Malicious Code: History

Malicious Code: History Dr. Richard Ford


Transcript of Malicious Code: History

Page 1: Malicious Code: History

Malicious Code: History
Dr. Richard Ford

Page 2: Malicious Code: History

What We’re Going to Talk About
- Where viruses have been…
- How it all began
- Milestones in virus and antivirus history
- The Technology Race Between Black Hats and White Hats
- Where Things Are Today

Page 3: Malicious Code: History

Way Back in the ’50s
- Bell Labs… Core Wars
- Two computer programs would “battle it out” in the “core” of a computer. The victor would be the last man standing.
- Mainstreamed in May 1984 in Scientific American

Page 4: Malicious Code: History

First Things…
- Where it all began: Elk Cloner
  “It will get on all your disks / It will infiltrate your chips / Yes it's Cloner! / It will stick to you like glue / It will modify ram too / Send in the Cloner!”
- Virus folklore tells us that this virus was actually an experiment gone wrong… readers beware
- Attacked the Apple II

Page 5: Malicious Code: History

Fred Cohen: Theory
- Fred’s work is really famous… You can read some of his papers at http://www.all.net/resume/papers.html
- Cohen postulated that one could construct a computer program that could “infect” other programs with a “possibly evolved” version of itself.

Page 6: Malicious Code: History

Cohen: Example

The following pseudo-program shows how a virus might be written in a pseudo-computer language. The ":=" symbol is used for definition, the ":" symbol labels a statement, the ";" separates statements, the "=" symbol is used for assignment or comparison, the "~" symbol stands for not, the "{" and "}" symbols group sequences of statements together, and the "..." symbol is used to indicate that an irrelevant portion of code has been left implicit.

    program virus:=
    {1234567;
    subroutine infect-executable:=
        {loop:file = get-random-executable-file;
        if first-line-of-file = 1234567 then goto loop;
        prepend virus to file;
        }
    subroutine do-damage:=
        {whatever damage is to be done}
    subroutine trigger-pulled:=
        {return true if some condition holds}
    main-program:=
        {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}
    next:}

Page 7: Malicious Code: History

Milemarker 1: Brain
- First virus that anyone really noticed
- Basit and Amjad Farooq Alvi, of Lahore, Pakistan
- Simple Boot Infector – harkens back to the days of boot from floppy

Page 8: Malicious Code: History

Lehigh Virus
- Appeared in 1987
- Introduced some important techniques:
  - Infected COMMAND.COM
  - Went resident in memory
  - Infected any disks that were accessed from the infected machine
- Had an unpleasant trigger: trashed the FAT after four infections

Page 9: Malicious Code: History

Jerusalem
- Appeared in 1988, reported by Yisrael Radai
- Memory-resident COM/EXE infector
- Contained a bug: infected itself over and over again…
- Spawned MANY virus variants
- What’s a virus variant?
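Lehigh changed COMMAND.COM and Jerusalem's faulty already-infected check made it append itself to the same file on every pass, so infected files kept growing. Both tells are caught by the integrity-checking approach of that era: record size and hash of every file, then compare. The Python below is an added example written for these notes, not code from the slides; the file names and contents in demo() are constructed, and the two-step "infection" is a plain append of 100 bytes, not any real virus body.

```python
import hashlib
import os
import tempfile

# Added example (not from the slides): a minimal file integrity checker of the
# kind used against early file infectors. Lehigh modified COMMAND.COM; Jerusalem
# failed its self-recognition check and kept appending itself, so infected
# files grew on every pass. Names and contents below are constructed.

def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record size and hash of every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return baseline

def check_against(baseline, root):
    """Compare the tree under root with the baseline; return findings by category."""
    current = build_baseline(root)
    findings = {"modified": [], "grown": [], "added": [], "missing": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings["missing"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            findings["modified"].append(rel)
            if new["size"] > old["size"]:
                # Growth of an executable that should never change is the
                # classic tell-tale of an appending or prepending infector.
                findings["grown"].append((rel, new["size"] - old["size"]))
    for rel in current:
        if rel not in baseline:
            findings["added"].append(rel)
    return findings

def demo():
    """Constructed scenario: baseline a fake DOS system, then 'infect' it twice."""
    with tempfile.TemporaryDirectory() as root:
        cmd = os.path.join(root, "COMMAND.COM")
        with open(cmd, "wb") as f:
            f.write(b"constructed stand-in for a command interpreter\n")
        with open(os.path.join(root, "README.TXT"), "wb") as f:
            f.write(b"some data file\n")
        baseline = build_baseline(root)

        # Simulate an appending infector that misses its already-infected check
        # and therefore attaches a fixed-size body twice (Jerusalem's bug).
        body = b"X" * 100
        for _ in range(2):
            with open(cmd, "ab") as f:
                f.write(body)
        with open(os.path.join(root, "NEW.EXE"), "wb") as f:
            f.write(b"dropped file\n")
        return check_against(baseline, root)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored where the infector cannot rewrite it (read-only media, another host), otherwise a resident virus that hooks file reads can present the original bytes to the checker, which is exactly the stealth trick the Tequila slide later refers to.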

Page 10: Malicious Code: History

Christma.EXEC
- 1987…
- Written in REXX, a scripting language by IBM
- Sent in SOURCE form by email
- Required a user to run it
- When it ran, sent itself to all your contacts
- It was an early, human-driven WORM

Page 11: Malicious Code: History

The Morris Worm
- 1988
- See: ftp://coast.cs.purdue.edu/pub/doc/morris_worm/ for all the details you could ever need and more
- Used multiple vulnerabilities:
  - Sendmail bug
  - Fingerd bug
  - Via .rhosts files
  - Via password cracking
- Infected a *lot* of hosts for the then fledgling Internet

Page 12: Malicious Code: History

AIDS Trojan: The Law Catches Up
- Trojan Disk sent out widely in 1992
- Encrypted data on the fixed disk after a certain number of boots
- License verbiage: "In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement."
- See: http://www.virusbtn.com/magazine/archives/pdf/1992/199201.PDF

Page 13: Malicious Code: History

The Bulgarian Virus Factory
- More of an Icon than a reality
- But, for a time, the most complex viruses did come from Bulgaria
- Many the work of one person, the mysterious “Dark Avenger”
- Dark Avenger ultimately wrote a “fast infecting” virus and the infamous Mutation Engine (aka MtE or DAME)

Page 14: Malicious Code: History

Tequila
- Welcome to Terry Tequila’s latest venture
- 1991
- First fully polymorphic, full stealth virus

Page 15: Malicious Code: History

Michelangelo
- March 6th, 1992
- Serious enough that there was actually a CERT Advisory: http://www.cert.org/advisories/CA-1992-02.html
- A Boot Sector Virus with a payload
- Quotes: “hundreds of thousands of computers” – John McAfee, also labeled with the number “five million”; “One out of four computers” – Reuters
- In fact, total damage was low… very low: 10 to 20 thousand
- For an interesting take on epidemiology, read: http://www.research.ibm.com/antivirus/SciPapers/Kephart/PREV/prevalence.gopher.html

Page 16: Malicious Code: History

MtE
- Also in 1992
- A linkable object, never distributed in source form
- Caused massive variation in code structure of a computer virus
- Caused a complete redesign of several antivirus products, and was the end of simple “signature scanning”
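Cohen's pseudo-program recognises already-infected files by the constant 1234567 at the top of the file; that same constant is exactly the kind of fixed byte pattern a first-generation "signature scanner" searched for, and MtE's per-copy encryption is what made such scanning fail. The Python below is an added example written for these notes, not code from the slides or from any real engine: the samples are constructed and harmless (plain ASCII text), the two-byte "decryptor stub" format and the single-byte XOR are assumptions standing in for a real mutation engine, and the point shown is why scanners had to learn to undo the decryptor before matching.

```python
# Added example (not from the slides): why fixed-byte signatures stopped
# working once per-copy encryption arrived. All samples are constructed
# ASCII text; the stub format below is an assumption made for this demo.

# The marker Cohen's pseudo-program uses to recognise infected files is also
# the kind of fixed byte pattern a first-generation scanner searched for.
SIGNATURE = b"1234567"

# One plain body carrying the marker. Constructed sample, not real code.
PLAIN_BODY = b"constructed sample body: header " + SIGNATURE + b" ; code ; data"

# Assumed toy decryptor stub: one magic byte, one key byte, then the XOR'd body.
STUB_MAGIC = b"\xEB"

def make_encrypted_copy(body, key):
    """Constructed stand-in for a mutation engine: same body, new key per copy."""
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)

def scan_signature(data, signature=SIGNATURE):
    """Generation 1: byte-for-byte search. Works only on unencrypted bodies."""
    return signature in data

def scan_with_decryptor_emulation(data, signature=SIGNATURE):
    """Generation 2: recognise the stub, undo its transform, then search."""
    if scan_signature(data, signature):
        return True
    if len(data) >= 2 and data[:1] == STUB_MAGIC:
        key = data[1]
        return signature in bytes(b ^ key for b in data[2:])
    return False

def lift_signature(sample, offset, length=7):
    """What an analyst extracting a signature from one captured copy would get."""
    return sample[offset:offset + length]

def cross_match(samples, lifted):
    """How many of the given samples a signature lifted from one copy matches."""
    return sum(1 for s in samples if lifted in s)

def survey(keys):
    """(plain-scan hits, emulation hits, cross-matches) over constructed copies."""
    copies = [make_encrypted_copy(PLAIN_BODY, k) for k in keys]
    plain_hits = sum(scan_signature(c) for c in copies)
    emu_hits = sum(scan_with_decryptor_emulation(c) for c in copies)
    # The marker sits at a fixed offset in every copy, but its bytes differ
    # per key, so a signature lifted from copy 0 matches none of the others.
    marker_offset = 2 + PLAIN_BODY.index(SIGNATURE)
    lifted = lift_signature(copies[0], marker_offset)
    return plain_hits, emu_hits, cross_match(copies[1:], lifted)

if __name__ == "__main__":
    print(survey([0x5A, 0x13, 0xC7, 0x81]))  # expected (0, 4, 0)
```

Real engines varied the decryptor itself (register choice, instruction order, junk instructions), so the stub could not be matched by a two-byte check either; that is what pushed products toward generic decryption in an emulator and toward the heuristic and integrity-based approaches rather than a bigger signature list.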

Page 17: Malicious Code: History

The Virus Creation Lab
- Menu-driven virus creation for the masses!
- Primarily simple COM infectors
- Capable of basic encryption
- The first of many…

Page 18: Malicious Code: History

The Black Baron
- Pathogen and Queeg
- SMEG, the “Simulated Metamorphic Encryption Generator”
- See: http://www.soci.niu.edu/~crypt/other/pyle.htm for the full story
- Also, see http://www.computer-investigations.com/chist/chist01.html for an account of the investigation from an old friend, Jim Bates
- Convicted under the UK’s Computer Misuse Act

Page 19: Malicious Code: History

Concept
- Appeared around 1996
- First “data” infecting virus? Well, not really…
- Written in Word Macros
- Forced large-scale changes in the antivirus industry
- Interestingly, everyone infected by Concept saw one of these:

Page 20: Malicious Code: History

Laroux
- Hot on the heels of Concept
- Auto_open and Check_files
- Simple example of what could be done
- Infected PERSONAL.XLS, which is loaded whenever Excel is run

Page 21: Malicious Code: History

Laroux: Illustration

Page 22: Malicious Code: History

Strange Brew
- 1998
- A virus that was written in Java that infects Java class files
- Primarily a proof of concept
- See: http://www.sophos.com/virusinfo/articles/java.html for a useful FAQ
- What about the Sandbox?

Page 23: Malicious Code: History

Melissa
- 1999 (see CERT advisory CA-1999-04)
- A virus that propagated via Email attachments
- Used MAPI to spread
- Incredibly effective technique
- Poor David Smith! See: http://news.bbc.co.uk/1/hi/world/americas/1963371.stm

Page 24: Malicious Code: History

DDoS
- DDoS = Distributed Denial of Service
- Simple process:
  - Pwn a large number of machines
  - Install a remote control “bot” on them
  - Command them to attack a particular site
- Why is this so dangerous?

Page 25: Malicious Code: History

CodeRed

- CERT advisory CA-2001-19
- Common buffer overrun in IIS
- Spread like WILDFIRE
- Question: Why?

Page 26: Malicious Code: History

SQL.Slammer

- Launched in January 2003
- Utilized a buffer overrun in Microsoft’s popular SQL Server
- Spread from machine to machine with a peak population doubling rate of 8.5 seconds
- Infected 90% of all machines it would ever infect in 10 minutes
- Actually impacted BGP Route Stability on the Internet!
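The doubling time quoted above is enough to model why a Slammer-class worm outruns any human response. The Python below is an added example for these notes, not from the slides or from any published Slammer analysis: it solves the logistic (susceptible/infected) growth model for a scan-based worm using the 8.5-second peak doubling time, and takes the vulnerable-population size as an assumed parameter, since the slides do not give one. The model holds the peak doubling rate constant, so it reaches 90% faster than the observed 10 minutes; the real worm slowed as it saturated the links it was scanning over, which is what the BGP instability bullet reflects.

```python
import math

# Added example (not from the slides): logistic growth of a scan-based worm,
# parameterised by the 8.5 s peak doubling time quoted for SQL.Slammer.
# The vulnerable-population sizes passed to summarize() are assumptions.

DOUBLING_SECONDS = 8.5

def growth_rate(doubling_seconds=DOUBLING_SECONDS):
    """Per-second exponential rate implied by the early-phase doubling time."""
    return math.log(2.0) / doubling_seconds

def infected_fraction(t, r, i0):
    """Closed-form solution of di/dt = r*i*(1-i) with i(0) = i0."""
    return 1.0 / (1.0 + ((1.0 - i0) / i0) * math.exp(-r * t))

def time_to_fraction(target, r, i0):
    """Seconds until the infected fraction first reaches target (0 < target < 1)."""
    return math.log(((1.0 - i0) / i0) * (target / (1.0 - target))) / r

def doublings_available(window_seconds, doubling_seconds=DOUBLING_SECONDS):
    """How many doublings fit in a response window; 2**this dwarfs any host count,
    so the limiting factor is the vulnerable population, not time."""
    return window_seconds / doubling_seconds

def summarize(population, doubling_seconds=DOUBLING_SECONDS):
    """Seconds to reach 50% and 90% of an assumed vulnerable population,
    starting from a single infected host."""
    r = growth_rate(doubling_seconds)
    i0 = 1.0 / population
    return {
        "t50": time_to_fraction(0.5, r, i0),
        "t90": time_to_fraction(0.9, r, i0),
        "doublings_in_10_min": doublings_available(600.0, doubling_seconds),
    }

if __name__ == "__main__":
    for pop in (10_000, 75_000, 1_000_000):  # assumed population sizes
        s = summarize(pop)
        print(f"population {pop:>9,}: 50% at {s['t50']:6.1f} s, "
              f"90% at {s['t90']:6.1f} s, "
              f"{s['doublings_in_10_min']:.1f} doublings fit in 10 min")
```

The practical reading: going from 10,000 to 1,000,000 vulnerable hosts adds only a few dozen seconds to the 90% mark, because each extra factor of ten costs one fixed amount of time at a constant doubling rate. Patching after the first alert cannot work at this speed; only hosts patched or filtered before release are outside the curve.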

Page 27: Malicious Code: History

The Rise and Rise of Spyware
- Windows makes it quite easy to write Spyware
- Spyware can take over a machine and make it “unrecoverable” in many senses, without a reinstall
- As Spyware becomes more “commercial” (in some senses of the word) it becomes a harder problem to fight
- Blurred lines between legal and illegal
- Context sensitivity and EULAs

Page 28: Malicious Code: History

Blue Pill
- The “undetectable” rootkit
- Server virtualization used for gain?
- How much of this is a real threat?

Page 29: Malicious Code: History

Sony “rootkit” brouhaha
- Sony adds a “rootkit” to CDs in an attempt to manage its digital rights…
- More complicated than it sounds, but interesting story

Page 30: Malicious Code: History

2007: Cybercrime rates rise
- For the first time, the UK cybercrime rate rises to meet the “real world” crime rate

Page 31: Malicious Code: History

2007: Zero-Day Attacks
- Are everywhere: PDF, Realplayer, IE, …

Page 32: Malicious Code: History

DLP Becomes Big Business
- 2007: Symantec acquires Vontu
- Companies begin to focus on protecting data at rest and while in transit

Page 33: Malicious Code: History

Viruses in Space: August 08
- Autorun Worm found on the International Space Station
- Password-stealing, but not mission critical

Page 34: Malicious Code: History

The Future?
- More viruses
- More Worms
- More Trojans
- More software that Blurs the Lines