Malicious Code
CS 419: Computer Information Security
Kati Reiland
Wed. March 5, 2003

What I’ll Cover
• Short Timeline of Malicious Code
• Definition of Malicious Code
• Closer Look at Viruses and Worms
• A Specific Look at the LoveBug Virus

Timeline
1949: John Von Neumann researches the theory of self-replicating programs.
1960: AT&T introduces the first commercial modem.
1969: AT&T develops UNIX, the first multitasking operating system, and launches ARPANET.
1979: Xerox researchers implement a “worm” that searches the network for idle processors.
1983: “Virus” is first used to describe software that affects other programs by modifying them to include a copy of the software.
1988: Robert Morris creates a worm that attacks ARPANET, disabling over 6,000 computers by flooding their memory with copies of itself.
1991: Symantec releases the first version of Norton Anti-virus; it is still the #1 PC security product.
1995: Microsoft releases Windows 95.
1999: The “Melissa” virus infects thousands of computers.
2000: The “I Love You” virus infects millions of computers in 24 hours. The author was a Filipino student; the Philippines had no laws against hacking or other computer crimes, so he went unpunished. The European Union’s global “Cybercrime Treaty” is created.
2001: The Code Red worm infects Windows NT and 2000 servers, causing $2 billion in damages.
2001: Nimda attacks using 5 different methods of infecting systems and replicating itself.
2002: “Melissa” author David L. Smith is sentenced to 20 months in federal prison.
2003: The “Sapphire Slammer” worm infects thousands of computers in 3 hours.

Malicious Code
• Also called “Malware”
• Generally, “any unwanted, uninvited, potentially dangerous program or set of programs”. (2002, Norman Book on Computer Viruses)
• General Categories
  – Virus
    • A program that replicates itself, infecting boot sectors, programs, or data files.
  – Worm
    • A program that has the ability to spread.
  – Trojan Horse/Backdoors
    • A program that looks to be a useful or benign file/program.
  – Denial-of-Service
    • Software that doesn’t harm the host but uses the host to disrupt other networked computers.
  – Hacking Tools
    • Assist the author in the creation of a virus/worm. Do not cause any harm by themselves.
  – Bugs/Logic Bombs/Time Bombs
    • Malfunctions within otherwise usable code.
  – Hoax
    • Generally a chain letter by email advising the removal of a needed system file. Does not actually replicate but “cons” the person into sending it on, believing that they are doing good.
  – A combination of any or all of the above
    • Most malicious code falls into this category
    • Ex. “ILoveYou” virus

Why are these a security risk?
• Data Loss (viruses, worms)
• Downtime
• Loss of Confidentiality (stolen data)

Viruses and Worms
• Types:
  – Binary File Viruses/Worms
    • Ex. W95/CIH, otherwise known as “Chernobyl”
  – Binary Stream Worms
    • Ex. Code Red
  – Script File Viruses/Worms
    • Ex. ILoveYou
  – Macro Viruses
    • Ex. Melissa
  – Boot Viruses
    • Ex. AntiWin
  – Multipartite Viruses
    • Ex. Civil
[Chart, Security Stats 2002: Exe 21%, Scripts 7%, Macro 29%, Trojan Horses 29%, others 14%]

Binary File Virus
• A virus that attaches its code to a usable program file.
• Six basic ways of attaching itself: companion, link, overwrite, insert, prepend and append.
  – Companion
    • Usually done by creating a program.com file in the same folder as the program.exe.
  – Link
    • Changes the workings of the file system so the program name will then refer to the virus instead of the program.
  – Overwrite
  – Insert
  – Prepend
  – Append

Script File Viruses
• Viruses that are pure text instructions that are interpreted by some associated program.
  – Examples of scripts:
    • Visual Basic Script
      – Many of Microsoft’s programs and OS functions can be manipulated, thus highly used
    • JavaScript
      – Doesn’t affect the file system, so there are not many viruses using this.
    • JScript
      – Not as often used as VBS, but just as dangerous
    • DOS BAT Language / UNIX Shell Script
      – Allows command-line commands on DOS / UNIX machines (respectively) without actually typing the commands
    • IRC Scripts
      – Scripts support the automatic sending of files to other members.
    • Many others

Macro Viruses
• Take advantage of the many applications that contain/use macro programming languages
  – WordBasic (early versions of MS Word)
  – Visual Basic for Applications (VBA)
    • Can be used to control almost anything on a Windows computer
• The first set of viruses that affect the reliability of the information in data files.
• Sometimes used to create and/or execute other traditional viruses.
• Highly dangerous.
• As newer versions of Microsoft products were introduced, so were new versions of VBA; thus older viruses could not affect newer versions of the product.

Boot Viruses
• Viruses that infect System Boot Sectors (SBS) and Master Boot Sectors (MBS).
• MBS vs. SBS
  – Floppy disks have only an SBS.
• THE BOOT PROCESS
  – BIOS (Basic Input/Output System)
  – POST (Power On Self Test)
  – Attempts to boot from floppy
  – Loads OS
• A boot virus generally infects the SBS of a floppy disk; when the attempt to boot is made, the virus goes to memory and runs active, infecting the system areas of the hard drive.
• Up until a couple of years ago, boot viruses were the most common viruses.

ILoveYou: The Love Letter Virus
• May 4-8, 2000: CERT announces over 500,000 reported PCs infected.
  – Most commonly through an email attachment (LOVELETTER-FOR-YOU.txt.vbs) but also through IRC, Windows file sharing, and USENET news.
• Overwrites all files with the extensions *.vbs, *.vbe, *.doc, *.txt, *.js, *.jse, *.css, *.wsh, *.sct, *.hta, *.jpg, *.jpeg, *.mp3, *.mp2 and others with a copy of itself, and changes the file extension but keeps the file name.

VBS/ILOVEYOU: “LoveBug”
• Any up-to-date anti-virus product should catch it.
• Disable Windows Scripting Host and IE’s Active Scripting, though this disables other functionality also.
• There are currently 82 known variants of the original. (Symantec Corp.)
  – Some variants attempt to download a password-stealing trojan from a webpage.

What it does
• Sets the Windows Scripting Host timeout to zero
• Attempts to send out an email with Microsoft Outlook.
  – Subject: ILOVEYOU
  – Body: “kindly check the attached LOVELETTER coming from me”
  – Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
• Searches all network and local drives for a variety of the previously listed file extensions.
  – Overwrites these files with a copy of itself

What it does, cont.
• Places a file (a copy of itself) in the Windows System Directory
  – May be named mskernel32.vbs, win32dll.vbs, or loveletter-for-you.txt.vbs
• Changes the IE homepage to a URL beginning with http://www.skyinet.net/
• If mIRC is installed, it will overwrite the script.ini file.
• Attempts to create an HTML file with the VBS script embedded.

References
About Viruses. Panda Software. http://www.pandasoftware.com/virus_info/about_virus/
Anti-virus round-up (January-June 2000). Sophos Antivirus. July 2000. http://www.sophos.com/virusinfo/articles/roundup162000.html
Antivirus Software Ratings. Consumer Reports. June 2002.
CERT Love Letter Advisory. http://www.cert.org/advisories/CA-200004.html
Computer Virus Timeline. http://www.infoplease.com/spot/virustime1.html
Cyberspace Invaders. Consumer Reports. June 2002.
History of Computer Viruses. Discovery Channel. http://www.exn.ca/Nerds/20000504-55.cfm
Kaliciak, Paul. ILOVEYOU Email Virus Floods Internet. Discovery Channel. http://www.exn.ca/Nerds/20000504-56.cfm
Kaspersky, Eugene. Computer Viruses. http://www.viruslist.com/eng/viruslistbooks.html?id=3
McAfee Antivirus. http://www.mcafee.com/
Norman Book of Computer Viruses. Norman ASA. Oct 2001. http://www.norman.com/papers.shtml
Sophos Antivirus. http://www.sophos.com/
Stupid Virus Tricks. Consumer Reports. June 2002.
Symantec Corporation. www.symantec.com
Virus Encyclopedia. http://www.viruslist.com/
Virus Related Statistics. http://www.securitystats.com/virusstats.asp
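As an added defender-side example (not from the slides), the following Python triage script walks a directory tree and reports the indicators the Binary File Virus and "What it does" slides describe: a program.com companion sitting beside program.exe, .vbs files that keep an original data-file name with one of the listed extensions (e.g. photo.jpg.vbs), the dropped-file names given for the Windows System directory, and groups of byte-identical .vbs files, which is what a mass overwrite with a copy of itself leaves behind. The sample directory it builds is constructed, with inert placeholder text standing in for any script body.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Data extensions the slides list as overwritten by LoveBug with a copy of itself (renamed to .vbs).
OVERWRITTEN_EXTS = {".vbs", ".vbe", ".doc", ".txt", ".js", ".jse", ".css", ".wsh",
                    ".sct", ".hta", ".jpg", ".jpeg", ".mp3", ".mp2"}
# Dropped-file names the slides give for the Windows System directory.
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "loveletter-for-you.txt.vbs"}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_tree(root):
    """Walk root; collect companion pairs, double-extension .vbs files, known dropped names, and clusters of identical .vbs bodies."""
    found = {"companion": [], "double_ext": [], "dropped": [], "clusters": {}}
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {f.lower() for f in files}
        for name in files:
            low, full = name.lower(), os.path.join(dirpath, name)
            base, ext = os.path.splitext(low)
            # Companion infection (slide "Companion"): prog.com placed beside prog.exe.
            if ext == ".exe" and base + ".com" in lower_names:
                found["companion"].append(os.path.join(dirpath, base + ".com"))
            if ext == ".vbs":
                if low in DROPPED_NAMES:
                    found["dropped"].append(full)
                if os.path.splitext(base)[1] in OVERWRITTEN_EXTS:   # e.g. photo.jpg.vbs
                    found["double_ext"].append(full)
                by_hash[sha256_of(full)].append(full)
    # A worm that overwrites many files with itself leaves many byte-identical .vbs files.
    found["clusters"] = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return found

def build_sample_tree():
    """Constructed sample directory mimicking a LoveBug-hit folder; the .vbs bodies are inert placeholder text."""
    root = tempfile.mkdtemp(prefix="lovebug_demo_")
    body = b"' constructed placeholder standing in for the worm body\r\n"
    files = {"report.doc.vbs": body, "photo.jpg.vbs": body, "notes.txt.vbs": body,
             "legit.vbs": b"' an unrelated, unique script\r\n", "calc.exe": b"MZ", "calc.com": b"MZ",
             os.path.join("system", "MSKernel32.vbs"): body}
    os.mkdir(os.path.join(root, "system"))
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Run it as scan_tree(build_sample_tree()); on the constructed tree it reports three double-extension files, one dropped name, one companion pair and a single cluster of four identical bodies, while the unique legit.vbs is left out of every list.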