Malicious Code: History
Dr. Richard Ford
Where viruses have been…
How it all began
Milestones in virus and antivirus history
The Technology Race Between Black Hats and White Hats
Where Things Are Today
Bell Labs…
Core Wars
Two computer programs would “battle it out” in the “core” of a computer. The victor would be the last man standing.
Mainstreamed in May 1984 in Scientific American
Where it all began:
Elk Cloner
“It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!”
Virus folklore tells us that this virus was actually an experiment gone wrong… readers beware
Attacked the Apple II
Fred’s work is really famous…
You can read some of his papers at http://www.all.net/resume/papers.html
Cohen postulated that one could construct a computer program that could “infect” other programs with a “possibly evolved” version of itself.
The following pseudo-program shows how a virus might be written in a pseudo-computer language. The ":=" symbol is used for definition, the ":" symbol labels a statement, the ";" separates statements, the "=" symbol is used for assignment or comparison, the "~" symbol stands for not, the "{" and "}" symbols group sequences of statements together, and the "..." symbol is used to indicate that an irrelevant portion of code has been left implicit.

    program virus:=
    {1234567;

    subroutine infect-executable:=
        {loop:file = get-random-executable-file;
        if first-line-of-file = 1234567 then goto loop;
        prepend virus to file;
        }

    subroutine do-damage:=
        {whatever damage is to be done}

    subroutine trigger-pulled:=
        {return true if some condition holds}

    main-program:=
        {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}

    next:}
First virus that anyone really noticed
Basit and Amjad Farooq Alvi, of Lahore, Pakistan.
Simple Boot Infector – harkens back to the days of boot from floppy
Appeared in 1987
Introduced some important techniques:
Infected COMMAND.COM
Went resident in memory
Infected any disks that were accessed from the infected machine
Had an unpleasant trigger: trashed the FAT after four infections
Appeared in 1988, reported by Yisrael Radai
Memory-resident COM/EXE infector
Contained a bug: infected itself over and over again…
Spawned MANY virus variants
What’s a virus variant?
1987…
Written in REXX, a scripting language by IBM
Sent in SOURCE form by email
Required a user to run it
When it ran, sent itself to all your contacts
It was an early, human-driven WORM
1988
See:
ftp://coast.cs.purdue.edu/pub/doc/morris_worm/ for all the details you could ever need and more
Used multiple vulnerabilities
Sendmail bug
Fingerd bug
Via .rhosts files
Via password cracking
Infected a *lot* of hosts for the then fledgling Internet
Trojan Disk sent out widely in 1992
Encrypted data on the fixed disk after a certain number of boots
License verbiage:
"In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement."
See:
http://www.virusbtn.com/magazine/archives/pdf/1992/199201.PDF
More of an Icon than a reality
But, for a time, the most complex viruses did come from Bulgaria
Many the work of one person, the mysterious “Dark Avenger”
Dark Avenger ultimately wrote a “fast infecting” virus and the infamous Mutation Engine (aka MtE or DAME)
Welcome to Terry Tequila’s latest venture
1991
First fully polymorphic, full stealth virus
March 6th, 1992
Serious enough that there was actually a CERT Advisory: http://www.cert.org/advisories/CA-199202.html
A Boot Sector Virus with a payload
Quotes: “hundreds of thousands of computers” – John McAfee, also labeled with the number “five million”
“One out of four computers” – Reuters
In fact, total damage was low… very low: 10 to 20 thousand
For an interesting take on epidemiology, read:
http://www.research.ibm.com/antivirus/SciPapers/Kephart/PREV/prevalence.gopher.html
Also in 1992
A linkable object, never distributed in source form
Caused massive variation in code structure of a computer virus
Caused a complete redesign of several antivirus products, and was the end of simple “signature scanning”
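As an added illustration, not taken from the slides or from Cohen's paper, of why integrity checking survived the Mutation Engine while simple signature scanning did not: the sample "files", the reuse of the 1234567 marker from Cohen's pseudo-program above, and the XOR-varied copy of that marker are all constructed assumptions of this example, not data from any real virus.

```python
import hashlib
from typing import Dict, List

# Cohen's pseudo-program marks an infected file by making its first line the constant
# 1234567; a scanner that looks for that constant is the simplest possible "signature".
INFECTION_MARKER = b"1234567"

# Constructed sample directory: file name -> file bytes (these are not real programs).
CLEAN_FILES: Dict[str, bytes] = {
    "EDIT.COM": b"\xb8\x00\x4c\xcd\x21",
    "CALC.COM": b"\xb4\x09\xcd\x21\xc3",
    "GAME.COM": b"\x90\x90\xc3",
}

def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest of every file while the system is known to be clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def signature_scan(files: Dict[str, bytes], signature: bytes) -> List[str]:
    """Signature scanning: report files that begin with one known byte pattern."""
    return sorted(name for name, data in files.items() if data.startswith(signature))

def integrity_scan(files: Dict[str, bytes], known_good: Dict[str, str]) -> List[str]:
    """Integrity checking: report files whose digest no longer matches the clean baseline.
    It needs no knowledge of what the modification looks like, only that the file changed."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != known_good.get(name))

def demo() -> Dict[str, List[str]]:
    known_good = baseline(CLEAN_FILES)
    # Constructed "after" state: two files have had a header prepended, the way the
    # infect-executable routine in Cohen's pseudo-program would. EDIT.COM carries the
    # marker verbatim; GAME.COM carries the same marker with every byte XOR-ed by 0x55,
    # standing in for the per-copy variation that a mutation engine introduces.
    after = dict(CLEAN_FILES)
    after["EDIT.COM"] = INFECTION_MARKER + CLEAN_FILES["EDIT.COM"]
    varied_marker = bytes(b ^ 0x55 for b in INFECTION_MARKER)
    after["GAME.COM"] = varied_marker + CLEAN_FILES["GAME.COM"]
    return {
        "signature_hits": signature_scan(after, INFECTION_MARKER),  # -> ['EDIT.COM']
        "integrity_hits": integrity_scan(after, known_good),        # -> ['EDIT.COM', 'GAME.COM']
    }

if __name__ == "__main__":
    print(demo())
```

The signature scan catches only the copy whose bytes it was written for, while the digest comparison catches both modified files and leaves the untouched CALC.COM alone.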
Menu-driven virus creation for the masses!
Primarily simple COM infectors
Capable of basic encryption
The first of many…
Pathogen and Queeg
SMEG, the “Simulated Metamorphic Encryption Generator”
See:
http://www.soci.niu.edu/~crypt/other/pyle.htm for the full story
Also, see http://www.computerinvestigations.com/chist/chist01.html for an account of the investigation from an old friend, Jim Bates
Convicted under the UK’s Computer Misuse Act
Appeared around 1996
First “data” infecting virus? Well, not really…
Written in Word Macros
Forced large-scale changes in the antivirus industry
Interestingly, everyone infected by Concept saw one of these:
Hot on the heels of Concept
Auto_open and Check_files
Simple example of what could be done
Infected PERSONAL.XLS, which is loaded whenever Excel is run
1998
A virus that was written in Java that infects Java class files
Primarily a proof of concept
See:
http://www.sophos.com/virusinfo/articles/java.html for a useful FAQ
What about the Sandbox?
1999 (see CERT advisory CA-1999-04)
A virus that propagated via Email attachments
Used MAPI to spread
Incredibly effective technique
Poor David Smith! See:
http://news.bbc.co.uk/1/hi/world/americas/1963371.stm
DDoS = Distributed Denial of Service
Simple process:
Pwn a large number of machines
Install a remote control “bot” on them
Command them to attack a particular site
Why is this so dangerous?
CERT advisory CA-2001-19
Common buffer overrun in IIS
Spread like WILDFIRE
Question: Why?
Launched in January 2003
Utilized a buffer overrun in Microsoft’s popular SQL Server
Spread from machine to machine with a peak population doubling rate of 8.5 seconds
Infected 90% of all machines it would ever infect in 10 minutes
Actually impacted BGP Route Stability on the Internet!
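An added worked model, not part of the lecture, tying the 8.5-second doubling time to the 90%-in-10-minutes figure using the standard SI (susceptible-infected) epidemic model that worm analyses rely on; the vulnerable-population size of 75,000 hosts and the single seed host are assumptions of this example, not figures from the slides.

```python
import math

DOUBLING_TIME_S = 8.5    # peak population doubling rate quoted on the slide
TARGET_FRACTION = 0.90   # the slide: 90% of eventually-infected hosts within 10 minutes
VULNERABLE_HOSTS = 75_000  # assumed, not from the slide
SEED_FRACTION = 1 / VULNERABLE_HOSTS  # assumed: outbreak starts from one host

def growth_rate(doubling_time_s: float) -> float:
    """Per-second exponential growth rate beta that yields the given doubling time."""
    return math.log(2) / doubling_time_s

def logistic_fraction(t: float, beta: float, i0: float) -> float:
    """Infected fraction at time t for the SI model di/dt = beta * i * (1 - i).
    Early on it grows like i0 * exp(beta * t); later it saturates toward 1."""
    return 1.0 / (1.0 + (1.0 / i0 - 1.0) * math.exp(-beta * t))

def time_to_fraction(target: float, beta: float, i0: float) -> float:
    """Closed-form inverse of logistic_fraction: seconds until the infected fraction
    first reaches target."""
    return math.log((target / (1.0 - target)) / (i0 / (1.0 - i0))) / beta

def simulate(beta: float, i0: float, target: float, dt: float = 0.5) -> float:
    """Numerical cross-check: step the same SI model forward and return the seconds
    at which the infected fraction crosses target."""
    i, t = i0, 0.0
    while i < target:
        i += beta * i * (1.0 - i) * dt
        t += dt
    return t

def summary() -> dict:
    beta = growth_rate(DOUBLING_TIME_S)
    t_closed = time_to_fraction(TARGET_FRACTION, beta, SEED_FRACTION)
    return {
        "beta_per_s": beta,                       # about 0.0815 per second
        "seconds_to_90pct_model": t_closed,       # about 165 s, under 3 minutes
        "seconds_to_90pct_simulated": simulate(beta, SEED_FRACTION, TARGET_FRACTION),
        "minutes_observed": 10.0,                 # figure quoted on the slide
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:.3f}")
```

The idealized curve reaches 90% in under three minutes, so the 10 minutes reported for Slammer is, if anything, slower than the doubling rate alone predicts; the real outbreak was throttled once its scanning traffic saturated network links, which is also why BGP felt it.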
Windows makes it quite easy to write Spyware
Spyware can take over a machine and make it “unrecoverable” in many senses, without a reinstall
As Spyware becomes more “commercial” (in some senses of the word) it becomes a harder problem to fight
Blurred lines between legal and illegal
Context sensitivity and EULAs
The “undetectable” rootkit
Server virtualization used for gain?
How much of this is a real threat?
Sony adds a “rootkit” to CDs in an attempt to manage its digital rights…
More complicated than it sounds, but interesting story
For the first time, the UK cybercrime rate rises to meet the “real world” crime rate
Are everywhere:
PDF
Realplayer
IE
…
2007: Symantec acquires Vontu
Companies begin to focus on protecting data at rest and while in transit
Autorun Worm found on the International Space Station
Password-stealing, but not mission critical
More viruses
More Worms
More Trojans
More software that Blurs the Lines