Malicious Code
CS 419: Computer Information Security
Kati Reiland
Wed. March 5, 2003
What I’ll Cover
• Short Timeline of Malicious Code
• Definition of Malicious Code
• Closer Look at Viruses and Worms
• A Specific Look at the LoveBug Virus
Timeline
• 1949: John Von Neumann researches the theory of self-replicating programs.
• 1960: AT&T introduces the first commercial modem.
• 1969: AT&T develops UNIX, the first multitasking operating system, and launches ARPANET.
• 1979: Xerox researchers implement a “worm” that searches the network for idle processors.
Timeline
• 1983: “Virus” is first used to describe software that affects other programs by modifying them to include a copy of the software.
• 1988: Robert Morris creates a worm that attacks ARPANET, disabling over 6,000 computers by flooding their memory with copies of itself.
• 1991: Symantec releases the first version of Norton Anti-virus; it is still the #1 PC security product.
• 1995: Microsoft releases Windows 95.
Timeline
• 1999: The “Melissa” virus infects thousands of computers.
• 2000: The “I Love You” virus infects millions of computers in 24 hours.
– The author was a Filipino student; the Philippines has no laws against hacking or other computer crimes, so he went unpunished. The European Union’s global “Cybercrime Treaty” is created.
• 2001: The Code Red worm infects Windows NT and 2000 servers, causing $2 billion in damages.
• 2001: Nimda attacks using 5 different methods of infecting systems and replicating itself.
Timeline
• 2002: “Melissa” author David L Smith is sentenced to 20 months in federal prison.
• 2003: The “Sapphire Slammer” worm infects thousands of computers in 3 hours.
Malicious Code
• Also called “Malware”
• Generally, “any unwanted, uninvited, potentially
dangerous program or set of programs”. (2002, Norman
Book on Computer Viruses)
• General Categories
– Virus
• A program that replicates itself infecting boot sectors,
programs, or data files.
– Worm
• A program that has the ability to spread.
– Trojan Horse/Backdoors
• A program that looks to be a useful or benign file/program.
– Denial-of-Service
• Software that doesn’t harm the host but uses the host to
disrupt other networked computers.
– Hacking Tools
• Assists the author in the creation of a virus/worm. Does not
cause any harm by itself.
– Bugs/Logic Bombs/Time Bombs
• Malfunctions within otherwise useable code.
– Hoax
• Generally a chain letter by email advising the removal of a
needed system file. Does not actually replicate but “cons”
the person to send it on believing that they are doing good.
– A combination of any or all of the above
• Most malicious code falls into this category
• Ex. “ILoveYou” virus
Why are these a security risk?
• Data Loss (viruses, worms)
• Downtime
• Loss of Confidentiality (stolen data)
Viruses and Worms
• Types:
– Binary File Viruses/Worms
• Ex. W95/CIH, otherwise known as “Chernobyl”
– Binary Stream Worms
• Ex. Code Red
– Script File Viruses/Worms
• Ex. ILoveYou
– Macro Viruses
• Ex. Melissa
– Boot Viruses
• Ex. AntiWin
– Multipartite Viruses
• Ex. Civil
[Pie chart, “Security Stats, 2002”: Exe 21%, Scripts 7%, Macro 29%, Trojan Horses 29%, others 14%]
Binary File Virus
• A virus that attaches its code to a usable program file.
• Six basic ways of attaching itself: companion, link, overwrite, insert, prepend and append.
– Companion
• Usually done by creating a program.com file in the same folder as the program.exe.
– Link
• Changes the workings of the file system so the program name will then refer to the virus instead of the program.
– Overwrite
– Insert
– Prepend
– Append
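A defender’s counterpart to the attachment methods above, added here as an example that is not from the slides: a file-integrity baseline that flags a program whose bytes changed (overwrite, insert, prepend or append all change the hash) and a new .com companion appearing beside a known .exe. The directory, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added integrity-baseline example (not from the slides). Hash every program
# file once, then compare: a changed hash covers overwrite/insert/prepend/
# append; a new program.com beside a baselined program.exe is the companion pattern.
PROGRAM_EXTS = {".exe", ".com"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(directory):
    """Map each program file name in the directory to its SHA-256."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in os.listdir(directory)
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTS}

def check(directory, base):
    """Compare the directory against a baseline; return sorted findings."""
    current = baseline(directory)
    findings = []
    for name, digest in current.items():
        stem, ext = os.path.splitext(name)
        if name in base:
            if base[name] != digest:
                findings.append(("modified", name))
        elif ext.lower() == ".com" and stem + ".exe" in base:
            findings.append(("companion", name))  # program.com next to program.exe
        else:
            findings.append(("new", name))
    findings += [("missing", name) for name in base if name not in current]
    return sorted(findings)

def demo():
    """Constructed scenario: take a baseline, then alter the directory."""
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "program.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ original program bytes")
    base = baseline(d)
    with open(exe, "ab") as f:           # bytes appended after the program
        f.write(b"extra bytes")
    with open(os.path.join(d, "program.com"), "wb") as f:
        f.write(b"companion file")       # same stem, .com extension
    return check(d, base)
```

The same comparison run on a schedule against real program directories is the basis of the integrity checking that anti-virus products of the period performed.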
Script File Viruses
• Viruses that are pure text instructions that are
interpreted by some associated program.
– Examples of scripts:
• Visual Basic Script
– Many of Microsoft’s programs and OS functions can be manipulated from it, so it is
heavily used by virus writers
• JavaScript
– Doesn't affect the file system, so there are not many viruses
using this.
• Jscript
– Not as often used as VBS, but just as dangerous
• DOS BAT Language / UNIX Shell Script
– Allows command line commands on DOS / UNIX machines
(respectively) without actually typing the commands
• IRC Scripts
– Scripts support the automatic sending of files to other
members.
• Many others
Macro Viruses
• Take advantage of the many applications that
contain/use macro programming languages
– WordBasic (early versions of MS Word)
– Visual Basic for Applications (VBA)
• Can be used to control almost anything on a Windows
computer
• The first set of viruses that affect the reliability
of the information in data files.
• Sometimes used to create and/or execute other
traditional viruses.
• Highly dangerous.
• As newer versions of Microsoft products were
introduced, so were new versions of VBA, so
older viruses could not affect newer versions of
the product.
Boot Viruses
• Viruses that infect System Boot Sectors (SBS)
and Master Boot Sectors (MBS).
• MBS vs. SBS
– Floppy disks have only an SBS.
• THE BOOT PROCESS
– BIOS (Basic Input/Output System)
– POST (Power On Self Test)
– Attempts to boot from floppy
– Loads OS
• A boot virus generally infects the SBS of a floppy
disk; when an attempt is made to boot from it, the
virus is loaded into memory and stays resident,
infecting the system areas of the hard drive.
• Up until a couple of years ago, boot viruses were
the most common viruses.
ILoveYou: The Love Letter Virus
• May 4-8, 2000: CERT announces over 500,000
reported PCs infected.
– Most commonly through an email attachment (LOVELETTER-FOR-YOU.txt.vbs) but also through IRC,
Windows file sharing, and USENET news.
• Overwrites all files with the extensions of *.vbs,
*.vbe, *.doc, *.txt, *.js, *.jse, *.css, *.wsh, *.sct,
*.hta, *.jpg, *.jpeg, *.mp3, *.mp2 and others with a
copy of itself and changes the file extension but
keeps the file name.
VBS/ILOVEYOU: “LoveBug”
• Any up-to-date anti-virus product should catch it.
• Disable Windows Scripting Host and IE’s Active
Scripting, though this disables other
functionalities also.
• There are currently 82 known variants of the
original (Symantec Corp.).
– Some variants attempt to download a password-stealing
trojan from a webpage.
What it does
• Sets the Windows Scripting Host timeout to zero
• Attempts to send out an email with Microsoft
Outlook.
– Subject: ILOVEYOU
– Body: “kindly check the attached LOVELETTER coming
from me”
– Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
• Searches all network and local drives for a variety
of the previously listed file extensions.
– Overwrites these files with a copy of itself
What it does, cont.
• Places a file (a copy of itself) in the Windows
System Directory
– May be named mskernel32.vbs, win32dll.vbs, or loveletter-for-you.txt.vbs
• Changes the IE homepage to a URL beginning with
http://www.skyinet.net/
• If mIRC is installed, it will overwrite the script.ini
file.
• Attempts to create an HTML file with the VBS
script embedded.
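The two “What it does” slides are, read from the defender’s side, a list of host indicators. The following added example (written for these notes, not code from CERT or Symantec) checks a host’s observations against exactly those indicators: the lure subject, the double-extension attachment, the dropped script names, the changed homepage prefix and the mIRC script.ini overwrite. The host records and the homepage path are constructed placeholders.

```python
import re

# Added detection example for the LoveBug indicators listed on the slides
# (not CERT's or Symantec's code). A host's observations are a plain dict
# built from mail logs, a system-directory listing and registry/config state.
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
HOMEPAGE_PREFIX = "http://www.skyinet.net/"
MAIL_SUBJECT = "ILOVEYOU"
# A data-looking extension followed by .vbs, e.g. LOVE-LETTER-FOR-YOU.TXT.vbs
DOUBLE_EXT = re.compile(r"\.(txt|doc|jpe?g|mp[23]|css|hta)\.vbs$", re.I)

def triage(host):
    """Return (indicator, evidence) pairs found in one host's observations."""
    hits = []
    for msg in host.get("mail", []):
        attachment = msg.get("attachment", "")
        if DOUBLE_EXT.search(attachment):
            hits.append(("double-extension attachment", attachment))
        if msg.get("subject", "").strip().upper() == MAIL_SUBJECT:
            hits.append(("lure subject", msg["subject"]))
    for name in host.get("system_dir_files", []):
        if name.lower() in DROPPED_FILES:
            hits.append(("dropped script", name))
    homepage = host.get("ie_homepage", "")
    if homepage.lower().startswith(HOMEPAGE_PREFIX):
        hits.append(("homepage changed", homepage))
    if host.get("mirc_script_ini_modified"):
        hits.append(("mIRC script.ini overwritten", "script.ini"))
    return hits

# Constructed observations for two hosts; the homepage path is a placeholder.
SAMPLE_HOSTS = {
    "ws01": {
        "mail": [{"subject": "ILOVEYOU",
                  "attachment": "LOVE-LETTER-FOR-YOU.TXT.vbs"}],
        "system_dir_files": ["MSKernel32.vbs", "kernel32.dll"],
        "ie_homepage": "http://www.skyinet.net/PLACEHOLDER-path",
        "mirc_script_ini_modified": True,
    },
    "ws02": {
        "mail": [{"subject": "Quarterly report", "attachment": "report.doc"}],
        "system_dir_files": ["kernel32.dll"],
        "ie_homepage": "http://intranet.example/",
        "mirc_script_ini_modified": False,
    },
}

def infected_hosts(hosts=SAMPLE_HOSTS, threshold=2):
    # Require several independent indicators before calling a host infected.
    return sorted(h for h, obs in hosts.items() if len(triage(obs)) >= threshold)
```

Requiring more than one indicator keeps a single legitimate .txt.vbs attachment, or a coincidental homepage, from raising a false alarm on its own.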
References
About Viruses. Panda Software. http://www.pandasoftware.com/virus_info/about_virus/
Anti-virus round-up (January-June 2000). Sophos Antivirus. July 2000. http://www.sophos.com/virusinfo/articles/roundup162000.html
Antivirus Software Ratings. Consumer Reports. June 2002.
CERT Love Letter Advisory. http://www.cert.org/advisories/CA-200004.html
Computer Virus Timeline. http://www.infoplease.com/spot/virustime1.html
Cyberspace Invaders. Consumer Reports. June 2002.
History of Computer Viruses. Discovery Channel. http://www.exn.ca/Nerds/20000504-55.cfm
Kaliciak, Paul. ILOVEYOU Email Virus Floods Internet. Discovery Channel. http://www.exn.ca/Nerds/20000504-56.cfm
Kaspersky, Eugene. Computer Viruses. http://www.viruslist.com/eng/viruslistbooks.html?id=3
McAfee Antivirus. http://www.mcafee.com/
Norman Book of Computer Viruses. Norman ASA. Oct 2001. http://www.norman.com/papers.shtml
Sophos Antivirus. http://www.sophos.com/
Stupid Virus Tricks. Consumer Reports. June 2002.
Symantec Corporation. www.symantec.com
Virus Encyclopedia. http://www.viruslist.com/
Virus Related Statistics. http://www.securitystats.com/virusstats.asp