Malicious Code: History

Transcript

Dr. Richard Ford





Where viruses have been…
How it all began
Milestones in virus and antivirus history
The technology race between black hats and white hats
Where Things Are Today




Bell Labs…
Core Wars
Two computer programs would “battle it out” in the “core” of a computer; the victor would be the last man standing
Mainstreamed in May 1984 in Scientific American

Where it all began:
 Elk Cloner
 “It will get on all your disks / It will infiltrate your chips / Yes, it's Cloner! / It will stick to you like glue / It will modify RAM too / Send in the Cloner!”
 Virus folklore tells us that this virus was actually an experiment gone wrong… readers beware
 Attacked the Apple II



Fred Cohen’s work is really famous…
You can read some of his papers at http://www.all.net/resume/papers.html
Cohen postulated that one could construct a computer program that could “infect” other programs with a “possibly evolved” version of itself.

The following pseudo-program shows how a virus might be written in a pseudo-computer language. The ":=" symbol is used for definition, the ":" symbol labels a statement, the ";" separates statements, the "=" symbol is used for assignment or comparison, the "~" symbol stands for not, the "{" and "}" symbols group sequences of statements together, and the "..." symbol is used to indicate that an irrelevant portion of code has been left implicit.

program virus:=
  {1234567;
  subroutine infect-executable:=
    {loop: file = get-random-executable-file;
    if first-line-of-file = 1234567 then goto loop;
    prepend virus to file;
    }
  subroutine do-damage:=
    {whatever damage is to be done}
  subroutine trigger-pulled:=
    {return true if some condition holds}
  main-program:=
    {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}
  next:
  }
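To make Cohen's pseudo-program concrete, here is an added simulation of it (not Cohen's code, and not from the talk) that runs his four pieces over an in-memory "file system": a dict of strings stands in for executables, the marker value and the virus body are constructed, and "running" a program means applying the viral main-program when the file carries the marker. Nothing touches a real disk. The point worth noticing is that the marker Cohen uses to avoid reinfecting a file is exactly the fixed byte string an early signature scanner looks for.

```python
"""Cohen's pseudo-program simulated over an in-memory "file system".

Added example; this is not Cohen's code and nothing here touches a real
disk. The "files" are strings in a dict, the marker value and virus body
are constructed, and "running" a file means applying the viral main-program
if the file carries the marker and then falling through to the host.
"""
import random

MARKER = "1234567"                        # Cohen's first-line marker
VIRUS_BODY = MARKER + "\n<virus code>\n"  # constructed stand-in for the viral code


def is_infected(content):
    """Cohen's reinfection check: is the first line of the file the marker?"""
    return content.split("\n", 1)[0] == MARKER


def infect_executable(files, rng):
    """infect-executable: pick a random executable that is not yet marked and
    prepend the virus to it. Returns the name infected, or None when every
    file is already infected (Cohen's `goto loop` would spin forever there;
    the simulation stops instead)."""
    candidates = [name for name, body in files.items() if not is_infected(body)]
    if not candidates:
        return None
    target = rng.choice(candidates)
    files[target] = VIRUS_BODY + files[target]
    return target


def trigger_pulled(clock):
    """trigger-pulled: a constructed condition, true on every fifth run."""
    return clock % 5 == 0


def run_program(files, name, clock, rng, damage_log):
    """main-program: if the host is infected, infect something else first,
    do damage if the trigger condition holds, then `goto next` (the host)."""
    if is_infected(files[name]):
        infect_executable(files, rng)
        if trigger_pulled(clock):
            damage_log.append((clock, name))
    # ... the host program itself would run here


def signature_scan(files):
    """The marker that stops reinfection is a byte string a scanner can look
    for: this is the whole idea behind early signature scanning."""
    return sorted(name for name, body in files.items() if MARKER in body)


def simulate(n_runs=30, n_files=6, seed=1):
    """Seed one infected file, run randomly chosen programs n_runs times, and
    return the resulting files plus the log of (clock, program) damage events."""
    rng = random.Random(seed)
    files = {f"prog{i}.exe": f"<original prog{i}>\n" for i in range(n_files)}
    files["prog0.exe"] = VIRUS_BODY + files["prog0.exe"]   # patient zero
    damage = []
    for clock in range(1, n_runs + 1):
        run_program(files, rng.choice(sorted(files)), clock, rng, damage)
    return files, damage


def saturate(files, seed=0):
    """Keep calling infect-executable until nothing is left to infect;
    returns how many files were newly infected."""
    rng = random.Random(seed)
    count = 0
    while infect_executable(files, rng) is not None:
        count += 1
    return count


if __name__ == "__main__":
    files, damage = simulate()
    print("infected:", signature_scan(files))
    print("damage events:", damage)
```

Because infection prepends the marker exactly once, `signature_scan` and `is_infected` always agree, and `saturate` shows the terminating condition Cohen's `goto loop` lacks: once every executable is marked, there is nothing left to pick.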



Brain
First virus that anyone really noticed
Basit and Amjad Farooq Alvi, of Lahore, Pakistan.
Simple boot-sector infector – harkens back to the days of booting from floppy


Lehigh
Appeared in 1987
Introduced some important techniques:
 Infected COMMAND.COM
 Went resident in memory
 Infected any disks that were accessed from the infected machine
 Had an unpleasant trigger: trashed the FAT after four infections




Jerusalem
Appeared in 1988, reported by Yisrael Radai
Memory-resident COM/EXE infector
Contained a bug: it infected the same EXE files over and over again…
Spawned MANY virus variants
 What’s a virus variant?






CHRISTMA EXEC
1987…
Written in REXX, a scripting language by IBM
Sent in SOURCE form by email
Required a user to run it
When it ran, it sent itself to all your contacts
It was an early, human-driven WORM
The Morris worm
1988
See: ftp://coast.cs.purdue.edu/pub/doc/morris_worm/ for all the details you could ever need and more
 Used multiple vulnerabilities:
  Sendmail bug (the DEBUG command)
  Fingerd bug (a stack buffer overflow via gets())
  Via .rhosts files (trusted-host remote shells)
  Via password cracking
Infected a *lot* of hosts on the then-fledgling Internet
The AIDS Information Trojan (PC Cyborg)
Trojan disk mailed out widely in December 1989 (the Virus Bulletin account below is from 1992)
Scrambled the file names on the fixed disk after a certain number of boots (90)
 License verbiage:
 "In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement."
 See: http://www.virusbtn.com/magazine/archives/pdf/1992/199201.PDF






More of an icon than a reality
But, for a time, the most complex viruses did come from Bulgaria
Many were the work of one person, the mysterious “Dark Avenger”
Dark Avenger ultimately wrote a “fast infecting” virus and the infamous Mutation Engine (aka MtE or DAME)



Tequila
Welcome to Terry Tequila’s latest venture
1991
First fully polymorphic, full-stealth virus







Michelangelo
March 6th, 1992
Serious enough that there was actually a CERT Advisory: http://www.cert.org/advisories/CA-1992-02.html
A boot sector virus with a payload
Quotes: “hundreds of thousands of computers” – John McAfee, also labeled with the number “five million”; “one out of four computers” – Reuters
In fact, total damage was low… very low: 10 to 20 thousand machines
For an interesting take on epidemiology, read: http://www.research.ibm.com/antivirus/SciPapers/Kephart/PREV/prevalence.gopher.html




MtE
Also in 1992
A linkable object, never distributed in source form
Caused massive variation in the code structure of a computer virus
Caused a complete redesign of several antivirus products, and was the end of simple “signature scanning”




VCL (the Virus Creation Laboratory)
Menu-driven virus creation for the masses!
Primarily simple COM infectors
Capable of basic encryption
The first of many…





The Black Baron (Christopher Pile)
Pathogen and Queeg
SMEG, the “Simulated Metamorphic Encryption Generator”
See: http://www.soci.niu.edu/~crypt/other/pyle.htm for the full story
Also, see http://www.computerinvestigations.com/chist/chist01.html for an account of the investigation from an old friend, Jim Bates
Convicted under the UK’s Computer Misuse Act





Concept
Appeared in 1995
First “data” infecting virus? Well, not really…
Written in Word macros
Forced large-scale changes in the antivirus industry
Interestingly, everyone infected by Concept saw one of these: a Word message box containing just “1”




Laroux
Hot on the heels of Concept
Auto_open and Check_files macros
Simple example of what could be done
Infected PERSONAL.XLS, which is loaded whenever Excel is run





StrangeBrew
1998
A virus written in Java that infects Java class files
Primarily a proof of concept
See: http://www.sophos.com/virusinfo/articles/java.html for a useful FAQ
What about the sandbox?





Melissa
1999 (see CERT advisory CA-1999-04)
A virus that propagated via email attachments
Used MAPI to spread
Incredibly effective technique
Poor David Smith! See: http://news.bbc.co.uk/1/hi/world/americas/1963371.stm


DDoS = Distributed Denial of Service
Simple process:
 Pwn a large number of machines
 Install a remote control “bot” on them
 Command them to attack a particular site

Why is this so dangerous?




Code Red
CERT advisory CA-2001-19
A buffer overrun in IIS (the Index Server ISAPI extension)
Spread like WILDFIRE
Question: Why?





SQL Slammer
Launched in January 2003
Utilized a buffer overrun in Microsoft’s popular SQL Server (a single UDP packet to port 1434)
Spread from machine to machine with a peak population doubling rate of 8.5 seconds
Infected 90% of all machines it would ever infect in 10 minutes
Actually impacted BGP route stability on the Internet!
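The Slammer numbers above (a doubling time of 8.5 seconds, saturation within minutes) and the epidemiology pointer in the Michelangelo slide both come down to the same logistic growth model for a worm that picks targets uniformly at random from the IPv4 space. The following is an added worked example, not code from the talk: it derives the per-host probe rate that a given doubling time implies, solves the logistic curve for the time to reach a target fraction, and cross-checks that against a step-by-step simulation. The vulnerable-population figure of 75,000 used at the bottom is an assumption for the demonstration, not a measurement.

```python
"""Random-scanning worm growth (logistic model), as an added illustration of
the Slammer numbers: doubling time 8.5 s, saturation within minutes. The
vulnerable-population figure used in __main__ is an assumption, not data.
"""
import math

ADDRESS_SPACE = 2 ** 32   # IPv4; a random probe hits a vulnerable host with probability N / 2^32


def growth_rate(doubling_s):
    """Exponential rate K (per second) implied by a doubling time: 2 = e^(K * T2)."""
    return math.log(2) / doubling_s


def scans_per_second(doubling_s, vulnerable):
    """Probe rate each infected host must sustain for that doubling time,
    from K = r * N / 2^32 (r probes/s per host, N vulnerable hosts)."""
    return growth_rate(doubling_s) * ADDRESS_SPACE / vulnerable


def time_to_fraction(target, initial, doubling_s):
    """Closed-form logistic curve a(t) = 1 / (1 + ((1 - a0) / a0) * e^(-K t)),
    solved for the time t at which the infected fraction reaches `target`."""
    k = growth_rate(doubling_s)

    def logit(a):
        return math.log(a / (1 - a))

    return (logit(target) - logit(initial)) / k


def simulate(vulnerable, doubling_s, seconds, initial_hosts=1, substeps=10):
    """Forward-Euler integration of da/dt = K a (1 - a); returns a list where
    curve[t] is the infected fraction after t whole seconds."""
    k = growth_rate(doubling_s)
    dt = 1.0 / substeps
    a = initial_hosts / vulnerable
    curve = [a]
    for _ in range(seconds):
        for _ in range(substeps):
            a += k * a * (1 - a) * dt
        curve.append(a)
    return curve


if __name__ == "__main__":
    N = 75_000   # assumed vulnerable population (not a figure from the talk)
    T2 = 8.5     # doubling time quoted in the talk
    print(f"probe rate per host for T2={T2}s: {scans_per_second(T2, N):.0f}/s")
    print(f"time to 90% of N: {time_to_fraction(0.9, 1 / N, T2):.0f}s")
    curve = simulate(N, T2, 600)
    print(f"fraction infected at 10 min: {curve[600]:.4f}")
```

Two things fall out of the model. First, the doubling time is set by the product of the per-host probe rate and the density of vulnerable hosts in the address space, so a worm with a one-packet infection vector can reach an 8.5 s doubling time with a few thousand probes per second per host; second, with a growth rate that high the logistic curve goes from a single host to 90% of the population in under three minutes, so "90% in ten minutes" is the unsurprising outcome rather than the bottleneck, and the bottleneck in practice was the bandwidth the scanning itself consumed.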



Windows makes it quite easy to write spyware
Spyware can take over a machine and make it “unrecoverable” in many senses, without a reinstall
As spyware becomes more “commercial” (in some senses of the word) it becomes a harder problem to fight
 Blurred lines between legal and illegal
 Context sensitivity and EULAs



Blue Pill: the “undetectable” rootkit
Virtualization technology (a thin hypervisor under the running OS) used for gain?
How much of this is a real threat?

Sony adds a “rootkit” to CDs in an attempt to manage its digital rights…
 More complicated than it sounds, but an interesting story

For the first time, the UK cybercrime rate rises to meet the “real world” crime rate

Client-side exploits are everywhere:
 PDF
 RealPlayer
 IE
 …

2007: Symantec acquires Vontu
 Companies begin to focus on protecting data at rest and in transit

2008: Autorun worm found on the International Space Station
 Password-stealing, but not mission critical




More viruses
More worms
More Trojans
More software that blurs the lines