![Page 1: Dr. Richard Ford. Where viruses have been… How it all began Milestones in virus and antivirus history The Technology Race Between Black Hats and White](https://reader035.vdocument.in/reader035/viewer/2022062417/5517a8bb5503460e6e8b5ff2/html5/thumbnails/1.jpg)
Malicious Code: History
Dr. Richard Ford
What We’re Going to Talk About
Where viruses have been…
How it all began
Milestones in virus and antivirus history
The Technology Race Between Black Hats and White Hats
Where Things Are Today
Way Back in the ’50s
Bell Labs… Core Wars
Two computer programs would “battle it out” in the “core” of a computer. The victor would be the last man standing
Mainstreamed in May 1984 in Scientific American
First Things…
Where it all began: Elk Cloner
“It will get on all your disks / It will infiltrate your chips / Yes it's Cloner! / It will stick to you like glue / It will modify ram too / Send in the Cloner!”
Virus folklore tells us that this virus was actually an experiment gone wrong… readers beware
Attacked the Apple II
Fred Cohen: Theory
Fred’s work is really famous… You can read some of his papers at http://www.all.net/resume/papers.html
Cohen postulated that one could construct a computer program that could “infect” other programs with a “possibly evolved” version of itself.
Cohen: Example
The following pseudo-program shows how a virus might be written in a pseudo-computer language. The ":=" symbol is used for definition, the ":" symbol labels a statement, the ";" separates statements, the "=" symbol is used for assignment or comparison, the "~" symbol stands for not, the "{" and "}" symbols group sequences of statements together, and the "..." symbol is used to indicate that an irrelevant portion of code has been left implicit.

program virus :=
{1234567;

subroutine infect-executable :=
    {loop: file = get-random-executable-file;
    if first-line-of-file = 1234567 then goto loop;
    prepend virus to file;
    }

subroutine do-damage :=
    {whatever damage is to be done}

subroutine trigger-pulled :=
    {return true if some condition holds}

main-program :=
    {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}

next:}
Milemarker 1: Brain
First virus that anyone really noticed
Basit and Amjad Farooq Alvi, of Lahore, Pakistan.
Simple Boot Infector – harkens back to the days of boot from floppy
Lehigh Virus
Appeared in 1987
Introduced some important techniques:
Infected COMMAND.COM
Went resident in memory
Infected any disks that were accessed from the infected machine
Had an unpleasant trigger: trashed the FAT after four infections
Jerusalem
Appeared in 1988, reported by Yisrael Radai
Memory-resident COM/EXE infector
Contained a bug: infected itself over and over again…
Spawned MANY virus variants
What’s a virus variant?
Christma.EXEC
1987…
Written in REXX, a scripting language by IBM
Sent in SOURCE form by email
Required a user to run it
When it ran, sent itself to all your contacts
It was an early, human-driven WORM
The Morris Worm
1988
See: ftp://coast.cs.purdue.edu/pub/doc/morris_worm/ for all the details you could ever need and more
Used multiple vulnerabilities:
Sendmail bug
Fingerd bug
Via .rhosts files
Via password cracking
Infected a *lot* of hosts for the then fledgling Internet
AIDS Trojan: The Law Catches Up
Trojan Disk sent out widely in 1992
Encrypted data on the fixed disk after a certain number of boots
License verbiage: "In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement."
See: http://www.virusbtn.com/magazine/archives/pdf/1992/199201.PDF
The Bulgarian Virus Factory
More of an Icon than a reality
But, for a time, the most complex viruses did come from Bulgaria
Many the work of one person, the mysterious “Dark Avenger”
Dark Avenger ultimately wrote a “fast infecting” virus and the infamous Mutation Engine (aka MtE or DAME)
Tequila
Welcome to Terry Tequila’s latest venture
1991
First fully polymorphic, full stealth virus
Michelangelo
March 6th, 1992
Serious enough that there was actually a CERT Advisory: http://www.cert.org/advisories/CA-1992-02.html
A Boot Sector Virus with a payload
Quotes: “hundreds of thousands of computers” – John McAfee, also labeled with the number “five million”
“One out of four computers” – Reuters
In fact, total damage was low… very low: 10 to 20 thousand
For an interesting take on epidemiology, read: http://www.research.ibm.com/antivirus/SciPapers/Kephart/PREV/prevalence.gopher.html
MtE
Also in 1992
A linkable object, never distributed in source form
Caused massive variation in code structure of a computer virus
Caused a complete redesign of several antivirus products, and was the end of simple “signature scanning”
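The point of the MtE slide, shown in code. This is an added example written for these notes, not code from the lecture or from any antivirus product: the "files" are constructed byte strings, the body is an innocuous placeholder, and the variation is a single-byte XOR under a different key per copy (a much weaker stand-in for what MtE produced). It shows why a scanner that looks for literal bytes misses every re-encoded copy, and why products had to start undoing the encoding (first by trying keys, later by emulating the decryptor) before comparing.

```python
"""Static signature scanning versus re-encoded copies of the same body.

Added example, not from the lecture. All samples are constructed; the
'body' is a placeholder string, not any real program.
"""
from typing import Dict, Optional, Tuple

# Constructed: the invariant bytes an analyst extracted as a signature,
# and the body they were taken from.
SIGNATURE = b"\x13\x37\xde\xad\xbe\xef"
BODY = b"header-" + SIGNATURE + b"-trailer"


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR. A different key gives a different image on disk
    even though the decoded body is identical (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def scan_static(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Pre-MtE scanner: does the literal signature appear in the file?"""
    return signature in sample


def scan_with_decoding(sample: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Decoder-aware scanner: try every single-byte XOR key, then compare.
    Returns the key that exposes the signature (0 for a plain copy), or
    None when no key does. Real products generalised this into an emulator
    that executes the variable decryptor and scans the result."""
    for key in range(256):
        if signature in xor_encode(sample, key):
            return key
    return None


def make_samples() -> Dict[str, bytes]:
    """Constructed 'files': one plain copy and two copies under different keys."""
    return {
        "plain": BODY,
        "variant_a": xor_encode(BODY, 0x5A),
        "variant_b": xor_encode(BODY, 0xC3),
    }


def report(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, Optional[int]]]:
    """For each sample: (static scanner hit?, key found by the decoding scanner)."""
    return {name: (scan_static(s), scan_with_decoding(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (static_hit, key) in report(make_samples()).items():
        shown = "none" if key is None else hex(key)
        print(f"{name:10s} static_hit={static_hit!s:5s} decoding_key={shown}")
```

Running it prints a static hit only for the plain copy, while the decoding scanner recovers the signature from all three. The cost is the part that drove the product redesigns the slide mentions: 256 trial decodes per signature per file here, and a full emulation pass in the general case.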
The Virus Creation Lab
Menu-driven virus creation for the masses!
Primarily simple COM infectors
Capable of basic encryption
The first of many…
The Black Baron
Pathogen and Queeg
SMEG, the “Simulated Metamorphic Encryption Generator”
See: http://www.soci.niu.edu/~crypt/other/pyle.htm for the full story
Also, see http://www.computer-investigations.com/chist/chist01.html for an account of the investigation from an old friend, Jim Bates
Convicted under the UK’s Computer Misuse Act
Concept
Appeared around 1996
First “data” infecting virus? Well, not really…
Written in Word Macros
Forced large-scale changes in the antivirus industry
Interestingly, everyone infected by Concept saw one of these:
Laroux
Hot on the heels of Concept
Auto_open and Check_files
Simple example of what could be done
Infected PERSONAL.XLS, which is loaded whenever Excel is run
Laroux: Illustration
Strange Brew
1998
A virus that was written in Java that infects Java class files
Primarily a proof of concept
See: http://www.sophos.com/virusinfo/articles/java.html for a useful FAQ
What about the Sandbox?
Melissa
1999 (see CERT advisory CA-1999-04)
A virus that propagated via Email attachments
Used MAPI to spread
Incredibly effective technique
Poor David Smith! See: http://news.bbc.co.uk/1/hi/world/americas/1963371.stm
DDoS
DDoS = Distributed Denial of Service
Simple process:
Pwn a large number of machines
Install a remote control “bot” on them
Command them to attack a particular site
Why is this so dangerous?
CodeRed
CERT advisory CA-2001-19
Common buffer overrun in IIS
Spread like WILDFIRE
Question: Why?
SQL.Slammer
Launched in January 2003
Utilized a buffer overrun in Microsoft’s popular SQL Server
Spread from machine to machine with a peak population doubling rate of 8.5 seconds
Infected 90% of all machines it would ever infect in 10 minutes
Actually impacted BGP Route Stability on the Internet!
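What an 8.5-second doubling time means in practice, worked through with the standard logistic epidemic model (the same family of models the Kephart prevalence paper cited on the Michelangelo slide uses). This is an added example, not from the lecture: the doubling time is the lecture's figure, but the susceptible population N is an assumed round number, and the closed-form curve ignores the bandwidth saturation that slowed the real worm, so it gives an upper bound on speed rather than a reconstruction of the actual trace.

```python
"""Logistic growth of a random-scanning worm, using the doubling time above.

Added example, not from the lecture. N (the number of hosts the worm could
ever infect) is an assumption chosen for illustration.
"""
import math

DOUBLING_S = 8.5              # peak population doubling time, from the lecture
ASSUMED_POPULATION = 75_000   # assumed N; the lecture gives no absolute count
INITIAL_INFECTED = 1


def growth_rate(doubling_s: float = DOUBLING_S) -> float:
    """Per-second exponential rate r with e^(r * doubling_s) = 2."""
    return math.log(2) / doubling_s


def infected_at(t: float, n: int = ASSUMED_POPULATION,
                i0: int = INITIAL_INFECTED, doubling_s: float = DOUBLING_S) -> float:
    """Closed-form logistic solution I(t) = N / (1 + (N/I0 - 1) * e^(-r t)).
    Early on this is pure doubling; later the worm runs out of fresh targets."""
    r = growth_rate(doubling_s)
    return n / (1 + (n / i0 - 1) * math.exp(-r * t))


def time_to_fraction(f: float, n: int = ASSUMED_POPULATION,
                     i0: int = INITIAL_INFECTED, doubling_s: float = DOUBLING_S) -> float:
    """Invert the logistic: seconds until a fraction f (0 < f < 1) of N is infected."""
    r = growth_rate(doubling_s)
    return math.log((n / i0 - 1) * f / (1 - f)) / r


def doublings_in(seconds: float, doubling_s: float = DOUBLING_S) -> float:
    """How many population doublings fit in a given number of seconds."""
    return seconds / doubling_s


if __name__ == "__main__":
    for frac in (0.10, 0.50, 0.90, 0.99):
        t = time_to_fraction(frac)
        print(f"{int(frac * 100):3d}% of {ASSUMED_POPULATION} hosts after "
              f"{t:6.1f} s ({t / 60:4.1f} min)")
    print(f"doublings available in 10 minutes: {doublings_in(600):.1f}")
```

Under these assumptions the model reaches 90% of N in roughly 165 seconds, well inside the ten minutes the slide reports; the gap between the two is the saturation of links (and the BGP instability the next line mentions) that no host-by-host model captures. Either way, the practical lesson is the same: at these speeds a patch-after-the-advisory response cannot work, only patching before release, or blocking the port at the perimeter, could have mattered.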
The Rise and Rise of Spyware
Windows makes it quite easy to write Spyware
Spyware can take over a machine and make it “unrecoverable” in many senses, without a reinstall
As Spyware becomes more “commercial” (in some senses of the word) it becomes a harder problem to fight
Blurred lines between legal and illegal
Context sensitivity and EULAs
Blue Pill
The “undetectable” rootkit
Server virtualization used for gain?
How much of this is a real threat?
Sony “rootkit” brouhaha
Sony adds a “rootkit” to CDs in an attempt to manage its digital rights…
More complicated than it sounds, but interesting story
2007: Cybercrime rates rise
For the first time, the UK cybercrime rate rises to meet the “real world” crime rate
2007: Zero-Day Attacks
Are everywhere: PDF, Realplayer, IE, …
DLP Becomes Big Business
2007: Symantec acquires Vontu
Companies begin to focus on protecting data at rest and while in transit
Viruses in Space: August 08
Autorun Worm found on the International Space Station
Password-stealing, but not mission critical
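An autorun worm travels on removable media because Windows of that era read the media's autorun.inf and launched whatever its open= or shell\…\command= entry named. A small triage step for incident responders is therefore to parse that file and list what it would launch. The following is an added example written for these notes, not from the lecture or the ISS incident: the two autorun.inf texts are constructed, and the "hidden\update.exe" path is a made-up placeholder, not an indicator from any real case.

```python
"""List what an autorun.inf would launch if autorun were honoured.

Added example, not from the lecture. Both sample files are constructed.
"""
import configparser
from typing import Dict, List, Tuple

# Keys that make Windows run something directly from the media, plus the
# shell verb commands that point at an executable (shell\<verb>\command=).
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample 1: a label and an icon only; nothing is executed.
BENIGN_INF = """
[autorun]
label=Holiday photos
icon=photos.ico
"""

# Constructed sample 2: the shape an autorun worm leaves behind. The path
# is a placeholder, not a real indicator.
WORMLIKE_INF = """
[AutoRun]
open=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
shell\\open=Open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section (case-insensitive) as lower-cased key -> value.

    '=' is the only delimiter so that 'C:\\path' values are not split at the
    colon; interpolation is off so '%SystemRoot%' is kept literally.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def launch_commands(text: str) -> List[Tuple[str, str]]:
    """Every entry that would cause code to run, as (key, command) pairs."""
    found = []
    for key, value in parse_autorun(text).items():
        if not value:
            continue
        if key in LAUNCH_KEYS:
            found.append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            found.append((key, value))
    return found


def is_suspicious(text: str) -> bool:
    """Any launch entry at all means inserting the media executes code."""
    return bool(launch_commands(text))


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("wormlike", WORMLIKE_INF)):
        cmds = launch_commands(inf)
        print(f"{name}: suspicious={is_suspicious(inf)}")
        for key, cmd in cmds:
            print(f"  {key} -> {cmd}")
```

The check is deliberately coarse: a legitimate installer disc also has an open= line, so the output is a triage list to look at, not a verdict. What it does reliably is surface the launch path so the responder can hash and pull the referenced file.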
The Future?
More viruses
More Worms
More Trojans
More software that Blurs the Lines