Cosc 4765
Viruses and Worms
Categories
• Viruses and worms
– This lecture focuses on these two.
• Trojans
– Used for remote access of systems
– Non replicating
– Disguised or concealed program
– Sometimes disguised as useful software
• Logic Bombs
– Timed devices
– Designed to cause maximum damage possible
– Very difficult to spot until they execute
Some History
• The early “viruses” were not viruses. They were
code that accidentally did something it wasn’t
supposed to
– It broke the bounds of its memory locations to access
another program’s
– Or ended up running code from another program.
• Tracing the patterns of the code through
memory looked like the design of holes in
“worm-eaten” wood.
– Which is where the term worm came from.
Some History (2)
• The best way to understand viruses and
worms is to follow their evolution.
• We’ll look at the on-going war between
virus writers and Anti-Virus companies.
– The changes the AV software had to make in
order to detect/remove new viruses and
worms.
Description of a Worm
• First we’ll look at worms, then viruses
• Worm(s)
– Worm Program is designed to copy itself from
1 PC to another – via e-mail, TCP/IP
– Goal is to infect as many machines as
possible
• not interested in multiple copies on the same
machine
– Relies less (or not at all) on human
intervention to propagate
First Worm?
• The first “worm” is generally considered to
be the Xerox worm.
– It was an accident.
– In the early 1980’s, Xerox researchers created
worms to perform useful tasks on computers
connected to their network.
• It got out of control due to a bug in the program,
which crashed computers.
MORRIS/INTERNET WORM (1988)
• The Morris Worm’s (sometimes called the Internet worm)
function was simply to spread itself to as many
computers as possible.
– The worm infection began on a VAX 8600 at the University of
Utah; from there it spread, causing an incredible strain on
processor load. A bug in the worm caused it to
overload networks; it was not supposed to.
• The worm then spread to over 6,000 machines in the
United States; the worm caused no physical damage to
the machines affected by it.
• The worm exposed some serious security holes in UNIX
environments, which could have gone undetected had
the worm not used them to propagate.
The Internet Worm Details
• Program “worm” consisted of 2 parts
– l1.c: the target downloaded this and compiled it; l1.c then
downloaded worm.c, compiled it and ran it. worm.c looked
for other machines on the network to repeat the
process: the worm sent l1.c, then …
– l1.c also tried to break passwords. This was CPU
intensive and could not be stopped. If the machine was
shut off, it would get the worm again from some place
on the network as soon as it rebooted.
The Internet Worm Details (2)
How the worm broke in
Used 1 of 3 methods to break into a
machine
1. rsh (remote shell) - lets you run commands on
another machine without logging into it
separately.
– This is a feature, not a bug, in UNIX. If you
found a machine that trusted other machines,
you could “infect” the other machines as well.
How the worm broke in (2)
2. If that didn’t work, then it used a bug in the
“finger” command.
– finger xyz@finger.uwyo.edu returns info about
the user fingered. The bug: the finger daemon did not
check its input for a buffer overflow.
– The worm called finger with a specially handcrafted 536
byte string parameter
– which overflowed the daemon’s buffer and overwrote the
daemon’s stack.
– When a procedure returns, it reads the return address from
the stack to find what to do next
– The procedure therefore returned into the 536 byte
string; the code there started a shell that could be used
by the worm with root privileges.
How the worm broke in (3)
3. If these didn’t work it used
– sendmail
• It has a feature that allowed you to send an e-mail
to a program and run it. bug??
• sendmail’s “features” have been
exploited by worms and hackers for a long
time.
Curing the Internet Worm
• Cure: run a dummy worm
– when the worm arrives it checks to see if a copy is already
running and won’t reinstall -- but 1 in 7 did
anyway (a bug in the worm)
• Real cure
– upgrade the system to remove the bugs and
disallow programs that are vulnerable.
Melissa (1999)
• First mainstream macro hybrid – virus and
worm
– Spread via Word 2000 and 97 document files
– Uses Outlook to send the infected doc to the first fifty entries
in the address book
– Affects the Word environment, so it can potentially affect all docs
on the system
– Sent to many users because of address book entries
like “All at work”, which would go to all people in
the company - plus the other 49 entries in the
book!
ILOVEYOU WORM (2000)
• This is a VBScript worm
with virus qualities.
• This worm will arrive in an
email message with this
format:
• Subject: "ILOVEYOU"
• Message: "kindly check
the attached
LOVELETTER coming
from me."
• Attachment: "LOVELETTER-FORYOU.TXT.vbs"
• Replaced .jpg, .jpeg, .vbs,
.vbe, .js, .jse, .css, .wsh,
.sct and .hta files
• Any .mp3 and .mp2 files
were hidden and a *.mp3.vbs
file containing the virus was created.
• It then sent itself out over
IRC and through Outlook
• Downloaded and ran a
password-cracking program
and mailed the results to the
author.
ILOVEYOU WORM (2)
• The mail server crashed
• The web site was overloaded and failed as
well.
• The author was caught, mostly because
he used his own e-mail address.
• There were at least 50 variants written.
Timofonia (2000)
• Visual Basic script that tries to send
messages to internet-enabled phones.
– Attacked Spanish telephone network
– Later variant attacked the Japanese
emergency phone system.
Code Red (2001)
• Only a threat to W2K with IIS
– Worm crashes on WinNT
• The exploit, a buffer overflow, is used to spread
this worm (Unchecked Buffer in Index Server
ISAPI Extension Could Enable Web Server
Compromise).
• Web pages defaced with
HELLO
Welcome to http://www.worm.com !
Hacked By Chinese
Code Red (2)
• Spread via TCP/IP on port 80
– It used the buffer overflow to send itself to the
next computer.
– It looked for c:\notworm; if found, it stopped
seeking other machines to infect
– Randomly generated the IP address of
the next machine to attack.
• Has many variants, Code Red II, Code
Green, Code Blue, just to name a few.
Hello.worm (2001)
• First MSN messenger worm
– Arrives via MSN Messenger as a file called Hello.exe
– If a user clicks on the file, which is actually a Visual
Basic 5 application, the worm creates a shortcut, with
no name or icon, in the Windows Start-up folder. It will
then attempt to send a copy of itself along with the
message "i have a file for u. its real funny", to people
on the contact list of an infected user's machine.
– If MSN Messenger is not installed on the machine in
the expected directory the worm will crash, displaying
the message "Run-time Error '91'. Object variable or
With block variable not set."
Nimda (2002)
• Nimda worm/virus
– Any Win9X/NT/2000/ME computer can be infected.
• Infects many system files and .EXE files. Also adds itself to
the registry, so it is launched when Windows boots.
– Infects via e-mail, network shares and the MS web folder
traversal vulnerability (attacks IIS servers)
– Uses the backdoor created by CodeRed.c
– Specifies a content-type of audio/x-wav for the
content, so Outlook and IE will auto-launch it.
Slammer Worm (2003)
• The Slammer (aka Sapphire) worm takes
advantage of a six-month-old vulnerability in MS
SQL Server 2000 to spread
– a SQL Server Resolution Service buffer overflow flaw.
– not destructive to an infected host (like Code Red it
only exists in memory)
– it generates a damaging level of network traffic when
it scans for additional targets. The worm continuously
sends 367 bytes of exploit and propagation code
across port 1434/UDP until the SQL Server process is
shut down.
– Unlike Nimda these attacks are not directed towards
local sub-nets but spread across the wider Internet.
Slammer Worm (2)
• During peak hours of infection, security firm Symantec
observed more than 22,000 unique systems infected by
the worm.
• Some effects:
– the majority of Bank of America's 13,000 automatic teller
machines "were unable to process customer transactions", the
Washington Post reports.
– Windows XP activation servers were thrown offline
– In Korea (whose Net connections were particularly hard hit by the
worm), shares in the country's two largest ISPs, KT Corp and
Hanaro Telecom Inc, fell sharply while computer security stocks
rose sharply, Reuters reports.
– In Portugal over 300,000 subscribers to cable ISP Netcabo were
without Internet access for more than 12 hours due to the worm
SoBig (2003)
• This worm is written in MSVC and
attempts to spread via network shares and
email. The worm contains its own SMTP
engine.
• The worm enumerates shares on the
network, intending to copy itself to folders
on remote machines.
– Used to send out SPAM as well as its own email/worm code.
Blaster (2004)
• Purpose was to spread as fast as possible
– Also to launch a DDOS against windowsupdate.com
• By exploiting an unpatched hole in Windows, the virus is
able to execute without requiring any action on the part
of the user. The worm also creates a remote access
point, allowing an attacker to run system commands of
their choosing.
• When run, it scans a random IP range to look for
vulnerable systems on TCP port 135. The worm attempts
to exploit the DCOM RPC vulnerability on the found
systems to create a remote shell on TCP port 4444. It
then instructs the system to download the worm to the
%WinDir%\system32 directory and execute it.
Sasser (2004)
• The virus copies itself to the Windows
directory as avserve.exe and creates a
registry run key to load itself at startup
– As the worm scans random IP addresses it
listens on successive TCP ports starting at
1068. It also acts as an FTP server on TCP
port 5554, and creates a remote shell on TCP
port 9996.
– It also rebooted Windows pretty often.
Virus vs Worm Category
• Since about 2003
– Deciding whether a piece of malicious code is
a virus or a worm has gotten pretty fuzzy.
– Generally they get classified by the
degree to which they can transmit themselves on
their own, in other words how much human
intervention is needed.
• AV companies may disagree on whether it’s a
worm or a virus.
What Is A Virus?
• Virus (plural viruses [Some use virii]):
– Computer program designed to spread over
as many files as possible on a single
computer
– Spreads to other computers because of
humans or “Worm” techniques
– Viruses may damage or modify data, cause
the computer to crash, display messages, lie
dormant until “trigger” event etc …
Early Viruses
• The first virus was for the Apple II in 1981 (Texas A&M).
• Called “Elk Cloner”, it contained this rhyme
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!
– For more info on Elk Cloner see http://www.skrenta.com/cloner/
• There are historical notes about an “ARPAnet Virus” that
crashed the ARPAnet in October of 1980 through a
self-propagating status message.
– Details on the ARPAnet virus are sparse; it may have sent out
router discovery messages that flooded the network.
• Sounds more like a Worm
History of Viruses
• Early virus history is difficult to reconstruct
• There are 4 viruses that are basically dated to 1987
– These 4 viruses were used as base code for many later
viruses.
• Stoned/Stoner virus, first reported Feb 2, 1988
– Thought to have been created at the University of Wellington, New
Zealand.
• Had a 1 in 8 chance of displaying 1 of the following messages
– “Your PC is now stoned! LEGALIZE MARIJUANA!”
– “Your PC is now Stoned!”
– “Your computer is now stoned.”
– New Stoned viruses are still being produced today.
– There are at least 90 variants, which do different things.
Asher and Brain
• Asher and Brain virus family
– May have started in 1986 based on a
copyright date, but most infections were found
later, in 1988 and 1989
– First to use “stealth” techniques to hide itself.
• Would actually show the real boot record when
asked to display the boot record. Marked blocks
as bad so they would not get overwritten.
– Many believe Asher was the first MS-DOS
virus.
Cascade Virus
• Cascade Virus (1987 and 1988)
– Thought to have been written in Germany
• Used encryption, so it was harder to repair any
infected files.
– It introduced the ability to cause changes in
the screen.
• All the letters on the screen dropped to bottom.
– This virus made IBM take viruses seriously,
since so many IBM computers became
infected.
Jerusalem virus (1987)
– Originated in Israel, as part of
experimentation. There were actually 4
viruses: survi-1, survi-2, survi-3 and survi-4
• Survi-4 became known as the Jerusalem virus after
it accidentally got loose.
– It has the ability to infect any .exe, .com, .sys,
.pif, and .ovl files.
• Except for command.com
• It would reinfect the same files over and over
again, because of a bug in the code.
Den Zuk (1988)
• Creator claimed it was an anti-virus
– It detected and removed Brain infections
– Also immunized against it.
– A letter from the author was published in Feb 1991
in Virus Bulletin.
DATACRIME/ COLUMBUS DAY
VIRUS (1989)
• Datacrime was a virus that would launch its payload on
or after Oct. 13 of the year
– It would format the first nine tracks of a hard disk and display the
message "DATACRIME VIRUS RELEASED: 1 MARCH 1989"
– By deleting those tracks the hard drive became unreadable, as the
drive could no longer tell how to get to the data on it.
– In the US it was called the Columbus Day virus
– Thought to be written by Norwegian terrorists.
• The big Datacrime attack was apparently at the
Royal National Institute for the Blind, which claimed that
Datacrime had wiped out their most important data. It turned
out to be a minor outbreak of the Jerusalem
virus.
DATACRIME/ COLUMBUS DAY
VIRUS (1989) (2)
• This virus was probably one of the first, if not the
very first virus to cause hysteria back in 1989.
• The virus became a huge deal due to the
media and wannabe-experts making false claims
about the virus; in the end VERY few computers
were ever touched by Datacrime.
– There were only 6 confirmed incidents
of the virus infecting computers, according to McAfee.
Some viruses of 1989
• While Datacrime was a bust
• Dark Avenger and Frodo Lives
– Dark Avenger actually did some damage
• Wrote garbage to sectors of the drive
– Overwriting some files
• It was also a fast infector
– It infected programs as they were opened.
– Before that, programs had to already be running.
– Frodo Lives
• Not much infection, because it tended to hang the system
• It was the first of the real stealth viruses.
Antivirus in 1989
• Most antivirus researchers got their start
in this time period
• The big antivirus companies had
their beginnings at this point as well.
1990 and new viruses
• Stealth is a mechanism by which a virus
hides its size increase and/or its own code.
• Polymorphism involves encrypted viruses
where the decryption routine code is
variable
• Armoring is used to prevent anti-virus
researchers from disassembling a virus
• Multipartite is a virus that can infect both
programs and boot sectors.
VIENNA VIRUS (1990)
• The Vienna virus became the first known polymorphic
virus, which caused a problem for anti-virus creators.
– This virus required AV companies to write an algorithm that
would apply logical tests to the file and decide whether the bytes
it was looking at were one of the possible decryptors.
• The Vienna virus' polymorphic technology caused quite a
few AV products to generate false positives due to poor
coding.
• What did the Vienna virus actually do to a computer?
– The virus infected .COM files every time they were run,
– and 1/8th of the time it inserted a jump to the BIOS routine that
reboots the machine.
– Essentially the virus randomly rebooted the computer and
corrupted files.
THE WHALE VIRUS (1990)
• Whale was an EXTREMELY complex
polymorphic virus that took literally weeks for AV
vendors to decode.
• While the virus isn't particularly harmful or
effective, it proved to be one of the toughest
decode jobs for antivirus vendors.
• Whale could also change to many different
sizes, making it even more complex.
• The biggest side effect was that Whale would crash
a computer if it was run
VxBBS
• Not a virus
• It was people wanting to get viruses, but
they had to upload a virus in order to download
one on BBS systems.
– So many people started altering ones they
had or simply uploading fake viruses
– These collections were in turn purchased by
AV companies for test sets
AV in 1990
• By December dozens of AV companies
had been created
– Some provided free anti-virus, while others
charged for the software
– It was all scanners; no “real-time” AV had
been created yet.
1991
• The year of VCS and VCL
– VCS is Virus Construction Set.
– VCL is Virus Construction Lab.
– Now users could build their own from the base
code of many other viruses.
– If you look on AV sites there are thousands of
VCS and VCL viruses.
TEQUILA VIRUS (1991)
• A polymorphic, stealth, and multipartite virus
– Also had an anti-anti-virus (retrovirus) component.
• Originated from Switzerland. Tequila had the ability to
change its form in an attempt to avoid detection.
• The virus is relatively harmless to data but will display
messages such as:
– "Execute: mov ax, FE03 / INT 21. Key to go on!"
• If the user follows the directions they will get this
message:
– "Welcome to T.TEQUILA's latest production.
– Contact T.TEQUILA/P.O.BOX 543/6312 St'hausen/Switzerland.
– Loving thoughts to L.I.N.D.A
– BEER and TEQUILA forever !"
THE MICHELANGELO VIRUS (1992)
• The Michelangelo virus was originally discovered in 1991; this virus
would delete the data on a user's hard drive. The payload would
trigger each year on March 6th.
• Michelangelo gained fame when a major computer manufacturer
claimed to have shipped over 500 computers carrying the
Michelangelo virus.
– Then the press added more fuel to the fire by claiming that hundreds of
thousands of computers around the world MIGHT be infected.
– Another major software company jumped on the bandwagon and claimed
they distributed 900 floppies containing the nifty virus.
– Another reporter then claimed millions of personal computers around the
world were infected.
• Finally the day came; the "millions" estimate ended up being in the
thousands...10 to 20 thousand to be exact. While still quite a few
people did get the virus, the claims of millions were WAY off.
• Michelangelo also turns out to be a Stoned variant.
Return of Dark Avenger (1992)
• Not a virus
– It’s a mutation engine for viruses
– Took AV days to figure it out, and then they
had “101%” detection rates
• i.e. lots of false positives. Much AV software had to
be rewritten.
• Also released Commander Bomber virus
AV in 1992
• AV companies began to merge
– They could all smell the money.
– The publicity from Michelangelo alone sent AV
sales through the roof.
– Virus writers had already taken note of AV
companies and began to try to disable virus
scanning.
• Many AV companies simply disappeared
– They were unable to handle the new
polymorphic viruses.
Satan Bug virus (1993)
• Nothing special about the virus.
– Actually, it was a pretty bad virus.
• Appeared in Washington DC.
• Its author was just the first virus writer to actually
go to jail.
• In 1994 another virus writer went to jail in
England for a virus called Pathogen
MS-DOS 6 with AV (1993)
• MS released MS-DOS 6 with Central Point
Anti-Virus (CPAV)
– Used the name Microsoft Anti-Virus (MSAV)
• Updates were hard to come by.
• A virus appeared in Germany named
Tremor had code to disable the resident
portion of MSAV
– Was a very common virus in Europe for years
afterward.
BOZA VIRUS (1995)
• First Windows 95 virus.
• The virus is a slow infector but is
fast enough to go undetected by
the user.
• The virus also carries a bug in
which it can increase the infected
file size by several megabytes,
which could potentially eat a lot
of disk space.
• The Boza virus resembles the
simplicity of 1980s viruses; it is
not very complex. Had it not been the first
Windows 95 virus it would never
have achieved any fame.
• The virus also displays a Windows
political message:
WINDOW TITLE: Bizatch by Quantum
/VLAD
TEXT: "The taste of fame just got tastier!
VLAD Australia does it again with
the world's first Win95 Virus
From the old school to the new...
Metabolis
Qark
Darkman
Automag
Antigen
RhinceWind
Quantum
Absolute Overload
CoKe
[ OK ]
"
Concept Virus (1995)
• First of the macro viruses. By 1996 it was
thought to be the MOST common virus of all
time
– Mostly because AV companies could not find it.
Again another huge rewrite had to be done.
– It worked only on MS Word documents.
– Eventually macro viruses could infect any MS Office
documents
• Not much publicity until later in 1996 when the
AV companies could detect them.
THE HARE VIRUS (1996)
• The real, but overblown virus of 1996. While the virus does
have a destructive payload and it can potentially bring down
a computer, the infection rate described at the time
was insane. The virus was claimed to infect millions of
computers around the world, and due to the claim that
current AV products couldn't detect it, there were people who
didn't even know they were infected.
• Many people added to the hysteria of Hare by claiming their
computer was infected by the Hare virus when certain common
Windows problems occurred.
• So what did the Hare virus actually do?
– The payload loads on August 22nd and September 22nd; ONLY on
these two dates will the virus overwrite the data on your hard drives.
– The message commonly displayed by this virus is "HDEuthanasia"
by demon emperor: Hare Krsna, hare, hare...
THE CHERNOBYL VIRUS (1998)
• Introduces a new concept of infection. It infects 95/98/ME/NT
programs; however, due to NT's nature the virus cannot function
correctly. Therefore 95/98/ME is really the only platform affected.
• The unique infection method is what is worth mentioning: the virus is
able to find unused spaces in a file, split the viral code into smaller
chunks and insert them into these unused spaces. This makes it so that
the file size does not change.
• Another unique feature is CIH's ability to overwrite the flash BIOS,
which would make the targeted computer unusable unless the
BIOS is completely replaced. The chances of this working are VERY
slim however, as technology has changed since this virus was written
and some variants have bugs that don't allow this code to work.
AV in 1998
• Many big AV companies began releasing
“one-virus” fix programs.
• If you thought you were infected by a
specific virus, then you downloaded a
program to remove it.
– These were generally given away free by the
companies.
HAPPY99 VIRUS (1999)
• This virus was distributed around 1999,
generally as an attachment named Happy99.exe.
– This does not mean it could not come under other names,
however. Happy99.exe is unique as it is sort of a
hybrid of a trojan/virus: running Happy99.exe
appears to show a fireworks show, yet it does more
than meets the eye.
– Happy99.exe drops SKA.EXE and modifies
WSOCK32.DLL
– Happy99 gets a list of message recipients and
begins to send itself out through your e-mail, even
though you will not notice it.
• Also attached itself to all outbound messages the user sent.
Viruses of note (1)
• Bubbleboy (1999)
– First worm that could activate when an e-mail was
viewed in Outlook or previewed in Outlook
Express
– Kakworm spread widely using this technique
• W32/Hlam@MM (2001)
– Sends two mails – the first warns that they are
sending you an attachment, so it’s okay
Viruses of note (2)
• LFM-926 (2002)
– First virus to infect Shockwave Flash (.SWF)
files.
• Donut (2002)
– First worm directed at .NET Services
• Sharp-A (2002)
– Written in C#, directed at .NET, and written by
a woman
Viruses of note (3)
• Perrun Virus (2002)
– Proof-of-concept that viruses could be spread
through JPEG
• SQLSpider (2002)
– Worm/virus written in Javascript that attacked
MS SQL Servers (and programs that used MS
SQL tech, such as MSoffice!)
About 2002
• Some AV companies begin producing on-line
scanners from their web sites.
• In the beginning they weren’t very good, but they
could find many viruses and attempt to remove
them.
– It was also an advertisement for the companies
themselves.
• Virus writers followed suit, with e-mails that said
they would remove X virus(es), but instead
infected the computer.
2002-2004
• Most viruses of any real threat are actually
some kind of worm variant, like SoBig,
Slammer, and Blaster.
• All of these outpaced AV companies by
12 hours, causing havoc.
• A new category came about
– The E-mail worm
– Netsky, Bagle, and MyDoom
Netsky (2004)
• Internet worm and e-mail worm
– Attempts to deactivate MyDoom
– Arrives via e-mail, copies itself under varying file names
(winlogon.exe is popular).
• Into shares and P2P share folders as well.
– Sends itself out to all e-mail addresses found on the
computer via its own SMTP engine.
– Attempts to turn off AV software and other security
software
– Some 20+ variants have been written since Feb 2004
Bagle (2004)
• E-mail virus and worm sent out via e-mail in
(COM, EXE, and/or SCR)
– Copies itself all over the computer, into shares (file
and P2P)
– Opens back doors that enable other people to take
over the machine
– Attempts to disable any NetSky versions it finds.
– Attempts to turn off AV software and other security
software
– Some 20 variants of Bagle have been written since
Feb 2004
MyDoom (2004)
• E-mail virus and worm
– Mass-mailing worm; harvested e-mails from the
infected PCs, as well as through search engines, via its
own SMTP engine.
• Search.lycos.com, search.yahoo.com, AltaVista, and Google.
– Opens a back door (Zincite-A) on port 1034/TCP
• Allows attackers remote, unauthorized access to the
machine.
– Other variants (some 30 at this point) have
• Deleted/corrupted digital entertainment files and MS documents,
launched DDOS at varying places (MS, RIAA, to name a few)
– Attempts to turn off AV software and other security
software
Netsky/Bagle/MyDoom
• Many believe the three (?) virus writers
know each other.
– There was a war/contest going on.
• More likely for profit: being able to sell the infected
computers to someone else for use.
– They try to disable each other.
– Some variants have had slurs about the other
virus writers.
Santy (2004)
• The first known "webworm" is launched.
• It exploited a vulnerability in phpBB and used
Google in order to find new targets. It
infected around 40,000 sites before Google
filtered the search query used by the worm,
preventing it from spreading.
More Worms
• Zafi e-mail worm/virus (2004, new variants in
2005 & 2006)
– Harvests, and e-mails via its own SMTP server
– Attempts to turn off AV software and other security
software
– Variants have DDOSed the Hungarian Prime Minister's
website and Google’s website.
• Sober (2003 - 2005)
– E-mail virus/worm, with its own SMTP
– Claims to remove MyDoom
– Uses English and German
• Many German speakers have been infected, because most
viruses have been in English, so they don’t believe it’s a virus.
More (2)
• Mytob (2005 and 2006)
– More of a worm than a virus.
– A mass-mailing worm and backdoor Trojan that
can be controlled through the Internet Relay
Chat (IRC) network.
• Harvests e-mail addresses from files on the infected
computer and from the Windows address book.
– Turns off anti-virus applications
– Allows others to access the computer
– Modifies data on the computer
OSX/Leap-A or OSX/Oompa-A
• February 16, 2006
• discovery of the first-ever malware for Mac
OS X, a low-threat trojan-horse known as
OSX/Leap-A or OSX/Oompa-A, is
announced.
BadBunny (2007)
• Sophos discovered an OpenOffice multiplatform macro worm capable of running
on Windows, Linux and Mac computers.
• It dropped Ruby script viruses on Mac OS X
systems, and displayed an indecent JPEG
image of a man wearing a rabbit costume.
The Storm
• Storm, Dref, Peacomm Worm (Jan 2007)
– More of a “spam virus” than a worm.
– Spreads via e-mail and infected files only.
– Once it infects a machine, it sends itself out to
addresses found on the computer.
• Also drops more malware on the computer.
– Estimated to have infected 1.7 million
machines by June 30 and at most 10 million
by September.
– Thought to have originated from Russia
2008
• Bohmini.A is a configurable remote
access tool or Trojan that exploits security
flaws in Adobe Flash 9.0.115 with Internet
Explorer 7.0 and Firefox 2.0 under
Windows XP SP2
• The Koobface computer worm targets
users of Facebook and MySpace. New
variants constantly appear
USB and Autoplay
• Viruses/worms return to old methods
• Infect any network shares and USB
devices
• The Autoplay function allows them to infect
devices when they are inserted, and to launch at
the time they are inserted into a machine.
• Not just USB drives, but think iPods, cameras,
phones, Kindles, and anything with storage space.
• Stuxnet used a zero-day attack on Autoplay,
even when it is turned off.
Conficker (2008-)
• Computer worm Conficker infects anywhere from 9 to 15
million Microsoft systems running everything from Windows
2000 to the Windows 7 Beta.
• Microsoft sets a bounty of $250,000 USD for information
leading to the capture of the worm's author(s).
• Five main variants of the Conficker worm are known and
have been dubbed Conficker A, B, C, D and E.
– They were discovered 21 November 2008, 29 December 2008,
20 February 2009, 4 March 2009 and 7 April 2009, respectively.
• The French Navy, UK Ministry of Defence (including Royal
Navy warships and submarines), Sheffield Hospital network,
German Bundeswehr and Norwegian Police were all affected.
• On December 16, 2008, Microsoft releases KB958644
patching the server service vulnerability responsible for the
spread of Conficker.
Conficker (2)
• Armoring
– To prevent payloads from being hijacked, variant A
payloads are first SHA1-hashed and RC4-encrypted
with the 512-bit hash as a key. The hash is then
RSA-signed with a 1024-bit private key.
– The payload is unpacked and executed only if its
signature verifies with a public key embedded in the
virus. Variants B and later use MD6 as their hash
function and increase the size of the RSA key to
4096 bits.
– Conficker B adopted MD6 mere months after it was
first published; six weeks after a weakness was
discovered in an early version of the algorithm and a
new version was published, Conficker upgraded to
the new MD6.
Conficker (3)
• Self-defense
– Variant C of the virus resets System Restore
points and disables a number of system services
such as Windows Automatic Update, Windows
Security Center, Windows Defender and
Windows Error Reporting.
– Processes matching a predefined list of antiviral,
diagnostic or system patching tools are watched
for and terminated.
– An in-memory patch is also applied to the
system resolver DLL to block lookups of
hostnames related to antivirus software vendors
and the Windows Update service.
Ikee (2009)
• First iPhone worm
• This was a proof-of-concept worm that
only infects phones that have been
jailbroken and have the default password
on the Secure Shell application.
• And, it only changed the wallpaper on the
phone.
• But, the source code for the beast was
released, so follow-ons with worse
payloads can be expected
Stuxnet (2010)
• Targets specific industrial equipment.
• While it is not the first time that hackers have targeted
industrial systems, it is the first discovered worm that
spies on and reprograms industrial systems, and the
first to include a programmable logic controller (PLC)
rootkit.
• It was specifically written to attack Supervisory
Control And Data Acquisition (SCADA) systems used
to control and monitor industrial processes.
• Stuxnet includes the capability to reprogram the PLCs
and hide its changes.
• It used valid certificates from Realtek and JMicron.
– Both have been revoked by VeriSign.
The AV problem
• The research, carried out at Hewlett-Packard's research
labs in Bristol (late 2002), analyzed the effectiveness of
the signature update approach to virus detection and
elimination against a computer model designed to mimic
viral spread.
– The model showed that the signature update approach is
fundamentally flawed, simply because worms can spread faster
than anti-virus signature updates can be distributed.
• Even if AV vendors produce an antidote to a virus as
soon as it appears, the model breaks down because of
the time it takes to deliver a fix to desktops.
– Within this "window of vulnerability" a worm can take hold, HP
researcher Matthew Williamson concludes.
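The "window of vulnerability" argument above can be made concrete with a toy logistic-spread model. This is an added example, not part of the lecture and not HP's model; the population size, doubling time and delivery delays in it are constructed values, and the 12-hour delay only mirrors the lecture's later remark that SoBig, Slammer and Blaster outpaced AV companies by about 12 hours.

```python
"""Toy "window of vulnerability" model: worm spread vs. signature delivery.

Added example, not the lecture's material and not HP's actual model. A
scanning worm is treated as a logistic epidemic in a population of N
vulnerable hosts, starting from a single infection; the question for a
defender is how much of the population is already infected by the time
a signature or patch lands. All parameter values are constructed.
"""
import math


def infected_hosts(n_hosts: int, doubling_seconds: float, t_seconds: float) -> float:
    """Number of infected hosts at time t for a logistic spread from one host.

    I(t) = N / (1 + (N - 1) * e^(-beta * t)),  beta = ln 2 / doubling_seconds.
    While I << N this is ~2^(t / doubling_seconds): the count doubles every
    doubling_seconds. As vulnerable hosts run out, growth saturates at N.
    """
    if n_hosts < 1 or doubling_seconds <= 0 or t_seconds < 0:
        raise ValueError("need n_hosts >= 1, doubling_seconds > 0, t_seconds >= 0")
    beta = math.log(2) / doubling_seconds
    return n_hosts / (1.0 + (n_hosts - 1) * math.exp(-beta * t_seconds))


def infected_fraction(n_hosts: int, doubling_seconds: float, delay_seconds: float) -> float:
    """Fraction of the population infected when the fix arrives after delay_seconds."""
    return infected_hosts(n_hosts, doubling_seconds, delay_seconds) / n_hosts


def seconds_until_fraction(n_hosts: int, doubling_seconds: float, fraction: float) -> float:
    """Inverse of the logistic: seconds until `fraction` of the hosts are infected.

    Solving f = 1 / (1 + (N - 1) e^(-beta t)) for t gives
        t = ln((N - 1) f / (1 - f)) / beta.
    Returns 0.0 when `fraction` is no more than the single initial
    infection, since that level is already reached at t = 0.
    """
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must lie strictly between 0 and 1")
    if n_hosts < 2 or doubling_seconds <= 0:
        raise ValueError("need n_hosts >= 2, doubling_seconds > 0")
    beta = math.log(2) / doubling_seconds
    ratio = (n_hosts - 1) * fraction / (1.0 - fraction)
    return max(0.0, math.log(ratio) / beta)


def window_report(n_hosts: int, doubling_seconds: float, delays_seconds) -> dict:
    """Map each candidate signature-delivery delay to the infected fraction at that time."""
    return {d: infected_fraction(n_hosts, doubling_seconds, d) for d in delays_seconds}


if __name__ == "__main__":
    # Constructed scenario: 100,000 vulnerable hosts and a worm whose infected
    # count doubles every 10 minutes, compared against three delivery delays.
    N, DOUBLING = 100_000, 10 * 60
    for delay, frac in window_report(N, DOUBLING, [30 * 60, 2 * 3600, 12 * 3600]).items():
        print(f"fix after {delay / 3600:5.1f} h: {frac * 100:8.4f}% of hosts infected")
    # How quickly must a signature (or patch) reach desktops to hold the
    # outbreak to 1% of the population?
    deadline = seconds_until_fraction(N, DOUBLING, 0.01)
    print(f"to cap infection at 1%, the fix must land within {deadline / 60:.1f} min")
```

With these constructed numbers a 30-minute delivery leaves a handful of hosts infected, while a 12-hour delay leaves essentially the whole population infected, which is the shape of the argument the HP model makes.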
The AV problem (2)
• Anti-virus technology is reactive by its very nature
– signatures to detect malicious code are not produced until after a
new strain of virus has appeared.
– It has evolved little over the last few years.
– Some improvements have been made in heuristics and in
pushing updates around in corporate environments but it's hard
to conclude that virus writers do not have the upper hand.
• AV companies have little financial incentive to solve this
problem. Quite the opposite, in fact. The worse things
become the rosier the financial future looks for AV
vendors, at least in the short term.
• A survey by market analysts IDC predicts that anti-virus
software market will grow from $2.2 billion last year
(2003) to $4.4 billion in 2007.
The AV Problem (3)
• The fix, many believe, is a continued layered
approach to security
– i.e., security is a process, not an AV program
– AV will get used on e-mail clients and gateways.
– Better IDS technology may be able to detect the
spread of a new worm
• Mostly because it is not “normal traffic”, and block it.
– Before the AV company has figured out the “digital signature”
of the worm/virus.
– Need I say, patch and update systems!
– Better awareness by users can also help.
References
• Dozens of websites about individual viruses.
– http://www.cknow.com/vtutor/vthistory.htm has a nice history.
– http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms
• The Register, http://www.theregister.co.uk
• Sophos AV, http://www.sophos.com
• Norton AV, http://www.norton.com
• ClamAV, http://www.clamav.net
• Apple Mac malware: A short history (1982-2010)
– http://nakedsecurity.sophos.com/2010/11/24/apple-macmalware-short-history/
• Computerworld.com, infoworld.com and securityfocus.com
Q&A