Upload
elfreda-sharp
View
220
Download
0
Tags:
Embed Size (px)
Citation preview
The Windows wilderness: a look on malware
SPI2009Kaido Kikkas
Computers and knives
A knife has two very different uses: tosave someone's life (when used by a doctor) to kill someone (used by a killer)
So does the computer Again we hit the paradigm of well-equipped
fools...
Some clarification Virus – a piece of software capable of self-
propagation by either infecting files or certain parts of data carriers
Trojan horse – a piece of malicious software posing as legitimate. No self-replication abilities
Worm – a piece of software that propagates itself over networks via various software vulnerabilities. User intervention is not needed
Rootkit – a piece of software used to hide tracks of some other software. NB! Exist for all systems
Today's malware may have all these combined
In ancient times
Greeks built a wooden horse and cheated on Trojans
Already in early computing, the same concept came into use – before there were viruses, there were Trojan horses: Internet proper was an elite thing (but first malware
concept was introduced on Multics in 1974) ordinary users had only Fidonet: no chance for heavy
traffic. So they had to create small and nasty stuff like PKZ Trojan horse (pretended to be an utility)
Virus vs Bill
First case: Elk Cloner, AppleDOS 3.3 – so no Microsoft at all...
But it changed soon – viruses became nearly synonymous with IBM PC compatible computers and Microsoft systems
The following is a brief tour ...
The Pakistani Brain
1986; aka Lahore, Pakistani Flu, UIUC Written by Basit and Amjad Farooq Alvi, two
Pakistani brothers, to prevent copying of their software. Soon, they had to regret it
Boot sector virus Simple stealth capabilities No destructive payload, more an annoyance
Lehigh
1987 First to attack COMMAND.COM, the core file of
DOS (in fact, attacked only this file) First TSR (Terminate and Stay Resident) virus After a number of infections, messed up the disk Could be defeated by making COMMAND.COM
read-only
Jerusalem
1987 TSR, but did NOT infect COMMAND.COM (to
hide from detection) Slowdown, on Friday the 13th destroyed all
programs that were run
Stoned
1989-91, Australia and New Zealand First widespread boot sector virus “Your PC is now stoned.”
The Morris worm
Black Thursday, 2nd of November 1988 Regarded as the birthday of computer security Hit the REAL Internet machines Robert Morris, Cornell University Security holes, weak passwords; 6000 machines Miscalculation of speed – 10 times faster 3 years of probation, 400 hours of community
service, $10 050 fine Remained a single case
Yankee Doodle
1989, Bulgaria Many variants, very widespread (also in Estonia,
whole computer labs were singing...) Notable effect of playing the title song from
speakers (otherwise relatively harmless)
Cascade
Around 1988, former Yugoslavia; a.k.a. Falling Letters
Very colourful visual effect – letters fell from screen to a pile below. While otherwise harmless, it greatly disrupted the work
Dark Avenger
1989, Bulgaria; a.k.a. Eddie TSR file infector, could infect also by reading One of the most destructive early viruses – every
16th infection destroyed a random sector on disk, slowly causing permanent, serious damage
In 1992, the same author introduced the Mutation Engine – a virus library designed to create self-changing (stealth) viruses
Dir II
1991, Bulgaria or India (sources differ) A TSR virus which changed the information
structure on disk – booting from a clean disk rendered the files unusable
Michelangelo
1991, a derivative of Stoned One of the biggest hypes among viruses – created
a huge media bubble in the beginning of 1992 as it was to activate on March 6. Actual damage was negligible
CIH
1998, Russia(?); a.k.a. SpaceFiller, Chernobyl Wrote over the beginning of the disk as well as
some of the BIOS upon activation (the latter did not work in some BIOSes)
Was designed for Windows 9x – did not work on NT family
The age of macro viruses
Viruses which resided on MS Office environment. Success reasons include: wide spread of Windows and MS Office permeating nature of Visual Basic for Applications in
MS Office, allowing deep access stretched further by unintended privilege escalation cases
proprietary systems => only Microsoft knew the internals
Most stress was on Word (.doc files)
Melissa
March 26, 1999 New Jersey First successful virus+worm combo – after
infection, used a worm-like spreading method, clogging up a large share of networks
Needed Word 97 or 2000 to work and Outlook 97 or 98 to spread – yet there was more than enough of them
1999 Linux Timeline: “Melissa creates difficulties worldwide. Linux users yawn.”...
ILoveYou
2000, Philippines; a.k.a. LoveLetter, Love Bug Similar to Melissa, mostly a worm caused estimated financial loss of 10 bln USD Outlined the problems with file extension hiding
and double extensions in Windows
Hijackers
a class of (typically) client-server applications used to remote control Windows machines Back Orifice 1998 NetBus 1998 SubSeven 1999
The case of Magnus Eriksson in 1999 Netbus-originating child pornography in his PC lost his job at Lund University law school had to flee the country after his name was published
Code Red
2001 China Attacked only MS IIS web servers, but made
attempts on all (did not check the type) Attempted DOS attacks from conquered
machines MS reacted in a week (a rare case) “Hacked by Chinese” became a slogan...
Nimda
September 2001 “Administered” (“admin” backwards) the
conquered machine enabled sharing guest account with admin privileges
Infected web servers contagiated visitors using IE
Blaster
August 2003; a.k.a. Lovesan Infected more than 8 mln computers DOSsed MS update service
MyDoom
January 2004, the fastest spread to date DOSsed the SCO website – alleged 'open-source
revenge' (later overturned) In July, stopped all main search engines for a day
Sasser
April 2004 Massive swamping attacks on different online
services, lots of downtime (mostly in Europe) Authored by Sven Jasschan, a German student –
received 21 months of probation but was later employed by a security company
Zotob
August 2005 One of the first “mercenary worms” apparently
ordered by spyware industry – helps to forward different malware
Estimated damage – 97 000$ + 80 hours of work per company infected. On August 16, CNN Live went down due to Zotob, other big hits were Boeing, ABC News, Homeland Security...
The next year, two men named Farid Essabar and Achraf Bahloul were sentenced in Morocco – but finally just for a year
Samy
A.k.a. JS.Spacehero, October 2005 MySpace XSS (cross-site scripting) worm Used MySpace vulnerabilities (e.g. JavaScript
code injection via CSS) Spread onto the pages of > 1 mln users in 20
hours, arguably the fastest spreading malware The author, Samy Kamkar, got 3 years on
probation, 90 days of community services and unknown amout of fines
Monkey business, Sony-style
October 2005 Sony BMG released 102 titles of CD-s equipped
with XCP and MediaMax - two “copy protection” systems which were actually rootkits, interfering with the system and opening new security holes in Windows machines
First, a “removal tool” was issued which actually made thing worse (brushed under the carpet). The second one was no better
Finally recalled all the CD-s in question
Storm
January 2007 A worm used to build one of the largest botnets
to date Initially spread 'the old way' via mail attachments The botnet at the largest contained about 1-50
mln computers (different estimates), the current estimated size is 5 000 - 40 000. Another estimate is it forming 8% of all malware
Possible traces to RBN and cyber-attacks
Conficker
A.k.a. Downadup or Kido - the latest hit from October 2008
Exploits Windows server vulnerabilities (all versions from 2000 upwards)
January 9 estimate: ~ 9 mln Windows Pcs Hit the UK Ministry of Defense, a number of
Royal Navy warships, about 800 computers in Sheffield hospitals...
Two notables
January 2001 – Ramen, a single brief appearance of a Linux worm. Was limited to Red Hat 6.2 and 7.0, used their security holes. In principle was similar to the Morris worm
August 2003 – Weichia, a helpful wormAttempted to update Windows, removed Blaster and was supposed to kill itself in 120 days
Also, two cases are known for MacOS X - Leap/Oompa in February 2006 and the currently active iServices.A trojan horse (~20 000 infected Macs)
Stages in malware motivation
Hacker'y exploration (“What's in there?”) Clueless experimentation (“What happens if”) Expression of frustration (“I'll show you all!”) Expression of politics (“Free X or suffer!”) Malware as a weapon Malware as a business model
Still – why Windows?
A number of factors, including largest market share (but not the dominating factor
as Microsoft wants to believe) the chronic security problems in Microsoft products the most clueless user base by far the security industry which has created its shadow
counterpart in malware industry The only way to get rid of it is to destroy the
roots – has been unsuccessful to date
Conclusion
Malware has greatly evolved over time The diversity is great The resilience lies in economic incentives One of the easiest solutions against it is to change
the platform – Microsoft needs to 100% redesign its systems to decrease the threat
That's it!