history of cybernetic warfare: viruses and worms

HISTORY OF CYBERNETIC WARFARE: Viruses and Worms By: Peter Xu Kaoutar Settar Ido Iloni


Post on 25-Feb-2016


TRANSCRIPT

Page 1: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

HISTORY OF CYBERNETIC WARFARE:

Viruses and Worms

By: Peter Xu, Kaoutar Settar, Ido Iloni

Page 2: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Introduction To Viruses

• The first virus appeared in the early 1970s on the ARPANET.

• These viruses were classified as “Wabbit Viruses.”

Page 3: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Wabbit Virus (1st Type Ever!!)

• A Wabbit Virus is a self-replicating program.

• These programs make multiple copies of themselves.

• Thus they fill up most of the victim’s computer, creating massive lag and eventually crashing the computer.

Page 4: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Creeper Virus (1st)

• The Creeper Virus was written by Bob Thomas at BBN in 1971.

• It was designed to demonstrate a mobile application.

• Fortunately, it was contained within an isolated system.

• It was a Wabbit.

Page 5: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Elk Cloner

• It was written around 1982 by a 15-year-old high school student named Rich Skrenta for Apple II systems.

• Elk Cloner was a “boot sector” virus. When an infected disk was inserted into a computer, the computer became infected. Then, any disk inserted would become infected.

Page 6: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Elk Cloner

• It was the first virus to be in the “wild,” meaning that it was not contained within one system.

• At the time there were no anti-virus programs to defend against the virus, but it could be deleted through lots of manual effort.

Page 7: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

CIH (Chernobyl/Spacefiller)

• A Microsoft Windows computer virus written by Chen Ing Hau.

• CIH infects Portable Executable programs by splitting its code into many small bits and pieces and reassembling itself. This type of infection is extremely complex and unique.

• The CIH virus was extremely destructive, receiving a status of highly destructive from Symantec.

Page 8: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

CIH (Chernobyl/Spacefiller) Continued

• According to the security company Symantec, it caused $250 million in damage by infecting as many as one million computers.

• CIH attempts to disrupt the relationships and the data flow between the hard drive ports, keyboards, mouse and other central devices.

• It overwrites the hard drive with random data, and also attacks the Flash BIOS causing permanent damage.

Page 9: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

CIH (Chernobyl/Spacefiller) Continued

• The first megabyte (1024 KB) of the hard drive is overwritten with zeros, causing the computer to lose any data in that megabyte.

• The Chernobyl virus destroys so much of the central system that only a system technician will be able to fix it, and only through physical efforts.

Page 10: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

ILOVEYOU (Worm)

• The ILOVEYOU worm originated in the Philippines and caused 5.5 billion USD in damages.

• The email contained a file called “LOVE-LETTER-FOR-YOU.” Once opened it sent a copy of itself to everyone in the Windows address book.

• This is a great example of an e-mail-spread worm.

Page 11: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

ILOVEYOU (Worm) Continued

• It also made a number of malicious changes to the user’s computer.

• The Worm overwrote music files, multimedia files, and many other types with itself.

• The Pentagon, CIA, and the British Parliament had to shut down their mail systems because of the Worm.

• By May 13, 2000, 15 million infections had been reported.

Page 12: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Pikachu Worm

• Was the first piece of malware targeting children.

• The worm, like ILOVEYOU, spread through email.

• Thankfully, the worm only affected systems running Microsoft Outlook.

• The worm, when opened, showed this:

Page 13: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Conficker

• Conficker is believed to have created the largest computer worm infection to date, with seven million government, business and home computers in over 200 countries infected.

• Conficker infected the INTRAMAR system and spread into the internet through media uploads.

• It used dictionary attacks on administrator passwords.

Page 14: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Conficker Continued

• A dictionary attack uses the most likely passwords and continuously enters them in.

• Conficker infects new computers through removable media (i.e. flash drives). It uses AutoRun, an automatic run-program that starts inserted media, to run the virus immediately after the media is inserted.
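
Added example (not part of the original slides): a defender-side check for the dictionary attack described above, which shows up in logon records as a burst of failed logons from one source against one account. The log format, addresses, threshold, window and function names are assumptions made for illustration; the sample lines are constructed and assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; assumed format: ISO time, source address, account, result.
SAMPLE_LOG = """\
2009-01-10T09:00:01 10.0.0.7 administrator FAIL
2009-01-10T09:00:03 10.0.0.7 administrator FAIL
2009-01-10T09:00:05 10.0.0.7 administrator FAIL
2009-01-10T09:00:06 10.0.0.9 alice FAIL
2009-01-10T09:00:07 10.0.0.7 administrator FAIL
2009-01-10T09:00:09 10.0.0.7 administrator FAIL
2009-01-10T09:00:11 10.0.0.7 administrator FAIL
2009-01-10T09:00:40 10.0.0.9 alice OK
2009-01-10T09:10:00 10.0.0.12 administrator FAIL
2009-01-10T09:25:00 10.0.0.12 administrator FAIL
2009-01-10T09:40:00 10.0.0.12 administrator FAIL
2009-01-10T09:55:00 10.0.0.12 administrator FAIL
"""

def parse_line(line):
    """Return (time, source, account, result), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), parts[3].upper()
    except ValueError:
        return None

def find_guessing_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map (source, account) to its largest burst of failures, if >= threshold."""
    recent = defaultdict(deque)  # (source, account) -> failure times still in window
    flagged = {}
    for event in map(parse_line, log_text.splitlines()):
        if event is None:
            continue
        when, source, account, result = event
        key = (source, account)
        if result != "FAIL":
            recent[key].clear()  # a successful logon ends the current run of failures
            continue
        recent[key].append(when)
        while when - recent[key][0] > window:
            recent[key].popleft()  # drop failures that fell out of the time window
        if len(recent[key]) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(recent[key]))
    return flagged

if __name__ == "__main__":
    print(find_guessing_sources(SAMPLE_LOG))
```

Only the rapid burst from 10.0.0.7 is reported; the single mistyped password from 10.0.0.9 and the failures from 10.0.0.12 spaced fifteen minutes apart stay below the threshold inside any one window.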

Page 15: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Conficker Continued

• The unknown makers of Conficker continuously update the virus by sending out new variants to include anti-virus and error-notify deactivators and to patch up weak spots in the coding.

• The fifth and latest update was on 4-7-2009.

• Because of these updates, the virus continues to adapt to new anti-virus counter-measures and to reduce the possibility of detection.

Page 16: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

W32.MyDoom.M@mm

• It’s the fastest spreading email worm ever.

• MyDoom was e-mailed to victims with the subject line of “error”, “mail delivery system”, or “mail transaction failed”.

• Then, it copies itself into the shared folder of the peer-to-peer file sharing application KaZaA in an attempt to spread in that way.

• An estimated 1 million computers around the world infected with MyDoom started the virus’s massive denial of service attack.

Page 17: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

MyDoom Cont…

• A denial of service attack floods the bandwidth or resources of a targeted system.

• The virus was so severe that one of the victims, The SCO Group, offered $250,000 in exchange for the arrest of the worm’s creator.

• In addition, the FBI and Secret Service began investigations on the worm on January 27th, 2004 and still haven’t found the creator.

Page 18: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Stuxnet

• Stuxnet was a worm that attacked the Iranian Nuclear Enrichment Plants at Natanz. Stuxnet specifically infects project files belonging to Siemens’ SCADA control software. According to the security company Symantec, the worm, written in several different programming languages such as C and C++, was the most sophisticated and most expensive piece of malware ever released.

Page 19: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Stuxnet Continued

• Symantec also added that “it would have taken thirty highly-trained specialists about six months to prepare the worm.”

• In addition to that, the project would have needed the financial resources of a government to create and deploy.

• It is not yet known where Stuxnet was made and released, how it works entirely, and who actually funded it.

Page 20: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Stuxnet Continued

• Stuxnet was initially spread using infected removable drives such as USB flash drives, and then uses peer-to-peer RPC to infect other computers that are not directly connected to the Internet.

• RPC (Remote Procedure Call) is communication between computers on a network. It causes the procedure from one computer to activate in another computer.

Page 21: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Stuxnet Continued

• Once Stuxnet gains power over the control programs, it forces motors first to spin at 2 Hz and then at 1064 Hz, and thus damages the connected motors.

Model of the Bushehr Nuclear Power Plant, one of the infected sites.

Page 22: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Stuxnet Continued

• Like Conficker, Stuxnet’s creators updated the virus to adapt to anti-virus counter-measures.

• Two websites in Denmark and Malaysia were configured as command servers for Stuxnet, allowing it to be updated. Both websites have been taken down to disable the malware.

Page 23: HISTORY OF CYBERNETIC WARFARE: Viruses and Worms

Conclusion

• In our technology-dependent society, the computer is the master: it controls our entertainment, our power plants, our military and much more. However, because of the dependency on the computer and other technologies, the virus or the worm can easily do millions or even billions of dollars in damage.