me."
Attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs" (the double extension hides the .vbs behind what looks like a .txt)
It overwrote .jpg, .jpeg, .vbs, .vbe, .js, .jse, .css, .wsh, .sct and .hta files with copies of itself. .mp3 and .mp2 files were hidden and a copy of the worm was created alongside each as *.mp3.vbs. It then sent itself out over IRC and through Outlook, and downloaded and ran a password-stealing program that mailed the passwords to the author.

16 ILOVEYOU WORM (2)
Mail servers crashed under the load, and the web site it downloaded the password program from was overloaded and failed as well. The author was caught, mostly because he used his own e-mail address. At least 50 variants were written.

17 Timofonica (2000)
A Visual Basic script worm that tried to send messages to Internet-enabled phones. It attacked the Spanish telephone network; a later variant attacked the Japanese emergency phone system.

18 Code Red (2001)
Only a threat to Windows 2000 with IIS; the worm crashes on Windows NT. It spreads by exploiting a buffer overflow (Microsoft's "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" bulletin). Web pages were defaced with "HELLO! Welcome to ! Hacked By Chinese!"

19 Code Red (2)
Spread via TCP/IP on port 80: it used the buffer overflow to send itself to the next computer. It looked for c:\notworm; if found, it stopped seeking other machines to infect. It randomly generated the IP address of the next machine to attack. It has many variants, Code Red II, Code Green and Code Blue, just to name a few.

20 Hello.worm (2001)
First MSN Messenger worm. Arrives via MSN Messenger as a file called Hello.exe. If a user clicks on the file, which is actually a Visual Basic 5 application, the worm creates a shortcut, with no name or icon, in the Windows Start-up folder. It then attempts to send a copy of itself, along with the message "i have a file for u. its real funny", to people on the infected user's contact list. If MSN Messenger is not installed in the expected directory the worm crashes, displaying the message "Run-time Error '91'. Object variable or With block variable not set."

21 Nimda (2001)
Nimda worm/virus. Any Win9x/NT/2000/ME computer can be infected. It infects many system files and .EXE files, and adds itself to the registry so it is launched when Windows boots. It infects via e-mail, network shares and the MS web folder traversal vulnerability (attacking IIS servers), and uses the backdoor left behind by Code Red II. Its e-mail specifies a content-type of audio/x-wav for the executable attachment, so Outlook and IE will auto-launch it.
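Added example (not from the slides or any mail product): a small attachment-triage routine in Python covering the two tricks just described, ILOVEYOU's double extension (a benign-looking .TXT in front of the real .vbs) and Nimda's mislabeled Content-Type (an executable declared as audio/x-wav). The sample attachments are constructed to match the slides' descriptions; the extension lists and the padded-name rule are assumptions a mail gateway would tune.

```python
import re

EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
                   "wsh", "wsf", "sct", "hta"}
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "mp3", "doc", "pdf"}
# Declared types whose payload should never start with a PE executable header
NON_EXEC_TYPES = {"audio/x-wav", "audio/mpeg", "image/jpeg", "image/gif", "text/plain", "application/pdf"}

def extensions(filename):
    """All extensions of a name, lower-cased and stripped: 'a.TXT.vbs' -> ['txt', 'vbs']."""
    parts = filename.lower().split(".")
    return [p.strip() for p in parts[1:]] if len(parts) > 1 else []

def triage_attachment(filename, content_type, head):
    """Reasons this attachment looks like an e-mail worm; an empty list means nothing matched."""
    reasons = []
    exts = extensions(filename)
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension: ." + exts[-2] + " decoy in front of ." + exts[-1])
    if re.search(r"\s{3,}\.\w+$", filename):          # spaces push the real extension off screen
        reasons.append("whitespace padding hides the real extension")
    if content_type.lower() in NON_EXEC_TYPES and head[:2] == b"MZ":
        reasons.append("declared " + content_type + " but payload starts with a PE (MZ) header")
    return reasons

# Constructed samples modelled on the slides: (filename, declared Content-Type, first bytes of payload)
SAMPLES = [
    ("LOVE-LETTER-FOR-YOU.TXT.vbs", "text/plain", b"rem  barok -loveletter(vbe)"),
    ("readme.exe", "audio/x-wav", b"MZ\x90\x00\x03\x00"),
    ("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
    ("song.mp3.vbs", "text/plain", b"On Error Resume Next"),
    ("invoice.pdf" + " " * 40 + ".scr", "application/pdf", b"MZ\x90\x00"),
]

def triage_all(samples=SAMPLES):
    """Map each sample's filename to its list of reasons."""
    return {name: triage_attachment(name, ctype, head) for name, ctype, head in samples}

if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(repr(name), "->", reasons or "clean")
```

The content-type check is the important one for Nimda: the filename alone looks harmless to a client that renders by declared type, so the decision has to be made on the bytes, not on the headers the sender controls.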

22 Slammer Worm (2003)
The Slammer (aka Sapphire) worm takes advantage of a six-month-old buffer overflow in the MS SQL Server Resolution Service to spread. It is not destructive to an infected host (like Code Red it exists only in memory), but it generates a damaging level of network traffic when it scans for additional targets. The worm continuously sends a single 376-byte UDP packet of exploit and propagation code to port 1434/UDP of random addresses until the SQL Server process is shut down. Unlike Nimda, these attacks are not directed at local subnets but spread across the wider Internet.

23 Slammer Worm (2)
During the peak hours of infection, security firm Symantec observed more than 22,000 unique systems infected by the worm. Some effects: the majority of Bank of America's 13,000 automatic teller machines "were unable to process customer transactions" (Washington Post); Windows XP activation servers were thrown offline; in Korea (whose Net connections were particularly hard hit by the worm) shares in the country's two largest ISPs, KT Corp and Hanaro Telecom Inc, fell sharply while computer security stocks rose sharply (Reuters); in Portugal, subscribers to cable ISP Netcabo were without Internet access for more than 12 hours due to the worm.

24 SoBig (2003)
This worm is written in MSVC and attempts to spread via network shares and e-mail. The worm contains its own SMTP engine. It enumerates shares on the network, intending to copy itself to folders on remote machines. It was used to send out spam as well as its own e-mail/worm code.

25 Blaster (2003)
Its purpose was to spread as fast as possible, and also to launch a DDoS against windowsupdate.com. By exploiting an unpatched hole in Windows, the worm executes without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands of their choosing. When run, it scans a random IP range for vulnerable systems on TCP port 135 and attempts to exploit the DCOM RPC vulnerability on the systems it finds, creating a remote shell on a fixed TCP port. It then instructs the system to download the worm into the %WinDir%\system32 directory and execute it.

26 Sasser (2004)
The worm copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup. As it scans random IP addresses it listens on successive TCP ports, starting from a fixed base port. It also acts as an FTP server on TCP port 5554 and creates a remote shell on TCP port 9996. It also rebooted Windows fairly often, because the LSASS service it exploited crashed.
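Added example (not from the slides or any vendor product): the two detection strategies a network IDS would use against the scanning worms on the last few slides, run over constructed flow records in Python. Code Red, Blaster and Sasser all pick random addresses and hit one port, which a behavioural rule catches (many distinct destinations from one source in a short window); Slammer is a single UDP datagram with a fixed size and leading byte, which a content rule catches. The record format, addresses and thresholds are assumptions.

```python
from collections import defaultdict

def flow(ts, proto, src, dst, dport, length, first_byte=None):
    """One flow record as a sensor might log it (constructed format)."""
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": dport, "len": length, "first": first_byte}

# Constructed flow records; not a real capture.
FLOWS = (
    # a Blaster-style host probing 25 different addresses on TCP/135 within 2.5 seconds
    [flow(100.0 + i * 0.1, "tcp", "10.0.0.5", "192.0.2.%d" % i, 135, 0) for i in range(1, 26)]
    # a normal workstation talking to three web servers
    + [flow(100.0 + i, "tcp", "10.0.0.7", "198.51.100.%d" % i, 80, 0) for i in range(1, 4)]
    # one Slammer-sized datagram: UDP/1434, 376 bytes, SSRP command byte 0x04
    + [flow(101.3, "udp", "10.0.0.9", "203.0.113.17", 1434, 376, 0x04)]
    # a legitimate one-byte SSRP ping (0x02) to the same port
    + [flow(102.0, "udp", "10.0.0.7", "203.0.113.18", 1434, 1, 0x02)]
)

def slammer_signature(f):
    """Content match for Slammer: a UDP datagram to 1434 that is 376 bytes long and starts with 0x04."""
    return f["proto"] == "udp" and f["dport"] == 1434 and f["len"] == 376 and f["first"] == 0x04

def scan_sources(flows, window=10.0, threshold=20):
    """Behavioural match: a source that contacts >= threshold distinct destinations on one port
    within `window` seconds. Returns [(src, proto, dport), ...]."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["proto"], f["dport"])].append((f["ts"], f["dst"]))
    alerts = []
    for key, events in by_key.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide the window forward
                lo += 1
            if len({dst for _, dst in events[lo:hi + 1]}) >= threshold:
                alerts.append(key)
                break
    return alerts

def report(flows=FLOWS):
    """Both detectors over one set of records."""
    return {"scanners": scan_sources(flows),
            "slammer": [f["src"] for f in flows if slammer_signature(f)]}

if __name__ == "__main__":
    print(report())
```

The content rule is the same logic as the UDP/1434 signatures vendors shipped for Slammer; the behavioural rule needs no signature at all and fires on the scanning itself, which is why it can catch a new worm before any update exists.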

27 Virus vs Worm Category
Since about 2003, deciding whether a piece of malicious code is a virus or a worm has gotten pretty fuzzy. Generally they get classified by the degree to which they can transmit themselves on their own, in other words how much human intervention is needed. AV companies may disagree on whether something is a worm or a virus.

28 What Is A Virus?
Virus (plural viruses; some use "virii"): a computer program designed to spread over as many files as possible on a single computer. It spreads to other computers because of humans, or by "worm" techniques. Viruses may damage or modify data, cause the computer to crash, display messages, lie dormant until a "trigger" event, etc.

29 Early Viruses
The first virus was for the Apple II in 1981. Called "Elk Cloner", it contained this rhyme:
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!
There are historical notes about an "ARPAnet virus" that crashed the ARPAnet in October 1980 through a self-propagating status message. Details of the ARPAnet virus are scarce; it may have sent out router discovery messages that flooded the network. That sounds more like a worm.

30 History of Viruses
Early virus history is difficult to reconstruct. There are 4 viruses basically dated to 1987, and these 4 were used as base code for many, many later viruses.
Stoned/Stoner virus: first reported Feb 2, 1988; thought to have been created at the University of Wellington, New Zealand. It had a 1 in 8 chance of displaying one of the following messages:
"Your PC is now stoned! LEGALIZE MARIJUANA!"
"Your PC is now Stoned!"
"Your computer is now stoned."
New Stoned viruses are still being produced today. There are at least 90 variants, which do different things.

31 Ashar and Brain
The Ashar and Brain virus family may have started in 1986, based on a copyright date, but most infections were found later, in 1988 and 1989. It was the first to use "stealth" techniques to hide itself: when asked to display the boot record it would show the real (original) boot record, which it had saved elsewhere on the disk, marking those blocks as bad so they would not get overwritten. Many believe Ashar was the first MS-DOS virus.

32 Cascade Virus (1987 and 1988)
Thought to have been written in Germany. It used encryption, so it was harder to repair infected files. It introduced the ability to cause changes on the screen: all the letters on the screen dropped to the bottom. This virus made IBM take viruses seriously, since so many IBM computers became infected.

33 Jerusalem virus (1987)
Originated in Israel, as part of experimentation. There were actually 4 viruses, sURIV-1, sURIV-2, sURIV-3 and sURIV-4; sURIV-4 became known as the Jerusalem virus after it accidentally got loose. It has the ability to infect any .exe, .com, .sys, .pif and .ovl file, except for command.com. It would reinfect the same files over and over again because of a bug in the code.

34 Den Zuk (1988)
Its creator claimed it was an anti-virus: it detected and removed Brain infections and also immunized against it. A letter from the author was published in a February issue of Virus Bulletin.

35 DATACRIME/ COLUMBUS DAY VIRUS (1989)
Datacrime was a virus that would launch its payload on or after Oct. 13 in the year. It would format the first nine tracks of a hard disk and display the message "DATACRIME VIRUS RELEASED: 1 MARCH 1989". By wiping those tracks the hard drive became unreadable, since the drive could no longer tell how to get to the data on it. In the US it was called the Columbus Day virus and was thought to have been written by Norwegian terrorists. The big Datacrime "attack" was apparently at the Royal National Institute for the Blind, which claimed that Datacrime had wiped out its most important data, only to find out it was a minor outbreak of the Jerusalem virus.

36 DATACRIME/ COLUMBUS DAY VIRUS (1989) (2)
This virus was probably one of the first, if not the very first, virus to cause hysteria, back in 1989. The virus became a huge deal due to the media and wannabe-experts making false claims about it; in the end VERY few computers were ever touched by Datacrime. According to McAfee, there were only 6 confirmed incidents of the virus infecting computers.

37 Some viruses of 1989
While Datacrime was a bust, Dark Avenger and Frodo Lives were not.
Dark Avenger actually did some damage: it wrote garbage to sectors of the drive, overwriting some files. It was also a fast infector: it infected programs as they were opened. Before that, programs had to actually be run to get infected.
Frodo Lives did not infect much, because it tended to hang the system, but it was the first of the real stealth viruses.

38 Antivirus in 1989
Most anti-virus researchers got their start in this time period, and the big anti-virus companies had their beginnings at this point as well.

39 1990 and new viruses
Stealth is a mechanism by which a virus hides its size increase and/or its own code.
Polymorphism involves encrypted viruses where the decryption routine's code is variable, so there is no fixed byte string to scan for.
Armoring is used to prevent anti-virus researchers from disassembling a virus.
Multipartite is a virus that can infect both programs and boot sectors.

40 VIENNA VIRUS (1990)
A Vienna derivative (the "1260" virus) became the first known polymorphic virus, which caused a problem for anti-virus developers. It required AV companies to write an algorithm that applies logical tests to the file and decides whether the bytes it is looking at are one of the possible decryptors. The Vienna polymorphic technology caused quite a few AV products to generate false positives due to poor coding. What did the Vienna virus actually do to a computer? The virus infected .COM files every time they were run, and 1/8th of the time it inserted a jump to the BIOS routine that reboots the machine. Essentially the virus randomly rebooted the computer and corrupted files.
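Added example (not from the slides or any real virus): a toy model, in Python, of the polymorphic decryptor the previous two slides describe and of the two scanner strategies it forces. The "virus body", the five-opcode stub instruction set and the signature are all constructed. The point it shows is that a fixed byte-string signature never matches the encrypted copies, while a scanner that emulates the decryptor before scanning catches every sample; the same idea applies to the Mutation Engine of 1992 later in the deck.

```python
import random

BODY = b"VIENNA-BODY: infect .COM files; 1-in-8 reboot"   # constructed stand-in for a plaintext virus body
SIGNATURE = b"infect .COM"                                  # the byte string a static scanner would look for

# Toy two-byte instruction set for the decryptor stub (constructed): opcode, operand
OPC = {"LOAD_KEY": 0x01, "NOP": 0x02, "XOR": 0x03, "SUB": 0x04, "END": 0xFF}

def assemble(stub):
    """Encode the stub instruction list as bytes, terminated by END."""
    return b"".join(bytes([OPC[op], arg]) for op, arg in stub) + bytes([OPC["END"], 0])

def make_sample(rng, body=BODY):
    """Polymorphic generator: each copy gets a fresh key, one of two decrypt instructions and
    0-3 junk NOPs (with random operands) inserted at random positions, so no two stubs look alike."""
    key = rng.randrange(1, 256)
    op = rng.choice(["XOR", "SUB"])
    stub = [("LOAD_KEY", key), (op, 0)]
    for _ in range(rng.randrange(0, 4)):
        stub.insert(rng.randrange(len(stub) + 1), ("NOP", rng.randrange(256)))
    if op == "XOR":
        enc = bytes(b ^ key for b in body)
    else:                                   # the stub will SUB the key, so store body + key
        enc = bytes((b + key) & 0xFF for b in body)
    return assemble(stub) + enc

def emulate(image, max_steps=64):
    """Run the stub in a tiny interpreter; return the decrypted body, or None if it is not a stub we understand."""
    key, pc, decrypt_op = 0, 0, None
    for _ in range(max_steps):
        if pc + 1 >= len(image):
            return None
        opc, arg = image[pc], image[pc + 1]
        pc += 2
        if opc == OPC["LOAD_KEY"]:
            key = arg
        elif opc == OPC["NOP"]:
            pass
        elif opc in (OPC["XOR"], OPC["SUB"]):
            decrypt_op = opc
        elif opc == OPC["END"]:
            break
        else:
            return None
    else:
        return None                          # ran out of steps without reaching END
    body = image[pc:]
    if decrypt_op == OPC["XOR"]:
        return bytes(b ^ key for b in body)
    if decrypt_op == OPC["SUB"]:
        return bytes((b - key) & 0xFF for b in body)
    return None

def static_scan(image):
    """Plain signature scan over the file bytes."""
    return SIGNATURE in image

def emulating_scan(image):
    """Decrypt by emulation first, then apply the same signature."""
    body = emulate(image)
    return body is not None and SIGNATURE in body

def compare(n=20, seed=7):
    """Generate n samples and count how many each scanner catches."""
    rng = random.Random(seed)
    images = [make_sample(rng) for _ in range(n)]
    return {"distinct_images": len(set(images)),
            "static_hits": sum(static_scan(i) for i in images),
            "emulated_hits": sum(emulating_scan(i) for i in images)}

if __name__ == "__main__":
    print(compare())
```

The "logical tests" the slide mentions are what the emulator replaces: instead of enumerating every decryptor shape, the scanner runs the first few instructions of the file in a sandbox and scans whatever they produce. That is also where the false positives came from in 1990, since a sloppy decryptor-pattern matcher flags innocent code that merely resembles one.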

41 THE WHALE VIRUS (1990)
Whale was an EXTREMELY complex polymorphic (and heavily armored) virus that took AV vendors literally weeks to decode. While the virus isn't particularly harmful or effective, it proved to be one of the toughest decode jobs for anti-virus vendors. Whale could also change to many different sizes, making it even more complex. The biggest side effect was that Whale would crash a computer if it was run.

42 VxBBS
Not a virus. Virus-exchange BBS systems: people wanted to get viruses, but had to upload a virus in order to download one. So many people started altering ones they had, or simply uploaded fake viruses. These collections were in turn purchased by AV companies as test sets.

43 AV in 1990
By December, dozens of AV companies had been created. Some provided free anti-virus, while others charged for the software. It was all on-demand scanners; no "real-time" AV had been created yet.

44 1991 The year of VCS and VCL
VCS is the Virus Construction Set; VCL is the Virus Construction Lab. Now users could build their own viruses from the base code of many other viruses. If you look on AV sites there are thousands of VCS and VCL viruses.

45 TEQUILA VIRUS (1991)
A polymorphic, stealth and multipartite virus. It also had an anti-anti-virus (retrovirus) component. It originated in Switzerland. Tequila had the ability to change its form in an attempt to avoid detection. The virus is relatively harmless to data but displays messages such as: "Execute: mov ax, FE03 / INT 21. Key to go on!" If the user follows the directions they get this message: "Welcome to T.TEQUILA's latest production. Contact T.TEQUILA/P.O.BOX 543/6312 St'hausen/Switzerland. Loving thoughts to L.I.N.D.A BEER and TEQUILA forever !"

46 THE MICHELANGELO VIRUS (1992)
The Michelangelo virus was originally discovered in 1991; it would delete the data on a user's hard drive, with the payload triggering each year on March 6th. Michelangelo gained fame when a major computer manufacturer claimed to have shipped over 500 computers carrying the virus. Then the press added fuel to the fire by claiming that hundreds of thousands of computers around the world MIGHT be infected. Another major software company jumped on the bandwagon and claimed it had distributed 900 floppies containing the virus. Another reporter then claimed millions of personal computers around the world were infected. Finally the day came, and the "millions" estimate ended up being in the thousands: 10 to 20 thousand. While quite a few people did get the virus, the claims of millions were WAY off. Michelangelo also turned out to be a Stoned variant.

47 Return of Dark Avenger (1992)
Not a virus: the Mutation Engine (MtE), a polymorphic engine other virus writers could link into their own viruses. It took AV vendors days to figure it out, and then they had "101%" detection rates, i.e. lots of false positives. Much AV software had to be rewritten. Dark Avenger also released the Commander Bomber virus.

48 AV in 1992
AV companies began to merge; they could all smell the money. The publicity from Michelangelo alone sent AV sales through the roof. Virus writers had already taken note of AV companies and began to try to disable virus scanning. Many AV companies simply disappeared: they were unable to handle the new polymorphic viruses.

49 Satan Bug virus (1993)
Nothing special about the virus; actually, it was a pretty bad virus. It appeared in Washington DC. It is notable only because its author was the first virus writer to actually go to jail. In 1994 another virus writer went to jail in England for a virus called Pathogen.

50 MS-DOS 6 with AV (1993)
MS released MS-DOS 6 with Central Point Anti-Virus (CPAV), under the name Microsoft Anti-Virus (MSAV). Updates were hard to come by. A virus named Tremor appeared in Germany with code to disable the resident portion of MSAV; it was a very common virus in Europe for years afterward.

51 BOZA VIRUS (1995)
First Windows 95 virus. The virus displays a political message in a window:
WINDOW TITLE: Bizatch by Quantum /VLAD
TEXT: "The taste of fame just got tastier! VLAD Australia does it again with the world's first Win95 Virus From the old school to the new... Metabolis Qark Darkman Automag Antigen RhinceWind Quantum Absolute Overload CoKe [ OK ] "
The virus is a slow infector, but fast enough to go undetected by the user. It also carries a bug that can increase an infected file's size by several megabytes, which could potentially eat a lot of disk space. Boza resembles the simplicity of 1980s viruses; it is not very complex. If it were not the first Windows 95 virus it would never have achieved any fame.

52 Concept Virus (1995)
First of the macro viruses. By 1996 it was thought to be the MOST common virus of all time, mostly because AV companies could not find it. Again another huge rewrite had to be done. It worked only on MS Word documents; eventually macro viruses could infect any MS Office document. Not much publicity until later in 1996, when the AV companies could detect them.

53 THE HARE VIRUS (1996)
The real, but overblown, virus of that year. While the virus does have a destructive payload and can potentially bring down a computer, the infection rate described at the time was insane. The virus was claimed to infect millions of computers around the world, and due to the claim that current AV products couldn't detect it, people were said to not even know they were infected. Many people added to the hysteria by claiming their computer was infected by Hare whenever they hit certain common Windows problems. So what did the Hare virus actually do? The payload triggers on August 22nd and September 22nd; ONLY on these two dates will the virus overwrite the data on your hard drives. The message commonly displayed by this virus is "HDEuthanasia" by demon emperor: Hare Krsna, hare, hare...

54 THE CHERNOBYL VIRUS (1998)
CIH introduced a new concept of infection. It infects 95/98/ME/NT programs; however, due to NT's nature the virus cannot function correctly there, so 95/98/ME is really the only platform affected. The unique infection method is what is worth mentioning: the virus finds unused space in a file (the padding between sections of a PE executable), splits its code into smaller pieces and inserts them into those gaps, so the file size does not change. Another unique feature is CIH's ability to overwrite the flash BIOS, which would leave the targeted computer unusable unless the BIOS chip is replaced. The chances of this working are VERY slim now, as technology has changed since the virus was written, and some variants have bugs that keep this code from working.
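Added example in Python (not CIH's code): a model of the cavity infection the slide describes, on a constructed file image. Caves are runs of zero padding of the kind found between PE sections; the payload is split across them so the file length is unchanged, and the reassembly step shows the pieces are recoverable in order, which is what a real loader stub has to do before jumping to the first piece. The image, the payload and the minimum cave size are assumptions.

```python
def find_caves(image, min_len=16):
    """Offsets and lengths of runs of zero bytes at least min_len long: unused padding a cavity
    infector can reuse without growing the file."""
    caves, start = [], None
    for i, b in enumerate(image + b"\x01"):      # sentinel closes a trailing run
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                caves.append((start, i - start))
            start = None
    return caves

def plan_placement(image, payload, min_len=16):
    """Split payload across the caves in order. Returns [(offset, chunk), ...], or None if it does not fit."""
    plan, pos = [], 0
    for off, ln in find_caves(image, min_len):
        if pos >= len(payload):
            break
        chunk = payload[pos:pos + ln]
        plan.append((off, chunk))
        pos += len(chunk)
    return plan if pos == len(payload) else None

def apply_placement(image, plan):
    """Write each chunk over the zero padding it was assigned; the image length is unchanged."""
    out = bytearray(image)
    for off, chunk in plan:
        out[off:off + len(chunk)] = chunk
    return bytes(out)

def reassemble(image, plan):
    """What the loader stub would do at run time: read the pieces back in order."""
    return b"".join(image[off:off + len(chunk)] for off, chunk in plan)

# Constructed file image: header, code, two zero-padded gaps (as between PE sections), trailer.
IMAGE = b"MZ" + b"\x90" * 40 + b"\0" * 64 + b"code" * 10 + b"\0" * 48 + b"END"
PAYLOAD = bytes(range(1, 101))   # 100 bytes of constructed "viral code"; fits across 64 + 48 bytes of caves

def demo(image=IMAGE, payload=PAYLOAD):
    """Infect the image in place and report sizes, caves and the recovered payload; None if it does not fit."""
    plan = plan_placement(image, payload)
    if plan is None:
        return None
    infected = apply_placement(image, plan)
    return {"size_before": len(image), "size_after": len(infected),
            "caves": find_caves(image), "recovered": reassemble(infected, plan)}

if __name__ == "__main__":
    print(demo())
```

Because the size never changes, integrity checks based on file length miss this; a cryptographic hash or a check that section padding is still zero does not, and scanning the slack space between sections is exactly how AV products learned to find CIH.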

55 AV in 1998
Many big AV companies began releasing "one-virus" fix programs. If you thought you were infected by a specific virus, you downloaded a program to remove it. These were generally given away free by the companies.

56 HAPPY99 VIRUS (1999)
This virus was distributed around 1999, generally as an e-mail attachment named Happy99.exe (although it could arrive under other names). Happy99.exe is unique in that it is a hybrid of trojan and virus: running it appears to show a fireworks display, yet it does more than meets the eye. Happy99.exe drops SKA.EXE and modifies WSOCK32.DLL; by hooking WSOCK32.DLL, Happy99 gets the list of message recipients and begins to send itself out through your e-mail without you noticing. It also attached itself to every outbound message the user sent.

57 Viruses of note (1)
Bubbleboy (1999): First worm that could activate just by viewing an e-mail in Outlook or previewing it in Outlook Express. Kakworm spread widely using this technique.
W32/Hlam@MM (2001): Sends two mails; the first warns that they are sending you an attachment, so the second seems okay.

58 Viruses of note (2)
LFM-926 (2002): First virus to infect Shockwave Flash (.SWF) files.
Donut (2002): First worm directed at .NET services.
Sharp-A (2002): Written in C#, directed at .NET, and written by a woman.

59 Viruses of note (3)
Perrun Virus (2002): Proof-of-concept that viruses could be spread through JPEG files.
SQLSpider (2002): Worm/virus written in JavaScript that attacked MS SQL Servers (and programs that used MS SQL technology, such as MS Office!).

60 About 2002
Some AV companies began producing on-line scanners on their web sites. In the beginning they weren't very good, but they could find many viruses and attempt to remove them. They were also an advertisement for the companies themselves. Virus writers followed suit, with e-mails that claimed they would remove X virus(es) but instead infected the computer.

61 Most viruses of any real threat are actually some kind of worm variant, like SoBig, Slammer and Blaster. All of these outpaced the AV companies by 12 hours, causing havoc. A new category came about: the worm "war" between Netsky, Bagle and MyDoom.

62 Netsky (2004)
Internet worm and e-mail worm. It attempts to deactivate MyDoom. It arrives via e-mail and copies itself under varying file names (winlogon.exe is popular), into network shares and P2P share folders as well. It sends itself to all addresses found on the computer via its own SMTP engine, and attempts to turn off AV software and other security software. Some 20+ variants have been written since Feb 2004.

63 Bagle (2004)
Virus and worm sent out via e-mail (as COM, EXE and/or SCR attachments). It copies itself all over the computer and into shares (file and P2P), opens back doors that enable other people to take over the machine, attempts to disable any Netsky versions it finds, and attempts to turn off AV software and other security software. Some 20 variants of Bagle have been written since Feb 2004.

64 MyDoom (2004)
E-mail virus and worm. A mass-mailing worm that harvested e-mail addresses from the infected PC as well as through search engines (search.lycos.com, search.yahoo.com, AltaVista and Google), sending via its own SMTP engine. It opens a back door (Zincite-A) on port 1034/TCP that allows attackers remote, unauthorized access to the machine. Other variants (some 30 at this point) have deleted/corrupted digital entertainment files and MS documents, and launched DDoS attacks at varying places (MS and the RIAA, to name two). It attempts to turn off AV software and other security software.

65 Netsky/Bagle/MyDoom
Many believe the three (?) virus writers know each other. There was a war/contest going on, but more likely it was for profit: being able to sell the infected computers to someone else for their use. They try to disable each other, and some variants have contained slurs about the other virus writers.

66 Santy (2004)
The first known "webworm" is launched. It exploited a vulnerability in phpBB and used Google to find new targets. It infected a large number of sites before Google filtered the search query used by the worm, preventing it from spreading.

67 More Worms
Zafi e-mail worm/virus (2004, new variants in 2005 & 2006): harvests e-mail addresses and sends via its own SMTP engine; attempts to turn off AV software and other security software. Variants have launched DDoS attacks against the Hungarian prime minister's website and Google's website.
Sober: virus/worm with its own SMTP engine. Claims to remove MyDoom. Uses English and German; many German speakers have been infected, because most viruses had been in English, so they didn't believe it was a virus.

68 More (2)
Mytob (2005 and 2006): more of a worm than a virus. A mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network. It harvests addresses from files on the infected computer and from the Windows address book, turns off anti-virus applications, allows others to access the computer and modifies data on it.

69 OSX/Leap-A or OSX/Oompa-A
February 16, 2006: the discovery of the first-ever malware for Mac OS X, a low-threat trojan horse known as OSX/Leap-A or OSX/Oompa-A, is announced.

70 BadBunny (2007)
Sophos discovered an OpenOffice multi-platform macro worm capable of running on Windows, Linux and Mac computers. It dropped Ruby script viruses on Mac OS X systems, and displayed an indecent JPEG image of a man wearing a rabbit costume.

71 The Storm
Storm, Dref, Peacomm Worm (Jan 2007). More of a "spam virus" than a worm: it spreads via e-mail and infected files only. Once it infects a machine, it sends itself out to addresses found on the computer and also drops more malware on it. Estimated to have infected 1.7 million machines by June 30 and at most 10 million by September. Thought to have originated in Russia.

72 2008
Bohmini.A is a configurable remote access tool or Trojan that exploits security flaws in Adobe Flash with Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2. The Koobface computer worm targets users of Facebook and MySpace; new variants constantly appear.

73 USB and Autoplay
Viruses/worms return to old methods: infecting any network shares and USB devices. The Autoplay function lets them infect a device when it is inserted, and launch from it the moment it is inserted into another machine. Not just USB drives, but think iPods, cameras, phones, Kindles and anything with storage space. Stuxnet used a zero-day (in how Windows displays shortcut .LNK files) that executes even when Autoplay is turned off.

74 Conficker (2008-)
The Conficker computer worm infected anywhere from 9 to 15 million Microsoft systems, running everything up to the Windows 7 Beta. The French Navy, UK Ministry of Defence (including Royal Navy warships and submarines), the Sheffield hospital network, the German Bundeswehr and the Norwegian Police were all affected. Microsoft set a bounty of $250,000 USD for information leading to the capture of the worm's author(s). Five main variants of the Conficker worm are known, dubbed Conficker A, B, C, D and E; they were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. Microsoft's patch for the server service vulnerability responsible for the spread of Conficker (MS08-067) had been released on 23 October 2008, a month before variant A appeared; the worm spread through machines that had not applied it.

75 Conficker (2) Armoring
To prevent its update payloads from being hijacked, variant A payloads are first SHA-1 hashed and RC4 encrypted with that hash as the key; the hash is then RSA-signed with a 1024-bit private key. The payload is unpacked and executed only if the signature verifies with the public key embedded in the worm. Variants B and later use MD6 as their hash function and increase the size of the RSA key. Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6.
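Added example (not Conficker's code): the same authenticate-then-execute chain in Python, with SHA-1, a short RC4 implementation and textbook (unpadded) RSA over two Mersenne primes standing in for the 1024-bit key. The toy key and the sample payload are assumptions. What the code makes concrete is that the signed value is the hash, and the hash doubles as the decryption key: a bot holding only the public key recovers the hash from the signature, decrypts with it, and runs the result only if it re-hashes to the same value, so nobody without the private key can push a payload to the botnet.

```python
import hashlib

# Toy RSA key: two Mersenne primes stand in for the worm's 1024-bit key (assumption; not Conficker's key).
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)

def rc4(key, data):
    """Plain RC4 (key scheduling + keystream); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def package(payload):
    """Author side: SHA-1 the payload, RC4-encrypt it under that hash, sign the hash.
    Returns (ciphertext, signature)."""
    h = hashlib.sha1(payload).digest()
    ciphertext = rc4(h, payload)
    signature = pow(int.from_bytes(h, "big"), D, N)    # textbook RSA on the raw hash (toy: no padding)
    return ciphertext, signature

def unpack_and_verify(ciphertext, signature):
    """Bot side: only the public key (E, N) is embedded. Recover the hash from the signature, decrypt
    with it, and accept only if the plaintext re-hashes to that value. Returns the payload or None."""
    h_int = pow(signature, E, N)
    if h_int >= (1 << 160):                 # not a SHA-1 sized value: forged or corrupted signature
        return None
    h = h_int.to_bytes(20, "big")
    plaintext = rc4(h, ciphertext)
    return plaintext if hashlib.sha1(plaintext).digest() == h else None

if __name__ == "__main__":
    ct, sig = package(b"update-binary-v2")       # constructed sample payload
    print("genuine:", unpack_and_verify(ct, sig))
    print("tampered signature:", unpack_and_verify(ct, sig + 1))
    print("tampered ciphertext:", unpack_and_verify(bytes([ct[0] ^ 1]) + ct[1:], sig))
```

This is why the researchers who reverse-engineered Conficker could sinkhole its rendezvous domains but could not feed it a clean-up payload: the embedded public key verifies, the private key was never found, and the hash-as-key construction means a wrong hash also yields garbage on decryption.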

76 Conficker (3) Self-defense
Variant C resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. Processes matching a predefined list of anti-virus, diagnostic or system patching tools are watched for and terminated. An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to anti-virus software vendors and the Windows Update service.

77 Ikee (2009) First iPhone worm
This was a proof-of-concept worm that only infects phones that have been jailbroken and still have the default password on the Secure Shell (SSH) service. And it only changed the wallpaper on the phone. But the source code for the beast was released, so follow-ons with worse payloads can be expected.

78 Stuxnet (2010)
Targets specific industrial equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered worm that spies on and reprograms industrial systems, and the first to include a programmable logic controller (PLC) rootkit. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the PLCs and hide its changes. Its drivers were signed with valid (stolen) certificates from Realtek and JMicron; both have since been revoked by VeriSign.

79 The AV problem
Research carried out at Hewlett-Packard's labs in Bristol (late 2002) analyzed the effectiveness of the signature-update approach to virus detection and elimination against a computer model designed to mimic viral spread. The model showed that the signature-update approach is fundamentally flawed, simply because worms can spread faster than anti-virus signature updates can be distributed. Even if AV vendors produce an antidote to a virus as soon as it appears, the model breaks down because of the time it takes to deliver a fix to desktops. Within this "window of vulnerability" a worm can take hold, HP researcher Matthew Williamson concludes.
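Added example (not the HP model itself): a minimal discrete-time infection model in Python that reproduces the argument on this slide. Infection grows logistically at a contact rate, and clean-up only begins once the signature arrives; the contact rates, delays and clean-up rate are assumptions chosen to illustrate, not measurements.

```python
def simulate(contact_rate, signature_delay, cleanup_rate=0.5, steps=40, i0=0.001):
    """Fractions of a host population over `steps` rounds. Each round every infected host converts
    contact_rate * (susceptible fraction) new hosts; from round `signature_delay` on, a fraction
    cleanup_rate of the infected hosts is disinfected (and immune) per round.
    Returns (history of the infected fraction, fraction of hosts that were ever infected)."""
    infected, immune = i0, 0.0
    history = [infected]
    for t in range(1, steps + 1):
        susceptible = 1.0 - infected - immune
        infected += contact_rate * infected * susceptible
        if t >= signature_delay:                 # the signature has reached the desktops
            cleaned = cleanup_rate * infected
            infected -= cleaned
            immune += cleaned
        history.append(infected)
    return history, infected + immune

def window_of_vulnerability(contact_rate, signature_delay, **kw):
    """Peak infected fraction and total ever infected: what the delivery delay costs."""
    history, ever = simulate(contact_rate, signature_delay, **kw)
    return max(history), ever

if __name__ == "__main__":
    for rate, label in ((1.0, "fast worm (Slammer-like)"), (0.3, "slow e-mail virus")):
        for delay in (4, 10):
            peak, ever = window_of_vulnerability(rate, delay)
            print("%-26s signature after %2d rounds: peak %5.1f%%, ever infected %5.1f%%"
                  % (label, delay, peak * 100, ever * 100))
```

With a contact rate of 1.0 (every infected host finds one new victim per round, still far slower than Slammer's doubling every few seconds) the population is more than a third infected by round 10 and most hosts are hit eventually, whatever the clean-up rate; the same signature delay against a slow e-mail virus costs about one percent. The signature's arrival time, not its quality, decides the outcome.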

80 The AV problem (2)
Anti-virus technology is reactive by its very nature: signatures to detect malicious code are not produced until after a new strain of virus has appeared. It has evolved little over the last few years. Some improvements have been made in heuristics and in pushing updates around in corporate environments, but it's hard to conclude that virus writers do not have the upper hand. AV companies have little financial incentive to solve this problem. Quite the opposite, in fact: the worse things become, the rosier the financial future looks for AV vendors, at least in the short term. A survey by market analysts IDC predicts that the anti-virus software market will grow from $2.2 billion last year (2003) to $4.4 billion in 2007. (John Leyden, The Register, published Friday 5th September.)

81 The AV Problem (3)
The fix, many believe, is a continued layered approach to security, i.e. security is a process, not an AV program. AV will still be used on clients and gateways. Better IDS technology may be able to detect the spread of a new worm, mostly because it is not "normal traffic", and block it before the AV company has figured out the signature of the worm/virus. Need I say: patch and update systems! Better awareness by users can also help.

82 References
Dozens of websites about individual viruses; The Register; Sophos AV; Norton AV; ClamAV; "Apple Mac malware: A short history"; Computerworld.com, infoworld.com and securityfocus.com.

83 Q & A

