Computer Viruses and Worms
Dragan Lojpur, Zhu Fang

Upload: martin-phelps

Post on 23-Dec-2015

TRANSCRIPT

Page 1: Computer Viruses and Worms Dragan Lojpur Zhu Fang

Computer Viruses and Worms

Dragan Lojpur

Zhu Fang

Page 2

Definition of Virus

A virus is a small piece of software that piggybacks on real programs in order to get executed.

Once it’s running, it spreads by inserting copies of itself into other executable code or documents.

Page 3

Computer Virus Timeline

1949: Theories for self-replicating programs are first developed.

1981: Apple Viruses 1, 2, and 3 are some of the first viruses “in the wild,” or in the public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.

1983: Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.”

1986: Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies had “© Brain” for a volume label.

1987: The Lehigh virus, one of the first file viruses, infects command.com files.

1988: One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .exe and .com files and deletes any programs run on that day. MacMag and the Scores virus cause the first major Macintosh outbreaks.

…

Page 4

Worms

A worm is a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself.

Page 5

History of Worms

The first worm to attract wide attention, the Morris worm, was written by Robert Tappan Morris, who at the time was a graduate student at Cornell University.

It was released on November 2, 1988. Morris himself was convicted under the US Computer Crime and Abuse Act and received three years probation, community service and a fine in excess of $10,000.

Xerox PARC

Page 6

Worms…

A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.

They are often designed to exploit the file transmission capabilities found on many computers.

Page 7

Zombies

Infected computers — mostly Windows machines — are now the major delivery method of spam.

Zombies have been used extensively to send e-mail spam; between 50% to 80% of all spam worldwide is now sent by zombie computers.

Page 8

Money flow

Pay per click

Page 9

Typical things that some current Personal Computer (PC) viruses do

– Display a message

Page 10

Typical things that some current Personal Computer (PC) viruses do

– Display a message
– Erase files
– Scramble data on a hard disk
– Cause erratic screen behavior
– Halt the PC
– Many viruses do nothing obvious at all except spread!

Page 11

Distributed Denial of Service

A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.

Page 12

How does it work?

The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.

– Victim's IP address
– Victim's port number
– Attacking packet size
– Attacking interpacket delay
– Duration of attack

MyDoom – SCO Group
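The parameters listed above are what a defender's monitoring sees from the other side: a sudden rise in packets per second toward one victim address and port, arriving from many sources. The Python below is an added example and not part of the original slides. It buckets constructed packet records (RFC 5737 documentation addresses; the record fields, thresholds and the flood shape are assumptions) per target and one-second window, flags targets whose rate exceeds a threshold, and reports whether the excess came from many sources (distributed) or from a single noisy client.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as a monitoring tap would record it (constructed data)."""
    ts: float    # seconds since capture start
    src: str     # source IP address
    dst: str     # destination (victim) IP address
    dport: int   # destination port
    size: int    # bytes on the wire


def detect_floods(packets, window=1.0, pps_threshold=100, min_sources=10):
    """Bucket packets per (destination, port, time window) and flag every
    target whose packet rate in some window exceeds pps_threshold.

    Returns {(dst, dport): {"peak_pps": float, "sources": set, "distributed": bool}}.
    'distributed' is True when at least min_sources distinct senders took part
    in an over-threshold window, which separates a DDoS from one noisy client.
    The thresholds are illustrative assumptions, not measured values.
    """
    buckets = defaultdict(list)
    for p in packets:
        buckets[(p.dst, p.dport, int(p.ts // window))].append(p)

    alerts = {}
    for (dst, dport, _slot), pkts in buckets.items():
        rate = len(pkts) / window
        if rate <= pps_threshold:
            continue
        sources = {p.src for p in pkts}
        alert = alerts.setdefault(
            (dst, dport), {"peak_pps": 0.0, "sources": set(), "distributed": False}
        )
        alert["peak_pps"] = max(alert["peak_pps"], rate)
        alert["sources"].update(sources)
        alert["distributed"] = alert["distributed"] or len(sources) >= min_sources
    return alerts


def build_sample_traffic():
    """Constructed capture: five ordinary clients talking to two servers,
    plus forty 'zombie' hosts flooding one of the servers for three seconds."""
    packets = []
    for i in range(5):
        client = f"198.51.100.{i + 1}"
        for second in range(4):
            packets.append(Packet(second + 0.1 * i, client, "203.0.113.10", 80, 512))
            packets.append(Packet(second + 0.1 * i, client, "203.0.113.20", 443, 640))
    for z in range(40):                      # zombie hosts
        zombie = f"192.0.2.{z + 1}"
        for second in range(3):              # duration of attack: 3 s
            for k in range(5):               # interpacket delay: 0.2 s
                packets.append(Packet(second + 0.2 * k, zombie, "203.0.113.10", 80, 60))
    return packets


if __name__ == "__main__":
    for (dst, dport), info in detect_floods(build_sample_traffic()).items():
        kind = "distributed" if info["distributed"] else "single-source"
        print(f"{dst}:{dport} peak {info['peak_pps']:.0f} pps from "
              f"{len(info['sources'])} sources ({kind})")
```

On the constructed capture only 203.0.113.10:80 is reported, at a peak of 205 packets per second from 45 distinct sources; the second server, which sees only the five ordinary clients, stays under the threshold. In practice the threshold is set from the link's measured baseline rather than a fixed number.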

Page 13

DDoS

Page 14

MyDoom

26 January 2004: The Mydoom virus is first identified around 8am. Computer security companies report that Mydoom is responsible for approximately one in ten e-mail messages at this time. Slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent.

Page 15

MyDoom…

27 January: SCO Group offers a US $250,000 reward for information leading to the arrest of the worm's creator.

1 February: An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack—the largest such attack to date.

2 February: The SCO Group moves its site to www.thescogroup.com.

Page 16

Executable Viruses

Traditional Viruses
– pieces of code attached to a legitimate program
– run when the legitimate program gets executed
– loads itself into memory and looks around to see if it can find any other programs on the disk

Page 17

Boot Sector Viruses

Traditional Virus
– infect the boot sector on floppy disks and hard disks
– By putting its code in the boot sector, a virus can guarantee it gets executed
– load itself into memory immediately, and it is able to run whenever the computer is on
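Both traditional virus types on the last two pages work by modifying something that is executed anyway: the body of another program, or the boot sector. That gives a defender a simple check: record a baseline digest of each executable and of the first 512 bytes of each disk, then re-hash later and report differences. The Python below is an added example, not code from the slides. It runs a constructed scenario in a temporary directory (the file names and contents are invented), appends bytes to one "executable" the way a file infector grows its host, rewrites the first sector of a fake disk image, and reports what changed against the baseline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

BOOT_SECTOR_SIZE = 512  # bytes at the start of a disk (MBR / boot sector)


def file_digest(path, limit=None):
    """SHA-256 of a whole file, or of its first `limit` bytes when limit is set."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        if limit is not None:
            h.update(f.read(limit))
        else:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return h.hexdigest()


def build_baseline(executables, disk_images):
    """Record size and digest of each executable, and the digest of the boot
    sector of each disk image (a raw device node works the same way, given
    permission to read it)."""
    baseline = {}
    for p in executables:
        baseline[str(p)] = ("executable", os.path.getsize(p), file_digest(p))
    for p in disk_images:
        baseline[str(p)] = ("boot_sector", BOOT_SECTOR_SIZE, file_digest(p, BOOT_SECTOR_SIZE))
    return baseline


def verify(baseline):
    """Re-hash everything in the baseline and return a list of
    (path, kind, reason) for anything that changed or disappeared."""
    findings = []
    for path, (kind, size, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, kind, "missing"))
            continue
        if kind == "executable":
            new_size = os.path.getsize(path)
            if new_size != size:                     # appending infectors grow the host
                findings.append((path, kind, f"size {size} -> {new_size}"))
            elif file_digest(path) != digest:        # same size, different bytes
                findings.append((path, kind, "content changed, size unchanged"))
        elif file_digest(path, BOOT_SECTOR_SIZE) != digest:
            findings.append((path, kind, "boot sector rewritten"))
    return findings


def demo():
    """Constructed scenario: baseline two fake executables and one fake disk
    image, alter one executable and the image's first sector, and return the
    changes verify() reports keyed by (file name, kind)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good, target, image = root / "editor.exe", root / "game.exe", root / "disk.img"
        good.write_bytes(b"MZ" + bytes(range(256)) * 4)
        target.write_bytes(b"MZ" + bytes(range(256)) * 8)        # 2050 bytes
        image.write_bytes(b"\xeb\x3c\x90ORIGBOOT" + b"\x00" * 4085)

        baseline = build_baseline([good, target], [image])

        with open(target, "ab") as f:            # simulate an appending infector
            f.write(b"\x90" * 300)
        with open(image, "r+b") as f:            # simulate a boot-sector overwrite
            f.seek(0)
            f.write(b"\xeb\x3c\x90NEWBOOT!")

        return {(Path(p).name, kind): reason for p, kind, reason in verify(baseline)}


if __name__ == "__main__":
    for (name, kind), reason in demo().items():
        print(f"{name} [{kind}]: {reason}")
```

The untouched editor.exe produces no finding; game.exe is reported by its size change and disk.img by its rewritten first sector. The baseline itself has to live somewhere the checked system cannot silently rewrite, otherwise an infector that also updates the baseline defeats the check.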

Page 18

Decline of traditional viruses

Reasons:
– Huge size of today’s programs stored on a compact disk
– Operating systems now protect the boot sector

Page 19

E-mail Viruses

– Moves around in e-mail messages
– Replicates itself by automatically mailing itself to dozens of people in the victim’s e-mail address book

Example: Melissa virus, ILOVEYOU virus

Page 20

Melissa virus

– March 1999: the Melissa virus was the fastest-spreading virus ever seen
– Someone created the virus as a Word document uploaded to an Internet newsgroup
– People who downloaded the document and opened it would trigger the virus
– The virus would then send the document in an e-mail message to the first 50 people in the person's address book

Page 21

Melissa virus

Took advantage of the programming language built into Microsoft Word called VBA (Visual Basic for Applications).
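Melissa's distinctive behaviour on the mail server, as described on the previous page, is one sender pushing the same document to dozens of recipients within moments. The Python below is an added example, not from the slides, that looks for exactly that pattern in a constructed mail log. Its line format, the addresses, the one-minute window and the 25-recipient threshold are assumptions chosen for the illustration; it also shows the edge cases a log parser has to tolerate (messages without attachments, and lines that do not parse at all).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real MTA's syntax):
# <ISO timestamp> from=<sender> to=<recipient> attachment=<name or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> attachment=(?P<att>\S+)$"
)


def parse_log(lines):
    """Yield (timestamp, sender, recipient, attachment) for well-formed lines
    that carry an attachment; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["att"] == "-":
            continue
        yield datetime.fromisoformat(m["ts"]), m["sender"], m["rcpt"], m["att"]


def detect_mass_mailing(records, window=timedelta(seconds=60), min_recipients=25):
    """Flag (sender, attachment) pairs that reached at least min_recipients
    distinct recipients inside any interval of length `window`.
    Returns {(sender, attachment): peak distinct recipients in one window}."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, att in records:
        by_key[(sender, att)].append((ts, rcpt))

    alerts = {}
    for key, sends in by_key.items():
        sends.sort()
        peak = 0
        for i, (start, _) in enumerate(sends):
            j = i
            while j < len(sends) and sends[j][0] - start <= window:
                j += 1
            peak = max(peak, len({r for _, r in sends[i:j]}))
        if peak >= min_recipients:
            alerts[key] = peak
    return alerts


def build_sample_log():
    """Constructed mail log: ordinary traffic from one user, a newsletter that
    is wide but slow (one message every five minutes), and one user whose
    client suddenly mails the same document to 50 contacts in under a minute."""
    t0 = datetime(2004, 1, 26, 8, 0, 0)
    lines = [
        f"{(t0 + timedelta(minutes=m)).isoformat()} from=<alice@example.com> "
        f"to=<user{m}@example.net> attachment={name}"
        for m, name in enumerate(["report.doc", "-", "photo.jpg"])
    ]
    lines += [
        f"{(t0 + timedelta(minutes=5 * n)).isoformat()} from=<news@example.com> "
        f"to=<member{n}@example.org> attachment=issue.pdf"
        for n in range(30)
    ]
    lines += [
        f"{(t0 + timedelta(seconds=n)).isoformat()} from=<carol@example.com> "
        f"to=<contact{n}@example.org> attachment=list.doc"
        for n in range(50)
    ]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for (sender, att), n in detect_mass_mailing(parse_log(build_sample_log())).items():
        print(f"{sender} sent {att} to {n} recipients within one minute")
```

Only carol@example.com with list.doc is flagged (50 recipients in one window); the newsletter reaches 30 people but never more than one per minute, so the burst test separates it from the outbreak. Keying on the attachment name as well as the sender is what makes the check specific to a self-mailing document rather than to any busy sender.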

Page 22

Prevention

– Updates
– Anti-Viruses
– More secure operating systems, e.g. UNIX
