Computer Viruses and Worms Computer Viruses and Worms Dragan Lojpur Dragan Lojpur Zhu Fang Zhu Fang Definition of Virus Definition of Virus  A virus is a small piece of software that piggybacks on real programs A virus is a small piece of software that piggybacks on real programs in order to get executed in order to get executed  Once it’s running, it spreads by inserting copies of itself into other Once it’s running, it spreads by inserting copies of itself into other executable code or documents executable code or documents Computer Virus Timeline Computer Virus Timeline  1949 1949 Theories for self-replicating programs are first developed. Theories for self-replicating programs are first developed.  1981 1981 Apple Viruses 1, 2, and 3 are some of the first viruses “in the wild,” or in the public domain. Found on Apple Viruses 1, 2, and 3 are some of the first viruses “in the wild,” or in the public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games. the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.  1983 1983 Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer program that can affect other computer programs by modifying them in such a way as to include a program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.” (possibly evolved) copy of itself.”  1986 1986 Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies had “© Brain” for a volume label. had “© Brain” for a volume label.  1987 1987 The Lehigh virus, one of the first file viruses, infects command.com files. The Lehigh virus, one of the first file viruses, infects command.com files.  1988 1988 One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .exe and .com files and deletes any programs run on that day. affects both .exe and .com files and deletes any programs run on that day. MacMag and the Scores virus cause the first major Macintosh outbreaks. MacMag and the Scores virus cause the first major Macintosh outbreaks.  … … Worms Worms  Worm Worm - is a self-replicating program, similar to a computer virus. A - is a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be program; however, a worm is self-contained and does not need to be part of another program to propagate itself. part of another program to propagate itself. History of Worms History of Worms  The first worm to attract wide attention, the Morris The first worm to attract wide attention, the Morris worm, was written by Robert Tappan Morris, who at worm, was written by Robert Tappan Morris, who at the time was a graduate student at Cornell the time was a graduate student at Cornell University. University.  It was released on November 2, 1988 It was released on November 2, 1988  Morris himself was convicted under the US Morris himself was convicted under the US Computer Crime and Abuse Act and received three Computer Crime and Abuse Act and received three years probation, community service and a fine in years probation, community service and a fine in excess of $10,000. excess of $10,000.  Xerox PARC Xerox PARC Worms… Worms…  Worms Worms – is a small piece of software that uses – is a small piece of software that uses computer networks and security holes to replicate computer networks and security holes to replicate itself. A copy of the worm scans the network for itself. A copy of the worm scans the network for another machine that has a specific security hole. another machine that has a specific security hole. It copies itself to the new machine using the It copies itself to the new machine using the security hole, and then starts replicating from security hole, and then starts replicating from there, as well. there, as well.  They are often designed to exploit the file They are often designed to exploit the file transmission capabilities found on many transmission capabilities found on many computers. computers. Zombies Zombies  Infected computers — mostly Windows machines — are now the Infected computers — mostly Windows machines — are now the major delivery method of spam. major delivery method of spam.  Zombies have been used extensively to send e-mail spam; between Zombies have been used extensively to send e-mail spam; between 50% to 80% of all spam worldwide is now sent by zombie computers 50% to 80% of all spam worldwide is now sent by zombie computers Money flow Money flow  Pay per click Pay per click Typical things that some current Typical things that some current Personal Computer (PC) viruses do Personal Computer (PC) viruses do  Display a message Display a message Typical things that some current Typical things that some current Personal Computer (PC) viruses do Personal Computer (PC) viruses do  Erase files Erase files  Scramble data on a hard disk Scramble data on a hard disk  Cause erratic screen behavior Cause erratic screen behavior  Halt the PC Halt the PC  Many viruses do nothing obvious at all except spread! Many viruses do nothing obvious at all except spread!  Display a message Display a message [...]... Computer security companies report that Mydoom is responsible for  approximately one in ten e­mail messages at this time. Slows overall  internet performance by approximately ten percent and average web  page load times by approximately fifty percent  MyDoom…    27 January: SCO Group offers a US $250,000  reward for information leading to the arrest of the  worm's creator 1 February: An estimated one million computers ... other programs on the disk  Boot Sector Viruses  Traditional Virus  infect the boot sector on floppy disks and hard disks   By putting its code in the boot sector, a virus can guarantee it gets  executed   load itself into memory immediately, and it is able to run whenever the  computer is on  Decline of traditional viruses  Reasons: – Huge size of today’s programs storing on a compact disk – Operating... users, typically the loss of network connectivity and services by  consuming the bandwidth of the victim network or overloading the  computational resources of the victim system.  How it works?        The flood of incoming messages to the target  system essentially forces it to shut down, thereby  denying service to the system to legitimate users.  Victim's IP address.  Victim's port number.  Attacking packet size. ... Took advantage of the programming language built into Microsoft  Word called VBA (Visual Basic for Applications) Prevention  Updates  Anti Viruses  More secure operating systems  e.g. UNIX Reference    http://mirror.aarnet.edu.au/pub/code­red/newframes­small­log.gif http://www.factmonster.com/ipka/A0872842.html http://www.faqs.org/faqs/computer­virus/new­users/ http://www.mines.edu/academic/computer/viri­sysadmin.htm ... 1 February: An estimated one million computers  around the world infected with Mydoom begin the  virus's massive distributed denial of service attack —the largest such attack to date.  2 February: The SCO Group moves its site to  www.thescogroup.com.   Executable Viruses  Traditional Viruses  pieces of code attached to a legitimate program  run when the legitimate program gets executed   loads itself into memory and looks around to see if it can find any ... Operating systmes now protect the boot sector E-mail Viruses  Moves around in e­mail messages  Replicates itself by automatically mailing itself to dozens of people in  the victim’s e­mail address book  Example: Melissa virus, ILOVEYOU virus  Melissa virus      March 1999  the Melissa virus was the fastest­spreading virus  ever seen  Someone created the virus as a Word document  uploaded to an Internet newsgroup  . History of Worms History of Worms  The first worm to attract wide attention, the Morris The first worm to attract wide attention, the Morris worm,. reward for information leading to the arrest of the reward for information leading to the arrest of the worm's creator worm's creator . .  1