Upload: lambert-anderson

Post on 12-Jan-2016


Page 1

Terminology

• Worm – A computer program that duplicates itself over computer networks.

• Virus – A computer program that inspects its environment and copies itself into other programs.

• Trojan Horse – A useful computer program that has been compromised with extra code to do things the user does not want.

Page 2

The First Virus

• Created in 1983 (5 years before one was released into the internet)

• Created by Len Adleman (founder of RSA)

• The virus was implanted into the UNIX vd command
  – The virus was tested 5 times in a controlled lab
  – In each case, all system rights were granted in under an hour.
  – Later tested on VMS, VM/370, and Tops-20 with the same results

Page 3

Short Sighted System Administrators

• Early designers of viruses were Len Adleman, Fred Cohen, Tom Duff, and Doug McIlroy
  – They were called White-Hat scientists
  – They encountered resistance to virus research.
  – Fred Cohen, 1987:

“Once the results of the experiments were announced, administrators decided that no further computer security experiments would be permitted on their system. The ban included the planned addition of traces which would track potential viruses and password augmentation experiments which could potentially have improved security to a great extent. This fear reaction is typical: rather than trying to solve technical problems technically, inappropriate and inadequate policy solutions are often chosen.”

Page 4

Short Sighted System Administrators

• More Fred Cohen:

“After several months of negotiation and administrative changes, it was decided that the experiments would not be permitted. The security officer at the facility was in constant opposition to security experiments, and would not even read any proposals. This was particularly interesting in light of the fact that it was offered to allow system programmers and security officers to observe and oversee all aspects of all experiments. In addition, system administrators were unwilling to allow sanitized versions of log tapes to be used to perform offline analysis of the potential threat of viruses, and were unwilling to have additional traces added to their systems by their programmers to help detect viral attacks. Although there is no apparent threat posed by these activities, and they require little time, money, and effort, administrators were unwilling to allow investigations.”

Page 5

As a Result…

• Robert Morris launched the first internet worm on November 2nd, 1988

• It invaded ~6,000 computers within hours (10% of the internet at the time)

• Instructions were posted on how to stop the worm, but the computer the instructions were posted on was disabled by the worm before anyone read the instructions.

• Estimated damage ranged from $10,000 to $97 million (which shows how hard the cost of cyber crime is to estimate)

Page 6

How it worked

• Buggy Code
  – Exploited a buffer overflow problem in the finger daemon.
  – And a hole in the UNIX sendmail daemon

• When sendmail was run in debug mode, sendmail would execute commands the worm sent it

• At that time most programs ran in “debug” mode to generate traces of execution

• Clueless Users
  – The worm used a dictionary of just 432 words to crack passwords
  – And it tested the password file against the dictionary in a random order.

Page 7

Why it worked

• Many sites were running old versions of the fingerd daemon
  – The buffer overflow was known about and fixed BEFORE the worm attack
  – Shows the importance of upgrading software

• Sendmail’s vulnerability
  – Large, buggy, and networked

• Poor passwords
  – Users picked guessable passwords.
  – Many used their user id as their password
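The "Poor passwords" point above, as an added example that is not part of the original slides: a defender-side check that rejects the passwords the worm's dictionary attack would have recovered first. It goes slightly beyond the slide by also rejecting the reversed and doubled user id, two variants the worm tried; the word list is a constructed stand-in for the 432-word list, not the real one, and the function names are my own.

```python
from __future__ import annotations

# Constructed stand-in dictionary; the worm's real 432-word list is not reproduced.
DICTIONARY = frozenset({
    "password", "secret", "welcome", "wizard", "oracle",
    "cornell", "mit", "berkeley", "unix", "sendmail",
})


def userid_variants(userid: str) -> set[str]:
    """Forms of the user id a dictionary attack tries first: as-is, reversed, doubled."""
    u = userid.lower()
    return {u, u[::-1], u + u}


def is_weak_password(userid: str, password: str,
                     dictionary: frozenset[str] = DICTIONARY) -> str | None:
    """Return the reason the password is weak, or None if it passes these checks."""
    p = password.lower()
    if not p:
        return "empty"
    if p in userid_variants(userid):
        return "derived from user id"
    if p in dictionary:
        return "dictionary word"
    return None


def audit(accounts: dict[str, str]) -> dict[str, str]:
    """Audit a mapping of user id -> candidate password; report the weak ones."""
    return {u: r for u, pw in accounts.items() if (r := is_weak_password(u, pw))}


if __name__ == "__main__":
    # Constructed sample accounts (hypothetical user ids and passwords).
    sample = {"rtm": "rtm", "alice": "Wizard", "bob": "x7#Lq9!pV2", "carol": "loraC"}
    for user, reason in audit(sample).items():
        print(f"{user}: {reason}")
```

Run it as-is to see three of the four sample accounts flagged; only the password that is neither a user-id variant nor a dictionary word passes.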

Page 8

Results of the worm

• Formation of CERT
  – CERT is the “center of Internet security expertise”
  – Run by Carnegie Mellon University
  – www.cert.org

• Heightened awareness of computer system vulnerabilities

Page 9

Types of Viruses/Worms

• Macro Virus
  – Usually infects Microsoft Office and Outlook Express
  – Cross platform. The Microsoft products give a base platform to run in.
  – Usually passed by trading documents
  – Viruses email themselves out using the address book in Outlook
  – Automatically activated by being named the same as the macros Office/Outlook runs automatically when opening or closing a document (AutoOpen, AutoClose).

Page 10

Types of Viruses/Worms

• Boot sector
  – Affects the boot sector of the hard drive
  – Usually spread by trading programs
  – Most can’t spread via the net

• Polymorphic
  – Changes itself every time it is copied to avoid detection.
  – Virus signatures don’t work on these viruses because the signature changes each time.
  – May even use encryption to hide itself.

Page 11

Types of Viruses/Worms

• Multipartite
  – Infects both the boot sector and files
  – Spreads via the network infecting files, which in turn infect the boot sector.

• Stealth
  – Inserts code between the end application and the kernel.
  – Gives results to the application that the application would expect.
  – May remove itself from the media while the system is running, to avoid virus detection, then copies itself back to the media when the system is shut down.

Page 12

Types of Viruses/Worms

• Retro
  – Tries to attack anti-virus software directly.
  – Usually tries to change the “signature” file to avoid detection

• Armored
  – They make themselves difficult to get a “signature” from.
  – They are tightly wound around an executable so that it is hard to tell the executable from the virus

• Companion
  – Attaches to an executable and copies the executable to the same name but with a different extension.

• Phage
  – A virus that modifies another program to “morph” the good program into a virus.

Page 13

Anti Viral Software

• A database of “signatures” is kept on the local machines.

• All data coming into or out of the computer is scanned and compared bit by bit to the “signatures”

• Problem
  – Reactive – only discovers viruses/worms after the fact
  – Dumb – any minor change in the virus signature makes the anti-virus program useless
  – No substitute for good security practices.
  – Active scanning only probes known ports
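The "Dumb" problem on this slide and the polymorphic slide's point that signatures stop matching once a copy changes, as an added example that is not part of the original slides: a toy signature scanner that compares data against a signature database the way the slide describes, plus a helper that changes a single byte so the same scanner no longer fires. The signatures, sample bytes and function names are constructed for illustration and are not real malware signatures.

```python
from typing import Dict, Optional

# Constructed signature database: name -> byte pattern "extracted" from a sample.
# These byte strings are made up for this example, not real signatures.
SIGNATURES: Dict[str, bytes] = {
    "SAMPLE-A": b"\xde\xad\xbe\xef\x13\x37",
    "SAMPLE-B": b"AUTOOPEN_PAYLOAD",
}


def scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> Optional[str]:
    """Compare data byte-for-byte against every signature; return the first hit or None."""
    for name, sig in signatures.items():
        if sig in data:  # exact substring match, as a simple signature scanner does
            return name
    return None


def mutate_one_byte(data: bytes, offset: int) -> bytes:
    """Flip the byte at offset, mimicking the change a polymorphic copy introduces."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


def evades_after_mutation(data: bytes, offset: int) -> bool:
    """True when the original is detected but the one-byte variant is not."""
    return scan(data) is not None and scan(mutate_one_byte(data, offset)) is None


if __name__ == "__main__":
    # Constructed "file": a benign 6-byte header followed by the SAMPLE-A pattern.
    sample = b"HEADER" + SIGNATURES["SAMPLE-A"] + b"rest of file"
    print(scan(sample))                      # SAMPLE-A
    print(evades_after_mutation(sample, 8))  # True: byte 8 lies inside the signature
    print(evades_after_mutation(sample, 0))  # False: byte 0 is in the header only
```

Changing a byte outside the signature leaves detection intact, while changing any byte inside it is enough to defeat the scanner, which is exactly why a new signature is needed after the fact for every variant.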