20 Years of Malware Risk, Robert M. Slade, M. Sc., CISSP

Post on 27-Mar-2015

Transcript of "20 Years of Malware Risk", Robert M. Slade, M. Sc., CISSP

20 Years of Malware Risk

Robert M. Slade, M. Sc., CISSP
malware@shaw.ca, rslade@isc2.org, rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm

(c)1986 Brain

Was it the first?
Are the risks the same?

Prehistory - 1940s-50s

von Neumann architecture
Harvard architecture
Howard Aiken, Mark I – IV
Risk – Law of unintended consequences
Cost/benefit – development versus viruses?

Prehistory - 1960s-70s

Core Wars
DARWIN – 1969
“Survival” of programs
Imp
Replication, quite successful
Risk – beware of playful programmers

Trojans

Various types, difficult to define
Password stealing
Pranks
Malicious damage
Phishing (ID theft)
Risks
Trust
Ill-defined threats

Pranks

Non-malicious
Anthem
Flip
Risks?

Prehistory - 1980s

Infamous Xerox worm
Shoch and Hupp
Experiment in distributed computing
Application with multiple “segments”
Bug in the program
Risk – unintended consequences again

Prehistory - 1980s

Apple viruses
1980-81
Texas
Like Core Wars, examining survival
Variant 1 successful
Variant 2 escaped, interfered with game
Variant 3 to hunt down 2
Risk – buggy code
Risk – antivirus viruses - Ohio

Fred Cohen

Replication proposed at 1983 seminar
Len Adleman

1984 thesis
1986 dissertation
Three major antiviral types identified

(c)1986 Brain

Brain Computer Services, Pakistan
Ashar and Ashar
Stealth
Boot sector infector
Risk – variants – Ohio, Den Zuk

1987

Lehigh
CHRISTMA
Risk - DoS

1987

Jerusalem
Risks – variants, malicious damage, reputation

1987

Polymorphism
Many shapes
Self-encryption
  stub
Modular construction
  module signatures
Updating
  update module signature
File pickup
  other signatures
Risks
AV expert blood pressure (“zero day”)
CPU time
File distribution
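The polymorphism slide lists the ingredients (a constant decryptor stub in front of a self-encrypted body that takes a different shape in every copy) and the scanner-side cost (CPU time). The toy model below is an added example, not code from the talk: it shows why a plain byte signature taken from the body stops matching on disk while a signature taken from the stub still does, and what a scanner has to pay to see through the encryption. The body is an inert constructed byte string, STUB_TAG, BODY_SIG and STUB_SIG are assumed names, and a one-byte XOR stands in for a real decrypt loop.

```python
"""Toy model of a self-encrypting body behind a constant decryptor stub.

Constructed example: the "body" is an inert byte string, not machine code,
and the "stub" is a tag plus one key byte rather than a real decrypt loop.
"""
import os

STUB_TAG = b"\x90STUB"  # assumed: the bytes the (constant) decryptor starts with
BODY = b"THIS IS THE INERT BODY THAT A SCANNER WOULD WANT TO RECOGNISE"
BODY_SIG = b"INERT BODY"  # signature extracted from the cleartext body
STUB_SIG = STUB_TAG       # signature extracted from the stub instead


def xor_bytes(data: bytes, key: int) -> bytes:
    """Symmetric one-byte XOR; the toy's 'encryption' and 'decryption'."""
    return bytes(b ^ key for b in data)


def make_generation(key: int) -> bytes:
    """Emit one copy: [stub tag][key byte][body XOR key].

    Every copy made with a different key has a different body image on
    disk, which is the "many shapes" of the slide; only the stub is fixed.
    """
    if not 1 <= key <= 255:  # key 0 would leave the body in cleartext
        raise ValueError("key must be 1..255")
    return STUB_TAG + bytes([key]) + xor_bytes(BODY, key)


def random_generation() -> bytes:
    """A fresh copy with a random nonzero key, as replicating code would do."""
    return make_generation(os.urandom(1)[0] % 255 + 1)


def scan_static(sample: bytes, sig: bytes) -> bool:
    """Classic signature scan: substring match on the bytes as stored."""
    return sig in sample


def scan_with_decryption(sample: bytes, sig: bytes) -> bool:
    """Generic decryption: recognise the stub, replay its decrypt step, then scan.

    This is where the slide's "CPU time" risk comes from: every candidate
    file pays for the decryption pass before the real scan even starts.
    """
    head = len(STUB_TAG)
    if not sample.startswith(STUB_TAG) or len(sample) <= head:
        return False
    key = sample[head]
    body = xor_bytes(sample[head + 1:], key)
    return sig in body


def distinct_shapes(n: int) -> int:
    """Count byte-distinct copies among n generations (keys 1..n, n <= 255)."""
    return len({make_generation(k) for k in range(1, min(n, 255) + 1)})


if __name__ == "__main__":
    copy = random_generation()
    print("body signature, static scan:    ", scan_static(copy, BODY_SIG))
    print("stub signature, static scan:    ", scan_static(copy, STUB_SIG))
    print("body signature after decrypting:", scan_with_decryption(copy, BODY_SIG))
    print("distinct shapes from 50 keys:   ", distinct_shapes(50))
```

The stub signature is the cheap detection and the one a real author attacks next (the slide's "modular construction" and "updating" items are exactly that: swap or regenerate the stub so its signature moves too), which is why scanners ended up paying the decryption cost on every file rather than trusting a fixed prefix.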

1988

Stoned
Risk – holdover technology (boot sector)
Internet/UNIX/Morris Worm
Risks - defaults
MacMag
Risks – data, commercial

1991

Desert Storm
Risk – don't believe everything you read
MSAV
Anti-antivirus
Risk - There is hardly anything in the world that some man cannot make a little worse and sell a little cheaper, and the people who consider price only are this man's lawful prey. - John Ruskin

1994

Good Times hoax
Risk – don't believe everything you read
Springer-Verlag publishes "Robert Slade's Guide to Computer Viruses" (ummm ...)

1995

Concept
Macro virus
Risks
Outdated definitions of “program”
Extraneous functionality

1999

Melissa
First of the “fast burners”
Used multiple linked applications
Risks
Platform dominance
Convenience
(Pornography)

2000

Life Stages
Risk - file formats and extensions

2001

Lindose/Winux
Cross-platform
Code Red
Worm speed

Intermission

DCOM

2003

Sobig
Spambotnets
Risk – commercial and criminal impetus to malware

Spyware and Adware

Potentially Unwanted Software – PUS
Risk - definition

Mobile

Cell phones, PDAs, Blackberry, etc.
Risk – computers everywhere
